diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index 351967eb63..bf60b1d7af 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -1,29 +1,20 @@ # syntax=docker/dockerfile:1.16 -# TODO(sberman): the commented out lines are for when we use the published agent release -# FROM scratch AS nginx-files +FROM scratch AS nginx-files -# # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -# ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub - -FROM golang:alpine AS builder - -WORKDIR /tmp - -RUN apk add --no-cache git make \ - && git clone https://github.com/nginx/agent.git \ - && cd agent \ - && git checkout 0de3ba3451d8b05cced5eedb744a82db90db7e53 \ - && make build +# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub FROM nginx:1.28.0-alpine-otel +# renovate: datasource=github-tags depName=nginx/agent extractVersion=^v?(?.*)$ +ARG NGINX_AGENT_VERSION=3.0.0 ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -# RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ -# printf "%s\n" "http://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ -# && apk add --no-cache nginx-agent +RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION} RUN apk add --no-cache libcap bash \ && mkdir -p /usr/lib/nginx/modules \ @@ -33,9 +24,10 @@ RUN apk add --no-cache libcap bash \ && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \ # Update packages for CVE-2025-32414 and CVE-2025-32415 && apk --no-cache upgrade libxml2 \ - && apk del libcap - -COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent + && apk del libcap \ + # forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus index 09479c31c0..ece5d6c453 100644 --- a/build/Dockerfile.nginxplus +++ b/build/Dockerfile.nginxplus @@ -4,19 +4,11 @@ FROM scratch AS nginx-files # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub -FROM golang:alpine AS builder - -WORKDIR /tmp - -RUN apk add --no-cache git make \ - && git clone https://github.com/nginx/agent.git \ - && cd agent \ - && git checkout 0de3ba3451d8b05cced5eedb744a82db90db7e53 \ - && make build - FROM alpine:3.21 ARG NGINX_PLUS_VERSION=R34 +# renovate: datasource=github-tags depName=nginx/agent extractVersion=^v?(?.*)$ +ARG NGINX_AGENT_VERSION=3.0.0 ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT @@ -27,7 +19,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ addgroup -g 1001 -S nginx \ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel libcap bash \ + && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION} + +RUN apk add --no-cache libcap bash \ && mkdir -p /usr/lib/nginx/modules \ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \ @@ -38,8 +33,6 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log -COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent - COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY ${NGINX_CONF_DIR}/nginx-plus.conf /etc/nginx/nginx.conf diff --git a/go.mod b/go.mod index 34c55445f2..7a54bfbe40 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/go-logr/logr v1.4.3 github.com/google/go-cmp v0.7.0 github.com/google/uuid v1.6.0 - github.com/nginx/agent/v3 v3.0.0-20250530133342-0de3ba3451d8 + github.com/nginx/agent/v3 v3.0.0 github.com/nginx/telemetry-exporter v0.1.4 github.com/onsi/ginkgo/v2 v2.23.4 github.com/onsi/gomega v1.37.0 diff --git a/go.sum b/go.sum index 9ef5ff6595..6b06bdf8c7 100644 --- a/go.sum +++ b/go.sum @@ -137,8 +137,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/nginx/agent/v3 v3.0.0-20250530133342-0de3ba3451d8 h1:CHIWBxdGA10EtNnCCwxaI49HvM3rRgWuBiA9moVF7dw= -github.com/nginx/agent/v3 v3.0.0-20250530133342-0de3ba3451d8/go.mod h1:O/31aKtii/mpiZmFGMcTNDoLtKzwTyTXOBMSRkMaPvs= +github.com/nginx/agent/v3 v3.0.0 h1:iUAho/Q1qx63CP4Eunf94DmLFOrOe7/r3oCPwy72p7E= +github.com/nginx/agent/v3 v3.0.0/go.mod h1:O/31aKtii/mpiZmFGMcTNDoLtKzwTyTXOBMSRkMaPvs= github.com/nginx/telemetry-exporter v0.1.4 h1:3ikgKlyz/O57oaBLkxCInMjr74AhGTKr9rHdRAkkl/w= github.com/nginx/telemetry-exporter v0.1.4/go.mod h1:bl6qmsxgk4a9D0X8R5E3sUNXN2iECPEK1JNbRLhN5C4= github.com/nginxinc/nginx-plus-go-client/v2 v2.0.1 h1:5VVK38bnELMDWnwfF6dSv57ResXh9AUzeDa72ENj94o=