Use nginx-unprivileged as base image for web container #9719
prskr wants to merge 1 commit into ente-io:main
This makes it easier to run Ente in Kubernetes environments with enabled pod security admission.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 429cb6d9b9
| COPY --from=builder /build/web/apps/share/out /out/share | ||
| COPY --from=builder /build/web/apps/embed/out /out/embed | ||
| COPY --chmod=755 <<EOF /docker-entrypoint.d/90-replace-ente-env.sh | ||
| sed -i'' "s#ENTE_API_ORIGIN_PLACEHOLDER#\$ENTE_API_ORIGIN#g" /etc/nginx/conf.d/default.conf |
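Review bot: In the sed line of 90-replace-ente-env.sh, $ENTE_API_ORIGIN is expanded straight into the replacement side of s#...#...#g, so a value containing #, & or a backslash is interpreted by sed instead of being inserted literally, and an unset variable silently replaces the placeholder with an empty string. Consider checking that the variable is set and escaping those characters before the substitution, or failing the script with a clear message when the value is missing or malformed.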
Make default.conf writable before the startup sed
After USER nginx, the image starts under the unprivileged account and the upstream entrypoint executes 90-replace-ente-env.sh before nginx. This sed -i edits /etc/nginx/conf.d/default.conf, but that file is created by COPY without --chown, so it stays root-owned (and its parent directory is not writable either). The first command in the script will therefore fail with Permission denied, causing the entrypoint to exit before nginx starts, which makes the new web image unusable with its default startup path.
This is a misunderstanding: this step is ONLY CREATING the script that will alter the /etc/nginx/conf.d/default.conf file. The file /etc/nginx/conf.d/default.conf itself is created in line 54 and following, AFTER the USER nginx directive in line 45. So the user nginx is perfectly able to change the file /etc/nginx/conf.d/default.conf when the container is starting.
Description
It is strongly discouraged to run containers as `root` unless absolutely necessary. For `nginx`, there is an official `-unprivileged` image variant available for use.
This simplifies deploying Ente Web in Kubernetes environments with the Pod Security Admission controller enabled. Without explicit exclusion, the controller blocks the creation of containers or pods that run—or could run—as the root user.
The modifications applied to the `Dockerfile` now enable rootless container execution, though running the container with a read-only root filesystem remains challenging.
Tests
The build is working and I'm running the image in my private cluster for a few days already. If there are any further things you would like me to test / document, please let me know :)
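
A manifest for the deployment scenario the description refers to, as an added example that is not part of the PR or the Ente project: the namespace enforces the Pod Security Admission `restricted` level (assumed here), and the pod spec carries the settings that level requires. The namespace name, image reference, API origin value and UID/GID 101 for the `nginx` user are assumptions.

```yaml
# Added example; names, image reference and UID are assumptions, not taken from the PR.
apiVersion: v1
kind: Namespace
metadata:
  name: ente                                   # hypothetical namespace
  labels:
    # Pod Security Admission: reject pods that violate the "restricted" profile
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ente-web
  namespace: ente
spec:
  replicas: 1
  selector:
    matchLabels: {app: ente-web}
  template:
    metadata:
      labels: {app: ente-web}
    spec:
      securityContext:
        runAsNonRoot: true
        # "USER nginx" is a name, not a number. The kubelet cannot verify a
        # named user as non-root, so pin the numeric UID (101 assumed here).
        runAsUser: 101
        runAsGroup: 101
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          image: registry.example/ente-web:PLACEHOLDER   # placeholder image reference
          env:
            - name: ENTE_API_ORIGIN
              value: https://api.example.org             # constructed value
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # Not required by "restricted". Left off because the startup script
            # rewrites /etc/nginx/conf.d/default.conf in place with sed -i.
            readOnlyRootFilesystem: false
```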