Skip to content

Commit 54fe0f0

Browse files
sjbermansjberman
authored
Update dockerfile packages (#4448)
Update packages for CVEs. Also removed unnecessary library from UBI build.
1 parent f536ed9 commit 54fe0f0

File tree

3 files changed

+6
-5
lines changed

3 files changed

+6
-5
lines changed

build/Dockerfile.nginx

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ ARG NJS_DIR
1212
ARG NGINX_CONF_DIR
1313
ARG BUILD_AGENT
1414

15+
# Fixes for CVEs; can be removed once base image is updated
16+
RUN apk update && apk add --no-cache 'libpng>=1.6.53-r0' 'ssl_client>=1.37.0-r20' 'busybox-binsh>=1.37.0-r20'
17+
1518
RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
1619
printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
1720
&& apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v}

build/ubi/Dockerfile.nginx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s
4343
&& microdnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \
4444
# Install nginx-agent
4545
&& microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
46-
# Clean up (only remove what we can)
46+
# Clean up
4747
&& microdnf clean all \
4848
&& rm -rf /var/cache/yum
4949

build/ubi/Dockerfile.nginxplus

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -36,9 +36,8 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos
3636
--mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \
3737
--mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
3838
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
39-
# Install shadow-utils for useradd
40-
microdnf --nodocs install -y shadow-utils \
41-
&& rpm --import /tmp/nginx_signing.key \
39+
# Import NGINX signing key
40+
rpm --import /tmp/nginx_signing.key \
4241
# Install c-ares from the dependencies image (contains required libs)
4342
&& rpm -Uvh /ubi-bin/c-ares-*.rpm \
4443
# Create nginx user with consistent UID/GID
@@ -50,7 +49,6 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos
5049
# Install nginx-agent
5150
&& microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \
5251
# Clean up
53-
&& microdnf remove -y shadow-utils \
5452
&& microdnf clean all \
5553
&& rm -rf /var/cache/yum
5654

0 commit comments

Comments
 (0)