Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure /var/log/nginx is writeable by GID 0 #4269

Merged
merged 1 commit into from
Nov 8, 2023
Merged

Conversation

sigv
Copy link
Contributor

@sigv sigv commented Aug 18, 2023

Proposed changes

In a standard deployment, error log is written to /dev/stderr and access log is written to /dev/stdout. Furthermore, error.log and access.log in /var/log/nginx are mapped to the respective stdio. However, a deployment may override configuration, and remove the symbolic links, to write to the container storage directly.

OpenShift tries to impose various restrictions by default. One of these is for UID/GID used by the container process. If these restrictions are supported in future, adjustments to file system permissions need to be done so that /var/log/nginx remains writeable. Specifically, OpenShift adds GID 0 as supplemental to container process for file system operations.

This PR ensures the nginx user (UID 101) and root group (GID 0) owns the log directory, and that owner group permissions match the owner user permissions (g=u). This ensures that OpenShift deployments retain write permissions in future.

This permissions change was already being applied to App Protect builds, where I presume writing to disk is enabled by default. Now with the PR, the permissions are ensured for all customers (not only App Protect variant).

Closes #4279.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@sigv sigv requested a review from a team as a code owner August 18, 2023 20:22
@sigv sigv changed the title Ensure /var/log/nginx is writeable by 101:0 Ensure /var/log/nginx is writeable by GID 0 Aug 18, 2023
@sigv sigv mentioned this pull request Aug 18, 2023
6 tasks
@sigv sigv force-pushed the log-rw-101-0 branch 2 times, most recently from 44c3692 to b5784b6 Compare August 22, 2023 08:29
@vepatel
Copy link
Contributor

vepatel commented Aug 22, 2023

Hi @sigv can you please open an issue for this PR: https://github.com/nginxinc/kubernetes-ingress/blob/main/CONTRIBUTING.md#open-a-pull-request thanks!

@sigv
Copy link
Contributor Author

sigv commented Aug 22, 2023

@vepatel, opened and referenced #4279.

@sigv sigv force-pushed the log-rw-101-0 branch 4 times, most recently from a304611 to 7ab723f Compare August 30, 2023 07:20
@codecov
Copy link

codecov bot commented Sep 1, 2023

Codecov Report

Merging #4269 (4c5f307) into main (9a52e02) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #4269      +/-   ##
==========================================
- Coverage   52.00%   51.99%   -0.02%     
==========================================
  Files          59       59              
  Lines       16960    16960              
==========================================
- Hits         8820     8818       -2     
- Misses       7845     7847       +2     
  Partials      295      295              

see 1 file with indirect coverage changes

📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today!

@sigv sigv force-pushed the log-rw-101-0 branch 4 times, most recently from d640e6c to 6b93eec Compare September 7, 2023 17:39
@sigv sigv force-pushed the log-rw-101-0 branch 9 times, most recently from 083732d to 13219c8 Compare September 19, 2023 19:12
@sigv sigv force-pushed the log-rw-101-0 branch 4 times, most recently from 9ef13ec to e98cc72 Compare September 20, 2023 19:38
@sigv sigv force-pushed the log-rw-101-0 branch 7 times, most recently from 30030e0 to 78bce8d Compare October 19, 2023 15:44
@sigv sigv force-pushed the log-rw-101-0 branch 4 times, most recently from 21edb11 to 0d31e25 Compare October 28, 2023 22:13
@sigv sigv force-pushed the log-rw-101-0 branch 3 times, most recently from 10834df to fe561c6 Compare November 2, 2023 19:33
Copy link
Member

@lucacome lucacome left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the long wait again @sigv

I guess it doesn't cost us anything to set the permissions for /var/log/nginx and be on the safe side.

@lucacome lucacome requested a review from a team November 3, 2023 01:53
@sigv
Copy link
Contributor Author

sigv commented Nov 3, 2023

Sorry for the long wait again

No worries! I fully understand things sometimes take time 🙂

0c8462d shuffled lines around and there's now a merge conflict to resolve.
I will squeeze this in around end of day (Europe), so the blocker doesn't stick around over the weekend. 🤞🏻

@sigv
Copy link
Contributor Author

sigv commented Nov 4, 2023

Tests are failing as they want to re-build the Nginx Plus components for which my repo doesn't have the certificate. 😞

@sigv sigv force-pushed the log-rw-101-0 branch 2 times, most recently from a1d5c86 to dfd1f02 Compare November 7, 2023 10:22
In a standard deployment, error log is written to `/dev/stderr` and
access log is written to `/dev/stdout`. Furthermore, `error.log` and
`access.log` in `/var/log/nginx` are mapped to the respective stdio.
However, a deployment may override configuration, and remove the
symbolic links, to write to the container storage directly.

OpenShift tries to impose various restrictions by default. One of these
is for UID/GID used by the container process. If these restrictions are
supported in future, adjustments to file system permissions need to be
done so that /var/log/nginx remains writeable. Specifically, OpenShift
adds GID 0 as supplemental to container process for file system
operations.

This PR ensures the nginx user (UID `101`) and root group (GID `0`) owns
the log directory, and that owner group permissions match the owner user
permissions (`g=u`). This ensures that OpenShift deployments retain
write permissions in future.
Copy link
Contributor

@shaun-nx shaun-nx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again for being patient with us @sigv !

@sigv
Copy link
Contributor Author

sigv commented Nov 8, 2023

I'm not sure how the Alpine error could be triggered by this change (Error getting Endpoints for Upstream backend1: error retrieving endpoints for the service backend1-svc: no endpointslices for target port 8080 in service backend1-svc)

@shaun-nx
Copy link
Contributor

shaun-nx commented Nov 8, 2023

@sigv That particular log message happens when we're enumerating pods before they are ready. From the logs its looks like the pods for that test took too long to become ready.

@shaun-nx
Copy link
Contributor

shaun-nx commented Nov 8, 2023

@sigv I've re-run the failed test and everything is green now. Just waiting on images to be built and we should be good 😄

@shaun-nx shaun-nx merged commit 0e1e647 into nginx:main Nov 8, 2023
63 checks passed
@shaun-nx
Copy link
Contributor

shaun-nx commented Nov 8, 2023

🚀

@sigv sigv deleted the log-rw-101-0 branch November 8, 2023 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Allow writing to default log directory for nginx:root
5 participants