Setup frontend production container to run as non-privileged user #115

Closed
tfrisk opened this issue Sep 29, 2020 · 9 comments
Assignees
Labels
enhancement New feature or request

Comments

@tfrisk
Contributor

tfrisk commented Sep 29, 2020

Is your feature request related to a problem? Please describe.
OpenShift platform requires containers to run as non-privileged users. In practice that means containers cannot have root access. This means file access to root filesystem is read-only and privileged network ports (below 1024) should not be used. Current Dockerfile-prod setup does not work with OpenShift without modifications.

Describe the solution you'd like
For production docker image, use non-privileged port (for example 8080) and adjust nginx pid+temp file paths to /tmp.

Describe alternatives you've considered
Alternatively you can provide openshift-specific production dockerfile for frontend container.

Additional context
I can provide base config and test the deployment in openshift cluster.

@tfrisk tfrisk added the enhancement New feature or request label Sep 29, 2020
@ville-friman-siili ville-friman-siili self-assigned this Sep 30, 2020
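
What the request above asks for, written out as a complete production image (an added example, not the project's Dockerfile-prod or the fork linked later in the thread). The node build stage, the /app/build output directory and the BACKEND_URL variable are assumptions about the frontend; the nginx side follows the issue description: listen on 8080, move the pid file and temp paths under /tmp, and make the one directory the official image's entrypoint scripts edit writable by GID 0, since OpenShift's restricted SCC runs the container as a random UID that is a member of the root group. The heredoc COPY needs the BuildKit Dockerfile syntax named on the first line.

```dockerfile
# syntax=docker/dockerfile:1.4
# Added example image for a non-root / OpenShift-compatible frontend container.
# Build stage: assumed layout (node, npm run build -> /app/build); adjust to the project.
FROM node:14-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
ARG backend_url
# BACKEND_URL is an assumed name for how the build consumes backend_url.
ENV BACKEND_URL=$backend_url
RUN npm run build

FROM nginx:1.19-alpine

# Replacement nginx.conf for a process that is not root:
#  - no "user" directive (the platform decides the UID, nginx keeps it)
#  - listen on an unprivileged port
#  - pid file and all temp paths under /tmp, which is world-writable in the image
#  - logs to the container's stdout/stderr instead of /var/log/nginx
COPY <<'EOF' /etc/nginx/nginx.conf
worker_processes auto;
pid /tmp/nginx.pid;
error_log /dev/stderr warn;

events { worker_connections 1024; }

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    access_log    /dev/stdout;

    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    server {
        listen 8080;
        root /usr/share/nginx/html;
        location / { try_files $uri /index.html; }
    }
}
EOF

COPY --from=build /app/build /usr/share/nginx/html

# The image's /docker-entrypoint.d scripts (10-listen-on-ipv6-by-default.sh,
# 20-envsubst-on-templates.sh) rewrite files in /etc/nginx/conf.d at start-up.
# Under an arbitrary UID that only works if the directory is owned by group 0
# and group-writable; "g=u" copies the owner bits to the group.
RUN chgrp -R 0 /etc/nginx/conf.d \
 && chmod -R g=u /etc/nginx/conf.d

# Numeric UID (the image's nginx user) so runAsNonRoot checks can verify it;
# OpenShift will override it with its own range, which is fine with the layout above.
USER 101
EXPOSE 8080
```

To reproduce the OpenShift conditions on plain Docker before pushing, start the image with an unexpected UID in the root group, e.g. docker run --user 12345:0 -p 8080:8080 foo:latest, and check that the entrypoint scripts and nginx start without "Permission denied". nginx also publishes an nginxinc/nginx-unprivileged image that ships with this port and pid layout already applied, which is the alternative to maintaining the config by hand.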
@ville-friman-siili
Contributor

I'll look into this.

@tfrisk
Contributor Author

tfrisk commented Sep 30, 2020

Thanks. I have a draft version that runs on openshift in my own fork: master...tfrisk:openshift-deployment

@ville-friman-siili
Contributor

@tfrisk
Contributor Author

tfrisk commented Oct 1, 2020

Tested with that branch. Container failed to start:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: error: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/10/01 10:06:53 [emerg] 1#1: open() "/tmp/log/error.log" failed (13: Permission denied)
nginx: [emerg] open() "/tmp/log/error.log" failed (13: Permission denied)
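
Both failures in that log come from the image layout rather than from nginx itself: the entrypoint script cannot write /etc/nginx/conf.d/default.conf, and the error.log directory is not writable by the UID the cluster picked. The following preflight script is an added example (not the project's tooling and not part of this thread) that checks an nginx.conf plus a staged image root for exactly these conditions before the image is pushed: no listen port below 1024, every runtime write path in an existing group-writable directory, and conf.d writable whenever /docker-entrypoint.d scripts are present. The rule "group 0 must be able to write" is the OpenShift restricted-SCC behaviour (random UID, member of GID 0); the directive list is the set of paths nginx writes at runtime.

```shell
#!/bin/sh
# Added preflight check for a non-root nginx image (example code, not the project's).
#   lint_nginx_unprivileged <nginx.conf> <rootfs-dir>
# Returns 0 when clean, 1 with each finding printed to stderr.
# <rootfs-dir> is a staged copy of the image filesystem (or "" for the live root).

group_writable_dir() {
    # True when $1 exists, is a directory, and has the group write bit set.
    # -prune stops find from descending; -perm -020 is the g+w bit in octal.
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm -020 2>/dev/null)" ]
}

lint_nginx_unprivileged() {
    conf=$1
    root=${2%/}
    rc=0

    # 1. Privileged ports: a process that is not root cannot bind below 1024.
    #    Handles "listen 80;", "listen 0.0.0.0:80;", "listen [::]:80 default_server;".
    for port in $(awk '$1 == "listen" { v = $2; sub(/;$/, "", v); sub(/.*:/, "", v); print v }' "$conf"); do
        case $port in
            *[!0-9]*) ;;   # unix: socket or similar, nothing to check
            *) if [ "$port" -lt 1024 ]; then
                   echo "listen $port: privileged port, use 1024 or above (e.g. 8080)" >&2
                   rc=1
               fi ;;
        esac
    done

    # 2. Runtime write paths: pid file, logs and temp directories. Each must sit
    #    in a directory that exists in the image and is group-writable.
    #    /dev/stdout and /dev/stderr are exempt, as is "access_log off".
    writes='^(pid|error_log|access_log|client_body_temp_path|proxy_temp_path|fastcgi_temp_path|uwsgi_temp_path|scgi_temp_path)$'
    for p in $(awk -v re="$writes" '$1 ~ re { v = $2; sub(/;$/, "", v); if (v ~ /^\// && v !~ /^\/dev\//) print v }' "$conf"); do
        target=$root$p
        # temp_path directives name a directory; pid/log directives name a file.
        if [ -d "$target" ]; then dir=$target; else dir=$(dirname "$target"); fi
        if ! group_writable_dir "$dir"; then
            echo "$p: ${dir#"$root"} is missing or not group-writable (chgrp 0 + chmod g+w)" >&2
            rc=1
        fi
    done

    # 3. The official image's /docker-entrypoint.d scripts rewrite
    #    /etc/nginx/conf.d/default.conf at start-up (the
    #    10-listen-on-ipv6-by-default.sh error), so conf.d must be writable too.
    if [ -n "$(find "$root/docker-entrypoint.d" -type f 2>/dev/null)" ] \
       && ! group_writable_dir "$root/etc/nginx/conf.d"; then
        echo "/etc/nginx/conf.d: not group-writable, entrypoint scripts cannot edit default.conf" >&2
        rc=1
    fi

    return $rc
}

# Constructed demo (not a real image): the pre-fix layout with listen 80 and
# the pid/log directories owned by root with mode 755. Expect three findings.
demo=$(mktemp -d)
mkdir -p "$demo/var/run" "$demo/var/log/nginx"
chmod 755 "$demo/var/run" "$demo/var/log/nginx"
printf 'listen 80;\npid /var/run/nginx.pid;\nerror_log /var/log/nginx/error.log;\n' > "$demo/bad.conf"
lint_nginx_unprivileged "$demo/bad.conf" "$demo" || echo "demo: image layout is not usable as non-root"
rm -rf "$demo"
```

Run it against an exported image root (docker create plus docker export, or a multi-stage COPY of the final filesystem) rather than the build context, because the permissions that matter are the ones in the final layer.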

@ville-friman-siili
Contributor

That's odd. If I build the container locally with the command docker build --build-arg backend_url=http://localhost -t foo -f ./Dockerfile-prod . then it starts normally with docker run -t -p 8080:8080 foo:latest and http://localhost:8080 shows the front page. Can you give more information about the system where you try to run the container?

@tfrisk
Contributor Author

tfrisk commented Oct 2, 2020

I'm running it on our OpenShift cluster, https://research.csc.fi/en/-/rahti

OpenShift is known to have stricter requirements than plain docker/kubernetes, as it's targeted at more enterprise use.

My own fork I linked in previous comment works fine. It uses a bit dumber approach to build the frontend container.

@ville-friman-siili
Contributor

I updated the branch and moved the log files back to their original locations under the /var/log directory. I hope that this works, because the next step would be that nginx is started by root, not the nginx user.

@tfrisk
Contributor Author

tfrisk commented Oct 2, 2020

It works now, awesome! Thanks Ville.

These changes, together with removing the extra exit() from backend_server (discussed here: #114), make a working OpenShift combo.

@ville-friman-siili
Contributor

These changes have merged to master branch yesterday so closing this issue.


2 participants