From e683580863249ec9ebecbe17fbdbf2ce851109ed Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Wed, 17 Sep 2014 12:12:18 -0600
Subject: [PATCH 1/4] Update "apt-key" usage to verify the fingerprint

This adds a little extra verification to make the build fail outright if the build server has been the subject of a MITM attack.
---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c3e9e475..73cabd89 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,8 +2,7 @@ FROM debian:wheezy
 MAINTAINER NGINX Docker Maintainers "docker-maint@nginx.com"
-RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y -q wget
-RUN wget -q -O - http://nginx.org/keys/nginx_signing.key | apt-key add -
+RUN apt-key adv --keyserver pgp.mit.edu --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
 RUN echo "deb http://nginx.org/packages/mainline/debian/ wheezy nginx" >> /etc/apt/sources.list
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx

From 27ced274faab6d289e0e32d865734ac555e69cd5 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Wed, 17 Sep 2014 12:14:40 -0600
Subject: [PATCH 2/4] Use same symlink logic for stderr as stdout

This simplifies the default command by taking advantage of the default configuration just like the precedent set for access.log.
---
 Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 73cabd89..acd38be8 100644
--- a/Dockerfile
+++ b/Dockerfile
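Review bot: The new `RUN apt-key adv --keyserver pgp.mit.edu --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` line pins the full 40-hex fingerprint, but nothing in the Dockerfile says why, and the MITM resistance the commit describes rests entirely on gpg refusing a returned key whose fingerprint differs from the one requested; a later edit that shortens it to a key ID would silently lose that property. Suggest the comment `# request by full fingerprint (not a short key ID) so a substituted or colliding key from the keyserver is rejected` above the RUN. The single HKP keyserver is also an availability dependency with no fallback, so a build failure here may be an outage rather than tampering and is worth a word in the same comment. The plain-HTTP `deb http://nginx.org/...` source on the context line below is acceptable only because apt verifies the repository signatures with this imported key, so the two lines are coupled.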
@@ -6,8 +6,9 @@ RUN apt-key adv --keyserver pgp.mit.edu --recv-keys 573BFD6B3D8FBC641079A6ABABF5
 RUN echo "deb http://nginx.org/packages/mainline/debian/ wheezy nginx" >> /etc/apt/sources.list
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx
-# forward request logs to docker log collector
+# forward request and error logs to docker log collector
 RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
 # be backwards compatible with pre-official images
 RUN ln -sf ../share/nginx /usr/local/nginx
@@ -17,4 +18,4 @@ VOLUME ["/etc/nginx"]
 EXPOSE 80 443
-CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf", "-g", "daemon off; error_log /dev/stderr warn;"]
+CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf", "-g", "daemon off;"]

From 305e28676377a334f0e462ac16412c0d391eeec4 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Wed, 17 Sep 2014 12:37:03 -0600
Subject: [PATCH 3/4] Simplify default command via PATH and default conf

This makes it simpler for users to supply custom arguments at runtime, since they essentially have to duplicate this default command line to do so.
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index acd38be8..6890ce92 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,4 +18,4 @@ VOLUME ["/etc/nginx"]
 EXPOSE 80 443
-CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf", "-g", "daemon off;"]
+CMD ["nginx", "-g", "daemon off;"]

From d5b14ea77879ca2b07293eacd16bbc20a0aa79f0 Mon Sep 17 00:00:00 2001
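Review bot: `RUN ln -sf /dev/stderr /var/log/nginx/error.log` only captures errors if the packaged nginx.conf still points `error_log` at that path, and the second hunk of this patch drops the explicit `error_log /dev/stderr warn;` override from the CMD, so the effective log level is now whatever the default conf sets rather than a guaranteed `warn`; the commit message calls this "default configuration" but the Dockerfile does not record the dependency. Suggest extending the rewritten comment to `# forward request and error logs to docker log collector (relies on the default conf's access_log/error_log paths)`. Since `/etc/nginx` is declared as a `VOLUME` in the later hunk, a user-mounted config that logs elsewhere bypasses both symlinks, which is worth one more clause in that comment so operators know where to look when errors stop appearing on stderr.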
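Review bot: `CMD ["nginx", "-g", "daemon off;"]` now depends on two implicit defaults that the Dockerfile does not state: the binary being resolved through the container's PATH at run time (presumably `/usr/sbin` on the wheezy base — confirm), and the package's compiled-in configuration path standing in for the removed `-c /etc/nginx/nginx.conf`. A comment above the CMD such as `# nginx.org packages install to /usr/sbin and default to /etc/nginx/nginx.conf, so no -c is needed` would keep the next maintainer from re-adding the full path "for safety" and would make the override story from the commit message visible in the file itself. The `-g "daemon off;"` part is still the only thing keeping nginx in the foreground as PID 1, so it should stay in any user-supplied override; that too deserves a word in the comment.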
From: Tianon Gravi
Date: Wed, 17 Sep 2014 12:18:21 -0600
Subject: [PATCH 4/4] Add explicit version pinning, for cache-busting

Because Docker uses the exact textual contents of the line for the purposes of the build cache, just doing `apt-get install -y nginx` would never actually update unless the base image itself updates. This `ENV XYZ_VERSION a.b.c` pattern is one we've had a lot of success with in other docker-library repos (see especially https://github.com/docker-library/postgres for a good example of how this allows us to magnify maintenance ability to span quite a few versions of PostgreSQL concurrently), and most importantly it creates an explicit, context-sensitive cache-bust right where it's needed.
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 6890ce92..6f051e43 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,10 @@ MAINTAINER NGINX Docker Maintainers "docker-maint@nginx.com"
 RUN apt-key adv --keyserver pgp.mit.edu --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
 RUN echo "deb http://nginx.org/packages/mainline/debian/ wheezy nginx" >> /etc/apt/sources.list
-RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx
+
+ENV NGINX_VERSION 1.7.5-1~wheezy
+
+RUN apt-get update && apt-get install -y nginx=${NGINX_VERSION}
 # forward request and error logs to docker log collector
 RUN ln -sf /dev/stdout /var/log/nginx/access.log
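Review bot: The rewritten `RUN apt-get update && apt-get install -y nginx=${NGINX_VERSION}` drops the `DEBIAN_FRONTEND=noninteractive` that the removed line set on both apt-get invocations, and the commit message only talks about version pinning; dropping it changes how debconf behaves for any package that prompts during install, so if it is intentional it deserves a sentence in the message, otherwise keep it inline: `RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx=${NGINX_VERSION}`. While the line is being touched, `--no-install-recommends` and a trailing `&& rm -rf /var/lib/apt/lists/*` in the same layer would keep the now-pinned install minimal and avoid baking the package index into the image. The legacy space-separated `ENV NGINX_VERSION 1.7.5-1~wheezy` form works on this era's builder, but current build checks flag it; `ENV NGINX_VERSION=1.7.5-1~wheezy` is equivalent where the builder supports it. Exposing the version as a runtime environment variable is presumably deliberate per the docker-library pattern cited in the message; a one-line comment saying so would stop a later cleanup from turning it into an `ARG`.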