Commit 30a77bf

feat: Add support for custom uid:gid for NGINX Plus unprivileged images (#46)
1 parent f6c7ed0 commit 30a77bf

2 files changed

+92
-67
lines changed

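--- a/nginx/docker-image-builder/README.md
+++ b/nginx/docker-image-builder/README.md
@@ -51,6 +51,7 @@ NGINX Docker Image builder
 -w - Add NGINX App Protect WAF (requires NGINX Plus)
 -O - Use NGINX Open Source instead of NGINX Plus
 -u - Build unprivileged image (only for NGINX Plus)
+-i [uid:gid] - Set NGINX UID and GID (only for unprivileged images)
 -a [2|3] - Add NGINX Agent v2 or v3
 
 === Examples:
@@ -64,6 +65,9 @@ NGINX Docker Image builder
 NGINX Plus, NGINX App Protect WAF and NGINX Agent unprivileged image:
 ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -a 2
 
+NGINX Plus, NGINX App Protect WAF and NGINX Agent unprivileged image, custom UID and GID:
+./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -i 1234:1234 -a 2
+
 NGINX Opensource and NGINX Agent image:
 ./scripts/build.sh -O -t registry.ff.lan:31005/nginx-docker:oss-root -a 2
 ```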

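--- a/nginx/docker-image-builder/scripts/build.sh
+++ b/nginx/docker-image-builder/scripts/build.sh
@@ -14,6 +14,7 @@ $0 [options]\n\n
 -w\t\t\t- Add NGINX App Protect WAF (requires NGINX Plus)\n
 -O\t\t\t- Use NGINX Open Source instead of NGINX Plus\n
 -u\t\t\t- Build unprivileged image (only for NGINX Plus)\n
+-i [uid:gid]\t\t- Set NGINX UID and GID (only for unprivileged images)\n
 -a [2|3]\t\t- Add NGINX Agent v2 or v3\n\n
 === Examples:\n\n
 NGINX Plus and NGINX Agent image:\n
@@ -25,107 +26,127 @@ NGINX Plus, NGINX App Protect WAF and NGINX Agent image:\n
 NGINX Plus, NGINX App Protect WAF and NGINX Agent unprivileged image:\n
 $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -a 2\n\n
 
+NGINX Plus, NGINX App Protect WAF and NGINX Agent unprivileged image, custom UID and GID:\n
+$0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -i 1234:1234 -a 2\n\n
+
 NGINX Opensource and NGINX Agent image:\n
 $0 -O -t registry.ff.lan:31005/nginx-docker:oss-root -a 2\n"
 
-while getopts 'ht:C:K:a:wOu' OPTION
+NGINX_UID=101
+NGINX_GID=101
+
+while getopts 'ht:C:K:a:wOui:' OPTION
 do
-case "$OPTION" in
-h)
-echo -e $BANNER
-exit
-;;
-t)
-IMAGENAME=$OPTARG
-;;
-C)
-NGINX_CERT=$OPTARG
-;;
-K)
-NGINX_KEY=$OPTARG
-;;
-a)
-NGINX_AGENT=true
-NGINX_AGENT_VERSION=$OPTARG
-;;
-w)
-NAP_WAF=true
-;;
-O)
-NGINX_OSS=true
-;;
-u)
-UNPRIVILEGED=true
-;;
-esac
+case "$OPTION" in
+h)
+echo -e $BANNER
+exit
+;;
+t)
+IMAGENAME=$OPTARG
+;;
+C)
+NGINX_CERT=$OPTARG
+;;
+K)
+NGINX_KEY=$OPTARG
+;;
+a)
+NGINX_AGENT=true
+NGINX_AGENT_VERSION=$OPTARG
+;;
+w)
+NAP_WAF=true
+;;
+O)
+NGINX_OSS=true
+;;
+u)
+UNPRIVILEGED=true
+;;
+i)
+NGINX_UID=`echo $OPTARG | awk -F: '{print $1}'`
+NGINX_GID=`echo $OPTARG | awk -F: '{print $2}'`
+;;
+esac
 done
 
 if [ -z "$1" ]
 then
-echo -e $BANNER
-exit
+echo -e $BANNER
+exit
 fi
 
 if [ -z "${IMAGENAME}" ]
 then
-echo "Docker image name is required"
-exit
+echo "Docker image name is required"
+exit
 fi
 
 if [ -z "${NGINX_AGENT_VERSION}" ]
 then
-echo "NGINX Agent version is required"
-exit
+echo "NGINX Agent version is required"
+exit
 fi
 
 if ([ -z "${NGINX_OSS}" ] && ([ -z "${NGINX_CERT}" ] || [ -z "${NGINX_KEY}" ]) )
 then
-echo "NGINX certificate and key are required for automated installation"
-exit
+echo "NGINX certificate and key are required for NGINX Plus"
+exit
 fi
 
-echo "=> Target docker image is $IMAGENAME"
+if ([ -z "${NGINX_UID}" ] || -z "${NGINX_GID}" ])
+then
+echo "Invalid UID and/or GID"
+exit
+fi
 
 if [ "${NGINX_AGENT}" ]
 then
-if [ "${NGINX_AGENT_VERSION}" -eq "2" ] || [ "${NGINX_AGENT_VERSION}" -eq "3" ]
-then
-echo "=> Building with NGINX Agent v${NGINX_AGENT_VERSION}"
-else
-echo "NGINX Agent version must be either '2' or '3'"
-exit
-fi
+if [ "${NGINX_AGENT_VERSION}" -eq "2" ] || [ "${NGINX_AGENT_VERSION}" -eq "3" ]
+then
+echo "=> Building with NGINX Agent v${NGINX_AGENT_VERSION}"
+else
+echo "NGINX Agent version must be either '2' or '3'"
+exit
+fi
 fi
 
+echo "=> Target docker image is $IMAGENAME"
+
 if ([ ! -z "${NAP_WAF}" ] && [ -z "${NGINX_OSS}" ])
 then
-echo "=> Building with NGINX App Protect WAF"
-OPT_PLATFORM="--platform linux/amd64" # for NGINX App Protect WAF, which is only available for x86_64
+echo "=> Building with NGINX App Protect WAF"
+OPT_PLATFORM="--platform linux/amd64" # for NGINX App Protect WAF, which is only available for x86_64
 fi
 
 if [ -z "${NGINX_OSS}" ]
 then
-if [ -z "${UNPRIVILEGED}" ]
-then
-DOCKERFILE_NAME=Dockerfile.plus
-echo "=> Building with NGINX Plus"
-else
-DOCKERFILE_NAME=Dockerfile.plus.unprivileged
-echo "=> Building with NGINX Plus unprivileged"
-fi
-
-DOCKER_BUILDKIT=1 docker build --no-cache -f $DOCKERFILE_NAME \
---secret id=nginx-key,src=$NGINX_KEY --secret id=nginx-crt,src=$NGINX_CERT \
---build-arg NAP_WAF=$NAP_WAF --build-arg NGINX_AGENT=$NGINX_AGENT \
---build-arg NGINX_AGENT_VERSION=$NGINX_AGENT_VERSION \
-$OPT_PLATFORM \
--t $IMAGENAME .
+if [ -z "${UNPRIVILEGED}" ]
+then
+DOCKERFILE_NAME=Dockerfile.plus
+echo "=> Building with NGINX Plus"
+else
+DOCKERFILE_NAME=Dockerfile.plus.unprivileged
+echo "=> Building with NGINX Plus unprivileged"
+fi
+
+echo "=> Using UID:GID $NGINX_UID:$NGINX_GID"
+
+DOCKER_BUILDKIT=1 docker build --no-cache -f $DOCKERFILE_NAME \
+--secret id=nginx-key,src=$NGINX_KEY --secret id=nginx-crt,src=$NGINX_CERT \
+--build-arg NAP_WAF=$NAP_WAF --build-arg NGINX_AGENT=$NGINX_AGENT \
+--build-arg NGINX_AGENT_VERSION=$NGINX_AGENT_VERSION \
+--build-arg UID=$NGINX_UID \
+--build-arg GID=$NGINX_GID \
+$OPT_PLATFORM \
+-t $IMAGENAME .
 else
-echo "=> Building with NGINX Open Source"
-DOCKER_BUILDKIT=1 docker build --no-cache -f Dockerfile.oss \
---build-arg NGINX_AGENT=$NGINX_AGENT \
---build-arg NGINX_AGENT_VERSION=$NGINX_AGENT_VERSION \
--t $IMAGENAME .
+echo "=> Building with NGINX Open Source"
+DOCKER_BUILDKIT=1 docker build --no-cache -f Dockerfile.oss \
+--build-arg NGINX_AGENT=$NGINX_AGENT \
+--build-arg NGINX_AGENT_VERSION=$NGINX_AGENT_VERSION \
+-t $IMAGENAME .
 fi
 
 echo "=> Build complete for $IMAGENAME"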
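Review bot: The new UID/GID guard at new line 98, `if ([ -z "${NGINX_UID}" ] || -z "${NGINX_GID}" ])`, is missing the opening `[` before `-z "${NGINX_GID}"`, so whenever a UID is present bash tries to execute a command named `-z`, prints "command not found", and the empty-GID case (e.g. `-i 1234`, which the awk split turns into an empty `$2`) is never rejected; it should read `if [ -z "${NGINX_UID}" ] || [ -z "${NGINX_GID}" ]`. Beyond that, the `i)` arm accepts any text, so `-i foo:bar` or `-i 0:0` goes straight into `--build-arg UID=... GID=...`, and `0:0` would yield an "unprivileged" image whose nginx user is root — the value should be checked as numeric and the UID rejected when it is 0 before it is accepted (GID 0 is deliberately left allowed since arbitrary-UID platforms commonly pair it with a random UID). The new guard also fails with a bare `exit`, i.e. status 0, so a CI caller cannot tell a rejected argument from a successful build; use `exit 1`. Note that UID/GID build args are now passed for the privileged Dockerfile.plus build too, although the help text says `-i` is only for unprivileged images; whether either Dockerfile declares matching `ARG UID`/`ARG GID` is not visible in this commit.

```shell
    i)
      # Accept only numeric uid:gid and refuse UID 0, otherwise the "unprivileged"
      # image would still run nginx as root inside the container
      if [[ ! "$OPTARG" =~ ^[0-9]+:[0-9]+$ ]] || [[ "${OPTARG%%:*}" -eq 0 ]]
      then
        echo "Invalid UID and/or GID: expected non-root numeric uid:gid, got '$OPTARG'" >&2
        exit 1
      fi
      NGINX_UID=${OPTARG%%:*}
      NGINX_GID=${OPTARG##*:}
      ;;
# … unchanged: remaining case arms, esac, done, image-name/agent/cert checks …
if [ -z "${NGINX_UID}" ] || [ -z "${NGINX_GID}" ]
then
  echo "Invalid UID and/or GID" >&2
  exit 1
fi
```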
