10-listen-on-ipv6-by-default.sh breaks read-only container

[ginkel]

We are running our nginx containers with a read-only FS for security reasons (and mount a tmpfs as /run and /var/cache/nginx). These containers broke last night when mainline was switched to 1.19.0:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
sed: can't create temp file '/etc/nginx/conf.d/default.confXXXXXX': Read-only file system

Not completely sure what the right behavior should be, probably modifying the config file as part of the container build and not at runtime.

Edit: Just noticed that the script in question also has been added to stable, so that's also affected...

[thresheek]

Hello @ginkel, thanks for the notification.

I guess the proper way of action would be to check if /etc/nginx is writable and exiting nicely if it isnt.

[techgourmet]

Same here....
Any outlook on a solution, as we also run it with a read-only FS ... and yes this is also for security reasons.

Workaround for us was going back to version 1.18.

[thresheek]

There are temporary workarounds:

• remove /etc/nginx/conf.d/default.conf
• mount an empty volume to /docker-entrypoint.d/

I will push a fixed 10-listen-on-ipv6-by-default.sh shortly, but it will take some time to update the 1.19 tags.

[techgourmet]

thanks :)

[techgourmet]

Tested and confirming that the new deploy works out of the box again.
@thresheek thanks for your swift action.

[kk-hiraskar]

I got this issue today with nginx:alpine and also nginx:latest

Resolved by using https://hub.docker.com/r/nginxinc/nginx-unprivileged

[jed-hacker]

{"log":"10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist\n","stream":"stdout","time":"2023-02-02T02:42:24.199683098Z"}
I have a question to ask. I restarted the nginx container before this problem occurred. I don't know why it happened suddenly

[pgassmann]

The log message is just an INFO, from the check whether the file can be modified. if it cannot be touched, the script exits 0 (success).
That's not an issue if the read-only mounted config file works for you.

Current source code:
touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; }