Added support for almalinux base, removing ubi9

This commit is contained in:
Muhamad Aditya Prima 2024-12-16 00:49:08 +07:00
parent afd7f50dc9
commit ab3ecd598d
15 changed files with 149 additions and 381 deletions


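--- /dev/null
+++ b/PATH_UNKNOWN_almalinux_workflow
@@ -0,0 +1,73 @@
+name: Build and push Nginx on almalinux based container images
+on:
+push:
+branches:
+- master
+jobs:
+build:
+name: Build nginx container images
+runs-on: ubuntu-latest
+container:
+image: ghcr.io/catthehacker/ubuntu:act-latest
+strategy:
+matrix:
+version: ["1.22", "1.24"]
+steps:
+- name: Check out repository code
+uses: actions/checkout@v4
+- name: Login to docker.io
+uses: docker/login-action@v3
+with:
+username: ${{ vars.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+# - name: Set up QEMU
+# uses: docker/setup-qemu-action@v3
+- name: Setup Docker buildx
+uses: docker/setup-buildx-action@v3
+- name: Build and push nginx on almalinux base
+uses: docker/build-push-action@v5
+with:
+# platforms: linux/amd64,linux/arm64
+push: true
+context: .
+file: Dockerfile.almalinux
+build-args: |
+NGINX_VERSION=${{ matrix.version }}
+tags: |
+${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version }}-almalinux
+- name: Scan container image with Trivy
+uses: aquasecurity/trivy-action@0.20.0
+with:
+image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-almalinux'
+format: 'sarif'
+output: 'trivy-results.sarif'
+build-latest:
+name: Build latest nginx almalinux based container images
+runs-on: ubuntu-latest
+needs:
+- build
+container:
+image: ghcr.io/catthehacker/ubuntu:act-latest
+steps:
+- name: Check out repository code
+uses: actions/checkout@v4
+- name: Login to docker.io
+uses: docker/login-action@v3
+with:
+username: ${{ vars.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+# - name: Set up QEMU
+# uses: docker/setup-qemu-action@v3
+- name: Setup Docker buildx
+uses: docker/setup-buildx-action@v3
+- name: Build and push latest nginx
+uses: docker/build-push-action@v5
+with:
+# platforms: linux/amd64,linux/arm64
+push: true
+context: .
+file: Dockerfile.almalinux
+tags: |
+${{ vars.DOCKERHUB_USERNAME }}/nginx:almalinux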
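Review bot: The Trivy step's `image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-almalinux'` references `matrix.version.nginx`, but this workflow's matrix is a flat list of strings (`version: ["1.22", "1.24"]`), so the expression expands to empty and the scan targets a non-existent `nginx:-almalinux` tag; the line should read `image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version }}-almalinux'`. The failing status of the build job on this commit is consistent with that. Independently, the scan runs only after `push: true` has already published the image, and its SARIF output is written but neither uploaded nor used to fail the job, so a finding never blocks the tag; the `build-latest` job has no scan step at all. Consider building with `push: false` and `load: true`, scanning with `exit-code: '1'` for the severities you want to block on, and pushing in a later step. Pinning the actions to commit SHAs instead of floating tags such as `@v5` would also protect the workflow against an upstream tag being moved.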


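--- a/PATH_UNKNOWN_alpine_workflow
+++ b/PATH_UNKNOWN_alpine_workflow
@@ -15,14 +15,11 @@ jobs:
 matrix:
 version:
 - alpine: "3.17"
-nginx: "1.22.1"
-nginx_short: "1.22"
+nginx: "1.22"
 - alpine: "3.19"
-nginx: "1.24.0"
-nginx_short: "1.24"
+nginx: "1.24"
 - alpine: "3.21"
-nginx: "1.26.2"
-nginx_short: "1.26"
+nginx: "1.26"
 steps:
 - name: Check out repository code
 uses: actions/checkout@v4
@@ -47,7 +44,6 @@ jobs:
 NGINX_VERSION=${{ matrix.version.nginx }}
 tags: |
 ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-alpine
-${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx_short }}-alpine
 - name: Scan container image with Trivy
 uses: aquasecurity/trivy-action@0.20.0
 with: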

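--- /dev/null
+++ b/Dockerfile.almalinux
@@ -0,0 +1,72 @@
+ARG ALMALINUX_VERSION=9.5
+FROM aprimediet/almalinux:${ALMALINUX_VERSION} AS builder
+ARG NGINX_VERSION=1.24
+RUN mkdir -p /mnt/rootfs; \
+dnf install --installroot /mnt/rootfs \
+coreutils-single \
+glibc-minimal-langpack \
+--releasever 9 --setopt install_weak_deps=false --nodocs -y; \
+dnf module reset nginx ; \
+dnf module enable nginx:${NGINX_VERSION} ; \
+dnf install --installroot /mnt/rootfs \
+nginx \
+--releasever 9 --setopt install_weak_deps=false --nodocs -y; \
+dnf --installroot /mnt/rootfs clean all;
+FROM aprimediet/almalinux:${ALMALINUX_VERSION}-micro AS stage2
+ENV DIR_DEPS="/var/run/nginx /var/log/nginx /var/lib/nginx/tmp /var/cache/nginx"
+ADD htdocs /app/htdocs
+ADD scripts/entrypoint.sh /usr/local/bin/
+RUN echo "nginx:x:10001:" >> /etc/group ; \
+echo "nginx:x:10001:10001:nginx:/app/htdocs:/sbin/nologin" >> /etc/passwd ; \
+echo "nginx:!!:20070::::::" >> /etc/shadow ; \
+mkdir -p ${DIR_DEPS} ; \
+chown -R nginx:nginx ${DIR_DEPS} ; \
+chmod +x /usr/local/bin/entrypoint.sh
+COPY --from=builder \
+/usr/lib64/libc* \
+/usr/lib64/libcrypt* \
+/usr/lib64/libcrypto* \
+/usr/lib64/libpcre* \
+/usr/lib64/libssl* \
+/usr/lib64/libz* \
+/usr/lib64/
+COPY --from=builder /mnt/rootfs/etc/nginx /etc/nginx
+COPY --from=builder /mnt/rootfs/usr/lib64/nginx /usr/lib64/nginx
+COPY --from=builder /mnt/rootfs/usr/sbin/nginx /usr/sbin/nginx
+ADD etc/nginx /etc/nginx
+FROM scratch
+ARG NGINX_VERSION=1.24
+ENV NGINX_VERSION=${NGINX_VERSION}
+LABEL maintainer="Muhamad Aditya Prima <aprimediet@gmail.com>"
+LABEL name="nginx"
+LABEL version="${NGINX_VERSION}"
+LABEL distribution-scope="public"
+#labels for container catalog
+LABEL summary="Nginx ${NGINX_VERSION} on almalinux based container image"
+LABEL description="Provide nginx on almalinux based container base image"
+LABEL io.k8s.description="Very small almalinux container image"
+LABEL io.k8s.display-name="Nginx ${NGINX_VERSION}"
+COPY --from=stage2 / /
+USER nginx
+EXPOSE 80
+STOPSIGNAL SIGQUIT
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]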
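Review bot: The final stage drops privileges with `USER nginx`, which only resolves because the hand-written `/etc/passwd` from stage2 is copied in with the rest of the filesystem; writing it as `USER 10001` ties the step to the uid the RUN block actually creates and lets runtimes that enforce a non-root user verify it without a passwd lookup. The builder and runtime bases `aprimediet/almalinux:${ALMALINUX_VERSION}` and `:${ALMALINUX_VERSION}-micro` are pulled by mutable tag from a personal namespace, so the build is not reproducible and a re-tagged upstream image would be picked up silently; pinning with `@sha256:<digest>` (placeholder) would close that. The library COPY starting at `COPY --from=builder /usr/lib64/libc* \` takes shared objects from the builder image's own filesystem rather than from `/mnt/rootfs`, where nginx and its dependencies were resolved and installed; I would expect `--from=builder /mnt/rootfs/usr/lib64/...` so the runtime gets exactly the versions nginx was installed against, though both stages appear to be the same EL9 release so this is worth confirming rather than a certain break. Finally, `ADD htdocs`, `ADD scripts/entrypoint.sh` and `ADD etc/nginx` copy local paths, for which `COPY` is the conventional form and avoids ADD's URL-fetch and archive-unpack behaviour.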


@ -29,7 +29,7 @@ RUN /bin/chmod +x /usr/local/bin/entrypoint.sh; \
FROM scratch FROM scratch
ARG NGINX_VERSION=1.26.2 ARG NGINX_VERSION=1.26
ENV NGINX_VERSION=${NGINX_VERSION} ENV NGINX_VERSION=${NGINX_VERSION}
@ -54,6 +54,4 @@ EXPOSE 80
STOPSIGNAL SIGQUIT STOPSIGNAL SIGQUIT
# ENTRYPOINT ["/bin/sh"]
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]


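--- a/PATH_UNKNOWN_deleted_ubi9_dockerfile_1
+++ /dev/null
@@ -1,37 +0,0 @@
-ARG REGISTRY_URL=docker.io/aprimediet
-ARG UBI_VERSION=9.5
-FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION} AS builder
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-ARG NGINX_VERSION=1.24
-USER root
-# Add group and user nginx
-RUN groupadd -g 10001 nginx && \
-useradd -u 10001 -g 10001 -m -d /app -s /sbin/nologin nginx && \
-mkdir -p /var/run/nginx && \
-chown nginx:nginx /var/run/nginx
-# Update packages, configure nginx version
-# and install nginx
-RUN dnf -y update && \
-dnf -y module reset nginx && \
-dnf -y module enable nginx:${NGINX_VERSION} && \
-dnf -y install nginx && \
-dnf -y autoremove && \
-dnf -y clean all
-# Copy Nginx default config files
-ADD ./etc/ubi9 /etc/nginx
-ADD ./app /app
-RUN chown -R nginx:nginx /app
-USER nginx
-WORKDIR /app
-EXPOSE 80
-CMD ["nginx"]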


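--- a/PATH_UNKNOWN_deleted_ubi9_dockerfile_2
+++ /dev/null
@@ -1,49 +0,0 @@
-ARG REGISTRY_URL=docker.io/aprimediet
-ARG UBI_VERSION=9.5
-ARG NGINX_VERSION=1.24
-FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9 AS builder
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}-micro AS runtime
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-USER root
-# Create user and group
-RUN echo "nginx:x:10001:" >> /etc/group && \
-echo "nginx:x:10001:10001:nginx:/app:/sbin/nologin" >> /etc/passwd && \
-echo "nginx:!!:20070::::::" >> /etc/shadow
-# Create nginx run and logs directory
-RUN mkdir -p /var/run/nginx && \
-mkdir -p /var/log/nginx && \
-chown 10001:10001 /var/run/nginx && \
-chown 10001:10001 /var/log/nginx
-# Copy required libs
-COPY --from=builder /usr/lib64/libcrypt* /usr/lib64
-COPY --from=builder /usr/lib64/libssl* /usr/lib64
-COPY --from=builder /usr/lib64/libz* /usr/lib64
-# Copy nginx required files
-COPY --from=builder /etc/nginx /etc/nginx
-COPY --from=builder /usr/lib64/nginx /usr/lib64/nginx
-COPY --from=builder /usr/libexec/nginx* /usr/libexec/
-COPY --from=builder /usr/sbin/nginx /usr/sbin
-COPY --from=builder /usr/share/nginx /usr/share/nginx
-COPY --from=builder /var/lib/nginx /var/lib/nginx
-# Copy Nginx default config files
-ADD ./etc/ubi9 /etc/nginx
-ADD ./app /app
-RUN chown -R 10001:10001 /app
-USER 10001
-WORKDIR /app
-EXPOSE 80
-CMD ["nginx"]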


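--- a/PATH_UNKNOWN_deleted_nginx_server_conf_1
+++ /dev/null
@@ -1,23 +0,0 @@
-server {
-listen 80 default_server;
-listen [::]:80 default_server;
-server_name _;
-root /app;
-index index.html;
-error_log stderr warn;
-location / {
-try_files $uri $uri/ index.html;
-}
-location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-expires 30d;
-}
-location /nginx-status {
-stub_status on;
-allow all;
-}
-}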


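--- a/PATH_UNKNOWN_deleted_fastcgi_params
+++ /dev/null
@@ -1,24 +0,0 @@
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param REQUEST_SCHEME $scheme;
-fastcgi_param HTTPS $https if_not_empty;
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;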


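--- a/PATH_UNKNOWN_deleted_nginx_conf_1
+++ /dev/null
@@ -1,93 +0,0 @@
-# /etc/nginx/nginx.conf
-# Do not start as daemon
-daemon off;
-worker_processes auto;
-worker_rlimit_nofile 100000;
-# Set log to stderr
-error_log stderr warn;
-pid #NGINX_RUN_DIR#/nginx.pid;
-include /etc/nginx/modules/*.conf;
-events {
-worker_connections 1024;
-}
-http {
-include /etc/nginx/mime.types;
-default_type application/octet-stream;
-server_tokens off;
-keepalive_timeout 15;
-sendfile on;
-tcp_nodelay on;
-log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
-'"$request" $status $body_bytes_sent '
-'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
-# Log access to stdout
-access_log /dev/stdout custom_log;
-# SSL
-ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:2m;
-# buffering causes issues, disable it
-# increase buffer size. still useful even when buffering is off
-proxy_buffering off;
-proxy_buffer_size 4k;
-# Buffer size
-client_body_buffer_size 10k;
-client_header_buffer_size 1k;
-client_max_body_size 8m;
-large_client_header_buffers 2 1k;
-# Timeouts
-client_body_timeout 12;
-client_header_timeout 12;
-send_timeout 10;
-# GZip Compression
-gzip on;
-gzip_http_version 1.0;
-gzip_vary on;
-gzip_comp_level 4;
-gzip_min_length 1280;
-gzip_buffers 128 4k;
-# gzip_proxied expired no-cache no-store private auth;
-gzip_proxied any;
-gzip_disable "msie6";
-# gzip_types text/plain application/x-javascript text/xml text/css application/xml;
-gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
-server {
-listen 80 default_server;
-listen [::]:80 default_server;
-server_name _;
-root #NGINX_ROOT_DIR#;
-index index.html;
-error_log stderr warn;
-location / {
-try_files $uri $uri/ index.html;
-}
-#NGINX_ENABLE_STATIC_CACHE#location ~* .(jpg|jpeg|png|gif|ico|css|js|flv|mp4)$ {
-#NGINX_ENABLE_STATIC_CACHE# expires 30d;
-#NGINX_ENABLE_STATIC_CACHE#}
-#NGINX_ENABLE_STUB#location /nginx-status {
-#NGINX_ENABLE_STUB# stub_status on;
-#NGINX_ENABLE_STUB# allow all;
-#NGINX_ENABLE_STUB#}
-}
-include /etc/nginx/conf.d/*.conf;
-}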


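--- a/PATH_UNKNOWN_deleted_proxy_params_1
+++ /dev/null
@@ -1,4 +0,0 @@
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;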


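--- a/PATH_UNKNOWN_deleted_ssl_conf_1
+++ /dev/null
@@ -1,22 +0,0 @@
-# secure nginx, see https://cipherli.st/
-ssl_protocols TLSv1.3
-ssl_prefer_server_ciphers off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off; # Requires nginx >= 1.5.9
-ssl_stapling on; # Requires nginx >= 1.3.7
-ssl_stapling_verify on; # Requires nginx => 1.3.7
-resolver 8.8.8.8 8.8.4.4 valid=300s;
-resolver_timeout 5s;
-# https://hstspreload.org
-add_header Strict-Transport-Security "max-age=63072000" always;
-# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
-# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Robots-Tag none;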


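--- a/PATH_UNKNOWN_deleted_nginx_server_conf_2
+++ /dev/null
@@ -1,23 +0,0 @@
-server {
-listen 80 default_server;
-listen [::]:80 default_server;
-server_name _;
-root /app;
-index index.html;
-error_log stderr warn;
-location / {
-try_files $uri $uri/ index.html;
-}
-location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-expires 30d;
-}
-location /nginx-status {
-stub_status on;
-allow all;
-}
-}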


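--- a/PATH_UNKNOWN_deleted_nginx_conf_2
+++ /dev/null
@@ -1,70 +0,0 @@
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-# Do not start as daemon
-daemon off;
-worker_rlimit_nofile 100000;
-worker_processes auto;
-error_log stderr warn;
-pid /var/run/nginx/nginx.pid;
-# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-events {
-worker_connections 1024;
-}
-http {
-include /etc/nginx/mime.types;
-default_type application/octet-stream;
-server_tokens off;
-keepalive_timeout 15;
-sendfile on;
-tcp_nodelay on;
-log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
-'"$request" $status $body_bytes_sent '
-'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
-# Log access to stdout
-access_log /dev/stdout custom_log;
-# SSL
-ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:2m;
-# buffering causes issues, disable it
-# increase buffer size. still useful even when buffering is off
-proxy_buffering off;
-proxy_buffer_size 4k;
-# Buffer size
-client_body_buffer_size 10k;
-client_header_buffer_size 1k;
-client_max_body_size 8m;
-large_client_header_buffers 2 1k;
-# Timeouts
-client_body_timeout 12;
-client_header_timeout 12;
-send_timeout 10;
-# GZip Compression
-gzip on;
-gzip_http_version 1.0;
-gzip_vary on;
-gzip_comp_level 4;
-gzip_min_length 1280;
-gzip_buffers 128 4k;
-# gzip_proxied expired no-cache no-store private auth;
-gzip_proxied any;
-gzip_disable "msie6";
-# gzip_types text/plain application/x-javascript text/xml text/css application/xml;
-gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
-include /etc/nginx/conf.d/*.conf;
-}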


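--- a/PATH_UNKNOWN_deleted_proxy_params_2
+++ /dev/null
@@ -1,4 +0,0 @@
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;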


@ -1,22 +0,0 @@
# secure nginx, see https://cipherli.st/
ssl_protocols TLSv1.3
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# https://hstspreload.org
add_header Strict-Transport-Security "max-age=63072000" always;
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;