https://hub.docker.com/u/nginxinc doesn't have official or docker verified tag

Open sandywang1982 opened this issue 5 years ago • 3 comments

We are doing PodSecurityPolicy in our cluster, so we are thinking of pulling the nginx unprivileged image. https://hub.docker.com/_/nginx has the official images tag, while https://hub.docker.com/u/nginxinc doesn't. How can we make sure the image is safe to pull?

sandywang1982, Mar 31 '19 23:03

Hi @sandywang1982!

We've had a few requests asking whether this is an official image, whether it's safe to pull and so on. We are trying to figure out the best solution to address these concerns at the moment - but in the meantime, rest assured this image is as "official" as an image without the official images tag can be. It's not hosted on the official Docker images library, true, but it is owned and maintained by NGINX on both GitHub and Docker Hub.

Cheers, Alessandro.

alessfg, Apr 03 '19 15:04

Hi, sorry to bump such an old issue. I was wondering if there was any decision made as far as making this image "official". I realize that it's official since it's the same team as the "official" image, and I wanted to pitch in some ideas. I was wondering if this image could be released under the _nginx account too, maybe with its own tag.

Thanks for maintaining this image. Using a privileged container is a huge hazard and this image saves the day.

SayakMukhopadhyay, Oct 14 '20 08:10

Sadly, no. While talks are continuously ongoing, there are no major updates to report on this front (nor would I expect any changes in the near future).

alessfg, Oct 14 '20 12:10

It has been more than 2 years since the last update on this issue. Has it been forgotten or can we expect some updates at some point? I can’t imagine what problems there may be that block the resolution of this issue 🤔

ste93cry, Apr 27 '23 21:04

Hey @ste93cry!

It's not been forgotten but there are indeed some problems that fundamentally block the resolution of this issue. The first and foremost is that Docker does not allow "use-case" specific images to be part of their "official" library.

There are still continuous discussions on how to best approach this issue and I will hopefully have some positive news to share sooner rather than later, but for now and in the near future, I sadly don't expect anything to change.

alessfg, May 02 '23 22:05

I will admit this is a question rooted in ignorance, but I am curious about the answer: is there a reason to not have a rootless version of NGINX be the default? What consequences does this ultimately present to the user and/or administrator?

NWarila, Jun 23 '23 18:06

I would suggest bringing up that topic on the https://github.com/nginxinc/docker-nginx repo. Discussions like this are always ongoing and in flux.

That being said, a couple of reasons that come to mind would be: a) For legacy reasons -- millions of people are using the Docker NGINX image, and suddenly swapping it around for a rootless version might break a ton of production environments. b) NGINX running as non-root presents some unique challenges insofar as permissions go. It can be done (as it is in these images), but extra care has to be employed when determining which directories to use for various NGINX functionalities.

alessfg, Jun 26 '23 14:06
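
Added example (not part of the thread and not code from the NGINX project): a small audit of an `nginx.conf` for the directory concern raised in the comment above, plus the privileged-port and `user` directive cases that go with running as non-root. The `/tmp` writable prefix, port 8080 and both sample configs are assumptions constructed for illustration.

```python
import re

# Assumption for this example: the non-root user can write only under /tmp.
WRITABLE_PREFIXES = ("/tmp/",)
# Directives that tell NGINX where to write its pid file and temp files.
PATH_DIRECTIVES = ("pid", "client_body_temp_path", "proxy_temp_path",
                   "fastcgi_temp_path", "uwsgi_temp_path", "scgi_temp_path")

def directives(conf):
    """Yield (name, args) per directive. Naive split: no quoted ';' or braces."""
    for chunk in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = chunk.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return sorted findings that would trip NGINX started as a non-root user."""
    findings, seen = set(), set()
    for name, args in directives(conf):
        if name == "user":
            findings.add("user: ignored unless the master process runs as root")
        elif name == "listen" and args and not args[0].startswith("unix:"):
            port = args[0].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) < 1024:
                findings.add(f"listen {port}: privileged port")
        elif name in PATH_DIRECTIVES and args:
            seen.add(name)
            if not args[0].startswith(WRITABLE_PREFIXES):
                findings.add(f"{name} {args[0]}: not under a writable prefix")
    # A path directive left unset falls back to the build's default location,
    # which this example assumes is root-owned.
    findings.update(f"{d}: unset, build default used"
                    for d in PATH_DIRECTIVES if d not in seen)
    return sorted(findings)

# Constructed sample configs (not taken from the image).
ROOT_STYLE = """user nginx;
pid /var/run/nginx.pid;
http { server { listen 80; listen [::]:80; } }"""
NON_ROOT = """pid /tmp/nginx.pid;
http {
  client_body_temp_path /tmp/client_temp; proxy_temp_path /tmp/proxy_temp;
  fastcgi_temp_path /tmp/fastcgi_temp; uwsgi_temp_path /tmp/uwsgi_temp;
  scgi_temp_path /tmp/scgi_temp;
  server { listen 8080; }  # unprivileged port
}"""
if __name__ == "__main__":
    for label, conf in (("root-style", ROOT_STYLE), ("non-root", NON_ROOT)):
        print(label, audit(conf))
```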

Great news! We finally managed to become a verified publisher! I am sorry it's taken way, way longer than it should have, but we got there in the end!

alessfg, Aug 02 '23 18:08