Bump docker/setup-qemu-action from 3.3.0 to 3.4.0 #287

Closed
67 commits
415fab7
Cleanup untagged images on the GitHub Container Registry (#191)
alessfg Feb 22, 2024
65ace00
Split image cleanup job into its own workflow (#193)
alessfg Feb 23, 2024
1714a41
Add OCI annotations to Docker images (#194)
alessfg Feb 24, 2024
a9affe9
Don't run cleanup on failed workflow_run triggers
alessfg Feb 28, 2024
6526911
Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 (#196)
dependabot[bot] Mar 7, 2024
8a0cafe
Bump docker/build-push-action from 5.1.0 to 5.2.0 (#197)
dependabot[bot] Mar 11, 2024
39d76c4
Bump docker/login-action from 3.0.0 to 3.1.0 (#200)
dependabot[bot] Mar 28, 2024
2ca3d81
Bump docker/build-push-action from 5.2.0 to 5.3.0 (#202)
dependabot[bot] Apr 2, 2024
4f3030f
Bump docker/setup-buildx-action from 3.1.0 to 3.2.0 (#201)
dependabot[bot] Apr 3, 2024
4f965dd
Bump actions/checkout from 4.1.1 to 4.1.2 (#203)
dependabot[bot] Apr 3, 2024
92b5b2f
Bump docker/setup-buildx-action from 3.2.0 to 3.3.0 (#205)
dependabot[bot] Apr 15, 2024
b3b9e1c
Update mainline NGINX to 1.25.5
alessfg Apr 17, 2024
dfeab68
Bump actions/checkout from 4.1.2 to 4.1.3 (#206)
dependabot[bot] Apr 23, 2024
80d437d
Bump stumpylog/image-cleaner-action from 0.5.0 to 0.6.0 (#207)
dependabot[bot] Apr 23, 2024
af3b28a
Update stable NGINX to 1.26.0
alessfg Apr 24, 2024
5a776b6
Bump actions/checkout from 4.1.3 to 4.1.4 (#208)
dependabot[bot] Apr 29, 2024
d47e080
Fix njs arm32v5 build
alessfg May 6, 2024
1a2dff7
Bump actions/checkout from 4.1.4 to 4.1.5 (#210)
dependabot[bot] May 14, 2024
996fd54
Bump actions/checkout from 4.1.5 to 4.1.6 (#212)
dependabot[bot] May 20, 2024
7ebc14d
Fix Alpine image tags
alessfg May 20, 2024
bf443c0
Update mainline NGINX to 1.27.0
alessfg Jun 2, 2024
e302dc3
Bump docker/login-action from 3.1.0 to 3.2.0 (#213)
dependabot[bot] Jun 4, 2024
5a5aae4
Bump stumpylog/image-cleaner-action from 0.6.0 to 0.7.0 (#215)
dependabot[bot] Jun 10, 2024
35bdcfa
Bump actions/checkout from 4.1.6 to 4.1.7 (#218)
dependabot[bot] Jun 17, 2024
c3359ff
Bump docker/build-push-action from 5.3.0 to 5.4.0 (#217)
dependabot[bot] Jun 17, 2024
2713a0e
Update GPG keys used to sign the NGINX packages (#220)
alessfg Jun 26, 2024
04c3e28
Bump docker/build-push-action from 5.4.0 to 6.2.0 (#221)
dependabot[bot] Jun 26, 2024
01445a1
Bump docker/build-push-action from 6.2.0 to 6.3.0 (#223)
dependabot[bot] Jul 8, 2024
a1df95b
Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 (#224)
dependabot[bot] Jul 8, 2024
5c38105
Bump docker/setup-qemu-action from 3.0.0 to 3.1.0 (#225)
dependabot[bot] Jul 9, 2024
d9407a0
Bump docker/build-push-action from 6.3.0 to 6.4.1 (#226)
dependabot[bot] Jul 23, 2024
723599b
Bump docker/setup-qemu-action from 3.1.0 to 3.2.0 (#232)
dependabot[bot] Jul 29, 2024
2e17aa7
Bump docker/login-action from 3.2.0 to 3.3.0 (#231)
dependabot[bot] Jul 29, 2024
1655d37
Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 (#229)
dependabot[bot] Jul 29, 2024
9560210
Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 (#236)
dependabot[bot] Aug 5, 2024
af6e325
Bump stumpylog/image-cleaner-action from 0.7.0 to 0.8.0 (#235)
dependabot[bot] Aug 5, 2024
ec67ff4
Bump docker/build-push-action from 6.4.1 to 6.6.1 (#237)
dependabot[bot] Aug 12, 2024
f633d7b
Update mainline NGINX to 1.27.1 (#238)
alessfg Aug 17, 2024
f76ccc0
Bump docker/build-push-action from 6.6.1 to 6.7.0 (#239)
dependabot[bot] Aug 19, 2024
63c0059
Use packaging sources to build packages on non-mainstream architectur…
alessfg Sep 17, 2024
085232b
Move NGINX package source to GitHub (#244)
alessfg Sep 24, 2024
9d9d3b0
Add tip re how to rebuild/change the image UID/GID
alessfg Sep 24, 2024
1c14e98
Update GH Actions runner to Ubuntu 24.04 (#245)
alessfg Sep 25, 2024
6a0946e
Bump actions/checkout from 4.1.7 to 4.2.0 (#247)
dependabot[bot] Oct 1, 2024
7eba53a
Bump docker/build-push-action from 6.7.0 to 6.8.0 (#246)
dependabot[bot] Oct 1, 2024
a4a8917
docs: Fix broken links in CONTRIBUTING.md (#248)
jsattler Oct 1, 2024
e6a1255
feat: Update mainline NGINX to 1.27.2 (#250)
alessfg Oct 4, 2024
31c40af
Bump docker/setup-buildx-action from 3.6.1 to 3.7.1 (#251)
dependabot[bot] Oct 7, 2024
d9fe8c8
Bump docker/build-push-action from 6.8.0 to 6.9.0 (#252)
dependabot[bot] Oct 7, 2024
338d5c7
Bump actions/checkout from 4.2.0 to 4.2.1 (#253)
dependabot[bot] Oct 14, 2024
54d8358
Bump actions/checkout from 4.2.1 to 4.2.2 (#256)
dependabot[bot] Oct 28, 2024
69dec3f
Bump stumpylog/image-cleaner-action from 0.8.0 to 0.9.0 (#255)
dependabot[bot] Oct 28, 2024
7e515bf
feat: Update mainline NGINX to 1.27.3 (#260)
alessfg Nov 27, 2024
899909e
Bump docker/metadata-action from 5.5.1 to 5.6.1 (#258)
dependabot[bot] Nov 27, 2024
a756e1a
Bump docker/build-push-action from 6.9.0 to 6.10.0 (#264)
dependabot[bot] Jan 9, 2025
7095a65
Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 (#266)
dependabot[bot] Jan 9, 2025
17ba3ab
Add `riscv64` support on Alpine Linux (#268)
alessfg Jan 13, 2025
e89cb03
Bump docker/setup-qemu-action from 3.2.0 to 3.3.0 (#270)
dependabot[bot] Jan 13, 2025
0cecd4e
Bump docker/build-push-action from 6.10.0 to 6.11.0 (#269)
dependabot[bot] Jan 13, 2025
e9a8dc4
Bump docker/setup-qemu-action from 3.3.0 to 3.4.0
dependabot[bot] Feb 10, 2025
2cc5e1e
feat: Update mainline NGINX to 1.27.4 (#283)
alessfg Feb 13, 2025
65d4bac
Bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 (#285)
dependabot[bot] Feb 19, 2025
5e0c7c5
Bump stumpylog/image-cleaner-action from 0.9.0 to 0.10.0 (#284)
dependabot[bot] Feb 19, 2025
37ecde6
Bump docker/build-push-action from 6.11.0 to 6.13.0 (#274)
dependabot[bot] Feb 20, 2025
b98b2e0
Bump docker/setup-qemu-action from 3.3.0 to 3.4.0 (#280)
dependabot[bot] Feb 20, 2025
f94d0d6
Bump docker/setup-buildx-action from 3.8.0 to 3.9.0 (#279)
dependabot[bot] Feb 20, 2025
41c35be
Merge branch 'main' into dependabot/github_actions/docker/setup-qemu-…
Shadyboyty Feb 26, 2025
127 changes: 57 additions & 70 deletions .github/workflows/alpine-mainline.yml

Large diffs are not rendered by default.

127 changes: 57 additions & 70 deletions .github/workflows/alpine-stable.yml

Large diffs are not rendered by default.

96 changes: 41 additions & 55 deletions .github/workflows/debian-mainline.yml
@@ -8,15 +8,15 @@ on:
jobs:
version:
name: Fetch NGINX mainline version
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
major: ${{ steps.nginx_version.outputs.major }}
minor: ${{ steps.nginx_version.outputs.minor }}
patch: ${{ steps.nginx_version.outputs.patch }}
distro: ${{ steps.distro_version.outputs.release }}
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Parse NGINX mainline version
id: nginx_version
@@ -28,64 +28,64 @@ jobs:
- name: Parse Debian version
id: distro_version
run: |
echo "release=$(cat update.sh | grep -m4 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
echo "release=$(cat update.sh | grep -m6 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
core:
name: Build Debian NGINX mainline Docker image
runs-on: ubuntu-22.04
needs: version
runs-on: ubuntu-24.04
strategy:
fail-fast: false
needs: version
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws

- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
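Review bot: The `Parse Debian version` step at the top of this hunk still selects the release by match position (`grep -m6 '\[mainline\]=' | tail -n1`), and the count had to move from 4 to 6 here, so it will silently pick a different entry the next time `update.sh` gains or loses a `[mainline]=` line. Match on the variable being read rather than its ordinal position, and fail the step when the result is empty so a bad parse cannot flow into the `mainline-${{ needs.version.outputs.distro }}` tags. The `cat update.sh |` can also go by passing the file to `grep` directly.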
@@ -103,15 +103,19 @@ jobs:
type=raw,value=mainline-${{ needs.version.outputs.distro }}
type=raw,value=latest
type=raw,value=${{ needs.version.outputs.distro }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Build and push NGINX mainline Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
# platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:mainline/debian"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=debian-perl
# cache-to: type=gha,mode=min,scope=debian-perl
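Review bot: In the `with:` block of the build step, `linux/arm/v5` is dropped from `platforms` and the previous list is left behind as a commented-out line with no explanation. Either delete the old line or add a short comment saying why arm/v5 is disabled and what would allow it back, since images for that architecture stop being published. The same step moves `docker/build-push-action` across a major version (v5.1.0 to v6.13.0), which deserves a read of the release notes for changed defaults rather than being treated as a routine bump. Separately, the commented `cache-from`/`cache-to` lines in this core job use `scope=debian-perl`, which looks copied from the perl job.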
@@ -147,60 +151,60 @@ jobs:

perl:
name: Build Debian NGINX mainline perl Docker image
runs-on: ubuntu-22.04
needs: [version, core]
runs-on: ubuntu-24.04
strategy:
fail-fast: false
needs: [version, core]
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws

- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
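Review bot: The `Set up QEMU` line here moves `docker/setup-qemu-action` from v3.0.0 to v3.4.0, not from 3.3.0 as the pull request title states, and the same hunk also bumps the checkout, buildx, configure-aws-credentials, login and metadata actions plus the runner image. The branch carries far more than the single Dependabot bump, so rebase or retarget it until the diff shows only the qemu change; a one-line SHA swap is something a reviewer can actually verify against the tagged release, while a 67-commit diff under a dependency-bump title is not.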
@@ -218,15 +222,19 @@ jobs:
type=raw,value=mainline-${{ needs.version.outputs.distro }}-perl
type=raw,value=perl
type=raw,value=${{ needs.version.outputs.distro }}-perl
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Build and push NGINX mainline perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
# platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:mainline/debian-perl"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=debian-perl
# cache-to: type=gha,mode=min,scope=debian-perl
@@ -259,25 +267,3 @@ jobs:
DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}

cleanup:
name: Delete untagged Debian NGINX mainline Docker images on the Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
runs-on: ubuntu-22.04
strategy:
fail-fast: false
needs: [core, perl]
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Delete untagged Debian NGINX mainline Docker images on the Amazon ECR Public Gallery
run: |
.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh
96 changes: 41 additions & 55 deletions .github/workflows/debian-stable.yml
@@ -8,15 +8,15 @@ on:
jobs:
version:
name: Fetch NGINX stable version
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
outputs:
major: ${{ steps.nginx_version.outputs.major }}
minor: ${{ steps.nginx_version.outputs.minor }}
patch: ${{ steps.nginx_version.outputs.patch }}
distro: ${{ steps.distro_version.outputs.release }}
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Parse NGINX stable version
id: nginx_version
@@ -28,64 +28,64 @@ jobs:
- name: Parse Alpine version
id: distro_version
run: |
echo "release=$(cat update.sh | grep -m4 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
echo "release=$(cat update.sh | grep -m6 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
core:
name: Build Debian NGINX stable Docker image
runs-on: ubuntu-22.04
needs: version
runs-on: ubuntu-24.04
strategy:
fail-fast: false
needs: version
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws

- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
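Review bot: The step edited at the top of this hunk is named `Parse Alpine version`, but it sits in the Debian stable workflow and produces the `distro` output used for the Debian tags. Rename it to `Parse Debian version` while the `run:` line is being changed anyway, so the job log matches what is being parsed.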
@@ -99,15 +99,19 @@ jobs:
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}
type=raw,value=stable
type=raw,value=stable-${{ needs.version.outputs.distro }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Build and push NGINX stable Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
# platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:stable/debian"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=stable-debian
# cache-to: type=gha,mode=min,scope=stable-debian
@@ -139,60 +143,60 @@ jobs:

perl:
name: Build Debian NGINX stable perl Docker image
runs-on: ubuntu-22.04
needs: [version, core]
runs-on: ubuntu-24.04
strategy:
fail-fast: false
needs: [version, core]
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0

- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws

- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
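Review bot: The `Configure AWS credentials` step in this hunk, like the one in every other job of these workflows, still authenticates with a long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` pair held as repository secrets. Since the action pin is being updated here anyway, consider switching to its `role-to-assume` input with GitHub OIDC (which needs `id-token: write` on the job) so the build receives short-lived credentials and there is no static key to rotate or leak.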
@@ -206,15 +210,19 @@ jobs:
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl
type=raw,value=stable-perl
type=raw,value=stable-${{ needs.version.outputs.distro }}-perl
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Build and push NGINX stable perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
# platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:stable/debian-perl"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=stable-debian-perl
# cache-to: type=gha,mode=min,scope=stable-debian-perl
@@ -243,25 +251,3 @@ jobs:
DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}

cleanup:
name: Delete untagged Debian NGINX stable Docker images on the Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
runs-on: ubuntu-22.04
strategy:
fail-fast: false
needs: [core, perl]
steps:
- name: Check out the codebase
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Delete untagged Debian NGINX stable Docker images on the Amazon ECR Public Gallery
run: |
.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh
37 changes: 37 additions & 0 deletions .github/workflows/image-cleanup.yml
@@ -0,0 +1,37 @@
---
name: Image Cleanup
on:
workflow_dispatch:
workflow_run:
workflows: [Alpine Mainline, Alpine Stable, Debian Mainline, Debian Stable]
types: [completed]
jobs:
cleanup:
name: Delete untagged NGINX Unprivileged Docker images on the Amazon ECR Public Gallery and the GitHub Container Registry
if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-24.04
strategy:
fail-fast: false
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Delete untagged NGINX Unprivileged Docker images on the Amazon ECR Public Gallery
run: |
.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh
- name: Delete untagged NGINX Unprivileged Docker images on the GitHub Container Registry
uses: stumpylog/image-cleaner-action/untagged@48f1aa2111ae929cea4a0e056045f7de0e1b2618 # v0.10.0
with:
is_org: true
owner: nginxinc
package_name: nginx-unprivileged
do_delete: true
token: ${{ secrets.GITHUB_TOKEN }}
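Review bot: This new workflow has no `permissions:` block, yet its last step hands `secrets.GITHUB_TOKEN` to an action with `do_delete: true`, so the deletion runs with whatever default token scope the repository happens to have. Declare the minimum explicitly on the `cleanup` job (`packages: write` for the GHCR cleanup, `contents: read` for the checkout) so the token can do nothing beyond that. Two smaller points: `strategy: fail-fast: false` has no effect without a matrix and can be removed, and the `workflow_dispatch` side of the `if:` bypasses the `conclusion == 'success'` check, which is worth a comment if it is intentional.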
4 changes: 2 additions & 2 deletions CONTRIBUTING.md
@@ -6,7 +6,7 @@ The following is a set of guidelines for contributing to the Docker Unprivileged

[Ask a Question](#ask-a-question)

[Getting Started](#getting-started)
[Project Overview](#project-overview)

[Contributing](#contributing)

@@ -34,7 +34,7 @@ To report a bug, open an issue on GitHub with the label `bug` using the availabl

### Report a Security vulnerability

To report a security vulnerability, open an issue on GitHub with the label `security` using the available security report issue template. Please ensure the security vulnerability directly impacts one of the NGINX dependencies listed in the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/.github/SECURITY.md) doc. Other security vulnerabilities should be addressed by the weekly Monday night build and as such will be promptly closed.
To report a security vulnerability, open an issue on GitHub with the label `security` using the available security report issue template. Please ensure the security vulnerability directly impacts one of the NGINX dependencies listed in the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md) doc. Other security vulnerabilities should be addressed by the weekly Monday night build and as such will be promptly closed.

### Suggest a Feature or Enhancement

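Review bot: The corrected sentence under `Report a Security vulnerability` still tells reporters to open a GitHub issue labelled `security`, which puts vulnerability details in a public tracker. While the link is being fixed, consider directing reporters to a private channel and keeping public issues for already-disclosed dependency advisories. Also confirm that `SECURITY.md` now lives at the repository root, since the link moves from `.github/SECURITY.md` to `SECURITY.md`.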
22 changes: 6 additions & 16 deletions Dockerfile-alpine-perl.template
@@ -16,17 +16,7 @@ RUN set -x \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
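Review bot: The `x86_64|aarch64` branch no longer downloads `nginx_signing.rsa.pub` or checks it against the pinned `KEY_SHA512`, so the `apk add -X "%%PACKAGEREPO%%..."` that remains depends on a trusted key already being present in `/etc/apk/keys`. Please confirm that the base image this template builds `FROM` installs and verifies that key (the last hunk of this file also stops deleting it), and add a comment here saying where the key comes from; otherwise the package install has no verified key to check signatures against.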
@@ -46,10 +36,11 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \
&& PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \
&& if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
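Review bot: With `curl -f -L -O` the tarball is now fetched through whatever redirects github.com issues, so the `PKGOSSCHECKSUM` comparison that follows is the only integrity control on this build input. Make sure `%%REVISION%%` is always rendered as a full commit hash rather than a branch or tag name, and that the checksum failure path exits non-zero. `curl` is also added to the package list at the top of the hunk; confirm it belongs to the build-dependency group that is removed later so it does not ship in the final image.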
@@ -61,7 +52,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
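Review bot: `apk index --allow-untrusted` is added without a comment explaining why signature checking is switched off at this step. The `.apk` files being indexed were just built locally by `make %%BUILDTARGET%%` and the resulting `APKINDEX.tar.gz` is signed by `abuild-sign` on the next line, so the flag is defensible here, but say so in a comment and keep it confined to `apk index` so it is never copied onto an `apk add`.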
@@ -72,8 +63,7 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi

USER $UID
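Review bot: The cleanup no longer removes /etc/apk/keys/nginx_signing.rsa.pub, so that key stays trusted by apk in the final image, and nothing in the hunk says this is intentional. If it is kept so that derived images can install from %%PACKAGEREPO%% without fetching it again, add a comment next to the remaining abuild-key.rsa.pub cleanup. Separately, `[ -n "$tempDir" ]` fixes the old `-f` test, which could never match a directory, but it only checks that the variable is non-empty; `[ -d "$tempDir" ]` would be the more exact guard for `rm -rf`.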
15 changes: 8 additions & 7 deletions Dockerfile-alpine-slim.template
@@ -3,8 +3,9 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ENV NGINX_VERSION %%NGINX_VERSION%%
ENV PKG_RELEASE %%PKG_RELEASE%%
ENV NGINX_VERSION=%%NGINX_VERSION%%
ENV PKG_RELEASE=%%PKG_RELEASE%%
ENV DYNPKG_RELEASE=%%DYNPKG_RELEASE%%

ARG UID=101
ARG GID=101
@@ -51,10 +52,11 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \
&& PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \
&& if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
@@ -66,7 +68,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -77,9 +79,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
25 changes: 8 additions & 17 deletions Dockerfile-alpine.template
@@ -1,7 +1,8 @@
ARG IMAGE=nginxinc/nginx-unprivileged:%%NGINX_VERSION%%-alpine-slim
FROM $IMAGE

ENV NJS_VERSION %%NJS_VERSION%%
ENV NJS_VERSION=%%NJS_VERSION%%
ENV NJS_RELEASE=%%NJS_RELEASE%%

ARG UID=101
ARG GID=101
@@ -18,17 +19,7 @@ RUN set -x \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
@@ -51,10 +42,11 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \
&& PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \
&& if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
@@ -66,7 +58,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -77,9 +69,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in curl and ca-certificates to make registering on DNS SD easier
&& apk add --no-cache curl ca-certificates

61 changes: 33 additions & 28 deletions Dockerfile-debian-perl.template
@@ -6,26 +6,9 @@ ARG GID=101

USER root

RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
RUN set -x; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages="%%PACKAGES%%
" \
&& case "$dpkgArch" in \
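Review bot: NGINX_GPGKEY_PATH now points at /etc/apt/keyrings/nginx-archive-keyring.gpg, but the code that created the keyring was removed from this RUN, so the file has to come from the base image. Add a comment saying so, and consider failing early with `[ -s "$NGINX_GPGKEY_PATH" ] || exit 1`, since a base image built before the move away from /usr/share/keyrings would leave the path dangling.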
@@ -36,24 +19,46 @@ RUN set -x \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published source packages
echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
\
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
&& tempDir="$(mktemp -d)" \
tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
# build .deb files from upstream's packaging sources
&& apt-get update \
&& apt-get build-dep -y %%BUILDTARGET%% \
&& apt-get install --no-install-recommends --no-install-suggests -y \
curl \
devscripts \
equivs \
git \
libxml2-utils \
lsb-release \
xsltproc \
&& ( \
cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile %%BUILDTARGET%% \
&& REVISION="%%REVISION%%" \
&& REVISION=${REVISION%~*} \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
&& PKGOSSCHECKSUM="%%PKGOSSCHECKSUM%% *${REVISION}.tar.gz" \
&& if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
echo "pkg-oss tarball checksum verification succeeded!"; \
else \
echo "pkg-oss tarball checksum verification failed!"; \
exit 1; \
fi \
&& tar xzvf ${REVISION}.tar.gz \
&& cd pkg-oss-${REVISION} \
&& cd debian \
&& for target in %%BUILDTARGET%%; do \
make rules-$target; \
mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
debuild-$target/nginx-$NGINX_VERSION/debian/control; \
done \
&& make %%BUILDTARGET%% \
) \
# we don't remove APT lists here because they get re-downloaded and removed later
\
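Review bot: Inside `for target in %%BUILDTARGET%%; do ... done` the two commands are separated by `;`, so a failing `make rules-$target` does not stop the build, and only the exit status of the `mk-build-deps` call in the final iteration reaches the surrounding `&&` chain. Join the two commands with `&&` and add `|| exit 1` inside the loop body. The `chmod 777 "$tempDir"` comment about APT's "_apt" user also looks stale now that `apt-get source` is gone from this branch.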
68 changes: 47 additions & 21 deletions Dockerfile-debian.template
@@ -3,9 +3,11 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ENV NGINX_VERSION %%NGINX_VERSION%%
ENV NJS_VERSION %%NJS_VERSION%%
ENV PKG_RELEASE %%PKG_RELEASE%%
ENV NGINX_VERSION=%%NGINX_VERSION%%
ENV NJS_VERSION=%%NJS_VERSION%%
ENV NJS_RELEASE=%%NJS_RELEASE%%
ENV PKG_RELEASE=%%PKG_RELEASE%%
ENV DYNPKG_RELEASE=%%DYNPKG_RELEASE%%

ARG UID=101
ARG GID=101
@@ -17,19 +19,21 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
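Review bot: `found=''` is initialised once, before `for NGINX_GPGKEY in $NGINX_GPGKEYS`, so after the first key is fetched `found` stays `yes` and the `test -z "$found"` check can no longer catch a failure to fetch the second or third key from either server. Reset `found=''` at the top of the outer loop. In addition, `gpg1 --export "$NGINX_GPGKEYS"` passes all three fingerprints as one quoted argument; leave the variable unquoted so each fingerprint is its own key specification, and check that the exported keyring is non-empty before removing GNUPGHOME.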
@@ -43,24 +47,46 @@ RUN set -x \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published source packages
echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
\
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
&& tempDir="$(mktemp -d)" \
tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
# build .deb files from upstream's packaging sources
&& apt-get update \
&& apt-get build-dep -y %%BUILDTARGET%% \
&& apt-get install --no-install-recommends --no-install-suggests -y \
curl \
devscripts \
equivs \
git \
libxml2-utils \
lsb-release \
xsltproc \
&& ( \
cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile %%BUILDTARGET%% \
&& REVISION="%%REVISION%%" \
&& REVISION=${REVISION%~*} \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
&& PKGOSSCHECKSUM="%%PKGOSSCHECKSUM%% *${REVISION}.tar.gz" \
&& if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
echo "pkg-oss tarball checksum verification succeeded!"; \
else \
echo "pkg-oss tarball checksum verification failed!"; \
exit 1; \
fi \
&& tar xzvf ${REVISION}.tar.gz \
&& cd pkg-oss-${REVISION} \
&& cd debian \
&& for target in %%BUILDTARGET%%; do \
make rules-$target; \
mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
debuild-$target/nginx-$NGINX_VERSION/debian/control; \
done \
&& make %%BUILDTARGET%% \
) \
# we don't remove APT lists here because they get re-downloaded and removed later
\
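Review bot: The comment change from "(which are verified by apt-get)" to "upstream's packaging sources" reflects that APT signature verification is no longer part of this path; the only integrity check on the downloaded tarball is the string comparison against %%PKGOSSCHECKSUM%%. Please document, in the template or next to the update script, where that value is generated and how it is reviewed, since it is now the sole trust anchor for architectures that take this branch.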
6 changes: 6 additions & 0 deletions README.md
@@ -32,6 +32,12 @@ Most images are built for the `amd64`, `arm32v5` (for Debian), `arm32v6` (for Al

## Troubleshooting Tips

* If you wish to use a different user ID and/or group ID when running the Docker Unprivileged image, rebuild the image using the following Docker build arguments:

```bash
docker build --build-arg UID=<UID> --build-arg GID=<GID> -t nginx-unprivileged .
```

* If you override the default `nginx.conf` file you may encounter various types of error messages:
* To fix `nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)`, you have to specify a valid `pid` location by adding the line `pid /tmp/nginx.pid;` at the top level of your config.
* To fix `nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)`, you have to specify a valid location for the various NGINX temporary paths by adding these lines within the `http` context:
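Review bot: The new `docker build --build-arg UID=<UID> --build-arg GID=<GID> -t nginx-unprivileged .` example does not say which directory to run it from; the Dockerfiles touched in this change live in per-variant directories such as mainline/alpine-slim/ and mainline/debian/, so `.` only works from inside one of them. Name the directory or show `-f`. "Docker Unprivileged image" in the same bullet would also read better as "NGINX Unprivileged image".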
3 changes: 3 additions & 0 deletions entrypoint/15-local-resolvers.envsh
@@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0

NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)

NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"

export NGINX_LOCAL_RESOLVERS
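Review bot: `NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"` is added without a comment. It strips the single trailing space that `ORS=" "` in the awk line leaves after the last nameserver; a one-line comment saying so would keep a later edit of the awk program from silently breaking the trim.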
36 changes: 13 additions & 23 deletions mainline/alpine-perl/Dockerfile
@@ -3,7 +3,7 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=nginxinc/nginx-unprivileged:1.25.4-alpine
ARG IMAGE=nginxinc/nginx-unprivileged:1.27.4-alpine
FROM $IMAGE

ARG UID=101
@@ -15,29 +15,19 @@ RUN set -x \
&& apkArch="$(cat /etc/apk/arch)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
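Review bot: The context comment `# install prerequisites for public key and pkg-oss checks` is stale after this hunk, because the public key download and the `sha512sum -c` check were removed and `openssl` is now only used for the pkg-oss tarball checksum. Since this file is marked "PLEASE DO NOT EDIT IT DIRECTLY", update the comment in the template it is generated from.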
@@ -57,11 +47,12 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
@@ -72,7 +63,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-perl \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -83,8 +74,7 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi

USER $UID
3 changes: 3 additions & 0 deletions mainline/alpine-slim/15-local-resolvers.envsh
@@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0

NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)

NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"

export NGINX_LOCAL_RESOLVERS
19 changes: 10 additions & 9 deletions mainline/alpine-slim/Dockerfile
@@ -3,13 +3,14 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=alpine:3.18
ARG IMAGE=alpine:3.21
FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ENV NGINX_VERSION 1.25.4
ENV PKG_RELEASE 1
ENV NGINX_VERSION=1.27.4
ENV PKG_RELEASE=1
ENV DYNPKG_RELEASE=1

ARG UID=101
ARG GID=101
@@ -57,11 +58,12 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
@@ -72,7 +74,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make base \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -83,9 +85,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
37 changes: 14 additions & 23 deletions mainline/alpine/Dockerfile
@@ -3,10 +3,11 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=nginxinc/nginx-unprivileged:1.25.4-alpine-slim
ARG IMAGE=nginxinc/nginx-unprivileged:1.27.4-alpine-slim
FROM $IMAGE

ENV NJS_VERSION 0.8.3
ENV NJS_VERSION=0.8.9
ENV NJS_RELEASE=1

ARG UID=101
ARG GID=101
@@ -17,28 +18,18 @@ RUN set -x \
&& apkArch="$(cat /etc/apk/arch)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
@@ -61,11 +52,12 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
@@ -76,7 +68,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-geoip module-image-filter module-njs module-xslt \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -87,9 +79,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in curl and ca-certificates to make registering on DNS SD easier
&& apk add --no-cache curl ca-certificates

73 changes: 39 additions & 34 deletions mainline/debian-perl/Dockerfile
@@ -3,41 +3,24 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=nginxinc/nginx-unprivileged:1.25.4
ARG IMAGE=nginxinc/nginx-unprivileged:1.27.4
FROM $IMAGE

ARG UID=101
ARG GID=101

USER root

RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
RUN set -x; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
" \
&& case "$dpkgArch" in \
amd64|arm64) \
@@ -47,24 +30,46 @@ RUN set -x \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published source packages
echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \
\
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
&& tempDir="$(mktemp -d)" \
tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
# build .deb files from upstream's packaging sources
&& apt-get update \
&& apt-get build-dep -y nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
&& apt-get install --no-install-recommends --no-install-suggests -y \
curl \
devscripts \
equivs \
git \
libxml2-utils \
lsb-release \
xsltproc \
&& ( \
cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
&& REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \
&& REVISION=${REVISION%~*} \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
&& PKGOSSCHECKSUM="973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${REVISION}.tar.gz" \
&& if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
echo "pkg-oss tarball checksum verification succeeded!"; \
else \
echo "pkg-oss tarball checksum verification failed!"; \
exit 1; \
fi \
&& tar xzvf ${REVISION}.tar.gz \
&& cd pkg-oss-${REVISION} \
&& cd debian \
&& for target in module-perl; do \
make rules-$target; \
mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
debuild-$target/nginx-$NGINX_VERSION/debian/control; \
done \
&& make module-perl \
) \
# we don't remove APT lists here because they get re-downloaded and removed later
\
3 changes: 3 additions & 0 deletions mainline/debian/15-local-resolvers.envsh
@@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0

NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)

NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"

export NGINX_LOCAL_RESOLVERS
76 changes: 51 additions & 25 deletions mainline/debian/Dockerfile
@@ -8,9 +8,11 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ENV NGINX_VERSION 1.25.4
ENV NJS_VERSION 0.8.3
ENV PKG_RELEASE 1~bookworm
ENV NGINX_VERSION=1.27.4
ENV NJS_VERSION=0.8.9
ENV NJS_RELEASE=1~bookworm
ENV PKG_RELEASE=1~bookworm
ENV DYNPKG_RELEASE=1~bookworm

ARG UID=101
ARG GID=101
@@ -22,28 +24,30 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
" \
&& case "$dpkgArch" in \
amd64|arm64) \
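Review bot: `found=''` is set once before the new outer `for NGINX_GPGKEY in $NGINX_GPGKEYS` loop and never reset, so after the first key is fetched the `test -z "$found"` check can no longer fail and a missing second or third key goes unreported. Reset `found=''` at the top of each outer iteration. Separately, `gpg1 --export "$NGINX_GPGKEYS"` is quoted, so the three fingerprints reach gpg1 as one argument rather than three key specifiers; drop the quotes there (or export the whole temporary keyring, which holds only these keys) and confirm the resulting keyring contains all three.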
@@ -53,24 +57,46 @@ RUN set -x \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published source packages
echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \
\
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
&& tempDir="$(mktemp -d)" \
tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
# build .deb files from upstream's packaging sources
&& apt-get update \
&& apt-get build-dep -y $nginxPackages \
&& apt-get install --no-install-recommends --no-install-suggests -y \
curl \
devscripts \
equivs \
git \
libxml2-utils \
lsb-release \
xsltproc \
&& ( \
cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile $nginxPackages \
&& REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \
&& REVISION=${REVISION%~*} \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
&& PKGOSSCHECKSUM="973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${REVISION}.tar.gz" \
&& if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
echo "pkg-oss tarball checksum verification succeeded!"; \
else \
echo "pkg-oss tarball checksum verification failed!"; \
exit 1; \
fi \
&& tar xzvf ${REVISION}.tar.gz \
&& cd pkg-oss-${REVISION} \
&& cd debian \
&& for target in base module-geoip module-image-filter module-njs module-xslt; do \
make rules-$target; \
mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
debuild-$target/nginx-$NGINX_VERSION/debian/control; \
done \
&& make base module-geoip module-image-filter module-njs module-xslt \
) \
# we don't remove APT lists here because they get re-downloaded and removed later
\
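Review bot: The context lines keep `chmod 777 "$tempDir"` and its comment about APT's "_apt" user, but this hunk removes the deb-src entry and the `apt-get source --compile` call, which were the only _apt consumers of that directory visible here. A world-writable build directory is no longer justified by the stated reason; tighten the mode or update the comment to say what still needs 777. The `git` package in the new install list also has no use visible in this hunk, so note what requires it.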
42 changes: 16 additions & 26 deletions stable/alpine-perl/Dockerfile
@@ -3,7 +3,7 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=nginxinc/nginx-unprivileged:1.24.0-alpine
ARG IMAGE=nginxinc/nginx-unprivileged:1.26.3-alpine
FROM $IMAGE

ARG UID=101
@@ -15,29 +15,19 @@ RUN set -x \
&& apkArch="$(cat /etc/apk/arch)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
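Review bot: With the KEY_SHA512 check and the nginx_signing.rsa.pub download removed from the x86_64|aarch64 branch, `apk add -X https://nginx.org/packages/alpine/...` depends on a signing key that must already be in /etc/apk/keys from the base image, and nothing in this file says so or checks it. Add a comment stating where the key comes from, or test for /etc/apk/keys/nginx_signing.rsa.pub before the install so the failure is explicit.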
@@ -57,22 +47,23 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/e5d85b3424bb.tar.gz \
&& PKGOSSCHECKSUM=\"4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b *e5d85b3424bb.tar.gz\" \
&& if [ \"\$(openssl sha512 -r e5d85b3424bb.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
echo \"pkg-oss tarball checksum verification failed!\"; \
exit 1; \
fi \
&& tar xzvf e5d85b3424bb.tar.gz \
&& cd pkg-oss-e5d85b3424bb \
&& tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-perl \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
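Review bot: `apk index --allow-untrusted` is added with no comment explaining why signature checks are relaxed at this step. The packages being indexed were just built locally and the index is signed by abuild-sign on the next line, so the flag looks deliberate; say that in a comment so it is not later copied to an `apk add` against a remote repository.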
@@ -83,8 +74,7 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi

USER $UID
3 changes: 3 additions & 0 deletions stable/alpine-slim/15-local-resolvers.envsh
@@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0

NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)

NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"

export NGINX_LOCAL_RESOLVERS
25 changes: 13 additions & 12 deletions stable/alpine-slim/Dockerfile
@@ -3,13 +3,14 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=alpine:3.18
ARG IMAGE=alpine:3.20
FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ENV NGINX_VERSION 1.24.0
ENV PKG_RELEASE 1
ENV NGINX_VERSION=1.26.3
ENV PKG_RELEASE=1
ENV DYNPKG_RELEASE=2

ARG UID=101
ARG GID=101
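Review bot: `ARG IMAGE=alpine:3.20` moves the base to a newer floating tag, and a tag can be repointed between builds, so two builds of this Dockerfile may start from different layers. If reproducible builds matter for this image, pin the digest alongside the tag (alpine:3.20@sha256:<digest>) and let the update tooling bump both.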
@@ -57,22 +58,23 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/e5d85b3424bb.tar.gz \
&& PKGOSSCHECKSUM=\"4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b *e5d85b3424bb.tar.gz\" \
&& if [ \"\$(openssl sha512 -r e5d85b3424bb.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
echo \"pkg-oss tarball checksum verification failed!\"; \
exit 1; \
fi \
&& tar xzvf e5d85b3424bb.tar.gz \
&& cd pkg-oss-e5d85b3424bb \
&& tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make base \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -83,9 +85,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
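Review bot: Dropping the `rm -f /etc/apk/keys/nginx_signing.rsa.pub` line means the nginx.org signing key is no longer removed at the end of this RUN and stays in /etc/apk/keys in the published image. If that is intended so that derived images can install from nginx.org without fetching the key again, state it in the comment above. The switch to `-n "$tempDir"` and to `-f` on the abuild key otherwise reads correctly.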
43 changes: 17 additions & 26 deletions stable/alpine/Dockerfile
@@ -3,10 +3,11 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=nginxinc/nginx-unprivileged:1.24.0-alpine-slim
ARG IMAGE=nginxinc/nginx-unprivileged:1.26.3-alpine-slim
FROM $IMAGE

ENV NJS_VERSION 0.8.0
ENV NJS_VERSION=0.8.9
ENV NJS_RELEASE=1

ARG UID=101
ARG GID=101
@@ -17,28 +18,18 @@ RUN set -x \
&& apkArch="$(cat /etc/apk/arch)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
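Review bot: The context lines still install openssl as .checksum-deps under the comment "install prerequisites for public key and pkg-oss checks", but this hunk removes the public key check, so on x86_64|aarch64 the package is installed without being used. Move the `apk add --virtual .checksum-deps openssl` into the source-build branch, or at least update the comment to mention only the pkg-oss check.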
@@ -61,22 +52,23 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/e5d85b3424bb.tar.gz \
&& PKGOSSCHECKSUM=\"4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b *e5d85b3424bb.tar.gz\" \
&& if [ \"\$(openssl sha512 -r e5d85b3424bb.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
echo \"pkg-oss tarball checksum verification failed!\"; \
exit 1; \
fi \
&& tar xzvf e5d85b3424bb.tar.gz \
&& cd pkg-oss-e5d85b3424bb \
&& tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-geoip module-image-filter module-njs module-xslt \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -87,9 +79,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in curl and ca-certificates to make registering on DNS SD easier
&& apk add --no-cache curl ca-certificates

75 changes: 40 additions & 35 deletions stable/debian-perl/Dockerfile
@@ -3,68 +3,73 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=nginxinc/nginx-unprivileged:1.24.0
ARG IMAGE=nginxinc/nginx-unprivileged:1.26.3
FROM $IMAGE

ARG UID=101
ARG GID=101

USER root

RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
RUN set -x; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-perl=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
" \
&& case "$dpkgArch" in \
amd64|arm64) \
# arches officialy built by upstream
echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \
echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \
&& apt-get update \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published source packages
echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \
\
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
&& tempDir="$(mktemp -d)" \
tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
# build .deb files from upstream's packaging sources
&& apt-get update \
&& apt-get build-dep -y nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
&& apt-get install --no-install-recommends --no-install-suggests -y \
curl \
devscripts \
equivs \
git \
libxml2-utils \
lsb-release \
xsltproc \
&& ( \
cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \
&& REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \
&& REVISION=${REVISION%~*} \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
&& PKGOSSCHECKSUM="3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${REVISION}.tar.gz" \
&& if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
echo "pkg-oss tarball checksum verification succeeded!"; \
else \
echo "pkg-oss tarball checksum verification failed!"; \
exit 1; \
fi \
&& tar xzvf ${REVISION}.tar.gz \
&& cd pkg-oss-${REVISION} \
&& cd debian \
&& for target in module-perl; do \
make rules-$target; \
mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
debuild-$target/nginx-$NGINX_VERSION/debian/control; \
done \
&& make module-perl \
) \
# we don't remove APT lists here because they get re-downloaded and removed later
\
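Review bot: NGINX_GPGKEY_PATH now points at /etc/apt/keyrings/nginx-archive-keyring.gpg, but with the gnupg1 fetch and export removed this file no longer creates that keyring, so the `signed-by=` entry in the amd64|arm64 branch depends on the base image having shipped it. Add a comment naming the base image as the source of the keyring, or a `[ -s "$NGINX_GPGKEY_PATH" ]` check before writing nginx.list, so a base image without it fails with a clear message. In the source-build branch the variable is now unused because the deb-src line is gone.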
3 changes: 3 additions & 0 deletions stable/debian/15-local-resolvers.envsh
@@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0

NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf)

NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"

export NGINX_LOCAL_RESOLVERS
80 changes: 53 additions & 27 deletions stable/debian/Dockerfile
@@ -3,14 +3,16 @@
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
ARG IMAGE=debian:bullseye-slim
ARG IMAGE=debian:bookworm-slim
FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"

ENV NGINX_VERSION 1.24.0
ENV NJS_VERSION 0.8.0
ENV PKG_RELEASE 1~bullseye
ENV NGINX_VERSION=1.26.3
ENV NJS_VERSION=0.8.9
ENV NJS_RELEASE=1~bookworm
ENV PKG_RELEASE=1~bookworm
ENV DYNPKG_RELEASE=2~bookworm

ARG UID=101
ARG GID=101
@@ -22,55 +24,79 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
" \
&& case "$dpkgArch" in \
amd64|arm64) \
# arches officialy built by upstream
echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \
echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \
&& apt-get update \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published source packages
echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \
\
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
&& tempDir="$(mktemp -d)" \
tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
# build .deb files from upstream's packaging sources
&& apt-get update \
&& apt-get build-dep -y $nginxPackages \
&& apt-get install --no-install-recommends --no-install-suggests -y \
curl \
devscripts \
equivs \
git \
libxml2-utils \
lsb-release \
xsltproc \
&& ( \
cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile $nginxPackages \
&& REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \
&& REVISION=${REVISION%~*} \
&& curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
&& PKGOSSCHECKSUM="3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${REVISION}.tar.gz" \
&& if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
echo "pkg-oss tarball checksum verification succeeded!"; \
else \
echo "pkg-oss tarball checksum verification failed!"; \
exit 1; \
fi \
&& tar xzvf ${REVISION}.tar.gz \
&& cd pkg-oss-${REVISION} \
&& cd debian \
&& for target in base module-geoip module-image-filter module-njs module-xslt; do \
make rules-$target; \
mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
debuild-$target/nginx-$NGINX_VERSION/debian/control; \
done \
&& make base module-geoip module-image-filter module-njs module-xslt \
) \
# we don't remove APT lists here because they get re-downloaded and removed later
\
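Review bot: In the new `for target in ...; do make rules-$target; mk-build-deps ...; done` loop the two commands are separated by `;` and the RUN only sets `set -x`, so a failing `make rules-$target`, or a failing `mk-build-deps` for any target but the last, does not stop the `&&` chain. Join the two commands with `&&` and add `|| exit 1` inside the loop so a broken build-dependency step fails at its source instead of surfacing later in `make base ...`.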
82 changes: 56 additions & 26 deletions update.sh
@@ -2,7 +2,7 @@
set -Eeuo pipefail
shopt -s nullglob

cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
cd "$(dirname "$(greadlink -f "$BASH_SOURCE")")"

declare branches=(
"stable"
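Review bot: `greadlink` is the name GNU readlink gets when coreutils is installed with a g prefix, and the `cd` line now calls it unconditionally. On a system that only has `readlink` the inner command fails, `dirname` receives an empty string, and the script carries on from whatever directory it was started in. Resolve the tool once, for example `readlink_bin=$(command -v greadlink || command -v readlink)`, and use that here; the same applies to the `gsed -i` call further down in this file.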
@@ -12,48 +12,62 @@ declare branches=(
# Current nginx versions
# Remember to update pkgosschecksum when changing this.
declare -A nginx=(
[mainline]='1.25.4'
[stable]='1.24.0'
[mainline]='1.27.4'
[stable]='1.26.3'
)

# Current njs versions
declare -A njs=(
[mainline]='0.8.3'
[stable]='0.8.0'
[mainline]='0.8.9'
[stable]='0.8.9'
)

# Current package patchlevel version
# Current njs patchlevel version
# Remember to update pkgosschecksum when changing this.
declare -A njspkg=(
[mainline]='1'
[stable]='1'
)

# Current nginx package patchlevel version
# Remember to update pkgosschecksum when changing this.
declare -A pkg=(
[mainline]=1
[stable]=1
)

# Current built-in dynamic modules package patchlevel version
# Remember to update pkgosschecksum when changing this
declare -A dynpkg=(
[mainline]=1
[stable]=2
)

declare -A debian=(
[mainline]='bookworm'
[stable]='bullseye'
[stable]='bookworm'
)

declare -A alpine=(
[mainline]='3.18'
[stable]='3.18'
[mainline]='3.21'
[stable]='3.20'
)

# When we bump njs version in a stable release we don't move the tag in the
# mercurial repo. This setting allows us to specify a revision to check out
# when building alpine packages on architectures not supported by nginx.org
# pkg-oss repo. This setting allows us to specify a revision to check out
# when building packages on architectures not supported by nginx.org
# Remember to update pkgosschecksum when changing this.
declare -A rev=(
[mainline]='${NGINX_VERSION}-${PKG_RELEASE}'
[stable]='e5d85b3424bb'
[stable]='${NGINX_VERSION}-${PKG_RELEASE}'
)

# Holds SHA512 checksum for the pkg-oss tarball produced by source code
# revision/tag in the previous block
# Used in alpine builds for architectures not packaged by nginx.org
# Used in builds for architectures not packaged by nginx.org
declare -A pkgosschecksum=(
[mainline]='79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3'
[stable]='4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b'
[mainline]='973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845'
[stable]='3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea'
)

get_packages() {
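Review bot: rev[stable] now resolves to ${NGINX_VERSION}-${PKG_RELEASE} while dynpkg[stable] is 2 and pkg[stable] is 1, so the source-build path fetches the pkg-oss tag for release 1 but the package lists pin the dynamic modules at ${DYNPKG_RELEASE}. Please confirm that tag builds module packages at release 2; otherwise the build on architectures without upstream packages produces versions the pinned install will not find. The "Remember to update pkgosschecksum" comments on njspkg and dynpkg are also misleading as written, because the checksum follows rev, which depends only on the nginx version and pkg.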
@@ -89,11 +103,14 @@ get_packages() {
done
;;
*)
for p in nginx nginx-module-xslt nginx-module-geoip nginx-module-image-filter $perl; do
for p in nginx; do
echo -n ' '"$p"'=${NGINX_VERSION}-'"$r"'${PKG_RELEASE} \\\n'
done
for p in nginx-module-xslt nginx-module-geoip nginx-module-image-filter $perl; do
echo -n ' '"$p"'=${NGINX_VERSION}-'"$r"'${DYNPKG_RELEASE} \\\n'
done
for p in nginx-module-njs; do
echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${NJS_VERSION}-'"$r"'${PKG_RELEASE} \\'
echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${NJS_VERSION}-'"$r"'${NJS_RELEASE} \\'
done
;;
esac
@@ -116,11 +133,23 @@ get_packagever() {
shift
local branch="$1"
shift
local package="$1"
shift
local suffix=

[ "${distro}" = "debian" ] && suffix="~${debianver}"

echo ${pkg[$branch]}${suffix}
case "${package}" in
"njs")
echo ${njspkg[$branch]}${suffix}
;;
"dyn")
echo ${dynpkg[$branch]}${suffix}
;;
*)
echo ${pkg[$branch]}${suffix}
;;
esac
}

get_buildtarget() {
@@ -129,17 +158,14 @@ get_buildtarget() {
alpine-slim)
echo base
;;
alpine-perl)
echo module-perl
;;
alpine)
echo module-geoip module-image-filter module-njs module-xslt
;;
debian)
echo "\$nginxPackages"
echo base module-geoip module-image-filter module-njs module-xslt
;;
debian-perl)
echo "nginx-module-perl=\${NGINX_VERSION}-\${PKG_RELEASE}"
*-perl)
echo module-perl
;;
esac
}
@@ -179,14 +205,18 @@ for branch in "${branches[@]}"; do

packagerepo=$(get_packagerepo "$variant" "$branch")
packages=$(get_packages "$variant" "$branch")
packagever=$(get_packagever "$variant" "$branch")
packagever=$(get_packagever "$variant" "$branch" "any")
njspkgver=$(get_packagever "$variant" "$branch" "njs")
dynpkgver=$(get_packagever "$variant" "$branch" "dyn")
buildtarget=$(get_buildtarget "$variant")

sed -i \
gsed -i \
-e 's,%%ALPINE_VERSION%%,'"$alpinever"',' \
-e 's,%%DEBIAN_VERSION%%,'"$debianver"',' \
-e 's,%%DYNPKG_RELEASE%%,'"$dynpkgver"',' \
-e 's,%%NGINX_VERSION%%,'"$nginxver"',' \
-e 's,%%NJS_VERSION%%,'"$njsver"',' \
-e 's,%%NJS_RELEASE%%,'"$njspkgver"',' \
-e 's,%%PKG_RELEASE%%,'"$packagever"',' \
-e 's,%%PACKAGES%%,'"$packages"',' \
-e 's,%%PACKAGEREPO%%,'"$packagerepo"',' \