Skip to content

feat(unprivileged): run unprivileged nginx to support arbitrarily assigned user ID #3033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat(unprivileged): run unprivileged nginx to support arbitrarily assigned user ID #3033

wants to merge 1 commit into from

Conversation

@m4s-b3n
Copy link

@m4s-b3n m4s-b3n commented Apr 22, 2022
edited
Loading

Use unprivileged nginx to support arbitrarily assigned user ID to be able to run the image e.g. on Red Hat Openshift

Description

The dockerfile uses the nginxinc/nginx-unprivileged image instead of the standard nginx image.
Moreover the nginx.conf file was extended for some configuration to locate nginx runtime data in the /tmp directory.

This enables the container to run as a non-root user which is an improvement to the container security and enables running the container on distributions such as OpenShift by default.

Motivation and Context

The change is necessary as the previous version required nginx to run as root to be able to read/write so several default paths.

Fixes #2931

How Has This Been Tested?

Dependencies: npm ci
Build: npm build
Docker Build: docker build -t swagger-editor-unprivileged .
Docker Run: docker run -p 8080:8080 -u 100000 swagger-editor-unprivileged
Visit in browser: http://localhost:8080

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

@char0n char0n self-assigned this May 6, 2022
@char0n char0n self-requested a review June 13, 2022 13:01
@char0n
Copy link
Contributor

char0n commented Jun 13, 2022

Hi @marius-boden-sva,

Thank you for the PR! I'll have some questions on the changes to fully understand what have been changed and why if that's OK.

char0n
char0n reviewed Jun 13, 2022
View reviewed changes
Copy link
Contributor

@char0n char0n left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @marius-boden-sva, thanks again for the PR. Can you please address questions I had in the code review of this PR. Thanks!

Dockerfile Outdated
@@ -1,4 +1,4 @@
FROM nginx:1.21.6-alpine
FROM nginxinc/nginx-unprivileged:1.21.6-alpine
Copy link
Contributor

@char0n char0n Jun 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an official image, so we should be fine. The image difference from nginx is as follows:

  • The default NGINX listen port is now 8080 instead of 80.
  • The default NGINX user directive in /etc/nginx/nginx.conf has been removed.
  • The default NGINX PID has been moved from /var/run/nginx.pid to /tmp/nginx.pid. *Change _temp_path variables to /tmp/.

Copy link
Contributor

@char0n char0n Jun 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marius-boden-sva I want to address specifically The default NGINX listen port is now 8080 instead of 80. Will this affect the end users; will this be a breaking change for them? I assume not because of https://github.com/swagger-api/swagger-editor/pull/3033/files#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557L19 bug just asking to be sure.

Copy link
Author

@m4s-b3n m4s-b3n Jun 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default port has to be changed because ports below 1024 are privileged ports and require root privileges. For running the editor with docker only this results in changing the mapped port only (-p 80:80 will become -p 80:8080). Reminder: need to update the docs about that ;)
For end users running swagger editor e.g. with compose or in kubernetes this will be a breaking change as they need to adapt their ports.

Copy link
Contributor

@char0n char0n Jul 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it is going to be a breaking change. We have a version 5 comming up where we could possibly do this change.

Dockerfile
COPY ./docker-run.sh /usr/share/nginx/


RUN chmod +x /usr/share/nginx/docker-run.sh && \
Copy link
Contributor

@char0n char0n Jun 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you maybe elaborate why we're removing this chmod?

Copy link
Author

@m4s-b3n m4s-b3n Jun 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we do not need this as the docker-run.sh script is already checked into git with -rwxr-xr-x permissions

nginx.conf
worker_processes 1;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
Copy link
Contributor

@char0n char0n Jun 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you collaborate why changing the error_log?

Copy link
Author

@m4s-b3n m4s-b3n Jun 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this ist just a merge of your your configuration an the one from the nginxinc/nginx-unprivileged:1.21.6-alpine image

nginx.conf
}

http {
proxy_temp_path /tmp/proxy_temp;
Copy link
Contributor

@char0n char0n Jun 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume these changes are all necessary to be able to run as a non root, unprivileged user, right?

Copy link
Author

@m4s-b3n m4s-b3n Jun 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see my answer above. my thought was to change as little as possible and only integrate what's necessary to run swagger editor

nginx.conf
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;

include /etc/nginx/conf.d/*.conf;
Copy link
Contributor

@char0n char0n Jun 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we're including the default config here?

Copy link
Author

@m4s-b3n m4s-b3n Jun 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see my answer above

@char0n
Copy link
Contributor

char0n commented Nov 16, 2022

@marius-boden-sva would you mind sending this PR against next branch? Now it's a good opportunity to push this effort forward.

Thanks!

@m4s-b3n
Copy link
Author

m4s-b3n commented Nov 21, 2022

@char0n done: #3697

char0n added a commit that referenced this pull request Nov 24, 2022
@char0n
feat(docker): build and publish unpriviledged image
93f297b 
Co-authored-by: marius-boden-sva

Refs #3033
Refs #3697
@char0n char0n mentioned this pull request Nov 24, 2022
Merged
@char0n
Copy link
Contributor

char0n commented Nov 24, 2022

Superseded by #3705

@char0n char0n closed this Nov 24, 2022
char0n added a commit that referenced this pull request Nov 24, 2022
@char0n
feat(docker): build and publish unpriviledged image (#3705)
30ce794 
Co-authored-by: marius-boden-sva

Refs #3033
Refs #3697
swagger-bot pushed a commit that referenced this pull request Nov 24, 2022
@semantic-release-bot
chore(release): cut the 5.0.0-alpha.38 release
ca6a0c0 
# [5.0.0-alpha.38](v5.0.0-alpha.37...v5.0.0-alpha.38) (2022-11-24)

### Features

* **docker:** build and publish unpriviledged image ([#3705](#3705)) ([30ce794](30ce794)), closes [#3033](#3033) [#3697](#3697)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@char0n char0n char0n left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@char0n char0n

Labels

cat: docker swagger-editor@next type: enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Docker image doesn't/can't run as non-root user

2 participants

@m4s-b3n @char0n