Fix file and folder permissions on nginx-runtime

openshift/templates/nginx-runtime/Dockerfile

@@ -1,8 +1,12 @@
 # Use the offical nginx (based on debian)
-FROM nginx:mainline
+FROM nginx:stable
+
+ENV STI_SCRIPTS_PATH=/usr/libexec/s2i
 
 # Required for HTTP Basic feature
-RUN apt-get update && apt-get install openssl
+RUN apt-get update -y && \
+    apt-get install -y openssl ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 # Copy our OpenShift s2i scripts over to default location
 COPY ./s2i/bin/ /usr/libexec/s2i/
@@ -13,11 +17,27 @@ LABEL io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
 # Copy config from source to container
 COPY nginx.conf.template /tmp/
 
+# =================================================================================
 # Fix up permissions
-RUN chmod -R 0777 /tmp /var /run /etc /mnt /usr/libexec/s2i/
+# ref: https://torstenwalter.de/openshift/nginx/2017/08/04/nginx-on-openshift.html
+# - S2I sripts must be executable
+# - Make sure nginx can read and write it's working directories.
+# - The container dynamically configures nginx on startup
+# - The application artifacts live in /tmp
+# ---------------------------------------------------------------------------------
+RUN chmod -R g+rwx $STI_SCRIPTS_PATH
+RUN chmod g+rw /var/cache/nginx \ 
+               /var/run \
+               /var/log/nginx \
+               /etc/nginx/nginx.conf \
+               /tmp
+# =================================================================================
+
+# Work-around for issues with S2I builds on Windows
+WORKDIR /tmp
 
 # Nginx runs on port 8080 by default
 EXPOSE 8080
 
 # Switch to usermode
-USER 104
+USER 104