Test build for #3167

Author: SUSE Update Bot

nginx-image/Dockerfile

@@ -25,7 +25,7 @@ COPY --from=target / /target
 
 RUN set -euo pipefail; \
     export PERMCTL_ALLOW_INSECURE_MODE_IF_NO_PROC=1; \
-    zypper -n --installroot /target --gpg-auto-import-keys install --no-recommends curl gawk nginx findutils envsubst
+    zypper -n --installroot /target --gpg-auto-import-keys install --no-recommends curl gawk nginx findutils envsubst sed grep
 # sanity check that the version from the tag is equal to the version of nginx that we expect
 RUN set -euo pipefail; \
     [ "$(rpm --root /target -q --qf '%{version}' nginx | \
@@ -69,5 +69,5 @@ COPY [1-3]0-*.sh /docker-entrypoint.d/
 COPY docker-entrypoint.sh /usr/local/bin
 COPY index.html /srv/www/htdocs/
 RUN set -euo pipefail; chmod +x /docker-entrypoint.d/*.sh /usr/local/bin/docker-entrypoint.sh
-RUN set -euo pipefail; install -d -o nginx -g nginx -m 750 /var/log/nginx;                 ln -sf /dev/stdout /var/log/nginx/access.log;                 ln -sf /dev/stderr /var/log/nginx/error.log
+RUN set -euo pipefail; set -euo pipefail; mkdir -p /var/cache/nginx /var/run/nginx /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;                ln -sf /dev/stdout /var/log/nginx/access.log;                ln -sf /dev/stderr /var/log/nginx/error.log;                chmod -R 777 /var/cache/nginx /etc/nginx /var/run/nginx /var/log/nginx /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
 STOPSIGNAL SIGQUIT

nginx-image/README.md

@@ -41,6 +41,12 @@ The template above is then rendered to `/etc/nginx/conf.d/default.conf` as follo
 ```nginx
 listen  80;
 ```
+## Running nginx as a non-root user
+To run the image as a less privileged user using the `nginx` user, do the following:
+```ShellSession
+$ podman run -it --user nginx --rm -p 8080:8080 -v /path/to/html/:/srv/www/htdocs/:Z -v $PWD/nginx.conf:/etc/nginx/nginx.conf:Z registry.opensuse.org/opensuse/nginx:1.29
+```
+**Note:** When running as the `nginx` user the default port is 8080.
 
 ## Environment variables
 

nginx-image/docker-entrypoint.sh

@@ -44,4 +44,40 @@ if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
     fi
 fi
 
+CURRENT_UID=$(id -u)
+if [ "$CURRENT_UID" -gt "0" ]; then
+    # Running as Unprivileged User
+    entrypoint_log "$0: Running as unprivileged user (UID: $CURRENT_UID). Configuring for unprivileged mode (Port 8080)."
+
+    # Define targets
+    CONF_FILES="/etc/nginx/conf.d/default.conf /etc/nginx/nginx.conf"
+
+    for FILE in $CONF_FILES; do
+        if [ -w "$FILE" ]; then
+            # Check if it actually contains port 80
+            if grep -q "listen .*80;" "$FILE"; then
+                entrypoint_log "Changing port 80 to 8080 in $FILE"
+                # Use a safe writable subdirectory for the swap file
+                sed 's/listen\s*80;/listen 8080;/g' "$FILE" > /tmp/client_temp/nginx_swap.conf && \
+                cat /tmp/client_temp/nginx_swap.conf > "$FILE" && \
+                rm -f /tmp/client_temp/nginx_swap.conf
+            fi
+
+            # Redirect temp paths to /tmp if we are editing the main nginx.conf
+            if [ "$FILE" = "/etc/nginx/nginx.conf" ]; then
+                entrypoint_log "Redirecting NGINX temp paths and setting PID to /tmp in $FILE"
+                # Use a safe writable subdirectory for the swap file
+                sed -e '/^user/d' \
+                    -e 's,^#\?\s*pid\s\+.*;$,pid /var/run/nginx/nginx.pid;,' \
+                    -e '/http {/a \    client_body_temp_path /tmp/client_temp;\n    proxy_temp_path /tmp/proxy_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;' \
+                    "$FILE" > /tmp/client_temp/nginx_ultra.conf && \
+                cat /tmp/client_temp/nginx_ultra.conf > "$FILE" && \
+                rm -f /tmp/client_temp/nginx_ultra.conf
+                entrypoint_log "$0: Removed 'user' directive and updated PID path."
+            fi
+        fi
+    done
+
+    entrypoint_log "$0: Listening on port 8080."
+fi
 exec "$@"