
Commit 0c991fd

authored
Move common UBI tasks to script (#5997)
1 parent 08ec698 commit 0c991fd


3 files changed

+31
-20
lines changed


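--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -56,7 +56,7 @@ LABEL name="NGINX Ingress Controller" \
 COPY --link --chown=101:0 LICENSE /licenses/
 
 
-############################################# NGINX files for NGINX Plus #############################################
+############################################# NGINX files #############################################
 FROM scratch AS nginx-files
 ARG IC_VERSION
 ARG BUILD_OS
@@ -94,6 +94,8 @@ ADD --link --chown=101:0 --chmod=0755 build/scripts/common.sh common.sh
 ADD --link --chown=101:0 --chmod=0755 build/scripts/nap-waf.sh nap-waf.sh
 ADD --link --chown=101:0 --chmod=0755 build/scripts/nap-dos.sh nap-dos.sh
 ADD --link --chown=101:0 --chmod=0755 build/scripts/agent.sh agent.sh
+ADD --link --chown=101:0 --chmod=0755 build/scripts/ubi-setup.sh ubi-setup.sh
+ADD --link --chown=101:0 --chmod=0755 build/scripts/ubi-clean.sh ubi-clean.sh
 
 
 ############################################# Patch Image #############################################
@@ -327,14 +329,11 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \
-microdnf --nodocs install -y shadow-utils \
-&& cat /etc/yum.repos.d/nginx-plus.repo \
-&& groupadd --system --gid 101 nginx \
-&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
-&& rpm --import /tmp/nginx_signing.key \
+--mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \
+--mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \
+ubi-setup.sh \
 && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
-&& microdnf remove -y shadow-utils \
-&& microdnf clean all
+&& ubi-clean.sh
 
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAF #############################################
@@ -355,12 +354,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=app-protect-9.repo,target=/tmp/app-protect-9.repo \
 --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
 --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
+--mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \
+--mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \
 source /tmp/rhel_license \
 && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
-&& microdnf --nodocs install -y shadow-utils ca-certificates subscription-manager \
-&& groupadd --system --gid 101 nginx \
-&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
-&& rpm --import /tmp/nginx_signing.key \
+&& microdnf --nodocs install -y ca-certificates \
+&& ubi-setup.sh \
 && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
 && if [ "${NGINX_AGENT}" = "true" ]; then microdnf --nodocs install -y nginx-agent; fi \
 && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \
@@ -374,8 +373,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && nap-waf.sh \
 ; fi \
 && subscription-manager unregister \
-&& microdnf remove -y shadow-utils subscription-manager \
-&& microdnf clean all && rm -rf /var/cache/dnf \
+&& ubi-clean.sh \
 && if [ "${NGINX_AGENT}" = "true" ]; then \
 agent.sh \
 ; fi
@@ -398,12 +396,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=app-protect-v5-9.repo,target=/tmp/app-protect-9.repo \
 --mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
 --mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
+--mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \
+--mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \
 source /tmp/rhel_license \
 && rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
-&& microdnf --nodocs install -y shadow-utils ca-certificates subscription-manager \
-&& groupadd --system --gid 101 nginx \
-&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
-&& rpm --import /tmp/nginx_signing.key \
+&& microdnf --nodocs install -y ca-certificates \
+&& ubi-setup.sh \
 && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
 && if [ "${NGINX_AGENT}" = "true" ]; then microdnf --nodocs install -y nginx-agent; fi \
 && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \
@@ -419,8 +417,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && rm -f /etc/yum.repos.d/app-protect-9.repo; \
 fi \
 && subscription-manager unregister \
-&& microdnf remove -y shadow-utils subscription-manager \
-&& microdnf clean all && rm -rf /var/cache/dnf \
+&& ubi-clean.sh \
 && if [ "${NGINX_AGENT}" = "true" ]; then \
 agent.sh; \
 fi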
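Review bot: The NGINX Plus-only UBI stage (the hunk at new lines 329–337) now installs `subscription-manager` through `ubi-setup.sh`, although the visible lines of that RUN never register a subscription and the old code installed only `shadow-utils` there. That adds build-time packages to a stage that does not need them, and any dependencies that `microdnf remove` leaves behind would stay in the final image; comparing `rpm -qa` output for that image before and after the change would show whether the package set grew. One way to keep the shared scripts and the old package set is to pass the extra packages as arguments, e.g. `microdnf --nodocs install -y shadow-utils "$@"` in ubi-setup.sh and `microdnf remove -y shadow-utils "$@"` in ubi-clean.sh, with the two App Protect stages calling `ubi-setup.sh subscription-manager` and `ubi-clean.sh subscription-manager`. The RUN instructions touched here start and end outside the hunks, so this rests on the shown lines only.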

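--- a/build/scripts/ubi-clean.sh
+++ b/build/scripts/ubi-clean.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+microdnf remove -y shadow-utils subscription-manager
+microdnf clean all && rm -rf /var/cache/dnf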
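Review bot: The package list on the `microdnf remove` line has to stay in step with the install line in build/scripts/ubi-setup.sh, and nothing in either file says so. I would add `# Must mirror the packages installed by build/scripts/ubi-setup.sh` above it, because a package added to the setup script and forgotten here would remain in the shipped image. On the last line, `set -e` does not act on a failure to the left of `&&`, so a failed `microdnf clean all` only fails the script while this stays the final command; writing it as two lines, `microdnf clean all` and `rm -rf /var/cache/dnf`, keeps the fail-fast behaviour if more steps are appended later.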

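--- a/build/scripts/ubi-setup.sh
+++ b/build/scripts/ubi-setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+microdnf --nodocs install -y shadow-utils subscription-manager
+groupadd --system --gid 101 nginx
+useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx
+rpm --import /tmp/nginx_signing.key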
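Review bot: The script has no header comment stating what the calling RUN must provide, yet it depends on two things set up elsewhere: the signing key bind-mounted at `/tmp/nginx_signing.key`, and the UID/GID 101 that the `--chown=101:0` lines in build/Dockerfile assume. A short comment block after the shebang would record this, for example `# Requires: root, and /tmp/nginx_signing.key bind-mounted from the nginx-files stage` and `# Creates nginx user/group 101 to match --chown=101:0 in build/Dockerfile`. `rpm --import` trusts whatever key is mounted at that path without checking a fingerprint, so package signature verification is only as strong as the way the nginx-files stage obtains the key, which this commit does not show; the comment should say where that trust comes from.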
