From 0497bbc819694b7fd85ec946ec54281d4a0acdc6 Mon Sep 17 00:00:00 2001
From: Karen Santana
Date: Tue, 19 May 2026 14:11:06 +0100
Subject: [PATCH 1/4] Add Dockerfile for rootless image build
---
Makefile | 23 +++-
test/config/nginx/nginx-rootless-oss.conf | 56 ++++++++++
test/config/nginx/nginx-rootless-plus.conf | 56 ++++++++++
test/docker/nginx-rootless-oss/deb/Dockerfile | 94 ++++++++++++++++
.../docker/nginx-rootless-plus/deb/Dockerfile | 95 ++++++++++++++++
test/docker/rootless-entrypoint.sh | 105 ++++++++++++++++++
6 files changed, 428 insertions(+), 1 deletion(-)
create mode 100644 test/config/nginx/nginx-rootless-oss.conf
create mode 100644 test/config/nginx/nginx-rootless-plus.conf
create mode 100644 test/docker/nginx-rootless-oss/deb/Dockerfile
create mode 100644 test/docker/nginx-rootless-plus/deb/Dockerfile
create mode 100644 test/docker/rootless-entrypoint.sh
diff --git a/Makefile b/Makefile
index b01c24907e..939c54e386 100644
--- a/Makefile
+++ b/Makefile
@@ -259,7 +259,28 @@ build-test-oss-image:
 --build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO) \
 --build-arg BASE_IMAGE=$(BASE_IMAGE) \
 --build-arg ENTRY_POINT=./test/docker/entrypoint.sh
-
+
+.PHONY: build-rootless-oos-image
+build-rootless-oss-image: local-deb-package
+ $(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t nginx_agent_rootless_oss_$(IMAGE_TAG) . \
+ --no-cache -f ./test/docker/nginx-rootless-oss/deb/Dockerfile \
+ --target install-agent-local \
+ --build-arg PACKAGE_NAME=$(PACKAGE_NAME) \
+ --build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO) \
+ --build-arg BASE_IMAGE=$(BASE_IMAGE) \
+ --build-arg ENTRY_POINT=./test/docker/rootless-entrypoint.sh
+
+.PHONY: build-rootless-plus-image
+build-rootless-plus-image:
+ $(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t nginx_agent_rootless_plus_$(IMAGE_TAG) . \
+ --no-cache -f ./test/docker/nginx-rootless-plus/deb/Dockerfile \
+ --secret id=nginx-crt,src=$(CERTS_DIR)/nginx-repo.crt \
+ --secret id=nginx-key,src=$(CERTS_DIR)/nginx-repo.key \
+ --build-arg PACKAGE_NAME=$(PACKAGE_NAME) \
+ --build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO) \
+ --build-arg BASE_IMAGE=$(BASE_IMAGE) \
+ --build-arg ENTRY_POINT=./test/docker/rootless-entrypoint.sh
+
 .PHONY: build-mock-management-otel-collector-image
 build-mock-management-otel-collector-image: build-mock-management-otel-collector
 $(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t mock-collector . \
diff --git a/test/config/nginx/nginx-rootless-oss.conf b/test/config/nginx/nginx-rootless-oss.conf
new file mode 100644
index 0000000000..e1501da594
--- /dev/null
+++ b/test/config/nginx/nginx-rootless-oss.conf
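Review bot: `build-rootless-plus-image:` declares no prerequisite, although the Plus Dockerfile added in this patch copies `./build` and installs `/agent/build/$PACKAGE_NAME.deb`, so on a clean tree the image build fails and on a used tree it packages whatever stale .deb is left in `build/`. Give it the same prerequisite as the OSS target: `build-rootless-plus-image: local-deb-package`. The recipe also passes `--build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO)`, but the Plus Dockerfile only declares that ARG and never reads it in the lines shown, so the argument can be dropped.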
@@ -0,0 +1,56 @@
+pid /tmp/nginx.pid;
+worker_processes 1;
+error_log /var/log/nginx/error.log;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ proxy_temp_path /var/cache/nginx/proxy_temp;
+ client_body_temp_path /var/cache/nginx/client_temp;
+ fastcgi_temp_path /var/cache/nginx/fastcgi_temp;
+ uwsgi_temp_path /var/cache/nginx/uwsgi_temp;
+ scgi_temp_path /var/cache/nginx/scgi_temp;
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '"$bytes_sent" "$request_length" "$request_time" '
+ '"$gzip_ratio" $server_protocol ';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ keepalive_timeout 65;
+
+ server {
+ listen 8080;
+ server_name localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ ##
+ # Enable Metrics
+ ##
+ location /api {
+ stub_status;
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+}
+
diff --git a/test/config/nginx/nginx-rootless-plus.conf b/test/config/nginx/nginx-rootless-plus.conf
new file mode 100644
index 0000000000..c8cdb94aec
--- /dev/null
+++ b/test/config/nginx/nginx-rootless-plus.conf
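Review bot: `listen 8080;` is an unprivileged port, yet both rootless Dockerfiles in this patch run `setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx` and declare `EXPOSE 80 443`. The file capability is not needed for 8080 and leaves the nginx binary able to bind any port below 1024, which works against the least-privilege purpose of a rootless image. Either drop the `setcap` step (and the `libcap2-bin` install) and change the Dockerfiles to `EXPOSE 8080`, or, if the tests really need 80/443, change the `listen` directive so the capability has a purpose. `nginx-rootless-plus.conf` carries the same `listen 8080;`.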
@@ -0,0 +1,56 @@
+pid /tmp/nginx.pid;
+worker_processes 1;
+error_log /var/log/nginx/error.log;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ proxy_temp_path /var/cache/nginx/proxy_temp;
+ client_body_temp_path /var/cache/nginx/client_temp;
+ fastcgi_temp_path /var/cache/nginx/fastcgi_temp;
+ uwsgi_temp_path /var/cache/nginx/uwsgi_temp;
+ scgi_temp_path /var/cache/nginx/scgi_temp;
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '"$bytes_sent" "$request_length" "$request_time" '
+ '"$gzip_ratio" $server_protocol ';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ keepalive_timeout 65;
+
+ server {
+ listen 8080;
+ server_name localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ ##
+ # Enable Metrics
+ ##
+ location /api/ {
+ api write=on;
+ allow 127.0.0.1;
+ deny all;
+ status_zone my_location_zone1;
+ }
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+}
diff --git a/test/docker/nginx-rootless-oss/deb/Dockerfile b/test/docker/nginx-rootless-oss/deb/Dockerfile
new file mode 100644
index 0000000000..fe4a0d5ce1
--- /dev/null
+++ b/test/docker/nginx-rootless-oss/deb/Dockerfile
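Review bot: `api write=on;` in `location /api/` enables the state-changing methods of the NGINX Plus API (POST, PATCH, DELETE), not only the read-only metrics that the `# Enable Metrics` comment describes. The `allow 127.0.0.1; deny all;` pair keeps it on loopback, but every process inside the container can then change upstreams and key-value zones. If the agent tests only read from the API, use plain `api;`; if they do need writes, record that in the comment, e.g. `# write=on: agent tests modify upstreams through the API`.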
@@ -0,0 +1,94 @@ +# Dockerfile for running NGINX Agent with rootless user +ARG BASE_IMAGE +FROM ${BASE_IMAGE} as install-nginx-rootless +LABEL maintainer="NGINX Docker Maintainers " + +ARG DEBIAN_FRONTEND=noninteractive +ARG ENTRY_POINT +ARG PACKAGE_NAME +ARG PACKAGES_REPO + +WORKDIR /agent +COPY ./build /agent/build +COPY $ENTRY_POINT /agent/entrypoint.sh +RUN chmod +x /agent/entrypoint.sh + +# Install system dependencies and create nginx user +RUN set -x \ + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + ca-certificates \ + gnupg2 \ + curl \ + lsb-release \ + procps \ + nginx \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Create necessary directories and set permissions for nginx user +RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx/conf.d /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ + && chown -R nginx:nginx /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ + && chmod 755 /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ + && touch /var/lib/nginx/nginx.id || true + +# Copy custom nginx config for rootless setup +COPY ./test/config/nginx/nginx-rootless-oss.conf /etc/nginx/nginx.conf +RUN chown nginx:nginx /etc/nginx/nginx.conf \ + && chmod 644 /etc/nginx/nginx.conf + +# Grant CAP_NET_BIND_SERVICE to allow binding to privileged ports as non-root +RUN apt-get update && apt-get install -y libcap2-bin \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +STOPSIGNAL SIGTERM + +# Expose ports (80 for HTTP with capability, 443 for HTTPS with capability) +EXPOSE 80 443 + +# Switch 
to nginx user +USER nginx + +WORKDIR /etc/nginx-agent +ENTRYPOINT ["/agent/entrypoint.sh"] + +# Install agent from local package +FROM install-nginx-rootless as install-agent-local + +ARG PACKAGE_NAME + +USER root +RUN apt-get update && apt-get install -y /agent/build/$PACKAGE_NAME.deb \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Fix permissions for nginx agent config and directories +RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \ + && chmod 755 /etc/nginx-agent \ + && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent + +USER nginx + +# Install agent from repository +FROM install-nginx-rootless as install-agent-repo + +USER root + +RUN curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/ubuntu/ `lsb_release -cs` agent\n" > /etc/apt/sources.list.d/nginx-agent.list + +RUN apt-get update && apt-get install -y nginx-agent \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Fix permissions for nginx agent config and directories +RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \ + && chmod 755 /etc/nginx-agent \ + && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent + +USER nginx + diff --git a/test/docker/nginx-rootless-plus/deb/Dockerfile b/test/docker/nginx-rootless-plus/deb/Dockerfile new file mode 100644 index 0000000000..1e127ad652 --- /dev/null +++ b/test/docker/nginx-rootless-plus/deb/Dockerfile 
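Review bot: `RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 ...; fi` uses the bash-only `[[` test, but `RUN` executes under `/bin/sh`, which on Debian and Ubuntu bases is dash unless a `SHELL` instruction changes it (none is visible in this file). Under dash `[[` is reported as not found, the `if` takes no branch and still returns 0, so the `chmod 644` is silently skipped and the image keeps whatever mode the package set on the agent config. Write the test as `RUN if [ -f /etc/nginx-agent/nginx-agent.conf ]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \`. The construct appears in both the `install-agent-local` and `install-agent-repo` stages here and once more in `test/docker/nginx-rootless-plus/deb/Dockerfile`.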
@@ -0,0 +1,95 @@ +# Dockerfile for running NGINX Agent with NGINX Plus and rootless user +ARG BASE_IMAGE +FROM ${BASE_IMAGE} as install-nginx-plus-rootless +LABEL maintainer="NGINX Docker Maintainers " + +ARG DEBIAN_FRONTEND=noninteractive +ARG ENTRY_POINT +ARG PACKAGE_NAME +ARG PACKAGES_REPO + +WORKDIR /agent +COPY ./build /agent/build +COPY $ENTRY_POINT /agent/entrypoint.sh +RUN chmod +x /agent/entrypoint.sh + +ENV PLUS_VERSION=R32 + +RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \ + --mount=type=secret,id=nginx-key,dst=nginx-repo.key \ + set -x \ +# Create nginx user/group first, to be consistent throughout Docker variants + && groupadd --system --gid 101 nginx \ + && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --uid 101 nginx \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + ca-certificates \ + gpg \ + lsb-release \ + git \ + wget \ + make \ +# Install the latest release of NGINX Plus and/or NGINX Plus modules +# Uncomment individual modules if necessary +# Use versioned packages over defaults to specify a release + && nginxPackages=" \ + nginx-plus \ + " \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslCert \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \ + && echo "Acquire::https::pkgs.nginx.com::SslKey \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \ + && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/${PLUS_VERSION}/ubuntu/ `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ + && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \ + && mkdir -p /etc/ssl/nginx \ + && cat 
nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \ + && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + $nginxPackages \ + curl \ + gettext-base \ + jq \ + gnupg2 \ + && apt-get remove --purge -y lsb-release \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \ + && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx + + +# Copy custom nginx config for rootless setup +COPY ./test/config/nginx/nginx-rootless-plus.conf /etc/nginx/nginx.conf +RUN chown nginx:nginx /etc/nginx/nginx.conf \ + && chmod 644 /etc/nginx/nginx.conf + +# Create necessary directories and set permissions for nginx user +RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx/conf.d /var/log/nginx-agent /var/log/app_protect /etc/nginx-agent /etc/nginx/ssl \ + && chown -R nginx:nginx /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /var/log/app_protect /etc/nginx-agent /etc/nginx/ssl \ + && chmod 755 /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ + && touch /var/lib/nginx/nginx.id || true + +# Grant CAP_NET_BIND_SERVICE so nginx (running non-root) can bind privileged ports +RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN apt-get update && apt-get install -y /agent/build/$PACKAGE_NAME.deb \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Fix permissions for nginx agent config and directories +RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \ + && chmod 755 /etc/nginx-agent \ + && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent /var/lib/nginx 
/var/run/nginx + +STOPSIGNAL SIGTERM + +# Expose ports (80 for HTTP with capability, 443 for HTTPS with capability) +EXPOSE 80 443 + +# Switch to nginx user +USER nginx + +WORKDIR /etc/nginx-agent + +ENTRYPOINT ["/agent/entrypoint.sh"] diff --git a/test/docker/rootless-entrypoint.sh b/test/docker/rootless-entrypoint.sh new file mode 100644 index 0000000000..4c27484b6a --- /dev/null +++ b/test/docker/rootless-entrypoint.sh 
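Review bot: The first `apt-get install` adds `git`, `wget` and `make`, and nothing later removes them, so they ship in the runtime image; of the three only `wget` is used in the lines shown, to fetch the signing key. Because this is a single-stage build, purge them in the same `RUN`, e.g. `&& apt-get remove --purge -y lsb-release git wget make \`, unless the tests need them at run time, in which case a comment should say so. On the repository credentials, `cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt` makes a copy that the closing `rm -rf ... /etc/ssl/nginx` removes within the same layer; a comment stating that the copy and the removal must stay in one `RUN` would keep a later split from baking the key into a layer.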
@@ -0,0 +1,105 @@ +#!/bin/bash + +set -uxo pipefail + +handle_term() { + echo "received TERM signal" + echo "stopping nginx-agent ..." + kill -TERM "${agent_pid}" 2>/dev/null || true + wait "${agent_pid}" 2>/dev/null || true + echo "stopping nginx ..." + kill -TERM "${nginx_pid}" 2>/dev/null || true + wait "${nginx_pid}" 2>/dev/null || true + # stop app protect plugin if running + if [ -n "${plugin_pid:-}" ]; then + echo "stopping bd-socket-plugin ..." + kill -TERM "${plugin_pid}" 2>/dev/null || true + wait "${plugin_pid}" 2>/dev/null || true + fi +} + +handle_quit() { + echo "received QUIT signal" + echo "stopping nginx-agent ..." + kill -QUIT "${agent_pid}" 2>/dev/null || true + wait "${agent_pid}" 2>/dev/null || true + echo "stopping nginx ..." + kill -QUIT "${nginx_pid}" 2>/dev/null || true + wait "${nginx_pid}" 2>/dev/null || true + # stop app protect plugin if running + if [ -n "${plugin_pid:-}" ]; then + echo "stopping bd-socket-plugin ..." + kill -QUIT "${plugin_pid}" 2>/dev/null || true + wait "${plugin_pid}" 2>/dev/null || true + fi +} + +trap 'handle_term' TERM +trap 'handle_quit' QUIT + +set -e + +mkdir -p \ + /tmp/proxy_temp \ + /tmp/client_temp \ + /tmp/fastcgi_temp \ + /tmp/uwsgi_temp \ + /tmp/scgi_temp + +# Start App Protect plugin only if the binary exists (NGINX Plus) +if [ -x "/usr/share/ts/bin/bd-socket-plugin" ]; then + mkdir -p /var/log/app_protect + chown nginx:nginx /var/log/app_protect 2>/dev/null || true + echo "starting bd-socket-plugin as nginx user..." + /usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 307200000 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config >> /var/log/app_protect/bd-socket-plugin.log 2>&1 & + plugin_pid=$! + echo "Started bd-socket-plugin with PID ${plugin_pid}" +else + echo "bd-socket-plugin not found, skipping (this is expected for OSS builds)" +fi + +nginx -g "daemon off;" & +nginx_pid=$! 
+ +echo "Started nginx with PID $nginx_pid" + +timeout=30 +elapsed=0 + +while [ "$elapsed" -lt "$timeout" ]; do + if pgrep nginx >/dev/null 2>&1; then + echo "nginx is running" + break + fi + + sleep 1 + elapsed=$((elapsed + 1)) +done + +if [ "$elapsed" -ge "$timeout" ]; then + echo "nginx did not start within ${timeout}s" + exit 1 +fi + +cat /etc/nginx-agent/nginx-agent.conf; + +# start nginx-agent, pass args +echo "starting nginx-agent ..." +nginx-agent "$@" & + +agent_pid=$! + +if [ $? != 0 ]; then + echo "couldn't start the agent, please check the log file" + exit 1 +fi + +wait_term() +{ + wait ${agent_pid} + wait ${nginx_pid} +} + +wait_term + +echo "nginx-agent process has stopped, exiting." From 0e4623870871643074e77283385bb66101a15837 Mon Sep 17 00:00:00 2001 From: Karen Santana Date: Tue, 19 May 2026 15:20:48 +0100 Subject: [PATCH 2/4] Update dependencies --- api/grpc/mpi/v1/command_grpc.pb.go | 2 +- api/grpc/mpi/v1/files_grpc.pb.go | 2 +- go.sum | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/api/grpc/mpi/v1/command_grpc.pb.go b/api/grpc/mpi/v1/command_grpc.pb.go index 2efba7b3c2..fe7c799902 100644 --- a/api/grpc/mpi/v1/command_grpc.pb.go +++ b/api/grpc/mpi/v1/command_grpc.pb.go @@ -8,7 +8,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.6.1 +// - protoc-gen-go-grpc v1.6.2 // - protoc (unknown) // source: mpi/v1/command.proto diff --git a/api/grpc/mpi/v1/files_grpc.pb.go b/api/grpc/mpi/v1/files_grpc.pb.go index fec381a551..d5b8b3b5a7 100644 --- a/api/grpc/mpi/v1/files_grpc.pb.go +++ b/api/grpc/mpi/v1/files_grpc.pb.go @@ -5,7 +5,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.6.1 +// - protoc-gen-go-grpc v1.6.2 // - protoc (unknown) // source: mpi/v1/files.proto diff --git a/go.sum b/go.sum index 9a2bd05ad5..43e59c9fdf 100644 --- a/go.sum +++ b/go.sum 
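Review bot: `cat /etc/nginx-agent/nginx-agent.conf;` prints the whole agent configuration to the container's stdout on every start, in the same stream as the `set -x` trace. If that file carries a command-server token or another credential (its contents are not visible here), the value ends up in `docker logs` and in any CI log that captures container output. Drop the line or gate it behind an opt-in variable (the name is only a suggestion): `[ "${DEBUG_PRINT_CONFIG:-0}" = 1 ] && cat /etc/nginx-agent/nginx-agent.conf`. Separately, the `if [ $? != 0 ]` check after `agent_pid=$!` can never fire, because the assignment leaves `$?` at 0.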
@@ -221,8 +221,6 @@ github.com/foxboron/go-tpm-keyfiles v0.0.0-20251226215517-609e4778396f/go.mod h1 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= -github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fsnotify/fsnotify v1.10.1 h1:b0/UzAf9yR5rhf3RPm9gf3ehBPpf0oZKIjtpKrx59Ho= github.com/fsnotify/fsnotify v1.10.1/go.mod h1:TLheqan6HD6GBK6PrDWyDPBaEV8LspOxvPSjC+bVfgo= github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ= @@ -1083,8 +1081,6 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= -golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU= golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4= golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= From 3000b3eab852079a06121c66952225f36c1f9d88 Mon Sep 17 00:00:00 2001 From: Karen Santana Date: Fri, 22 May 2026 11:03:33 +0100 Subject: [PATCH 3/4] Remove permissions redundancy --- test/docker/nginx-rootless-oss/deb/Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/test/docker/nginx-rootless-oss/deb/Dockerfile b/test/docker/nginx-rootless-oss/deb/Dockerfile index fe4a0d5ce1..268b78efee 100644 --- a/test/docker/nginx-rootless-oss/deb/Dockerfile +++ b/test/docker/nginx-rootless-oss/deb/Dockerfile @@ -29,9 +29,9 @@ RUN set -x \ && rm -rf /var/lib/apt/lists/* # Create necessary directories and set permissions for nginx user -RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx/conf.d /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ - && chown -R nginx:nginx /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ - && chmod 755 /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \ +RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx/conf.d /etc/nginx/ssl \ + && chown -R nginx:nginx /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /etc/nginx/ssl \ + && chmod 755 /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /etc/nginx/ssl \ && touch /var/lib/nginx/nginx.id || true # Copy custom nginx config for rootless setup @@ -62,13 +62,14 @@ FROM install-nginx-rootless as install-agent-local ARG PACKAGE_NAME USER root + RUN apt-get update && apt-get install -y /agent/build/$PACKAGE_NAME.deb \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* # Fix permissions for nginx agent config and directories RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \ - && chmod 755 /etc/nginx-agent \ + && chmod 755 /etc/nginx-agent /var/log/nginx-agent \ && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent USER nginx 
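Review bot: After this change nothing in the Dockerfile creates `/var/log/nginx-agent`, while the reworked line `chmod 755 /etc/nginx-agent /var/log/nginx-agent` (in both the `install-agent-local` and `install-agent-repo` stages) now requires the directory to exist. That presumably holds because the nginx-agent package creates it, but the dependency is implicit and a packaging change would fail the `RUN`; a comment above it such as `# /var/log/nginx-agent and /var/lib/nginx-agent are created by the nginx-agent package` would record the assumption. `test/docker/nginx-rootless-plus/deb/Dockerfile` from patch 1/4 still creates and chowns the agent directories in its own `mkdir` step, so the two images now differ and are worth aligning if the redundancy argument applies there too.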
@@ -87,8 +88,7 @@ RUN apt-get update && apt-get install -y nginx-agent \ # Fix permissions for nginx agent config and directories RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \ - && chmod 755 /etc/nginx-agent \ + && chmod 755 /etc/nginx-agent /var/log/nginx-agent \ && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent USER nginx - From f7112dfa25c7b0cade3b7e67bc4d41a47340f3ee Mon Sep 17 00:00:00 2001 From: Karen Santana Date: Tue, 26 May 2026 14:43:11 +0100 Subject: [PATCH 4/4] Fix typo --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 939c54e386..3edbde6025 100644 --- a/Makefile +++ b/Makefile @@ -260,7 +260,7 @@ build-test-oss-image: --build-arg BASE_IMAGE=$(BASE_IMAGE) \ --build-arg ENTRY_POINT=./test/docker/entrypoint.sh -.PHONY: build-rootless-oos-image +.PHONY: build-rootless-oss-image build-rootless-oss-image: local-deb-package $(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t nginx_agent_rootless_oss_$(IMAGE_TAG) . \ --no-cache -f ./test/docker/nginx-rootless-oss/deb/Dockerfile \