-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
The variant provides an image built with a recently opensourced opentelemetry module developed by F5/NGINX [1]. I've decided to make a separate variant based on the main image instead of extending it because the module build-depends on a fairly large chunk of C++ code from multiple projects, which takes around 10 minutes to compile and link on an 8-core amd64 machine. This is why it's currently limited to amd64 and arm64v8, which nginx.org provides builds for. Users can build them on less popular architectures as the instructions are still provided in the dockerfiles. Also, it's currently only available for the "mainline" branch, with "stable" to follow in the future. [1] https://nginx.org/en/docs/ngx_otel_module.html [2] https://nginx.org/en/linux_packages.html#dynmodules
- Loading branch information
Showing
6 changed files
with
419 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| FROM nginx:%%NGINX_VERSION%%-alpine | ||
|
|
||
| ENV OTEL_VERSION %%OTEL_VERSION%% | ||
|
|
||
| RUN set -x \ | ||
| && apkArch="$(cat /etc/apk/arch)" \ | ||
| && nginxPackages="%%PACKAGES%% | ||
| " \ | ||
| # install prerequisites for public key and pkg-oss checks | ||
| && apk add --no-cache --virtual .checksum-deps \ | ||
| openssl \ | ||
| && case "$apkArch" in \ | ||
| x86_64|aarch64) \ | ||
| # arches officially built by upstream | ||
| set -x \ | ||
| && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ | ||
| && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ | ||
| && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ | ||
| echo "key verification succeeded!"; \ | ||
| mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ | ||
| else \ | ||
| echo "key verification failed!"; \ | ||
| exit 1; \ | ||
| fi \ | ||
| && apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ | ||
| ;; \ | ||
| *) \ | ||
| # we're on an architecture upstream doesn't officially build for | ||
| # let's build binaries from the published packaging sources | ||
| set -x \ | ||
| && tempDir="$(mktemp -d)" \ | ||
| && chown nobody:nobody $tempDir \ | ||
| && apk add --no-cache --virtual .build-deps \ | ||
| gcc \ | ||
| libc-dev \ | ||
| make \ | ||
| openssl-dev \ | ||
| pcre2-dev \ | ||
| zlib-dev \ | ||
| linux-headers \ | ||
| cmake \ | ||
| bash \ | ||
| alpine-sdk \ | ||
| findutils \ | ||
| xz \ | ||
| re2-dev \ | ||
| c-ares-dev \ | ||
| && su nobody -s /bin/sh -c " \ | ||
| export HOME=${tempDir} \ | ||
| && cd ${tempDir} \ | ||
| && curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \ | ||
| && PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \ | ||
| && if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ | ||
| echo \"pkg-oss tarball checksum verification succeeded!\"; \ | ||
| else \ | ||
| echo \"pkg-oss tarball checksum verification failed!\"; \ | ||
| exit 1; \ | ||
| fi \ | ||
| && tar xzvf %%REVISION%%.tar.gz \ | ||
| && cd pkg-oss-%%REVISION%% \ | ||
| && cd alpine \ | ||
| && make %%BUILDTARGET%% \ | ||
| && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ | ||
| && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ | ||
| " \ | ||
| && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ | ||
| && apk del --no-network .build-deps \ | ||
| && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \ | ||
| ;; \ | ||
| esac \ | ||
| # remove checksum deps | ||
| && apk del --no-network .checksum-deps \ | ||
| # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) | ||
| && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ | ||
| && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ | ||
| && if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| FROM nginx:%%NGINX_VERSION%% | ||
|
|
||
| ENV OTEL_VERSION %%OTEL_VERSION%% | ||
|
|
||
| RUN set -x \ | ||
| && apt-get update \ | ||
| && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ | ||
| && \ | ||
| NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ | ||
| NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ | ||
| export GNUPGHOME="$(mktemp -d)"; \ | ||
| found=''; \ | ||
| for server in \ | ||
| hkp://keyserver.ubuntu.com:80 \ | ||
| pgp.mit.edu \ | ||
| ; do \ | ||
| echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ | ||
| gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ | ||
| done; \ | ||
| test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ | ||
| gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ | ||
| rm -rf "$GNUPGHOME"; \ | ||
| apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ | ||
| && dpkgArch="$(dpkg --print-architecture)" \ | ||
| && nginxPackages="%%PACKAGES%% | ||
| " \ | ||
| && case "$dpkgArch" in \ | ||
| amd64|arm64) \ | ||
| # arches officialy built by upstream | ||
| echo "deb [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \ | ||
| && apt-get update \ | ||
| ;; \ | ||
| *) \ | ||
| # we're on an architecture upstream doesn't officially build for | ||
| # let's build binaries from the published source packages | ||
| echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \ | ||
| \ | ||
| # new directory for storing sources and .deb files | ||
| && tempDir="$(mktemp -d)" \ | ||
| && chmod 777 "$tempDir" \ | ||
| # (777 to ensure APT's "_apt" user can access it too) | ||
| \ | ||
| # save list of currently-installed packages so build dependencies can be cleanly removed later | ||
| && savedAptMark="$(apt-mark showmanual)" \ | ||
| \ | ||
| # build .deb files from upstream's source packages (which are verified by apt-get) | ||
| && apt-get update \ | ||
| && apt-get build-dep -y %%BUILDTARGET%% \ | ||
| && ( \ | ||
| cd "$tempDir" \ | ||
| && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \ | ||
| apt-get source --compile %%BUILDTARGET%% \ | ||
| ) \ | ||
| # we don't remove APT lists here because they get re-downloaded and removed later | ||
| \ | ||
| # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies | ||
| # (which is done after we install the built packages so we don't have to redownload any overlapping dependencies) | ||
| && apt-mark showmanual | xargs apt-mark auto > /dev/null \ | ||
| && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \ | ||
| \ | ||
| # create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be) | ||
| && ls -lAFh "$tempDir" \ | ||
| && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \ | ||
| && grep '^Package: ' "$tempDir/Packages" \ | ||
| && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \ | ||
| # work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes") | ||
| # Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) | ||
| # ... | ||
| # E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) | ||
| && apt-get -o Acquire::GzipIndexes=false update \ | ||
| ;; \ | ||
| esac \ | ||
| \ | ||
| && apt-get install --no-install-recommends --no-install-suggests -y \ | ||
| $nginxPackages \ | ||
| gettext-base \ | ||
| curl \ | ||
| && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \ | ||
| \ | ||
| # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) | ||
| && if [ -n "$tempDir" ]; then \ | ||
| apt-get purge -y --auto-remove \ | ||
| && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \ | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| # | ||
| # NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" | ||
| # | ||
| # PLEASE DO NOT EDIT IT DIRECTLY. | ||
| # | ||
| FROM nginx:1.25.4-alpine | ||
|
|
||
| ENV OTEL_VERSION 0.1.0 | ||
|
|
||
| RUN set -x \ | ||
| && apkArch="$(cat /etc/apk/arch)" \ | ||
| && nginxPackages=" \ | ||
| nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ | ||
| nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ | ||
| nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ | ||
| nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ | ||
| nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ | ||
| nginx-module-otel=${NGINX_VERSION}.${OTEL_VERSION}-r${PKG_RELEASE} \ | ||
| " \ | ||
| # install prerequisites for public key and pkg-oss checks | ||
| && apk add --no-cache --virtual .checksum-deps \ | ||
| openssl \ | ||
| && case "$apkArch" in \ | ||
| x86_64|aarch64) \ | ||
| # arches officially built by upstream | ||
| set -x \ | ||
| && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ | ||
| && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ | ||
| && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ | ||
| echo "key verification succeeded!"; \ | ||
| mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ | ||
| else \ | ||
| echo "key verification failed!"; \ | ||
| exit 1; \ | ||
| fi \ | ||
| && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ | ||
| ;; \ | ||
| *) \ | ||
| # we're on an architecture upstream doesn't officially build for | ||
| # let's build binaries from the published packaging sources | ||
| set -x \ | ||
| && tempDir="$(mktemp -d)" \ | ||
| && chown nobody:nobody $tempDir \ | ||
| && apk add --no-cache --virtual .build-deps \ | ||
| gcc \ | ||
| libc-dev \ | ||
| make \ | ||
| openssl-dev \ | ||
| pcre2-dev \ | ||
| zlib-dev \ | ||
| linux-headers \ | ||
| cmake \ | ||
| bash \ | ||
| alpine-sdk \ | ||
| findutils \ | ||
| xz \ | ||
| re2-dev \ | ||
| c-ares-dev \ | ||
| && su nobody -s /bin/sh -c " \ | ||
| export HOME=${tempDir} \ | ||
| && cd ${tempDir} \ | ||
| && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ | ||
| && PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ | ||
| && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ | ||
| echo \"pkg-oss tarball checksum verification succeeded!\"; \ | ||
| else \ | ||
| echo \"pkg-oss tarball checksum verification failed!\"; \ | ||
| exit 1; \ | ||
| fi \ | ||
| && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ | ||
| && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ | ||
| && cd alpine \ | ||
| && make module-otel \ | ||
| && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ | ||
| && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ | ||
| " \ | ||
| && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ | ||
| && apk del --no-network .build-deps \ | ||
| && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \ | ||
| ;; \ | ||
| esac \ | ||
| # remove checksum deps | ||
| && apk del --no-network .checksum-deps \ | ||
| # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) | ||
| && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ | ||
| && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ | ||
| && if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi |
Oops, something went wrong.