Comments (8)
Additionally, the image needs to run as an unpriviliged user.
Currently the container fails (openshift, 'restricted' security context) with:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/22 14:16:51 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2021/12/22 14:16:51 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
This was addressed for a 'raw' nginx deployment (which we use in front of UI & api) in the odpi-egeria-lab helm chart in 9ae21390d6679ef7736934eb8966857a1d446325
Whilst a similar approach could be followed, combining the improved security stance with a new base image likely makes the most sense
In the short term I will work around this issue in the chart itself. If/when this image is updated, the chart will need updating in any case.
from egeria-ui.
@planetf1 is this still a thing?
from egeria-ui.
The failure no longer occurs.
However I still think we should look at whether we can/should use a UBI8 image, since these typically include some forms of monitoring & are scanned for security vulnarabilities.
We have to balance this with resource overhead
from egeria-ui.
@planetf1 is this something that has been done in another project/repository?
from egeria-ui.
We did it for base Egeria. The idea of the UBI images is that they are more security hardened/reviewed . There was a good image for java apps, which we used.
I have not looked into what we might have to help with the UI - a quick search suggests there are some options such as https://catalog.redhat.com/software/containers/ubi8/nginx-120/6156abfac739c0a4123a86fd
We would need to see if these are suitable for us, and look at what value they provided - the hope, primarily, is that they address security issues in the base image layer when compared with base nginx.
For example our current UI image -> https://quay.io/repository/odpi/egeria-ui/manifest/sha256:602709226ebe82f5148e3f44c8742487250dec372c13da29785229ebc48ad4cf?tab=vulnerabilities
from egeria-ui.
So we probably should try
From registry.access.redhat.com/ubi8/nginx-120
Or search for other similar variants. But the base image is somewhat problematic
from egeria-ui.
reasoning: https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image
- security, support
The former is a must. But if the image is inappropriate in some way, then we need to source a similarly secure and maintained image to use. Our current one has too many vulnarabilities
from egeria-ui.
i merged the current docker image without platform linux/arm64 as it didn't build the image due to some errors, i will try to prioritize this issue, next iteration is not supporting linux/arm64
from egeria-ui.
Related Issues (20)
- Updates to Docker build HOT 3
- Egeria UI broken HOT 6
- User roles fix
- Appropriate UI release for base egeria release 2.9 HOT 2
- Error in homepage. "roles" request - 404 HOT 2
- Migrate build of container to egeria-ui project HOT 3
- Create stable releases (inc. docker images) HOT 3
- something wrong about egeria-ui HOT 1
- Introduce search flags into Rex HOT 2
- Replace iron-localstorage
- Migrate docker build to this repo & all builds to github actions HOT 7
- Cannot login to UI (helm chart) HOT 36
- 'About' does not work HOT 2
- Error handling needs improving when ui-chassis is not ready HOT 7
- Glossary View results in being thrown back to login page (user not authorized) HOT 1
- Simplifying the load of a glossary
- Initial feedback on building egeria-ui HOT 2
- Is egeria ui the management interface for egeria
- Random "OK" button on the login page
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from egeria-ui.