Unprivileged NGINX Dockerfiles
Pull this image
docker pull atcr.io/dsx.sh/chronicler:latest
Overview
NGINX Unprivileged Docker Image
This repo contains a series of Dockerfiles to create an NGINX Docker image that runs NGINX as a non root, unprivileged user. Notable differences with respect to the official NGINX Docker image include:
- The default NGINX listen port is now 8080 instead of 80 (this is no longer necessary as of Docker 20.03 but it's still required in other container runtimes)
- The default NGINX user directive in /etc/nginx/nginx.conf has been removed
- The default NGINX PID has been moved from /var/run/nginx.pid (prior to NGINX 1.27.5) and /run/nginx.pid (NGINX 1.27.5 and later) to /tmp/nginx.pid
- The *_temp_path variables have been changed to /tmp/*
Check out the docs for the upstream Docker NGINX image for a detailed explanation on how to use this image.
Supported Image Registries and Platforms
Image Registries
You can find pre-built images in each of the following registries:
- Amazon ECR - https://gallery.ecr.aws/nginx/nginx-unprivileged
- Docker Hub - https://hub.docker.com/r/nginxinc/nginx-unprivileged
- GitHub Container Registry - https://github.com/nginx/docker-nginx-unprivileged/pkgs/container/nginx-unprivileged
- Note: For releases prior to NGINX 1.27.4 (mainline branch) and 1.26.3 (stable branch), use the old registry link https://github.com/orgs/nginxinc/packages/container/package/nginx-unprivileged
- Quay - https://quay.io/repository/nginx/nginx-unprivileged
Image Builds and Retention Policy
Image Builds
New images are built whenever there is a new NGINX release or a critical CVE is found and fixed (check the security documentation for more details). New images are also built and pushed to all registries on a weekly basis every Monday night. Whenever a new image is built, the current NGINX mainline and stable tags get switched to the latest build, and the image that gets replaced will become untagged. If you wish to point your builds to a specific image over time, use the specific image digest instead of the tag.
Image Retention Policy
Untagged images on Amazon ECR and the GitHub Container Registry are cleaned up every two years. Untagged images on Docker Hub are not cleaned up at this time (this might change with the incoming storage changes). Untagged images on Quay are continuously removed by its built-in garbage collector. The last built tag of every release is kept indefinitely in every one of the aforementioned registries.
Architectures
Most images are built for the amd64, arm32v5 (for Debian), arm32v6 (for Alpine), arm32v7, arm64, i386, mips64le (for Debian), ppc64le and s390x architectures. OTel images are built for amd64 and arm64.
Troubleshooting Tips
- If you wish to use a different user ID and/or group ID when running the Docker Unprivileged image, rebuild the image using the following Docker build arguments:
    docker build --build-arg UID=<UID> --build-arg GID=<GID> -t nginx-unprivileged .
- If you override the default nginx.conf file you may encounter various types of error messages:
  - To fix nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied), you have to specify a valid pid location by adding the line pid /tmp/nginx.pid; at the top level of your config. NOTE: NGINX 1.27.5 will complain about permissions for /run/nginx.pid due to a policy change for this path.
  - To fix nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system), you have to specify a valid location for the various NGINX temporary paths by adding these lines within the http context:
        http {
            client_body_temp_path /tmp/client_temp;
            proxy_temp_path /tmp/proxy_temp_path;
            fastcgi_temp_path /tmp/fastcgi_temp;
            uwsgi_temp_path /tmp/uwsgi_temp;
            scgi_temp_path /tmp/scgi_temp;
            ...
        }
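To catch these overrides before an image is rebuilt, here is an added shell lint for a custom nginx.conf (example code, not part of the nginx-unprivileged project; the function name and the assumption that each directive starts its own line are mine). It checks the pid path, the five temp paths, a leftover user directive, and any listen port below 1024 that an unprivileged master process cannot bind.

```shell
#!/bin/sh
# check_unprivileged_conf: lint a custom nginx.conf for the pitfalls the
# troubleshooting tips describe. Added example; assumes one directive per line.
# Prints one line per finding and returns 0 only when nothing was found.
check_unprivileged_conf() {
    conf="$1"
    rc=0
    # 1. pid must live somewhere the unprivileged user can write (/tmp/nginx.pid)
    if ! grep -Eq '^[[:space:]]*pid[[:space:]]+/tmp/nginx\.pid[[:space:]]*;' "$conf"; then
        echo "missing: pid /tmp/nginx.pid; (top level)"; rc=1
    fi
    # 2. every *_temp_path must be moved under /tmp, otherwise NGINX tries to
    #    mkdir below /var/cache/nginx, which is read-only / not owned by the user
    for d in client_body_temp_path proxy_temp_path fastcgi_temp_path \
             uwsgi_temp_path scgi_temp_path; do
        if ! grep -Eq "^[[:space:]]*$d[[:space:]]+/tmp/" "$conf"; then
            echo "missing: $d /tmp/...; (http context)"; rc=1
        fi
    done
    # 3. the user directive only has an effect when the master runs as root,
    #    so in this image it is dead config that NGINX warns about
    if grep -Eq '^[[:space:]]*user[[:space:]]' "$conf"; then
        echo "remove: user directive (master process is not root)"; rc=1
    fi
    # 4. listen ports below 1024 need CAP_NET_BIND_SERVICE, which the
    #    unprivileged image does not have; strip options, ';' and any host part
    for p in $(awk '/^[ \t]*listen[ \t]/ { v=$2; sub(/;.*/, "", v); sub(/.*:/, "", v);
                     if (v ~ /^[0-9]+$/ && v+0 < 1024) print v }' "$conf"); do
        echo "privileged port: listen $p (below 1024, cannot bind unprivileged)"; rc=1
    done
    return $rc
}
```

Run it as `check_unprivileged_conf ./nginx.conf` from a build script and fail the build on a non-zero exit.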
On Reporting Issues and Opening PRs
Whilst issues and PRs are welcome, please do note that:
- Issues related to security vulnerabilities will be promptly closed unless they are accompanied by a solid reasoning as to why the vulnerability poses a real security threat to this image. Check out the security documentation for more details.
- These images are unprivileged ports of the upstream Docker NGINX images. Any changes that do not specifically involve the changes made to run NGINX on an unprivileged system should be reported in the Docker NGINX upstream repo. They will not get addressed here.
- Following from 2., base images (e.g. Alpine x.x or Debian x) in the Docker NGINX upstream repo get updated when a new version of NGINX is released, never within the same release version. Similarly, new NGINX releases usually make their way to the Docker NGINX image a couple days after their standard release. Please refrain from opening an issue or PR here if the upstream repo hasn’t been updated – it will be closed.
Contributing
Please see the contributing guide for guidelines on how to best contribute to this project.
License
© F5, Inc. 2018 - 2025