From ca71c52af9842a0b62b3b20353adbc219363fdfd Mon Sep 17 00:00:00 2001 
From: Nikola Davidova Date: Mon, 20 Apr 2026 15:57:36 +0200 Subject: [PATCH 1/5] create 1.26-minimal directory --- 1.26-minimal/.exclude-rhel8 | 0 1.26-minimal/Dockerfile.c11s | 0 1.26-minimal/Dockerfile.rhel11 | 0 1.26-minimal/README.md | 205 +++++++++++++++ 1.26-minimal/root/README.md | 233 ++++++++++++++++++ .../opt/app-root/etc/generate_container_user | 9 + .../root/opt/app-root/etc/passwd.template | 15 ++ .../root/opt/app-root/nginxconf-rhscl.sed | 10 + 1.26-minimal/root/opt/app-root/nginxconf.sed | 10 + .../share/container-scripts/nginx/common.sh | 31 +++ 1.26-minimal/s2i/bin/assemble | 50 ++++ 1.26-minimal/s2i/bin/run | 16 ++ 1.26-minimal/s2i/bin/usage | 19 ++ 1.26-minimal/test/__init__.py | 1 + 1.26-minimal/test/conftest.py | 1 + 1.26-minimal/test/examples | 1 + 1.26-minimal/test/imagestreams | 1 + 1.26-minimal/test/perl-test-app | 1 + 1.26-minimal/test/run | 1 + .../test/run-openshift-remote-cluster | 1 + 1.26-minimal/test/run-pytest | 1 + 1.26-minimal/test/start-hook-test-app | 1 + 1.26-minimal/test/test-app | 1 + 1.26-minimal/test/test-lib-nginx.sh | 1 + 1.26-minimal/test/test-lib-openshift.sh | 1 + .../test/test-lib-remote-openshift.sh | 1 + 1.26-minimal/test/test-lib.sh | 1 + 1.26-minimal/test/test-openshift.yaml | 1 + .../test/test_container_application.py | 1 + 1.26-minimal/test/test_container_basics.py | 1 + .../test/test_container_example_apps.py | 1 + 1.26-minimal/test/test_ocp_imagestream_s2i.py | 1 + 1.26-minimal/test/test_ocp_imagestreams.py | 1 + 1.26-minimal/test/test_ocp_local_example.py | 1 + 1.26-minimal/test/test_ocp_remote_example.py | 1 + .../test/test_ocp_shared_helm_imagestreams.py | 1 + .../test/test_ocp_shared_helm_template.py | 1 + .../test/test_ocp_template_example_app.py | 1 + 38 files changed, 623 insertions(+) create mode 100644 1.26-minimal/.exclude-rhel8 create mode 100644 1.26-minimal/Dockerfile.c11s create mode 100644 1.26-minimal/Dockerfile.rhel11 create mode 100644 1.26-minimal/README.md create mode 100644 
1.26-minimal/root/README.md create mode 100644 1.26-minimal/root/opt/app-root/etc/generate_container_user create mode 100644 1.26-minimal/root/opt/app-root/etc/passwd.template create mode 100644 1.26-minimal/root/opt/app-root/nginxconf-rhscl.sed create mode 100644 1.26-minimal/root/opt/app-root/nginxconf.sed create mode 100644 1.26-minimal/root/usr/share/container-scripts/nginx/common.sh create mode 100755 1.26-minimal/s2i/bin/assemble create mode 100755 1.26-minimal/s2i/bin/run create mode 100755 1.26-minimal/s2i/bin/usage create mode 120000 1.26-minimal/test/__init__.py create mode 120000 1.26-minimal/test/conftest.py create mode 120000 1.26-minimal/test/examples create mode 120000 1.26-minimal/test/imagestreams create mode 160000 1.26-minimal/test/perl-test-app create mode 120000 1.26-minimal/test/run create mode 120000 1.26-minimal/test/run-openshift-remote-cluster create mode 120000 1.26-minimal/test/run-pytest create mode 160000 1.26-minimal/test/start-hook-test-app create mode 120000 1.26-minimal/test/test-app create mode 120000 1.26-minimal/test/test-lib-nginx.sh create mode 120000 1.26-minimal/test/test-lib-openshift.sh create mode 120000 1.26-minimal/test/test-lib-remote-openshift.sh create mode 120000 1.26-minimal/test/test-lib.sh create mode 120000 1.26-minimal/test/test-openshift.yaml create mode 120000 1.26-minimal/test/test_container_application.py create mode 120000 1.26-minimal/test/test_container_basics.py create mode 120000 1.26-minimal/test/test_container_example_apps.py create mode 120000 1.26-minimal/test/test_ocp_imagestream_s2i.py create mode 120000 1.26-minimal/test/test_ocp_imagestreams.py create mode 120000 1.26-minimal/test/test_ocp_local_example.py create mode 120000 1.26-minimal/test/test_ocp_remote_example.py create mode 120000 1.26-minimal/test/test_ocp_shared_helm_imagestreams.py create mode 120000 1.26-minimal/test/test_ocp_shared_helm_template.py create mode 120000 1.26-minimal/test/test_ocp_template_example_app.py 
diff --git a/1.26-minimal/.exclude-rhel8 b/1.26-minimal/.exclude-rhel8
new file mode 100644
index 00000000..e69de29b
diff --git a/1.26-minimal/Dockerfile.c11s b/1.26-minimal/Dockerfile.c11s
new file mode 100644
index 00000000..e69de29b
diff --git a/1.26-minimal/Dockerfile.rhel11 b/1.26-minimal/Dockerfile.rhel11
new file mode 100644
index 00000000..e69de29b
diff --git a/1.26-minimal/README.md b/1.26-minimal/README.md
new file mode 100644
index 00000000..50be323e
--- /dev/null
+++ b/1.26-minimal/README.md
@@ -0,0 +1,205 @@ +Nginx 1.26 server and a reverse proxy server container image +============================================================ +This container image includes Nginx 1.26 server and a reverse server for OpenShift and general usage. +Users can choose between RHEL, CentOS Stream and Fedora based images. +The RHEL images are available in the [Red Hat Container Catalog](https://access.redhat.com/containers/), +the CentOS Stream images are available in the [Quay.io](https://quay.io/organization/sclorg), +and the Fedora images are available in the [Quay.io](https://quay.io/organization/fedora). +The resulting image can be run using [podman](https://github.com/containers/libpod). + +Note: while the examples in this README are calling `podman`, you can replace any such calls by `docker` with the same arguments. + + +Description +----------- + +Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP +protocols, with a strong focus on high concurrency, performance and low memory usage. The container +image provides a containerized packaging of the nginx 1.26 daemon. The image can be used +as a base image for other applications based on nginx 1.26 web server. +Nginx server image can be extended using Openshift's `Source` build feature. + + +Usage in OpenShift +------------------ +In this example, we assume that you are using the `ubi9/nginx-126` image, available through the `nginx:1.26` imagestream tag in Openshift. 
+To build a simple [test-app](https://github.com/sclorg/nginx-container/tree/master/examples/1.26/test-app) application in Openshift: + +``` +oc new-app nginx:1.26~https://github.com/sclorg/nginx-container.git --context-dir=1.26/test/test-app/ +``` + +To access the application: +``` +$ oc get pods +$ oc exec -- curl 127.0.0.1:8080 +``` + + +Source-to-Image framework and scripts +------------------------------------- +This image supports the [Source-to-Image](https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#images-create-s2i_create-images) +(S2I) strategy in OpenShift. The Source-to-Image is an OpenShift framework +which makes it easy to write images that take application source code as +an input, use a builder image like this Nginx container image, and produce +a new image that runs the assembled application as an output. + +In case of Nginx container image, the application source code is typically +either static HTML pages or configuration files. + +To support the Source-to-Image framework, important scripts are included in the builder image: + +* The `/usr/libexec/s2i/run` script is set as the default command in the resulting container image (the new image with the application artifacts). + +* The `/usr/libexec/s2i/assemble` script inside the image is run to produce a new image with the application artifacts. The script takes sources of a given application (HTML pages), Nginx configuration files, and places them into appropriate directories inside the image. 
The structure of nginx-app can look like this: + +**`./nginx.conf`**-- + The main nginx configuration file + +**`./nginx-cfg/*.conf`** + Should contain all nginx configuration we want to include into image + +**`./nginx-default-cfg/*.conf`** + Contains any nginx config snippets to include in the default server block + +**`./nginx-start/*.sh`** + Contains shell scripts that are sourced right before nginx is launched + +**`./nginx-perl/*.pm`** + Contains perl modules to be use by `perl_modules` and `perl_require` directives + +**`./`** + Should contain nginx application source code + + +Build an application using a Dockerfile +--------------------------------------- +Compared to the Source-to-Image strategy, using a Dockerfile is a more +flexible way to build an Nginx container image with an application. +Use a Dockerfile when Source-to-Image is not sufficiently flexible for you or +when you build the image outside of the OpenShift environment. + +To use the Nginx image in a Dockerfile, follow these steps: + +#### 1. Pull a base builder image to build on + +podman pull ubi9/nginx-126 + +#### 2. Pull an application code + +An example application available at https://github.com/sclorg/nginx-container.git is used here. To adjust the example application, clone the repository. + +``` +git clone https://github.com/sclorg/nginx-container.git nginx-container +cd nginx-container/examples/1.26/ +``` + +#### 3. 
Prepare an application inside a container + +This step usually consists of at least these parts: + +* putting the application source into the container +* moving configuration files to the correct place (if available in the application source code) +* setting the default command in the resulting image + +For all these three parts, you can either set up all manually and use the `nginx` command explicitly in the Dockerfile ([3.1.](#31-to-use-own-setup-create-a-dockerfile-with-this-content)), or you can use the Source-to-Image scripts inside the image ([3.2.](#32-to-use-the-source-to-image-scripts-and-build-an-image-using-a-dockerfile-create-a-dockerfile-with-this-content); see more about these scripts in the section "Source-to-Image framework and scripts" above), that already know how to set-up and run some common Nginx applications. + +##### 3.1. To use your own setup, create a Dockerfile with this content: + +``` +FROM registry.access.redhat.com/ubi9/nginx-126 + +# Add application sources +ADD test-app/nginx.conf "${NGINX_CONF_PATH}" +ADD test-app/nginx-default-cfg/*.conf "${NGINX_DEFAULT_CONF_PATH}" +ADD test-app/nginx-cfg/*.conf "${NGINX_CONFIGURATION_PATH}" +ADD test-app/*.html . + +# Run script uses standard ways to run the application +CMD nginx -g "daemon off;" +``` + +##### 3.2. 
To use the Source-to-Image scripts and build an image using a Dockerfile, create a Dockerfile with this content: + +``` +FROM registry.access.redhat.com/ubi9/nginx-126 + +# Add application sources to a directory where the assemble script expects them +# and set permissions so that the container runs without root access +# With older docker that does not support --chown option for ADD statement, +# use these statements instead: +# USER 0 +# ADD app-src /tmp/src +# RUN chown -R 1001:0 /tmp/src +# USER 1001 +ADD --chown=1001:0 app-src /tmp/src + +# Let the assemble script to install the dependencies +RUN /usr/libexec/s2i/assemble + +# Run script uses standard ways to run the application +CMD /usr/libexec/s2i/run +``` + +#### 4. Build a new image from a Dockerfile prepared in the previous step +``` +podman build -t nginx-app . +``` + +#### 5. Run the resulting image with the final application +``` +podman run -d nginx-app +``` + + +Direct usage with a mounted directory +------------------------------------- +An example of the data on the host for the following example: +``` +$ ls -lZ /wwwdata/html +-rw-r--r--. 1 1001 1001 54321 Jan 01 12:34 index.html +-rw-r--r--. 1 1001 1001 5678 Jan 01 12:34 page.html +``` + +If you want to run the image directly and mount the static pages available in the `/wwwdata/` directory on the host +as a container volume, execute the following command: + +``` +$ podman run -d --name nginx -p 8080:8080 -v /wwwdata:/opt/app-root/src:Z ubi9/nginx-126 nginx -g "daemon off;" +``` + +This creates a container named `nginx` running the Nginx server, serving data from +the `/wwwdata/` directory. Port 8080 is exposed and mapped to the host. +You can pull the data from the nginx container using this command: + +``` +$ curl -Lk 127.0.0.1:8080 +``` + +You can replace `/wwwdata/` with location of your web root. Please note that this has to be an **absolute** path, due to podman requirements. 
+ + +Environment variables and volumes +--------------------------------- +The nginx container image supports the following configuration variable, which can be set by using the `-e` option with the podman run command: + + +**`NGINX_LOG_TO_VOLUME`** + When `NGINX_LOG_TO_VOLUME` is set, nginx logs into `/var/log/nginx/`. + + +Troubleshooting +--------------- +By default, nginx access logs are written to standard output and error logs are written to standard error, so both are available in the container log. The log can be examined by running: + + podman logs + +See also +-------- +Dockerfile and other sources for this container image are available on +https://github.com/sclorg/nginx-container. +In that repository you also can find another versions of Python environment Dockerfiles. +for RHEL8 it's `Dockerfile.rhel8`, Dockerfile for RHEL10 is called `Dockerfile.rhel10`, +Dockerfile for CentOS Stream 9 is called `Dockerfile.c9s`, +Dockerfile for CentOS Stream 10 is called `Dockerfile.c10s`, and the Fedora Dockerfile is called `Dockerfile.fedora`. + diff --git a/1.26-minimal/root/README.md b/1.26-minimal/root/README.md new file mode 100644 index 00000000..e997be14 --- /dev/null +++ b/1.26-minimal/root/README.md 
@@ -0,0 +1,233 @@ +Nginx 1.26 server and a reverse proxy server container image +============================================================ +This container image includes Nginx 1.26 server and a reverse server for OpenShift and general usage. +Users can choose between RHEL, CentOS Stream and Fedora based images. +The RHEL images are available in the [Red Hat Container Catalog](https://access.redhat.com/containers/), +the CentOS Stream images are available in the [Quay.io](https://quay.io/organization/sclorg), +and the Fedora images are available in the [Quay.io](https://quay.io/organization/fedora). +The resulting image can be run using [podman](https://github.com/containers/libpod). + +Note: while the examples in this README are calling `podman`, you can replace any such calls by `docker` with the same arguments. + + +Description +----------- + +Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP +protocols, with a strong focus on high concurrency, performance and low memory usage. The container +image provides a containerized packaging of the nginx 1.26 daemon. The image can be used +as a base image for other applications based on nginx 1.26 web server. +Nginx server image can be extended using Openshift's `Source` build feature. 
+ + +Minimized Variant (Dockerfile.rhel11) +-------------------------------------- + +A **minimized variant** is available via `Dockerfile.rhel11` that provides significant size reduction: + +**Key Features:** +- **72% smaller image size** (81 MB vs 297 MB for standard variant) +- Built using multi-stage build: `ubi10/ubi → scratch` (not s2i-core) +- No package manager in final image (dnf/yum absent for enhanced security) +- Minimal package set: coreutils-single, glibc-minimal-langpack, nginx-core +- Same S2I functionality as standard builds +- Ideal for production, edge, and IoT deployments + +**Limitations:** +- No package manager available for runtime package installation +- Perl modules excluded (minimization priority) +- Limited extensibility compared to standard variant + +**Build the minimized variant:** +```bash +make build TARGET=rhel11 VERSIONS=1.26 +``` + +**When to use minimized vs standard:** +- **Use minimized** for: production deployments, edge/IoT, security-focused environments +- **Use standard** for: development, environments requiring runtime package installation, Perl module support + + +Usage in OpenShift +------------------ +In this example, we assume that you are using the `ubi9/nginx-126` image, available through the `nginx:1.26` imagestream tag in Openshift. +To build a simple [test-app](https://github.com/sclorg/nginx-container/tree/master/examples/1.26/test-app) application in Openshift: + +``` +oc new-app nginx:1.26~https://github.com/sclorg/nginx-container.git --context-dir=1.26/test/test-app/ +``` + +To access the application: +``` +$ oc get pods +$ oc exec -- curl 127.0.0.1:8080 +``` + + +Source-to-Image framework and scripts +------------------------------------- +This image supports the [Source-to-Image](https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#images-create-s2i_create-images) +(S2I) strategy in OpenShift. 
The Source-to-Image is an OpenShift framework +which makes it easy to write images that take application source code as +an input, use a builder image like this Nginx container image, and produce +a new image that runs the assembled application as an output. + +In case of Nginx container image, the application source code is typically +either static HTML pages or configuration files. + +To support the Source-to-Image framework, important scripts are included in the builder image: + +* The `/usr/libexec/s2i/run` script is set as the default command in the resulting container image (the new image with the application artifacts). + +* The `/usr/libexec/s2i/assemble` script inside the image is run to produce a new image with the application artifacts. The script takes sources of a given application (HTML pages), Nginx configuration files, and places them into appropriate directories inside the image. The structure of nginx-app can look like this: + +**`./nginx.conf`**-- + The main nginx configuration file + +**`./nginx-cfg/*.conf`** + Should contain all nginx configuration we want to include into image + +**`./nginx-default-cfg/*.conf`** + Contains any nginx config snippets to include in the default server block + +**`./nginx-start/*.sh`** + Contains shell scripts that are sourced right before nginx is launched + +**`./nginx-perl/*.pm`** + Contains perl modules to be use by `perl_modules` and `perl_require` directives + +**`./`** + Should contain nginx application source code + + +Build an application using a Dockerfile +--------------------------------------- +Compared to the Source-to-Image strategy, using a Dockerfile is a more +flexible way to build an Nginx container image with an application. +Use a Dockerfile when Source-to-Image is not sufficiently flexible for you or +when you build the image outside of the OpenShift environment. + +To use the Nginx image in a Dockerfile, follow these steps: + +#### 1. 
Pull a base builder image to build on + +podman pull ubi9/nginx-126 + +#### 2. Pull an application code + +An example application available at https://github.com/sclorg/nginx-container.git is used here. To adjust the example application, clone the repository. + +``` +git clone https://github.com/sclorg/nginx-container.git nginx-container +cd nginx-container/examples/1.26/ +``` + +#### 3. Prepare an application inside a container + +This step usually consists of at least these parts: + +* putting the application source into the container +* moving configuration files to the correct place (if available in the application source code) +* setting the default command in the resulting image + +For all these three parts, you can either set up all manually and use the `nginx` command explicitly in the Dockerfile ([3.1.](#31-to-use-own-setup-create-a-dockerfile-with-this-content)), or you can use the Source-to-Image scripts inside the image ([3.2.](#32-to-use-the-source-to-image-scripts-and-build-an-image-using-a-dockerfile-create-a-dockerfile-with-this-content); see more about these scripts in the section "Source-to-Image framework and scripts" above), that already know how to set-up and run some common Nginx applications. + +##### 3.1. To use your own setup, create a Dockerfile with this content: + +``` +FROM registry.access.redhat.com/ubi9/nginx-126 + +# Add application sources +ADD test-app/nginx.conf "${NGINX_CONF_PATH}" +ADD test-app/nginx-default-cfg/*.conf "${NGINX_DEFAULT_CONF_PATH}" +ADD test-app/nginx-cfg/*.conf "${NGINX_CONFIGURATION_PATH}" +ADD test-app/*.html . + +# Run script uses standard ways to run the application +CMD nginx -g "daemon off;" +``` + +##### 3.2. 
To use the Source-to-Image scripts and build an image using a Dockerfile, create a Dockerfile with this content: + +``` +FROM registry.access.redhat.com/ubi9/nginx-126 + +# Add application sources to a directory where the assemble script expects them +# and set permissions so that the container runs without root access +# With older docker that does not support --chown option for ADD statement, +# use these statements instead: +# USER 0 +# ADD app-src /tmp/src +# RUN chown -R 1001:0 /tmp/src +# USER 1001 +ADD --chown=1001:0 app-src /tmp/src + +# Let the assemble script to install the dependencies +RUN /usr/libexec/s2i/assemble + +# Run script uses standard ways to run the application +CMD /usr/libexec/s2i/run +``` + +#### 4. Build a new image from a Dockerfile prepared in the previous step +``` +podman build -t nginx-app . +``` + +#### 5. Run the resulting image with the final application +``` +podman run -d nginx-app +``` + + +Direct usage with a mounted directory +------------------------------------- +An example of the data on the host for the following example: +``` +$ ls -lZ /wwwdata/html +-rw-r--r--. 1 1001 1001 54321 Jan 01 12:34 index.html +-rw-r--r--. 1 1001 1001 5678 Jan 01 12:34 page.html +``` + +If you want to run the image directly and mount the static pages available in the `/wwwdata/` directory on the host +as a container volume, execute the following command: + +``` +$ podman run -d --name nginx -p 8080:8080 -v /wwwdata:/opt/app-root/src:Z ubi9/nginx-126 nginx -g "daemon off;" +``` + +This creates a container named `nginx` running the Nginx server, serving data from +the `/wwwdata/` directory. Port 8080 is exposed and mapped to the host. +You can pull the data from the nginx container using this command: + +``` +$ curl -Lk 127.0.0.1:8080 +``` + +You can replace `/wwwdata/` with location of your web root. Please note that this has to be an **absolute** path, due to podman requirements. 
+
+
+Environment variables and volumes
+---------------------------------
+The nginx container image supports the following configuration variable, which can be set by using the `-e` option with the podman run command:
+
+
+**`NGINX_LOG_TO_VOLUME`**
+ When `NGINX_LOG_TO_VOLUME` is set, nginx logs into `/var/log/nginx/`.
+
+
+Troubleshooting
+---------------
+By default, nginx access logs are written to standard output and error logs are written to standard error, so both are available in the container log. The log can be examined by running:
+
+ podman logs
+
+See also
+--------
+Dockerfile and other sources for this container image are available on
+https://github.com/sclorg/nginx-container.
+In that repository you also can find another versions of Python environment Dockerfiles.
+for RHEL8 it's `Dockerfile.rhel8`, Dockerfile for RHEL10 is called `Dockerfile.rhel10`,
+Dockerfile for CentOS Stream 9 is called `Dockerfile.c9s`,
+Dockerfile for CentOS Stream 10 is called `Dockerfile.c10s`, and the Fedora Dockerfile is called `Dockerfile.fedora`.
+
diff --git a/1.26-minimal/root/opt/app-root/etc/generate_container_user b/1.26-minimal/root/opt/app-root/etc/generate_container_user
new file mode 100644
index 00000000..229b986a
--- /dev/null
+++ b/1.26-minimal/root/opt/app-root/etc/generate_container_user
@@ -0,0 +1,9 @@
+# Set current user in nss_wrapper
+PASSWD_DIR="/opt/app-root/etc"
+
+export USER_ID=$(id -u)
+export GROUP_ID=$(id -g)
+envsubst < ${PASSWD_DIR}/passwd.template > ${PASSWD_DIR}/passwd
+export LD_PRELOAD=libnss_wrapper.so
+export NSS_WRAPPER_PASSWD=${PASSWD_DIR}/passwd
+export NSS_WRAPPER_GROUP=/etc/group
diff --git a/1.26-minimal/root/opt/app-root/etc/passwd.template b/1.26-minimal/root/opt/app-root/etc/passwd.template
new file mode 100644
index 00000000..7ad0b787
--- /dev/null
+++ b/1.26-minimal/root/opt/app-root/etc/passwd.template
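Review bot: `envsubst` is called with no variable list, so every `$NAME` reference in passwd.template is expanded from the container environment, and `${HOME}` is written into a passwd field without any check; a value containing `:` or a newline would change the structure of the generated file. Naming the variables limits the expansion to what the template is meant to use, and quoting the paths matches the quoted `cp` targets in the assemble script: `envsubst '${USER_ID} ${GROUP_ID} ${HOME}' < "${PASSWD_DIR}/passwd.template" > "${PASSWD_DIR}/passwd"`. `export USER_ID=$(id -u)` also hides a failing `id`; assigning first and exporting afterwards keeps the exit status visible. Because `LD_PRELOAD` is exported to every later process, a short header comment saying that the file is meant to be sourced (it has no shebang) and that it needs `libnss_wrapper.so` in the image would help.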
@@ -0,0 +1,15 @@
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin
+apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
diff --git a/1.26-minimal/root/opt/app-root/nginxconf-rhscl.sed b/1.26-minimal/root/opt/app-root/nginxconf-rhscl.sed
new file mode 100644
index 00000000..ed31f84c
--- /dev/null
+++ b/1.26-minimal/root/opt/app-root/nginxconf-rhscl.sed
@@ -0,0 +1,10 @@
+/listen/s%80%8080 default_server%
+s/^user *nginx;//
+s%/etc/nginx/conf.d/%/opt/app-root/etc/nginx.d/%
+s%/etc/nginx/default.d/%/opt/app-root/etc/nginx.default.d/%
+s%/usr/share/nginx/html%/opt/app-root/src%
+
+# See: https://github.com/sclorg/nginx-container/pull/69
+/error_page/d
+/40x.html/,+1d
+/50x.html/,+1d
diff --git a/1.26-minimal/root/opt/app-root/nginxconf.sed b/1.26-minimal/root/opt/app-root/nginxconf.sed
new file mode 100644
index 00000000..ed31f84c
--- /dev/null
+++ b/1.26-minimal/root/opt/app-root/nginxconf.sed
@@ -0,0 +1,10 @@
+/listen/s%80%8080 default_server%
+s/^user *nginx;//
+s%/etc/nginx/conf.d/%/opt/app-root/etc/nginx.d/%
+s%/etc/nginx/default.d/%/opt/app-root/etc/nginx.default.d/%
+s%/usr/share/nginx/html%/opt/app-root/src%
+
+# See: https://github.com/sclorg/nginx-container/pull/69
+/error_page/d
+/40x.html/,+1d
+/50x.html/,+1d
diff --git a/1.26-minimal/root/usr/share/container-scripts/nginx/common.sh b/1.26-minimal/root/usr/share/container-scripts/nginx/common.sh
new file mode 100644
index 00000000..319219cd
--- /dev/null
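Review bot: The first command of nginxconf-rhscl.sed, `/listen/s%80%8080 default_server%`, is unanchored: it rewrites the first `80` on any line that contains `listen`, comments and ports such as `8000` included, so the result depends on the exact layout of the packaged nginx.conf. Something like `/^[[:space:]]*listen/s%\b80\b%8080 default_server%` would restrict it to real listen directives on port 80 (the script already relies on GNU sed for `,+1d`). nginxconf.sed in the next hunk is byte-identical (same blob `ed31f84c`), so the same applies there. Which of the two files the image build applies is not visible in this patch; a header comment stating it would avoid keeping both in sync by hand.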
+++ b/1.26-minimal/root/usr/share/container-scripts/nginx/common.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# get_matched_files finds file for image extending
+function get_matched_files() {
+ local custom_dir default_dir
+ custom_dir="$1"
+ default_dir="$2"
+ files_matched="$3"
+ find "$default_dir" -maxdepth 1 -type f -name "$files_matched" -printf "%f\n"
+ [ -d "$custom_dir" ] && find "$custom_dir" -maxdepth 1 -type f -name "$files_matched" -printf "%f\n"
+}
+
+# process_extending_files process extending files in $1 and $2 directories
+# - source all *.sh files
+# (if there are files with same name source only file from $1)
+function process_extending_files() {
+ local custom_dir default_dir
+ custom_dir=$1
+ default_dir=$2
+ while read filename ; do
+ if [ $filename ]; then
+ echo "=> sourcing $filename ..."
+ # Custom file is prefered
+ if [ -f $custom_dir/$filename ]; then
+ source $custom_dir/$filename
+ elif [ -f $default_dir/$filename ]; then
+ source $default_dir/$filename
+ fi
+ fi
+ done <<<"$(get_matched_files "$custom_dir" "$default_dir" '*.sh' | sort -u)"
+}
\ No newline at end of file
diff --git a/1.26-minimal/s2i/bin/assemble b/1.26-minimal/s2i/bin/assemble
new file mode 100755
index 00000000..0efe737d
--- /dev/null
+++ b/1.26-minimal/s2i/bin/assemble
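Review bot: In `process_extending_files` the file name read from `find` is used unquoted in `[ $filename ]`, `[ -f $custom_dir/$filename ]` and `source $custom_dir/$filename`, so a start-hook name containing spaces or glob characters is word-split before it is tested and sourced; those names come from the application's `nginx-start` directory. Quoting the expansions and reading with `IFS= read -r` fixes that, as in the excerpt below. The file also declares `#!/bin/sh` while using `function`, `local`, `source` and `<<<`, so the shebang should be `#!/bin/bash` (or be dropped, since the file is only sourced). `files_matched` in `get_matched_files` is missing from the `local` list and leaks into the caller's scope.

```shell
  while IFS= read -r filename; do
    if [ -n "$filename" ]; then
      # … unchanged: "=> sourcing" message and comment …
      if [ -f "$custom_dir/$filename" ]; then
        source "$custom_dir/$filename"
      elif [ -f "$default_dir/$filename" ]; then
        source "$default_dir/$filename"
      fi
    fi
  # … unchanged: done <<< here-string over get_matched_files | sort -u …
```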
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+echo "---> Installing application source"
+cp -Rf /tmp/src/. ./
+
+# Fix source directory permissions
+fix-permissions ./
+
+if [ -f ./nginx.conf ]; then
+ echo "---> Copying nginx.conf configuration file..."
+ cp -v ./nginx.conf "${NGINX_CONF_PATH}"
+ rm -f ./nginx.conf
+fi
+
+if [ -d ./nginx-cfg ]; then
+ echo "---> Copying nginx configuration files..."
+ if [ "$(ls -A ./nginx-cfg/*.conf)" ]; then
+ cp -av ./nginx-cfg/*.conf "${NGINX_CONFIGURATION_PATH}"
+ rm -rf ./nginx-cfg
+ fi
+ chmod -Rf g+rw ${NGINX_CONFIGURATION_PATH}
+fi
+
+if [ -d ./nginx-default-cfg ]; then
+ echo "---> Copying nginx default server configuration files..."
+ if [ "$(ls -A ./nginx-default-cfg/*.conf)" ]; then
+ cp -av ./nginx-default-cfg/*.conf "${NGINX_DEFAULT_CONF_PATH}"
+ rm -rf ./nginx-default-cfg
+ fi
+ chmod -Rf g+rw ${NGINX_DEFAULT_CONF_PATH}
+fi
+
+if [ -d ./nginx-start ]; then
+ echo "---> Copying nginx start-hook scripts..."
+ if [ "$(ls -A ./nginx-start/* 2>/dev/null)" ]; then
+ cp -av ./nginx-start/* "${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start/"
+ rm -rf ./nginx-start
+ fi
+fi
+
+if [ -n "${NGINX_PERL_MODULE_PATH}" ] && [ -d ./nginx-perl ]; then
+ echo "---> Copying nginx perl module files..."
+ if [ "$(ls -A ./nginx-perl/*.pm)" ]; then
+ cp -av ./nginx-perl/*.pm "${NGINX_PERL_MODULE_PATH}"
+ rm -rf ./nginx-perl
+ fi
+ chmod -Rf g+rw ${NGINX_PERL_MODULE_PATH}
+fi
diff --git a/1.26-minimal/s2i/bin/run b/1.26-minimal/s2i/bin/run
new file mode 100755
index 00000000..fd24fa40
--- /dev/null
+++ b/1.26-minimal/s2i/bin/run
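Review bot: `rm -rf ./nginx-cfg` (and likewise `./nginx-default-cfg` and `./nginx-perl`) runs only inside the `ls -A …` test, so a configuration directory with no matching file stays in the application directory after the build. If that directory is the served root, as the `/usr/share/nginx/html` to `/opt/app-root/src` rewrite in nginxconf.sed suggests, whatever it holds becomes downloadable; moving each `rm -rf` after the inner `fi` removes the directory in both cases. The `ls -A ./nginx-cfg/*.conf` tests also print an error when nothing matches (only the nginx-start one has `2>/dev/null`), and `compgen -G './nginx-cfg/*.conf' >/dev/null` is a quieter check under bash. `chmod -Rf g+rw ${NGINX_CONFIGURATION_PATH}` and the two similar lines should be quoted like the `cp` targets above them.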
@@ -0,0 +1,16 @@ +#!/bin/bash + +source /opt/app-root/etc/generate_container_user + +set -e + +source ${NGINX_CONTAINER_SCRIPTS_PATH}/common.sh + +process_extending_files ${NGINX_APP_ROOT}/src/nginx-start ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start + +if [ ! -v NGINX_LOG_TO_VOLUME -a -v NGINX_LOG_PATH ]; then + /bin/ln -sf /dev/stdout ${NGINX_LOG_PATH}/access.log + /bin/ln -sf /dev/stderr ${NGINX_LOG_PATH}/error.log +fi + +exec nginx -g "daemon off;" diff --git a/1.26-minimal/s2i/bin/usage b/1.26-minimal/s2i/bin/usage new file mode 100755 index 00000000..2abe6c1d --- /dev/null +++ b/1.26-minimal/s2i/bin/usage @@ -0,0 +1,19 @@ +#!/bin/sh + +DISTRO=`cat /etc/*-release | grep ^ID= | grep -Po '".*?"' | tr -d '"'` + +cat < Date: Mon, 20 Apr 2026 16:02:52 +0200 Subject: [PATCH 2/5] use postgresql as a template --- 1.26-minimal/Dockerfile.c11s | 92 ++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/1.26-minimal/Dockerfile.c11s b/1.26-minimal/Dockerfile.c11s index e69de29b..c779d209 100644 --- a/1.26-minimal/Dockerfile.c11s +++ b/1.26-minimal/Dockerfile.c11s 
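Review bot: In s2i/bin/run, `source /opt/app-root/etc/generate_container_user` runs before `set -e`, so a failing `envsubst` or an unwritable passwd file there goes unnoticed and nginx is still started with `LD_PRELOAD` and `NSS_WRAPPER_PASSWD` pointing at an empty or partial file. Moving `set -e` above the `source` line makes that failure stop the container start. The test `[ ! -v NGINX_LOG_TO_VOLUME -a -v NGINX_LOG_PATH ]` uses the obsolescent `-a`; under bash `[[ ! -v NGINX_LOG_TO_VOLUME && -v NGINX_LOG_PATH ]]` is unambiguous. The `${NGINX_CONTAINER_SCRIPTS_PATH}`, `${NGINX_APP_ROOT}` and `${NGINX_LOG_PATH}` expansions are unquoted throughout the script.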
@@ -0,0 +1,92 @@
+FROM quay.io/centos/centos:stream10
+
+# PostgreSQL image for OpenShift.
+# Volumes:
+# * /var/lib/pgsql/data - Database cluster for PostgreSQL
+# Environment:
+# * $POSTGRESQL_USER - Database user name
+# * $POSTGRESQL_PASSWORD - User's password
+# * $POSTGRESQL_DATABASE - Name of the database to create
+# * $POSTGRESQL_ADMIN_PASSWORD (Optional) - Password for the 'postgres'
+# PostgreSQL administrative account
+
+ENV POSTGRESQL_VERSION=18 \
+ POSTGRESQL_PREV_VERSION=16 \
+ HOME=/var/lib/pgsql \
+ PGUSER=postgres \
+ # Path to be used in other layers to place s2i scripts into
+ STI_SCRIPTS_PATH=/usr/libexec/s2i \
+ HOME=/opt/app-root/src \
+ APP_DATA=/opt/app-root
+
+ENV SUMMARY="PostgreSQL is an advanced Object-Relational database management system" \
+ DESCRIPTION="PostgreSQL is an advanced Object-Relational database management system (DBMS). \
+The image contains the client and server programs that you'll need to \
+create, run, maintain and access a PostgreSQL DBMS server."
+
+LABEL summary="$SUMMARY" \
+ description="$DESCRIPTION" \
+ io.k8s.description="$DESCRIPTION" \
+ io.k8s.display-name="PostgreSQL 18" \
+ io.openshift.expose-services="5432:postgresql" \
+ io.openshift.tags="database,postgresql,postgresql18,postgresql-18" \
+ io.openshift.s2i.assemble-user="26" \
+ name="sclorg/postgresql-18-minimal-c11s" \
+ com.redhat.component="postgresql-18-container" \
+ version="1" \
+ usage="podman run -d --name postgresql_database -e POSTGRESQL_USER=user -e POSTGRESQL_PASSWORD=pass -e POSTGRESQL_DATABASE=db -p 5432:5432 sclorg/postgresql-18-minimal-c11s" \
+ maintainer="SoftwareCollections.org "
+
+EXPOSE 5432
+
+COPY root/usr/libexec/fix-permissions /usr/libexec/fix-permissions
+
+# This image must forever use UID 26 for postgres user so our volumes are
+# safe in the future. This should *never* change, the last test is there
+# to make sure of that.
+RUN INSTALL_PKGS="rsync tar gettext-envsubst nss_wrapper-libs glibc-locale-source xz" && \
+ PSQL_PKGS="postgresql18-server postgresql18-contrib postgresql18-upgrade" && \
+ INSTALL_PKGS="$INSTALL_PKGS postgresql18-pgaudit" && \
+ PSQL_PKGS="$PSQL_PKGS postgresql18-pgvector" && \
+ microdnf -y --setopt=tsflags=nodocs install $INSTALL_PKGS $PSQL_PKGS && \
+ rpm -V $INSTALL_PKGS && \
+ postgres -V | grep -qe "$POSTGRESQL_VERSION\." && echo "Found VERSION $POSTGRESQL_VERSION" && \
+ microdnf -y clean all --enablerepo='*' && \
+ mkdir -p ${HOME}/.pki/nssdb && \
+ chown -R 1001:0 ${HOME}/.pki && \
+ localedef -f UTF-8 -i en_US en_US.UTF-8 && \
+ test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" && \
+ mkdir -p /var/lib/pgsql/data && \
+ mkdir -p /run/postgresql && \
+ /usr/libexec/fix-permissions /var/lib/pgsql /run/postgresql
+
+# Get prefix path and path to scripts rather than hard-code them in scripts
+ENV CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/postgresql
+
+COPY root /
+COPY ./s2i/bin/ $STI_SCRIPTS_PATH
+
+# Hard links are not supported in Testing Farm approach during sync to guest
+# operation system. Therefore tests are failing on error
+# /usr/libexec/s2i/run no such file or directory
+RUN ln -s /usr/bin/run-postgresql $STI_SCRIPTS_PATH/run
+
+
+# S2I permission fixes
+# --------------------
+# 1. unless specified otherwise (or - equivalently - we are in OpenShift), s2i
+# build process would be executed as 'uid=26(postgres) gid=26(postgres)'.
+# Such process wouldn't be able to execute the default 'assemble' script
+# correctly (it transitively executes 'fix-permissions' script). So let's
+# add the 'postgres' user into 'root' group here
+#
+# 2. we call fix-permissions on $APP_DATA here directly (UID=0 during build
+# anyways) to assure that s2i process is actually able to _read_ the
+# user-specified scripting.
+RUN usermod -a -G root postgres && \
+ /usr/libexec/fix-permissions --read-only "$APP_DATA"
+
+USER 26
+
+ENTRYPOINT ["container-entrypoint"]
+CMD ["run-postgresql"]
From 67c51503b32d5943910e7ff28f23b7c880502400 Mon Sep 17 00:00:00 2001
From: Nikola Davidova
Date: Mon, 20 Apr 2026 16:19:54 +0200
Subject: [PATCH 3/5] update Dockerfile.c11s
---
1.26-minimal/Dockerfile.c11s | 149 +++++++++++++++++------------------
1 file changed, 74 insertions(+), 75 deletions(-)
diff --git a/1.26-minimal/Dockerfile.c11s b/1.26-minimal/Dockerfile.c11s
index c779d209..013e1387 100644
--- a/1.26-minimal/Dockerfile.c11s
+++ b/1.26-minimal/Dockerfile.c11s
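Review bot: `FROM quay.io/centos/centos:stream10` is a mutable tag and does not match the file name `Dockerfile.c11s` or the `…-minimal-c11s` image name in the labels; the next commit keeps the FROM line as context, so the mismatch survives it. If a c11s base is simply not published yet, a comment saying so would help, and pinning the base by digest would make rebuilds reproducible. The rest of this hunk is the PostgreSQL image definition copied as-is (`USER 26`, `EXPOSE 5432`, and a `COPY root/usr/libexec/fix-permissions` whose source file the first patch does not add), so this intermediate commit probably cannot build an nginx image; squashing it into the follow-up commit would keep the history clean. `HOME` is also assigned twice in the first `ENV`.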
@@ -1,92 +1,91 @@ FROM quay.io/centos/centos:stream10 -# PostgreSQL image for OpenShift. -# Volumes: -# * /var/lib/pgsql/data - Database cluster for PostgreSQL -# Environment: -# * $POSTGRESQL_USER - Database user name -# * $POSTGRESQL_PASSWORD - User's password -# * $POSTGRESQL_DATABASE - Name of the database to create -# * $POSTGRESQL_ADMIN_PASSWORD (Optional) - Password for the 'postgres' -# PostgreSQL administrative account +EXPOSE 8080 +EXPOSE 8443 -ENV POSTGRESQL_VERSION=18 \ - POSTGRESQL_PREV_VERSION=16 \ - HOME=/var/lib/pgsql \ - PGUSER=postgres \ - # Path to be used in other layers to place s2i scripts into - STI_SCRIPTS_PATH=/usr/libexec/s2i \ - HOME=/opt/app-root/src \ - APP_DATA=/opt/app-root +ENV NAME=nginx \ + NGINX_VERSION=1.26 \ + NGINX_SHORT_VER=126 \ + VERSION=0 -ENV SUMMARY="PostgreSQL is an advanced Object-Relational database management system" \ - DESCRIPTION="PostgreSQL is an advanced Object-Relational database management system (DBMS). \ -The image contains the client and server programs that you'll need to \ -create, run, maintain and access a PostgreSQL DBMS server." +ENV SUMMARY="Platform for running nginx $NGINX_VERSION or building nginx-based application" \ + DESCRIPTION="Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP \ +protocols, with a strong focus on high concurrency, performance and low memory usage. The container \ +image provides a containerized packaging of the nginx $NGINX_VERSION daemon. The image can be used \ +as a base image for other applications based on nginx $NGINX_VERSION web server. \ +Nginx server image can be extended using source-to-image tool." 
-LABEL summary="$SUMMARY" \ - description="$DESCRIPTION" \ - io.k8s.description="$DESCRIPTION" \ - io.k8s.display-name="PostgreSQL 18" \ - io.openshift.expose-services="5432:postgresql" \ - io.openshift.tags="database,postgresql,postgresql18,postgresql-18" \ - io.openshift.s2i.assemble-user="26" \ - name="sclorg/postgresql-18-minimal-c11s" \ - com.redhat.component="postgresql-18-container" \ +LABEL summary="${SUMMARY}" \ + description="${DESCRIPTION}" \ + io.k8s.description="${DESCRIPTION}" \ + io.k8s.display-name="Nginx ${NGINX_VERSION}" \ + io.openshift.expose-services="8080:http" \ + io.openshift.expose-services="8443:https" \ + io.openshift.tags="builder,${NAME},${NAME}-${NGINX_SHORT_VER}" \ + com.redhat.component="${NAME}-${NGINX_SHORT_VER}-container" \ + name="sclorg/${NAME}-${NGINX_SHORT_VER}-minimal-c11s" \ version="1" \ - usage="podman run -d --name postgresql_database -e POSTGRESQL_USER=user -e POSTGRESQL_PASSWORD=pass -e POSTGRESQL_DATABASE=db -p 5432:5432 sclorg/postgresql-18-minimal-c11s" \ - maintainer="SoftwareCollections.org " - -EXPOSE 5432 + com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI" \ + maintainer="SoftwareCollections.org " \ + help="For more information visit https://github.com/sclorg/${NAME}-container" \ + usage="s2i build quay.io/sclorg/${NAME}-${NGINX_SHORT_VER}-minimal-c11s:latest " -COPY root/usr/libexec/fix-permissions /usr/libexec/fix-permissions +# Install nginx and required packages using microdnf +RUN INSTALL_PKGS="nginx nss_wrapper-libs gettext hostname findutils tar" && \ + microdnf -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ + nginx -v 2>&1 | grep -qe "$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \ + microdnf -y clean all --enablerepo='*' -# This image must forever use UID 26 for postgres user so our volumes are -# safe in the future. This should *never* change, the last test is there -# to make sure of that. 
-RUN INSTALL_PKGS="rsync tar gettext-envsubst nss_wrapper-libs glibc-locale-source xz" && \ - PSQL_PKGS="postgresql18-server postgresql18-contrib postgresql18-upgrade" && \ - INSTALL_PKGS="$INSTALL_PKGS postgresql18-pgaudit" && \ - PSQL_PKGS="$PSQL_PKGS postgresql18-pgvector" && \ - microdnf -y --setopt=tsflags=nodocs install $INSTALL_PKGS $PSQL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - postgres -V | grep -qe "$POSTGRESQL_VERSION\." && echo "Found VERSION $POSTGRESQL_VERSION" && \ - microdnf -y clean all --enablerepo='*' && \ - mkdir -p ${HOME}/.pki/nssdb && \ - chown -R 1001:0 ${HOME}/.pki && \ - localedef -f UTF-8 -i en_US en_US.UTF-8 && \ - test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" && \ - mkdir -p /var/lib/pgsql/data && \ - mkdir -p /run/postgresql && \ - /usr/libexec/fix-permissions /var/lib/pgsql /run/postgresql +# These variables are normally provided by s2i-core, but we're using minimal base +ENV HOME=/opt/app-root/src \ + STI_SCRIPTS_PATH=/usr/libexec/s2i \ + APP_ROOT=/opt/app-root -# Get prefix path and path to scripts rather than hard-code them in scripts -ENV CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/postgresql +ENV NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \ + NGINX_CONF_PATH=/etc/nginx/nginx.conf \ + NGINX_DEFAULT_CONF_PATH=${APP_ROOT}/etc/nginx.default.d \ + NGINX_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/nginx \ + NGINX_APP_ROOT=${APP_ROOT} \ + NGINX_LOG_PATH=/var/log/nginx COPY root / COPY ./s2i/bin/ $STI_SCRIPTS_PATH -# Hard links are not supported in Testing Farm approach during sync to guest -# operation system. 
Therefore tests are failing on error -# /usr/libexec/s2i/run no such file or directory -RUN ln -s /usr/bin/run-postgresql $STI_SCRIPTS_PATH/run +# Changing ownership and user rights to support following use-cases: +# 1) running container on OpenShift, whose default security model +# is to run the container under random UID, but GID=0 +# 2) for working root-less container with UID=1001, which does not have +# to have GID=0 +# 3) for default use-case, that is running container directly on operating system, +# with default UID and GID (1001:0) +# Supported combinations of UID:GID are thus following: +# UID=1001 && GID=0 +# UID=&& GID=0 +# UID=1001 && GID= +RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \ + mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \ + mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \ + mkdir -p ${NGINX_APP_ROOT}/src/nginx-start/ && \ + mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ + mkdir -p ${NGINX_LOG_PATH} && \ + chown -R 1001:0 ${NGINX_CONF_PATH} && \ + chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \ + chown -R 1001:0 ${NGINX_APP_ROOT}/src/nginx-start/ && \ + chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ + chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \ + chmod ug+rw ${NGINX_CONF_PATH} && \ + chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \ + chmod -R ug+rwX ${NGINX_APP_ROOT}/src/nginx-start/ && \ + chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ + chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run +USER 1001 -# S2I permission fixes -# -------------------- -# 1. unless specified otherwise (or - equivalently - we are in OpenShift), s2i -# build process would be executed as 'uid=26(postgres) gid=26(postgres)'. -# Such process wouldn't be able to execute the default 'assemble' script -# correctly (it transitively executes 'fix-permissions' script). So let's -# add the 'postgres' user into 'root' group here -# -# 2. 
we call fix-permissions on $APP_DATA here directly (UID=0 during build -# anyways) to assure that s2i process is actually able to _read_ the -# user-specified scripting. -RUN usermod -a -G root postgres && \ - /usr/libexec/fix-permissions --read-only "$APP_DATA" +STOPSIGNAL SIGQUIT -USER 26 +# Not using VOLUME statement since it's not working in OpenShift Online: +# https://github.com/sclorg/httpd-container/issues/30 +# VOLUME ["/usr/share/nginx/html"] +# VOLUME ["/var/log/nginx/"] -ENTRYPOINT ["container-entrypoint"] -CMD ["run-postgresql"] +CMD $STI_SCRIPTS_PATH/usage From 2b9327f209e115c87c1ae8f44d350eaac7827cfb Mon Sep 17 00:00:00 2001 From: Nikola Davidova Date: Mon, 20 Apr 2026 18:23:35 +0200 Subject: [PATCH 4/5] update Dockerfile.rhel11 --- 1.26-minimal/Dockerfile.rhel11 | 91 ++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/1.26-minimal/Dockerfile.rhel11 b/1.26-minimal/Dockerfile.rhel11 index e69de29b..85bdddab 100644 --- a/1.26-minimal/Dockerfile.rhel11 +++ b/1.26-minimal/Dockerfile.rhel11 
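Review bot: In the `LABEL` instruction of 1.26-minimal/Dockerfile.c11s, `io.openshift.expose-services` is assigned twice; as far as I know a repeated key in one LABEL keeps only the last value, so the image would advertise `8443:https` and drop `8080:http`. Use a single comma-separated value instead: `io.openshift.expose-services="8080:http,8443:https" \`. The same duplicate is in the new Dockerfile.rhel11 hunk of PATCH 4/5. Separately, the new install RUN no longer has the `rpm -V $INSTALL_PKGS && \` verification that the replaced RUN carried; consider keeping it after the `microdnf ... install` line.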
@@ -0,0 +1,91 @@ +FROM ubi10-minimal:latest + +EXPOSE 8080 +EXPOSE 8443 + +ENV NAME=nginx \ + NGINX_VERSION=1.26 \ + NGINX_SHORT_VER=126 \ + VERSION=0 + +ENV SUMMARY="Platform for running nginx $NGINX_VERSION or building nginx-based application" \ + DESCRIPTION="Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP \ +protocols, with a strong focus on high concurrency, performance and low memory usage. The container \ +image provides a containerized packaging of the nginx $NGINX_VERSION daemon. The image can be used \ +as a base image for other applications based on nginx $NGINX_VERSION web server. \ +Nginx server image can be extended using source-to-image tool." + +LABEL summary="${SUMMARY}" \ + description="${DESCRIPTION}" \ + io.k8s.description="${DESCRIPTION}" \ + io.k8s.display-name="Nginx ${NGINX_VERSION}" \ + io.openshift.expose-services="8080:http" \ + io.openshift.expose-services="8443:https" \ + io.openshift.tags="builder,${NAME},${NAME}-${NGINX_SHORT_VER}" \ + com.redhat.component="${NAME}-${NGINX_SHORT_VER}-container" \ + name="rhel11/${NAME}-${NGINX_SHORT_VER}-minimal" \ + version="1" \ + com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#rhel" \ + maintainer="SoftwareCollections.org " \ + help="For more information visit https://github.com/sclorg/${NAME}-container" \ + usage="podman run -d --name nginx -p 8080:8080 rhel11/${NAME}-${NGINX_SHORT_VER}-minimal" + +# Install nginx and required packages using microdnf +RUN INSTALL_PKGS="nginx nss_wrapper-libs gettext hostname findutils tar" && \ + microdnf -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ + nginx -v 2>&1 | grep -qe "$NGINX_VERSION\." 
&& echo "Found VERSION $NGINX_VERSION" && \ + microdnf -y clean all --enablerepo='*' + +# These variables are normally provided by s2i-core, but we're using minimal base +ENV HOME=/opt/app-root/src \ + STI_SCRIPTS_PATH=/usr/libexec/s2i \ + APP_ROOT=/opt/app-root + +ENV NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \ + NGINX_CONF_PATH=/etc/nginx/nginx.conf \ + NGINX_DEFAULT_CONF_PATH=${APP_ROOT}/etc/nginx.default.d \ + NGINX_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/nginx \ + NGINX_APP_ROOT=${APP_ROOT} \ + NGINX_LOG_PATH=/var/log/nginx + +COPY root / +COPY ./s2i/bin/ $STI_SCRIPTS_PATH + +# Changing ownership and user rights to support following use-cases: +# 1) running container on OpenShift, whose default security model +# is to run the container under random UID, but GID=0 +# 2) for working root-less container with UID=1001, which does not have +# to have GID=0 +# 3) for default use-case, that is running container directly on operating system, +# with default UID and GID (1001:0) +# Supported combinations of UID:GID are thus following: +# UID=1001 && GID=0 +# UID=&& GID=0 +# UID=1001 && GID= +RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \ + mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \ + mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \ + mkdir -p ${NGINX_APP_ROOT}/src/nginx-start/ && \ + mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ + mkdir -p ${NGINX_LOG_PATH} && \ + chown -R 1001:0 ${NGINX_CONF_PATH} && \ + chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \ + chown -R 1001:0 ${NGINX_APP_ROOT}/src/nginx-start/ && \ + chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ + chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \ + chmod ug+rw ${NGINX_CONF_PATH} && \ + chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \ + chmod -R ug+rwX ${NGINX_APP_ROOT}/src/nginx-start/ && \ + chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ + chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run + +USER 1001 + +STOPSIGNAL 
SIGQUIT + +# Not using VOLUME statement since it's not working in OpenShift Online: +# https://github.com/sclorg/httpd-container/issues/30 +# VOLUME ["/usr/share/nginx/html"] +# VOLUME ["/var/log/nginx/"] + +CMD $STI_SCRIPTS_PATH/usage From 58e1e621728f6e65dc921406a969f12aec0660b4 Mon Sep 17 00:00:00 2001 From: Nikola Davidova Date: Wed, 29 Apr 2026 17:53:53 +0200 Subject: [PATCH 5/5] fix copy commands --- 1.26-minimal/Dockerfile.rhel11 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/1.26-minimal/Dockerfile.rhel11 b/1.26-minimal/Dockerfile.rhel11 index 85bdddab..f582d32b 100644 --- a/1.26-minimal/Dockerfile.rhel11 +++ b/1.26-minimal/Dockerfile.rhel11 @@ -48,8 +48,8 @@ ENV NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \ NGINX_APP_ROOT=${APP_ROOT} \ NGINX_LOG_PATH=/var/log/nginx -COPY root / -COPY ./s2i/bin/ $STI_SCRIPTS_PATH +COPY $NGINX_VERSION/root / +COPY $NGINX_VERSION/s2i/bin/ $STI_SCRIPTS_PATH # Changing ownership and user rights to support following use-cases: # 1) running container on OpenShift, whose default security model
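Review bot: `FROM ubi10-minimal:latest` at the top of the new Dockerfile.rhel11 names the base image without a registry and with a floating tag, so the image pulled depends on the builder's short-name resolution and on whatever `latest` points to at build time. Unless the build system rewrites this line (not visible here), use a fully qualified, pinned reference such as `FROM <registry>/ubi10-minimal@sha256:<digest>` (placeholders, to be filled in with the real values). The file name and the `name="rhel11/..."` label say RHEL 11 while the base is UBI 10; if that is intended, a one-line comment above `FROM` would say so.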
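Review bot: The new `COPY $NGINX_VERSION/root /` and `COPY $NGINX_VERSION/s2i/bin/ $STI_SCRIPTS_PATH` lines expand to `1.26/root` and `1.26/s2i/bin/`, because PATCH 4/5 sets `NGINX_VERSION=1.26` in this Dockerfile, while the files this series adds live under `1.26-minimal/`. With the repository root as build context (which the new paths imply), the image would take its configuration and s2i scripts from a different directory, or the build fails if `1.26/` does not exist. Spell the directory out: `COPY 1.26-minimal/root /` and `COPY 1.26-minimal/s2i/bin/ $STI_SCRIPTS_PATH`. Dockerfile.c11s still uses `COPY root /`, so the two files now expect different build contexts; the hunk shows only part of the file.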