From 5942c3f0af40c482637eb3bc0732ac9984d08d54 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Wed, 26 Jun 2024 18:56:16 +0200 Subject: [PATCH 1/3] fix: update NGINX Plus Dockerfile --- Dockerfile.buildkit.plus | 153 ++++++++++-------- Dockerfile.oss | 63 +++----- Dockerfile.plus | 144 ++++++++++------- plus/usr/local/bin/add_nginx_plus_repo.sh | 35 ---- plus/usr/share/keyrings/.gitattributes | 1 - .../share/keyrings/nginx-archive-keyring.gpg | Bin 1067 -> 0 bytes 6 files changed, 193 insertions(+), 203 deletions(-) delete mode 100644 plus/usr/local/bin/add_nginx_plus_repo.sh delete mode 100644 plus/usr/share/keyrings/.gitattributes delete mode 100644 plus/usr/share/keyrings/nginx-archive-keyring.gpg diff --git a/Dockerfile.buildkit.plus b/Dockerfile.buildkit.plus index e0fc59e..68f2654 100644 --- a/Dockerfile.buildkit.plus +++ b/Dockerfile.buildkit.plus 
@@ -1,67 +1,84 @@ -FROM debian:bookworm-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 +ARG RELEASE=bookworm +FROM debian:${RELEASE}-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 -ENV NGINX_PLUS_VERSION 30-2 -ENV NGINX_VERSION 1.25.1 -ENV NJS_VERSION 30+0.8.0-1 -ENV XSLT_VERSION 30-1 +# NJS env vars +ENV NGINX_VERSION=32 +ENV NGINX_PKG_RELEASE=1~${RELEASE} +ENV NJS_VERSION=0.8.4 +ENV NJS_PKG_RELEASE=1~${RELEASE} -ENV PROXY_CACHE_MAX_SIZE "10g" -ENV PROXY_CACHE_INACTIVE "60m" -ENV PROXY_CACHE_SLICE_SIZE "1m" -ENV PROXY_CACHE_VALID_OK "1h" -ENV PROXY_CACHE_VALID_NOTFOUND "1m" -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" -ENV CORS_ENABLED 0 -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" -ENV DIRECTORY_LISTING_PATH_PREFIX "" -ENV STRIP_LEADING_DIRECTORY_PATH "" -ENV PREFIX_LEADING_DIRECTORY_PATH "" +# Proxy cache env vars +ENV PROXY_CACHE_MAX_SIZE=10g +ENV PROXY_CACHE_INACTIVE=60m +ENV PROXY_CACHE_SLICE_SIZE=1m +ENV PROXY_CACHE_VALID_OK=1h +ENV PROXY_CACHE_VALID_NOTFOUND=1m +ENV PROXY_CACHE_VALID_FORBIDDEN=30s -COPY plus/usr /usr +# CORS env vars +ENV CORS_ENABLED=0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" -# Copy files from the OSS NGINX Docker container such that the container -# startup is the same. 
-# Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster -COPY common/docker-entrypoint.sh /docker-entrypoint.sh -COPY common/docker-entrypoint.d /docker-entrypoint.d/ -COPY plus/docker-entrypoint.d /docker-entrypoint.d/ -# Add NGINX Plus package repository keyring -COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg +# S3 proxy env vars +ENV DIRECTORY_LISTING_PATH_PREFIX="" +ENV STRIP_LEADING_DIRECTORY_PATH="" +ENV PREFIX_LEADING_DIRECTORY_PATH="" -RUN --mount=type=secret,id=nginx-crt --mount=type=secret,id=nginx-key \ - set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - mkdir -p /etc/ssl/nginx; \ - cp /run/secrets/nginx-crt /etc/ssl/nginx/nginx-repo.crt; \ - chmod 0664 /etc/ssl/nginx/nginx-repo.crt; \ - cp /run/secrets/nginx-key /etc/ssl/nginx/nginx-repo.key; \ - chmod 0664 /etc/ssl/nginx/nginx-repo.key; \ - # create nginx user/group first, to be consistent throughout docker variants - addgroup --system --gid 101 nginx; \ - adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \ - apt-get -qq update; \ - apt-get -qq upgrade --yes; \ - apt-get -qq install --yes \ - ca-certificates \ - curl \ - libedit2; \ - sh -a /usr/local/bin/add_nginx_plus_repo.sh; \ - rm /usr/local/bin/add_nginx_plus_repo.sh; \ - apt-get -qq update; \ - export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \ - apt-get -qq install --no-install-recommends --no-install-suggests -y \ - nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \ - gettext-base; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/* /etc/ssl/nginx; \ - # forward request and error 
logs to docker log collector - ln -sf /dev/stdout /var/log/nginx/access.log; \ - ln -sf /dev/stderr /var/log/nginx/error.log; \ - chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh +# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by: +# 1. Explicitly installing the version of njs coded in the environment variable above. +# 2. Adding configuration files needed for proxying private S3 buckets. +# 3. Adding a directory for proxied objects to be stored. +# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers. -ENTRYPOINT ["/docker-entrypoint.sh"] +# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context +RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ + --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ + set -x \ +# Create nginx user/group first, to be consistent throughout Docker variants + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg2 lsb-release \ + && \ + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ + NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ + export GNUPGHOME="$(mktemp -d)"; \ + found=''; \ + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 
"error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ + done; \ + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + rm -rf "$GNUPGHOME"; \ + apt-get remove --purge --auto-remove -y gnupg2 && rm -rf /var/lib/apt/lists/* \ +# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) + && nginxPackages=" \ + nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ + nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + " \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && mkdir -p /etc/ssl/nginx \ + && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ + && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ + && apt-get remove --purge -y lsb-release \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ + && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ +# Forward request logs to Docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log EXPOSE 80 
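Review bot: `found=''` is set once before `for NGINX_GPGKEY in $NGINX_GPGKEYS; do` and never cleared, so after the first fingerprint is fetched the `test -z "$found" && echo >&2 … && exit 1` check cannot fire for the second or third key, and a key that fails to download is simply absent from the exported keyring with no error. Resetting it per key, `for NGINX_GPGKEY in $NGINX_GPGKEYS; do found=''; \`, restores the check. Separately, the keyring block is `;`-separated and the instruction opens with `set -x` only, so a failing `gpg1 --export` would still leave an empty `$NGINX_GPGKEY_PATH` behind through the redirection and the build would run on into `apt-get update`; `set -ex` stops the RUN at the first error and is compatible with the `&& … && break` lists already used inside the loops. The same block is repeated in the Dockerfile.plus hunk further down, where both changes apply as well.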
@@ -69,15 +86,17 @@ STOPSIGNAL SIGTERM CMD ["nginx", "-g", "daemon off;"] -# NGINX Docker image setup complete, everything below is specific for -# the S3 Gateway use case. - +# Copy files from the OSS NGINX Docker container such that the container +# startup is the same. COPY plus/etc/nginx /etc/nginx COPY common/etc /etc -COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh +COPY common/docker-entrypoint.sh /docker-entrypoint.sh +COPY common/docker-entrypoint.d /docker-entrypoint.d/ +COPY plus/docker-entrypoint.d /docker-entrypoint.d/ + +RUN set -x \ + && mkdir -p /var/cache/nginx/s3_proxy \ + && chown nginx:nginx /var/cache/nginx/s3_proxy \ + && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; -RUN set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - mkdir -p /var/cache/nginx/s3_proxy; \ - chown nginx:nginx /var/cache/nginx/s3_proxy; \ - chmod -R +x /docker-entrypoint.d/* +ENTRYPOINT ["/docker-entrypoint.sh"] diff --git a/Dockerfile.oss b/Dockerfile.oss index 4130624..aa64afb 100644 --- a/Dockerfile.oss +++ b/Dockerfile.oss 
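Review bot: The moved comment `# Copy files from the OSS NGINX Docker container such that the container startup is the same.` now introduces `COPY plus/etc/nginx /etc/nginx` and `COPY common/etc /etc`, which are this repository's gateway configuration rather than files taken from the OSS image; it belongs directly above the three `docker-entrypoint` COPY lines, with something like `# S3 gateway configuration` above the two config COPYs. The trailing `;` after `chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh` is stray and can be dropped. The Dockerfile.plus tail hunk below has the identical layout.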
@@ -1,63 +1,46 @@ -FROM nginx:1.27.0@sha256:56b388b0d79c738f4cf51bbaf184a14fab19337f4819ceb2cae7d94100262de8 +FROM nginx:1.27.0@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e # NJS env vars -ENV NJS_VERSION 0.8.4 -ENV NJS_RELEASE 2~bookworm +ENV NJS_VERSION=0.8.4 +ENV NJS_RELEASE=2~bookworm # Proxy cache env vars -ENV PROXY_CACHE_MAX_SIZE "10g" -ENV PROXY_CACHE_INACTIVE "60m" -ENV PROXY_CACHE_SLICE_SIZE "1m" -ENV PROXY_CACHE_VALID_OK "1h" -ENV PROXY_CACHE_VALID_NOTFOUND "1m" -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" +ENV PROXY_CACHE_MAX_SIZE=10g +ENV PROXY_CACHE_INACTIVE=60m +ENV PROXY_CACHE_SLICE_SIZE=1m +ENV PROXY_CACHE_VALID_OK=1h +ENV PROXY_CACHE_VALID_NOTFOUND=1m +ENV PROXY_CACHE_VALID_FORBIDDEN=30s # CORS env vars -ENV CORS_ENABLED 0 -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" +ENV CORS_ENABLED=0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" # S3 proxy env vars -ENV DIRECTORY_LISTING_PATH_PREFIX "" -ENV STRIP_LEADING_DIRECTORY_PATH "" -ENV PREFIX_LEADING_DIRECTORY_PATH "" - -# We modify the nginx base image by: -# 1. Explicitly install the version of njs coded in the environment variable above. -# 2. Adding configuration files needed for proxying private S3 buckets -# 3. Adding a directory for proxied objects to be stored +ENV DIRECTORY_LISTING_PATH_PREFIX="" +ENV STRIP_LEADING_DIRECTORY_PATH="" +ENV PREFIX_LEADING_DIRECTORY_PATH="" + +# We modify the NGINX base image by: +# 1. Explicitly installing the version of njs coded in the environment variable above. +# 2. Adding configuration files needed for proxying private S3 buckets. +# 3. Adding a directory for proxied objects to be stored. # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers. 
RUN set -x \ - && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ - && \ - NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ - NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ - export GNUPGHOME="$(mktemp -d)"; \ - found=''; \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ - gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ - rm -rf "$GNUPGHOME"; \ - apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \ - echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \ + && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \ apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y \ libedit2 \ nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list -COPY common/etc /etc COPY oss/etc /etc +COPY common/etc /etc COPY common/docker-entrypoint.sh /docker-entrypoint.sh COPY common/docker-entrypoint.d /docker-entrypoint.d/ -RUN mkdir -p /var/cache/nginx/s3_proxy \ +RUN set -x \ + && mkdir -p /var/cache/nginx/s3_proxy \ && chown nginx:nginx /var/cache/nginx/s3_proxy \ && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; diff --git a/Dockerfile.plus b/Dockerfile.plus index db8035a..61ee0b4 100644 --- a/Dockerfile.plus +++ b/Dockerfile.plus 
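Review bot: The rewritten RUN now depends on the base image already providing `/etc/apt/keyrings/nginx-archive-keyring.gpg`, since the block that fetched and exported the key was removed, but nothing verifies the file is present; if a future `nginx:` image relocates or renames the keyring, the failure surfaces only as an opaque signature error from `apt-get update`. A guard before the `echo`, `&& test -s /etc/apt/keyrings/nginx-archive-keyring.gpg \`, makes the assumption explicit and fails at a clearly traced command. The `;` that ends the `echo … >> /etc/apt/sources.list.d/nginx.list` line also breaks the `&&` chain, and with `set -x` alone a failure there would not stop the build; `set -ex` would.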
@@ -1,61 +1,83 @@ FROM debian:bookworm-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 -ENV NGINX_PLUS_VERSION 30-2 -ENV NGINX_VERSION 1.25.1 -ENV NJS_VERSION 30+0.8.0-1 -ENV XSLT_VERSION 30-1 +# NJS env vars +ENV NGINX_VERSION=32 +ENV NGINX_PKG_RELEASE=1~${RELEASE} +ENV NJS_VERSION=0.8.4 +ENV NJS_PKG_RELEASE=1~${RELEASE} -ENV PROXY_CACHE_MAX_SIZE "10g" -ENV PROXY_CACHE_INACTIVE "60m" -ENV PROXY_CACHE_SLICE_SIZE "1m" -ENV PROXY_CACHE_VALID_OK "1h" -ENV PROXY_CACHE_VALID_NOTFOUND "1m" -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" -ENV CORS_ENABLED 0 -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" -ENV DIRECTORY_LISTING_PATH_PREFIX "" -ENV STRIP_LEADING_DIRECTORY_PATH "" -ENV PREFIX_LEADING_DIRECTORY_PATH "" +# Proxy cache env vars +ENV PROXY_CACHE_MAX_SIZE=10g +ENV PROXY_CACHE_INACTIVE=60m +ENV PROXY_CACHE_SLICE_SIZE=1m +ENV PROXY_CACHE_VALID_OK=1h +ENV PROXY_CACHE_VALID_NOTFOUND=1m +ENV PROXY_CACHE_VALID_FORBIDDEN=30s -COPY plus/etc/ssl /etc/ssl -COPY plus/usr /usr +# CORS env vars +ENV CORS_ENABLED=0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" -# Copy files from the OSS NGINX Docker container such that the container -# startup is the same. 
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh -COPY common/docker-entrypoint.d /docker-entrypoint.d/ -COPY plus/docker-entrypoint.d /docker-entrypoint.d/ -# Add NGINX Plus package repository keyring -COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg +# S3 proxy env vars +ENV DIRECTORY_LISTING_PATH_PREFIX="" +ENV STRIP_LEADING_DIRECTORY_PATH="" +ENV PREFIX_LEADING_DIRECTORY_PATH="" -RUN set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - # create nginx user/group first, to be consistent throughout docker variants - addgroup --system --gid 101 nginx; \ - adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \ - apt-get -qq update; \ - apt-get -qq upgrade --yes; \ - apt-get -qq install --yes \ - ca-certificates \ - curl \ - libedit2; \ - sh -a /usr/local/bin/add_nginx_plus_repo.sh; \ - rm /usr/local/bin/add_nginx_plus_repo.sh; \ - apt-get -qq update; \ - export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \ - apt-get -qq install --yes --no-install-recommends --no-install-suggests \ - nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \ - gettext-base; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/*; \ - # forward request and error logs to docker log collector - ln -sf /dev/stdout /var/log/nginx/access.log; \ - ln -sf /dev/stderr /var/log/nginx/error.log; \ - chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh +# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by: +# 1. 
Explicitly installing the version of njs coded in the environment variable above. +# 2. Adding configuration files needed for proxying private S3 buckets. +# 3. Adding a directory for proxied objects to be stored. +# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers. -ENTRYPOINT ["/docker-entrypoint.sh"] +# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context +COPY plus/etc/ssl /etc/ssl + +RUN set -x \ +# Create nginx user/group first, to be consistent throughout Docker variants + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg2 lsb-release \ + && \ + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ + NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ + export GNUPGHOME="$(mktemp -d)"; \ + found=''; \ + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ + done; \ + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + rm -rf "$GNUPGHOME"; \ + apt-get remove --purge --auto-remove -y gnupg2 && rm -rf /var/lib/apt/lists/* \ +# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) + && nginxPackages=" \ + nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + 
nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ + nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + " \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && mkdir -p /etc/ssl/nginx \ + && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ + && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ + && apt-get remove --purge -y lsb-release \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ + && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ +# Forward request logs to Docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log EXPOSE 80 
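Review bot: `COPY plus/etc/ssl /etc/ssl` writes the NGINX Plus repository certificate and private key into their own image layer, and the `rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx` at the end of the later RUN removes them only from that RUN's layer, so the key material remains recoverable from the image's layer history by anyone able to pull the image. The new comment telling users to copy the license files into the build context should state this, e.g. `# NOTE: the certificate/key copied below remain in this image's layers; do not push the result to a shared registry - use Dockerfile.buildkit.plus (secret mounts) for that`. Dockerfile.buildkit.plus in this same commit already handles the credential with `--mount=type=secret`, so the non-BuildKit file is best documented as local-build only. The RUN that follows begins and ends within this hunk.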
@@ -63,15 +85,17 @@ STOPSIGNAL SIGTERM CMD ["nginx", "-g", "daemon off;"] -# NGINX Docker image setup complete, everything below is specific for -# the S3 Gateway use case. - +# Copy files from the OSS NGINX Docker container such that the container +# startup is the same. COPY plus/etc/nginx /etc/nginx COPY common/etc /etc -COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh +COPY common/docker-entrypoint.sh /docker-entrypoint.sh +COPY common/docker-entrypoint.d /docker-entrypoint.d/ +COPY plus/docker-entrypoint.d /docker-entrypoint.d/ -RUN set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - mkdir -p /var/cache/nginx/s3_proxy; \ - chown nginx:nginx /var/cache/nginx/s3_proxy; \ - chmod -R +x /docker-entrypoint.d/* +RUN set -x \ + && mkdir -p /var/cache/nginx/s3_proxy \ + && chown nginx:nginx /var/cache/nginx/s3_proxy \ + && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; + +ENTRYPOINT ["/docker-entrypoint.sh"] diff --git a/plus/usr/local/bin/add_nginx_plus_repo.sh b/plus/usr/local/bin/add_nginx_plus_repo.sh deleted file mode 100644 index 6b24bd5..0000000 --- a/plus/usr/local/bin/add_nginx_plus_repo.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/usr/bin/env sh - -# -# Copyright 2020 F5 Networks -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -if [ ! -f "/etc/ssl/nginx/nginx-repo.crt" ]; then - >&2 echo "NGINX Plus repository certificate file not found at path: /etc/ssl/nginx/nginx-repo.crt" - exit 1 -fi - -if [ ! -f "/etc/ssl/nginx/nginx-repo.key" ]; then - >&2 echo "NGINX Plus repository key file not found at path: /etc/ssl/nginx/nginx-repo.key" - exit 1 -fi - -version_codename="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" - -echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" >> /etc/apt/apt.conf.d/90nginx -echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx -echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx -echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx -echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian ${version_codename} nginx-plus" >> /etc/apt/sources.list.d/nginx-plus.list diff --git a/plus/usr/share/keyrings/.gitattributes b/plus/usr/share/keyrings/.gitattributes deleted file mode 100644 index b69c02c..0000000 --- a/plus/usr/share/keyrings/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -*.gpg binary 
diff --git a/plus/usr/share/keyrings/nginx-archive-keyring.gpg b/plus/usr/share/keyrings/nginx-archive-keyring.gpg deleted file mode 100644 index 82b5bff0f1e0456b8d71d9dff520b740b88ec4bf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1067 zcmV+`1l0SP0SyFBPBLNv2mt;R_6i!fh8h0Ns{)@`FE?-%bk+u&fmM*1mdtQm-dpHQ zvJ6LCsG^uX5wZ4tphn*$BgW7qQfInptC~t`W-Qy`3GofGu;E7^3P!9Ag7Z9$0?r6S z8QElp#7+kiz*|GQeHV(O@I9C^xpijr@Ea|ZTYMbm^8|n0C9;C1K?Ju@la$1KG=36% zzcW--M~p(0K#nwDR0JKKj8{n1u=wNy+dpV*H~L}}9F*4H@+)X57bI=>wX+y`{V`sD zOuoRG6U^e5E8Lcxn$V}kcYz8sE+u$3&4#)S1YL zX|rZ7vj*|>BG>X?t8D-g0RRECDQ;(JZg?PbX=iR}Zf78CWqBYxb7^O8X>MmNYh`&r zZf9w3crIgaZ9a(sJ_Hj10stri8v_Ol2?z%R0tOWb0tpHW1Qr4V0RkQY0vCV<0#{K6x$vMSxGE}6pdGCM(`$z1=FlZt}F!64sP z9_w2t(S^WsRlEbC@6QiU0H6Rme--aqG_lL)MubL}p)uo-CiDJYjmEOKBwU)fI27Qn z49eRX)NtZ50~YcYSH{ffASBa?0UQJn0RjL91p-b^N2LG?2@s}F)vN#D8T?;} z#c2(fH-e|(sI-Qi^8SfP?{~e;Uc89j>R2ul z%|{+$XZCtAJd1BS^o(z8kFZZBABPDY6vZ_mAw6!OhG}0}uUWz+SLP@&a`uQu1P~Dd z00spDPEK3W0162Z?C|LeEEgbyQN946r)k35|K+-I`C_d?1jYtkP@1Ts0G>4Ua9$zA zAzGrg5DeCrSpEkZL79j~1P~Dd00spDPEKE80162ZsW)Lcr6k2Zb5;PKU{Z|oi7&m4 l{i`PWrX?qqxF{7z0GtUyVOxWof%>=#j>Mx$*dzb| From 4c1f32e4a5251b74b2a53f9ba342c733f42d3b3e Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Thu, 27 Jun 2024 00:06:54 +0200 Subject: [PATCH 2/3] fix: Plus Dockerfiles --- Dockerfile.buildkit.plus | 25 ++++++++++++++----------- Dockerfile.plus | 31 ++++++++++++++++--------------- 2 files changed, 30 insertions(+), 26 deletions(-) diff --git a/Dockerfile.buildkit.plus b/Dockerfile.buildkit.plus index 68f2654..f5590fc 100644 --- a/Dockerfile.buildkit.plus +++ b/Dockerfile.buildkit.plus @@ -1,6 +1,9 @@ ARG RELEASE=bookworm FROM debian:${RELEASE}-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 +# Persist RELEASE argument +ARG RELEASE + # NJS env vars ENV NGINX_VERSION=32 ENV NGINX_PKG_RELEASE=1~${RELEASE} 
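Review bot: The re-declared `ARG RELEASE` cannot really be overridden, because the `FROM debian:${RELEASE}-slim@sha256:67f3…` line also pins a digest and, when both are given, the digest takes precedence; `--build-arg RELEASE=<other>` would still build on the pinned bookworm-slim image while `NGINX_PKG_RELEASE` and `NJS_PKG_RELEASE` expand to `1~<other>`, and the package install would then fail against the wrong suite. The `# Persist RELEASE argument` comment could carry that constraint, e.g. `# Re-declare so RELEASE is visible after FROM; it must match the codename of the digest-pinned base image above, bump both together`. The Dockerfile.plus hunk below introduces the same ARG/FROM pair.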
@@ -38,25 +41,25 @@ RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg2 lsb-release \ + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ && \ NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ - NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ export GNUPGHOME="$(mktemp -d)"; \ found=''; \ for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ - apt-get remove --purge --auto-remove -y gnupg2 && rm -rf /var/lib/apt/lists/* \ + apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ # Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) && nginxPackages=" \ nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ 
diff --git a/Dockerfile.plus b/Dockerfile.plus index 61ee0b4..9434f1a 100644 --- a/Dockerfile.plus +++ b/Dockerfile.plus @@ -1,4 +1,8 @@ -FROM debian:bookworm-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 +ARG RELEASE=bookworm +FROM debian:${RELEASE}-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 + +# Persist RELEASE argument +ARG RELEASE # NJS env vars ENV NGINX_VERSION=32 
@@ -37,25 +41,25 @@ RUN set -x \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg2 lsb-release \ + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ && \ NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ - NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ export GNUPGHOME="$(mktemp -d)"; \ found=''; \ for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ - apt-get remove --purge --auto-remove -y gnupg2 && rm -rf /var/lib/apt/lists/* \ + apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ # Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) && nginxPackages=" \ nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ 
@@ -67,9 +71,6 @@ RUN set -x \ && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ - && mkdir -p /etc/ssl/nginx \ - && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ - && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ && apt-get remove --purge -y lsb-release \ From 699d436470849d2bced37db428d6a73fd8df10f8 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Wed, 10 Jul 2024 19:46:34 +0200 Subject: [PATCH 3/3] Update Dockerfile.oss --- Dockerfile.oss | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.oss b/Dockerfile.oss index aa64afb..8e5889c 100644 --- a/Dockerfile.oss +++ b/Dockerfile.oss @@ -1,4 +1,4 @@ -FROM nginx:1.27.0@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e +FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df # NJS env vars ENV NJS_VERSION=0.8.4