Skip to content

Commit

Permalink
Decouple UBI images for Plus and NAP (#3540)
Browse files Browse the repository at this point in the history
This will decouple the UBI images so that NAP images don't depend on the Plus image. By doing this we can update the Plus image to UBI 9 and benefit from the newer image with less CVEs. It's also now possible to use the minimal image.

This also fixes CVE-2022-47629 in NAP images.
lucacome authored Feb 10, 2023
1 parent 7190979 commit 876a0f6
Showing 2 changed files with 19 additions and 9 deletions.
26 changes: 18 additions & 8 deletions build/Dockerfile
Original file line number Diff line number Diff line change
@@ -124,32 +124,42 @@ COPY --link --chown=101:0 LICENSE /licenses/


############################################# Base image for UBI with NGINX Plus #############################################
FROM redhat/ubi8:8.6 AS ubi-plus
FROM redhat/ubi9-minimal AS ubi-plus
ARG NGINX_PLUS_VERSION

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
dnf --nodocs install -y shadow-utils ca-certificates \
# temp fix for CVE-2022-1304 CVE-2016-3709, CVE-2022-42898, CVE-2022-42010, CVE-2022-43680, CVE-2022-3821, CVE-2021-46848 and CVE-2022-35737
&& dnf --nodocs upgrade -y libcom_err libxml2 krb5-libs dbus expat systemd libtasn1 sqlite-libs \
microdnf --nodocs install -y shadow-utils \
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
&& rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
&& curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \
&& curl -fsSL "https://cs.nginx.com/static/files/plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \
&& sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \
&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs

&& microdnf --nodocs install -y nginx-plus nginx-plus-module-njs \
&& microdnf remove -y shadow-utils \
&& microdnf clean all

############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS #############################################
FROM ubi-plus as ubi-plus-nap
FROM redhat/ubi8:8.6 as ubi-plus-nap
ARG NGINX_PLUS_VERSION
ARG NAP_MODULES

RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \
source /tmp/rhel_license \
## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI versions newer than 8.6
dnf --nodocs install -y shadow-utils ca-certificates \
# temp fix for CVE-2022-1304 CVE-2016-3709, CVE-2022-42898, CVE-2022-42010, CVE-2022-43680, CVE-2022-3821, CVE-2021-46848, CVE-2022-35737 and CVE-2022-47629
&& dnf --nodocs upgrade -y libcom_err libxml2 krb5-libs dbus expat systemd libtasn1 sqlite-libs libksba \
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
&& rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \
&& curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \
&& sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \
&& dnf --nodocs install -y nginx-plus nginx-plus-module-njs \
## end of duplicated code
&& subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \
&& subscription-manager attach \
&& dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \
2 changes: 1 addition & 1 deletion docs/content/technical-specifications.md
Original file line number Diff line number Diff line change
@@ -67,7 +67,7 @@ NGINX Plus images are available through the F5 Container registry `private-regis
|Debian-based image with App Protect WAF | ``debian:11-slim`` | NGINX Plus App Protect WAF, JavaScript and OpenTracing modules, OpenTracing tracers for Jaeger, Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.0.1` | amd64 |
|Debian-based image with App Protect DoS | ``debian:11-slim`` | NGINX Plus App Protect DoS, JavaScript module and OpenTracing modules, OpenTracing tracers for Jaeger, Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.0.1` | amd64 |
|Debian-based image with App Protect WAF and DoS | ``debian:11-slim`` | NGINX Plus App Protect WAF, DoS, JavaScript and OpenTracing modules, OpenTracing tracers for Jaeger, Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.0.1` | amd64 |
|Ubi-based image | ``redhat/ubi8`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.0.1-ubi` | arm64, amd64, s390x |
|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.0.1-ubi` | arm64, amd64, s390x |
|Ubi-based image with App Protect WAF | ``redhat/ubi8`` | NGINX Plus App Protect WAF and JavaScript modules | `nginx-ic-nap/nginx-plus-ingress:3.0.1-ubi` | amd64 |
|Ubi-based image with App Protect DoS | ``redhat/ubi8`` | NGINX Plus App Protect DoS and JavaScript modules | `nginx-ic-dos/nginx-plus-ingress:3.0.1-ubi` | amd64 |
|Ubi-based image with App Protect WAF and DoS | ``redhat/ubi8`` | NGINX Plus App Protect WAF, DoS and JavaScript modules | `nginx-ic-nap-dos/nginx-plus-ingress:3.0.1-ubi` | amd64 |

0 comments on commit 876a0f6

Please sign in to comment.