diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 7593b2572f..41035f6e17 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -13,7 +13,7 @@ # limitations under the License. # 0.0.0 shouldn't clobber any released builds -TAG ?= 0.52 +TAG ?= 0.53 REGISTRY ?= quay.io/kubernetes-ingress-controller ARCH ?= $(shell go env GOARCH) DOCKER ?= docker diff --git a/images/nginx/build.sh b/images/nginx/build.sh index 62625ad0c2..8d98cfb481 100755 --- a/images/nginx/build.sh +++ b/images/nginx/build.sh @@ -26,7 +26,7 @@ export STICKY_SESSIONS_VERSION=08a395c66e42 export MORE_HEADERS_VERSION=0.33 export NGINX_DIGEST_AUTH=274490cec649e7300fea97fed13d84e596bbc0ce export NGINX_SUBSTITUTIONS=bc58cb11844bc42735bbaef7085ea86ace46d05b -export NGINX_OPENTRACING_VERSION=0.3.0 +export NGINX_OPENTRACING_VERSION=0.5.0 export OPENTRACING_CPP_VERSION=1.4.0 export ZIPKIN_CPP_VERSION=0.3.1 export JAEGER_VERSION=0.4.1 @@ -89,6 +89,7 @@ clean-install \ python \ luarocks \ libmaxminddb-dev \ + libcap2-bin \ || exit 1 if [[ ${ARCH} == "x86_64" ]]; then @@ -159,7 +160,7 @@ get_src ede0ad490cb9dd69da348bdea2a60a4c45284c9777b2f13fa48394b6b8e7671c \ get_src 618551948ab14cac51d6e4ad00452312c7b09938f59ebff4f93875013be31f2d \ "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" -get_src 2d2b8784a09c7bb4ae7f8a76ab679c54a683b8dda26db2f948982de0ad44c7a5 \ +get_src ad6c813cb8baa4a178417bfa316ab3535d950fe02c67dc3a4af96ef6a1f655d6 \ "https://github.com/opentracing-contrib/nginx-opentracing/archive/v$NGINX_OPENTRACING_VERSION.tar.gz" get_src 2eb0a4a7dc62bc8cbf12872080197b41d53b4c04966c860774a6b11fd59fad55 \ @@ -418,8 +419,6 @@ WITH_MODULES="--add-module=$BUILD_PATH/ngx_devel_kit-$NDK_VERSION \ --add-module=$BUILD_PATH/nginx_cookie_flag_module-$COOKIE_FLAG_VERSION \ --add-module=$BUILD_PATH/nginx-influxdb-module-$NGINX_INFLUXDB_VERSION \ --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \ - --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/jaeger \ - --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/zipkin \ --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \ --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \ --add-module=$BUILD_PATH/ngx_brotli" @@ -453,6 +452,11 @@ echo "Cleaning..." cd / +mv /usr/share/nginx/sbin/nginx /usr/sbin + +# allow binding to a port less than 1024 to non-root users +setcap cap_net_bind_service=+ep /usr/sbin/nginx + apt-mark unmarkauto \ bash \ curl ca-certificates \ @@ -478,14 +482,11 @@ apt-get remove -y --purge \ linux-libc-dev \ cmake \ wget \ + libcap2-bin \ git g++ pkgconf flex bison doxygen libyajl-dev liblmdb-dev libgeoip-dev libtool dh-autoreconf libpcre++-dev libxml2-dev apt-get autoremove -y -mkdir -p /var/lib/nginx/body /usr/share/nginx/html - -mv /usr/share/nginx/sbin/nginx /usr/sbin - rm -rf "$BUILD_PATH" rm -Rf /usr/share/man /usr/share/doc rm -rf /tmp/* /var/tmp/* @@ -499,3 +500,22 @@ rm -rf /etc/nginx/owasp-modsecurity-crs/.git rm -rf /etc/nginx/owasp-modsecurity-crs/util/regression-tests rm -rf $HOME/.hunter + +# update image permissions +writeDirs=( \ + /etc/nginx \ + /etc/ingress-controller/ssl \ + /etc/ingress-controller/auth \ + /var/log \ + /var/log/nginx \ + /var/lib/nginx/body \ + /usr/share/nginx/html \ + /opt/modsecurity/var/log \ + /opt/modsecurity/var/upload \ + /opt/modsecurity/var/audit \ +); + +for dir in "${writeDirs[@]}"; do + mkdir -p ${dir}; + chown -R www-data.www-data ${dir}; +done