docker-nginx-unprivileged
https://hub.docker.com/u/nginxinc doesn't have official or docker verified tag
We are doing PodSecurityPolicy in our cluster, so we are thinking of pulling the nginx unprivileged image. https://hub.docker.com/_/nginx has the official images tag, while https://hub.docker.com/u/nginxinc doesn't. How can we make sure the image is safe to pull?
Hi @sandywang1982!
We've had a few requests asking whether this is an official image, whether it's safe to pull and so on. We are trying to figure out the best solution to address these concerns at the moment - but in the meantime, rest assured this image is as "official" as an image without the official images tag can be. It's not hosted on the official Docker images library, true, but it is owned and maintained by NGINX on both GitHub and Docker Hub.
Cheers, Alessandro.
Hi
Sorry to bump such an old issue. I was wondering if there was any decision made as far as making this image "official". I realize that it's official since it's the same team as the "official" image and wanted to pitch in some ideas. I was wondering if this image could be released under the _nginx account too, maybe with its own tag.
Thanks for maintaining this image. Using a privileged container is a huge hazard and this image saves the day.
Sadly, no. While talks are continuously ongoing, there are no major updates to report on this front (nor would I expect any changes in the near future).
It has been more than 2 years since the last update on this issue. Has it been forgotten or can we expect some updates at some point? I can’t imagine what problems there may be that block the resolution of this issue 🤔
Hey @ste93cry!
It's not been forgotten but there are indeed some problems that fundamentally block the resolution of this issue. The first and foremost is that Docker does not allow "use-case" specific images to be part of their "official" library.
There are still continuous discussions on how to best approach this issue and I will hopefully have some positive news to share sooner rather than later, but for now and in the near future, I sadly don't expect anything to change.
I will admit this is a question rooted in ignorance, but I am curious about the answer: is there a reason to not have a rootless version of NGINX be the default? What consequences does this ultimately present to the user and/or administrator?
I would suggest bringing up that topic on the https://github.com/nginxinc/docker-nginx repo. Discussions like this are always ongoing and in-flux.
That being said, a couple of reasons that come to mind would be: a) For legacy reasons -- millions of people are using the Docker NGINX image and suddenly swapping it around for a rootless version might break a ton of production environments. b) NGINX running as non-root presents some unique challenges insofar as permissions go. It can be done (as it is in these images), but extra care has to be employed when determining which directories to use for various NGINX functionalities.
Great news! We finally managed to become a verified publisher! I am sorry it's taken way, way longer than it should have, but we got there in the end!