Allow st2web container to be runable as Non-Root

[jk464]

It is good security practice to run containers without root and minimal privileges.

However, the st2web container attempts to expose on port 80 and 443, which are both <1000 privileged ports.

This PR changes the exposed ports to 8080 / 8443, non-privileged ports.

It also edits permissions on NGINX files, to allow nginx to run as the nginx user.

[cognifloyd]

Looking good. Just a couple qusetions.

[jk464]

@cognifloyd I've hopefully actioned all your items - also added in some updates to the st2web README, and also note the latest nginx packages on ubuntu change the nginx user to have 999:999 uid/gid instead of 101:101 - so I've had to update that.

We probably want to pin the nginx version so it doesn't change on arbitrary image builds?

[cognifloyd]

What is the purpose of disabling this? disabling SSL verification is a last-resort--something to do when all other solutions (like regenerating the cert) have failed to fix an issue.

[cognifloyd]

Please re-add the NL at EOF

[cognifloyd]

@cognifloyd I've hopefully actioned all your items - also added in some updates to the st2web README, and also note the latest nginx packages on ubuntu change the nginx user to have 999:999 uid/gid instead of 101:101 - so I've had to update that.

We probably want to pin the nginx version so it doesn't change on arbitrary image builds?

I don't like to manually pin versions most of the time because then someone has to manage that pin. Most of the time (in my experience at least) pins are not well documented, so no one dares to update it until there is a CVE or some other bug or missing feature that forces an update. So, I hesitate to add pinning here without a good plan for how we'll manage that.

[jk464]

@cognifloyd that should be all the issues resolved

[cognifloyd]

I have 2 comments left to address:

• proxy_ssl_verify off maybe this should be configurable? Or allow people to inject lines into the st2api, st2stream, and st2auth blocks?
• re-add newline at end of file