feat: update nginx plus image builds to use nginx plus base images (#449)

* refactor: simplify docker build process

This change does the following:
* Migrates to using the official NGINX Plus Docker
images as base images
* Removes the distinction between BuildKit and non-BuildKit
  builds for Plus images (OSS never had this)
* Adds support for license validation for Plus images
* Introduces a multi-stage build for Plus images

Signed-off-by: Elijah Zupancic <[email protected]>

* chore: remove deprecated version parameter from docker-compose.yaml

Signed-off-by: Elijah Zupancic <[email protected]>

* fix: use nginx version reported by binary instead of env var

By using the version reported by NGINX rather than the environment variable
it allows for a more reliable setting and less complexity.

Signed-off-by: Elijah Zupancic <[email protected]>

---------

Signed-off-by: Elijah Zupancic <[email protected]>

Author: dekobon

Dockerfile.buildkit.plus

@@ -3,10 +3,18 @@
 # source, and installs it.
 FROM nginx-s3-gateway
 
+# Package names with trailing dashes are intentionally specified in order to
+# suppress their install as build dependencies. Those libraries are being
+# provided by the inherited container images and we do not want to mess with
+# them.
 RUN set -eux \
-    export DEBIAN_FRONTEND=noninteractive;  \
+    export DEBIAN_FRONTEND=noninteractive; \
+    export NGINX_VERSION="$(nginx -V 2>&1 | grep 'nginx version' | awk -F'[/ ]' '{print $4}')"; \
     apt-get update -qq; \
-    apt-get install --no-install-recommends --no-install-suggests --yes make gcc libc6-dev curl expect libpcre2-dev libpcre3-dev libedit-dev libreadline-dev libssl-dev libpcre2-posix3 libxml2-dev libxslt1-dev zlib1g-dev; \
+    apt-get install --no-install-recommends --no-install-suggests --yes --allow-change-held-packages \
+        make gcc libc6-dev curl expect libpcre2-dev \
+        libpcre3-dev libedit-dev libreadline-dev libssl-dev libpcre2-posix3 libxml2-dev libxslt1-dev zlib1g-dev \
+        libgcrypt20 libicu-dev libssl-dev libxslt1-dev- libxml2-dev-; \
     mkdir -p /tmp/nginx /tmp/njs-latest; \
     curl --retry 6 --location "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
         | gunzip | tar --extract --strip-components=1 --directory /tmp/nginx; \

Dockerfile.latest-njs

@@ -1,8 +1,4 @@
-FROM nginx:1.29.0@sha256:f5c017fb33c6db484545793ffb67db51cdd7daebee472104612f73a85063f889
-
-# NJS env vars
-ENV NJS_VERSION=0.9.0
-ENV NJS_RELEASE=1~bookworm
+FROM nginx:1.29.1@sha256:d5f28ef21aabddd098f3dbc21fe5b7a7d7a184720bc07da0b6c9b9820e97f25e
 
 # Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE=10g
@@ -27,20 +23,20 @@ ENV PREFIX_LEADING_DIRECTORY_PATH=""
 # 3. Adding a directory for proxied objects to be stored.
 # 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
 
+# Note: the PKG_RELEASE environment variable is inherited
+
 RUN set -x \
-    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
-    apt-get update \
+    && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list \
+    && apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y \
-      libedit2 \
-      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
-    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
+      libedit2 nginx-module-njs nginx-module-xslt \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/*
 
-COPY oss/etc /etc
+COPY oss/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
 
 RUN set -x \
     && mkdir -p /var/cache/nginx/s3_proxy \
     && chown nginx:nginx /var/cache/nginx/s3_proxy \
-    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
+    && find /docker-entrypoint.d -type f \( -name '*.sh' -or -name '*.envsh' \) -exec chmod -v +x {} \;

Dockerfile.oss

@@ -1,13 +1,7 @@
-FROM debian:bookworm-slim@sha256:b1211f6d19afd012477bd34fdcabb6b663d680e0f4b0537da6e6b0fd057a3ec3
+# Pull from NGINX image that provides the XSLT module and supporting libraries
+FROM private-registry.nginx.com/nginx-plus/modules:r35-xslt-debian@sha256:3eaa85dca47e31b9a6648bcaf6034f076cd59be9b1510b25fd1bbe1144f0bb48 AS xslt
 
-# Create RELEASE argument
-ARG RELEASE=bookworm
-
-# NJS env vars
-ENV NGINX_VERSION=34
-ENV NGINX_PKG_RELEASE=1~${RELEASE}
-ENV NJS_VERSION=0.9.0
-ENV NJS_PKG_RELEASE=1~${RELEASE}
+FROM private-registry.nginx.com/nginx-plus/base:r35-debian-bookworm@sha256:9a82ad3f96d58be861257efd621f215d599e226ebedd24d9f3211bdd743c3c27
 
 # Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE=10g
@@ -26,76 +20,25 @@ ENV DIRECTORY_LISTING_PATH_PREFIX=""
 ENV STRIP_LEADING_DIRECTORY_PATH=""
 ENV PREFIX_LEADING_DIRECTORY_PATH=""
 
-# We create an NGINX Plus image based on the official NGINX Plus Dockerfiles (https://gist.github.com/nginx-gists/36e97fc87efb5cf0039978c8e41a34b5) and modify it by:
-# 1. Explicitly installing the version of njs coded in the environment variable above.
-# 2. Adding configuration files needed for proxying private S3 buckets.
-# 3. Adding a directory for proxied objects to be stored.
-# 4. Adding the entrypoint scripts found in the base NGINX OSS Docker image with a modified version that explicitly sets resolvers.
-
-# Download your NGINX license certificate and key from the F5 customer portal (https://account.f5.com) and copy it to the build context
-COPY plus/etc/ssl /etc/ssl
-
-RUN set -x \
-# Create nginx user/group first, to be consistent throughout Docker variants
-    && groupadd --system --gid 101 nginx \
-    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg1 lsb-release \
-    && \
-    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
-    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
-    export GNUPGHOME="$(mktemp -d)"; \
-    found=''; \
-    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
-    for server in \
-        hkp://keyserver.ubuntu.com:80 \
-        pgp.mit.edu \
-    ; do \
-        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
-        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    done; \
-    gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
-    rm -rf "$GNUPGHOME"; \
-    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
-# Install the latest release of NGINX Plus and/or NGINX Plus modules (written and maintained by F5)
-    && nginxPackages=" \
-        nginx-plus=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
-        nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_PKG_RELEASE} \
-        nginx-plus-module-xslt=${NGINX_VERSION}-${NGINX_PKG_RELEASE} \
-    " \
-    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
-    && echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
-    && apt-get update \
-    && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages curl gettext-base \
-    && apt-get remove --purge -y lsb-release \
-    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
-    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \
-# Forward request logs to Docker log collector
-    && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
-
-EXPOSE 80
-
-STOPSIGNAL SIGTERM
-
-CMD ["nginx", "-g", "daemon off;"]
-
 # Copy files from the OSS NGINX Docker container such that the container
 # startup is the same.
+COPY --from=xslt / /
+
 COPY plus/etc/nginx /etc/nginx
 COPY common/etc /etc
-COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY plus/docker-entrypoint.d /docker-entrypoint.d/
-
-RUN set -x \
-    && mkdir -p /var/cache/nginx/s3_proxy \
-    && chown nginx:nginx /var/cache/nginx/s3_proxy \
-    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+RUN <<EOF
+    set -eux
+    apt-get update -qq
+    apt-get install --no-install-recommends --no-install-suggests -y \
+      gettext-base libxml2 libxslt1.1
+    apt-get remove --purge --auto-remove -y
+    rm -rf /usr/share/doc/ /usr/share/lintian /var/lib/apt/lists
+
+    cat /etc/nginx/nginx-license.conf >> /etc/nginx/nginx.conf; \
+    rm /etc/nginx/nginx-license.conf; \
+    mkdir -p /var/cache/nginx/s3_proxy; \
+    chown nginx:nginx /var/cache/nginx/s3_proxy; \
+    find /docker-entrypoint.d -type f \( -name '*.sh' -or -name '*.envsh' \) -exec chmod -v +x {} \;
+EOF

Dockerfile.plus

@@ -130,21 +130,3 @@ fi
 if [ $failed -gt 0 ]; then
   exit 1
 fi
-
-echo "S3 Backend Environment"
-echo "Service: ${S3_SERVICE:-s3}"
-echo "Access Key ID: ${AWS_ACCESS_KEY_ID}"
-echo "Origin: ${S3_SERVER_PROTO}://${S3_BUCKET_NAME}.${S3_SERVER}:${S3_SERVER_PORT}"
-echo "Region: ${S3_REGION}"
-echo "Addressing Style: ${S3_STYLE}"
-echo "AWS Signatures Version: v${AWS_SIGS_VERSION}"
-echo "DNS Resolvers: ${DNS_RESOLVERS}"
-echo "Directory Listing Enabled: ${ALLOW_DIRECTORY_LIST}"
-echo "Directory Listing Path Prefix: ${DIRECTORY_LISTING_PATH_PREFIX}"
-echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}"
-echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}"
-echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}"
-echo "Allow the following headers from responses (these take precedence over the above): ${HEADER_PREFIXES_ALLOWED}"
-echo "CORS Enabled: ${CORS_ENABLED}"
-echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}"
-echo "Proxy cache using stale setting: ${PROXY_CACHE_USE_STALE}"