14 changes: 14 additions & 0 deletions generate-stackbrew-library.sh
Expand Up @@ -96,4 +96,18 @@ for version in "${versions[@]}"; do
Directory: $version/$variant
EOE
done

for variant in openshift; do
commit="$(dirCommit "$version/$variant")"

variantAliases=( "${versionAliases[@]/%/-$variant}" )
variantAliases=( "${variantAliases[@]//latest-/}" )

echo
cat <<-EOE
Tags: $(join ', ' "${variantAliases[@]}")
GitCommit: $commit
Directory: $version/$variant
EOE
done
done
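
Review bot: the new `for variant in openshift` loop calls `dirCommit "$version/$variant"` for every entry in `versions` without checking that the directory exists, so a version added later without an openshift directory still gets a stanza built from whatever `dirCommit` returns for a missing path. Guard the loop body with a test such as `[ -f "$version/$variant/Dockerfile" ] || continue`. The stanza printed here has the same Tags/GitCommit/Directory fields as the block that ends just above it, so if the alias handling is the same, adding openshift to that loop's variant list would avoid a second copy of the heredoc.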
32 changes: 32 additions & 0 deletions mainline/openshift/Dockerfile
@@ -0,0 +1,32 @@
FROM docker.io/centos:7

ENV NGINX_VERSION 1.13.4-1.el7

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ADD nginx.repo /etc/yum.repos.d/nginx.repo

RUN curl -sO http://nginx.org/keys/nginx_signing.key && \
rpm --import ./nginx_signing.key && \
yum -y install --setopt=tsflags=nodocs nginx-${NGINX_VERSION}.ngx && \
rm -f ./nginx_signing.key && \
yum clean all

# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
ln -sf /dev/stderr /var/log/nginx/error.log && \
# Change pid file location & remove nginx user & change port to 8080
sed -i 's/\/var\/run\/nginx.pid/\/var\/cache\/nginx\/nginx.pid/g' /etc/nginx/nginx.conf && \
sed -i -e '/user/!b' -e '/nginx/!b' -e '/nginx/d' /etc/nginx/nginx.conf && \
sed -i -e '/listen/!b' -e '/80;/!b' -e 's/80;/8080;/' /etc/nginx/conf.d/default.conf && \

Member

This change should be documented as it's a big behaviour change from usual images.

# modify perms for non-root runtime
chown -R 998 /var/cache/nginx /etc/nginx && \

Member

No, that's bad - the files in /etc/nginx will be writable by the nginx user, which means that in case of a vulnerability an attacker could rewrite the configurations.

chmod -R g=u /var/cache/nginx /etc/nginx

Member

Why?

VOLUME ["/var/cache/nginx"]

EXPOSE 8080 8443

USER 998

Member

Where does the magic number 998 come from? Is it guaranteed to always be the same? Why not use "nginx", just like we add in the rpm post-scripts?


CMD ["nginx", "-g", "daemon off;"]
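
Review bot: in the first RUN step, `curl -sO http://nginx.org/keys/nginx_signing.key` fetches the package signing key over plain HTTP and `rpm --import` then trusts whatever arrived, so the `gpgcheck=1` in nginx.repo only proves that the packages match a key which anyone on the network path at build time could have replaced. Fetch the key over https and compare its fingerprint against a value pinned in the Dockerfile before importing it, or ADD the key from this repository next to nginx.repo. `curl -s` is also used without `-f`, so an HTTP error body is written to nginx_signing.key instead of the download step failing.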
5 changes: 5 additions & 0 deletions mainline/openshift/nginx.repo
@@ -0,0 +1,5 @@
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
enabled=1
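
Review bot: `baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/` pulls the repository metadata and the packages over plain HTTP. `gpgcheck=1` verifies package signatures but does not cover the metadata, so what the build sees as available is still under the control of anyone on the path. Use an https baseurl so the metadata is protected in transit as well.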
32 changes: 32 additions & 0 deletions stable/openshift/Dockerfile
@@ -0,0 +1,32 @@
FROM docker.io/centos:7

ENV NGINX_VERSION 1.12.1-1.el7

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ADD nginx.repo /etc/yum.repos.d/nginx.repo

RUN curl -sO http://nginx.org/keys/nginx_signing.key && \
rpm --import ./nginx_signing.key && \
yum -y install --setopt=tsflags=nodocs nginx-${NGINX_VERSION}.ngx && \
rm -f ./nginx_signing.key && \
yum clean all

# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
ln -sf /dev/stderr /var/log/nginx/error.log && \
# Change pid file location & remove nginx user & change port to 8080
sed -i 's/\/var\/run\/nginx.pid/\/var\/cache\/nginx\/nginx.pid/g' /etc/nginx/nginx.conf && \
sed -i -e '/user/!b' -e '/nginx/!b' -e '/nginx/d' /etc/nginx/nginx.conf && \
sed -i -e '/listen/!b' -e '/80;/!b' -e 's/80;/8080;/' /etc/nginx/conf.d/default.conf && \
# modify perms for non-root runtime
chown -R 998 /var/cache/nginx /etc/nginx && \
chmod -R g=u /var/cache/nginx /etc/nginx

VOLUME ["/var/cache/nginx"]

EXPOSE 8080 8443

USER 998

CMD ["nginx", "-g", "daemon off;"]
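
Review bot: the three `sed -i` edits in the second RUN step exit successfully even when they match nothing, so if a later package changes the wording of nginx.conf or default.conf the image builds with the pid path, the `user` line or port 80 left as they were, and the problem only shows up when the container starts as UID 998. Add a check after the edits, for example `grep -q '8080;' /etc/nginx/conf.d/default.conf`, so the build fails instead. `EXPOSE 8080 8443` also advertises 8443 although nothing in these lines configures a listener on that port.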
5 changes: 5 additions & 0 deletions stable/openshift/nginx.repo
@@ -0,0 +1,5 @@
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
enabled=1
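
Review bot: the stanza sets `gpgcheck=1` but has no `gpgkey=` line, so signature checking depends entirely on the separate `rpm --import` step in the Dockerfile having run first, and the repo file on its own does not say which key is trusted. Ship the key file with the image and add a `gpgkey=` entry pointing at it, so the trust anchor lives with the repository definition. The same applies to mainline/openshift/nginx.repo, and the `baseurl` here is also plain http.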