Merge branch 'master' of github.com:nginxinc/nginx-s3-gateway

Author: dekobon

.github/workflows/main.yml

@@ -21,9 +21,13 @@ jobs:
       - name: Install dependencies
         run: sudo apt-get install -y wait-for-it
       - name: Run tests - latest njs version
-        run: ./test.sh latest-njs-oss
+        run: ./test.sh --latest-njs --type oss
       - name: Run tests - stable njs version
-        run: ./test.sh oss
+        run: ./test.sh --type oss
+      - name: Run tests - stable njs version - unprivileged process
+        run: ./test.sh --unprivileged --type oss
+      - name: Run tests - latest njs version - unprivileged process
+        run: ./test.sh --latest-njs --unprivileged --type oss
 
   build_and_deploy:
     runs-on: ubuntu-latest
@@ -41,9 +45,9 @@ jobs:
       - name: Install dependencies
         run: sudo apt-get install -y wait-for-it
       - name: Run tests - latest njs version
-        run: ./test.sh latest-njs-oss
+        run: ./test.sh --latest-njs --type oss
       - name: Run tests - stable njs version
-        run: ./test.sh oss
+        run: ./test.sh --type oss
       # latest-njs-oss image push [Github]
       - name: Tag container image for Push to github [latest-njs-oss date]
         run: docker tag nginx-s3-gateway:latest-njs-oss docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
@@ -53,6 +57,15 @@ jobs:
         run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
       - name: Push container image to github [latest-njs-oss]
         run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-njs-oss
+      # unprivileged-oss image push [Github]
+      - name: Tag container image for Push to github [unprivileged-oss date]
+        run: docker tag nginx-s3-gateway:unprivileged-oss docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Tag container image for Push to github [unprivileged-oss]
+        run: docker tag nginx-s3-gateway:unprivileged-oss docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss
+      - name: Push container image to github [unprivileged-oss date]
+        run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Push container image to github [unprivileged-oss]
+        run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss
       # oss image push [Github]
       - name: Tag container image for Push to github [oss date]
         run: docker tag nginx-s3-gateway:latest docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-${{ steps.date.outputs.date }}
@@ -77,6 +90,15 @@ jobs:
         run: docker push nginxinc/nginx-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
       - name: Push container image to Docker Hub [latest-njs-oss]
         run: docker push nginxinc/nginx-s3-gateway:latest-njs-oss
+      # unprivileged-oss image push [Docker Hub]
+      - name: Tag container image for Push to Docker Hub [unprivileged-oss date]
+        run: docker tag nginx-s3-gateway:unprivileged-oss nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Tag container image for Push to Docker Hub [unprivileged-oss]
+        run: docker tag nginx-s3-gateway:unprivileged-oss nginxinc/nginx-s3-gateway:unprivileged-oss
+      - name: Push container image to Docker Hub [unprivileged-oss date]
+        run: docker push nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Push container image to Docker Hub [unprivileged-oss]
+        run: docker push nginxinc/nginx-s3-gateway:unprivileged-oss
       # oss image push [Docker Hub]
       - name: Tag container image for Push to Docker Hub [oss date]
         run: docker tag nginx-s3-gateway:latest nginxinc/nginx-s3-gateway:latest-${{ steps.date.outputs.date }}

Dockerfile.unprivileged

@@ -0,0 +1,21 @@
+# This container images makes the necessary modifications in the
+# inherited image (which could be OSS NGINX or NGINX Plus) in order
+# to allow running NGINX S3 Gateway as a non root user.
+# Steps are based on the official unprivileged container:
+# https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-debian.template
+FROM nginx-s3-gateway
+
+# Implement changes required to run NGINX as an unprivileged user
+RUN sed -i "/^server {/a \    listen       8080;" /etc/nginx/templates/default.conf.template \
+    && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf \
+    && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
+    && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
+# Nginx user must own the cache and etc directory to write cache and tweak the nginx config
+    && chown -R nginx:0 /var/cache/nginx \
+    && chmod -R g+w /var/cache/nginx \
+    && chown -R nginx:0 /etc/nginx \
+    && chmod -R g+w /etc/nginx
+
+EXPOSE 8080
+
+USER nginx

README.md

@@ -70,6 +70,9 @@ Dockerfile.buildkit.plus         Dockerfile with the same configuration as Docke
                                  with support for hiding secrets using Docker's Buildkit
 Dockerfile.latest-njs            Dockerfile that inherits from the last build of the gateway and
                                  then builds and installs the latest version of njs from source
+Dockerfile.latest-unpriviledged  Dockerfiles that inherits from the last build of the gateway and
+                                 makes the necessary modifications to allow running the container
+                                 as a non root, unpriviledged user.
 settings.example                 Docker env file example
 standalone_ubuntu_oss_install.sh install script that will install the gateway as a Systemd service
 test.sh                          test launcher

docs/getting_started.md

@@ -148,6 +148,17 @@ docker run --env-file ./settings --publish 80:80 --name nginx-s3-gateway \
     nginx-s3-gateway:oss
 ```
 
+In the same way, if you want to use NGINX OSS container image as a non-root, unpriviledged user,
+you can build it as follows:
+```
+docker build --file Dockerfile.latest-unpriviledged --tag nginx-s3-gateway --tag nginx-s3-gateway:latest-unpriviledged-oss .
+```
+And run the image binding the container port 8080 to 80 in the host like:
+```
+docker run --env-file ./settings --publish 80:8080 --name nginx-s3-gateway \
+    nginx-s3-gateway:latest-unpriviledged-oss
+```
+
 ### Building the NGINX Plus Container Image
 
 In order to build the NGINX Plus container image, copy your NGINX Plus 

test.sh

@@ -17,7 +17,6 @@
 #
 
 set -o errexit   # abort on nonzero exit status
-set -o nounset   # abort on unbound variable
 set -o pipefail  # don't hide errors within pipes
 
 nginx_server_proto="http"
@@ -41,28 +40,71 @@ e() {
   >&2 echo "$1"
 }
 
-
-if [ $# -eq 0 ]; then
+usage() { e "Usage: $0 [--latest-njs <default:false>] [--unprivileged <default:false>] [--type <default:oss|plus>" 1>&2; exit 1; }
+
+for arg in "$@"; do
+  shift
+  case "$arg" in
+    '--help')           set -- "$@" '-h'   ;;
+    '--latest-njs')     set -- "$@" '-j'   ;;
+    '--unprivileged')   set -- "$@" '-u'   ;;
+    '--type')           set -- "$@" '-t'   ;;
+    *)                  set -- "$@" "$arg" ;;
+  esac
+done
+
+while getopts "hjut:" arg; do
+    case "${arg}" in
+        j)
+            njs_latest="1"
+            ;;
+        u)
+            unprivileged="1"
+            ;;
+        t)
+            nginx_type="${OPTARG}"
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+startup_message=""
+
+if [ -z "${nginx_type}" ]; then
   nginx_type="oss"
-  njs_latest=0
-  p "No argument specified - defaulting to NGINX OSS. Valid arguments: oss, plus, latest-njs-oss, latest-njs-plus"
+  startup_message="Starting NGINX ${nginx_type} (default)"
+elif ! { [ ${nginx_type} == "oss" ] || [ ${nginx_type} == "plus" ]; }; then
+    e "Invalid NGINX type: ${nginx_type} - must be either 'oss' or 'plus'"
+    usage
 else
-  if [[ "${1}" == *plus ]]; then
-    nginx_type="plus"
-    p "Testing with NGINX Plus"
-  else
-    nginx_type="oss"
-    p "Testing with NGINX OSS"
-  fi
+  startup_message="Starting NGINX ${nginx_type}"
+fi
 
-  if [[ "${1}" == latest-njs-* ]]; then
-    p "Testing with latest development version of NJS"
-    njs_latest=1
-  else
-    njs_latest=0
-  fi
+if [ -z "${njs_latest}" ]; then
+  njs_latest="0"
+  startup_message="${startup_message} with the release NJS module (default)"
+elif [ ${njs_latest} -eq 1 ]; then
+  startup_message="${startup_message} with the latest NJS module"
+else
+  startup_message="${startup_message} with the release NJS module"
 fi
 
+if [ -z "${unprivileged}" ]; then
+  unprivileged="0"
+  startup_message="${startup_message} in privileged mode (default)"
+elif [ ${unprivileged} -eq 1 ]; then
+  startup_message="${startup_message} in unprivileged mode"
+else
+  startup_message="${startup_message} in privileged mode"
+fi
+
+e "${startup_message}"
+
+set -o nounset   # abort on unbound variable
+
 docker_cmd="$(command -v docker)"
 if ! [ -x "${docker_cmd}" ]; then
   e "required dependency not found: docker not found in the path or not executable"
@@ -102,7 +144,14 @@ if [ "${nginx_type}" = "plus" ]; then
 fi
 
 compose() {
-  "${docker_compose_cmd}"  -f "${test_compose_config}" -p "${test_compose_project}" "$@"
+  # Hint to docker-compose the internal port to map for the container
+  if [ ${unprivileged} -eq 1 ]; then
+    export NGINX_INTERNAL_PORT=8080
+  else
+    export NGINX_INTERNAL_PORT=80
+  fi
+
+  "${docker_compose_cmd}" -f "${test_compose_config}" -p "${test_compose_project}" "$@"
 }
 
 integration_test() {
@@ -208,6 +257,12 @@ if [ ${njs_latest} -eq 1 ]; then
     --tag nginx-s3-gateway --tag nginx-s3-gateway:latest-njs-${nginx_type} .
 fi
 
+if [ ${unprivileged} -eq 1 ]; then
+  p "Layering in unprivileged build"
+  docker build -f Dockerfile.unprivileged \
+    --tag nginx-s3-gateway --tag nginx-s3-gateway:unprivileged-${nginx_type} .
+fi
+
 ### UNIT TESTS
 
 p "Running unit tests in Docker image"

test/docker-compose.yaml

@@ -9,7 +9,7 @@ services:
         condition: service_healthy
     image: "nginx-s3-gateway"
     ports:
-      - "8989:80/tcp"
+      - "8989:${NGINX_INTERNAL_PORT-80}/tcp"
     links:
       - "minio"
     restart: "no"