Contributor

@kiblik kiblik commented Oct 8, 2025

Fix #11031

@github-actions github-actions bot added the docker label Oct 8, 2025
@github-actions github-actions bot added the helm label Oct 8, 2025
@kiblik kiblik force-pushed the nginx_readonly branch 3 times, most recently from 3352df0 to f02448f Compare October 8, 2025 21:14
@Maffooch
Contributor

@mtesauro does this fit into your plans for image hardening?

@mtesauro
Contributor

> @mtesauro does this fit into your plans for image hardening?

TBH, I was going to start with the DefectDojo/Django containers first as those are the containers where we have the most code / do the most modifications.

Changing the UID to under the typical 1000+ is interesting, but I don't believe it will cause issues for k8s, and it also seems that OpenShift has stopped wanting specific UIDs based on this, so this shouldn't hurt those using k8s or compose currently as far as I can tell.

@mtesauro
Contributor

I can test this PR out when it's not a draft as well

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik
Contributor Author

kiblik commented Oct 11, 2025

> I can test this PR out when it's not a draft as well

The current issue with this PR is that as soon as the process tries to modify configs

sed -i '/listen \[::\]:/d' "$NGINX_CONFIG"

sed -i "s/#stub_status/stub_status/g;" $NGINX_CONFIG

sed -i "s/#auth_basic/auth_basic/g;" $NGINX_CONFIG

echo "$METRICS_HTTP_AUTH_USER":"$openssl_passwd" >> /etc/nginx/.htpasswd

execution fails (because FS is read-only).

I'm considering creating a separate PR that will be responsible for generating the final config, which will be on a read-write location. It would combine multiple partial definitions of the nginx.conf file. Also, I would like to merge it with nginx_TLS.conf because most of the file is the same.
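
The approach described in the comment above, sketched as an added example (not part of the thread and not DefectDojo's entrypoint): the shipped config is only read, and the effective `nginx.conf` and `.htpasswd` are written to a writable directory such as a tmpfs or `emptyDir` mount. The function name, the `RUNTIME_DIR` argument and the rewrite of the `.htpasswd` path are assumptions; the `sed` expressions are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example. render_nginx_config and RUNTIME_DIR are hypothetical names.
# Usage: render_nginx_config SRC_CONFIG RUNTIME_DIR [METRICS_USER PASSWORD_HASH]
render_nginx_config() {
    src=$1
    runtime_dir=$2
    metrics_user=${3:-}
    metrics_hash=${4:-}
    out="$runtime_dir/nginx.conf"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -d "$runtime_dir" ] && [ -w "$runtime_dir" ] || {
        echo "$runtime_dir is not a writable directory" >&2; return 1; }

    # Generated files may hold credentials: owner-only from here on.
    umask 077

    # "sed -i" creates its temp file next to the target, which is what fails
    # on a read-only FS. Plain sed streams to stdout, so $src is only read.
    sed '/listen \[::\]:/d' "$src" > "$out.tmp" || return 1

    if [ -n "$metrics_user" ]; then
        # Same uncomment steps as quoted above, plus (assumption) pointing
        # the config at the writable copy of .htpasswd.
        sed -e 's/#stub_status/stub_status/g' \
            -e 's/#auth_basic/auth_basic/g' \
            -e "s|/etc/nginx/\.htpasswd|$runtime_dir/.htpasswd|g" \
            "$out.tmp" > "$out.tmp2" || return 1
        mv "$out.tmp2" "$out.tmp"
        # Overwrite instead of ">>": a container restart must not
        # accumulate duplicate entries.
        printf '%s:%s\n' "$metrics_user" "$metrics_hash" \
            > "$runtime_dir/.htpasswd"
    fi

    # Rename inside the same directory so nginx never reads a partial file.
    mv "$out.tmp" "$out"
}
```

nginx is then started against the generated file with `nginx -c "$RUNTIME_DIR/nginx.conf"`, and the root filesystem can stay read-only.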
