Last active
June 27, 2024 17:03
-
-
Save nginx-gists/36e97fc87efb5cf0039978c8e41a34b5 to your computer and use it in GitHub Desktop.
Dockerfiles for NGINX Plus R32 (Debian bookworm -12- and Alpine Linux 3.20), from Deploying NGINX and NGINX Plus on Docker (https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-docker)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ARG RELEASE=bookworm | |
| FROM debian:${RELEASE}-slim | |
| LABEL maintainer="NGINX Docker Maintainers <[email protected]>" | |
| # Define NGINX versions for NGINX Plus and NGINX Plus modules | |
| # Uncomment this block and the versioned nginxPackages block in the main RUN | |
| # instruction to install a specific release | |
| # ARG RELEASE | |
| # ENV NGINX_VERSION=32 | |
| # ENV NGINX_PKG_RELEASE=1~${RELEASE} | |
| # ENV NJS_VERSION=0.8.4 | |
| # ENV NJS_PKG_RELEASE=1~${RELEASE} | |
| # ENV OTEL_VERSION=0.1.0 | |
| # ENV OTEL_PKG_RELEASE=1~${RELEASE} | |
| # ENV PKG_RELEASE=1~${RELEASE} | |
| # Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy to the build context | |
| RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ | |
| --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ | |
| set -x \ | |
| # Create nginx user/group first, to be consistent throughout Docker variants | |
| && groupadd --system --gid 101 nginx \ | |
| && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ | |
| && apt-get update \ | |
| && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \ | |
| && \ | |
| NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ | |
| NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ | |
| export GNUPGHOME="$(mktemp -d)"; \ | |
| found=''; \ | |
| for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ | |
| for server in \ | |
| hkp://keyserver.ubuntu.com:80 \ | |
| pgp.mit.edu \ | |
| ; do \ | |
| echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ | |
| gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ | |
| done; \ | |
| test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ | |
| done; \ | |
| gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ | |
| rm -rf "$GNUPGHOME"; \ | |
| apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ | |
| # Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) | |
| # Uncomment any desired module packages to install the latest release or use the versioned package format to specify a release | |
| # For an exhaustive list of supported modules and how to install them, see https://docs.nginx.com/nginx/admin-guide/dynamic-modules/dynamic-modules/ | |
| && nginxPackages=" \ | |
| nginx-plus \ | |
| # nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \ | |
| # nginx-plus-module-geoip \ | |
| # nginx-plus-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \ | |
| # nginx-plus-module-image-filter \ | |
| # nginx-plus-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \ | |
| # nginx-plus-module-njs \ | |
| # nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \ | |
| # nginx-plus-module-otel \ | |
| # nginx-plus-module-otel=${NGINX_VERSION}+${OTEL_VERSION}-${OTEL_PKG_RELEASE} \ | |
| # nginx-plus-module-perl \ | |
| # nginx-plus-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ | |
| # nginx-plus-module-xslt \ | |
| # nginx-plus-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \ | |
| " \ | |
| && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ | |
| && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ | |
| && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ | |
| && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ | |
| && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ | |
| && mkdir -p /etc/ssl/nginx \ | |
| && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ | |
| && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ | |
| && apt-get update \ | |
| && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \ | |
| && apt-get remove --purge -y lsb-release \ | |
| && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ | |
| && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \ | |
| # Forward request logs to Docker log collector | |
| && ln -sf /dev/stdout /var/log/nginx/access.log \ | |
| && ln -sf /dev/stderr /var/log/nginx/error.log | |
| EXPOSE 80 | |
| STOPSIGNAL SIGQUIT | |
| CMD ["nginx", "-g", "daemon off;"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ARG RELEASE=3.20 | |
| FROM alpine:${RELEASE} | |
| LABEL maintainer="NGINX Docker Maintainers <[email protected]>" | |
| # Define NGINX versions for NGINX Plus and NGINX Plus modules | |
| # Uncomment this block and the versioned nginxPackages in the main RUN | |
| # instruction to install a specific release | |
| # ENV NGINX_VERSION=32 | |
| # ENV NGINX_PKG_RELEASE=1 | |
| # ENV NJS_VERSION=0.8.4 | |
| # ENV NJS_PKG_RELEASE=1 | |
| # ENV OTEL_VERSION=0.1.0 | |
| # ENV OTEL_PKG_RELEASE=1 | |
| # ENV PKG_RELEASE=1 | |
| # Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy to the build context | |
| RUN --mount=type=secret,id=nginx-crt,dst=cert.pem \ | |
| --mount=type=secret,id=nginx-key,dst=cert.key \ | |
| set -x \ | |
| # Create nginx user/group first, to be consistent throughout Docker variants | |
| && addgroup -g 101 -S nginx \ | |
| && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ | |
| # Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5) | |
| # Uncomment any desired module packages to install the latest release or use the versioned package format to specify a release | |
| # For an exhaustive list of supported modules and how to install them, see https://docs.nginx.com/nginx/admin-guide/dynamic-modules/dynamic-modules/ | |
| && nginxPackages=" \ | |
| nginx-plus \ | |
| # nginx-plus=${NGINX_VERSION}-r${NGINX_PKG_RELEASE} \ | |
| # nginx-plus-module-geoip \ | |
| # nginx-plus-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ | |
| # nginx-plus-module-image-filter \ | |
| # nginx-plus-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ | |
| # nginx-plus-module-njs \ | |
| # nginx-plus-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_PKG_RELEASE} \ | |
| # nginx-plus-module-otel \ | |
| # nginx-plus-module-otel=${NGINX_VERSION}.${OTEL_VERSION}-r${OTEL_PKG_RELEASE} \ | |
| # nginx-plus-module-perl \ | |
| # nginx-plus-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \ | |
| # nginx-plus-module-xslt \ | |
| # nginx-plus-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ | |
| " \ | |
| KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ | |
| && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ | |
| && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ | |
| echo "key verification succeeded!"; \ | |
| mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ | |
| else \ | |
| echo "key verification failed!"; \ | |
| exit 1; \ | |
| fi \ | |
| && cat cert.pem > /etc/apk/cert.pem \ | |
| && cat cert.key > /etc/apk/cert.key \ | |
| && apk add -X "https://pkgs.nginx.com/plus/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ | |
| && if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ | |
| && if [ -f "/etc/apk/cert.key" ] && [ -f "/etc/apk/cert.pem" ]; then rm -f /etc/apk/cert.key /etc/apk/cert.pem; fi \ | |
| # Bring in tzdata so users could set the timezones through the environment variables | |
| && apk add --no-cache tzdata \ | |
| # Bring in curl and ca-certificates to make registering on DNS SD easier | |
| && apk add --no-cache curl ca-certificates \ | |
| # Forward request and error logs to Docker log collector | |
| && ln -sf /dev/stdout /var/log/nginx/access.log \ | |
| && ln -sf /dev/stderr /var/log/nginx/error.log | |
| EXPOSE 80 | |
| STOPSIGNAL SIGQUIT | |
| CMD ["nginx", "-g", "daemon off;"] | |
| # vim:syntax=Dockerfile |
Sorry for the delay in replying, but Gist didnโt inform us that you had left a comment.
Our testing doesnโt indicate that the change you suggest is necessary. Is it possible the difference is specific to your Docker environment? We havenโt made your suggested change in our Alpine Dockerfile, but your comment provides a helpful hint to anyone who has the same problem.
sks-keyservers should be removed, ref: nginx/docker-nginx#597
Shall we use SIGQUIT instead of SIGTERM for graceful shutdown? Ref: nginx/docker-nginx@3fb70dd
@nginx-gists @thresheek Please review the above 2 comments.
Updated gists are on the way @PMExtra ๐
For a discussion of these files, see Deploying NGINX and NGINX Plus with Docker
I have enabled nginx-plus-module-njs in alpine.Dockerfile ( Line number 34 and 35 ). It is throwing the below error. Can you help?
#0 2.585 + egrep -o '^[0-9]+.[0-9]+' /etc/alpine-release
#0 2.585 + apk add -X https://pkgs.nginx.com/plus/alpine/v3.17/main --no-cache nginx-plus nginx-plus-module-njs 'nginx-plus-module-njs=.-'
#0 2.589 fetch https://pkgs.nginx.com/plus/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
#0 3.290 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
#0 3.786 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
#0 4.466 ERROR: 'nginx-plus-module-njs=.-' is not a valid world dependency, format is name(@tag)([<>~=]version)
alpine.Dockerfile:19
I would uncomment only L34. L35 only works if you specify the version you want to install in L8-L10 :)
I would uncomment only L34. L35 only works if you specify the version you want to install in L8-L10 :)
Thanks for responding. I have tried the same but no luck.
ERROR: 'nginx-plus-module-njs=28.0.7.9-1' is not a valid world dependency, format is name(@tag)([<>~=]version)
Thanks for testing it out! You did indeed find a bug! I pushed a fix, the new Dockerfile for Alpine should work as intended ๐
I can successfully build now. Thank you !!
hi @alessfg and @thresheek, perhaps "ENV NJS_VERSION 0.7.9" should be updated to 0.7.12, thanks!
The NGINX Plus release also needs to be updated! I'll hopefully get to this before end of next week (I have a hefty backlog this week ๐)
thanks @alessfg, @thresheek ! and here's one more update request -
perhaps, the signing key needs to be changed
from https://nginx.org/keys/nginx_signing.rsa.pub
to https://cs.nginx.com/static/keys/nginx_signing.rsa.pub
(the gist is also used for NGINX Plus in https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-docker/)
Dockerfiles have been updated! Sorry for the delay, it's been a crazy month!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@nginx-gists I'm running into an issue where the mtls certs used to authenticate with the NGINX Plus Alpine repositories are not being deleted in the final image. I believe it's because this line should be...