Why am I getting a read-only file system error from Nginx in my container?

#1

Dear K8S community Team,

I am getting this error message from nginx when I deploy my application pod. My application, an Angular 6 app, is hosted inside an nginx server, which is deployed as a Docker container inside EKS.

I have my application configured as a “read-only container filesystem”, but I am using an “ephemeral mounted” volume of type “emptyDir” in combination with a read-only filesystem.

So I am not sure of the reason for the following error:

```
2019/04/02 14:11:29 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)
```

my deployment.yaml

```
spec:
      volumes:
        - name: tmp-volume
          emptyDir: {}
      # Pod Security Context
      securityContext:
        fsGroup: 2000
      containers:
      - name: {{ .Chart.Name }}
        volumeMounts:
        - mountPath: /tmp
          name: tmp-volume
        image: "{{ .Values.image.name }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        # Container Security Context (one block; a repeated key would replace the first)
        securityContext:
          readOnlyRootFilesystem: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
        # ports belongs to the container, not to securityContext
        ports:
          - name: http
            containerPort: 80
            protocol: TCP
...
```

nginx.conf


```
...
http {

  include           /etc/nginx/mime.types;
  default_type      application/octet-stream;

  # Turn off the bloody buffering to temp files
  proxy_buffering off;

  sendfile          off;
  keepalive_timeout 120;

  server_names_hash_bucket_size 128;

  # These two should be the same or nginx will start writing 
  #  large request bodies to temp files
  client_body_buffer_size 10m;
  client_max_body_size    10m;
...
```

#2

Am I missing something or is “/var/cache/nginx/client_temp” on the read-only filesystem?

You are mounting only /tmp, right?


#3

You are right! Now I am redirecting nginx to create files here at my mounted volume:

nginx.conf

```
..
http {

  client_body_temp_path /tmp 1 2;
  proxy_temp_path /tmp 1 2;
  fastcgi_temp_path /tmp 1 2;
  uwsgi_temp_path /tmp 1 2;
  scgi_temp_path /tmp 1 2;

...
  server {
    listen 0.0.0.0:80;
```

But now I am getting this error:

```
2019/04/02 15:22:43 [emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
```


#4

Again, here is my deployment.yaml:


```
      volumes:
        - name: tmp-volume
          emptyDir: {}
      # Pod Security Context
      securityContext:
        fsGroup: 2000
      containers:
      - name: {{ .Chart.Name }}
        volumeMounts:
        - mountPath: /tmp
          name: tmp-volume
        image: "{{ .Values.image.name }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        # Container Security Context (one block; a repeated key would replace the first)
        securityContext:
          readOnlyRootFilesystem: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
        # ports belongs to the container, not to securityContext
        ports:
          - name: http
            containerPort: 80
            protocol: TCP
```

#5

Permission denied to bind to port 80 is probably because you are running as a non-root user. You would need to use another port or give permissions, I think.


#6

Which permissions to give, and how?


#7

If you are not running your containers as root, you probably need to set the capability if you need port 80. Like this: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container

But please note that you probably don’t need it, you can have a service expose port 80 and route it to your pod on port 8080. That is simpler and maybe more secure 🙂

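The setup the replies point toward, written out as an added example (not posted by anyone in this thread): a read-only root filesystem with a writable emptyDir at the path from the mkdir() error, nginx on an unprivileged port, and a Service that maps port 80 to it. The resource names, image, UID and the `listen 8080;` setting in nginx.conf are assumptions.

```yaml
# Added example; names, image and UID are placeholders, not values from the thread.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: angular-web
spec:
  replicas: 1
  selector:
    matchLabels: {app: angular-web}
  template:
    metadata:
      labels: {app: angular-web}
    spec:
      securityContext:
        fsGroup: 2000                 # volumes are group-owned by this GID
      volumes:
        - {name: tmp-volume, emptyDir: {}}
        - {name: nginx-cache, emptyDir: {}}
      containers:
        - name: nginx
          image: registry.example/angular-web:1.0   # placeholder image
          ports:
            - {name: http, containerPort: 8080, protocol: TCP}
          securityContext:            # a single block per container
            runAsNonRoot: true
            runAsUser: 101            # assumed UID of the image's nginx user
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]             # NET_BIND_SERVICE is not needed for ports above 1023
          volumeMounts:
            - {name: tmp-volume, mountPath: /tmp}
            - {name: nginx-cache, mountPath: /var/cache/nginx}   # path from the mkdir() error
---
apiVersion: v1
kind: Service
metadata:
  name: angular-web
spec:
  selector: {app: angular-web}
  ports:
    # Clients connect to 80; traffic is routed to the pod's named port (8080).
    - {name: http, port: 80, targetPort: http, protocol: TCP}
```

Any other file nginx writes at startup, such as its pid file, also has to point at one of the mounted volumes (for example `pid /tmp/nginx.pid;`).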