NGINX with Docker Image
- Official GIT : https://github.com/nginxinc/docker-nginx/tree/73a5acae6945b75b433cafd0c9318e4378e72cbb
- Mainline / Stable / 3rd Module Build 등으로 Image Build 가능 항목 나뉘어있음
- mainline 기준으로 Image Build
OSS Image Build - Debian
https://github.com/nginxinc/docker-nginx/tree/master/mainline/debian\
Code
docker build -t nginxdebian -f Dockerfile --no-cache .
OSS Image Build - Alpine
https://github.com/nginxinc/docker-nginx/tree/master/mainline/alpine
Code
docker build -t nginxalpine -f Dockerfile --no-cache .
ETC
Image Build Command
docker build -t alpine-perl -f Dockerfile --no-cache . docker build -t alpine-slim -f Dockerfile --no-cache . docker build -t alpine -f Dockerfile --no-cache . docker build -t debian-perl -f Dockerfile --no-cache . docker build -t debian -f Dockerfile --no-cache .
Image Size ( 1.23.4 기준 )
alpine-perl latest e4edea9dc54b 46 seconds ago 76.5MB alpine-slim latest 08350251902b About a minute ago 11.5MB alpine latest 24672371dc15 About a minute ago 41MB debian latest 482894c6d1e0 2 minutes ago 142MB debian-perl latest 862ff2c67e82 2 minutes ago 189MB
NGINX Plus with Docker Image
공식 Docs 기준 자료
Plus Image Build - Debian
필요 파일
- DockerFile 경로에, NGINX CERT 필요 ( nginx-repo.crt / nginx-repo.key )
Docker File - 기본
FROM debian:bullseye-slim LABEL maintainer="NGINX Docker Maintainers <[email protected]>" # Define NGINX versions for NGINX Plus and NGINX Plus modules # Uncomment this block and the versioned nginxPackages block in the main RUN # instruction to install a specific release # ENV NGINX_VERSION 28 # ENV NJS_VERSION 0.7.9 # ENV PKG_RELEASE 1~bullseye # Download certificate and key from the customer portal (<https://account.f5.com>) # and copy to the build context RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \\ --mount=type=secret,id=nginx-key,dst=nginx-repo.key \\ set -x \\ # Create nginx user/group first, to be consistent throughout Docker variants && addgroup --system --gid 101 nginx \\ && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \\ && apt-get update \\ && apt-get install --no-install-recommends --no-install-suggests -y \\ ca-certificates \\ gnupg1 \\ lsb-release \\ && \\ NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \\ found=''; \\ for server in \\ hkp://keyserver.ubuntu.com:80 \\ pgp.mit.edu \\ ; do \\ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \\ apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \\ done; \\ test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \\ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \\ # Install the latest release of NGINX Plus and/or NGINX Plus modules # Uncomment individual modules if necessary # Use versioned packages over defaults to specify a release && nginxPackages=" \\ nginx-plus \\ # nginx-plus=${NGINX_VERSION}-${PKG_RELEASE} \\ # nginx-plus-module-xslt \\ # nginx-plus-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \\ # nginx-plus-module-geoip \\ # nginx-plus-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \\ # nginx-plus-module-image-filter \\ # nginx-plus-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \\ # nginx-plus-module-perl \\ # nginx-plus-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \\ # nginx-plus-module-njs \\ # nginx-plus-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \\ " \\ && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \\"true\\";" > /etc/apt/apt.conf.d/90nginx \\ && echo "Acquire::https::pkgs.nginx.com::Verify-Host \\"true\\";" >> /etc/apt/apt.conf.d/90nginx \\ && echo "Acquire::https::pkgs.nginx.com::SslCert \\"/etc/ssl/nginx/nginx-repo.crt\\";" >> /etc/apt/apt.conf.d/90nginx \\ && echo "Acquire::https::pkgs.nginx.com::SslKey \\"/etc/ssl/nginx/nginx-repo.key\\";" >> /etc/apt/apt.conf.d/90nginx \\ && printf "deb <https://pkgs.nginx.com/plus/debian> `lsb_release -cs` nginx-plus\\n" > /etc/apt/sources.list.d/nginx-plus.list \\ && mkdir -p /etc/ssl/nginx \\ && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \\ && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \\ && apt-get update \\ && apt-get install --no-install-recommends --no-install-suggests -y \\ $nginxPackages \\ curl \\ gettext-base \\ && apt-get remove --purge -y lsb-release \\ && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \\ && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx \\ # Forward request logs to Docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \\ && ln -sf /dev/stderr /var/log/nginx/error.log EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["nginx", "-g", "daemon off;"]
Build Command
docker build --no-cache --secret id=nginx-key,src=nginx-repo.key --secret id=nginx-crt,src=nginx-repo.crt -t nginxplus .
Plus Image Build - Alpine
필요 파일
- DockerFile 경로에, NGINX CERT 필요 ( nginx-repo.crt / nginx-repo.key )
Docker FIle - 기본
FROM alpine:3.17 LABEL maintainer="NGINX Docker Maintainers <[email protected]>" # Define NGINX versions for NGINX Plus and NGINX Plus modules # Uncomment this block and the versioned nginxPackages in the main RUN # instruction to install a specific release # ENV NGINX_VERSION 28 # ENV NJS_VERSION 0.7.9 # ENV PKG_RELEASE 1 # Download certificate and key from the customer portal (<https://account.f5.com>) # and copy to the build context RUN --mount=type=secret,id=nginx-crt,dst=cert.pem \\ --mount=type=secret,id=nginx-key,dst=cert.key \\ set -x \\ # Create nginx user/group first, to be consistent throughout Docker variants && addgroup -g 101 -S nginx \\ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \\ # Install the latest release of NGINX Plus and/or NGINX Plus modules # Uncomment individual modules if necessary # Use versioned packages over defaults to specify a release && nginxPackages=" \\ nginx-plus \\ # nginx-plus=${NGINX_VERSION}-r${PKG_RELEASE} \\ # nginx-plus-module-xslt \\ # nginx-plus-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \\ # nginx-plus-module-geoip \\ # nginx-plus-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \\ # nginx-plus-module-image-filter \\ # nginx-plus-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \\ # nginx-plus-module-perl \\ # nginx-plus-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \\ # nginx-plus-module-njs \\ # nginx-plus-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \\ " \\ KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \\ && apk add --no-cache --virtual .cert-deps openssl \\ && wget -O /tmp/nginx_signing.rsa.pub <https://nginx.org/keys/nginx_signing.rsa.pub> \\ && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \\ echo "key verification succeeded!"; \\ mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \\ else \\ echo "key verification failed!"; \\ exit 1; \\ fi \\ && apk del .cert-deps \\ && cat cert.pem > /etc/apk/cert.pem \\ && cat cert.key > /etc/apk/cert.key \\ && apk add -X "<https://pkgs.nginx.com/plus/alpine/v$>(egrep -o '^[0-9]+\\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \\ && if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \\ && if [ -f "/etc/apk/cert.key" ] && [ -f "/etc/apk/cert.pem" ]; then rm -f /etc/apk/cert.key /etc/apk/cert.pem; fi \\ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` # then move `envsubst` out of the way so `gettext` can # be deleted completely, then move `envsubst` back. && apk add --no-cache --virtual .gettext gettext \\ && mv /usr/bin/envsubst /tmp/ \\ \\ && runDeps="$( \\ scanelf --needed --nobanner /tmp/envsubst \\ | awk '{ gsub(/,/, "\\nso:", $2); print "so:" $2 }' \\ | sort -u \\ | xargs -r apk info --installed \\ | sort -u \\ )" \\ && apk add --no-cache $runDeps \\ && apk del .gettext \\ && mv /tmp/envsubst /usr/local/bin/ \\ # Bring in tzdata so users could set the timezones through the environment # variables && apk add --no-cache tzdata \\ # Bring in curl and ca-certificates to make registering on DNS SD easier && apk add --no-cache curl ca-certificates \\ # Forward request and error logs to Docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \\ && ln -sf /dev/stderr /var/log/nginx/error.log EXPOSE 80 STOPSIGNAL SIGQUIT CMD ["nginx", "-g", "daemon off;"] # vim:syntax=Dockerfile
Build Command
docker build --no-cache --secret id=nginx-key,src=nginx-repo.key --secret id=nginx-crt,src=nginx-repo.crt -t nginxplus .
Docker with NGINX 운영 관련
Config File
Config File - OS File Mount
NGINX Config / Content : OS FIle 활용하여 Docker Running
Sample Docker Command
docker run --name mynginx2 \\ --mount type=bind,source=/var/www,target=/usr/share/nginx/html,readonly \\ --mount type=bind,source=/var/nginx/conf,target=/etc/nginx/conf,readonly \\ -p 80:80 \\ -d nginxplus
Config File - Image Build 에 통합
NGINX Config / Content : Image 에 build 하여 Container Running
Sample File Tree
. ├── 10-listen-on-ipv6-by-default.sh ├── 20-envsubst-on-templates.sh ├── 30-tune-worker-processes.sh ├── docker-entrypoint.sh ├── Dockerfile ├── sample-config │ └── nginx.conf └── sample-content └── index.html
Sample Docker FIle
# BASE : Alpine-Slim # # NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" # # PLEASE DO NOT EDIT IT DIRECTLY. # FROM alpine:3.17 LABEL maintainer="NGINX Docker Maintainers <[email protected]>" ENV NGINX_VERSION 1.23.4 ENV PKG_RELEASE 1 RUN set -x \\ # create nginx user/group first, to be consistent throughout docker variants && addgroup -g 101 -S nginx \\ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \\ && apkArch="$(cat /etc/apk/arch)" \\ && nginxPackages=" \\ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \\ " \\ # install prerequisites for public key and pkg-oss checks && apk add --no-cache --virtual .checksum-deps \\ openssl \\ && case "$apkArch" in \\ x86_64|aarch64) \\ # arches officially built by upstream set -x \\ && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \\ && wget -O /tmp/nginx_signing.rsa.pub <https://nginx.org/keys/nginx_signing.rsa.pub> \\ && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \\ echo "key verification succeeded!"; \\ mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \\ else \\ echo "key verification failed!"; \\ exit 1; \\ fi \\ && apk add -X "<https://nginx.org/packages/mainline/alpine/v$>(egrep -o '^[0-9]+\\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \\ ;; \\ *) \\ # we're on an architecture upstream doesn't officially build for # let's build binaries from the published packaging sources set -x \\ && tempDir="$(mktemp -d)" \\ && chown nobody:nobody $tempDir \\ && apk add --no-cache --virtual .build-deps \\ gcc \\ libc-dev \\ make \\ openssl-dev \\ pcre2-dev \\ zlib-dev \\ linux-headers \\ bash \\ alpine-sdk \\ findutils \\ && su nobody -s /bin/sh -c " \\ export HOME=${tempDir} \\ && cd ${tempDir} \\ && curl -f -O <https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz> \\ && PKGOSSCHECKSUM=\\"8f3f6c1ddd984c0c7320d3bea25eee42749db6d69c251223cf91d69b8d80b703ab39eb94fcf731399a7693ebd8dd37d1b3232ea1184ca98e5ca0ba6165e1a05c *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\\" \\ && if [ \\"\\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\\" = \\"\\$PKGOSSCHECKSUM\\" ]; then \\ echo \\"pkg-oss tarball checksum verification succeeded!\\"; \\ else \\ echo \\"pkg-oss tarball checksum verification failed!\\"; \\ exit 1; \\ fi \\ && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \\ && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \\ && cd alpine \\ && make base \\ && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \\ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \\ " \\ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \\ && apk del .build-deps \\ && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \\ ;; \\ esac \\ # remove checksum deps && apk del .checksum-deps \\ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \\ && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \\ && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \\ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` # then move `envsubst` out of the way so `gettext` can # be deleted completely, then move `envsubst` back. && apk add --no-cache --virtual .gettext gettext \\ && mv /usr/bin/envsubst /tmp/ \\ \\ && runDeps="$( \\ scanelf --needed --nobanner /tmp/envsubst \\ | awk '{ gsub(/,/, "\\nso:", $2); print "so:" $2 }' \\ | sort -u \\ | xargs -r apk info --installed \\ | sort -u \\ )" \\ && apk add --no-cache $runDeps \\ && apk del .gettext \\ && mv /tmp/envsubst /usr/local/bin/ \\ # Bring in tzdata so users could set the timezones through the environment # variables && apk add --no-cache tzdata \\ # forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \\ && ln -sf /dev/stderr /var/log/nginx/error.log \\ # create a docker-entrypoint.d directory && mkdir /docker-entrypoint.d COPY docker-entrypoint.sh / COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d COPY 20-envsubst-on-templates.sh /docker-entrypoint.d COPY 30-tune-worker-processes.sh /docker-entrypoint.d ## REMOVE Content RUN rm /etc/nginx/conf.d/default.conf RUN rm /etc/nginx/nginx.conf RUN rm /usr/share/nginx/html/index.html ## ADD New Content COPY sample-config/nginx.conf /etc/nginx/nginx.conf COPY sample-content/index.html /usr/share/nginx/html/index.html ENTRYPOINT ["/docker-entrypoint.sh"] EXPOSE 803 STOPSIGNAL SIGQUIT CMD ["nginx", "-g", "daemon off;"]
Sample Image Build
docker build -t alpine-test -f Dockerfile --no-cache .
Sample Docker Access with CURL
# curl 0 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> html { color-scheme: light dark; } body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>**Customize Building NGINX Image - HTML Pages** </p> <p>For online documentation and support please refer to <a href="<http://nginx.org/>">nginx.org</a>.<br/> Commercial support is available at <a href="<http://nginx.com/>">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>