Run nginx as unprevileged user

Author: rcmadhankumar

src/bci_build/package/appcontainers.py

@@ -271,7 +271,14 @@ def _get_nginx_kwargs(os_version: OsVersion):
                 parse_version=ParseVersion.MINOR,
             )
         ],
-        "package_list": ["gawk", "nginx", "findutils", _envsubst_pkg_name(os_version)],
+        "package_list": [
+            "gawk",
+            "nginx",
+            "findutils",
+            _envsubst_pkg_name(os_version),
+            "sed",
+            "grep",
+        ],
         "entrypoint": ["/usr/local/bin/docker-entrypoint.sh"],
         "from_target_image": generate_from_image_tag(os_version, "bci-micro"),
         "cmd": ["nginx", "-g", "daemon off;"],
@@ -289,8 +296,15 @@ def _get_nginx_kwargs(os_version: OsVersion):
             COPY index.html /srv/www/htdocs/
             {DOCKERFILE_RUN} chmod +x /docker-entrypoint.d/*.sh /usr/local/bin/docker-entrypoint.sh
             {DOCKERFILE_RUN} install -d -o nginx -g nginx -m 750 /var/log/nginx; \
+                install -d /var/cache/nginx /var/run; \
                 ln -sf /dev/stdout /var/log/nginx/access.log; \
-                ln -sf /dev/stderr /var/log/nginx/error.log
+                ln -sf /dev/stderr /var/log/nginx/error.log; \
+                chown -R nginx:nginx /var/cache/nginx; \
+                chown -R nginx:nginx /etc/nginx; \
+                chown -R nginx:nginx /var/run; \
+                install -d -o nginx -g nginx /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp; \
+                chown -R nginx:nginx /tmp; \
+                chmod -R g+w /var/cache/nginx /var/log/nginx /etc/nginx /var/run /tmp
             STOPSIGNAL SIGQUIT"""),
     }
 

src/bci_build/package/nginx/docker-entrypoint.sh

@@ -44,4 +44,21 @@ if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
     fi
 fi
 
+CURRENT_UID=$(id -u)
+if [ "$CURRENT_UID" -gt "0" ]; then
+    # Running as Unprivileged User
+    entrypoint_log "$0: Running as unprivileged user (UID: $CURRENT_UID). Configuring for unprivileged mode (Port 8080)."
+
+    # Remove the 'user' directive
+    sed -i '/^user/d' /etc/nginx/nginx.conf
+    entrypoint_log "$0: Removed 'user' directive for unprivileged worker."
+
+    # Ensure PID path is set to /tmp/nginx.pid
+    sed -i 's,^#\?\s*pid\s\+.*;$,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf
+    sed -i "/^http {/a \        proxy_temp_path /tmp/proxy_temp;\n        client_body_temp_path /tmp/client_temp;\n        fastcgi_temp_path /tmp/fastcgi_temp;\n        uwsgi_temp_path /tmp/uwsgi_temp;\n        scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf
+    sed -i 's/listen \(.*\)80;/listen \18080;/' /etc/nginx/conf.d/default.conf 2>/dev/null || \
+    sed -i 's/listen \(.*\)80;/listen \18080;/' /etc/nginx/nginx.conf 2>/dev/null || true
+    entrypoint_log "$0: Listening on port 8080."
+fi
+
 exec "$@"