From 6b7bf2c2bff2e17b7a3dd63bf22274b986a6d0a1 Mon Sep 17 00:00:00 2001 From: Ricard Bejarano Date: Sun, 24 Jan 2021 18:53:30 +0100 Subject: [PATCH] ricardbejarano's Jan. 2020 Docker image rework --- .github/workflows/docker-build.yaml | 38 ++++++++++++++ Dockerfile | 72 +++++++++++++++++++++++++ Dockerfile.glibc | 80 ---------------------------- Dockerfile.musl | 69 ------------------------ LICENSE | 2 +- README.md | 81 ++++++----------------------- 6 files changed, 128 insertions(+), 214 deletions(-) create mode 100644 .github/workflows/docker-build.yaml create mode 100644 Dockerfile delete mode 100644 Dockerfile.glibc delete mode 100644 Dockerfile.musl diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml new file mode 100644 index 0000000..28d5882 --- /dev/null +++ b/.github/workflows/docker-build.yaml 
@@ -0,0 +1,38 @@
+name: "Build and push Docker image"
+
+
+on:
+ push:
+ branches: ["*"]
+ tags: ["*"]
+ schedule:
+ - cron: "0 0 * * 0"
+
+
+jobs:
+
+ main:
+ runs-on: "ubuntu-20.04"
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v2"
+ - name: "Prepare build environment; build; push to Docker Hub, RedHat Quay"
+ run: |
+ IMAGE_BUILD_CONTEXT='.'
+ IMAGE_BUILD_DOCKERFILE='Dockerfile'
+ IMAGE_BUILD_PLATFORMS='linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le'
+
+ IMAGE_NAME="$(echo '${{ github.repository }}' | sed 's,.*/,,g' | tr '[A-Z]' '[a-z]')"
+ IMAGE_VERSION="$(echo '${{ github.ref }}' | sed -e 's,.*/\(.*\),\1,')"
+ [ "$IMAGE_VERSION" == 'master' ] && IMAGE_VERSION='latest'
+ [ "$IMAGE_VERSION" == 'main' ] && IMAGE_VERSION='latest'
+
+ docker buildx create --use
+
+ IMAGE_REGISTRY='docker.io'
+ echo '${{ secrets.DOCKER_HUB_PASSWORD }}' | docker login --username '${{ secrets.DOCKER_HUB_USERNAME }}' --password-stdin "$IMAGE_REGISTRY"
+ docker buildx build --push --platform "$IMAGE_BUILD_PLATFORMS" --tag "$IMAGE_REGISTRY/${{ secrets.DOCKER_HUB_USERNAME }}/$IMAGE_NAME:$IMAGE_VERSION" --file "$IMAGE_BUILD_DOCKERFILE" "$IMAGE_BUILD_CONTEXT"
+
+ IMAGE_REGISTRY='quay.io'
+ echo '${{ secrets.REDHAT_QUAY_PASSWORD }}' | docker login --username '${{ secrets.REDHAT_QUAY_USERNAME }}' --password-stdin "$IMAGE_REGISTRY"
+ docker buildx build --push --platform "$IMAGE_BUILD_PLATFORMS" --tag "$IMAGE_REGISTRY/${{ secrets.REDHAT_QUAY_USERNAME }}/$IMAGE_NAME:$IMAGE_VERSION" --file "$IMAGE_BUILD_DOCKERFILE" "$IMAGE_BUILD_CONTEXT"
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..1b5b115
--- /dev/null
+++ b/Dockerfile
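Review bot: The `run:` step expands `${{ github.ref }}`, `${{ github.repository }}` and the four registry secrets textually into the shell script before it runs, so a ref name (or a password) containing a single quote closes the `'…'` literal and the remainder executes as shell, and the `--tag` arguments embed the usernames the same way. Pass the values through `env:` and read them as double-quoted shell variables instead; `GITHUB_REF` and `GITHUB_REPOSITORY` are already provided by the runner, so only the secrets need mapping. While here, `actions/checkout@v2` is a floating tag, and with the weekly `schedule:` rebuild a changed action would be picked up unattended — pinning it to a full commit SHA closes that. The diff below shows the docker.io half; the quay.io lines change identically with the `REDHAT_QUAY_*` variables.
```yaml
      - name: "Prepare build environment; build; push to Docker Hub, RedHat Quay"
        env:
          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
          DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
          REDHAT_QUAY_USERNAME: ${{ secrets.REDHAT_QUAY_USERNAME }}
          REDHAT_QUAY_PASSWORD: ${{ secrets.REDHAT_QUAY_PASSWORD }}
        run: |
          # … unchanged: IMAGE_BUILD_* variables …
          IMAGE_NAME="$(echo "$GITHUB_REPOSITORY" | sed 's,.*/,,g' | tr '[A-Z]' '[a-z]')"
          IMAGE_VERSION="$(echo "$GITHUB_REF" | sed -e 's,.*/\(.*\),\1,')"
          # … unchanged: master/main -> latest, docker buildx create --use …
          IMAGE_REGISTRY='docker.io'
          printf '%s' "$DOCKER_HUB_PASSWORD" | docker login --username "$DOCKER_HUB_USERNAME" --password-stdin "$IMAGE_REGISTRY"
          docker buildx build --push --platform "$IMAGE_BUILD_PLATFORMS" --tag "$IMAGE_REGISTRY/$DOCKER_HUB_USERNAME/$IMAGE_NAME:$IMAGE_VERSION" --file "$IMAGE_BUILD_DOCKERFILE" "$IMAGE_BUILD_CONTEXT"
          # … unchanged: same two lines for quay.io using REDHAT_QUAY_USERNAME / REDHAT_QUAY_PASSWORD …
```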
@@ -0,0 +1,72 @@
+FROM alpine:3 AS build
+
+ARG VERSION="1.19.6"
+ARG CHECKSUM="b11195a02b1d3285ddf2987e02c6b6d28df41bb1b1dd25f33542848ef4fc33b5"
+
+ARG OPENSSL_VERSION="1.1.1i"
+ARG OPENSSL_CHECKSUM="e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
+
+ARG PCRE_VERSION="8.44"
+ARG PCRE_CHECKSUM="aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728"
+
+ARG ZLIB_VERSION="1.2.11"
+ARG ZLIB_CHECKSUM="c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1"
+
+ADD https://nginx.org/download/nginx-$VERSION.tar.gz /tmp/nginx.tar.gz
+ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz
+ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz
+ADD https://zlib.net/zlib-$ZLIB_VERSION.tar.gz /tmp/zlib.tar.gz
+
+RUN [ "$(sha256sum /tmp/openssl.tar.gz | awk '{print $1}')" = "$OPENSSL_CHECKSUM" ] && \
+ [ "$(sha256sum /tmp/pcre.tar.gz | awk '{print $1}')" = "$PCRE_CHECKSUM" ] && \
+ [ "$(sha256sum /tmp/zlib.tar.gz | awk '{print $1}')" = "$ZLIB_CHECKSUM" ] && \
+ [ "$(sha256sum /tmp/nginx.tar.gz | awk '{print $1}')" = "$CHECKSUM" ] && \
+ apk add ca-certificates g++ gcc linux-headers make perl && \
+ tar -C /tmp -xf /tmp/openssl.tar.gz && \
+ tar -C /tmp -xf /tmp/pcre.tar.gz && \
+ tar -C /tmp -xf /tmp/zlib.tar.gz && \
+ tar -C /tmp -xf /tmp/nginx.tar.gz && \
+ cd /tmp/nginx-$VERSION && \
+ ./configure \
+ --with-cc-opt='-static' \
+ --with-ld-opt='-static' \
+ --sbin-path=/nginx \
+ --conf-path=/etc/nginx/nginx.conf \
+ --pid-path=/tmp/nginx.pid \
+ --http-log-path=/dev/stdout \
+ --error-log-path=/dev/stderr \
+ --http-client-body-temp-path=/tmp/client_temp \
+ --http-proxy-temp-path=/tmp/proxy_temp \
+ --http-fastcgi-temp-path=/tmp/fastcgi_temp \
+ --http-uwsgi-temp-path=/tmp/uwsgi_temp \
+ --http-scgi-temp-path=/tmp/scgi_temp \
+ --with-openssl=/tmp/openssl-$OPENSSL_VERSION \
+ --with-pcre=/tmp/pcre-$PCRE_VERSION \
+ --with-zlib=/tmp/zlib-$ZLIB_VERSION \
+ --with-file-aio \
+ --with-http_v2_module \
+ --with-http_ssl_module \
+ --with-http_stub_status_module \
+ --with-stream \
+ --with-stream_ssl_module \
+ --with-threads && \
+ make
+
+RUN mkdir -p /rootfs/bin && \
+ cp /tmp/nginx-$VERSION/objs/nginx /rootfs/bin/ && \
+ mkdir -p /rootfs/etc && \
+ echo "nogroup:*:10000:nobody" > /rootfs/etc/group && \
+ echo "nobody:*:10000:10000:::" > /rootfs/etc/passwd && \
+ mkdir -p /rootfs/etc/nginx && \
+ mkdir -p /rootfs/etc/ssl/certs && \
+ cp /etc/ssl/certs/ca-certificates.crt /rootfs/etc/ssl/certs/ && \
+ mkdir -p /rootfs/tmp
+
+
+FROM scratch
+
+COPY --from=build --chown=10000:10000 /rootfs /
+
+USER 10000:10000
+ENTRYPOINT ["/bin/nginx"]
+CMD ["-g", "daemon off;"]
diff --git a/Dockerfile.glibc b/Dockerfile.glibc
deleted file mode 100644
index 9f72d05..0000000
--- a/Dockerfile.glibc
+++ /dev/null
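Review bot: The new `./configure` call passes only `--with-cc-opt='-static'` and `--with-ld-opt='-static'`, dropping the `-fstack-protector-all` and `-Wl,-z,relro,-z,now` flags that the deleted `Dockerfile.glibc` used, and plain `gcc -static` also produces a non-PIE executable, so the published nginx binary loses ASLR and — unless the Alpine toolchain's defaults add them — stack canaries; the README hunk acknowledges this by deleting "with binary exploit mitigations". Carrying the flags over is two lines, `--with-cc-opt='-static -fstack-protector-strong' \` and `--with-ld-opt='-static -Wl,-z,relro,-z,now' \`, and replacing `-static` with `-static-pie` would restore ASLR if the musl toolchain in the current `alpine:3` image supports it, which is worth confirming in the build. Separately, `FROM alpine:3` plus the unpinned `apk add ca-certificates g++ gcc linux-headers make perl` means the weekly scheduled rebuild compiles with whatever toolchain Alpine ships that week, even though every source tarball is checksum-pinned; pinning the base by digest would make the image reproducible end to end. The `ENTRYPOINT ["/bin/nginx"]` also disagrees with `--sbin-path=/nginx`, which is harmless because the binary is copied to `/rootfs/bin/`, but one of the two should probably change for clarity.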
@@ -1,80 +0,0 @@ -FROM debian:10 AS build - -ARG PCRE_VERSION="8.44" -ARG PCRE_CHECKSUM="aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728" - -ARG ZLIB_VERSION="1.2.11" -ARG ZLIB_CHECKSUM="c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1" - -ARG OPENSSL_VERSION="1.1.1g" -ARG OPENSSL_CHECKSUM="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46" - -ARG VERSION="1.19.3" -ARG CHECKSUM="91e5b74fa17879d2463294e93ad8f6ffc066696ae32ad0478ffe15ba0e9e8df0" -ARG CONFIG="\ - --with-cc-opt='-fstack-protector-all' \ - --with-ld-opt='-Wl,-z,relro,-z,now' \ - --sbin-path=/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --pid-path=/tmp/nginx.pid \ - --http-log-path=/dev/stdout \ - --error-log-path=/dev/stderr \ - --http-client-body-temp-path=/tmp/client_temp \ - --http-proxy-temp-path=/tmp/proxy_temp \ - --http-fastcgi-temp-path=/tmp/fastcgi_temp \ - --http-uwsgi-temp-path=/tmp/uwsgi_temp \ - --http-scgi-temp-path=/tmp/scgi_temp \ - --with-pcre=/tmp/pcre-$PCRE_VERSION \ - --with-openssl=/tmp/openssl-$OPENSSL_VERSION \ - --with-zlib=/tmp/zlib-$ZLIB_VERSION \ - --with-file-aio \ - --with-http_v2_module \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-threads" - -ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz -ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz -ADD https://zlib.net/zlib-$ZLIB_VERSION.tar.gz /tmp/zlib.tar.gz -ADD https://nginx.org/download/nginx-$VERSION.tar.gz /tmp/nginx.tar.gz - -RUN [ "$PCRE_CHECKSUM" = "$(sha256sum /tmp/pcre.tar.gz | awk '{print $1}')" ] && \ - [ "$ZLIB_CHECKSUM" = "$(sha256sum /tmp/zlib.tar.gz | awk '{print $1}')" ] && \ - [ "$OPENSSL_CHECKSUM" = "$(sha256sum /tmp/openssl.tar.gz | awk '{print $1}')" ] && \ - [ "$CHECKSUM" = "$(sha256sum /tmp/nginx.tar.gz | awk '{print $1}')" ] && \ - tar -C /tmp -xf /tmp/pcre.tar.gz && \ - tar -C /tmp -xf /tmp/zlib.tar.gz && \ - tar -C 
/tmp -xf /tmp/openssl.tar.gz && \ - tar -C /tmp -xf /tmp/nginx.tar.gz && \ - apt update && \ - apt install -y gcc g++ perl make ca-certificates && \ - cd /tmp/nginx-$VERSION && \ - ./configure $CONFIG && \ - make - -RUN mkdir -p /rootfs/etc/ssl/certs /rootfs/lib/x86_64-linux-gnu /rootfs/lib64 /rootfs/tmp && \ - cp /tmp/nginx-$VERSION/objs/nginx /rootfs/ && \ - cp \ - /lib/x86_64-linux-gnu/libc.so.6 \ - /lib/x86_64-linux-gnu/libcrypt.so.1 \ - /lib/x86_64-linux-gnu/libdl.so.2 \ - /lib/x86_64-linux-gnu/libnss_files.so.2 \ - /lib/x86_64-linux-gnu/libnss_dns.so.2 \ - /lib/x86_64-linux-gnu/libpthread.so.0 \ - /lib/x86_64-linux-gnu/libresolv.so.2 \ - /rootfs/lib/x86_64-linux-gnu/ && \ - cp /lib64/ld-linux-x86-64.so.2 /rootfs/lib64/ && \ - echo "nogroup:*:100:nobody" > /rootfs/etc/group && \ - echo "nobody:*:100:100:::" > /rootfs/etc/passwd && \ - cp /etc/ssl/certs/ca-certificates.crt /rootfs/etc/ssl/certs/ - - -FROM scratch - -COPY --from=build --chown=100:100 /rootfs / - -USER 100:100 -ENTRYPOINT ["/nginx"] -CMD ["-g", "daemon off;"] diff --git a/Dockerfile.musl b/Dockerfile.musl deleted file mode 100644 index 4f730b4..0000000 --- a/Dockerfile.musl +++ /dev/null 
@@ -1,69 +0,0 @@ -FROM alpine:3 AS build - -ARG PCRE_VERSION="8.44" -ARG PCRE_CHECKSUM="aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728" - -ARG ZLIB_VERSION="1.2.11" -ARG ZLIB_CHECKSUM="c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1" - -ARG OPENSSL_VERSION="1.1.1g" -ARG OPENSSL_CHECKSUM="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46" - -ARG VERSION="1.19.3" -ARG CHECKSUM="91e5b74fa17879d2463294e93ad8f6ffc066696ae32ad0478ffe15ba0e9e8df0" -ARG CONFIG="\ - --with-cc-opt='-static' \ - --with-ld-opt='-static' \ - --sbin-path=/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --pid-path=/tmp/nginx.pid \ - --http-log-path=/dev/stdout \ - --error-log-path=/dev/stderr \ - --http-client-body-temp-path=/tmp/client_temp \ - --http-proxy-temp-path=/tmp/proxy_temp \ - --http-fastcgi-temp-path=/tmp/fastcgi_temp \ - --http-uwsgi-temp-path=/tmp/uwsgi_temp \ - --http-scgi-temp-path=/tmp/scgi_temp \ - --with-pcre=/tmp/pcre-$PCRE_VERSION \ - --with-openssl=/tmp/openssl-$OPENSSL_VERSION \ - --with-zlib=/tmp/zlib-$ZLIB_VERSION \ - --with-file-aio \ - --with-http_v2_module \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-threads" - -ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz -ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz -ADD https://zlib.net/zlib-$ZLIB_VERSION.tar.gz /tmp/zlib.tar.gz -ADD https://nginx.org/download/nginx-$VERSION.tar.gz /tmp/nginx.tar.gz - -RUN [ "$PCRE_CHECKSUM" = "$(sha256sum /tmp/pcre.tar.gz | awk '{print $1}')" ] && \ - [ "$ZLIB_CHECKSUM" = "$(sha256sum /tmp/zlib.tar.gz | awk '{print $1}')" ] && \ - [ "$OPENSSL_CHECKSUM" = "$(sha256sum /tmp/openssl.tar.gz | awk '{print $1}')" ] && \ - [ "$CHECKSUM" = "$(sha256sum /tmp/nginx.tar.gz | awk '{print $1}')" ] && \ - tar -C /tmp -xf /tmp/pcre.tar.gz && \ - tar -C /tmp -xf /tmp/zlib.tar.gz && \ - tar -C /tmp -xf 
/tmp/openssl.tar.gz && \ - tar -C /tmp -xf /tmp/nginx.tar.gz && \ - apk add gcc g++ perl make linux-headers ca-certificates && \ - cd /tmp/nginx-$VERSION && \ - ./configure $CONFIG && \ - make - -RUN mkdir -p /rootfs/etc/ssl/certs /rootfs/tmp && \ - cp /tmp/nginx-$VERSION/objs/nginx /rootfs/ && \ - echo "nogroup:*:100:nobody" > /rootfs/etc/group && \ - echo "nobody:*:100:100:::" > /rootfs/etc/passwd && \ - cp /etc/ssl/certs/ca-certificates.crt /rootfs/etc/ssl/certs/ - - -FROM scratch - -COPY --from=build --chown=100:100 /rootfs / - -USER 100:100 -ENTRYPOINT ["/nginx"] -CMD ["-g", "daemon off;"] diff --git a/LICENSE b/LICENSE index 2f09cf0..2f8be77 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2020 Ricard Bejarano +Copyright (c) 2021 Ricard Bejarano Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index f2e2116..bc9d0f8 100644 --- a/README.md +++ b/README.md @@ -1,34 +1,39 @@

nginx (container image)

-

Built-from-source container image of the NGINX HTTP server

+

Built-from-source container image of the NGINX HTTP server

## Tags ### Docker Hub -Available on [Docker Hub](https://hub.docker.com) as [`ricardbejarano/nginx`](https://hub.docker.com/r/ricardbejarano/nginx): +Available on Docker Hub as [`docker.io/ricardbejarano/nginx`](https://hub.docker.com/r/ricardbejarano/nginx): -- [`1.19.3-glibc`, `1.19.3`, `glibc`, `master`, `latest` *(Dockerfile.glibc)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.glibc) (about `14MB`) -- [`1.19.3-musl`, `musl` *(Dockerfile.musl)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.musl) (about `12.3MB`) +- [`1.19.6`, `latest` *(Dockerfile)*](Dockerfile) -### Quay +### RedHat Quay -Available on [Quay](https://quay.io) as: +Available on RedHat Quay as [`quay.io/ricardbejarano/nginx`](https://quay.io/repository/ricardbejarano/nginx): -- [`quay.io/ricardbejarano/nginx`](https://quay.io/repository/ricardbejarano/nginx), [`quay.io/ricardbejarano/nginx-glibc`](https://quay.io/repository/ricardbejarano/nginx-glibc), tags: [`1.19.3`, `master`, `latest` *(Dockerfile.glibc)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.glibc) (about `14MB`) -- [`quay.io/ricardbejarano/nginx-musl`](https://quay.io/repository/ricardbejarano/nginx-musl), tags: [`1.19.3`, `master`, `latest` *(Dockerfile.musl)*](https://github.com/ricardbejarano/nginx/blob/master/Dockerfile.musl) (about `12.3MB`) +- [`1.19.6`, `latest` *(Dockerfile)*](Dockerfile) ## Features -* Super tiny (see [Tags](#tags)) -* Compiled from source (with binary exploit mitigations) during build time -* Built `FROM scratch`, with zero bloat (see [Filesystem](#filesystem)) +* Compiled from source during build time +* Built `FROM scratch`, with zero bloat +* Statically linked to the [`musl`](https://musl.libc.org/) implementation of the C standard library * Reduced attack surface (no shell, no UNIX tools, no package manager...) * Runs as unprivileged (non-`root`) user +## Building + +```bash +docker build --tag ricardbejarano/nginx --file Dockerfile . 
+``` + + ## Configuration ### Volumes @@ -36,58 +41,6 @@ Available on [Quay](https://quay.io) as: - Mount your **configuration** at `/etc/nginx/nginx.conf`. -## Building - -- To build the `glibc`-based image: `$ docker build -t nginx:glibc -f Dockerfile.glibc .` -- To build the `musl`-based image: `$ docker build -t nginx:musl -f Dockerfile.musl .` - - -## Filesystem - -### `glibc` - -Based on the [glibc](https://www.gnu.org/software/libc/) implementation of `libc`. Dynamically linked. - -``` -/ -├── etc/ -│ ├── group -│ ├── passwd -│ └── ssl/ -│ └── certs/ -│ └── ca-certificates.crt -├── lib/ -│ └── x86_64-linux-gnu/ -│ ├── libc.so.6 -│ ├── libcrypt.so.1 -│ ├── libdl.so.2 -│ ├── libnss_dns.so.2 -│ ├── libnss_files.so.2 -│ ├── libpthread.so.0 -│ └── libresolv.so.2 -├── lib64/ -│ └── ld-linux-x86-64.so.2 -├── nginx -└── tmp/ -``` - -### `musl` - -Based on the [musl](https://www.musl-libc.org/) implementation of `libc`. Statically linked. - -``` -/ -├── etc/ -│ ├── group -│ ├── passwd -│ └── ssl/ -│ └── certs/ -│ └── ca-certificates.crt -├── nginx -└── tmp/ -``` - - ## License -See [LICENSE](https://github.com/ricardbejarano/nginx/blob/master/LICENSE). +MIT licensed, see [LICENSE](LICENSE) for more details.