
Commit 2fcb617

authored
fix: always redownload the NGINX GPG signing key in the NGINX OSS Dockerfile (#270)
1 parent 940c9c5 commit 2fcb617


1 file changed

+40
-22
lines changed


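--- a/Dockerfile.oss
+++ b/Dockerfile.oss
@@ -1,45 +1,63 @@
 FROM nginx:1.25.5@sha256:a484819eb60211f5299034ac80f6a681b06f89e65866ce91f356ed7c72af059c
 
-ENV NGINX_VERSION 1.25.5
+# NJS env vars
 ENV NJS_VERSION 0.8.4
 ENV NJS_RELEASE 3~bookworm
 
+# Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
 ENV PROXY_CACHE_SLICE_SIZE "1m"
 ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
+
+# CORS env vars
 ENV CORS_ENABLED 0
 ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
+
+# S3 proxy env vars
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""
 
 # We modify the nginx base image by:
-# 1. Adding configuration files needed for proxying private S3 buckets
-# 2. Adding a directory for proxied objects to be stored
-# 3. Replacing the entrypoint script with a modified version that explicitly
-# sets resolvers.
-# 4. Explicitly install the version of njs coded in the environment variable
-# above.
+# 1. Explicitly install the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets
+# 3. Adding a directory for proxied objects to be stored
+# 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
+
+RUN set -x \
+&& apt-get update \
+&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
+&& \
+NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
+export GNUPGHOME="$(mktemp -d)"; \
+found=''; \
+for server in \
+hkp://keyserver.ubuntu.com:80 \
+pgp.mit.edu \
+; do \
+echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+done; \
+test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+rm -rf "$GNUPGHOME"; \
+apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \
+echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+apt-get update \
+&& apt-get install --no-install-recommends --no-install-suggests -y \
+libedit2 \
+nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
+&& apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
 COPY common/etc /etc
+COPY oss/etc /etc
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY oss/etc /etc
-
-RUN set -eux \
-export DEBIAN_FRONTEND=noninteractive; \
-mkdir -p /var/cache/nginx/s3_proxy; \
-chown nginx:nginx /var/cache/nginx/s3_proxy; \
-chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
-echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
-apt-get update; \
-apt-get install --no-install-recommends --no-install-suggests --yes \
-curl \
-libedit2 \
-nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
-apt-get remove --purge --auto-remove --yes; \
-rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
+RUN mkdir -p /var/cache/nginx/s3_proxy \
+&& chown nginx:nginx /var/cache/nginx/s3_proxy \
+&& chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;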
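Review bot: The new key-download `RUN` (new lines 30–54) opens with `set -x` where the block it replaces used `set -eux`, so the `;`-separated steps between the fetch loop and the second `apt-get update` — `gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH"`, `rm -rf "$GNUPGHOME"`, the `gnupg1` purge and the `echo … >> nginx.list` — no longer stop the build when they fail; a failed export would presumably leave an empty keyring whose only symptom is a later apt signature error. `RUN set -eux \` restores fail-fast behaviour and is safe for the `&&`-chained fetch loop and the `test -z "$found" && … && exit 1` guard, since non-final commands in such lists are exempt from `-e`. A comment above the `for server` loop would also help readers judge the plaintext `hkp://` sources, e.g. `# NGINX_GPGKEY is the full 40-hex fingerprint; --recv-keys/--export by fingerprint pin the key, so keyserver transport integrity is not relied on`. The removed block also installed `curl`, which the new one does not — if dropping it is intentional, a sentence in the commit description would make that explicit.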
