diff --git a/Dockerfile.dapper b/Dockerfile.dapper index 29b785f0c2..4baec60bcd 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -1,4 +1,4 @@ -FROM rancher/hardened-build-base:v1.17.5b7 +FROM rancher/hardened-build-base:v1.18.7b7 ARG STEP=ci ARG DAPPER_HOST_ARCH ARG DOCKER_USER diff --git a/images/nginx/rootfs/Dockerfile.amd64 b/images/nginx/rootfs/Dockerfile.amd64 index 4c509b92a9..c87a3e2df6 100644 --- a/images/nginx/rootfs/Dockerfile.amd64 +++ b/images/nginx/rootfs/Dockerfile.amd64 @@ -30,15 +30,8 @@ COPY build.sh / RUN /build.sh -# Pull static components from alpine -FROM alpine:3.13 as extras - -RUN apk update \ - && apk upgrade \ - && apk add -U --no-cache dumb-init - -# With UBI as base image -FROM registry.access.redhat.com/ubi8/ubi-minimal +# With BCI as base image +FROM registry.suse.com/bci/bci-base:latest ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin 
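Review bot: The new runtime base in images/nginx/rootfs/Dockerfile.amd64, `FROM registry.suse.com/bci/bci-base:latest`, is a floating tag, so each rebuild can pull a different, unreviewed base and the resulting image cannot be reproduced or audited against a known package set. Pin it to a release and preferably a digest, e.g. `FROM registry.suse.com/bci/bci-base:<version>@sha256:<digest>`, the same way Dockerfile.dapper pins `hardened-build-base:v1.18.7b7` in this commit. The stage continues past the end of this hunk.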
@@ -48,23 +41,26 @@ ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" COPY --from=builder /usr/local /usr/local COPY --from=builder /opt /opt COPY --from=builder /etc/nginx /etc/nginx -COPY --from=extras /usr/bin/dumb-init /usr/bin/dumb-init - -RUN rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -RUN microdnf -y update && rm -rf /var/cache/yum -RUN microdnf -y install lmdb-libs || rpm -iv http://vault.centos.org/centos/8/BaseOS/x86_64/os/Packages/lmdb-libs-0.9.24-1.el8.x86_64.rpm -RUN microdnf -y install \ - util-linux \ - findutils \ - which \ - yajl \ - GeoIP \ - libmaxminddb \ - wget -RUN microdnf -y install crypto-policies-scripts - -RUN rm -rf /var/cache/yum +RUN rpm -iv http://vault.centos.org/centos/8/BaseOS/x86_64/os/Packages/lmdb-libs-0.9.24-1.el8.x86_64.rpm +RUN ln -s /usr/lib64/liblua5.3.so.5.3.0 /usr/local/lib/liblua-5.3.so + +RUN zypper addrepo \ + -p 105 http://download.opensuse.org/tumbleweed/repo/oss/ download.opensuse.org-oss && \ + zypper --gpg-auto-import-keys refresh +RUN zypper install -y \ + libcap-progs \ + libmaxminddb0 \ + libGeoIP1 \ + crypto-policies-scripts \ + wget \ + which \ + git \ + libyajl2 \ + make \ + tar \ + gzip \ + catatonit RUN ldDirs=" \ /usr/local/lib \ @@ -77,7 +73,7 @@ RUN /sbin/ldconfig RUN ln -s /usr/local/nginx/sbin/nginx /sbin/nginx RUN groupadd -rg 101 www-data -RUN adduser -u 101 -M -d /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data +RUN useradd -u 101 -M -d /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data RUN writeDirs=" \ /var/log/nginx \ @@ -93,8 +89,6 @@ RUN writeDirs=" \ chown -R www-data.www-data ${dir}; \ done -RUN microdnf clean all - EXPOSE 80 443 CMD ["nginx", "-g", "daemon off;"] diff --git a/images/nginx/rootfs/Dockerfile.s390x b/images/nginx/rootfs/Dockerfile.s390x index c2b536d672..a44ed16115 100644 --- a/images/nginx/rootfs/Dockerfile.s390x +++ b/images/nginx/rootfs/Dockerfile.s390x 
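Review bot: Both package sources added in the `@@ -48,23 +41,26 @@` hunk of Dockerfile.amd64 are fetched over plain HTTP with no verification visible here. `rpm -iv http://vault.centos.org/...lmdb-libs-0.9.24-1.el8.x86_64.rpm` installs a remote RPM with no checksum or imported signing key, and the Tumbleweed repo is added as `http://download.opensuse.org/...` and then trusted through `zypper --gpg-auto-import-keys refresh`, which accepts whatever key that connection presents. Switch both URLs to `https://`, import the repository key explicitly instead of auto-importing it, and download the RPM to a file and check it against a pinned digest (`sha256sum -c` with `<expected-sha256>`) before `rpm -iv`. Tumbleweed is also a rolling repo, so the installed versions drift between builds. Separately, `git`, `make`, `tar`, `gzip` and `wget` look like build tooling that could stay out of the runtime stage, and since the later hunk drops `microdnf clean all`, the install step would need `&& zypper clean -a` to keep the package cache out of the layer.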
@@ -54,7 +54,8 @@ RUN dnf -y install \ libmaxminddb0 \ lmdb \ wget \ - libcap-progs + libcap-progs \ + catatonit RUN dnf -y install 'dnf-command(config-manager)' RUN dnf config-manager --add-repo https://download.opensuse.org/repositories/security:tls/openSUSE_Leap_15.3/security:tls.repo diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index d4a27de038..db96d7184e 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile @@ -59,8 +59,8 @@ RUN setcap cap_net_bind_service=+ep /nginx-ingress-controller \ && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller \ && setcap cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \ && setcap -v cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \ - && setcap cap_net_bind_service=+ep /usr/bin/dumb-init \ - && setcap -v cap_net_bind_service=+ep /usr/bin/dumb-init \ + && setcap cap_net_bind_service=+ep /usr/bin/catatonit \ + && setcap -v cap_net_bind_service=+ep /usr/bin/catatonit \ && ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx USER www-data @@ -69,6 +69,6 @@ USER www-data RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -ENTRYPOINT ["/usr/bin/dumb-init", "--"] +ENTRYPOINT ["/usr/bin/catatonit", "--"] CMD ["/nginx-ingress-controller"] diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index ee6f7f5722..6846aec2ad 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -48,12 +48,7 @@ RUN if [ "$TARGETARCH" = "s390x" ] ; then dnf install -y \ ca-certificates \ diffutils \ timezone \ - util-linux ; else microdnf install bash \ - curl \ - openssl \ - ca-certificates \ - tzdata \ - diffutils; fi + util-linux ; fi COPY --chown=www-data:www-data etc /chroot/etc 
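Review bot: The init binary is given file capabilities it does not obviously need. In rootfs/Dockerfile, `setcap cap_net_bind_service=+ep /usr/bin/catatonit` carries the old dumb-init grant over unchanged, and the matching hunk in rootfs/Dockerfile-chroot grants `cap_sys_chroot,cap_net_bind_service=+ep`. An init that only reaps children and forwards signals binds no ports and calls no chroot, and `/nginx-ingress-controller` and `nginx` already get their own file capabilities in the same RUN, so the grant appears to be redundant privilege on PID 1. If it is required, say why above the lines, e.g. `# catatonit needs <capability> because <reason>`; otherwise drop the two catatonit `setcap` lines in both files. The RUN starts before this hunk.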
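Review bot: Nothing in this RUN of rootfs/Dockerfile-chroot installs `bash`, `curl`, `openssl`, `ca-certificates`, `tzdata` or `diffutils` on non-s390x builds any more, because the `if [ "$TARGETARCH" = "s390x" ]` block now ends in `util-linux ; fi` with no `else`. The zypper list added to images/nginx/rootfs/Dockerfile.amd64 in this commit names none of `ca-certificates`, `diffutils` or a timezone package, so, assuming this image builds on that one, they must come from the BCI base or they are absent. That is worth confirming, because a missing CA bundle only shows up as TLS verification failures at runtime. If the base is meant to supply them, record it above the block: `# non-s390x: bash, curl, openssl, ca-certificates, tzdata, diffutils are expected from the base image`. The RUN begins before the hunk.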
@@ -85,8 +80,8 @@ RUN setcap cap_sys_chroot,cap_net_bind_service=+ep /nginx-ingress-controller && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/unshare \ && setcap cap_net_bind_service=+ep /chroot/usr/local/nginx/sbin/nginx \ && setcap -v cap_net_bind_service=+ep /chroot/usr/local/nginx/sbin/nginx \ - && setcap cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/dumb-init \ - && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/dumb-init + && setcap cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/catatonit \ + && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/catatonit RUN ln -sf /chroot/etc/nginx /etc/nginx \ && ln -sf /chroot/tmp/nginx /tmp/nginx \ @@ -108,7 +103,7 @@ USER www-data EXPOSE 80 443 -ENTRYPOINT ["/usr/bin/dumb-init", "--"] +ENTRYPOINT ["/usr/bin/catatonit", "--"] CMD ["/nginx-ingress-controller"]