ricardbejarano's Jan. 2020 Docker image rework

Ricard Bejarano 2021-01-24 18:53:30 +01:00
parent 3ac1822cf1
commit 6b7bf2c2bf
No known key found for this signature in database
GPG key ID: 835D397AC7BB6B0F
6 changed files with 128 additions and 214 deletions

38
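--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -0,0 +1,38 @@
+name: "Build and push Docker image"
+on:
+push:
+branches: ["*"]
+tags: ["*"]
+schedule:
+- cron: "0 0 * * 0"
+jobs:
+main:
+runs-on: "ubuntu-20.04"
+steps:
+- name: "Checkout"
+uses: "actions/checkout@v2"
+- name: "Prepare build environment; build; push to Docker Hub, RedHat Quay"
+run: |
+IMAGE_BUILD_CONTEXT='.'
+IMAGE_BUILD_DOCKERFILE='Dockerfile'
+IMAGE_BUILD_PLATFORMS='linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le'
+IMAGE_NAME="$(echo '${{ github.repository }}' | sed 's,.*/,,g' | tr '[A-Z]' '[a-z]')"
+IMAGE_VERSION="$(echo '${{ github.ref }}' | sed -e 's,.*/\(.*\),\1,')"
+[ "$IMAGE_VERSION" == 'master' ] && IMAGE_VERSION='latest'
+[ "$IMAGE_VERSION" == 'main' ] && IMAGE_VERSION='latest'
+docker buildx create --use
+IMAGE_REGISTRY='docker.io'
+echo '${{ secrets.DOCKER_HUB_PASSWORD }}' | docker login --username '${{ secrets.DOCKER_HUB_USERNAME }}' --password-stdin "$IMAGE_REGISTRY"
+docker buildx build --push --platform "$IMAGE_BUILD_PLATFORMS" --tag "$IMAGE_REGISTRY/${{ secrets.DOCKER_HUB_USERNAME }}/$IMAGE_NAME:$IMAGE_VERSION" --file "$IMAGE_BUILD_DOCKERFILE" "$IMAGE_BUILD_CONTEXT"
+IMAGE_REGISTRY='quay.io'
+echo '${{ secrets.REDHAT_QUAY_PASSWORD }}' | docker login --username '${{ secrets.REDHAT_QUAY_USERNAME }}' --password-stdin "$IMAGE_REGISTRY"
+docker buildx build --push --platform "$IMAGE_BUILD_PLATFORMS" --tag "$IMAGE_REGISTRY/${{ secrets.REDHAT_QUAY_USERNAME }}/$IMAGE_NAME:$IMAGE_VERSION" --file "$IMAGE_BUILD_DOCKERFILE" "$IMAGE_BUILD_CONTEXT"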
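Review bot: `${{ github.ref }}`, `${{ github.repository }}` and the `secrets.*_USERNAME` / `secrets.*_PASSWORD` expressions are substituted into the script text before bash parses it (the `IMAGE_NAME=`, `IMAGE_VERSION=`, both `docker login` lines and both `--tag` arguments), so a ref name or secret value containing a single quote alters how the step is parsed instead of being treated as data. `GITHUB_REPOSITORY` and `GITHUB_REF` are already exported to every step, and the secrets can be mapped through an `env:` block on the step, after which the script only uses `"$VAR"` expansions. Separately, `actions/checkout@v2` is a mutable tag; pinning it to a full commit SHA (with the tag kept in a trailing comment) stops the checkout step from changing silently under the weekly `cron` rebuild. On the scheduled trigger `github.ref` is the default branch, so the `master`/`main` → `latest` mapping applies to those runs as well, which is presumably intended but worth a comment.
```yaml
- name: "Prepare build environment; build; push to Docker Hub, RedHat Quay"
  env:
    DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
    REDHAT_QUAY_USERNAME: ${{ secrets.REDHAT_QUAY_USERNAME }}
    REDHAT_QUAY_PASSWORD: ${{ secrets.REDHAT_QUAY_PASSWORD }}
  run: |
    # … unchanged: IMAGE_BUILD_CONTEXT, IMAGE_BUILD_DOCKERFILE, IMAGE_BUILD_PLATFORMS …
    IMAGE_NAME="$(echo "$GITHUB_REPOSITORY" | sed 's,.*/,,g' | tr '[A-Z]' '[a-z]')"
    IMAGE_VERSION="$(echo "$GITHUB_REF" | sed -e 's,.*/\(.*\),\1,')"
    # … unchanged: master/main -> latest mapping, buildx create …
    IMAGE_REGISTRY='docker.io'
    printf '%s' "$DOCKER_HUB_PASSWORD" | docker login --username "$DOCKER_HUB_USERNAME" --password-stdin "$IMAGE_REGISTRY"
    docker buildx build --push --platform "$IMAGE_BUILD_PLATFORMS" --tag "$IMAGE_REGISTRY/$DOCKER_HUB_USERNAME/$IMAGE_NAME:$IMAGE_VERSION" --file "$IMAGE_BUILD_DOCKERFILE" "$IMAGE_BUILD_CONTEXT"
    # … unchanged: quay.io login and build, using "$REDHAT_QUAY_USERNAME" / "$REDHAT_QUAY_PASSWORD" the same way …
```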

72
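--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,72 @@
+FROM alpine:3 AS build
+ARG VERSION="1.19.6"
+ARG CHECKSUM="b11195a02b1d3285ddf2987e02c6b6d28df41bb1b1dd25f33542848ef4fc33b5"
+ARG OPENSSL_VERSION="1.1.1i"
+ARG OPENSSL_CHECKSUM="e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
+ARG PCRE_VERSION="8.44"
+ARG PCRE_CHECKSUM="aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728"
+ARG ZLIB_VERSION="1.2.11"
+ARG ZLIB_CHECKSUM="c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1"
+ADD https://nginx.org/download/nginx-$VERSION.tar.gz /tmp/nginx.tar.gz
+ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz
+ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz
+ADD https://zlib.net/zlib-$ZLIB_VERSION.tar.gz /tmp/zlib.tar.gz
+RUN [ "$(sha256sum /tmp/openssl.tar.gz | awk '{print $1}')" = "$OPENSSL_CHECKSUM" ] && \
+[ "$(sha256sum /tmp/pcre.tar.gz | awk '{print $1}')" = "$PCRE_CHECKSUM" ] && \
+[ "$(sha256sum /tmp/zlib.tar.gz | awk '{print $1}')" = "$ZLIB_CHECKSUM" ] && \
+[ "$(sha256sum /tmp/nginx.tar.gz | awk '{print $1}')" = "$CHECKSUM" ] && \
+apk add ca-certificates g++ gcc linux-headers make perl && \
+tar -C /tmp -xf /tmp/openssl.tar.gz && \
+tar -C /tmp -xf /tmp/pcre.tar.gz && \
+tar -C /tmp -xf /tmp/zlib.tar.gz && \
+tar -C /tmp -xf /tmp/nginx.tar.gz && \
+cd /tmp/nginx-$VERSION && \
+./configure \
+--with-cc-opt='-static' \
+--with-ld-opt='-static' \
+--sbin-path=/nginx \
+--conf-path=/etc/nginx/nginx.conf \
+--pid-path=/tmp/nginx.pid \
+--http-log-path=/dev/stdout \
+--error-log-path=/dev/stderr \
+--http-client-body-temp-path=/tmp/client_temp \
+--http-proxy-temp-path=/tmp/proxy_temp \
+--http-fastcgi-temp-path=/tmp/fastcgi_temp \
+--http-uwsgi-temp-path=/tmp/uwsgi_temp \
+--http-scgi-temp-path=/tmp/scgi_temp \
+--with-openssl=/tmp/openssl-$OPENSSL_VERSION \
+--with-pcre=/tmp/pcre-$PCRE_VERSION \
+--with-zlib=/tmp/zlib-$ZLIB_VERSION \
+--with-file-aio \
+--with-http_v2_module \
+--with-http_ssl_module \
+--with-http_stub_status_module \
+--with-stream \
+--with-stream_ssl_module \
+--with-threads && \
+make
+RUN mkdir -p /rootfs/bin && \
+cp /tmp/nginx-$VERSION/objs/nginx /rootfs/bin/ && \
+mkdir -p /rootfs/etc && \
+echo "nogroup:*:10000:nobody" > /rootfs/etc/group && \
+echo "nobody:*:10000:10000:::" > /rootfs/etc/passwd && \
+mkdir -p /rootfs/etc/nginx && \
+mkdir -p /rootfs/etc/ssl/certs && \
+cp /etc/ssl/certs/ca-certificates.crt /rootfs/etc/ssl/certs/ && \
+mkdir -p /rootfs/tmp
+FROM scratch
+COPY --from=build --chown=10000:10000 /rootfs /
+USER 10000:10000
+ENTRYPOINT ["/bin/nginx"]
+CMD ["-g", "daemon off;"]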
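Review bot: The final stage runs as `USER 10000:10000`, ships an empty `/etc/nginx` (only `mkdir -p /rootfs/etc/nginx`, no `nginx.conf`) and declares no `EXPOSE`, so a mounted config that listens on 80 or 443 fails to bind on runtimes that do not let unprivileged processes use low ports, and nothing in the file tells the operator this. A comment beside `USER 10000:10000` such as `# unprivileged UID: mount nginx.conf at /etc/nginx/nginx.conf and listen on ports >= 1024 unless the runtime permits low ports for non-root` plus an `EXPOSE` line for the intended port would document the contract. The build is otherwise well guarded (every tarball is compared against its `*_CHECKSUM` before extraction), but `FROM alpine:3` floats on the minor version and `apk add ca-certificates g++ gcc linux-headers make perl` pins nothing, so under the weekly scheduled rebuild two images tagged `1.19.6` can be built with different toolchains; pinning the base to a specific `alpine:3.x` tag or digest and the apk versions would make that tag reproducible. The `--pid-path=/tmp/nginx.pid` and `/tmp/*_temp` paths all land in the `/rootfs/tmp` directory the non-root user owns, which is the right choice for a non-root `scratch` image and worth a one-line comment so it is not "cleaned up" later.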


@ -1,80 +0,0 @@
FROM debian:10 AS build
ARG PCRE_VERSION="8.44"
ARG PCRE_CHECKSUM="aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728"
ARG ZLIB_VERSION="1.2.11"
ARG ZLIB_CHECKSUM="c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1"
ARG OPENSSL_VERSION="1.1.1g"
ARG OPENSSL_CHECKSUM="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
ARG VERSION="1.19.3"
ARG CHECKSUM="91e5b74fa17879d2463294e93ad8f6ffc066696ae32ad0478ffe15ba0e9e8df0"
ARG CONFIG="\
--with-cc-opt='-fstack-protector-all' \
--with-ld-opt='-Wl,-z,relro,-z,now' \
--sbin-path=/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/tmp/nginx.pid \
--http-log-path=/dev/stdout \
--error-log-path=/dev/stderr \
--http-client-body-temp-path=/tmp/client_temp \
--http-proxy-temp-path=/tmp/proxy_temp \
--http-fastcgi-temp-path=/tmp/fastcgi_temp \
--http-uwsgi-temp-path=/tmp/uwsgi_temp \
--http-scgi-temp-path=/tmp/scgi_temp \
--with-pcre=/tmp/pcre-$PCRE_VERSION \
--with-openssl=/tmp/openssl-$OPENSSL_VERSION \
--with-zlib=/tmp/zlib-$ZLIB_VERSION \
--with-file-aio \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-stream \
--with-stream_ssl_module \
--with-threads"
ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz
ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz
ADD https://zlib.net/zlib-$ZLIB_VERSION.tar.gz /tmp/zlib.tar.gz
ADD https://nginx.org/download/nginx-$VERSION.tar.gz /tmp/nginx.tar.gz
RUN [ "$PCRE_CHECKSUM" = "$(sha256sum /tmp/pcre.tar.gz | awk '{print $1}')" ] && \
[ "$ZLIB_CHECKSUM" = "$(sha256sum /tmp/zlib.tar.gz | awk '{print $1}')" ] && \
[ "$OPENSSL_CHECKSUM" = "$(sha256sum /tmp/openssl.tar.gz | awk '{print $1}')" ] && \
[ "$CHECKSUM" = "$(sha256sum /tmp/nginx.tar.gz | awk '{print $1}')" ] && \
tar -C /tmp -xf /tmp/pcre.tar.gz && \
tar -C /tmp -xf /tmp/zlib.tar.gz && \
tar -C /tmp -xf /tmp/openssl.tar.gz && \
tar -C /tmp -xf /tmp/nginx.tar.gz && \
apt update && \
apt install -y gcc g++ perl make ca-certificates && \
cd /tmp/nginx-$VERSION && \
./configure $CONFIG && \
make
RUN mkdir -p /rootfs/etc/ssl/certs /rootfs/lib/x86_64-linux-gnu /rootfs/lib64 /rootfs/tmp && \
cp /tmp/nginx-$VERSION/objs/nginx /rootfs/ && \
cp \
/lib/x86_64-linux-gnu/libc.so.6 \
/lib/x86_64-linux-gnu/libcrypt.so.1 \
/lib/x86_64-linux-gnu/libdl.so.2 \
/lib/x86_64-linux-gnu/libnss_files.so.2 \
/lib/x86_64-linux-gnu/libnss_dns.so.2 \
/lib/x86_64-linux-gnu/libpthread.so.0 \
/lib/x86_64-linux-gnu/libresolv.so.2 \
/rootfs/lib/x86_64-linux-gnu/ && \
cp /lib64/ld-linux-x86-64.so.2 /rootfs/lib64/ && \
echo "nogroup:*:100:nobody" > /rootfs/etc/group && \
echo "nobody:*:100:100:::" > /rootfs/etc/passwd && \
cp /etc/ssl/certs/ca-certificates.crt /rootfs/etc/ssl/certs/
FROM scratch
COPY --from=build --chown=100:100 /rootfs /
USER 100:100
ENTRYPOINT ["/nginx"]
CMD ["-g", "daemon off;"]


@ -1,69 +0,0 @@
FROM alpine:3 AS build
ARG PCRE_VERSION="8.44"
ARG PCRE_CHECKSUM="aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728"
ARG ZLIB_VERSION="1.2.11"
ARG ZLIB_CHECKSUM="c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1"
ARG OPENSSL_VERSION="1.1.1g"
ARG OPENSSL_CHECKSUM="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
ARG VERSION="1.19.3"
ARG CHECKSUM="91e5b74fa17879d2463294e93ad8f6ffc066696ae32ad0478ffe15ba0e9e8df0"
ARG CONFIG="\
--with-cc-opt='-static' \
--with-ld-opt='-static' \
--sbin-path=/nginx \
--conf-path=/etc/nginx/nginx.conf \
--pid-path=/tmp/nginx.pid \
--http-log-path=/dev/stdout \
--error-log-path=/dev/stderr \
--http-client-body-temp-path=/tmp/client_temp \
--http-proxy-temp-path=/tmp/proxy_temp \
--http-fastcgi-temp-path=/tmp/fastcgi_temp \
--http-uwsgi-temp-path=/tmp/uwsgi_temp \
--http-scgi-temp-path=/tmp/scgi_temp \
--with-pcre=/tmp/pcre-$PCRE_VERSION \
--with-openssl=/tmp/openssl-$OPENSSL_VERSION \
--with-zlib=/tmp/zlib-$ZLIB_VERSION \
--with-file-aio \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-stream \
--with-stream_ssl_module \
--with-threads"
ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz
ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz
ADD https://zlib.net/zlib-$ZLIB_VERSION.tar.gz /tmp/zlib.tar.gz
ADD https://nginx.org/download/nginx-$VERSION.tar.gz /tmp/nginx.tar.gz
RUN [ "$PCRE_CHECKSUM" = "$(sha256sum /tmp/pcre.tar.gz | awk '{print $1}')" ] && \
[ "$ZLIB_CHECKSUM" = "$(sha256sum /tmp/zlib.tar.gz | awk '{print $1}')" ] && \
[ "$OPENSSL_CHECKSUM" = "$(sha256sum /tmp/openssl.tar.gz | awk '{print $1}')" ] && \
[ "$CHECKSUM" = "$(sha256sum /tmp/nginx.tar.gz | awk '{print $1}')" ] && \
tar -C /tmp -xf /tmp/pcre.tar.gz && \
tar -C /tmp -xf /tmp/zlib.tar.gz && \
tar -C /tmp -xf /tmp/openssl.tar.gz && \
tar -C /tmp -xf /tmp/nginx.tar.gz && \
apk add gcc g++ perl make linux-headers ca-certificates && \
cd /tmp/nginx-$VERSION && \
./configure $CONFIG && \
make
RUN mkdir -p /rootfs/etc/ssl/certs /rootfs/tmp && \
cp /tmp/nginx-$VERSION/objs/nginx /rootfs/ && \
echo "nogroup:*:100:nobody" > /rootfs/etc/group && \
echo "nobody:*:100:100:::" > /rootfs/etc/passwd && \
cp /etc/ssl/certs/ca-certificates.crt /rootfs/etc/ssl/certs/
FROM scratch
COPY --from=build --chown=100:100 /rootfs /
USER 100:100
ENTRYPOINT ["/nginx"]
CMD ["-g", "daemon off;"]


@ -1,6 +1,6 @@
MIT License
Copyright (c) 2020 Ricard Bejarano
Copyright (c) 2021 Ricard Bejarano
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal


@ -1,34 +1,39 @@
<p align="center"><img src="https://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/320/apple/155/gear_2699.png" width="120px"></p>
<h1 align="center">nginx (container image)</h1>
<p align="center">Built-from-source container image of the <a href="https://nginx.org/">NGINX HTTP server</a></p>
<p align="center">Built-from-source container image of the <a href="https://nginx.org/">NGINX</a> HTTP server</p>
## Tags
### Docker Hub
Available on [Docker Hub](https://hub.docker.com) as [`ricardbejarano/nginx`](https://hub.docker.com/r/ricardbejarano/nginx):
Available on Docker Hub as [`docker.io/ricardbejarano/nginx`](https://hub.docker.com/r/ricardbejarano/nginx):
- [`1.19.3-glibc`, `1.19.3`, `glibc`, `master`, `latest` *(Dockerfile.glibc)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.glibc) (about `14MB`)
- [`1.19.3-musl`, `musl` *(Dockerfile.musl)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.musl) (about `12.3MB`)
- [`1.19.6`, `latest` *(Dockerfile)*](Dockerfile)
### Quay
### RedHat Quay
Available on [Quay](https://quay.io) as:
Available on RedHat Quay as [`quay.io/ricardbejarano/nginx`](https://quay.io/repository/ricardbejarano/nginx):
- [`quay.io/ricardbejarano/nginx`](https://quay.io/repository/ricardbejarano/nginx), [`quay.io/ricardbejarano/nginx-glibc`](https://quay.io/repository/ricardbejarano/nginx-glibc), tags: [`1.19.3`, `master`, `latest` *(Dockerfile.glibc)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.glibc) (about `14MB`)
- [`quay.io/ricardbejarano/nginx-musl`](https://quay.io/repository/ricardbejarano/nginx-musl), tags: [`1.19.3`, `master`, `latest` *(Dockerfile.musl)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.musl) (about `12.3MB`)
- [`1.19.6`, `latest` *(Dockerfile)*](Dockerfile)
## Features
* Super tiny (see [Tags](#tags))
* Compiled from source (with binary exploit mitigations) during build time
* Built `FROM scratch`, with zero bloat (see [Filesystem](#filesystem))
* Compiled from source during build time
* Built `FROM scratch`, with zero bloat
* Statically linked to the [`musl`](https://musl.libc.org/) implementation of the C standard library
* Reduced attack surface (no shell, no UNIX tools, no package manager...)
* Runs as unprivileged (non-`root`) user
## Building
```bash
docker build --tag ricardbejarano/nginx --file Dockerfile .
```
## Configuration
### Volumes
@ -36,58 +41,6 @@ Available on [Quay](https://quay.io) as:
- Mount your **configuration** at `/etc/nginx/nginx.conf`.
## Building
- To build the `glibc`-based image: `$ docker build -t nginx:glibc -f Dockerfile.glibc .`
- To build the `musl`-based image: `$ docker build -t nginx:musl -f Dockerfile.musl .`
## Filesystem
### `glibc`
Based on the [glibc](https://www.gnu.org/software/libc/) implementation of `libc`. Dynamically linked.
```
/
├── etc/
│ ├── group
│ ├── passwd
│ └── ssl/
│ └── certs/
│ └── ca-certificates.crt
├── lib/
│ └── x86_64-linux-gnu/
│ ├── libc.so.6
│ ├── libcrypt.so.1
│ ├── libdl.so.2
│ ├── libnss_dns.so.2
│ ├── libnss_files.so.2
│ ├── libpthread.so.0
│ └── libresolv.so.2
├── lib64/
│ └── ld-linux-x86-64.so.2
├── nginx
└── tmp/
```
### `musl`
Based on the [musl](https://www.musl-libc.org/) implementation of `libc`. Statically linked.
```
/
├── etc/
│ ├── group
│ ├── passwd
│ └── ssl/
│ └── certs/
│ └── ca-certificates.crt
├── nginx
└── tmp/
```
## License
See [LICENSE](https://github.com/ricardbejarano/nginx/blob/master/LICENSE).
MIT licensed, see [LICENSE](LICENSE) for more details.