Running nginx as non-root in Docker container gives permission denied error

linux nginx docker permission-denied
Aides picture Aides · Oct 2, 2016 · Viewed 8.7k times · Source

I have the following Dockerfile 

FROM ubuntu:14.04
EXPOSE 8000

# Install nginx
RUN apt-get update -q \
    && apt-get install --no-install-recommends --no-install-suggests -y -q \
                        nginx \
    && rm -rf /var/lib/apt/lists/*

COPY ./nginx.conf /etc/nginx/
COPY ./index.html /usr/share/nginx/test/

RUN groupadd -r webgroup \
    && useradd -r -m -g webgroup webuser \
    && touch /run/nginx.pid \
    && chown -R webuser:webgroup /var/log/nginx /var/lib/nginx /run/nginx.pid 

USER webuser
CMD nginx

When I run it I get Permission denied on /var/log/nginx:

mikhails-mbp:test-docker-nginx mkuleshov$ docker run -p 8000:8000 mytest
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2016/10/02 17:02:51 [emerg] 5#0: open() "/var/log/nginx/access.log" failed (13: Permission denied)

If I get into the container with bash I see:

webuser@d190146a0e8d:/var/log/nginx$ ls -la
total 8
drwxr-x--- 2 webuser webgroup 4096 Jun  2 15:16 .
drwxrwxr-x 8 root    syslog   4096 Oct  2 17:02 ..

How is it possible? During the above session I also cannot create files under that user.

Thing that helped: Removing the /var/log/nginx and recreating it again. But I have no idea why this happens.

There is no SELinux.

Has anyone encountered anything like that or is there anything I'm doing wrong?

P.S. Here is docker info if it can help

mikhails-mbp:test-docker-nginx mkuleshov$ docker info
Containers: 179
 Running: 0
 Paused: 0
 Stopped: 179
Images: 901
Server Version: 1.11.2
Storage Driver: aufs
 Root Dir: /mnt/sda1/var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 1109
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 4.4.12-boot2docker
Operating System: Boot2Docker 1.11.2 (TCL 7.1); HEAD : a6645c3 - Wed Jun  1 22:59:51 UTC 2016
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.955 GiB
Name: default
ID: 3K5S:3QBN:BXGY:FASS:VG6P:D4CS:UXRK:GYXB:HJQG:SIQH:F6KQ:N4BN
Docker Root Dir: /mnt/sda1/var/lib/docker
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 15
 Goroutines: 32
 System Time: 2016-10-02T17:08:51.355144074Z
 EventsListeners: 0
Username: mkuleshov
Registry: https://index.docker.io/v1/
Labels:
 provider=virtualbox

P.P.S. Here is a test repo with configs for that case: https://github.com/aides/test-docker-nginx

Answer

Egor Nazarov picture Egor Nazarov · Oct 3, 2016

Most likely adding your user into adm group will solve your issue.

Try sudo usermod -aG adm webuser

More details: https://askubuntu.com/questions/421684/cant-access-apache-error-logs

Related questions

How to run Nginx within a Docker container without halting?

I have Nginx installed on a Docker container, and am trying to run it like this: docker run -i -t -p 80:80 mydockerimage /usr/sbin/nginx The problem is that the way Nginx works, is that the initial process immediately spawns …

Read More
Docker and connections between containers

I'm trying create connections between docker's containers. One container with php5-fpm and second with nginx. Config for php5-fpm default, just few changes: listen = 9000 listen.allowed_clients = and nginx (/etc/nginx/sites-available/default): server { listen 80 default_server; #listen [::]:80 default_…

Read More
nginx not listening to port 80

I've just installed a Ubuntu 12.04 server and nginx 1.2.7, removed default from sites-enabled and added my own file into sites-available and symlink at sites-enabled. Then restarted nginx. Problem: However going to the URL does not load the site. netstat -nlp | grep …

Read More