diff --git a/Dockerfile.buildkit.plus b/Dockerfile.buildkit.plus
index 10643ef6..acbb7a53 100644
--- a/Dockerfile.buildkit.plus
+++ b/Dockerfile.buildkit.plus
@@ -1,67 +1,87 @@ -FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 +ARG RELEASE=bookworm +FROM debian:${RELEASE}-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 -ENV NGINX_PLUS_VERSION 30-2 -ENV NGINX_VERSION 1.25.1 -ENV NJS_VERSION 30+0.8.0-1 -ENV XSLT_VERSION 30-1 +# Persist RELEASE argument +ARG RELEASE -ENV PROXY_CACHE_MAX_SIZE "10g" -ENV PROXY_CACHE_INACTIVE "60m" -ENV PROXY_CACHE_SLICE_SIZE "1m" -ENV PROXY_CACHE_VALID_OK "1h" -ENV PROXY_CACHE_VALID_NOTFOUND "1m" -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" -ENV CORS_ENABLED 0 -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" -ENV DIRECTORY_LISTING_PATH_PREFIX "" -ENV STRIP_LEADING_DIRECTORY_PATH "" -ENV PREFIX_LEADING_DIRECTORY_PATH "" +# NJS env vars +ENV NGINX_VERSION=32 +ENV NGINX_PKG_RELEASE=1~${RELEASE} +ENV NJS_VERSION=0.8.4 +ENV NJS_PKG_RELEASE=1~${RELEASE} -COPY plus/usr /usr +# Proxy cache env vars +ENV PROXY_CACHE_MAX_SIZE=10g +ENV PROXY_CACHE_INACTIVE=60m +ENV PROXY_CACHE_SLICE_SIZE=1m +ENV PROXY_CACHE_VALID_OK=1h +ENV PROXY_CACHE_VALID_NOTFOUND=1m +ENV PROXY_CACHE_VALID_FORBIDDEN=30s -# Copy files from the OSS NGINX Docker container such that the container -# startup is the same. 
-# Source: https://github.com/nginxinc/docker-nginx/tree/1.19.2/stable/buster -COPY common/docker-entrypoint.sh /docker-entrypoint.sh -COPY common/docker-entrypoint.d /docker-entrypoint.d/ -COPY plus/docker-entrypoint.d /docker-entrypoint.d/ -# Add NGINX Plus package repository keyring -COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg +# CORS env vars +ENV CORS_ENABLED=0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" -RUN --mount=type=secret,id=nginx-crt --mount=type=secret,id=nginx-key \ - set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - mkdir -p /etc/ssl/nginx; \ - cp /run/secrets/nginx-crt /etc/ssl/nginx/nginx-repo.crt; \ - chmod 0664 /etc/ssl/nginx/nginx-repo.crt; \ - cp /run/secrets/nginx-key /etc/ssl/nginx/nginx-repo.key; \ - chmod 0664 /etc/ssl/nginx/nginx-repo.key; \ - # create nginx user/group first, to be consistent throughout docker variants - addgroup --system --gid 101 nginx; \ - adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \ - apt-get -qq update; \ - apt-get -qq upgrade --yes; \ - apt-get -qq install --yes \ - ca-certificates \ - curl \ - libedit2; \ - sh -a /usr/local/bin/add_nginx_plus_repo.sh; \ - rm /usr/local/bin/add_nginx_plus_repo.sh; \ - apt-get -qq update; \ - export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \ - apt-get -qq install --no-install-recommends --no-install-suggests -y \ - nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \ - gettext-base; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/* /etc/ssl/nginx; \ - # forward request and error logs to docker log collector - ln -sf /dev/stdout 
/var/log/nginx/access.log; \ - ln -sf /dev/stderr /var/log/nginx/error.log; \ - chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh +# S3 proxy env vars +ENV DIRECTORY_LISTING_PATH_PREFIX="" +ENV STRIP_LEADING_DIRECTORY_PATH="" +ENV PREFIX_LEADING_DIRECTORY_PATH="" -ENTRYPOINT ["/docker-entrypoint.sh"] +# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by: +# 1. Explicitly installing the version of njs coded in the environment variable above. +# 2. Adding configuration files needed for proxying private S3 buckets. +# 3. Adding a directory for proxied objects to be stored. +# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers. + +# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context +RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ + --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ + set -x \ +# Create nginx user/group first, to be consistent throughout Docker variants + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ + && \ + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + export GNUPGHOME="$(mktemp -d)"; \ + found=''; \ + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys 
"$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ + done; \ + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + rm -rf "$GNUPGHOME"; \ + apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ +# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) + && nginxPackages=" \ + nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ + nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + " \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && mkdir -p /etc/ssl/nginx \ + && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ + && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ + && apt-get remove --purge -y lsb-release \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ + && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ +# Forward request logs to Docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log EXPOSE 80 
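Review bot: `found=''` is set once before the outer `for NGINX_GPGKEY in $NGINX_GPGKEYS` loop and never reset, so once the first fingerprint has been fetched the `test -z "$found"` check can no longer fail, and a key that neither keyserver returns goes unreported. Resetting it as the first statement inside the outer loop (`for NGINX_GPGKEY in $NGINX_GPGKEYS; do found=''; \`) restores the per-key check. The export line passes all three fingerprints as one quoted argument, `gpg1 --export "$NGINX_GPGKEYS"`, which gpg1 may read as a single key specification; `gpg1 --export $NGINX_GPGKEYS` passes them separately, and a `test -s "$NGINX_GPGKEY_PATH"` afterwards would catch an empty keyring. This part of the chain is joined with `;` and the RUN uses `set -x` without `-e`, so a failed export does not stop the build at that point. The same loop is added in Dockerfile.plus.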
@@ -69,15 +89,17 @@ STOPSIGNAL SIGTERM CMD ["nginx", "-g", "daemon off;"] -# NGINX Docker image setup complete, everything below is specific for -# the S3 Gateway use case. - +# Copy files from the OSS NGINX Docker container such that the container +# startup is the same. COPY plus/etc/nginx /etc/nginx COPY common/etc /etc -COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh +COPY common/docker-entrypoint.sh /docker-entrypoint.sh +COPY common/docker-entrypoint.d /docker-entrypoint.d/ +COPY plus/docker-entrypoint.d /docker-entrypoint.d/ + +RUN set -x \ + && mkdir -p /var/cache/nginx/s3_proxy \ + && chown nginx:nginx /var/cache/nginx/s3_proxy \ + && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; -RUN set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - mkdir -p /var/cache/nginx/s3_proxy; \ - chown nginx:nginx /var/cache/nginx/s3_proxy; \ - chmod -R +x /docker-entrypoint.d/* +ENTRYPOINT ["/docker-entrypoint.sh"] diff --git a/Dockerfile.oss b/Dockerfile.oss index d6236077..8e5889ce 100644 --- a/Dockerfile.oss +++ b/Dockerfile.oss 
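Review bot: The final `chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh` replaces the removed `chmod -R +x /docker-entrypoint.d/*`, so anything copied into `/docker-entrypoint.d/` without a `.sh` suffix now keeps whatever mode it has in the build context; if the entrypoint relies on such files being executable (not visible in this hunk), the bit has to be set in the repository. `-R` has no effect on plain files, and the trailing `;` after the chmod can be dropped. The comment "Copy files from the OSS NGINX Docker container such that the container startup is the same." now sits directly above `COPY plus/etc/nginx /etc/nginx`; a comment such as `# S3 gateway configuration and entrypoint scripts` would describe the group more accurately. The identical second hunk of Dockerfile.plus has the same points.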
@@ -1,63 +1,46 @@ FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df # NJS env vars -ENV NJS_VERSION 0.8.4 -ENV NJS_RELEASE 2~bookworm +ENV NJS_VERSION=0.8.4 +ENV NJS_RELEASE=2~bookworm # Proxy cache env vars -ENV PROXY_CACHE_MAX_SIZE "10g" -ENV PROXY_CACHE_INACTIVE "60m" -ENV PROXY_CACHE_SLICE_SIZE "1m" -ENV PROXY_CACHE_VALID_OK "1h" -ENV PROXY_CACHE_VALID_NOTFOUND "1m" -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" +ENV PROXY_CACHE_MAX_SIZE=10g +ENV PROXY_CACHE_INACTIVE=60m +ENV PROXY_CACHE_SLICE_SIZE=1m +ENV PROXY_CACHE_VALID_OK=1h +ENV PROXY_CACHE_VALID_NOTFOUND=1m +ENV PROXY_CACHE_VALID_FORBIDDEN=30s # CORS env vars -ENV CORS_ENABLED 0 -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" +ENV CORS_ENABLED=0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" # S3 proxy env vars -ENV DIRECTORY_LISTING_PATH_PREFIX "" -ENV STRIP_LEADING_DIRECTORY_PATH "" -ENV PREFIX_LEADING_DIRECTORY_PATH "" - -# We modify the nginx base image by: -# 1. Explicitly install the version of njs coded in the environment variable above. -# 2. Adding configuration files needed for proxying private S3 buckets -# 3. Adding a directory for proxied objects to be stored +ENV DIRECTORY_LISTING_PATH_PREFIX="" +ENV STRIP_LEADING_DIRECTORY_PATH="" +ENV PREFIX_LEADING_DIRECTORY_PATH="" + +# We modify the NGINX base image by: +# 1. Explicitly installing the version of njs coded in the environment variable above. +# 2. Adding configuration files needed for proxying private S3 buckets. +# 3. Adding a directory for proxied objects to be stored. # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers. 
RUN set -x \ - && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ - && \ - NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ - NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ - export GNUPGHOME="$(mktemp -d)"; \ - found=''; \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ - gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ - rm -rf "$GNUPGHOME"; \ - apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \ - echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \ + && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \ apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y \ libedit2 \ nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list -COPY common/etc /etc COPY oss/etc /etc +COPY common/etc /etc COPY common/docker-entrypoint.sh /docker-entrypoint.sh COPY common/docker-entrypoint.d /docker-entrypoint.d/ -RUN mkdir -p /var/cache/nginx/s3_proxy \ +RUN set -x \ + && mkdir -p /var/cache/nginx/s3_proxy \ && chown nginx:nginx /var/cache/nginx/s3_proxy \ && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; diff --git a/Dockerfile.plus b/Dockerfile.plus index 9892b056..76d779da 100644 --- a/Dockerfile.plus 
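Review bot: With the key download removed, the `signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg` entry depends entirely on the keyring shipped in the pinned `nginx:1.27.0` base image, and nothing in the RUN states or checks that. A comment above the RUN such as `# The keyring, NGINX_VERSION and PKG_RELEASE are provided by the base image`, plus `&& test -s /etc/apt/keyrings/nginx-archive-keyring.gpg \` before the `echo`, would make a base-image change fail at an obvious place (presumably apt would otherwise reject the repository at `apt-get update`). The `echo … >> /etc/apt/sources.list.d/nginx.list;` line still ends in `;` while the rest of the chain uses `&&`, so a failed write would not stop the build; ending it with `\` and starting the next line with `&& apt-get update` keeps the chain consistent.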
+++ b/Dockerfile.plus 
@@ -1,61 +1,84 @@ -FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 +ARG RELEASE=bookworm +FROM debian:${RELEASE}-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 -ENV NGINX_PLUS_VERSION 30-2 -ENV NGINX_VERSION 1.25.1 -ENV NJS_VERSION 30+0.8.0-1 -ENV XSLT_VERSION 30-1 +# Persist RELEASE argument +ARG RELEASE -ENV PROXY_CACHE_MAX_SIZE "10g" -ENV PROXY_CACHE_INACTIVE "60m" -ENV PROXY_CACHE_SLICE_SIZE "1m" -ENV PROXY_CACHE_VALID_OK "1h" -ENV PROXY_CACHE_VALID_NOTFOUND "1m" -ENV PROXY_CACHE_VALID_FORBIDDEN "30s" -ENV CORS_ENABLED 0 -ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" -ENV DIRECTORY_LISTING_PATH_PREFIX "" -ENV STRIP_LEADING_DIRECTORY_PATH "" -ENV PREFIX_LEADING_DIRECTORY_PATH "" +# NJS env vars +ENV NGINX_VERSION=32 +ENV NGINX_PKG_RELEASE=1~${RELEASE} +ENV NJS_VERSION=0.8.4 +ENV NJS_PKG_RELEASE=1~${RELEASE} -COPY plus/etc/ssl /etc/ssl -COPY plus/usr /usr +# Proxy cache env vars +ENV PROXY_CACHE_MAX_SIZE=10g +ENV PROXY_CACHE_INACTIVE=60m +ENV PROXY_CACHE_SLICE_SIZE=1m +ENV PROXY_CACHE_VALID_OK=1h +ENV PROXY_CACHE_VALID_NOTFOUND=1m +ENV PROXY_CACHE_VALID_FORBIDDEN=30s -# Copy files from the OSS NGINX Docker container such that the container -# startup is the same. 
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh -COPY common/docker-entrypoint.d /docker-entrypoint.d/ -COPY plus/docker-entrypoint.d /docker-entrypoint.d/ -# Add NGINX Plus package repository keyring -COPY plus/usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg +# CORS env vars +ENV CORS_ENABLED=0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS="" -RUN set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - # create nginx user/group first, to be consistent throughout docker variants - addgroup --system --gid 101 nginx; \ - adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx; \ - apt-get -qq update; \ - apt-get -qq upgrade --yes; \ - apt-get -qq install --yes \ - ca-certificates \ - curl \ - libedit2; \ - sh -a /usr/local/bin/add_nginx_plus_repo.sh; \ - rm /usr/local/bin/add_nginx_plus_repo.sh; \ - apt-get -qq update; \ - export DISTRO_VERSION="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" && \ - apt-get -qq install --yes --no-install-recommends --no-install-suggests \ - nginx-plus=${NGINX_PLUS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-njs=${NJS_VERSION}~${DISTRO_VERSION} \ - nginx-plus-module-xslt=${XSLT_VERSION}~${DISTRO_VERSION} \ - gettext-base; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - rm -rf /etc/apt/sources.list.d/nginx-plus.list /var/lib/apt/lists/* /var/tmp/* /tmp/*; \ - # forward request and error logs to docker log collector - ln -sf /dev/stdout /var/log/nginx/access.log; \ - ln -sf /dev/stderr /var/log/nginx/error.log; \ - chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh +# S3 proxy env vars +ENV DIRECTORY_LISTING_PATH_PREFIX="" +ENV STRIP_LEADING_DIRECTORY_PATH="" +ENV PREFIX_LEADING_DIRECTORY_PATH="" -ENTRYPOINT ["/docker-entrypoint.sh"] +# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles 
(https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by: +# 1. Explicitly installing the version of njs coded in the environment variable above. +# 2. Adding configuration files needed for proxying private S3 buckets. +# 3. Adding a directory for proxied objects to be stored. +# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers. + +# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context +COPY plus/etc/ssl /etc/ssl + +RUN set -x \ +# Create nginx user/group first, to be consistent throughout Docker variants + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ + && \ + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + export GNUPGHOME="$(mktemp -d)"; \ + found=''; \ + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ + done; \ + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + rm -rf "$GNUPGHOME"; \ + apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ +# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) + && nginxPackages=" \ + 
nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ + nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ + " \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ + && apt-get remove --purge -y lsb-release \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ + && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ +# Forward request logs to Docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log EXPOSE 80 
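Review bot: `COPY plus/etc/ssl /etc/ssl` writes the repository certificate and private key into their own image layer, so the `rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx` at the end of the following RUN hides them from the final filesystem but leaves them in the earlier layer for anyone who can pull the image. Dockerfile.buildkit.plus in this commit avoids that with `RUN --mount=type=secret,id=nginx-crt,…`; using the same mounts here, or at minimum adding a comment next to the COPY such as `# The license cert/key remain in this layer: do not push this image to a shared registry`, would make the exposure explicit. The COPY also takes the whole `plus/etc/ssl` tree rather than only the two files the RUN reads.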
@@ -63,15 +86,17 @@ STOPSIGNAL SIGTERM CMD ["nginx", "-g", "daemon off;"] -# NGINX Docker image setup complete, everything below is specific for -# the S3 Gateway use case. - +# Copy files from the OSS NGINX Docker container such that the container +# startup is the same. COPY plus/etc/nginx /etc/nginx COPY common/etc /etc -COPY common/docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/00-check-for-required-env.sh +COPY common/docker-entrypoint.sh /docker-entrypoint.sh +COPY common/docker-entrypoint.d /docker-entrypoint.d/ +COPY plus/docker-entrypoint.d /docker-entrypoint.d/ -RUN set -eux \ - export DEBIAN_FRONTEND=noninteractive; \ - mkdir -p /var/cache/nginx/s3_proxy; \ - chown nginx:nginx /var/cache/nginx/s3_proxy; \ - chmod -R +x /docker-entrypoint.d/* +RUN set -x \ + && mkdir -p /var/cache/nginx/s3_proxy \ + && chown nginx:nginx /var/cache/nginx/s3_proxy \ + && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; + +ENTRYPOINT ["/docker-entrypoint.sh"] diff --git a/plus/usr/local/bin/add_nginx_plus_repo.sh b/plus/usr/local/bin/add_nginx_plus_repo.sh deleted file mode 100644 index 6b24bd56..00000000 --- a/plus/usr/local/bin/add_nginx_plus_repo.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/usr/bin/env sh - -# -# Copyright 2020 F5 Networks -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -if [ ! -f "/etc/ssl/nginx/nginx-repo.crt" ]; then - >&2 echo "NGINX Plus repository certificate file not found at path: /etc/ssl/nginx/nginx-repo.crt" - exit 1 -fi - -if [ ! -f "/etc/ssl/nginx/nginx-repo.key" ]; then - >&2 echo "NGINX Plus repository key file not found at path: /etc/ssl/nginx/nginx-repo.key" - exit 1 -fi - -version_codename="$(grep '^VERSION_CODENAME=' /etc/os-release | awk -v FS='=' '{print $2}')" - -echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" >> /etc/apt/apt.conf.d/90nginx -echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx -echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx -echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx -echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian ${version_codename} nginx-plus" >> /etc/apt/sources.list.d/nginx-plus.list diff --git a/plus/usr/share/keyrings/.gitattributes b/plus/usr/share/keyrings/.gitattributes deleted file mode 100644 index b69c02c2..00000000 --- a/plus/usr/share/keyrings/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -*.gpg binary 
diff --git a/plus/usr/share/keyrings/nginx-archive-keyring.gpg b/plus/usr/share/keyrings/nginx-archive-keyring.gpg
deleted file mode 100644
index 82b5bff0..00000000
Binary files a/plus/usr/share/keyrings/nginx-archive-keyring.gpg and /dev/null differ