
Read-only container #7

Closed
wants to merge 2 commits into from

Conversation

josephpage
Copy link
Contributor

  1. Since the fastcgi module is enabled (bbe22b7), the --http-fastcgi-temp-path parameter should be passed.
  2. Using the container in read-only mode (Add --read-only for read only container rootfs moby/moby#10093) is good for security and maintainability. docker diff shows that some files are added in /var/nginx today. So I suggest adding a volume for this path.

Today:

# docker diff shows changes in the root file system

$ docker run -d -P --name openresty ficusio/openresty
163f8649d4c107d9bfac0b8f9d181e0b7fa093f462d04585e1a5c04d93032542
$ docker diff openresty
C /opt
C /opt/openresty
C /opt/openresty/nginx
A /opt/openresty/nginx/fastcgi_temp  # moved with --http-fastcgi-temp-path
C /var
C /var/nginx
A /var/nginx/access.log
A /var/nginx/client_body_temp
A /var/nginx/error.log
A /var/nginx/nginx.pid
A /var/nginx/proxy_temp
# Tests with read-only root file system (--read-only option)

$ docker run -d -P --name openresty --read-only=true ficusio/openresty
b43ca13b88af9f3c31fccfd03140d62164fb6b17888ee3d8c69d118195e33ed5
$ docker logs openresty
nginx: [alert] could not open error log file: open() "/var/nginx/error.log" failed (30: Read-only file system)
2015/08/05 15:19:18 [emerg] 1#0: mkdir() "/var/nginx/client_body_temp" failed (30: Read-only file system)

After this PR:

$ docker run -d -P --name openresty openresty:readonly
85f7122b42956a9e8ac277e1050a3f054054b2c56bdabf9200993bc23450cd38
$ docker diff openresty
     <nothing>

$ docker rm -vf openresty
openresty
$ docker run -d -P --name openresty --read-only=true openresty:readonly
ec7f3ac3f97d336f8096b3836a608e6999c570faaaa5c245f49ac38a7c71b4ed
$ docker logs openresty
2015/08/05 15:43:21 [notice] 1#0: using the "epoll" event method
2015/08/05 15:43:21 [notice] 1#0: openresty/1.7.10.2
2015/08/05 15:43:21 [notice] 1#0: built by gcc 4.9.2 (Alpine 4.9.2) 
2015/08/05 15:43:21 [notice] 1#0: OS: Linux 4.0.7-boot2docker
2015/08/05 15:43:21 [notice] 1#0: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2015/08/05 15:43:21 [notice] 1#0: start worker processes
2015/08/05 15:43:21 [notice] 1#0: start worker process 6

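The diff above is the evidence for the change: every entry outside a declared volume is a write that turns into "(30: Read-only file system)" once --read-only is on. The script below is an added example, not code from the ficusio/openresty project; it takes docker diff output plus the prefixes you intend to mount writable and flags every remaining write, so the same check can be repeated after relocating a path or adding a volume. The sample diff is constructed from the one in this PR description; audit_container is a hypothetical wrapper that only works where docker is installed.

```sh
#!/bin/sh
# Added example, not code from the ficusio/openresty project.
# Before relying on --read-only, find out which paths a container actually
# writes to: run it once writable, capture `docker diff`, and flag every write
# that is not under a path you intend to cover with a volume or tmpfs.
# Such writes are exactly what fails with "(30: Read-only file system)".

# unexpected_writes "<docker diff output>" <allowed-prefix>...
# Prints each A/C/D entry outside the allowed prefixes; returns 1 if any.
unexpected_writes() {
    diff_output=$1
    shift
    bad=$(
        printf '%s\n' "$diff_output" | while IFS= read -r line; do
            [ -n "$line" ] || continue
            path=${line#* }
            # "C /var" style entries are only parents of real changes below
            # them; skip anything that has deeper entries in the same diff.
            if printf '%s\n' "$diff_output" | grep -qF -- " $path/"; then
                continue
            fi
            allowed=0
            for prefix in "$@"; do
                case "$path" in
                    "$prefix"|"$prefix"/*) allowed=1; break ;;
                esac
            done
            [ "$allowed" -eq 1 ] || printf '%s\n' "$line"
        done
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# audit_container <name> <allowed-prefix>...: the same check against a live
# container (hypothetical helper; needs docker, unlike the sample below).
audit_container() {
    name=$1
    shift
    unexpected_writes "$(docker diff "$name")" "$@"
}

# Constructed sample modelled on the diff shown in the PR description.
SAMPLE_DIFF='C /opt
C /opt/openresty
C /opt/openresty/nginx
A /opt/openresty/nginx/fastcgi_temp
C /var
C /var/nginx
A /var/nginx/access.log
A /var/nginx/client_body_temp
A /var/nginx/error.log
A /var/nginx/nginx.pid
A /var/nginx/proxy_temp'

# With only /var/nginx declared writable, the fastcgi temp dir is flagged:
# it must be relocated (--http-fastcgi-temp-path) or given its own mount.
if unexpected_writes "$SAMPLE_DIFF" /var/nginx; then
    echo "all writes fall under the declared volumes"
else
    echo "^ writes above would fail under --read-only"
fi
```

Run the container writable once, pass its name to audit_container together with the volume paths you plan to declare (here /var/nginx), and only switch to --read-only when the function returns 0; a non-empty result means either the path still needs relocating or a volume is missing.
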
@josephpage
Copy link
Contributor Author

To do: Add documentation about read-only mode and the new volume /var/nginx.

@skozin
Copy link
Member

skozin commented Dec 7, 2015

I'm not sure this volume needs to be declared in the Dockerfile. It complicates things a little, as now you need to use docker rm -v when removing the NginX container (e.g. during updates), otherwise all these volumes will accumulate on the machine.

On the other hand, you can always specify this volume on the command line if you wish; this will have the same effect as the VOLUME directive in the Dockerfile:

docker run -v /var/nginx ... ficusio/openresty

What do you think?

@josephpage
Copy link
Contributor Author

Makes sense!
So the unified path /var/nginx should be documented in the README.

@skozin skozin closed this in 5ce9ddd Dec 10, 2015
@skozin
Copy link
Member

skozin commented Dec 10, 2015

I've added the info on launching in read-only mode to the readme (here).

BTW, feel free to open another PR with --http-fastcgi-temp-path fix, I'll merge it right away.
