2022-01-10 13:55:32 +00:00
|
|
|
FROM harbor.dragse.it/base/alpine:3.15
|
|
|
|
|
|
|
|
LABEL maintainer="Lennard Brinkhaus <lennard.brinkhaus@dragse.de>"
|
|
|
|
|
|
|
|
ENV NGINX_VERSION 1.21.5
|
|
|
|
ENV NJS_VERSION 0.7.1
|
|
|
|
ENV PKG_RELEASE 1
|
|
|
|
|
|
|
|
RUN echo $'http://nexus.dragse.it/repository/apk-main/\nhttp://nexus.dragse.it/repository/apk-community/' > /etc/apk/repositories
|
|
|
|
|
|
|
|
RUN apk --no-cache upgrade \
|
|
|
|
&& apk --no-cache add ca-certificates wget openssl \
|
|
|
|
&& update-ca-certificates
|
|
|
|
|
|
|
|
ARG UID=101
|
|
|
|
ARG GID=101
|
|
|
|
|
|
|
|
RUN set -x \
|
|
|
|
# create nginx user/group first, to be consistent throughout docker variants
|
|
|
|
&& addgroup -g $GID -S nginx || true \
|
|
|
|
&& adduser -S -D -H -u $UID -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx || true \
|
|
|
|
&& apkArch="$(cat /etc/apk/arch)" \
|
|
|
|
&& nginxPackages=" \
|
|
|
|
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
|
|
|
|
nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
|
|
|
|
nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
|
|
|
|
nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
|
|
|
|
nginx-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \
|
|
|
|
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
|
|
|
|
" \
|
|
|
|
# install prerequisites for public key and pkg-oss checks
|
|
|
|
&& apk add --no-cache --virtual .checksum-deps \
|
|
|
|
openssl \
|
|
|
|
&& case "$apkArch" in \
|
|
|
|
x86_64|aarch64) \
|
|
|
|
# arches officially built by upstream
|
|
|
|
set -x \
|
|
|
|
&& KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
|
|
|
|
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
|
|
|
|
&& if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
|
|
|
|
echo "key verification succeeded!"; \
|
|
|
|
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
|
|
|
|
else \
|
|
|
|
echo "key verification failed!"; \
|
|
|
|
exit 1; \
|
|
|
|
fi \
|
|
|
|
&& apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
|
|
|
|
;; \
|
|
|
|
*) \
|
|
|
|
# we're on an architecture upstream doesn't officially build for
|
|
|
|
# let's build binaries from the published packaging sources
|
|
|
|
set -x \
|
|
|
|
&& tempDir="$(mktemp -d)" \
|
|
|
|
&& chown nobody:nobody $tempDir \
|
|
|
|
&& apk add --no-cache --virtual .build-deps \
|
|
|
|
gcc \
|
|
|
|
libc-dev \
|
|
|
|
make \
|
|
|
|
openssl-dev \
|
|
|
|
pcre-dev \
|
|
|
|
zlib-dev \
|
|
|
|
linux-headers \
|
|
|
|
libxslt-dev \
|
|
|
|
gd-dev \
|
|
|
|
geoip-dev \
|
|
|
|
perl-dev \
|
|
|
|
libedit-dev \
|
|
|
|
bash \
|
|
|
|
alpine-sdk \
|
|
|
|
findutils \
|
|
|
|
&& su nobody -s /bin/sh -c " \
|
|
|
|
export HOME=${tempDir} \
|
|
|
|
&& cd ${tempDir} \
|
|
|
|
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
|
|
|
|
&& PKGOSSCHECKSUM=\"f917c27702aa89cda46878fc80d446839c592c43ce7f251b3f4ced60c7033d34496a92d283927225d458cbc4f2f89499e7fb16344923317cd7725ad722eaf93e *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
|
|
|
|
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
|
|
|
|
echo \"pkg-oss tarball checksum verification succeeded!\"; \
|
|
|
|
else \
|
|
|
|
echo \"pkg-oss tarball checksum verification failed!\"; \
|
|
|
|
exit 1; \
|
|
|
|
fi \
|
|
|
|
&& tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
|
|
|
|
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
|
|
|
|
&& cd alpine \
|
|
|
|
&& make all \
|
|
|
|
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
|
|
|
|
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
|
|
|
|
" \
|
|
|
|
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
|
|
|
|
&& apk del .build-deps \
|
|
|
|
&& apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \
|
|
|
|
;; \
|
|
|
|
esac \
|
|
|
|
# remove checksum deps
|
|
|
|
&& apk del .checksum-deps \
|
|
|
|
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
|
|
|
|
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
|
|
|
|
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
|
|
|
|
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
|
|
|
|
# Bring in gettext so we can get `envsubst`, then throw
|
|
|
|
# the rest away. To do this, we need to install `gettext`
|
|
|
|
# then move `envsubst` out of the way so `gettext` can
|
|
|
|
# be deleted completely, then move `envsubst` back.
|
|
|
|
&& apk add --no-cache --virtual .gettext gettext \
|
|
|
|
&& mv /usr/bin/envsubst /tmp/ \
|
|
|
|
\
|
|
|
|
&& runDeps="$( \
|
|
|
|
scanelf --needed --nobanner /tmp/envsubst \
|
|
|
|
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
|
|
|
|
| sort -u \
|
|
|
|
| xargs -r apk info --installed \
|
|
|
|
| sort -u \
|
|
|
|
)" \
|
|
|
|
&& apk add --no-cache $runDeps \
|
|
|
|
&& apk del .gettext \
|
|
|
|
&& mv /tmp/envsubst /usr/local/bin/ \
|
|
|
|
# Bring in tzdata so users could set the timezones through the environment
|
|
|
|
# variables
|
|
|
|
&& apk add --no-cache tzdata \
|
|
|
|
# Bring in curl and ca-certificates to make registering on DNS SD easier
|
|
|
|
&& apk add --no-cache curl ca-certificates \
|
|
|
|
# forward request and error logs to docker log collector
|
|
|
|
&& ln -sf /dev/stdout /var/log/nginx/access.log \
|
|
|
|
&& ln -sf /dev/stderr /var/log/nginx/error.log \
|
|
|
|
# create a docker-entrypoint.d directory
|
|
|
|
&& mkdir /docker-entrypoint.d
|
|
|
|
|
|
|
|
# implement changes required to run NGINX as an unprivileged user
|
|
|
|
RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \
|
|
|
|
&& sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
|
|
|
|
&& sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
|
|
|
|
&& sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
|
|
|
|
# nginx user must own the cache and etc directory to write cache and tweak the nginx config
|
|
|
|
&& chown -R $UID:0 /var/cache/nginx \
|
|
|
|
&& chmod -R g+w /var/cache/nginx \
|
|
|
|
&& chown -R $UID:0 /etc/nginx \
|
|
|
|
&& chmod -R g+w /etc/nginx
|
|
|
|
|
2022-01-10 14:12:47 +00:00
|
|
|
USER $UID
|
|
|
|
|
2022-01-10 14:25:06 +00:00
|
|
|
COPY docker-entrypoint.sh /
|
|
|
|
COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
|
|
|
|
COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
|
|
|
|
COPY 30-tune-worker-processes.sh /docker-entrypoint.d
|
2022-01-10 13:55:32 +00:00
|
|
|
ENTRYPOINT ["/docker-entrypoint.sh"]
|
|
|
|
|
|
|
|
EXPOSE 8080
|
|
|
|
|
|
|
|
STOPSIGNAL SIGQUIT
|
|
|
|
|
|
|
|
CMD ["nginx", "-g", "daemon off;"]
|