From 78966329e3caea5983ec25c82b4eb1530f1f35b2 Mon Sep 17 00:00:00 2001
From: continuist
Date: Sat, 20 Sep 2025 23:52:41 -0400
Subject: [PATCH] precreate tmp folders in nginx container
---
deploy/prod-pod.yml | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/deploy/prod-pod.yml b/deploy/prod-pod.yml
index bc22cd0..f5a1d16 100644
--- a/deploy/prod-pod.yml
+++ b/deploy/prod-pod.yml
@@ -144,22 +144,31 @@ spec:
- name: nginx
image: docker.io/nginx:alpine
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ mkdir -p /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
+ chmod 777 /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
+ exec nginx -g 'daemon off;'
# Security: drop all capabilities, read-only root filesystem
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
- runAsUser: 0 # Run as root
- runAsGroup: 0 # Run as root group
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
ports:
- containerPort: 8080 # inside pod
- hostIP: 127.0.0.1 # only loopback on host
- containerPort: 8090 # health inside pod (not exposed)
volumeMounts:
- { name: nginx-run, mountPath: /var/run, readOnly: false }
- { name: nginx-cache, mountPath: /var/cache/nginx, readOnly: false }
- { name: nginx-conf, mountPath: /etc/nginx/nginx.conf, readOnly: true, subPath: nginx.conf }
+ - name: nginx-tmp
+ mountPath: /tmp
# Health check
livenessProbe:
httpGet: { path: /healthz, port: 8090, scheme: HTTP }
@@ -191,4 +200,7 @@ spec:
- name: nginx-cache
hostPath: { path: /opt/sharenet/volumes/nginx-cache, type: DirectoryOrCreate }
- name: nginx-conf
- hostPath: { path: /opt/sharenet/nginx, type: Directory }
\ No newline at end of file
+ hostPath: { path: /opt/sharenet/nginx, type: Directory }
+ - name: nginx-tmp
+ emptyDir:
+ medium: Memory # Uses tmpfs for better performance
\ No newline at end of file
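Review bot: The first hunk appears to also remove `hostIP: 127.0.0.1 # only loopback on host` from the 8080 port entry — the hunk header (22 old lines, 31 new) and the diffstat's 4 deletions only add up if that line is a deletion rather than context — and neither the subject line nor the body mentions it. Whether that widens exposure depends on the runtime: `hostIP` is only meaningful alongside a `hostPort`, and none is visible in the hunk, so the line may have been inert, but the comment documents a loopback-only intent and removing it belongs in the commit message or in a separate commit. The `chmod 777` line in the startup script is unnecessary: the five directories are created by the same uid 1000 that nginx now runs as, inside a freshly mounted emptyDir, so `mkdir -p` with the default umask already gives nginx what it needs, and a hardened manifest should not cement world-writable temp dirs. The container block starts before this hunk and continues past it.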
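Review bot: The new `nginx-tmp` emptyDir has `medium: Memory` but no `sizeLimit`, and it now backs the client_body/proxy/fastcgi temp paths, i.e. request and upstream-response bodies spooled under /tmp; without a cap, one large upload or many concurrent ones fill RAM-backed tmpfs (on Kubernetes charged against the container's memory limit, otherwise node memory). Add `sizeLimit: <SIZE_PLACEHOLDER>` under `emptyDir`, sized from the largest body the mounted nginx.conf accepts (its `client_max_body_size` is not visible here) times expected concurrency. The inline comment `# Uses tmpfs for better performance` undersells the trade-off; `# tmpfs: fast, but memory-backed — keep sizeLimit in step with client_max_body_size` says why the limit exists.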