
Commit f950d55

committed
fix ubi 9 nap images
1 parent f5bfb63 commit f950d55


1 file changed

+16
-8
lines changed


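--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -384,7 +384,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
 apt-get update \
 apt-get install --no-install-recommends --no-install-suggests -y \
-nginx-agent app-protect-module-plus=33+5.264* nginx-plus-module-appprotect=33+5.264*; \
+nginx-agent app-protect-module-plus=33+5.264* nginx-plus-module-appprotect=33+5.264*; \
 nap-waf.sh \
 && apt-get purge --auto-remove -y gpg \
 && agent.sh
@@ -415,23 +415,27 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS #############################################
-FROM ubi-9-plus AS ubi-9-plus-nap
+FROM ubi-minimal AS ubi-9-plus-nap
 ARG NAP_MODULES
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
+--mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \
 --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
 --mount=type=bind,from=nginx-files,src=app-protect-9.repo,target=/tmp/app-protect-9.repo \
 --mount=type=bind,from=nginx-files,src=app-protect-dos-9.repo,target=/tmp/app-protect-dos-9.repo \
+--mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \
 --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
 --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
 --mount=type=bind,from=nginx-files,src=nap-dos.sh,target=/usr/local/bin/nap-dos.sh \
 --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \
 --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \
 mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
+&& ubi-setup.sh \
+&& microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
 && source /tmp/rhel_license \
 && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \
 && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
@@ -441,7 +445,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 rpm --import /tmp/app-protect-security-updates.key \
 && cp /tmp/app-protect-9.repo /etc/yum.repos.d/app-protect-9.repo \
 && microdnf --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms --nodocs install -y \
-app-protect app-protect-attack-signatures app-protect-threat-campaigns nginx-agent \
+app-protect app-protect-attack-signatures app-protect-threat-campaigns nginx-agent \
 && rm -f /etc/yum.repos.d/app-protect-9.repo \
 && nap-waf.sh \
 && agent.sh; \
@@ -457,20 +461,24 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 #############################################
-FROM ubi-9-plus AS ubi-9-plus-nap-v5
+FROM ubi-minimal AS ubi-9-plus-nap-v5
 ARG NAP_MODULES
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
+--mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \
 --mount=type=bind,from=nginx-files,src=nginx-agent.repo,target=/etc/yum.repos.d/nginx-agent.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-v5-9.repo,target=/etc/yum.repos.d/app-protect-9.repo \
+--mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \
 --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
 --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
 --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \
 --mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \
 mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
+&& ubi-setup.sh \
+&& microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
 && source /tmp/rhel_license \
 && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \
 && microdnf --nodocs install -y nginx-agent app-protect-module-plus-33+5.264* \
@@ -624,10 +632,10 @@ COPY --link --chown=101:0 nginx-ingress /
 # root is required for `setcap` invocation
 USER 0
 RUN --mount=type=bind,target=/tmp [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
-/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
-&& chown -R 101:0 /*.tmpl \
-&& chmod -R g=u /*.tmpl \
-&& setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress
+/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
+&& chown -R 101:0 /*.tmpl \
+&& chmod -R g=u /*.tmpl \
+&& setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress
 # 101 is nginx, defined above
 USER 101
 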
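Review bot: The added `microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check` line in both `ubi-9-plus-nap` and `ubi-9-plus-nap-v5` installs unpinned packages, while the v5 stage a few lines later pins `app-protect-module-plus-33+5.264*`; if the `33` prefix tracks the NGINX Plus release, as it appears to, a repository update could pull a newer nginx-plus than the pinned WAF module was built for, and rebuilds would stop being reproducible. Consider pinning the base package the same way, for example `nginx-plus-<PINNED_RELEASE>*` (placeholder), ideally from one shared build argument so base and module move together. Nothing visible in these hunks imports `/tmp/nginx_signing.key` before that install, so package signature verification presumably depends on `ubi-setup.sh`; if that is the case, a comment above the RUN such as `# ubi-setup.sh must import nginx_signing.key before the nginx-plus install` would make the ordering requirement explicit. Both RUN instructions start and continue outside the hunks, so the rest of the chain could not be checked.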
