Docker nginx SELinux (CentOS/RHEL) with 403 forbidden access

So my Dockerfile runs via docker-compose using:

Dockerfile

FROM nginx
#COPY conf
COPY myapp/ /usr/share/nginx/html
RUN chmod -R 664 /usr/share/nginx/html
RUN chown -R nginx /usr/share/nginx/html
RUN chcon -R -t httpd_sys_content_t /usr/share/nginx/html

This is on RHEL 6.x, Docker is old 1.7 or something as well.

    I don’t even need “run chmod/chown/chcon” for most environments!! The Dockerfile works just fine on Windows.

    However, I still get 403 Forbidden errors whenever nginx tries to access ANY file in /usr/share/nginx/html.

    What is the correct way to set up nginx in a Docker container and avoid these SELinux problems? (SELinux is on “Enforcing”)

    In fact, if you do

    RUN/CMD ls -l

    we can see nginx is the user who owns that folder and it has the right permissions! So what the heck is going on?

One solution collected from the web for “Docker nginx SELinux (CentOS/RHEL) with 403 forbidden access”

    Special circumstances related to old Docker 1.7.1 and RHEL6, means you gotta install RHEL7. SELinux does not work well with it. There are some core RHEL6 library issues (shared library permission errors) making it nearly impossible to use with Docker 1.7.1.

    The labels are all wrong. The processes inside the image are init_rc_t type labels which are incorrect. The files can be changed to httpd_sys_content_t but it doesn’t work.

    I think also there may be some nginx:nginx (UID GID mismatching) issues.

    But really, it’s give up time. Not worth investing time in resolving it and my host provider wouldn’t call RHEL6 to ask about it.
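
The answer above names two candidate causes, SELinux labels and an nginx UID/GID mismatch, and the second can be checked on its own. Note that `chmod -R 664`, as in the Dockerfile above, also applies to directories, which then lack the search (x) bit. The script below is an added example, not code from the original post; the function names `lacks` and `dac_blockers` are hypothetical, and it assumes GNU find and a worker process with no supplementary groups.

```shell
#!/bin/sh
# Added example, not from the original post: list the docroot entries whose
# ownership and mode bits alone would make nginx answer 403, so that cause can
# be ruled in or out before looking at SELinux labels.

# lacks UID GID BIT
# Print a find(1) expression that is true when the permission class that
# applies to UID/GID (owner, else group, else other) is missing BIT.
# Assumption: the worker has no supplementary groups.
lacks() {
    printf '%s' "( -user $1 ! -perm -u+$3 \
        -o ! -user $1 -group $2 ! -perm -g+$3 \
        -o ! -user $1 ! -group $2 ! -perm -o+$3 )"
}

# dac_blockers DOCROOT UID GID
# UID and GID are the numeric ids the nginx worker runs with in the container.
dac_blockers() {
    # A directory without the search (x) bit hides everything below it, so it
    # is reported once and pruned. Regular files only need the read (r) bit.
    # Word splitting of the lacks() output is intended.
    find "$1" \
        -type d $(lacks "$2" "$3" x) -exec printf 'dir-no-search %s\n' {} \; -prune \
        -o -type f $(lacks "$2" "$3" r) -exec printf 'file-no-read %s\n' {} \;
}
```

Run inside the container as `dac_blockers /usr/share/nginx/html "$(id -u nginx)" "$(id -g nginx)"`. No output while the 403 persists points away from ownership and mode bits and toward the label problems the answer describes.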
