I wasn't able to build on my Ubuntu 18.04 LTS. How can I change default registry from hub.docker.com to registry.access.redhat.com?

Here are the messages I got when running make build TARGET=centos7 VERSIONS=1.12 command.

$ make build TARGET=rhel7 VERSIONS=1.12
make[1]: Entering directory '/home/will/build/nginx-container'
VERSION="1.12" SKIP_SQUASH=0 UPDATE_BASE= OS=rhel7 CLEAN_AFTER= DOCKER_BUILD_CONTEXT=. OPENSHIFT_NAMESPACES="" CUSTOM_REPO="" /usr/bin/env bash common/build.sh
-> Version 1.12: building image from 'Dockerfile.rhel7' ...
Sending build context to Docker daemon  57.86kB
Step 1/15 : FROM rhscl/s2i-core-rhel7:1
pull access denied for rhscl/s2i-core-rhel7, repository does not exist or may require 'docker login'
common/common.mk:75: recipe for target '1.12' failed
make[1]: *** [1.12] Error 1
make[1]: Leaving directory '/home/will/build/nginx-container'
common/common.mk:64: recipe for target 'build-serial' failed
make: *** [build-serial] Error 2

The nginxconf.sd script is removing the access log line rather then redirecting logging to stdout like the error log.

Currently:

s%/var/opt/rh/rh-nginx112/log/nginx/error.log%stderr%
s%access_log  /var/opt/rh/rh-nginx112/log/nginx/access.log  main;%%

I would expect instead:

s%/var/opt/rh/rh-nginx112/log/nginx/error.log%stderr%
s%/var/opt/rh/rh-nginx112/log/nginx/access.log%stdout%

Hello,
I have got a customer who requires nginx1.22 or higher to pass "External Penetration Testing".
Here is the Red Hat supported version of nginx.
https://catalog.redhat.com/software/containers/ubi9/nginx-120/61a609f2bfd4a5234d596287
Is there any road map to update the nginx to latest version ?

Regards
Selim
Red Hat Brisbane Office

Trying to build 1.12 on RHEL

following

To build a RHEL7 based Nginx image, you need to run Docker build on a properly subscribed RHEL machine.

```
$ git clone --recursive https://github.com/sclorg/nginx-container.git
$ cd nginx-container
$ git submodule update --init
$ make build TARGET=rhel7 VERSIONS=1.10 and 1.12
```

getting

....
Step 14/15 : CMD $STI_SCRIPTS_PATH/usage
---> Running in 8d0f4fce67d5
---> 1750245a6262
Removing intermediate container 8d0f4fce67d5
Step 15/15 : LABEL "io.openshift.builder-version" '"ce0192c"'
---> Running in 623a99da35b5
---> 697ee0df98bf
Removing intermediate container 623a99da35b5
Successfully built 697ee0df98bf
ERROR: docker-squash 1.0.5 required
make[1]: *** [1.10] Error 1
make[1]: Leaving directory `/home/mikk/composeTest/nginx-container'
make: *** [build-serial] Error 2

What's up with docker-squash?

Suggestions?

Environment:
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.6:GA:server
Docker version 1.13.1, build 07f3374/1.13.1

s2i version unknown

running as VM in VirtualBox 5.2.22 r126460 on win 10

Creating an issue for this so that it is not forgotten.

For more information about the reason why it was commented out, see similar bug in httpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1482143

Workaround introduced in:
5d1a17d

A comment in the Dockerfile says # FIXME: Not sure if this is safe to do, just a hack to make the image work. It then runs chmod -R a+rwx /var/run. That is all visible on the Red Hat Container Catalog's Dockerfile display, where it is not confidence-inspiring.

While using given step in doc getting mentioned error and POD status is "CrashedLoopBackOff"

When I am checking POD log I am getting below,

Log:

"This is a S2I rhel base image.

To use it in OpenShift, run:

oc new-app nginx:1.16~https://github.com/sclorg/nginx-container.git --context-dir=1.16/test/test-app/

You can then run the resulting image via:

docker run -p 8080:8080 nginx-sample-app

Alternatively, to run the image directly using podman or docker, or how to use it as a parent image in a Dockerfile, see documentation at

https://github.com/sclorg/nginx-container/blob/master/1.16/README.md."

CentOS7 - openshift failed on this reason at the end

10:20:16 Error from server (Forbidden): pods is forbidden: User "developer" cannot list pods in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): replicationcontrollers is forbidden: User "developer" cannot list replicationcontrollers in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): services is forbidden: User "developer" cannot list services in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): daemonsets.apps is forbidden: User "developer" cannot list daemonsets.apps in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): deployments.apps is forbidden: User "developer" cannot list deployments.apps in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): replicasets.apps is forbidden: User "developer" cannot list replicasets.apps in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): statefulsets.apps is forbidden: User "developer" cannot list statefulsets.apps in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "developer" cannot list horizontalpodautoscalers.autoscaling in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): jobs.batch is forbidden: User "developer" cannot list jobs.batch in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): cronjobs.batch is forbidden: User "developer" cannot list cronjobs.batch in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): deploymentconfigs.apps.openshift.io is forbidden: User "developer" cannot list deploymentconfigs.apps.openshift.io in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): buildconfigs.build.openshift.io is forbidden: User "developer" cannot list buildconfigs.build.openshift.io in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): builds.build.openshift.io is forbidden: User "developer" cannot list builds.build.openshift.io in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): imagestreams.image.openshift.io is forbidden: User "developer" cannot list imagestreams.image.openshift.io in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 Error from server (Forbidden): routes.route.openshift.io is forbidden: User "developer" cannot list routes.route.openshift.io in the namespace "sclorg-test-11930": no RBAC policy matched
10:20:16 OpenShift tests for quay.io/centos7/nginx-116-centos7:1.16 failed.

Fedora tests PASSED but the output is FAILED.

10:13:14  [PASSED] test_s2i_usage
10:13:14  [PASSED] test_docker_run_usage
10:13:14  [PASSED] test_application
10:13:14  [PASSED] test_log_output
10:13:14  [PASSED] test_log_volume_output
10:13:14  [PASSED] test_application_user
10:13:14  [PASSED] test_pre_init_script
10:13:14  [PASSED] test_perl_directive
10:13:14  [PASSED] run_dockerfiles_test

Environment : Openshift 4.7.9
Log

oc new-app nginx:1.18~https://github.com/sclorg/nginx-container.git --context-dir=1.18/test/test-app/

error: the image match "nginx:1.18" for source repository "https://github.com/sclorg/nginx-container.git" does not appear to be a source-to-image builder.

- to attempt to use this image as a source builder, pass "--strategy=source"
- to use it as a base image for a Docker build, pass "--strategy=docker"

The httpd image has support for developer provided sed input that can override the global config.

Can the nginx image be altered so a similar mechanism can be used to do things like enable /nginx_status with the server { } block?

The 1.20 / Dockerfile.rhel8 recursively changes ownership of /var/lib/nginx to 1001:0 with mode 770, however the nginx application runs as user 998. Due to this, the nginx application is unable to write to /var/lib/nginx/tmp/client_body/ directory and large requests to the server result in 500 Internal Server Error. This applies to other tmp directories used by nginx.

Example log errors:
[crit] 7#0: *29 open() "/var/lib/nginx/tmp/client_body/0000000001" failed (13: Permission denied)
[crit] 7#0: *56 open() "/var/lib/nginx/tmp/proxy/2/00/0000000002" failed (13: Permission denied)

For standalone (direct) container usage this can be resolved by adding:
user default root;
to the beginning of /etc/nginx/nginx.conf, but this may not be suitable for Kubernetes environments.

I am not able to run this image on Openshift due to permission issues.

Error:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2022/07/27 18:08:31 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:3
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:3
2022/07/27 18:08:31 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Below is my Dockerfile to build it. I am using podman to build the image

Built image currently hosted at quay.io/wainaina3/nginxgovtocp

#nginxbase
FROM registry.access.redhat.com/ubi9/nginx-120

LABEL io.k8s.description="Nginx proxy server image"
io.k8s.display-name="Nginx builder image"
io.openshift.expose-services="8080:http"
io.openshift.tags="nginx,proxy,govt"

COPY *.conf "${NGINX_CONFIGURATION_PATH}"

USER 0
RUN chgrp -R 0 "${APP_ROOT}" &&
chmod -R g=u "${APP_ROOT}"

USER 1001

CMD nginx -g "daemon off;"

Content of *.conf

#Wsgi configs
#Define the parameters for a specific virtual host/server
server {
#Define the listening port
listen 8181;
server_name govt;

#Listen to requests coming via / and direct them to gunicorn server
#gunicorn server is running in a container with a service called govt and listening at port 8000
location /{
include uwsgi_params;
proxy_pass http://localhost:8000;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
}

}

The variables in https://github.com/sclorg/nginx-container/blob/master/1.22/Dockerfile.fedora#L11..L15 are only used to set LABELS a fe lines below and should not "leak" inside the container images.

Using ARG instead of ENV will make those variables only available during the build and not built into the image default environment.

Note: This also applies to all other container images in this org. I'm only reporting this once.

See containers/docs#15

Container platform

OCP 3, OCP 4

Version

12

OS version of the container image

RHEL 9, Fedora

Bugzilla, Jira

I do not have related Jira

Description

Something bad happened.

Reproducer

And I do not know how to reproduce it.

Looking at the Dockerfiles I don't find that STOPSIGNAL is set as in the official Dockerfiles for nginx (https://github.com/nginxinc/docker-nginx/blob/master/Dockerfile-debian.template#L106). Please see:
nginxinc/docker-nginx#377

Container platform

Podman/Docker

Version

1.20

OS version of the container image

RHEL 8

Bugzilla, Jira

No response

Description

yum install nginx-module-njs

Basically it can't find the module.

Reproducer

No response

I see there is an Nginx 1.14 image in the Red Hat Container Catalog. Should the nginx-container/1.14 and nginx-container/example/1.14/test-app folders also be visible in this github repo sclorg/nginx-container?

This is for testing of automation workflow. No further action is required.

Currently s2i image allows to add static configuration files. Nginx by default is not providing any comprehensible solution to do it and usually best pattern to achieve that is to create wrapper script that would replace environment variables in the configuration.

Is that something that would be useful for this image? I would be happy to provide PR with the solution.

ping @hhorak @omron93 @mohammedzee1000

CentOS Stream 8 should be deprecated because we have UBI image.

The Nginx official document recommends to enable ssl_session_cache and set that to shared:name:size, which enables cache shared between all worker processes.

"To reduce the processor load it is recommended to set the number of worker processes equal to the number of processors, enable keep-alive connections,enable the shared session cache,"

I wonder whether the default setting need to be changed. Thanks.

Hi, I'm trying to install nginx 1.20 from the ubi8 image and it seems the only nginx packages available is 1.14 and 1.18.

Hello,

I have encountered an issue which makes containers unable to restart once stopped.

This bug affects versions 1.10, 1.12 and 1.14.

Steps to reproduce

• Build a minimal image.

mkdir s2i-nginx-bug
cd s2i-nginx-bug
s2i build . centos/nginx-112-centos7 s2i-nginx-bug:dev

• Create a container using the built image.

docker run -d --name s2i-nginx-bug s2i-nginx-bug:dev

• Observe that the container is up and running.

docker ps -a -f name=s2i-nginx-bug

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
72ebd4e6bc9e        s2i-nginx-bug:dev   "container-entrypoin…"   6 seconds ago       Up 5 seconds        8080/tcp, 8443/tcp   s2i-nginx-bug

• Restart the container.

docker restart s2i-nginx-bug

• Observe that the container crashed.

docker ps -a -f name=s2i-nginx-bug

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
72ebd4e6bc9e        s2i-nginx-bug:dev   "container-entrypoin…"   49 seconds ago      Exited (1) 4 seconds ago                       s2i-nginx-bug

Notes

• Inspect the container's logs.

docker logs s2i-nginx-bug

/bin/ln: failed to create symbolic link '/var/opt/rh/rh-nginx112/log/nginx/access.log': File exists

The error is caused by the logging feature in the run script. The first time the container starts, the ln commands run just fine. However, when the container restarts, the targets already exist, resulting in the error shown above.

Suggested fix

Add the -f option to ln commands in order to force the recreation of the links.

if [ ! -v NGINX_LOG_TO_VOLUME -a -v NGINX_LOG_PATH ]; then
    /bin/ln -sf /dev/stdout ${NGINX_LOG_PATH}/access.log
    /bin/ln -sf /dev/stderr ${NGINX_LOG_PATH}/error.log
fi

Alternatively, you can check whether the targets already exist beforehand and skip the commands if they do.

Workaround

Since s2i allows to override the run script given by the builder image, you can provide the suggested fix as part of the source files as .s2i/bin/run.

# In the `s2i-nginx-bug` folder

mkdir -p .s2i/bin && \
echo '#!/bin/bash

source /opt/app-root/etc/generate_container_user

set -e

source ${NGINX_CONTAINER_SCRIPTS_PATH}/common.sh

process_extending_files ${NGINX_APP_ROOT}/src/nginx-start ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
if [ ! -v NGINX_LOG_TO_VOLUME -a -v NGINX_LOG_PATH ]; then
    /bin/ln -sf /dev/stdout ${NGINX_LOG_PATH}/access.log
    /bin/ln -sf /dev/stderr ${NGINX_LOG_PATH}/error.log
fi

exec nginx -g "daemon off;"' > .s2i/bin/run && \
chmod +x .s2i/bin/run

You can then re-build the image and use it to work around the bug.

s2i build . centos/nginx-112-centos7 s2i-nginx-bug:dev

There are no ubi/xginx:122 and ubi/xginx:121 images available from Red Hat, thereby rendering the respective .rhel8 docker files incorrect. This is going to confuse developers. The builds will fail. Can those docker files be removed for the time being? Or maybe a note on the respective READMEs about this? I'm happy to contribute either way, if you let me know a preferred solution.

The latest available version from Red Hat is 120.

this issue is created for the testing purpose no action required

oc new-app nginx:1.18~https://github.com/sclorg/nginx-container.git --context-dir=1.18/test/test-app/
error: the image match "nginx:1.18" for source repository "https://github.com/sclorg/nginx-container.git" does not appear to be a source-to-image builder.

• to attempt to use this image as a source builder, pass "--strategy=source"
• to use it as a base image for a Docker build, pass "--strategy=docker"

oc new-app nginx:1.18~https://github.com/sclorg/nginx-container.git --context-dir=1.18/test/test-app/ --strategy=source
--> Found container image 862e748 (22 hours old) from Docker Hub for "nginx:1.18"

* An image stream tag will be created as "nginx:1.18" that will track the source image
* A source build using source code from https://github.com/sclorg/nginx-container.git will be created
  * The resulting image will be pushed to image stream tag "nginx-container:latest"
  * Every time "nginx:1.18" changes a new build will be triggered

--> Creating resources ...
imagestream.image.openshift.io "nginx" created
imagestream.image.openshift.io "nginx-container" created
buildconfig.build.openshift.io "nginx-container" created
deployment.apps "nginx-container" created
service "nginx-container" created
--> Success
Build scheduled, use 'oc logs -f bc/nginx-container' to track its progress.
Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
'oc expose svc/nginx-container'
Run 'oc status' to view your app.

oc logs -f bc/nginx-container
Cloning "https://github.com/sclorg/nginx-container.git" ...
Commit: 4ce4be9 (Merge pull request #125 from pkubatrh/move_latest_imagestreams)
Author: Petr Hracek [email protected]
Date: Thu Oct 22 12:57:02 2020 +0200
Caching blobs under "/var/cache/blobs".
Getting image source signatures
Copying blob sha256:bb79b6b2107fea8e8a47133a660b78e3a546998fcf0427be39ac9a0af4a97e90
Copying blob sha256:ad34e8cc33546c0c8fb4afb5d881052e8c7350e2aa6a27435994b6d34cfd3d72
Copying blob sha256:49ddf17900338a5699a1be53911eea9f546c722330699b4d49c6ad2e38df8a78
Copying blob sha256:8f71a46554c507ff1a2b1a8dfa5804ec6b7d3ed66190d94bd67039e9b260b41a
Copying blob sha256:67b735c9b17f1efa80f5516d25748b4c870bbe16758a24fd64612da110ba51a4
Copying config sha256:862e7484c3741e813dcc8c408c9f6a3e391fba1388c9407685893af0b9f0bea9
Writing manifest to image destination
Storing signatures
Generating dockerfile with builder image nginx@sha256:c06730857b347ac1f0c12ff7b866dc384feafa7d1fe81900412c7bdaba042a74
STEP 1: FROM nginx@sha256:c06730857b347ac1f0c12ff7b866dc384feafa7d1fe81900412c7bdaba042a74
STEP 2: LABEL "io.openshift.build.source-context-dir"="1.18/test/test-app" "io.openshift.build.image"="nginx@sha256:c06730857b347ac1f0c12ff7b866dc384feafa7d1fe81900412c7bdaba042a74" "io.openshift.build.commit.author"="Petr Hracek [email protected]" "io.openshift.build.commit.date"="Thu Oct 22 12:57:02 2020 +0200" "io.openshift.build.commit.id"="4ce4be9db468c35a15f6124024a697a221619dea" "io.openshift.build.commit.ref"="master" "io.openshift.build.commit.message"="Merge pull request #125 from pkubatrh/move_latest_imagestreams" "io.openshift.build.source-location"="https://github.com/sclorg/nginx-container.git"
STEP 3: ENV OPENSHIFT_BUILD_NAME="nginx-container-1" OPENSHIFT_BUILD_NAMESPACE="s2i-lighttpd" OPENSHIFT_BUILD_SOURCE="https://github.com/sclorg/nginx-container.git" OPENSHIFT_BUILD_COMMIT="4ce4be9db468c35a15f6124024a697a221619dea"
STEP 4: USER root
STEP 5: COPY upload/src /tmp/src
STEP 6: RUN chown -R 1001:0 /tmp/src
STEP 7: USER 1001
STEP 8: RUN /usr/libexec/s2i/assemble
/bin/sh: 1: /usr/libexec/s2i/assemble: not found
subprocess exited with status 127
subprocess exited with status 127
error: build error: error building at STEP "RUN /usr/libexec/s2i/assemble": exit status 127

Nginx rpm package, in Fedora land, has version 1.18.
Unfortunately, the latest version in the container is 1.16.

It would be nice to add there the latest version.
The version is needed by this PR:

• sclorg/container-workflow-tool#21
• sclorg/betka#19

Preconditions:
Openshift version: oc v3.11.0+0cbc58b

Steps:

• login to the Openshift privileged.psi
• Create a new project
• Deploy a new app:oc new-app nginx:1.16~https://github.com/sclorg/nginx-container.git --context-dir=1.16/test/test-app/ --strategy=source

Actual result:

    Cloning "https://github.com/sclorg/nginx-container.git " ...
            Commit: fd6408c1fdaeb6777718c8354699583620bdabb8 (Run all tests and report results at the end (#117))
            Author: Petr Hracek <[email protected]>
            Date:   Mon Jul 27 13:24:40 2020 +0200
    error: build error: image "nginx@sha256:2963fc49cc50883ba9af25f977a9997ff9af06b45c12d968b7985dc1e9254e4b" must specify a user that is numeric and within the range of allowed users
Submit a correction or amendment below (click here to make a fresh posting)

Expected result:
The app was deployed without any errors

Right now the nginx.conf provided by s2i by default includes a block:

 location {
 }

in the default_server block. When serving an SPA at root this causes problems. There are a bunch of examples out there for how to serve single page apps from root

• https://gist.github.com/dimitardanailov/7a7c4e3be9e03d1b578a
• https://gkedge.gitbooks.io/react-router-in-the-real/content/nginx.html
• https://serverfault.com/questions/773705/make-nginx-serve-index-html-if-requested-url-is-not-found-without-using-error-pa

What I'd like to propose (and will submit a PR for) is to allow an environment flag for replacing the default location block with SPA block.

 location / {
    try_files $uri $uri/ /index.html
 }

Or if we want to add the ability to inject a SPA block through a predefined named file.

I would like to set-up nginx as a reverse proxy for TCP data using configuration as shown below.

stream {
    access_log /var/log/nginx/stream-rp.log ;
    error_log /var/log/nginx/stream-rp.err ;

    upstream messaging {
        server messaging:9090;
    }

    server {
        listen 9090;
        proxy_ssl false;
        location / {
            proxy_pass messaging;
        }
    }
}

This does not work since stream is not a known directive. The resolution is to add the stream modules dynamically as seen in nginx -V output below (--with-stream=dynamic).

nginx version: nginx/1.14.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/rh/rh-nginx114/root/usr/share/nginx --sbin-path=/opt/rh/rh-nginx114/root/usr/sbin/nginx --modules-path=/opt/rh/rh-nginx114/root/usr/lib64/nginx/modules --conf-path=/etc/opt/rh/rh-nginx114/nginx/nginx.conf --error-log-path=/var/opt/rh/rh-nginx114/log/nginx/error.log --http-log-path=/var/opt/rh/rh-nginx114/log/nginx/access.log --http-client-body-temp-path=/var/opt/rh/rh-nginx114/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/opt/rh/rh-nginx114/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/opt/rh/rh-nginx114/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/opt/rh/rh-nginx114/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/opt/rh/rh-nginx114/lib/nginx/tmp/scgi --pid-path=/var/opt/rh/rh-nginx114/run/nginx/nginx.pid --lock-path=/var/opt/rh/rh-nginx114/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_auth_request_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

To load the module dynamically, I added this line right at the top of thenginx.conf file. The module path is derived from --modules_path in the nginx -V output.

load_module /opt/rh/rh-nginx114/root/usr/lib64/nginx/modules/ngx_stream_module.so

However, /opt/rh/rh-nginx114/root/usr/lib64/nginx/modules is empty.

Can you please suggest a way to enable the stream module?

It's present in 1.18 and 1.22, but missing in 1.20.

The result in the following failing:

podman run -it ubi8/nginx-120 /usr/libexec/s2i/run
2022/12/09 19:47:01 [emerg] 1#0: getpwnam("nginx") failed (2: No such file or directory)
nginx: [emerg] getpwnam("nginx") failed (2: No such file or directory)

or after running an s2i the resultant container runs as root (if not run in OpenShift):

s2i build empty registry.access.redhat.com/ubi8/nginx-120 nginx1
podman run -it nginx1 id
uid=0(root) gid=0(root) groups=0(root)

The instructions on https://access.redhat.com/containers/?tab=overview&get-method=red-hat-login#/registry.access.redhat.com/rhel8/nginx-114 using 1.14 produce a s2i container that doesn't start:

$ docker run --rm -it nginx-sample-app:latest
2019/05/07 21:52:37 [emerg] 1#0: open() "/etc/opt/rh/rh-nginx114/nginx/mime.types" failed (2: No such file or directory) in /etc/nginx/nginx.conf:28
nginx: [emerg] open() "/etc/opt/rh/rh-nginx114/nginx/mime.types" failed (2: No such file or directory) in /etc/nginx/nginx.conf:28

The paths in rhel8 have been changed, specifically mime.types:

$ docker run --rm -it nginx-sample-app:latest rpm -qf /etc/nginx/mime.types
nginx-1.14.1-8.module+el8+2505+fe936cef.x86_64

https://hub.docker.com/r/centos/nginx-16-centos7/ has a few basic things about the container, but it would be good to extend that information to also include the default config already supplied inside the container and the default web content path's etc.

That would dramatically improve the usability of this container and reduce the amount of time the user needs to spend introspecting the container itself.

If such information is available elsewhere, please link to it.

cc @kwk @hhorak

during pull as rootless, /root/.bash_logout access is attempted?

I have a simple nginx.conf at the root of my git repository. I want to launch Nginx in a pod with this command: oc new-app registry.access.redhat.com/rhscl/nginx-114-rhel7~https://github.com/user/repo.git

The build and deployment configuration seem to have gone fine. However, the pod does not show any log output at all! How do I verify if the launch is successful or not?

nginx.conf

events { }

http {
    log_format main '$time_iso8601 - $remote_addr - "$http_user_agent" - "$request" - $request_id '
    '- $status - $body_bytes_sent - $request_time ';

    upstream registry {
        least_conn;
        server localhost:3000;
    }

    server {
        location / {
            proxy_set_header X-Nginx-Header $request_id;
            proxy_pass http://registry/;
        }
    }
}

Similar to the other request for streaming support can we install the module to support the perl module?

The default nginx installation is set to load that module dynamically already it just needs the module installed.

sh-4.4$ nginx -V
nginx version: nginx/1.16.1
built by gcc 8.3.1 20190507 (Red Hat 8.3.1-4) (GCC) 
built with OpenSSL 1.1.1c FIPS  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

--with-http_perl_module=dynamic

The module path only has the current stream module

sh-4.4$ ls /usr/lib64/nginx/modules
ngx_stream_module.so

Is it just a matter of adding rh-nginx${NGINX_SHORT_VER}-nginx-mod-http-perl to the install list?

Hi,

Today I get some 404 HTTP error when trying to install rh-nginx116-nginx-mod-http-perl in your container. The 404 error originates from https://cbs.centos.org/repos/sclo7-rh-nginx116-rh-candidate/x86_64/os/repodata/repomd.xml .

You can easily replicate the issue:

bash-4.2# yum update
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: XXX
 * centos-sclo-rh: XXX
 * extras: XXX
 * updates: XXX
base                                                                                                                                                                           | 3.6 kB  00:00:00     
https://cbs.centos.org/repos/sclo7-rh-nginx116-rh-candidate/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article 

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/.



 One of the configured repositories failed (added from: https://cbs.centos.org/repos/sclo7-rh-nginx116-rh-candidate/x86_64/os/),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=cbs.centos.org_repos_sclo7-rh-nginx116-rh-candidate_x86_64_os_ ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable cbs.centos.org_repos_sclo7-rh-nginx116-rh-candidate_x86_64_os_
        or
            subscription-manager repos --disable=cbs.centos.org_repos_sclo7-rh-nginx116-rh-candidate_x86_64_os_

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=cbs.centos.org_repos_sclo7-rh-nginx116-rh-candidate_x86_64_os_.skip_if_unavailable=true

failure: repodata/repomd.xml from cbs.centos.org_repos_sclo7-rh-nginx116-rh-candidate_x86_64_os_: [Errno 256] No more mirrors to try.
https://cbs.centos.org/repos/sclo7-rh-nginx116-rh-candidate/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found

While looking into it, i observed that the Dockerfile between 1.16 and 1.12 differs on two lines:
https://github.com/sclorg/nginx-container/blob/master/1.16/Dockerfile#L48 . In other versions, those got removed: https://github.com/sclorg/nginx-container/blob/master/1.14/Dockerfile#L48

Were they accidentally left in?

Given these nginx instances are configured to run in containers, is there any reason that port_in_redirect off; should not be a default directive in the server {} block? I realize one can add that directive to a file in ./nginx-default-cfg/, but given the unlikely scenario of wanting the internal container listening port exposed by a redirect it seems reasonable to disable by default.

Scenario: foo.org/blah =[redirect]=> foo.org:8080/blah/, which will fail because haproxy (or the like) isn't listening to 8080.

Nginx image should allow to use secured connections over SSL. I believe that it should be possible to just provide the SSL certificate somewhere, and appropriate config file, but we should document it explicitly as a common use case. We may also consider providing a self-signed certificate as a default case, same as it is done in httpd case.

I'm attempting to validate I can use the the recently added nginx-start feature, however the vcs-ref label of 006f87a5925d52ba6e121929586a8aa167975c doesn't match any commits in this github project.

The image id I have is 89a6bb330c17, and the image was sourced from:
https://access.redhat.com/containers/?tab=docker-file#/registry.access.redhat.com/rhscl/nginx-112-rhel7/images/1-8