Added support for almalinux base, removing ubi9

.gitea/workflows/almalinux.yaml

@@ -0,0 +1,73 @@
+name: Build and push Nginx on almalinux based container images
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Build nginx container images
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        version: ["1.22", "1.24"]
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Login to docker.io
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      # - name: Set up QEMU
+      #   uses: docker/setup-qemu-action@v3
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push nginx on almalinux base
+        uses: docker/build-push-action@v5
+        with:
+          # platforms: linux/amd64,linux/arm64
+          push: true
+          context: .
+          file: Dockerfile.almalinux
+          build-args: |
+            NGINX_VERSION=${{ matrix.version }}
+          tags: |
+            ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version }}-almalinux
+      - name: Scan container image with Trivy
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: '${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-almalinux'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+  build-latest:
+    name: Build latest nginx almalinux based container images
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    container:
+      image: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Login to docker.io
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      # - name: Set up QEMU
+      #   uses: docker/setup-qemu-action@v3
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push latest nginx
+        uses: docker/build-push-action@v5
+        with:
+          # platforms: linux/amd64,linux/arm64
+          push: true
+          context: .
+          file: Dockerfile.almalinux
+          tags: |
+            ${{ vars.DOCKERHUB_USERNAME }}/nginx:almalinux

.gitea/workflows/alpine.yaml

@@ -15,14 +15,11 @@ jobs:
       matrix:
         version:
           - alpine: "3.17"
-            nginx: "1.22.1"
-            nginx_short: "1.22"
+            nginx: "1.22"
           - alpine: "3.19"
-            nginx: "1.24.0"
-            nginx_short: "1.24"
+            nginx: "1.24"
           - alpine: "3.21"
-            nginx: "1.26.2"
-            nginx_short: "1.26"
+            nginx: "1.26"
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -47,7 +44,6 @@ jobs:
             NGINX_VERSION=${{ matrix.version.nginx }}
           tags: |
             ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx }}-alpine
-            ${{ vars.DOCKERHUB_USERNAME }}/nginx:${{ matrix.version.nginx_short }}-alpine
       - name: Scan container image with Trivy
         uses: aquasecurity/trivy-action@0.20.0
         with:

Dockerfile.almalinux

@@ -0,0 +1,72 @@
+ARG ALMALINUX_VERSION=9.5
+
+FROM aprimediet/almalinux:${ALMALINUX_VERSION} AS builder
+
+ARG NGINX_VERSION=1.24
+
+RUN mkdir -p /mnt/rootfs; \
+    dnf install --installroot /mnt/rootfs \
+        coreutils-single \
+        glibc-minimal-langpack \
+        --releasever 9 --setopt install_weak_deps=false --nodocs -y; \
+    dnf module reset nginx ; \
+    dnf module enable nginx:${NGINX_VERSION} ; \
+    dnf install --installroot /mnt/rootfs \
+        nginx \
+        --releasever 9 --setopt install_weak_deps=false --nodocs -y; \
+    dnf --installroot /mnt/rootfs clean all;
+
+FROM aprimediet/almalinux:${ALMALINUX_VERSION}-micro AS stage2
+
+ENV DIR_DEPS="/var/run/nginx /var/log/nginx /var/lib/nginx/tmp /var/cache/nginx"
+
+ADD htdocs /app/htdocs
+ADD scripts/entrypoint.sh /usr/local/bin/
+
+RUN echo "nginx:x:10001:" >> /etc/group ; \
+    echo "nginx:x:10001:10001:nginx:/app/htdocs:/sbin/nologin" >> /etc/passwd ; \
+    echo "nginx:!!:20070::::::" >> /etc/shadow ; \
+    mkdir -p ${DIR_DEPS} ; \
+    chown -R nginx:nginx ${DIR_DEPS} ; \
+    chmod +x /usr/local/bin/entrypoint.sh
+
+COPY --from=builder \
+     /usr/lib64/libc* \
+     /usr/lib64/libcrypt* \
+     /usr/lib64/libcrypto* \
+     /usr/lib64/libpcre* \
+     /usr/lib64/libssl* \
+     /usr/lib64/libz* \
+     /usr/lib64/
+
+COPY --from=builder /mnt/rootfs/etc/nginx /etc/nginx
+COPY --from=builder /mnt/rootfs/usr/lib64/nginx /usr/lib64/nginx
+COPY --from=builder /mnt/rootfs/usr/sbin/nginx /usr/sbin/nginx
+
+ADD etc/nginx /etc/nginx
+
+FROM scratch
+
+ARG NGINX_VERSION=1.24
+ENV NGINX_VERSION=${NGINX_VERSION}
+
+LABEL maintainer="Muhamad Aditya Prima <aprimediet@gmail.com>"
+LABEL name="nginx"
+LABEL version="${NGINX_VERSION}"
+LABEL distribution-scope="public"
+
+#labels for container catalog
+LABEL summary="Nginx ${NGINX_VERSION} on almalinux based container image"
+LABEL description="Provide nginx on almalinux based container base image"
+LABEL io.k8s.description="Very small almalinux container image"
+LABEL io.k8s.display-name="Nginx ${NGINX_VERSION}"
+
+COPY --from=stage2 / /
+
+USER nginx
+
+EXPOSE 80
+
+STOPSIGNAL SIGQUIT
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

Dockerfile.alpine

@@ -29,7 +29,7 @@ RUN /bin/chmod +x /usr/local/bin/entrypoint.sh; \
 
 FROM scratch
 
-ARG NGINX_VERSION=1.26.2
+ARG NGINX_VERSION=1.26
 
 ENV NGINX_VERSION=${NGINX_VERSION}
 
@@ -54,6 +54,4 @@ EXPOSE 80
 
 STOPSIGNAL SIGQUIT
 
-# ENTRYPOINT ["/bin/sh"]
-
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

Dockerfile.ubi9

@@ -1,37 +0,0 @@
-ARG REGISTRY_URL=docker.io/aprimediet
-ARG UBI_VERSION=9.5
-
-FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION} AS builder
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-
-ARG NGINX_VERSION=1.24
-
-USER root
-
-# Add group and user nginx
-RUN groupadd -g 10001 nginx && \
-    useradd -u 10001 -g 10001 -m -d /app -s /sbin/nologin nginx && \
-    mkdir -p /var/run/nginx && \
-    chown nginx:nginx /var/run/nginx
-
-# Update packages, configure nginx version
-# and install nginx
-RUN dnf -y update && \
-    dnf -y module reset nginx && \
-    dnf -y module enable nginx:${NGINX_VERSION} && \
-    dnf -y install nginx && \
-    dnf -y autoremove && \
-    dnf -y clean all
-
-# Copy Nginx default config files
-ADD ./etc/ubi9 /etc/nginx
-ADD ./app /app
-RUN chown -R nginx:nginx /app
-
-USER nginx
-
-WORKDIR /app
-
-EXPOSE 80
-
-CMD ["nginx"]

Dockerfile.ubi9-micro

@@ -1,49 +0,0 @@
-ARG REGISTRY_URL=docker.io/aprimediet
-ARG UBI_VERSION=9.5
-ARG NGINX_VERSION=1.24
-
-FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9 AS builder
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-
-FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}-micro AS runtime
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-
-USER root
-
-# Create user and group
-RUN echo "nginx:x:10001:" >> /etc/group && \
-    echo "nginx:x:10001:10001:nginx:/app:/sbin/nologin" >> /etc/passwd && \
-    echo "nginx:!!:20070::::::" >> /etc/shadow
-
-# Create nginx run and logs directory
-RUN mkdir -p /var/run/nginx && \
-    mkdir -p /var/log/nginx && \
-    chown 10001:10001 /var/run/nginx && \
-    chown 10001:10001 /var/log/nginx
-
-# Copy required libs
-COPY --from=builder /usr/lib64/libcrypt* /usr/lib64
-COPY --from=builder /usr/lib64/libssl* /usr/lib64
-COPY --from=builder /usr/lib64/libz* /usr/lib64
-
-# Copy nginx required files
-COPY --from=builder /etc/nginx /etc/nginx
-COPY --from=builder /usr/lib64/nginx /usr/lib64/nginx
-COPY --from=builder /usr/libexec/nginx* /usr/libexec/
-COPY --from=builder /usr/sbin/nginx /usr/sbin
-COPY --from=builder /usr/share/nginx /usr/share/nginx
-COPY --from=builder /var/lib/nginx /var/lib/nginx
-
-# Copy Nginx default config files
-ADD ./etc/ubi9 /etc/nginx
-ADD ./app /app
-
-RUN chown -R 10001:10001 /app
-
-USER 10001
-
-WORKDIR /app
-
-EXPOSE 80
-
-CMD ["nginx"]

etc/alpine/conf.d/default.conf

@@ -1,23 +0,0 @@
-server {
-  listen 80 default_server;
-  listen [::]:80 default_server;
-
-  server_name _;
-  root /app;
-  index index.html;
-
-  error_log stderr warn;
-
-  location / {
-    try_files $uri $uri/ index.html;
-  }
-
-  location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-    expires 30d;
-  }
-
-  location /nginx-status {
-    stub_status on;
-    allow all;
-  }
-}

etc/alpine/fastcgi_params

@@ -1,24 +0,0 @@
-fastcgi_param  QUERY_STRING       $query_string;
-fastcgi_param  REQUEST_METHOD     $request_method;
-fastcgi_param  CONTENT_TYPE       $content_type;
-fastcgi_param  CONTENT_LENGTH     $content_length;
-
-fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
-fastcgi_param  REQUEST_URI        $request_uri;
-fastcgi_param  DOCUMENT_URI       $document_uri;
-fastcgi_param  DOCUMENT_ROOT      $document_root;
-fastcgi_param  SERVER_PROTOCOL    $server_protocol;
-fastcgi_param  REQUEST_SCHEME     $scheme;
-fastcgi_param  HTTPS              $https if_not_empty;
-
-fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
-fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
-
-fastcgi_param  REMOTE_ADDR        $remote_addr;
-fastcgi_param  REMOTE_PORT        $remote_port;
-fastcgi_param  SERVER_ADDR        $server_addr;
-fastcgi_param  SERVER_PORT        $server_port;
-fastcgi_param  SERVER_NAME        $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param  REDIRECT_STATUS    200;

etc/alpine/nginx.conf

@@ -1,93 +0,0 @@
-# /etc/nginx/nginx.conf
-
-# Do not start as daemon
-daemon off;
-
-worker_processes auto;
-worker_rlimit_nofile 100000;
-
-# Set log to stderr
-error_log stderr warn;
-pid       #NGINX_RUN_DIR#/nginx.pid;
-
-include /etc/nginx/modules/*.conf;
-
-events {
-  worker_connections 1024;
-}
-
-http {
-  include /etc/nginx/mime.types;
-  default_type application/octet-stream;
-
-  server_tokens off;
-  keepalive_timeout 15;
-  sendfile on;
-  tcp_nodelay on;
-
-  log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
-                        '"$request" $status $body_bytes_sent '
-                        '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
-
-  # Log access to stdout
-  access_log /dev/stdout custom_log;
-
-  # SSL
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:2m;
-
-  # buffering causes issues, disable it
-  # increase buffer size. still useful even when buffering is off
-  proxy_buffering off;
-  proxy_buffer_size 4k;
-
-  # Buffer size
-  client_body_buffer_size 10k;
-  client_header_buffer_size 1k;
-  client_max_body_size 8m;
-  large_client_header_buffers 2 1k;
-
-  # Timeouts
-  client_body_timeout 12;
-  client_header_timeout 12;
-  send_timeout 10;
-
-  # GZip Compression
-  gzip on;
-  gzip_http_version 1.0;
-  gzip_vary on;
-  gzip_comp_level 4;
-  gzip_min_length 1280;
-  gzip_buffers 128 4k;
-  # gzip_proxied expired no-cache no-store private auth;
-  gzip_proxied any;
-  gzip_disable "msie6";
-  # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
-  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
-
-  server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-
-    server_name _;
-    root #NGINX_ROOT_DIR#;
-    index index.html;
-
-    error_log stderr warn;
-
-    location / {
-      try_files $uri $uri/ index.html;
-    }
-
-    #NGINX_ENABLE_STATIC_CACHE#location ~* .(jpg|jpeg|png|gif|ico|css|js|flv|mp4)$ {
-    #NGINX_ENABLE_STATIC_CACHE#  expires 30d;
-    #NGINX_ENABLE_STATIC_CACHE#}
-
-    #NGINX_ENABLE_STUB#location /nginx-status {
-    #NGINX_ENABLE_STUB#  stub_status on;
-    #NGINX_ENABLE_STUB#  allow all;
-    #NGINX_ENABLE_STUB#}
-  }
-  
-  include /etc/nginx/conf.d/*.conf;
-}

etc/alpine/proxy_params

@@ -1,4 +0,0 @@
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;

etc/alpine/ssl_params

@@ -1,22 +0,0 @@
-# secure nginx, see https://cipherli.st/
-
-ssl_protocols TLSv1.3
-ssl_prefer_server_ciphers off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off; # Requires nginx >= 1.5.9
-ssl_stapling on; # Requires nginx >= 1.3.7
-ssl_stapling_verify on; # Requires nginx => 1.3.7
-resolver 8.8.8.8 8.8.4.4 valid=300s;
-resolver_timeout 5s;
-
-# https://hstspreload.org
-add_header Strict-Transport-Security "max-age=63072000" always; 
-# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
-# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Robots-Tag none;

etc/ubi9/conf.d/default.conf

@@ -1,23 +0,0 @@
-server {
-  listen 80 default_server;
-  listen [::]:80 default_server;
-
-  server_name _;
-  root /app;
-  index index.html;
-
-  error_log stderr warn;
-
-  location / {
-    try_files $uri $uri/ index.html;
-  }
-
-  location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-    expires 30d;
-  }
-
-  location /nginx-status {
-    stub_status on;
-    allow all;
-  }
-}

etc/ubi9/nginx.conf

@@ -1,70 +0,0 @@
-# For more information on configuration, see:
-#   * Official English Documentation: http://nginx.org/en/docs/
-#   * Official Russian Documentation: http://nginx.org/ru/docs/
-
-# Do not start as daemon
-daemon off;
-worker_rlimit_nofile 100000;
-
-worker_processes auto;
-error_log stderr warn;
-pid /var/run/nginx/nginx.pid;
-
-# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
-    worker_connections 1024;
-}
-
-http {
-    include             /etc/nginx/mime.types;
-    default_type        application/octet-stream;
-    server_tokens off;
-    keepalive_timeout 15;
-    sendfile on;
-    tcp_nodelay on;
-    
-    log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
-                        '"$request" $status $body_bytes_sent '
-                        '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
-
-    # Log access to stdout
-    access_log /dev/stdout custom_log;
-
-    # SSL
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:2m;
-
-
-    # buffering causes issues, disable it
-    # increase buffer size. still useful even when buffering is off
-    proxy_buffering off;
-    proxy_buffer_size 4k;
-
-    # Buffer size
-    client_body_buffer_size 10k;
-    client_header_buffer_size 1k;
-    client_max_body_size 8m;
-    large_client_header_buffers 2 1k;
-
-    # Timeouts
-    client_body_timeout 12;
-    client_header_timeout 12;
-    send_timeout 10;
-
-    # GZip Compression
-    gzip on;
-    gzip_http_version 1.0;
-    gzip_vary on;
-    gzip_comp_level 4;
-    gzip_min_length 1280;
-    gzip_buffers 128 4k;
-    # gzip_proxied expired no-cache no-store private auth;
-    gzip_proxied any;
-    gzip_disable "msie6";
-    # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
-    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
-    
-    include /etc/nginx/conf.d/*.conf;
-}

etc/ubi9/proxy_params

@@ -1,4 +0,0 @@
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;

etc/ubi9/ssl_params

@@ -1,22 +0,0 @@
-# secure nginx, see https://cipherli.st/
-
-ssl_protocols TLSv1.3
-ssl_prefer_server_ciphers off;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off; # Requires nginx >= 1.5.9
-ssl_stapling on; # Requires nginx >= 1.3.7
-ssl_stapling_verify on; # Requires nginx => 1.3.7
-resolver 8.8.8.8 8.8.4.4 valid=300s;
-resolver_timeout 5s;
-
-# https://hstspreload.org
-add_header Strict-Transport-Security "max-age=63072000" always; 
-# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
-# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
-
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Robots-Tag none;