nginx:[emerg] 在 Openshift 上绑定()到 0.0.0.0:80 失败(13:权限被拒绝)

问题描述 投票:0回答:3

我正在尝试查看使用 Angular 构建的门户,使用 netcore 后端在 docker swarm 上流畅运行。当我尝试在 openshift 上部署角度图像时,出现以下错误;

[emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

首先,我使用“nginx:1.19.6-alpine”作为root用户创建了nginx部署并定义了服务帐户(anyuid),它工作正常。然后我尝试使用“nginxinc/nginx-unprivileged”映像创建 openshift 部署以作为非 root 用户运行。我根据“nginxinc/nginx-unprivileged”图像更改了 nginx.conf 。我再次定义了服务帐户,但它抛出“bind() to 0.0.0.0:80 failed (13: Permission returned)”错误。

容器80端口开放。没有任何入口。服务使用80端口公开路由。解决办法是什么?

这是我的 Dockerfile;

### STAGE 1: Build ###
FROM node:12.18-alpine as build-env
ENV TZ=Europe/Istanbul

RUN export NG_CLI_ANALYTICS=false

COPY ng/package.json ng/package-lock.json  ng/.npmrc ./
COPY ng/projects/package.json ./projects/package.json

RUN npm install && pwd && ls -ltra

COPY ./ng/ ./

RUN time node --max_old_space_size=12000 node_modules/@angular/cli/bin/ng build project --configuration production
WORKDIR /usr/src/app/dist/

COPY ng/.npmrc ./

RUN npm publish

WORKDIR /usr/src/app/

RUN time node --max_old_space_size=12000 node_modules/@angular/cli/bin/ng build portal --configuration production

### STAGE 2: Run ###

FROM nginxinc/nginx-unprivileged:1.23-alpine as runtime-env
ENV TZ=Europe/Istanbul

COPY ng/nginx.conf /etc/nginx/nginx.conf
COPY ng/nginx.template.conf /etc/nginx/nginx.template.conf
COPY --from=build-env /usr/src/app/dist/portal/ /usr/share/nginx/html/

CMD ["/bin/sh",  "-c",  "envsubst < /usr/share/nginx/html/assets/env.template.js > /usr/share/nginx/html/assets/env.js && envsubst '$API_URL' < /etc/nginx/nginx.template.conf > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"]

nginx.conf 文件:



worker_processes  auto;   # nginx.conf file taken from nginxinc_nginx-unprivileged image

error_log  /var/log/nginx/error.log notice;
pid        /tmp/nginx.pid;


events {
    worker_connections  1024;
}


http {
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

nginx.template.conf

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        try_files $uri $uri/ /index.html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /api {
        proxy_pass ${API_URL};
        proxy_pass_request_headers on;
        #rewrite /api/(.*) /$1  break;
    }
}

我在部署中使用了所有服务帐户,例如 nonroot、hostaccess、hostmount-anyuid、priviedged、restricted 和 anyuid。

我还尝试将以下命令添加到 dockerfile 中:

"RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
chmod -R 770 /var/cache/nginx /var/run /var/log/nginx"

这里获取。

docker kubernetes nginx networking openshift
3个回答
2
投票

OpenShift 不会以 root 身份运行您的容器,因此它无法侦听端口 80。选择 >1024 的端口,例如改为端口 8080,它应该可以工作。


1
投票

我发现错误了。我必须将

nginx.template.conf
80
更改为
8080
。但
openshift
并没有重新部署。所以我部署了一个新图像来解决这个问题。


0
投票

对于那些必须监听

<1024
端口(例如端口
80
)的人,最好放弃所有 Linux 功能 并仅添加
NET_BIND_SERVICE
功能,而不是作为根容器运行:

   securityContext:
     capabilities:
       add:
       - NET_BIND_SERVICE
       drop:
       - ALL

这里阅读更多内容。

© www.soinside.com 2019 - 2024. All rights reserved.