removed dumb-init + aligned images to official one

Author: fabiocicerchia

10-listen-on-ipv6-by-default.sh

@@ -0,0 +1,61 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+ME=$(basename $0)
+DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf"
+
+# check if we have ipv6 available
+if [ ! -f "/proc/net/if_inet6" ]; then
+    echo >&3 "$ME: error: ipv6 not available"
+    exit 0
+fi
+
+if [ ! -f "/$DEFAULT_CONF_FILE" ]; then
+    echo >&3 "$ME: error: /$DEFAULT_CONF_FILE is not a file or does not exist"
+    exit 0
+fi
+
+# check if the file can be modified, e.g. not on a r/o filesystem
+touch /$DEFAULT_CONF_FILE 2>/dev/null || { echo >&3 "$ME: error: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; }
+
+# check if the file is already modified, e.g. on a container restart
+grep -q "listen  \[::]\:80;" /$DEFAULT_CONF_FILE && { echo >&3 "$ME: error: IPv6 listen already enabled"; exit 0; }
+
+if [ -f "/etc/os-release" ]; then
+    . /etc/os-release
+else
+    echo >&3 "$ME: error: can not guess the operating system"
+    exit 0
+fi
+
+echo >&3 "$ME: Getting the checksum of /$DEFAULT_CONF_FILE"
+
+case "$ID" in
+    "debian")
+        CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3)
+        echo "$CHECKSUM  /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || {
+            echo >&3 "$ME: error: /$DEFAULT_CONF_FILE differs from the packaged version"
+            exit 0
+        }
+        ;;
+    "alpine")
+        CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2)
+        echo "$CHECKSUM  /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || {
+            echo >&3 "$ME: error: /$DEFAULT_CONF_FILE differs from the packages version"
+            exit 0
+        }
+        ;;
+    *)
+        echo >&3 "$ME: error: Unsupported distribution"
+        exit 0
+        ;;
+esac
+
+# enable ipv6 on default.conf listen sockets
+sed -i -E 's,listen       80;,listen       80;\n    listen  [::]:80;,' /$DEFAULT_CONF_FILE
+
+echo >&3 "$ME: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE"
+
+exit 0

20-envsubst-on-templates.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+ME=$(basename $0)
+
+auto_envsubst() {
+  local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
+  local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
+  local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+
+  local template defined_envs relative_path output_path subdir
+  defined_envs=$(printf '${%s} ' $(env | cut -d= -f1))
+  [ -d "$template_dir" ] || return 0
+  if [ ! -w "$output_dir" ]; then
+    echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
+    return 0
+  fi
+  find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
+    relative_path="${template#$template_dir/}"
+    output_path="$output_dir/${relative_path%$suffix}"
+    subdir=$(dirname "$relative_path")
+    # create a subdirectory where the template file exists
+    mkdir -p "$output_dir/$subdir"
+    echo >&3 "$ME: Running envsubst on $template to $output_path"
+    envsubst "$defined_envs" < "$template" > "$output_path"
+  done
+}
+
+auto_envsubst
+
+exit 0

README.md

@@ -56,7 +56,6 @@ Lua is a lightweight, high-level, multi-paradigm programming language designed p
 - Security checks: Docker Bench Security, Snyk.
 - Docker Healthchecks.
 - Exposes default ports (`80` and `443`), easy to extend.
-- Runs as non-root UID/GID `32548` (selected randomly to avoid mapping to an existing user) and uses [dumb-init](https://github.com/Yelp/dumb-init) to reap zombie processes.
 - Support for multiple linux distros: Alpine, Amazon, CentOS, Debian, Fedora, Ubuntu.
 - Extra Lua Modules.
 - Performance Benchmarks.
@@ -169,26 +168,41 @@ $ docker run -d -p 80:80 --read-only -v $(pwd)/nginx-cache:/var/cache/nginx -v $
 ```
 If you have a more advanced configuration that requires nginx to write to other locations, simply add more volume mounts to those locations.
 
-### Running nginx in debug mode
+### Entrypoint quiet logs
 
-Images since version 1.9.8 come with `nginx-debug` binary that produces verbose output when using higher log levels. It can be used with simple CMD substitution:
+Since version 1.19.0, a verbose entrypoint was added. It provides information on what's happening during container startup. You can silence this output by setting environment variable `NGINX_ENTRYPOINT_QUIET_LOGS`:
 ```console
-$ docker run --name my-nginx -v /host/path/nginx.conf:/etc/nginx/nginx.conf:ro -d nginx nginx-debug -g 'daemon off;'
+$ docker run -d -e NGINX_ENTRYPOINT_QUIET_LOGS=1 nginx
 ```
-Similar configuration in docker-compose.yml may look like this:
-```yaml
-web:
-  image: nginx
-  volumes:
-    - ./nginx.conf:/etc/nginx/nginx.conf:ro
-  command: [nginx-debug, '-g', 'daemon off;']
+
+### User and group id
+
+Since 1.17.0, both alpine- and debian-based images variants use the same user and group ids to drop the privileges for worker processes:
+```console
+$ id
+uid=101(nginx) gid=101(nginx) groups=101(nginx)
 ```
 
-### Entrypoint quiet logs
+### Running nginx as a non-root user
 
-Since version 1.19.0, a verbose entrypoint was added. It provides information on what's happening during container startup. You can silence this output by setting environment variable `NGINX_ENTRYPOINT_QUIET_LOGS`:
+It is possible to run the image as a less privileged arbitrary UID/GID. This, however, requires modification of nginx configuration to use directories writeable by that specific UID/GID pair:
 ```console
-$ docker run -d -e NGINX_ENTRYPOINT_QUIET_LOGS=1 nginx
+$ docker run -d -v $PWD/nginx.conf:/etc/nginx/nginx.conf nginx
+```
+where nginx.conf in the current directory should have the following directives re-defined:
+```nginx
+pid        /tmp/nginx.pid;
+```
+And in the http context:
+```nginx
+http {
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+...
+}
 ```
 
 ## Specs
@@ -282,7 +296,6 @@ The following are the available build-time options. They can be set using the `-
 | NGINX_BUILD_CONFIG       | `--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --user=nginx --group=nginx --add-module=/lua-nginx-module-${VER_LUA_NGINX_MODULE} --add-module=/ngx_devel_kit-${VER_NGX_DEVEL_KIT} --with-compat --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads` | Options to pass to nginx's `./configure` script. |
 | BUILD_DEPS               | Differs based on the distro                | List of needed packages to build properly the software. |
 | NGINX_BUILD_DEPS         | Differs based on the distro                | List of needed packages to build properly nginx. |
-| VER_DUMBINIT             | `1.2.2`                                    | The version of [dumb-init](https://github.com/Yelp/dumb-init) to use. |
 | PKG_DEPS                 | Differs based on the distro                | List of needed packages to run properly the software. |
 
 These built-from-source flavors include the following modules by default, but one can easily increase or decrease that with the custom build options above:
@@ -380,7 +393,6 @@ $ docker inspect fabiocicerchia/nginx-lua:1-alpine | jq '.[].Config.Labels'
   "org.label-schema.vcs-ref": "5b8a255",
   "org.label-schema.vcs-url": "https://github.com/fabiocicerchia/nginx-lua",
   "org.label-schema.version": "1.19.2-alpine3.12.0",
-  "versions.dumb-init": "1.2.2",
   "versions.extended": "1",
   "versions.headers-more-nginx-module": "d6d7ebab3c0c5b32ab421ba186783d3e5d2c6a17",
   "versions.lua-nginx-module": "0.10.17",
@@ -417,7 +429,6 @@ $ docker inspect fabiocicerchia/nginx-lua:1-alpine | jq '.[].Config.Labels'
 | `org.label-schema.vcs-url`                | URL for the source code under version control from which this container image was built. |
 | `org.label-schema.version`                | Release identifier for the contents of the image. |
 | `versions.extended`                       | Flag to identify if extended image (which contains extra modules). |
-| `versions.dumb-init`                      | The version of [dumb-init](https://github.com/Yelp/dumb-init) used. |
 | `versions.headers-more-nginx-module`      | The version of [headers-more-nginx-module](https://github.com/openresty/headers-more-nginx-module) used. |
 | `versions.lua-nginx-module`               | The version of [ngx_http_lua_module](https://github.com/openresty/lua-nginx-module) used. |
 | `versions.lua-resty-cookie`               | The version of [lua-resty-cookie](https://github.com/cloudflare/lua-resty-cookie) used. |

bin/test.sh

@@ -61,12 +61,12 @@ set -x
 
 OS=$1
 VERSIONS=()
-if [ "$OS" == "alpine" ]; then VERSIONS=$ALPINE
-elif [ "$OS" == "amazonlinux" ]; then VERSIONS=$AMAZONLINUX
-elif [ "$OS" == "centos" ]; then VERSIONS=$CENTOS
-elif [ "$OS" == "debian" ]; then VERSIONS=$DEBIAN
-elif [ "$OS" == "fedora" ]; then VERSIONS=$FEDORA
-elif [ "$OS" == "ubuntu" ]; then VERSIONS=$UBUNTU
+if [ "$OS" == "alpine" ]; then VERSIONS=("${ALPINE[@]}")
+elif [ "$OS" == "amazonlinux" ]; then VERSIONS=("${AMAZONLINUX[@]}")
+elif [ "$OS" == "centos" ]; then VERSIONS=("${CENTOS[@]}")
+elif [ "$OS" == "debian" ]; then VERSIONS=("${DEBIAN[@]}")
+elif [ "$OS" == "fedora" ]; then VERSIONS=("${FEDORA[@]}")
+elif [ "$OS" == "ubuntu" ]; then VERSIONS=("${UBUNTU[@]}")
 fi
 
 docker images

docker-entrypoint.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+    exec 3>&1
+else
+    exec 3>/dev/null
+fi
+
+if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -n | while read -r f; do
+            case "$f" in
+                *.sh)
+                    if [ -x "$f" ]; then
+                        echo >&3 "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        echo >&3 "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) echo >&3 "$0: Ignoring $f";;
+            esac
+        done
+
+        echo >&3 "$0: Configuration complete; ready for start up"
+    else
+        echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+exec "$@"

nginx/1.19.3/alpine/3.12.0/Dockerfile

@@ -198,11 +198,6 @@ ARG NGINX_BUILD_DEPS="\
       zlib-dev"
 ENV NGINX_BUILD_DEPS=$NGINX_BUILD_DEPS
 
-# dumb-init
-# https://github.com/Yelp/dumb-init
-ARG VER_DUMBINIT=1.2.2
-ENV VER_DUMBINIT=$VER_DUMBINIT
-
 ####################################
 # Build Nginx with support for LUA #
 ####################################
@@ -378,7 +373,6 @@ LABEL maintainer="Fabio Cicerchia <[email protected]>" \
       org.label-schema.vcs-url="https://github.com/$DOCKER_IMAGE" \
       org.label-schema.version="$VER_NGINX-$DOCKER_IMAGE_OS$DOCKER_IMAGE_TAG" \
       versions.extended=${EXTENDED_IMAGE} \
-      versions.dumb-init=${VER_DUMBINIT} \
       versions.headers-more-nginx-module=${VER_OPENRESTY_HEADERS} \
       versions.lua-nginx-module=${VER_LUA_NGINX_MODULE} \
       versions.lua-resty-cookie=${VER_CLOUDFLARE_COOKIE} \
@@ -442,16 +436,18 @@ RUN set -eux \
     && mkdir -p /var/log/nginx \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log \
-# dumb-init
-# ##############################################################################
-    && curl -Lo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${VER_DUMBINIT}/dumb-init_${VER_DUMBINIT}_x86_64 \
-    && chmod +x /usr/bin/dumb-init \
 # create nginx user/group first, to be consistent throughout docker variants
-    && addgroup -g 32548 -S nginx \
-    && adduser -S -D -H -u 32548 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
+    && addgroup -g 101 -S nginx \
+    && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx
+
+COPY docker-entrypoint.sh /
+COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
+COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
 # smoke test
 # ##############################################################################
-    && envsubst -V \
+RUN envsubst -V \
     && nginx -V \
     && nginx -t
 
@@ -462,6 +458,4 @@ EXPOSE 80 443
 # Override stop signal to stop process gracefully
 STOPSIGNAL SIGQUIT
 
-ENTRYPOINT ["dumb-init"]
-
 CMD ["nginx", "-g", "daemon off;"]

nginx/1.19.3/alpine/3.12.1/Dockerfile

@@ -198,11 +198,6 @@ ARG NGINX_BUILD_DEPS="\
       zlib-dev"
 ENV NGINX_BUILD_DEPS=$NGINX_BUILD_DEPS
 
-# dumb-init
-# https://github.com/Yelp/dumb-init
-ARG VER_DUMBINIT=1.2.2
-ENV VER_DUMBINIT=$VER_DUMBINIT
-
 ####################################
 # Build Nginx with support for LUA #
 ####################################
@@ -378,7 +373,6 @@ LABEL maintainer="Fabio Cicerchia <[email protected]>" \
       org.label-schema.vcs-url="https://github.com/$DOCKER_IMAGE" \
       org.label-schema.version="$VER_NGINX-$DOCKER_IMAGE_OS$DOCKER_IMAGE_TAG" \
       versions.extended=${EXTENDED_IMAGE} \
-      versions.dumb-init=${VER_DUMBINIT} \
       versions.headers-more-nginx-module=${VER_OPENRESTY_HEADERS} \
       versions.lua-nginx-module=${VER_LUA_NGINX_MODULE} \
       versions.lua-resty-cookie=${VER_CLOUDFLARE_COOKIE} \
@@ -442,16 +436,18 @@ RUN set -eux \
     && mkdir -p /var/log/nginx \
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log \
-# dumb-init
-# ##############################################################################
-    && curl -Lo /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${VER_DUMBINIT}/dumb-init_${VER_DUMBINIT}_x86_64 \
-    && chmod +x /usr/bin/dumb-init \
 # create nginx user/group first, to be consistent throughout docker variants
-    && addgroup -g 32548 -S nginx \
-    && adduser -S -D -H -u 32548 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
+    && addgroup -g 101 -S nginx \
+    && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx
+
+COPY docker-entrypoint.sh /
+COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
+COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
 # smoke test
 # ##############################################################################
-    && envsubst -V \
+RUN envsubst -V \
     && nginx -V \
     && nginx -t
 
@@ -462,6 +458,4 @@ EXPOSE 80 443
 # Override stop signal to stop process gracefully
 STOPSIGNAL SIGQUIT
 
-ENTRYPOINT ["dumb-init"]
-
 CMD ["nginx", "-g", "daemon off;"]