We are doing PodSecurityPolicy in our cluster, so we are thinking to pull nginx unprivileged image.
https://hub.docker.com/_/nginx has official images tag, while https://hub.docker.com/u/nginxinc doesn't, how can we make sure the image is safe to pull?

If I try and run with a different user and group I get a write permission error on included files where replacements need to be performed like /etc/nginx/conf.d/default.conf:

➜ docker run --rm -it --publish 8080:8080 --user 1000:1000 nginxinc/nginx-unprivileged:1.19.3-alpine
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: error: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579 it seems that the current image tagged with 1.16 is vulnerable to that CVE.

docker run -it --entrypoint=/bin/sh nginxinc/nginx-unprivileged:1.16
$ nginx -v
nginx version: nginx/1.16.1
$ dpkg -s nginx | grep Version
Version: 1.16.1-1~buster

Are there plans to fix this?
How is the release process in general for these nginx-unprivileged Docker images?

Question:

apart from /var/cache/nginx, should the permissions for the following directories also be changed ?

/usr/share/nginx/html/
/var/log/nginx/

?

I don't know where to signal this, but as of 26/04/2019 the nginxinc/nginx-unprivileged:1.14-alpine has a nginx version of 1.16.0 (yesterday it was 1.14.2)
version 1.14.2 before 26/04 (stored locally)

version 1.16.0 today

The mainline-alpine image is using an old version of Alpine and OpenSSL.

docker run -it nginxinc/nginx-unprivileged:mainline-alpine /bin/s

/ $ more /etc/alpine-release
3.8.2

/ $ nginx -V
nginx version: nginx/1.15.8
built by gcc 6.4.0 (Alpine 6.4.0)
built with OpenSSL 1.0.2q  20 Nov 2018

Comparing this image's Dockerfile with the non unprivileged image's Dockerfile shows that this image takes the base image is an argument, which is probably incorrectly set by the build system:

diff docker-nginx/mainline/alpine/Dockerfile docker-nginx-unprivileged/mainline/alpine/Dockerfile
1c1,2
< FROM alpine:3.9
---
> ARG IMAGE=alpine:3.9
> FROM $IMAGE

Hi. I tried to run 1.19.2-alpine and I get a lot of permission errors.

Screenshot:

A CVE-free nginxinc/nginx-unprivileged:1.19.6-alpine released recently (yay!) but it looks like nginxinc/nginx-unprivileged:mainline-alpine is still pointing to 1.19.5-alpine.

$ docker run -it nginxinc/nginx-unprivileged:mainline-alpine /bin/sh
/ $ more /etc/alpine-release
3.12.1
/ $ nginx -V
nginx version: nginx/1.19.5
built by gcc 9.3.0 (Alpine 9.3.0) 
built with OpenSSL 1.1.1g  21 Apr 2020
...

Something similar might have happened back here #20

Issue:

Currently the images in the dockerhub are just divided by type, eg stable-alpine
but they are not pinned by version number, eg alpine-1.14 and stable-alpine.

The issue therefore is that stable-alpine is a moving target and some users might want access
to a fixed version such as alpine-1.14.

Proposed solution

Release unaltered images with pinned versions

Container does not run on Kubernetes

I have a project that has nginx in my docker-compose like this:

  nginx:
    image: nn-docker.artifactory.prd.ss.aws.insim.biz/nginxinc/nginx-unprivileged:1.18-alpine
    ports:
      - "8081:8081"
    volumes:
    - "./../etc/nginx.conf:/etc/nginx/nginx.conf"

But on v1.18 i am getting the following errors:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-configure-nginx-unprivileged.sh
sed: can't move '/etc/nginx/nginx.confMDbjOE' to '/etc/nginx/nginx.conf': Resource busy

Going back to version 1.17.x works fine. What is the issue here? Am I configuring something incorrectly or is this a bug?

As seen on https://www.xda-developers.com/linux-update-sudo-security-flaw/

nginx-docker@f1f53f9d0bf6:/etc/nginx$ sudoedit -s /
sudoedit: /: not a regular file

Alpine 3.11 has been released on 2019-12-19. Please upgrade the Alpine images to use the latest Alpine 3.11.x base.

Our container scanner shows up this recent CVE which is currently not even fixed in upstream Alpine image.

alpinelinux/docker-alpine#79

Can you please re-build a new image once this is fixed in the base image. Thanks.

Any chance we can please build & push images for other architectures like here?:
nginxinc/docker-nginx#290

arm64:

$ uname -a
Linux k8s-m-01 4.4.154-1128-rockchip-ayufan-g61b4b1151f9a #1 SMP Tue Dec 25 14:31:31 UTC 2018 aarch64 aarch64 aarch64 GNU/Linux

docker run:

$ sudo docker run nginxinc/nginx-unprivileged:alpine
Unable to find image 'nginxinc/nginx-unprivileged:alpine' locally
alpine: Pulling from nginxinc/nginx-unprivileged
4fe2ade4980c: Pull complete 
9eb6510d469d: Pull complete 
53a04bd986f3: Pull complete 
530e67dc0e9c: Pull complete 
c3d9ca62b5b0: Pull complete 
Digest: sha256:de550f18ba38c832034fa4f2fe1ecd2ee370593f7a523ae0825159626098be44
Status: Downloaded newer image for nginxinc/nginx-unprivileged:alpine
standard_init_linux.go:190: exec user process caused "exec format error"

docker manifest inspect (no arch listed?):

$ DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect nginxinc/nginx-unprivileged:alpine
{
	"schemaVersion": 2,
	"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
	"config": {
		"mediaType": "application/vnd.docker.container.image.v1+json",
		"size": 8712,
		"digest": "sha256:2c9ea44d06942609980c7f088f20ff41a702bb6fafa023ced02752ea472aa00b"
	},
	"layers": [
		{
			"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
			"size": 2206931,
			"digest": "sha256:4fe2ade4980c2dda4fc95858ebb981489baec8c1e4bd282ab1c3560be8ff9bde"
		},
		{
			"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
			"size": 5535768,
			"digest": "sha256:9eb6510d469dbc7c82205604f6008ded76563dd9d55f3a4d188792ae915d8794"
		},
		{
			"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
			"size": 545,
			"digest": "sha256:53a04bd986f3d2bfb38cbea618420a6f8481d7b491c0ff7fcf9b9136554d9fac"
		},
		{
			"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
			"size": 636,
			"digest": "sha256:530e67dc0e9c09a21619c99142594f54e199ef2a93fd5f1a5a0523115ffbf49c"
		},
		{
			"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
			"size": 148,
			"digest": "sha256:c3d9ca62b5b099324ef9eab8581927805f2836c6a6724f3cf5910c5213314cbc"
		}
	]
}

Any word on pull request #8 ? I'm curious to hear your feedback on this issue.

Also see a new question on #5 .

I'm using nginxinc/nginx-unprivileged:alpine in Docker to run Nginx non-root. During the build in Dockerfile, I restrict /etc/nginx folder to read & execute permissions only with chmod 555 -R /etc/nginx, so that no running config could be altered. Due to changes after 1.17.10 I'm experiencing unexpected behavior, where the build fails on start up with message:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Can not modify /etc/nginx/conf.d/default.conf (read-only file system?), exiting
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-configure-nginx-unprivileged.sh
sed: can't create temp file '/etc/nginx/conf.d/default.confXXXXXX': Permission denied

If I grant write permissions on /etc/nginx/conf.d the build will fail with message:

sed: can't create temp file '/etc/nginx/nginx.confXXXXXX': Permission denied

So I assume Nginx now requires write permissions on /etc/nginx. Is this behaviour intentional and expected?

I would like to retain my setup and deny write permissions on config folders.

Hi,
We have the following vulnerability that show up at the latest version.
It comes from alpine:3:11 and it was solved at 3:12.

Are you going to upgrade the alpine version ?

We have some issues today with all our running container using 1.18-alpine.

All our containers went CrashLoopBackOff after their recreation. After some investigation on our side looks like the new 1.18 (sha256:66ce6c6c5701f503c2eebd57b5353632a58be7c723e0994586aa3e710a83a9bd) have some differences with the 1.18 we were previously using (sha256:4e56608fb0b5207ea0407e31d7ae2964a6543c37a230ae1e0ea035c69e2f6432)

container-diff diff --type=file nginxinc/nginx-unprivileged:1.18-alpine eu.gcr.io/private-project-id/nginxinc/nginx-unprivileged:1.18-alpine
ERRO[0001] Could not obtain size for /home/fboula/.container-diff/cache/nginxincnginx-unprivileged_1.18-alpine/etc/ssl/certs/157753a5.0: stat /home/fboula/.container-diff/cache/nginxincnginx-unprivileged_1.18-alpine/etc/ssl/certs/157753a5.0: no such file or directory 
ERRO[0001] Could not obtain size for /home/fboula/.container-diff/cache/nginxincnginx-unprivileged_1.18-alpine/etc/ssl/certs/ca-cert-AddTrust_External_Root.pem: stat /home/fboula/.container-diff/cache/nginxincnginx-unprivileged_1.18-alpine/etc/ssl/certs/ca-cert-AddTrust_External_Root.pem: no such file or directory 

-----File-----

These entries have been added to nginxinc/nginx-unprivileged:1.18-alpine: None

These entries have been deleted from nginxinc/nginx-unprivileged:1.18-alpine:
FILE                                                                 SIZE
/docker-entrypoint.d/30-configure-nginx-unprivileged.sh              569B
/etc/ssl/certs/157753a5.0                                            unknown
/etc/ssl/certs/ca-cert-AddTrust_External_Root.pem                    unknown
/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt        1.5K

These entries have been changed between nginxinc/nginx-unprivileged:1.18-alpine and eu.gcr.io/private-project-id/nginxinc/nginx-unprivileged:1.18-alpine:
FILE                                                        SIZE1         SIZE2
/usr/lib/libturbojpeg.so.0.2.0                              706.3K        706.3K
/usr/lib/libjpeg.so.8.2.2                                   601.8K        601.8K
/usr/lib/nginx/modules/ngx_http_js_module.so                537.3K        595.7K
/usr/lib/nginx/modules/ngx_http_js_module-debug.so          537.3K        595.7K
/usr/lib/nginx/modules/ngx_stream_js_module-debug.so        520.4K        582.4K
/usr/lib/nginx/modules/ngx_stream_js_module.so              520.4K        582.4K
/usr/bin/njs                                                503.2K        565.1K
/etc/ssl/certs/ca-certificates.crt                          227.5K        226K
/usr/lib/libnghttp2.so.14.19.0                              141.7K        141.7K
/lib/apk/db/installed                                       92.6K         92.6K
/usr/share/doc/nginx-module-njs/CHANGES                     31.5K         32.9K
/usr/bin/c_rehash                                           13.9K         13.9K
/usr/sbin/update-ca-certificates                            13.8K         13.7K
/etc/ca-certificates.conf                                   6.2K          6.1K
/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh        1.9K          1.8K
/etc/nginx/conf.d/default.conf                              1.1K          1.1K
/docker-entrypoint.sh                                       1.1K          1.2K
/docker-entrypoint.d/20-envsubst-on-templates.sh            1K            1K
/etc/nginx/nginx.conf                                       646B          824B
/etc/shadow                                                 449B          449B
/etc/apk/world                                              242B          242B
/lib/apk/db/triggers                                        212B          212B

The container is failing at startup with the following error:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: /etc/nginx/conf.d/default.conf is not a file or does not exist, exiting
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-configure-nginx-unprivileged.sh
sed: /etc/nginx/conf.d/default.conf: No such file or directory

This error looks like the one fixed in #37.

The alpine based image fails to start with:

mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)

Looking at the Dockerfile of both, the stretch based image contains the following:

While the equivalent chmod line is missing from the alpine image.

@alessfg

The 1.19.5 release just made seems to have broken the entrypoint:

$ docker run -it --rm nginxinc/nginx-unprivileged:1.19.5
Unable to find image 'nginxinc/nginx-unprivileged:1.19.5' locally
1.19.5: Pulling from nginxinc/nginx-unprivileged
Digest: sha256:ed0c9fcace3f7fe25542d5e472fe6d853f3523a6d3362849653cf262ce5ff02a
Status: Downloaded newer image for nginxinc/nginx-unprivileged:1.19.5
docker: Error response from daemon: OCI runtime create failed: container_linux.go:370: starting container process caused: exec: "/docker-entrypoint.sh": permission denied: unknown.

Caught this because our CI/CD pipelines are only pinned to 1.19

Latest nginx 1.18-alpine docker image has port 80 instead of 8080

Also stable-alpine tag has port 80 in default.conf

After this commit was applied permissions aren't what they used to be:
090a545

The /var/cache/nginx directory is now owned by root:root causing our containers to fail.
I see the chown & chmod lines were deleted at the bottom of the Dockerfile.

2019/07/04 12:44:31 [emerg] 6#6: mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)

After the complete Dockerfile was refactored in 090a545, the container does not start because of missing privileges of folder /var/cache/nginx/. The owner must be user nginx.

2019/06/11 21:19:52 [emerg] 1#1: mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)

This is the new image:

» docker run --rm -it nginxinc/nginx-unprivileged:1.17.0-alpine sh
/ $ id
uid=101(nginx) gid=101(nginx) groups=101(nginx)
/ $ ls -lha /var/cache/nginx/
total 8
drwxr-xr-x    2 root     root        4.0K Jun  7 11:54 .
drwxr-xr-x    1 root     root        4.0K Jun  7 11:54 ..

Here is the same view for a cached and working container:

» docker run --rm -it nginxinc/nginx-unprivileged sh              
$ id
uid=1001(nginx) gid=101(nginx) groups=101(nginx)
$ ls -lha /var/cache/nginx/
total 8.0K
drwxrwxr-x 1 nginx root 4.0K Apr 16 13:08 .
drwxr-xr-x 1 root  root 4.0K May  5 20:15 ..

Hello,

There are a couple of vulnerabilities being reported with this image :

1. Busybox - CVE-2018-1000500
2. PCRE pkg - CVE-2020-14155

Container image scanning tools flag these. What are the alternatives or is there an image that would address these.

thanks,
KK

You did great job by complying with container runtiime security:

• container port must be over 1024
• Default user is a random user (1001)
• Files used by the main process are owned by group root but not user root.
• and others that you documented

However, ..

I want also to use a distroless image ( without specific linux distribution )

"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution. Reference

This type of images is not only reduce the surface of attack but it also comply with defense in depth principal.

This is currently what i am using

FROM kyos0109/nginx-distroless:1.16.1-1 as release
WORKDIR /opt/app
COPY --from=build /code/build/. .

Reference: https://github.com/kyos0109/nginx-distroless

With the addition of listen [::]:8080; to the default nginx config the container will boot loop on systems that have IPv6 disabled.

By adding the capability CAP_NET_BIND_SERVICE to the nginx binary, it would be possible to bind to port 80 and 443 without running as root. Are there known reasons, why this should be avoided?

We have a custom image based (with some config templates and our build in /var/www) based on the nginx-unprivileged image. The nginx-unprivileged creates a nginx user with gid and uid 101.

In a new project we would like to run the image on a Debian buster host, where the uid 101 is already taken by the host user systemd-timesync. It's not creating any problem at the moment, but just as a best practice, I would like to create matching users between our host and Docker containers to restrict the users in the containers to their files.

Now, I'm not sure what would be the best way to go about this. I don't want to mess with the systemd user. I could, of course, create my own version of the nginx-unprivileged, but I'd rather stay with upstream as much as possible. There is also the option to remap the uids, but I haven't looked into that yet.

It would be easiest if we could just have a different uid/gid for the nginx user. Would you be willing to parameterize the uid/gid in the nginx-unprivileged Dockerfile? For example, like this:

...
ARG UID=101
ARG GID=101

RUN set -x \
# create nginx user/group first, to be consistent throughout docker variants
    && addgroup --system --gid "$GID" nginx \
    && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid "$UID" nginx \
...

It looks to me like 1.17.3 and 1.16.1 images have been partially, but not completely, released? For instance, I see that the mainline tag has been updated to point at a new 1.17.3 image, but there's no 1.17.3 tag, and the 1.17 tag is still pointing at the same image as 1.17.2. Looks like the same situation for the -alpine variants, and probably others?

I'm just looking at these images for the first time today, so apologies if I'm missing something about how they're usually organized or rolled out.

Hi,

Will there be any support for alpine variants?

Dear image maintainers,

our container scanner reported CVE-2020-11080 in the nginxinc/nginx-unprivileged:1.17-alpine image. Seems that this can be easily fixed by rebuilding the image with the latest package version of nghttp2-libs

nghttp2-libs (1.40.0-r0 -> 1.40.0-r1)

Can you please rebuild the images. Thanks.

With the current 1.18 (@sha256:73948ceb33ff13d977099d5c2a65faa62f9f04b8b5deea9be8df811a6a81659d) I get:

│ /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration                                                                                                         │
│ /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/                                                                                                                                │
│ /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh                                                                                                                    │
│ /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh: 21: /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh: 2: not found                                                                             │
│ stream closed

Reverting back to @sha256:e1b0dc152caec58a182c130532140da5f39a780db554bd6d045830655f99069c resolved it for me.

Can this be related to #37 ?

Originally posted by @AllexVeldman in #37 (comment)

HIGH Vulnerability found in os package type (APKG) - libbz2 (CVE-2019-12900 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900) a part of 1.15.12-alpine

Since the image properly uses the nginx user now, you cannot modify anything in the /etc/nginx/ folder since it's owned by root:root and has 755 permissions.

Maybe the folder should be chmod'd to be owned by the nginx user now? As a workaround I just do this in my Dockerfile:

USER root
RUN rm /etc/nginx/conf.d/default.conf
COPY nginx_conf/nginx.conf /etc/nginx/
COPY nginx_conf/vhost.conf /etc/nginx/conf.d/
USER nginx

Hi,

The image nginxinc/nginx-unprivileged:1.18.0-alpine uses packages vulnerable to CVE-2020-14155 and CVE-2019-15601
-> package "pcre" version 8.43-r0 is vulnerable to CVE-2020-14155
-> package "curl (used in libcurl, curl)" version 7.67.0-r1 is vulnerable to CVE-2019-15601.

Upgrading the base image to Alpine Linux v3.12 would fix both of these CVEs.

It would be preferable to use https instead of http mirrors.

I am creating docker image of my angular app using root user.But i want to change it to use non root user.Please help me doing this. Here is my docker file.
`FROM docker.com/node:latest as node

WORKDIR /app

COPY . .

RUN npm install

RUN npm run ng build -- --prod

#stage 2 : to run application

FROM docker.com/nginx:alpine

COPY --from=node /app/dist/MyApp /usr/share/nginx/htm`

As the title says, I'm using the unprivileged image but it still fails to start due to checking for nginx.pid in the wrong path:

[devops@postetet ~]$ docker ps -a | grep nginx
bdbf5c66375c        b05a847a4c43                                                                                                                                "nginx -g 'daemon ..."   About a minute ago   Exited (1) About a minute ago                       k8s_nginx-service_nginx-e-69f9cbbfc9-8gxn9_mlp-sda-svil_7d818854-9b7b-11ea-8e4f-

[devops@postetet ~]$ docker logs bdbf5c66375c
2020/05/21 16:16:45 [emerg] 1#1: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)

[devops@postetet ~]$ docker images | grep b05a847a4c43
docker.io/nginxinc/nginx-unprivileged                                     latest              b05a847a4c43        2 weeks ago         132 MB

In our projects we use 1.19-alpine image and the critical CVE shows up in your imageScan stage:

+---------+------------------+----------+-------------------+---------------+--------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION
+---------+------------------+----------+-------------------+---------------+--------+
| libxml2 | CVE-2020-24977 | HIGH | 2.9.10-r4 | 2.9.10-r5

Apparently it is fixed in 2.9.10.-r5 which is used in 3.12 alpine since yesterday, 16.9.2020.
See https://pkgs.alpinelinux.org/packages?name=libxml2&branch=v3.12

@alessfg Please rebuild the project to update the library.

I'm curious to know if there is any plan to have the version 1.19.0 for https://hub.docker.com/r/nginxinc/nginx-unprivileged/tags?

References:

• http://nginx.org/en/CHANGES
• https://hub.docker.com/_/nginx?tab=tags&page=1&name=1.19

Hi, I noticed that the repo contains the 1.15.9 images, but it seems they're not available on dockerhub

docker pull nginxinc/nginx-unprivileged:1.15.9-alpine
Error response from daemon: manifest for nginxinc/nginx-unprivileged:1.15.9-alpine not found

See #4.

Hi,

In light of the recent "runc" vulnerability, we have started the task of ensuring that all of our containers are running unprivileged/non-root processes.

For one of our containers we are using the "official" Nginx image as the base (https://hub.docker.com/_/nginx) but would like to switch to this one as it runs "unprivileged".

However, we note that it's very hard to tell that the Dockerhub image (https://hub.docker.com/r/nginxinc/nginx-unprivileged) comes from this repository and also that the "nginxinc" accounts in Dockerhub and GitHub are the "official" Nginx ones.

Could we please have some kind of verification that:

• The DockerHub repository (https://hub.docker.com/r/nginxinc/nginx-unprivileged) is associated and originates from this GitHub repository (https://github.com/nginxinc/docker-nginx-unprivileged/)
• That the DockerHub and GitHub "nginxinc" accounts are associated/owned by Nginx
• That only Nginx maintainers are able to commit/merge to this repository

I'm not sure what the best way to do this is. Currently it seems that just having the "official" tag in DockerHub is enough. Otherwise some documentation on the Dockerhub image page that points back to this repository perhaps?

Thank you and please let me know if this is a stupid question or if you need any more information or something doesn't make sense.

According to stable/alpine/Dockerfile it will build using nginx 1.16.1, but the stable-alpine image in dockerhub, is built using the 1.16.0 which is vulnerable. We can pick the stable-alpine-perl version to avoid running on a vulnerable version (1.16.0), but we would prefer the stable-alpine built in a version that matches the Dockerfile. Tnx.

/Jonas

I'm trying to run nginx as unprivilaged user and adding multiple rewrite rule inthe nginx.conf.

post building the image I see just one rewrite rule deleting the remaining.

In local nginx.conf

rewrite ^/myaccount-messenger/services/rest/1.0/account/accountnumber/(.) https://messenger.nginx.coxbusiness.com/cbma/account/services/account/messenger/accountnumber/$1 last;
rewrite ^/myaccount-messenger/services/rest/1.0/user/email/(.) https://messenger.nginx.coxbusiness.com/cbma/user/services/user/messenger/email/$1 last;
rewrite ^/myaccount-messenger/services/rest/1.0/user/authenticate/(.*) https://messenger.nginx.coxbusiness.com/cbma/user/services/user/messenger/authenticate/$1 last;

In the Image:
rewrite ^/myaccount-messenger/services/rest/1.0/account/accountnumber/(.*) https://messenger.nginx.coxbusiness.com/cbma/account/services/account/messenger/accountnumber/$1 last;

Hi,

I just pulled this image and deployed it to openshift,

But its still giving me this error:

[emerg] 1#1: mkdir() "/var/cache/nginx/proxy_temp" failed (13: permission denied)

Thats all info I have, any way i can find more to trouble shoot this with ?

Regards,
Neil Beukes

Hi,

Is this project published anywhere in Docker Hub?

If yes, in which tag?

Thanks,
Gleidson

Looks like the image is not available on docker hub as mentioned in #18 is the normal image fixed but not the alpine one.

Nov 25 17:13:22 satellite pulp[17431]: nectar.downloaders.threaded:INFO: [0dcfccce] Download failed: Download of https://registry-1.docker.io/v2/nginxinc/nginx-unprivileged/manifests/1.15.9-alpine failed with code 404: Not Found

The image nginxinc/nginx-unprivileged:1.19.3-alpine is reporting this CVE-2020-15999 with the information Affected location: cpe:/o:alpine:alpine_linux:3.12.

Heap-based buffer overflow in freetype (Alpine package)

For your information, if I scan nginx:1.19.3-alpine, it doesn't have this CVE-2020-15999.

This CVE is fixed with alpine:3.12.1 which is integrated in nginx:1.19.3-alpine and not in nginxinc/nginx-unprivileged:1.19.3-alpine apparently?