Converted to rootless
parent
330f62e1eb
commit
521d37d0fb
35
Dockerfile
35
Dockerfile
|
@ -26,12 +26,10 @@ RUN ./configure --prefix=/usr/share/nginx \
|
|||
--conf-path=/etc/nginx/nginx.conf \
|
||||
--error-log-path=/var/log/nginx/error.log \
|
||||
--http-log-path=/var/log/nginx/access.log \
|
||||
--pid-path=/run/nginx.pid \
|
||||
--pid-path=/tmp/nginx.pid \
|
||||
--lock-path=/run/lock/subsys/nginx \
|
||||
--http-client-body-temp-path=/tmp/nginx/client \
|
||||
--http-proxy-temp-path=/tmp/nginx/proxy \
|
||||
--user=www-data \
|
||||
--group=www-data \
|
||||
--with-threads \
|
||||
--with-file-aio \
|
||||
--with-pcre="/src/pcre/pcre-$PCRE_VER" \
|
||||
|
@ -58,26 +56,33 @@ RUN upx -9 /usr/sbin/nginx
|
|||
|
||||
# setup nginx folders and files
|
||||
RUN mkdir -p /etc/nginx
|
||||
RUN touch /run/nginx.pid
|
||||
RUN mkdir -p /tmp/nginx/{client,proxy}
|
||||
RUN mkdir -p /usr/share/nginx/fastcgi_temp
|
||||
RUN mkdir -p /var/log/nginx
|
||||
RUN touch /tmp/nginx.pid
|
||||
RUN mkdir -p /tmp/nginx/{client,proxy} && chmod 700 /tmp/nginx/{client,proxy}
|
||||
RUN mkdir -p /usr/share/nginx/fastcgi_temp && chmod 700 /usr/share/nginx/fastcgi_temp
|
||||
RUN mkdir -p /var/log/nginx && chmod 700 /var/log/nginx
|
||||
RUN mkdir -p /var/www/html
|
||||
|
||||
# copy in default nginx configs
|
||||
COPY nginx/ /etc/nginx
|
||||
|
||||
# set up the final container
|
||||
FROM gcr.io/distroless/static-debian11
|
||||
FROM gcr.io/distroless/static:nonroot
|
||||
|
||||
# run as nonroot
|
||||
USER nonroot
|
||||
|
||||
# copy files over
|
||||
COPY --from=nginx --chown=65532:65532 /etc/nginx /etc/nginx
|
||||
COPY --from=nginx --chown=65532:65532 /run/nginx.pid /run/nginx.pid
|
||||
COPY --from=nginx --chown=65532:65532 /tmp/nginx /tmp/nginx
|
||||
COPY --from=nginx --chown=65532:65532 /usr/sbin/nginx /usr/sbin/nginx
|
||||
COPY --from=nginx --chown=65532:65532 /usr/share/nginx/fastcgi_temp /usr/share/nginx/fastcgi_temp
|
||||
COPY --from=nginx --chown=65532:65532 /var/log/nginx /var/log/nginx
|
||||
COPY --from=nginx --chown=65532:65532 /var/www/html /var/www/html
|
||||
COPY --from=nginx --chown=nonroot:nonroot /etc/nginx /etc/nginx
|
||||
COPY --from=nginx --chown=nonroot:nonroot /tmp/nginx.pid /tmp/nginx.pid
|
||||
COPY --from=nginx --chown=nonroot:nonroot /tmp/nginx /tmp/nginx
|
||||
COPY --from=nginx --chown=nonroot:nonroot /usr/sbin/nginx /usr/sbin/nginx
|
||||
COPY --from=nginx --chown=nonroot:nonroot /usr/share/nginx/fastcgi_temp /usr/share/nginx/fastcgi_temp
|
||||
COPY --from=nginx --chown=nonroot:nonroot /var/log/nginx /var/log/nginx
|
||||
COPY --from=nginx --chown=nonroot:nonroot /var/www/html /var/www/html
|
||||
COPY --chown=nonroot:nonroot html/index.html /var/www/html/index.html
|
||||
|
||||
# listen on an unprivileged port
|
||||
EXPOSE 8080
|
||||
|
||||
# configure entrypoint
|
||||
ENTRYPOINT ["/usr/sbin/nginx","-g","daemon off;"]
|
||||
|
|
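Review bot: The final-stage `COPY --chown=nonroot:nonroot` lines hand `/usr/sbin/nginx`, `/etc/nginx` and `/var/www/html` to the same account the server runs as, so a compromised worker could rewrite its own binary, configuration or served content unless the container runs with a read-only root filesystem. Only the paths nginx writes at runtime (`/tmp/nginx`, `/tmp/nginx.pid`, `/usr/share/nginx/fastcgi_temp`, `/var/log/nginx`) need that ownership; the rest can stay root-owned by dropping the flag, e.g. `COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx` and `COPY --from=nginx /etc/nginx /etc/nginx`. Separately, `USER nonroot` sets a user name where the earlier `--chown=65532:65532` lines used the numeric ID; Kubernetes cannot verify a non-numeric user under `runAsNonRoot`, so `USER 65532:65532` is the safer spelling if this image is deployed there. The +/- markers are lost on this page, so which lines form the new side is inferred from the hunk line counts.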
23
html/index.html
Normal file
23
html/index.html
Normal file
|
@ -0,0 +1,23 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Welcome to nginx!</title>
|
||||
<style>
|
||||
html { color-scheme: light dark; }
|
||||
body { width: 35em; margin: 0 auto;
|
||||
font-family: Tahoma, Verdana, Arial, sans-serif; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Welcome to nginx!</h1>
|
||||
<p>If you see this page, the nginx web server is successfully installed and
|
||||
working. Further configuration is required.</p>
|
||||
|
||||
<p>For online documentation and support please refer to
|
||||
<a href="http://nginx.org/">nginx.org</a>.<br/>
|
||||
Commercial support is available at
|
||||
<a href="http://nginx.com/">nginx.com</a>.</p>
|
||||
|
||||
<p><em>Thank you for using nginx.</em></p>
|
||||
</body>
|
||||
</html>
|
|
@ -1,5 +1,5 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen 8080;
|
||||
server_name localhost;
|
||||
|
||||
location / {
|
||||
|
|
|
@ -1,9 +1,5 @@
|
|||
user nonroot;
|
||||
worker_processes auto;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 10240;
|
||||
}
|
||||
|
|