Get required UBI packages for NGINX and install agent

Author: shaun-nx

Makefile

@@ -45,6 +45,7 @@ PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-g
 NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx
 NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus
 BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi
+IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent
 TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0
 TARGET ?= local## The target of the build. Possible values: local and container
 OUT_DIR ?= build/out## The folder where the binary will be stored
@@ -228,7 +229,7 @@ install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-wi
 
 .PHONY: helm-install-local
 helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build.
-	helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=Never --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=Never --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS)
+	helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) || helm uninstall nginx-gateway -n nginx-gateway
 
 .PHONY: helm-install-local-with-plus
 helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus.

build/entrypoint.sh

@@ -41,11 +41,12 @@ nginx_pid=$!
 
 SECONDS=0
 
-while ! ps -ef | grep "nginx: master process" | grep -v grep; do
-    if ((SECONDS > 5)); then
-        echo "couldn't find nginx master process"
+while ! curl localhost:80 -s -o /dev/null; do
+    if ((SECONDS > 10)); then
+        echo "nginx didn't start within 10 seconds"
         exit 1
     fi
+    sleep 200
 done
 
 # start nginx-agent, pass args

build/ubi/Dockerfile.nginx

@@ -6,43 +6,61 @@ ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signi
 ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo
 ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
 
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS packages
+
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
-# FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9
 
 # renovate: datasource=github-tags depName=nginx/agent
 ARG NGINX_AGENT_VERSION=v3.3.1
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT
 
-# c-ares is required by for nginx-module-otel. It is not available in ubi9-minimal by default
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# Prepare packages
 RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \
     --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \
     --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
+    --mount=type=bind,from=packages,src=/,target=/ubi-bin/ \
     rpm --import /tmp/nginx_signing.key \
     && microdnf update -y \
     && microdnf --nodocs install -y shadow-utils subscription-manager \
-    # microdnf --enablerepo=appstream install -y c-ares \
+    && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-installed \
+	&& microdnf --nodocs --setopt=install_weak_deps=0 install -y diffutils dnf \
+	&& rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-new \
+	&& dnf install -y /ubi-bin/*.rpm \
+	&& dnf -q repoquery --resolve --requires --recursive --whatrequires nginx --queryformat "%{NAME}" > pkgs-nginx \
+	&& dnf --setopt=protected_packages= remove -y $(comm -13 pkgs-installed pkgs-new | comm -13 pkgs-nginx -) \
+	&& rm pkgs-installed pkgs-new pkgs-nginx \
     && microdnf --nodocs install -y nginx \
     && microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \
-    && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
-    && microdnf clean all
+    # && microdnf --enablerepo=appstream install -y c-ares \
+    && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}
+
+# RUN  rm /etc/yum.repos.d/nginx.repo \
+#     && rm /etc/yum.repos.d/agent.repo \
+#     && microdnf clean all
 
+# Configure logs and directories
 RUN mkdir -p /usr/lib/nginx/modules \
-    # forward request and error logs to docker log collector
+    && mkdir -p /usr/lib64/nginx/modules \
+    && mkdir -p /var/run/nginx \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/
+    # && ln -sf /usr/lib64/nginx/modules/ngx_http_js_module.so /usr/lib/nginx/modules/ngx_http_js_module.so \
+    # && ln -sf /usr/lib64/nginx/modules/ngx_stream_js_module.so /usr/lib/nginx/modules/ngx_stream_js_module.so
 
 COPY build/entrypoint.sh /agent/entrypoint.sh
 COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
 COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
 COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
 COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf
 
-RUN chown -R 101:1001 /etc/nginx /var/cache/nginx
+RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/run/nginx /etc/nginx-agent/nginx-agent.conf
 
 LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}"
 
 USER 101:1001
 
-ENTRYPOINT ["/agent/entrypoint.sh"]
+ENTRYPOINT ["/agent/entrypoint.sh"]