Merge pull request #85 from adobejmong/ETHOS-36876

feat(ETHOS-36876): Add new Ubuntu 22.04, Replace nginx installation, Add njs module (ubuntu only)

Author: adobejmong

.github/workflows/ci.yml

@@ -11,6 +11,7 @@ jobs:
       matrix:
         props:
         - Dockerfile: Dockerfile
+        - Dockerfile: Dockerfile-ubuntu-22.04
         # - Dockerfile: Dockerfile-alpine
         # - Dockerfile: Dockerfile-centos
         platform:

.github/workflows/publish.yml

@@ -16,10 +16,14 @@ jobs:
         # This is the default variant-less distribution (ex. 3.2.1)
         - Dockerfile: Dockerfile
         # Variant distributions below all have semantic versions + suffix (ex. 3.2.1-alpine)
+        # Alpine is deprecated
         - Dockerfile: Dockerfile-alpine
           suffix: alpine
+        # CentOS is deprecated
         - Dockerfile: Dockerfile-centos
           suffix: centos
+        - Dockerfile: Dockerfile-ubuntu-22.04
+          suffix: ubuntu-22.04
     steps:
       -
         name: Checkout

Dockerfile-alpine

@@ -1,3 +1,7 @@
+################################################################################
+# The AlpineOS flavor is DEPRECATED and will be removed in a future release
+# Please stop using this variant and use the Ubuntu flavor instead
+################################################################################
 FROM behance/docker-base:5.0.1-alpine
 
 # Use in multi-phase builds, when an init process requests for the container to gracefully exit, so that it may be committed

Dockerfile-centos

@@ -1,3 +1,7 @@
+################################################################################
+# The CentOS flavor is DEPRECATED and will be removed in a future release
+# Please stop using this variant and use the Ubuntu flavor instead
+################################################################################
 FROM behance/docker-base:5.0.1-centos-7
 
 # Use in multi-phase builds, when an init process requests for the container to gracefully exit, so that it may be committed

Dockerfile-ubuntu-22.04

@@ -0,0 +1,70 @@
+FROM behance/docker-base:5.1.0-ubuntu-22.04 AS base
+
+### Stage 1 - add/remove packages ###
+
+# Ensure scripts are available for use in next command
+COPY ./container/root/scripts/* /scripts/
+
+# Env vars used during the build process
+ENV CONTAINER_PORT=8080 \
+    CONF_NGINX_SITE="/etc/nginx/sites-available/default" \
+    NOT_ROOT_USER=www-data
+
+# - Update security packages, plus ca-certificates required for https
+# - Install nginx
+# - Install njs
+RUN /bin/bash -e /security_updates.sh && \
+    /bin/bash -e /scripts/install_nginx.sh && \
+    /bin/bash -e /scripts/install_njs.sh
+
+# Overlay the root filesystem from this repo
+COPY --chown=www-data ./container/root /
+
+# Set nginx to listen on defined port
+#
+# NOTE: order of operations is important, new config had to already installed
+# from repo (above)
+#
+# - Make temp directory for .nginx runtime files
+# - Fix woff mime type support
+# - Set permissions to allow image to be run under a non root user
+RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \
+    mkdir /tmp/.nginx && \
+    /bin/bash -e /scripts/fix_woff_support.sh && \
+    /bin/bash -e /scripts/set_permissions.sh
+
+# Clean up
+RUN /bin/bash -e /scripts/cleanup.sh && \
+    /bin/bash -e /clean.sh
+
+### Stage 2 --- collapse layers ###
+
+FROM scratch
+COPY --from=base / .
+
+# Using a non-privileged port to prevent having to use setcap internally
+EXPOSE ${CONTAINER_PORT}
+
+# Env vars used during runtime
+ENV CONTAINER_ROLE=web \
+    CONTAINER_PORT=8080 \
+    CONF_NGINX_SITE="/etc/nginx/sites-available/default" \
+    CONF_NGINX_SERVER="/etc/nginx/nginx.conf" \
+    NOT_ROOT_USER=www-data
+
+# Use in multi-phase builds, when an init process requests for the container
+# to gracefully exit, so that it may be committed
+#
+# Used with alternative CMD (worker.sh), leverages supervisor to maintain
+# long-running processes
+ENV SIGNAL_BUILD_STOP=99 \
+    S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
+    S6_KILL_FINISH_MAXTIME=55000 \
+    S6_KILL_GRACETIME=3000
+
+RUN goss -g /tests/ubuntu/nginx.goss.yaml validate && \
+    /aufs_hack.sh
+
+# NOTE: intentionally NOT using s6 init as the entrypoint
+# This would prevent container debugging if any of those service crash
+CMD ["/bin/bash", "/run.sh"]

Makefile

@@ -0,0 +1,17 @@
+.PHONY: all
+
+IMAGE_NAME ?= docker-nginx
+OS_FAMILY ?= ubuntu-22.04
+PLATFORM ?= linux/amd64
+VERSION ?= test
+
+# Create
+IMAGE_TAG ?= $(VERSION)-$(OS_FAMILY)
+
+default: build
+
+build:
+	docker build --platform $(PLATFORM) -t $(IMAGE_NAME):$(IMAGE_TAG) -f Dockerfile-$(OS_FAMILY) .
+
+clean-room:
+	docker system prune -a -f --volumes

README.md

@@ -4,133 +4,39 @@ https://hub.docker.com/r/behance/docker-nginx/tags/
 
 Provides base OS, patches and stable nginx for quick and easy spinup.
 
-- Ubuntu used by default
-- Alpine builds available tagged as `-alpine`
-- Centos builds available tagged as `-centos`
+- Ubuntu 22.04 used by default
+- Alpine builds available tagged as `-alpine` **DEPRECATED**
+- Centos builds available tagged as `-centos` **DEPRECATED**
 
-
-[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation
+[S6](https://github.com/just-containers/s6-overlay) process supervisor is used
+for `only` for zombie reaping (as PID 1), boot coordination, and termination
+signal translation
 
 [Goss](https://github.com/aelsabbahy/goss) is used for build-time testing.
 
-See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration
-
-
-### Expectations
-
-- Applications must copy their html/app into the `/var/www/html` folder
-- Any new script/file that needs to be added must be given proper permissions/ownership to the non root user through `container/root/scripts/set_permissions.sh`. This is to ensure that the image can be run under a non root user.
--   NOTE: Nginx is exposed and bound to an unprivileged port, `8080`
-
-
-### Container Security
-
-See parent [configuration](https://github.com/behance/docker-base#security)
-
-
-### HTTPS usage
-
-To enable this container to serve HTTPS over its primary exposed port:
-- `SERVER_ENABLE_HTTPS` environment variable must be `true`
-- Certificates must be present in `/etc/nginx/certs` under the following names:
-    - `ca.crt`
-    - `ca.key`
-- Additionally, they must be marked read-only (0600)
-
-#### Local development usage
-
-To generate a self-signed certificate (won't work in most browsers):
-```
-openssl genrsa -out ca.key 2048
-openssl req -new -key ca.key -out ca.csr -subj '/CN=localhost'
-openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
-```
-
-Run the image in background, bind external port (443), flag HTTPS enabled, mount certificate:
-```
-docker run \
-  -d
-  -p 443:8080 \
-  -e SERVER_ENABLE_HTTPS=true \
-  -v {directory-containing-ca.crt-and-ca.key}:/etc/nginx/certs:ro
-  behance/docker-nginx
-```
-
-Test
-```
-curl -k -vvv https://{your-docker-machine-ip}
-```
-
-
-### Environment Variables
-
-Variable | Example | Description
---- | --- | ---
-SERVER_MAX_BODY_SIZE | SERVER_MAX_BODY_SIZE=4M | Allows the downstream application to specify a non-default `client_max_body_size` configuration for the `server`-level directive in `/etc/nginx/sites-available/default`
-SERVER_INDEX | SERVER_INDEX index.html index.html index.php | Changes the default pages to hit for folder and web roots
-SERVER_APP_NAME | SERVER_APP_NAME='view' | Gets appended to the default logging format
-SERVER_GZIP_OPTIONS | SERVER_GZIP_OPTIONS=1 | Allows default set of static content to be served gzipped
-SERVER_SENDFILE | SERVER_SENDFILE=off | Allows runtime to specify value of nginx's `sendfile` (default, on)
-SERVER_ENABLE_HTTPS | SERVER_ENABLE_HTTPS=true | Enable encrypted transmission using certificates
-SERVER_KEEPALIVE | SERVER_KEEPALIVE=30 | Define HTTP 1.1's keepalive timeout
-SERVER_WORKER_PROCESSES | SERVER_WORKER_PROCESSES=4 | Set to the number of cores in the machine, or the number of cores allocated to container
-SERVER_WORKER_CONNECTIONS | SERVER_WORKER_CONNECTIONS=2048 | Sets up the number of connections for worker processes
-SERVER_CLIENT_HEADER_BUFFER_SIZE | SERVER_CLIENT_HEADER_BUFFER_SIZE=16k | [docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size)
-SERVER_LARGE_CLIENT_HEADER_BUFFERS | SERVER_LARGE_CLIENT_HEADER_BUFFERS=8 16k | [docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers)
-SERVER_CLIENT_BODY_BUFFER_SIZE | SERVER_CLIENT_BODY_BUFFER_SIZE=128k | [docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size)
-SERVER_LOG_MINIMAL | SERVER_LOG_MINIMAL=1 | Minimize the logging format, appropriate for development environments
-S6_KILL_FINISH_MAXTIME | S6_KILL_FINISH_MAXTIME=55000 | The maximum time (in ms) a script in /etc/cont-finish.d could take before sending a KILL signal to it. Take into account that this parameter will be used per each script execution, it's not a max time for the whole set of scripts. This value has a max of 65535 on Alpine variants.
-S6_KILL_GRACETIME | S6_KILL_GRACETIME=500 | Wait time (in ms) for S6 finish scripts before sending kill signal
-
-
-### Startup/Runtime Modification
-
-- Environment variables are used to drive nginx configuration at runtime
-- See [here](https://github.com/behance/docker-base#startupruntime-modification) for more advanced options
-
-### Shutdown Behavior
-
-Graceful shutdown is handled as part of the [existing](https://github.com/behance/docker-base#shutdown-behavior) S6 termination process, using a `/etc/cont-finish.d` script.
-Nginx will attempt to drain active workers, while rejecting new connections. The drain timeout is controlled by `S6_KILL_FINISH_MAXTIME`, which corresponds to the length of time the supervisor will wait for the script to run during shutdown. This value defaults to 55s, which deliberately `less` than an downstream load balancers default max connection length (60s). Each upstream's timeout must be less than the downstream, for sanity and lack of timing precision.
-
-### Long-running processes (workers + crons)
-
-- See parent [configuration](https://github.com/behance/docker-base#long-running-processes-workers--crons) on reusing container for other purposes.
-
-
-### Container Organization
-
-Besides the instructions contained in the Dockerfile, the majority of this
-container's use is in configuration and process. The `./container/root` repo directory is overlayed into a container during build. Adding additional files
-to the folders in there will be present in the final image.
-
-Nginx is currently set up as an S6 service in `/etc/services-available/nginx`, during default environment conditions, it will symlink itself to be supervised under `/etc/services.d/nginx`. When running under worker entrypoint (`worker.sh`), it will not be S6's `service.d` folder to be supervised.
-
-
-### Release Management
-
-Github actions provide the machinery for testing (ci.yaml) and producing tags distributed through Docker Hub (publish.yaml). Testing will confirm that `nginx` is able to serve content in various configurations, but also that it can terminate TLS with self-signed certificates. Once a tested and approved PR is merged, simply cutting a new semantically-versioned tag will generate the following matrix of tagged builds:
-- `[major].[minor].[patch](?-variant)`
-- `[major].[minor](?-variant)`
-- `[major](?-variant)`
-Platform support is available for architectures:
-- `linux/arm64`
-- `linux/amd64`
+See parent(s) [docker-base](https://github.com/behance/docker-base) for
+additional configuration
 
-To add new variant based on a new Dockerfile, add an entry to `matrix.props` within `./github/workflows` YAML files.
+# Expectations
 
-### Github Actions: Simulation
+NOTE: Nginx is exposed and bound to an unprivileged port, `8080`
 
-docker-nginx uses Github Actions for CI/CD. Simulated workflows can be achieved locally with `act`. All commands must be executes from repository root.
+* Applications must copy their html/app into the `/var/www/html` folder
 
-Pre-reqs: tested on Mac
-1. [Docker Desktop](https://www.docker.com/products/docker-desktop)
-1. [act](https://github.com/nektos/act)
+* Any new script/file that needs to be added must be given proper permissions /
+ownership to the non root user through `container/root/scripts/set_permissions.sh`.
+This is to ensure that the image can be run under a non root user.
 
-Pull request simulation: executes successfully, but only on ARM devices (ex. Apple M1). ARM emulation through QEMU on X64 machines does not implement the full kernel functionality required by nginx at this time.
-- `act pull_request`
+# Quick Start
 
-Publish simulation: executes, but fails (intentionally) without credentials
-- `act`
+See [Quick Start](docs/quick_start.md)
 
+# Docs
 
+* [Container Organization](docs/container_organization.md)
+* [Container Security](docs/container_security.md)
+* [Environment Variables](docs/env_vars.md)
+* [Long-running processes (workers + crons)](docs/long_running.md)
+* [Shutdown Behavior](docs/shutdown_behavior.md)
+* [Release Management](docs/release_management.md)
+* [Troubleshooting](docs/troubleshooting.md)

container/root/etc/cont-init.d/10-nginx-config.sh

@@ -83,3 +83,9 @@ then
   # Add SSL to listen directive
   sed -i "s/^[ ]*listen ${CONTAINER_PORT}/  listen ${CONTAINER_PORT} ssl/" $CONF_NGINX_SITE
 fi
+
+if [[ $SERVER_ENABLE_NGX_HTTP_JS ]];
+then
+  echo "[nginx] enabling nginx njs module"
+  sed -i "s/#load_module/load_module/" $CONF_NGINX_SERVER
+fi

container/root/etc/nginx/nginx.conf

@@ -19,6 +19,9 @@ error_log /dev/stdout warn;
 # Number of file descriptors used for nginx
 worker_rlimit_nofile 40000;
 
+# Set SERVER_ENABLE_NGX_HTTP_JS=true to enable this module
+#load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
+
 
 events {
     # Optimized to serve many clients with each thread, essential for linux

container/root/scripts/cleanup.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+###############################################################################
+# Remove any uneeded packages that we install that is not during runtime
+###############################################################################
+
+# Running python will generate .pyc files and it will prevent the folder
+# from being deleted. Sample warning:
+#
+# dpkg: warning: while removing python3.10, 
+# directory '/usr/lib/python3/dist-packages' not empty so not removed
+[[ -d /usr/lib/python3/dist-packages ]] && rm -rf /usr/lib/python3/dist-packages
+
+# Remove unused packages that should not be in the final image
+apt-get remove --purge -yq \
+  curl \
+  gnupg2 \
+  lsb-release \
+  manpages \
+  manpages-dev \
+  man-db \
+  patch \
+  make \
+  unattended-upgrades \
+  python*