[bitnami/nginx] latest image: Read-only file system

[jgournet]

Name and Version

bitnami/nginx:1.25

What architecture are you using?

amd64

What steps will reproduce the bug?

1. Running in K8S with "containerSecurityContext.runAsNonRoot" = "true" and file system as read only.
2. Launching a new nginx image, we get an error

Edit:
easiest way to replicate the issue is by doing this:

$ docker run -it -v `pwd`:/opt/bitnami/nginx/conf/:ro bitnami/nginx:latest
nginx 00:13:23.12 INFO  ==> 
nginx 00:13:23.12 INFO  ==> Welcome to the Bitnami nginx container
nginx 00:13:23.12 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
nginx 00:13:23.12 INFO  ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
nginx 00:13:23.12 INFO  ==> 
cp: cannot create directory '/opt/bitnami/nginx/conf/./bitnami': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi.conf': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi.conf.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi_params': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi_params.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./koi-utf': Read-only file system
[...]

What is the expected behavior?

Same behavior as with the older image:

$ docker run -it -v `pwd`:/opt/bitnami/nginx/conf/:ro docker.io/bitnami/nginx:1.25.3
nginx 00:13:55.67 INFO  ==> 
nginx 00:13:55.67 INFO  ==> Welcome to the Bitnami nginx container
nginx 00:13:55.67 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
nginx 00:13:55.67 INFO  ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
nginx 00:13:55.67 INFO  ==> 
nginx 00:13:55.67 INFO  ==> ** Starting NGINX setup **
nginx 00:13:55.69 INFO  ==> Validating settings in NGINX_* env vars
nginx 00:13:55.69 WARN  ==> The NGINX configuration file '/opt/bitnami/nginx/conf/nginx.conf' is not writable by current user. Configurations based on environment variables will not be applied.
nginx 00:13:55.69 WARN  ==> The certificates directories '/opt/bitnami/nginx/conf/bitnami/certs' does not exist or is not writable, skipping sample HTTPS certificates generation

What do you see instead?

nginx 22:07:45.69 INFO  ==>
nginx 22:07:45.70 INFO  ==> Welcome to the Bitnami nginx container
nginx 22:07:45.70 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
nginx 22:07:45.71 INFO  ==> Submit issues and feature requests at https://github.com/bitnami/containers/issues
nginx 22:07:45.71 INFO  ==>
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi.conf': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi.conf.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi_params': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./fastcgi_params.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./koi-utf': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./koi-win': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./mime.types': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./mime.types.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./nginx.conf.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./scgi_params': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./scgi_params.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./uwsgi_params': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./uwsgi_params.default': Read-only file system
cp: cannot create regular file '/opt/bitnami/nginx/conf/./win-utf': Read-only file system
cp: cannot create directory '/opt/bitnami/nginx/conf/./bitnami': Read-only file system
cp: cannot create directory '/opt/bitnami/nginx/conf/./server_blocks': Read-only file

Additional information

Seems like in the new entrypoint file, there is this new code:

# We add the copy from default config in the entrypoint to not break users
# bypassing the setup.sh logic. If the file already exists do not overwrite (in
# case someone mounts a configuration file in /opt/bitnami/nginx/conf)
debug "Copying files from $NGINX_DEFAULT_CONF_DIR to $NGINX_CONF_DIR"
cp -nr "$NGINX_DEFAULT_CONF_DIR"/. "$NGINX_CONF_DIR"

coming from
https://github.com/bitnami/containers/blob/main/bitnami/nginx/1.25/debian-12/rootfs/opt/bitnami/scripts/nginx/entrypoint.sh#L25

which breaks on read-only filesystems

=> maybe just adding a "||true" in the cp command would be enough to satisfy everybody?

[javsalgar]

Hi!

We are very sorry for the inconvenience. Thank you so much for reporting. In the helm chart we are mounting a volume in /opt/bitnami/nginx/conf. In order to not break previous installations, it would make sense to add || true. Would you like to submit a PR with the fix?

[jgournet]

Hi!

We are very sorry for the inconvenience. Thank you so much for reporting. In the helm chart we are mounting a volume in /opt/bitnami/nginx/conf. In order to not break previous installations, it would make sense to add || true. Would you like to submit a PR with the fix?

Done.
This is my first PR here => hopefully I did not make a mess of it.
Let me know of any issues.

[javsalgar]

Thank you so much for the PR! The team will take a look