From ccc3655e9489e2a65a98ba807990c30b57b8370c Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Mon, 29 Sep 2025 12:50:19 +0100 Subject: [PATCH 1/5] Allow easier updates to Agent versions on NAP images --- Makefile | 21 +++++++++++---------- build/Dockerfile | 25 +++++++++++++++++-------- 2 files changed, 28 insertions(+), 18 deletions(-) diff --git a/Makefile b/Makefile index 00e087f223..cfbb2a71be 100644 --- a/Makefile +++ b/Makefile @@ -5,6 +5,7 @@ VERSION = $(VER)-SNAPSHOT NGINX_OSS_VERSION ?= 1.29 NGINX_PLUS_VERSION ?= R35 NGINX_AGENT_VERSION ?= 3.3 +NAP_AGENT_VERSION ?= 2.* PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden @@ -153,12 +154,12 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp .PHONY: alpine-image-nap-plus-fips alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: alpine-image-nap-v5-plus-fips alpine-image-nap-v5-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAFv5 and FIPS) $(DOCKER_CMD) $(PLUS_ARGS) \ - --build-arg BUILD_OS=alpine-plus-nap-v5-fips + --build-arg BUILD_OS=alpine-plus-nap-v5-fips --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) 
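Review bot: The new `--build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION)` in the `alpine-image-nap-plus-fips` and `alpine-image-nap-v5-plus-fips` recipes is substituted into the shell command unquoted, and the same argument is repeated in the NAP recipes of the hunks at -166, -178, -190 and -212. Make pastes the value in before the shell parses the line, so the `*` in the default `2.*` is left to shell globbing, and an override containing spaces or shell metacharacters changes the command that runs. That matters if a CI job fills the variable from a workflow input. Defining it once next to `PLUS_ARGS`, e.g. `NAP_ARGS = --build-arg NAP_AGENT_VERSION='$(NAP_AGENT_VERSION)'`, and using `$(NAP_ARGS)` in the ten recipes would quote the value and remove the repetition.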
@@ -166,11 +167,11 @@ debian-image-plus: build ## Create Docker image for Ingress Controller (Debian w .PHONY: debian-image-nap-plus debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: debian-image-nap-v5-plus debian-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAFv5) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-v5 + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap-v5 --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: debian-image-dos-plus debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS) @@ -178,7 +179,7 @@ debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debi .PHONY: debian-image-nap-dos-plus debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF and DoS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: ubi-image ubi-image: build ## Create Docker image for Ingress Controller (UBI) 
@@ -190,21 +191,21 @@ ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NG .PHONY: ubi-image-nap-plus ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF) - $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: ubi8-image-nap-plus ubi8-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF) - $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=waf + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=waf --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: ubi-image-nap-v5-plus ubi-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \ - --build-arg BUILD_OS=ubi-9-plus-nap-v5 + --build-arg BUILD_OS=ubi-9-plus-nap-v5 --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: ubi8-image-nap-v5-plus ubi8-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \ - --build-arg BUILD_OS=ubi-8-plus-nap-v5 + --build-arg BUILD_OS=ubi-8-plus-nap-v5 --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: ubi-image-dos-plus ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS) 
@@ -212,7 +213,7 @@ ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI wit .PHONY: ubi-image-nap-dos-plus ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS) - $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf,dos + $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf,dos --build-arg NAP_AGENT_VERSION=$(NAP_AGENT_VERSION) .PHONY: all-images ## Create all the Docker images for Ingress Controller all-images: alpine-image alpine-image-plus alpine-image-plus-fips alpine-image-nap-plus-fips debian-image debian-image-plus debian-image-nap-plus debian-image-dos-plus debian-image-nap-dos-plus ubi-image ubi-image-plus ubi-image-nap-plus ubi-image-dos-plus ubi-image-nap-dos-plus diff --git a/build/Dockerfile b/build/Dockerfile index 33cbb00309..e08746b95b 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -3,6 +3,7 @@ ARG BUILD_OS=debian ARG NGINX_OSS_VERSION=1.29 ARG NGINX_PLUS_VERSION=R35 ARG NGINX_AGENT_VERSION=3.3 +ARG NAP_AGENT_VERSION=2.* ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} @@ -208,6 +209,7 @@ RUN --mount=type=bind,from=alpine-fips-3.22,target=/tmp/fips/ \ FROM alpine:3.19@sha256:3be987e6cde1d07e873c012bf6cfe941e6e85d16ca5fc5b8bedc675451d2de67 AS alpine-plus-nap-fips ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO +ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
@@ -224,7 +226,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~2 \ + && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION%.*} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -241,6 +243,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ FROM alpine:3.19@sha256:3be987e6cde1d07e873c012bf6cfe941e6e85d16ca5fc5b8bedc675451d2de67 AS alpine-plus-nap-v5-fips ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO +ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -255,7 +258,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~2 \ + && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION%.*} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ 
@@ -321,6 +324,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode FROM debian-plus-only AS debian-plus-nap ARG NAP_MODULES ARG NGINX_PLUS_VERSION +ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -337,7 +341,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources \ && cp /tmp/nginx-agent.sources /etc/apt/sources.list.d/nginx-agent.sources \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns nginx-agent=2.* \ + && apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns nginx-agent=${NAP_AGENT_VERSION}* \ && rm -f /etc/apt/sources.list.d/app-protect.sources /etc/apt/sources.list.d/nginx-agent.sources \ && nap-waf.sh \ && agent.sh; \ @@ -354,6 +358,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAFv5 ############################################# FROM debian-plus-only AS debian-plus-nap-v5 ARG NGINX_PLUS_VERSION +ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
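Review bot: In the `debian-plus-nap` install line (hunk at -337), `nginx-agent=${NAP_AGENT_VERSION}*` expands a caller-supplied build argument unquoted, where the removed line had the constant `2.*`. The shell word-splits the expanded value, so a value containing whitespace reaches `apt-get install` as additional package names, and the trailing `*` is subject to pathname expansion. Quoting the word, `"nginx-agent=${NAP_AGENT_VERSION}*"`, keeps the whole value inside one package argument while still handing the wildcard to the package manager. The same applies to the `nginx-agent=${NAP_AGENT_VERSION}*` and `nginx-agent-${NAP_AGENT_VERSION}*` arguments in the hunks at -365, -420, -468, -500 and -537. The RUN instruction starts and ends outside the hunk.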
@@ -365,7 +370,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=debian-agent-12.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=2.* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=35+5.498* app-protect-plugin=6.20.0* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NAP_AGENT_VERSION}* app-protect-module-plus=35+5.498* nginx-plus-module-appprotect=35+5.498* app-protect-plugin=6.20.0* \ && nap-waf.sh \ && agent.sh @@ -400,6 +405,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode FROM ubi-minimal AS ubi-9-plus-nap ARG NAP_MODULES ARG BUILD_OS +ARG NAP_AGENT_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ @@ -420,7 +426,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && ubi-setup.sh \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-2.* \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}* \ && source /tmp/rhel_license \ && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \ && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ 
@@ -447,6 +453,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# FROM ubi-minimal AS ubi-9-plus-nap-v5 +ARG NAP_AGENT_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ @@ -468,7 +475,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \ - && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-2.* app-protect-module-plus-35+5.498* \ + && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}* app-protect-module-plus-35+5.498* \ && nap-waf.sh \ && ubi-clean.sh \ && agent.sh @@ -478,6 +485,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode FROM redhat/ubi8@sha256:534c2c0efa4150ede18e3f9d7480d3b9ec2a52e62bc91cd54e08ee7336819619 AS ubi-8-plus-nap ARG NGINX_PLUS_VERSION ARG BUILD_OS +ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
@@ -500,7 +508,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import /tmp/nginx_signing.key \ && rpm --import /tmp/app-protect-security-updates.key \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-2.* \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}* \ && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} --name ${BUILD_OS}-$(uname -m) || true \ && subscription-manager attach \ @@ -516,6 +524,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI8 with NGINX Plus and App Protect WAFv5 ############################################# FROM redhat/ubi8@sha256:534c2c0efa4150ede18e3f9d7480d3b9ec2a52e62bc91cd54e08ee7336819619 AS ubi-8-plus-nap-v5 ARG NGINX_PLUS_VERSION +ARG NAP_AGENT_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -537,7 +546,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && rpm --import /tmp/nginx_signing.key \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-2.* \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}* \ && dnf --nodocs install -y app-protect-module-plus-35+5.498* \ && nap-waf.sh \ && agent.sh \ From 7dec558870caf365c76105d0e79dc3e8a422485b Mon Sep 17 00:00:00 2001 
From: Alex Fenlon Date: Mon, 29 Sep 2025 16:23:08 +0100 Subject: [PATCH 2/5] fix alpine --- Makefile | 2 +- build/Dockerfile | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 283919456e..95bc40de9b 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ VERSION = $(VER)-SNAPSHOT NGINX_OSS_VERSION ?= 1.29 NGINX_PLUS_VERSION ?= R35 NGINX_AGENT_VERSION ?= 3.3 -NAP_AGENT_VERSION ?= 2.* +NAP_AGENT_VERSION ?= 2 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden diff --git a/build/Dockerfile b/build/Dockerfile index e08746b95b..853ff20535 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -3,7 +3,7 @@ ARG BUILD_OS=debian ARG NGINX_OSS_VERSION=1.29 ARG NGINX_PLUS_VERSION=R35 ARG NGINX_AGENT_VERSION=3.3 -ARG NAP_AGENT_VERSION=2.* +ARG NAP_AGENT_VERSION=2 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} @@ -226,7 +226,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION%.*} \ + && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ 
@@ -258,7 +258,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION%.*} \ + && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ From 67cd0dfcfcd92cb6334a284ff841742530595eed Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Wed, 1 Oct 2025 10:08:48 +0100 Subject: [PATCH 3/5] add restriction based off comment --- Makefile | 2 +- build/Dockerfile | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index d77680b311..03e037b083 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ NGINX_PLUS_VERSION ?= R35 NAP_WAF_VERSION ?= 35+5.498 NAP_WAF_COMMON_VERSION ?= 11.533 NAP_WAF_PLUGIN_VERSION ?= 6.20.0 -NAP_AGENT_VERSION ?= 2 +NAP_AGENT_VERSION ?= 2.0 NGINX_AGENT_VERSION ?= 3.3 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key diff --git a/build/Dockerfile b/build/Dockerfile index 4857f1bf54..31ba858e59 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -6,7 +6,7 @@ ARG NAP_WAF_VERSION=35+5.498 ARG NAP_WAF_COMMON_VERSION=11.533 ARG NAP_WAF_PLUGIN_VERSION=6.20.0 ARG NGINX_AGENT_VERSION=3.3 -ARG NAP_AGENT_VERSION=2 +ARG NAP_AGENT_VERSION=2.0 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} @@ -357,7 +357,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode app-protect-plugin=${NAP_WAF_PLUGIN_VERSION}* \ app-protect-attack-signatures \ app-protect-threat-campaigns \ - nginx-agent=${NAP_AGENT_VERSION}* \ + nginx-agent=${NAP_AGENT_VERSION}.* \ && rm -f /etc/apt/sources.list.d/app-protect.sources /etc/apt/sources.list.d/nginx-agent.sources \ && nap-waf.sh \ && agent.sh; \ @@ -388,7 +388,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \ --mount=type=bind,from=nginx-files,src=debian-agent-12.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NAP_AGENT_VERSION}* app-protect-module-plus=${NAP_WAF_VERSION}* nginx-plus-module-appprotect=${NAP_WAF_VERSION}* app-protect-plugin=${NAP_WAF_PLUGIN_VERSION}* \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NAP_AGENT_VERSION}.* app-protect-module-plus=${NAP_WAF_VERSION}* nginx-plus-module-appprotect=${NAP_WAF_VERSION}* app-protect-plugin=${NAP_WAF_PLUGIN_VERSION}* \ && nap-waf.sh \ && agent.sh 
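Review bot: `ARG NAP_AGENT_VERSION=2.0` in the hunk at -6 has no comment saying which forms of the value are accepted, and after this patch the form matters. The Debian lines in the hunks at -357 and -388 now append `.*`, so the value has to be a version prefix with no trailing dot or wildcard. A comment above the ARG, such as `# NAP_AGENT_VERSION: nginx-agent version prefix for App Protect images, e.g. 2 or 2.0; ".*" is appended at install time`, would record that. The Alpine stages are not touched by this patch; if they still read `nginx-agent~${NAP_AGENT_VERSION}` as the preceding patch in this series left them, the new default changes what they match as well, which is worth confirming.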
@@ -414,7 +414,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && ubi-setup.sh \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NGINX_AGENT_VERSION}* \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NGINX_AGENT_VERSION}.* \ && agent.sh \ && ubi-clean.sh @@ -448,7 +448,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \ && ubi-setup.sh \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}* \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}.* \ && source /tmp/rhel_license \ && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \ && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ 
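Review bot: The hunk at -414 changes `nginx-agent-${NGINX_AGENT_VERSION}*` to `nginx-agent-${NGINX_AGENT_VERSION}.*`, which is a different variable from the `NAP_AGENT_VERSION` edited everywhere else in this patch. With the default `NGINX_AGENT_VERSION=3.3` the pattern narrows to `nginx-agent-3.3.*`. No other `NGINX_AGENT_VERSION` install line appears in this patch, so the remaining stages that use it presumably keep the `*` form. Either change them together or leave this one as it was, so the variable selects versions the same way in every stage. The RUN instruction starts outside the hunk.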
@@ -501,7 +501,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ && microdnf --nodocs install -y ca-certificates shadow-utils subscription-manager \ - && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}* app-protect-module-plus-${NAP_WAF_VERSION}* \ + && microdnf --nodocs install -y nginx-plus-module-otel nginx-agent-${NAP_AGENT_VERSION}.* app-protect-module-plus-${NAP_WAF_VERSION}* \ && nap-waf.sh \ && ubi-clean.sh \ && agent.sh @@ -535,7 +535,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import /tmp/nginx_signing.key \ && rpm --import /tmp/app-protect-security-updates.key \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}* \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}.* \ && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} --name ${BUILD_OS}-$(uname -m) || true \ && subscription-manager attach \ 
@@ -574,7 +574,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && rpm --import /tmp/nginx_signing.key \ && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}* \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check nginx-agent-${NAP_AGENT_VERSION}.* \ && dnf --nodocs install -y app-protect-module-plus-${NAP_WAF_VERSION}* \ && nap-waf.sh \ && agent.sh \ From a520c6e5968ed275919bf43789b87cf5825e3175 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Wed, 1 Oct 2025 12:05:31 +0100 Subject: [PATCH 4/5] fix alpine --- Makefile | 2 +- build/Dockerfile | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 03e037b083..d77680b311 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ NGINX_PLUS_VERSION ?= R35 NAP_WAF_VERSION ?= 35+5.498 NAP_WAF_COMMON_VERSION ?= 11.533 NAP_WAF_PLUGIN_VERSION ?= 6.20.0 -NAP_AGENT_VERSION ?= 2.0 +NAP_AGENT_VERSION ?= 2 NGINX_AGENT_VERSION ?= 3.3 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key diff --git a/build/Dockerfile b/build/Dockerfile index 31ba858e59..6c8b12d508 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,7 +6,7 @@ ARG NAP_WAF_VERSION=35+5.498 ARG NAP_WAF_COMMON_VERSION=11.533 ARG NAP_WAF_PLUGIN_VERSION=6.20.0 ARG NGINX_AGENT_VERSION=3.3 -ARG NAP_AGENT_VERSION=2.0 +ARG NAP_AGENT_VERSION=2 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} 
@@ -230,7 +230,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ + && apk add --no-cache "nginx-agent>=${NAP_AGENT_VERSION}" \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -263,7 +263,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ + && apk add --no-cache "nginx-agent>=${NAP_AGENT_VERSION}" \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ From 8a1247ef7a47de27f59c5ddfcdd1192343062622 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Wed, 1 Oct 2025 14:56:47 +0100 Subject: [PATCH 5/5] fix alpine --- build/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 6c8b12d508..b5a155cd1c 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -230,7 +230,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache "nginx-agent>=${NAP_AGENT_VERSION}" \ + && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ @@ -263,7 +263,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ && printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-plus-module-fips-check \ - && apk add --no-cache "nginx-agent>=${NAP_AGENT_VERSION}" \ + && apk add --no-cache nginx-agent~${NAP_AGENT_VERSION} \ && mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
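Review bot: Nothing near `apk add --no-cache nginx-agent~${NAP_AGENT_VERSION}` records why the fuzzy `~` match is required, although this series switches the constraint from `~` to `>=` and back, in both this hunk and the one at -263. A lower bound such as `>=2` would also accept a later major release from the repository, whereas `~2` is meant to stay on the 2.x series (as I understand apk's fuzzy matching). A comment line above the RUN instruction, for example `# nginx-agent~<v> keeps App Protect images on the <v> agent series; do not relax to >=`, would keep that from regressing. The RUN instruction starts and ends outside the hunk.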