This repository has been archived by the owner on May 7, 2021. It is now read-only.

Deployment failing in generic hosts with permission issues in deploy image #2375

Open
debloper opened this issue Dec 20, 2017 · 6 comments

@debloper
Contributor

debloper commented Dec 20, 2017

In docker-compose, minishift or regular docker-run, the deploy image fails with:

ls: cannot open directory /var/lib/nginx/: Permission denied
total 8
drwxrwxrwx. 1 nginx nginx 4096 Mar 20  2017 .
drwxr-xr-x. 1 root  root  4096 Sep 25 03:37 ..

Reference point for this issue, from the original base-image:
https://github.com/kbsingh/openshift-nginx/blob/master/root/run.sh#L6

The particular command itself isn't fatal, but it bails out with a fail and also gives the idea that the following commands will also fail, especially the one at https://github.com/kbsingh/openshift-nginx/blob/master/root/run.sh#L9 which is important.

Whether we should use the root user or escalate the privileges of the current user is probably the question here.
We should also investigate why and how this works in the CI/CD pipeline.

@pranavgore09
Contributor

I tried to build the image locally using cico_build_deploy.sh, and running the pod gives me the same error:

----
uid=1000(fabric8) gid=1000(fabric8) groups=1000(fabric8)
----
ls: cannot open directory /var/lib/nginx/: Permission denied
total 8
drwxrwxrwx 2 nginx nginx 4096 Mar 20  2017 .
drwxr-xr-x 6 root  root  4096 Sep 25 03:37 ..
nginx: [emerg] invalid number of arguments in "set" directive in /etc/nginx/nginx.conf:78

Notice the last line in the error, which complains about nginx.conf. From where is that file injected?

@jarifibrahim
Member

@pranavgore09 Did you set the PROXY_PASS_URL? AFAIK, this error is because of PROXY_PASS_URL not set.

@pranavgore09
Contributor

@jarifibrahim yes I added that, still not looking good.

@debloper I could figure out the permission error.
I had to add the following line in https://github.com/fabric8-ui/fabric8-ui/blob/master/Dockerfile.deploy

RUN chmod -R 777 /var/lib/nginx/

run.sh was crying for that directory.
And run.sh is found in the container, and it looks like the following:

bash-4.2$ cat run.sh
#!/bin/bash
/template.sh /usr/share/nginx/html
VARS='$PROXY_PASS_URL' /template.sh /etc/nginx/nginx.conf  
echo "----"
id
echo "----"

ls -al /var/lib/nginx/
ls -al /var/log/nginx/

nginx -c /etc/nginx/nginx.conf

That is the entrypoint for fabric8-ui.

@debloper
Contributor Author

debloper commented Dec 21, 2017

@jarifibrahim this issue isn't regarding the $PROXY_PASS_URL, ref: #2360
This is caused by switching to a non-root user before finishing super-user tasks in the nginx-base image.

@pranavgore09 I really hate how we practice security in here.
I know that's the lowest impact fix, but wish we didn't have to take that path & had a proper solution.

@pranavgore09
Contributor

@debloper maybe, I do not really understand security in this case, no opinion as of now 😄

@jarifibrahim
Member

@debloper @pranavgore09 The issue exists because the fabric8-ui/fabric8-ui image uses the fabric8-ui/fabric8-ui-openshift-nginx image, and fabric8-ui/fabric8-ui-openshift-nginx uses the kbsingh/openshift-nginx image. That is:
fabric8-ui/fabric8-ui[0] -> fabric8-ui/fabric8-ui-openshift-nginx[1] -> kbsingh/openshift-nginx[2]

Now, the /var/lib/nginx folder is owned by the nginx user by default (this is the expected behavior), but we start the fabric8-ui container as user fabric8[3]. So when the fabric8 user tries to list the contents of the /var/lib/nginx folder, it gets permission denied.

@debloper About the following error - it isn't actually fatal. I agree that it should be fixed, but the image works fine even with this error.

ls: cannot open directory /var/lib/nginx/: Permission denied
total 8
drwxrwxrwx. 1 nginx nginx 4096 Mar 20  2017 .
drwxr-xr-x. 1 root  root  4096 Sep 25 03:37 ..

The PR fabric8-services/fabric8-wit#1817 uses the same fabric8-ui docker image and it works fine.

[0] - https://github.com/fabric8-ui/fabric8-ui/blob/master/Dockerfile.deploy
[1] - https://github.com/fabric8-ui/fabric8-ui-openshift-nginx/blob/master/Dockerfile
[2] - https://github.com/kbsingh/openshift-nginx/blob/master/Dockerfile
[3] - https://github.com/fabric8-ui/fabric8-ui/blob/master/Dockerfile.deploy#L11
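
A startup check that could stand in for the two diagnostic `ls -al` lines in run.sh, as an added example that is not part of the original thread or the fabric8-ui project: it fails fast when the runtime user cannot use a directory, and it flags world-writable modes such as the one `chmod -R 777` produces. The function names `check_dir` and `preflight` are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the runtime directories that run.sh lists.
# Constructed for illustration; function names are hypothetical.

# check_dir DIR -> prints one of: missing | denied | world-writable | ok
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    # nginx needs to list (r), create files in (w) and traverse (x) the dir
    if ! { [ -r "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]; }; then
        echo denied
        return 0
    fi
    # -perm -0002 matches when the "other" write bit is set (e.g. mode 777)
    if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo world-writable
        return 0
    fi
    echo ok
}

# preflight DIR... -> returns 1 if any directory is missing or denied
preflight() {
    rc=0
    for d in "$@"; do
        state=$(check_dir "$d")
        case $state in
            missing|denied)
                echo "FAIL $d: $state for uid $(id -u)" >&2
                rc=1 ;;
            world-writable)
                echo "WARN $d: writable by every user in the container" >&2 ;;
            ok)
                echo "OK   $d" ;;
        esac
    done
    return $rc
}

# Usage in an entrypoint, before starting nginx:
#   preflight /var/lib/nginx /var/log/nginx || exit 1
```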
