vmaillot opened a new issue, #326: URL: https://github.com/apache/apisix-docker/issues/326
Hey there,

In advance, thanks for your time and help.

# Context

I was trying to make Apisix run in an OpenShift cluster but without having root running the container. To do so I am using the official upstream Helm [chart](https://github.com/apache/apisix-helm-chart).

I was able to run everything but the Apisix deployment without root. A workaround is to use the [SCC](https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html) as `anyuid` on the service account running the application to let the application run as user root (0).

Obviously in a perfect world we do not want that. That is why I am asking if it would be possible to make the application run as a non-root user.

When trying this solution with the help of the Helm chart, and without setting up the SCC, I am getting the error below:

```
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
failed to update nginx.conf: failed to open file: /usr/local/apisi/conf/nginx.conf, error info:/usr/local/apisix/conf/nginx.conf: Permission denied
```

The error makes total sense, as the generated nginx configuration has these permissions:

```
bash-5.1# ls -la /usr/local/apisix/conf/nginx.conf
-rw-r--r-- 1 root root 11422 Jul 5 10:49 /usr/local/apisix/conf/nginx.conf
```

# Solutions

The first easy solution would be to add write access for the group root on this file, as every container is started with the root group (0) on OpenShift. The nginx configuration seems to be generated somehow; maybe it would be doable to add the write permission for the group on the fly?

The second one is a bit more tricky and might require more work, but would simply follow the [Best practices for writing Dockerfiles](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user). Again, maybe we have an application limitation, but I think that should be feasible!

Please let me know if something is unclear or not understood here.

Thanks for evaluating this proposition of a new feature to gain a bit of flexibility and security while running Apisix.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
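
The permission problem described in the issue can be checked for across a whole directory tree before deploying. The following is an added example, not part of the original message or of the APISIX project; the function name `list_not_group_writable` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the APISIX image).
# Audits a tree for paths that a container started with an arbitrary UID
# and the root group (0), as the issue describes for OpenShift, could not
# write: anything not owned by the group, or missing the group write bit.
#
# Usage (after sourcing this file):
#   list_not_group_writable /usr/local/apisix        # checks against gid 0
#   list_not_group_writable /some/dir 1000           # checks another gid
#
# Prints each offending path. Returns 0 if none were found, 1 otherwise.
list_not_group_writable() {
    _dir=$1
    _gid=${2:-0}
    # Symlinks are skipped: their own mode bits do not control access.
    # -perm -020 matches entries that have the group write bit set.
    _out=$(find "$_dir" ! -type l \
        \( ! -group "$_gid" -o ! -perm -020 \) -print 2>/dev/null)
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out"
        return 1
    fi
    return 0
}
```

Run inside the image, a file such as the `-rw-r--r-- root root` nginx.conf shown in the issue is reported because the group write bit is missing.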
