fix(setcap) #206
fix(setcap) #206
Conversation
|
:( the |
alpine/docker-entrypoint.sh
Outdated
| chmod 777 /proc/self/fd/1 | ||
| chmod 777 /proc/self/fd/2 | ||
|
|
||
| su-exec kong /usr/local/openresty/nginx/sbin/nginx \ |
There was a problem hiding this comment.
This should be exec su-exec. otherwise bash will continue to exist as a parent. (also the script will continue.)
There was a problem hiding this comment.
That shouldn't be necessary (https://github.com/ncopa/su-exec/blob/master/su-exec.c#L103). It is also documented in the project's README: https://github.com/ncopa/su-exec#tty--parentchild-handling
There was a problem hiding this comment.
Unless you exec the bash process will live on as a parent.
The readme there is saying su-exec won't stick around; not the parent of su-exec.
There was a problem hiding this comment.
Indeed. Also, any thoughts on ncopa/su-exec#23?
* auto-detect 'transparent' suffix in listeners to trigger setcap
* ability to force setcap with new `SET_CAP_NET_RAW` env variable
* run master and worker processes as kong with su-exec
* requires a workaround for /dev/stdout and /dev/stderr output
Unfortunately, `kong prepare` still has to be executed as root (as it is
the case prior to this patch), but trying to execute it as the kong user
doesn't seem to work. Will revisit later.
Co-authored-by: Colin Hutchinson <[email protected]>
thibaultcha
force-pushed
the
fix/setcap
branch
from
89ec970
to
67a8f7a
Compare
|
New version pushed. Please see the commit message for details. This has been delayed long enough, and the current implementation already is an improvement over the existing image, plus supports auto-detection of the transparent option as the best compromise we could find. |
|
I tested the latest push in docker-compose and minikube both environments and setups worked as expected 👍 |
|
shouldn't the same changes be applied to the rhel image? |
We don't have any way to test rhel. |
|
Wouldn't this apply to any other distribution too (Ubuntu, Debian, CentOS in addition to RHEL, etc)? |
I'm not sure what you mean by this? The method is different per distro (su-exec is not that common). This repository only creates docker images for alpine, centos and rhel. rhel is the only one of those for which we have no testing setup. |
|
What are the next steps to support this feature on any other Docker image we create? @Tieske is right in his observation. |
|
@Kong/team-fast-track handles the RHEL container but I believe the RHEL container is loosely based on our centos image so it might be fine but probably best to follow up with folks on that team |
moves setcap out of Dockerfile and into the docker entrypoint's