From ab3ecd598d4e397061929b64952c27db4187bfd2 Mon Sep 17 00:00:00 2001 From: Muhamad Aditya Prima Date: Mon, 16 Dec 2024 00:49:08 +0700 Subject: [PATCH] Added support for almalinux base, removing ubi9 --- .gitea/workflows/almalinux.yaml | 73 ++++++++++++++++++++++++++ .gitea/workflows/alpine.yaml | 10 ++-- Dockerfile.almalinux | 72 +++++++++++++++++++++++++ Dockerfile.alpine | 4 +- Dockerfile.ubi9 | 37 ------------- Dockerfile.ubi9-micro | 49 ----------------- etc/alpine/conf.d/default.conf | 23 -------- etc/alpine/fastcgi_params | 24 --------- etc/alpine/nginx.conf | 93 --------------------------------- etc/alpine/proxy_params | 4 -- etc/alpine/ssl_params | 22 -------- etc/ubi9/conf.d/default.conf | 23 -------- etc/ubi9/nginx.conf | 70 ------------------------- etc/ubi9/proxy_params | 4 -- etc/ubi9/ssl_params | 22 -------- 15 files changed, 149 insertions(+), 381 deletions(-) create mode 100644 .gitea/workflows/almalinux.yaml create mode 100644 Dockerfile.almalinux delete mode 100644 Dockerfile.ubi9 delete mode 100644 Dockerfile.ubi9-micro delete mode 100644 etc/alpine/conf.d/default.conf delete mode 100644 etc/alpine/fastcgi_params delete mode 100644 etc/alpine/nginx.conf delete mode 100644 etc/alpine/proxy_params delete mode 100644 etc/alpine/ssl_params delete mode 100644 etc/ubi9/conf.d/default.conf delete mode 100644 etc/ubi9/nginx.conf delete mode 100644 etc/ubi9/proxy_params delete mode 100644 etc/ubi9/ssl_params diff --git a/.gitea/workflows/almalinux.yaml b/.gitea/workflows/almalinux.yaml new file mode 100644 index 0000000..19f1813 --- /dev/null +++ b/.gitea/workflows/almalinux.yaml 
@@ -0,0 +1,73 @@
+name: Build and push Nginx on almalinux based container images
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ build:
+ name: Build nginx container images
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ version: ["1.22", "1.24"]
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Login to docker.io
+ uses: docker/login-action@v3
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # - name: Set up QEMU
+ # uses: docker/setup-qemu-action@v3
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push nginx on almalinux base
+ uses: docker/build-push-action@v5
+ with:
+ # platforms: linux/amd64,linux/arm64
+ push: true
+ context: .
+ file: Dockerfile.almalinux
+ build-args: |
+ NGINX_VERSION=${{ matrix.version }}
+ tags: |
+ ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version }}-almalinux
+ - name: Scan container image with Trivy
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-almalinux'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ build-latest:
+ name: Build latest nginx almalinux based container images
+ runs-on: ubuntu-latest
+ needs:
+ - build
+ container:
+ image: ghcr.io/catthehacker/ubuntu:act-latest
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Login to docker.io
+ uses: docker/login-action@v3
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # - name: Set up QEMU
+ # uses: docker/setup-qemu-action@v3
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push latest nginx
+ uses: docker/build-push-action@v5
+ with:
+ # platforms: linux/amd64,linux/arm64
+ push: true
+ context: .
+ file: Dockerfile.almalinux
+ tags: |
+ ${{ vars.DOCKERHUB_USERNAME }}/nginx:almalinux
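Review bot: The Trivy step's `image-ref` uses `${{ matrix.version.nginx }}`, but this workflow's matrix is a plain list (`version: ["1.22", "1.24"]`), so the expression expands to empty and the scan targets `…/nginx:-almalinux`, which is not the image that was just built; it should read `image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version }}-almalinux'`, matching the `tags:` line above it. Even once fixed, the scan runs after `push: true`, writes a SARIF file that no later step uploads, and sets no `exit-code`/`severity`, so findings can neither block publication nor be seen; scanning the locally loaded image before the push step, or at least failing on high/critical findings, would make the step meaningful. The `build-latest` job re-runs the same Dockerfile with its default `NGINX_VERSION` and pushes the floating `:almalinux` tag with no scan at all. The third-party actions are referenced by mutable tags (`@v5`, `@0.20.0`); pinning them to a commit SHA is the usual hardening for a workflow that holds registry credentials.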
diff --git a/.gitea/workflows/alpine.yaml b/.gitea/workflows/alpine.yaml index a84b27c..5809127 100644 --- a/.gitea/workflows/alpine.yaml +++ b/.gitea/workflows/alpine.yaml @@ -15,14 +15,11 @@ jobs: matrix: version: - alpine: "3.17" - nginx: "1.22.1" - nginx_short: "1.22" + nginx: "1.22" - alpine: "3.19" - nginx: "1.24.0" - nginx_short: "1.24" + nginx: "1.24" - alpine: "3.21" - nginx: "1.26.2" - nginx_short: "1.26" + nginx: "1.26" steps: - name: Check out repository code uses: actions/checkout@v4 @@ -47,7 +44,6 @@ jobs: NGINX_VERSION=${{ matrix.version.nginx }} tags: | ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-alpine - ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx_short }}-alpine - name: Scan container image with Trivy uses: aquasecurity/trivy-action@0.20.0 with: diff --git a/Dockerfile.almalinux b/Dockerfile.almalinux new file mode 100644 index 0000000..bb6ac16 --- /dev/null +++ b/Dockerfile.almalinux 
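Review bot: The first hunk replaces patch-level pins (`1.22.1`, `1.24.0`, `1.26.2`) with minor versions, so the `NGINX_VERSION` build-arg passed to `Dockerfile.alpine` no longer identifies an exact release; whether the Dockerfile still installs a pinned package or now floats to whatever the Alpine repository carries cannot be seen from this hunk. If floating within a minor is intended, a comment on the matrix such as `# nginx minor only; the patch release comes from the pinned Alpine release` would record the decision, otherwise keep the patch version in a separate key for the build-arg and derive the tag from the minor. The `alpine:` key remains in each entry, so the pairing of nginx minor with Alpine release stays explicit. The enclosing `jobs.build.strategy` block starts before the hunk.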
@@ -0,0 +1,72 @@
+ARG ALMALINUX_VERSION=9.5
+
+FROM aprimediet/almalinux:${ALMALINUX_VERSION} AS builder
+
+ARG NGINX_VERSION=1.24
+
+RUN mkdir -p /mnt/rootfs; \
+ dnf install --installroot /mnt/rootfs \
+ coreutils-single \
+ glibc-minimal-langpack \
+ --releasever 9 --setopt install_weak_deps=false --nodocs -y; \
+ dnf module reset nginx ; \
+ dnf module enable nginx:${NGINX_VERSION} ; \
+ dnf install --installroot /mnt/rootfs \
+ nginx \
+ --releasever 9 --setopt install_weak_deps=false --nodocs -y; \
+ dnf --installroot /mnt/rootfs clean all;
+
+FROM aprimediet/almalinux:${ALMALINUX_VERSION}-micro AS stage2
+
+ENV DIR_DEPS="/var/run/nginx /var/log/nginx /var/lib/nginx/tmp /var/cache/nginx"
+
+ADD htdocs /app/htdocs
+ADD scripts/entrypoint.sh /usr/local/bin/
+
+RUN echo "nginx:x:10001:" >> /etc/group ; \
+ echo "nginx:x:10001:10001:nginx:/app/htdocs:/sbin/nologin" >> /etc/passwd ; \
+ echo "nginx:!!:20070::::::" >> /etc/shadow ; \
+ mkdir -p ${DIR_DEPS} ; \
+ chown -R nginx:nginx ${DIR_DEPS} ; \
+ chmod +x /usr/local/bin/entrypoint.sh
+
+COPY --from=builder \
+ /usr/lib64/libc* \
+ /usr/lib64/libcrypt* \
+ /usr/lib64/libcrypto* \
+ /usr/lib64/libpcre* \
+ /usr/lib64/libssl* \
+ /usr/lib64/libz* \
+ /usr/lib64/
+
+COPY --from=builder /mnt/rootfs/etc/nginx /etc/nginx
+COPY --from=builder /mnt/rootfs/usr/lib64/nginx /usr/lib64/nginx
+COPY --from=builder /mnt/rootfs/usr/sbin/nginx /usr/sbin/nginx
+
+ADD etc/nginx /etc/nginx
+
+FROM scratch
+
+ARG NGINX_VERSION=1.24
+ENV NGINX_VERSION=${NGINX_VERSION}
+
+LABEL maintainer="Muhamad Aditya Prima "
+LABEL name="nginx"
+LABEL version="${NGINX_VERSION}"
+LABEL distribution-scope="public"
+
+#labels for container catalog
+LABEL summary="Nginx ${NGINX_VERSION} on almalinux based container image"
+LABEL description="Provide nginx on almalinux based container base image"
+LABEL io.k8s.description="Very small almalinux container image"
+LABEL io.k8s.display-name="Nginx ${NGINX_VERSION}"
+
+COPY --from=stage2 / /
+
+USER nginx
+
+EXPOSE 80 + +STOPSIGNAL SIGQUIT + +ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] \ No newline at end of file diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 107ad40..b7eb3d9 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -29,7 +29,7 @@ RUN /bin/chmod +x /usr/local/bin/entrypoint.sh; \ FROM scratch -ARG NGINX_VERSION=1.26.2 +ARG NGINX_VERSION=1.26 ENV NGINX_VERSION=${NGINX_VERSION} @@ -54,6 +54,4 @@ EXPOSE 80 STOPSIGNAL SIGQUIT -# ENTRYPOINT ["/bin/sh"] - ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] \ No newline at end of file diff --git a/Dockerfile.ubi9 b/Dockerfile.ubi9 deleted file mode 100644 index db3fd91..0000000 --- a/Dockerfile.ubi9 +++ /dev/null @@ -1,37 +0,0 @@ -ARG REGISTRY_URL=docker.io/aprimediet -ARG UBI_VERSION=9.5 - -FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION} AS builder -LABEL maintainer=" aprimediet@gmail.com" - -ARG NGINX_VERSION=1.24 - -USER root - -# Add group and user nginx -RUN groupadd -g 10001 nginx && \ - useradd -u 10001 -g 10001 -m -d /app -s /sbin/nologin nginx && \ - mkdir -p /var/run/nginx && \ - chown nginx:nginx /var/run/nginx - -# Update packages, configure nginx version -# and install nginx -RUN dnf -y update && \ - dnf -y module reset nginx && \ - dnf -y module enable nginx:${NGINX_VERSION} && \ - dnf -y install nginx && \ - dnf -y autoremove && \ - dnf -y clean all - -# Copy Nginx default config files -ADD ./etc/ubi9 /etc/nginx -ADD ./app /app -RUN chown -R nginx:nginx /app - -USER nginx - -WORKDIR /app - -EXPOSE 80 - -CMD ["nginx"] \ No newline at end of file diff --git a/Dockerfile.ubi9-micro b/Dockerfile.ubi9-micro deleted file mode 100644 index 31097dd..0000000 --- a/Dockerfile.ubi9-micro +++ /dev/null 
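Review bot: In the builder stage `dnf module reset nginx` and `dnf module enable nginx:${NGINX_VERSION}` act on the builder image's own dnf state, while the install that follows targets `--installroot /mnt/rootfs`; dnf appears to read module state from the installroot's own configuration, so the requested stream may not be the one resolved for the rootfs and the image could silently carry the default nginx stream rather than `${NGINX_VERSION}`. Worth confirming with `nginx -v` in the built image, or giving the two module commands the same `--installroot /mnt/rootfs --releasever 9` as the installs. Relatedly, the shared libraries are copied from the builder image's `/usr/lib64` whereas `/usr/sbin/nginx` and `/usr/lib64/nginx` come from `/mnt/rootfs`, so the binary runs against a library set it was not resolved against and that no `dnf --installroot` update will touch; copying them from `/mnt/rootfs/usr/lib64` keeps binary and libraries from one package transaction, and the broad `libc*` glob would then be easier to narrow to what `ldd /mnt/rootfs/usr/sbin/nginx` lists. `ADD htdocs`, `ADD scripts/entrypoint.sh` and `ADD etc/nginx` copy plain local paths, so `COPY` states the intent more precisely (ADD additionally auto-extracts archives).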
@@ -1,49 +0,0 @@ -ARG REGISTRY_URL=docker.io/aprimediet -ARG UBI_VERSION=9.5 -ARG NGINX_VERSION=1.24 - -FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9 AS builder -LABEL maintainer=" aprimediet@gmail.com" - -FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}-micro AS runtime -LABEL maintainer=" aprimediet@gmail.com" - -USER root - -# Create user and group -RUN echo "nginx:x:10001:" >> /etc/group && \ - echo "nginx:x:10001:10001:nginx:/app:/sbin/nologin" >> /etc/passwd && \ - echo "nginx:!!:20070::::::" >> /etc/shadow - -# Create nginx run and logs directory -RUN mkdir -p /var/run/nginx && \ - mkdir -p /var/log/nginx && \ - chown 10001:10001 /var/run/nginx && \ - chown 10001:10001 /var/log/nginx - -# Copy required libs -COPY --from=builder /usr/lib64/libcrypt* /usr/lib64 -COPY --from=builder /usr/lib64/libssl* /usr/lib64 -COPY --from=builder /usr/lib64/libz* /usr/lib64 - -# Copy nginx required files -COPY --from=builder /etc/nginx /etc/nginx -COPY --from=builder /usr/lib64/nginx /usr/lib64/nginx -COPY --from=builder /usr/libexec/nginx* /usr/libexec/ -COPY --from=builder /usr/sbin/nginx /usr/sbin -COPY --from=builder /usr/share/nginx /usr/share/nginx -COPY --from=builder /var/lib/nginx /var/lib/nginx - -# Copy Nginx default config files -ADD ./etc/ubi9 /etc/nginx -ADD ./app /app - -RUN chown -R 10001:10001 /app - -USER 10001 - -WORKDIR /app - -EXPOSE 80 - -CMD ["nginx"] \ No newline at end of file diff --git a/etc/alpine/conf.d/default.conf b/etc/alpine/conf.d/default.conf deleted file mode 100644 index 91eb4d0..0000000 --- a/etc/alpine/conf.d/default.conf +++ /dev/null @@ -1,23 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name _; - root /app; - index index.html; - - error_log stderr warn; - - location / { - try_files $uri $uri/ index.html; - } - - location ~* .(jpg|jpeg|png|gif|ico|css|js)$ { - expires 30d; - } - - location /nginx-status { - stub_status on; - allow all; - } -} \ No newline at end of file 
diff --git a/etc/alpine/fastcgi_params b/etc/alpine/fastcgi_params deleted file mode 100644 index e5c2f5a..0000000 --- a/etc/alpine/fastcgi_params +++ /dev/null @@ -1,24 +0,0 @@ -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; - -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; -fastcgi_param REQUEST_SCHEME $scheme; -fastcgi_param HTTPS $https if_not_empty; - -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; - -# PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; \ No newline at end of file diff --git a/etc/alpine/nginx.conf b/etc/alpine/nginx.conf deleted file mode 100644 index 71306c0..0000000 --- a/etc/alpine/nginx.conf +++ /dev/null 
@@ -1,93 +0,0 @@ -# /etc/nginx/nginx.conf - -# Do not start as daemon -daemon off; - -worker_processes auto; -worker_rlimit_nofile 100000; - -# Set log to stderr -error_log stderr warn; -pid #NGINX_RUN_DIR#/nginx.pid; - -include /etc/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - server_tokens off; - keepalive_timeout 15; - sendfile on; - tcp_nodelay on; - - log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'; - - # Log access to stdout - access_log /dev/stdout custom_log; - - # SSL - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:2m; - - # buffering causes issues, disable it - # increase buffer size. still useful even when buffering is off - proxy_buffering off; - proxy_buffer_size 4k; - - # Buffer size - client_body_buffer_size 10k; - client_header_buffer_size 1k; - client_max_body_size 8m; - large_client_header_buffers 2 1k; - - # Timeouts - client_body_timeout 12; - client_header_timeout 12; - send_timeout 10; - - # GZip Compression - gzip on; - gzip_http_version 1.0; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 1280; - gzip_buffers 128 4k; - # gzip_proxied expired no-cache no-store private auth; - gzip_proxied any; - gzip_disable "msie6"; - # gzip_types text/plain application/x-javascript text/xml text/css application/xml; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp; - - server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name _; - root #NGINX_ROOT_DIR#; - index index.html; - - error_log stderr warn; - - location / { - try_files $uri $uri/ index.html; - } - - #NGINX_ENABLE_STATIC_CACHE#location ~* .(jpg|jpeg|png|gif|ico|css|js|flv|mp4)$ { - 
#NGINX_ENABLE_STATIC_CACHE# expires 30d; - #NGINX_ENABLE_STATIC_CACHE#} - - #NGINX_ENABLE_STUB#location /nginx-status { - #NGINX_ENABLE_STUB# stub_status on; - #NGINX_ENABLE_STUB# allow all; - #NGINX_ENABLE_STUB#} - } - - include /etc/nginx/conf.d/*.conf; -} \ No newline at end of file diff --git a/etc/alpine/proxy_params b/etc/alpine/proxy_params deleted file mode 100644 index 11c0f2c..0000000 --- a/etc/alpine/proxy_params +++ /dev/null @@ -1,4 +0,0 @@ -proxy_set_header Host $http_host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; \ No newline at end of file diff --git a/etc/alpine/ssl_params b/etc/alpine/ssl_params deleted file mode 100644 index db1efbe..0000000 --- a/etc/alpine/ssl_params +++ /dev/null @@ -1,22 +0,0 @@ -# secure nginx, see https://cipherli.st/ - -ssl_protocols TLSv1.3 -ssl_prefer_server_ciphers off; -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:10m; -ssl_session_tickets off; # Requires nginx >= 1.5.9 -ssl_stapling on; # Requires nginx >= 1.3.7 -ssl_stapling_verify on; # Requires nginx => 1.3.7 -resolver 8.8.8.8 8.8.4.4 valid=300s; -resolver_timeout 5s; - -# https://hstspreload.org -add_header Strict-Transport-Security "max-age=63072000" always; -# By default, HSTS header is not added to subdomain requests. If you have subdomains and want -# HSTS to apply to all of them, you should add the includeSubDomains variable like this: -#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - -add_header X-Frame-Options DENY; -add_header X-Content-Type-Options nosniff; -add_header X-XSS-Protection "1; mode=block"; -add_header X-Robots-Tag none; \ No newline at end of file diff --git a/etc/ubi9/conf.d/default.conf b/etc/ubi9/conf.d/default.conf deleted file mode 100644 index 91eb4d0..0000000 --- a/etc/ubi9/conf.d/default.conf +++ /dev/null 
@@ -1,23 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name _; - root /app; - index index.html; - - error_log stderr warn; - - location / { - try_files $uri $uri/ index.html; - } - - location ~* .(jpg|jpeg|png|gif|ico|css|js)$ { - expires 30d; - } - - location /nginx-status { - stub_status on; - allow all; - } -} \ No newline at end of file diff --git a/etc/ubi9/nginx.conf b/etc/ubi9/nginx.conf deleted file mode 100644 index eee3d39..0000000 --- a/etc/ubi9/nginx.conf +++ /dev/null 
@@ -1,70 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -# Do not start as daemon -daemon off; -worker_rlimit_nofile 100000; - -worker_processes auto; -error_log stderr warn; -pid /var/run/nginx/nginx.pid; - -# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_tokens off; - keepalive_timeout 15; - sendfile on; - tcp_nodelay on; - - log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'; - - # Log access to stdout - access_log /dev/stdout custom_log; - - # SSL - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:2m; - - - # buffering causes issues, disable it - # increase buffer size. still useful even when buffering is off - proxy_buffering off; - proxy_buffer_size 4k; - - # Buffer size - client_body_buffer_size 10k; - client_header_buffer_size 1k; - client_max_body_size 8m; - large_client_header_buffers 2 1k; - - # Timeouts - client_body_timeout 12; - client_header_timeout 12; - send_timeout 10; - - # GZip Compression - gzip on; - gzip_http_version 1.0; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 1280; - gzip_buffers 128 4k; - # gzip_proxied expired no-cache no-store private auth; - gzip_proxied any; - gzip_disable "msie6"; - # gzip_types text/plain application/x-javascript text/xml text/css application/xml; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp; - - include /etc/nginx/conf.d/*.conf; -} \ No newline at end of file 
diff --git a/etc/ubi9/proxy_params b/etc/ubi9/proxy_params deleted file mode 100644 index 11c0f2c..0000000 --- a/etc/ubi9/proxy_params +++ /dev/null @@ -1,4 +0,0 @@ -proxy_set_header Host $http_host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; \ No newline at end of file diff --git a/etc/ubi9/ssl_params b/etc/ubi9/ssl_params deleted file mode 100644 index db1efbe..0000000 --- a/etc/ubi9/ssl_params +++ /dev/null @@ -1,22 +0,0 @@ -# secure nginx, see https://cipherli.st/ - -ssl_protocols TLSv1.3 -ssl_prefer_server_ciphers off; -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:10m; -ssl_session_tickets off; # Requires nginx >= 1.5.9 -ssl_stapling on; # Requires nginx >= 1.3.7 -ssl_stapling_verify on; # Requires nginx => 1.3.7 -resolver 8.8.8.8 8.8.4.4 valid=300s; -resolver_timeout 5s; - -# https://hstspreload.org -add_header Strict-Transport-Security "max-age=63072000" always; -# By default, HSTS header is not added to subdomain requests. If you have subdomains and want -# HSTS to apply to all of them, you should add the includeSubDomains variable like this: -#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - -add_header X-Frame-Options DENY; -add_header X-Content-Type-Options nosniff; -add_header X-XSS-Protection "1; mode=block"; -add_header X-Robots-Tag none; \ No newline at end of file