Change the base image to Debian Stretch for Plus controller (#235)
pleshakov authored Feb 8, 2018
1 parent 5a4b11c commit 0dafb34
Showing 1 changed file with 37 additions and 19 deletions.
56 changes: 37 additions & 19 deletions nginx-controller/DockerfileForPlus
@@ -1,43 +1,61 @@
FROM ubuntu:16.04
FROM debian:stretch-slim

MAINTAINER NGINX Docker Maintainers "[email protected]"
LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

# Set the debconf front end to Noninteractive
RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections

RUN apt-get update && apt-get install -y -q wget lsb-release apt-transport-https
ENV NGINX_PLUS_VERSION 1.13.7-2~stretch

# Download certificate and key from the customer portal (https://cs.nginx.com)
# and copy to the build context
ADD nginx-repo.crt /etc/ssl/nginx/
ADD nginx-repo.key /etc/ssl/nginx/
COPY nginx-repo.crt /etc/ssl/nginx/
COPY nginx-repo.key /etc/ssl/nginx/

# Make sure the certificate and key have correct permissions
RUN chmod 644 /etc/ssl/nginx/*

# Get other files required for installation
RUN wget -q -O - http://nginx.org/keys/nginx_signing.key | apt-key add -
RUN wget -q -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx

RUN printf "deb https://plus-pkgs.nginx.com/ubuntu `lsb_release -cs` nginx-plus\n" >/etc/apt/sources.list.d/nginx-plus.list

# Install NGINX Plus
RUN apt-get update && apt-get install -y nginx-plus
RUN set -x \
&& apt-get update && apt-get upgrade -y \
&& apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
found=''; \
for server in \
ha.pool.sks-keyservers.net \
hkp://keyserver.ubuntu.com:80 \
hkp://p80.pool.sks-keyservers.net:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
echo "Acquire::https::plus-pkgs.nginx.com::Verify-Peer \"true\";" >> /etc/apt/apt.conf.d/90nginx \
&& echo "Acquire::https::plus-pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
&& echo "Acquire::https::plus-pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
&& echo "Acquire::https::plus-pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
&& printf "deb https://plus-pkgs.nginx.com/debian stretch nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
&& apt-get update && apt-get install -y nginx-plus=${NGINX_PLUS_VERSION} \
&& apt-get remove --purge --auto-remove -y gnupg1 \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /etc/ssl/nginx \
&& rm /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list

EXPOSE 80 443 8080

# forward nginx access and error logs to stdout and stderr of the ingress
# controller process
RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \
&& ln -sf /proc/1/fd/2 /var/log/nginx/error.log


EXPOSE 80 443

COPY nginx-ingress nginx/templates/nginx-plus.ingress.tmpl nginx/templates/nginx-plus.tmpl /
RUN rm /etc/nginx/conf.d/*

RUN mkdir -p /etc/nginx/secrets
RUN rm /etc/nginx/conf.d/* \
&& mkdir -p /etc/nginx/secrets

# Uncomment the line below if you would like to add the default.pem to the image
# and use it as a certificate and key for the default server
# ADD default.pem /etc/nginx/secrets/default

ENTRYPOINT ["/nginx-ingress"]
ENTRYPOINT ["/nginx-ingress"]
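Review bot: the client key brought in by `COPY nginx-repo.key /etc/ssl/nginx/` is deleted again by `rm -rf /etc/ssl/nginx` inside the later RUN step, but the COPY commits its own layer, so the key (and the certificate) stay recoverable from the layer history of every image built from this file; the `RUN chmod 644 /etc/ssl/nginx/*` step additionally leaves the private key world-readable while it exists. Consider installing nginx-plus in a build stage that receives the credentials and then copying only the installed files into the final stage, so that no layer of the shipped image ever contains the key. Separately, the `apt-get upgrade -y` in the same RUN makes the image contents depend on the build date, which undercuts the pinned `NGINX_PLUS_VERSION`; dropping it, or documenting that it is intentional, would make builds reproducible.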

5 comments on commit 0dafb34

@nalston

@nalston nalston commented on 0dafb34 Feb 8, 2018

Not sure how 'ready' this is, but this build fails for me. Here's my build log

I noticed that docker was using cache, so I modified the makefile to specify --no-cache, and got the same results.

@pleshakov
Contributor Author

@nalston the log reports that there were multiple Hash Sum mismatch errors when trying to install the required software packages. A possible reason could be a glitch in the Debian package server, or some caching proxy server serving stale files.

Does the problem still exist?

@nalston

@nalston nalston commented on 0dafb34 Feb 9, 2018

@pleshakov - The problem still exists, but I found a solution.

After spending some time researching, I believe the root cause is apt proxy/network config differences between the Debian stretch-slim image and the Ubuntu image. I'm a RHEL/yum guy, so I'm not too knowledgeable on the intricacies of apt network config/options, but I was able to correct the issue by explicitly setting a few options.

1 - Added a file with my settings
# 99network
Acquire::http::Pipeline-Depth 0;
Acquire::http::No-Cache true;
Acquire::BrokenProxy    true;

2 - Mod Dockerfile to include settings before apt runs
COPY 99network /etc/apt/apt.conf.d/

Similar issues

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810796
https://github.com/jenkinsci/docker/issues/543
https://github.com/moby/moby/issues/30207
https://github.com/moby/moby/issues/23202

To be fair, I am in a secure corp. environment, with multiple layers of network security, any of which could easily be the source. Really though, the larger concern is that we've been building the Ubuntu-based image without issue for over a year. Due to our stringent internal security, we frequently have to clone/build many different types of images internally, and have never run into anything like this.

Just to be sure nothing had unexpectedly changed in our environment recently, I downloaded the 1.1.1 release and was able to build that without issue (and without modifying any settings) - results

@pleshakov
Contributor Author

@nalston
Glad you found the solution. We'll think about how we can address your issue in the Dockerfile.

We decided to move from Xenial to Debian Stretch as the resulting image is smaller, the packages are more recent than in Ubuntu and have fewer known vulnerabilities (see #232), and our NGINX OSS images are also based on Stretch.

While it should not affect your issue, note the most recent changes to the DockerfileForPlus in #238.

By the way, you can also run make DOCKER_BUILD_OPTIONS=--no-cache ... to pass any options to the docker build command.

@pleshakov
Contributor Author

@nalston are you able to build the image if you have only the Acquire::http::No-Cache true; option enabled?
