From 44c12735d50e8728dbf5cee89cf8334d78addd07 Mon Sep 17 00:00:00 2001 From: Sam Weston <11150054+cablespaghetti@users.noreply.github.com> Date: Thu, 23 Mar 2023 17:18:37 +0000 Subject: [PATCH 1/3] Improve documentation around running using EKS IRSA --- docs/getting_started.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/getting_started.md b/docs/getting_started.md index eaf97b73..6704afca 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -159,6 +159,8 @@ docker run --env-file ./settings --publish 80:8080 --name nginx-s3-gateway \ nginx-s3-gateway:unprivileged-oss ``` +It is worth noting that due to the way the startup scripts work, even the unprivileged container will not work with a read-only root filesystem or a specific uid/gid set other then the default of `101`. + ### Building the NGINX Plus Container Image In order to build the NGINX Plus container image, copy your NGINX Plus @@ -297,6 +299,7 @@ If you are planning to use the container image on an EKS cluster, you can use a - As soon as the pods/deployments are updated, you will see the couple of Env Variables listed below in the pods. - `AWS_ROLE_ARN` - Contains IAM Role ARN - `AWS_WEB_IDENTITY_TOKEN_FILE` - Contains the token which will be used to create temporary credentials using AWS Security Token Service. +- You must also set the `AWS_REGION` and `JS_TRUSTED_CERT_PATH` environment variables as shown below in addition to the normal environment variables listed in the Configuration section. The following is a minimal set of resources to deploy: ```yaml @@ -341,12 +344,17 @@ spec: value: "virtual" - name: S3_REGION value: "" + - name: AWS_REGION + value: "" - name: AWS_SIGS_VERSION value: "4" - name: ALLOW_DIRECTORY_LIST value: "false" - name: PROVIDE_INDEX_PAGE value: "false" + - name: JS_TRUSTED_CERT_PATH + value: "/etc/ssl/certs/Amazon_Root_CA_1.pem" + ports: - name: http containerPort: 80 From bea4974c02c98cdabd539f34f1ea04ab249d93eb Mon Sep 17 00:00:00 2001 
From: Simeon Castle <187514937+sim-tails@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:44:12 +0000 Subject: [PATCH 2/3] Update Dockerfile.unprivileged --- Dockerfile.unprivileged | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile.unprivileged b/Dockerfile.unprivileged index 87ffcce2..349917b7 100644 --- a/Dockerfile.unprivileged +++ b/Dockerfile.unprivileged @@ -3,12 +3,14 @@ # to allow running NGINX S3 Gateway as a non root user. # Steps are based on the official unprivileged container: # https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-debian.template -FROM nginx-s3-gateway +FROM docker.io/nginxinc/nginx-s3-gateway:latest # Implement changes required to run NGINX as an unprivileged user RUN sed -i "/^server {/a \ listen 8080;" /etc/nginx/templates/default.conf.template \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ && sed -i 's#http://127.0.0.1:80#http://127.0.0.1:8080#g' /etc/nginx/include/s3gateway.js \ + && sed -i 's#80#8080#g' /etc/nginx/conf.d/default.conf \ + && sed -i 's#80#8080#g' /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh \ && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ # Nginx user must own the cache and etc directory to write cache and tweak the nginx config From de19163d07aa0ee0af0072d6cde5f394fb0e32de Mon Sep 17 00:00:00 2001 From: Simeon Castle <187514937+sim-tails@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:44:52 +0000 Subject: [PATCH 3/3] fix hack for local dev --- Dockerfile.unprivileged | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.unprivileged b/Dockerfile.unprivileged index 349917b7..f61a7bc9 100644 --- a/Dockerfile.unprivileged +++ b/Dockerfile.unprivileged 
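Review bot: The two added `sed -i 's#80#8080#g'` lines rewrite every run of the digits `80` anywhere in `/etc/nginx/conf.d/default.conf` and in `/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh`, not only the listen ports, so any other value containing `80` (a timeout, a size, or an already-rewritten `8080` on a second pass) is silently corrupted and the step is not idempotent. Anchor the substitution to the directive instead, e.g. `sed -i -E 's#(listen[[:space:]]+(\[::\]:)?)80;#\18080;#' /etc/nginx/conf.d/default.conf`, with the equivalent anchored form for the ipv6 script. Note also that the first `sed` in this RUN edits `/etc/nginx/templates/default.conf.template`; if the entrypoint renders that template over `/etc/nginx/conf.d/default.conf` at container start (as the upstream nginx image's template step does), the build-time edit of `default.conf` is overwritten and only the template change takes effect — worth confirming before relying on it. The RUN instruction continues past the end of the hunk.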
@@ -3,7 +3,7 @@ # to allow running NGINX S3 Gateway as a non root user. # Steps are based on the official unprivileged container: # https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-debian.template -FROM docker.io/nginxinc/nginx-s3-gateway:latest +FROM nginx-s3-gateway # Implement changes required to run NGINX as an unprivileged user RUN sed -i "/^server {/a \ listen 8080;" /etc/nginx/templates/default.conf.template \
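Review bot: `FROM nginx-s3-gateway` on the new side is an untagged reference, which resolves to the implicit `:latest` of whatever image happens to be present locally, so the unprivileged build is not reproducible on any machine that has not just built the base image. Keeping the local-dev default while letting CI pin a registry tag or digest needs only a build argument: `ARG BASE_IMAGE=nginx-s3-gateway` above the `FROM`, then `FROM ${BASE_IMAGE}`. A short comment above it, e.g. `# Defaults to the locally built nginx-s3-gateway image; override BASE_IMAGE to pin a published tag or digest`, would also record why the reference is untagged, which the commit title ("fix hack for local dev") only implies.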