nginx · karensantana · May 19, 2026 · May 19, 2026 · May 22, 2026 · May 26, 2026
@@ -259,7 +259,28 @@ build-test-oss-image:
 		--build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO) \
 		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
 		--build-arg ENTRY_POINT=./test/docker/entrypoint.sh
-
+
+.PHONY: build-rootless-oos-image
+build-rootless-oss-image: local-deb-package
+	$(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t nginx_agent_rootless_oss_$(IMAGE_TAG) . \
+		--no-cache -f ./test/docker/nginx-rootless-oss/deb/Dockerfile \
+		--target install-agent-local \
+		--build-arg PACKAGE_NAME=$(PACKAGE_NAME) \
+		--build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO) \
+		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
+		--build-arg ENTRY_POINT=./test/docker/rootless-entrypoint.sh
+
+.PHONY: build-rootless-plus-image
+build-rootless-plus-image:
+	$(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t nginx_agent_rootless_plus_$(IMAGE_TAG) . \
+		--no-cache -f ./test/docker/nginx-rootless-plus/deb/Dockerfile \
+		--secret id=nginx-crt,src=$(CERTS_DIR)/nginx-repo.crt \
+		--secret id=nginx-key,src=$(CERTS_DIR)/nginx-repo.key \
+		--build-arg PACKAGE_NAME=$(PACKAGE_NAME) \
+		--build-arg PACKAGES_REPO=$(OSS_PACKAGES_REPO) \
+		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
+		--build-arg ENTRY_POINT=./test/docker/rootless-entrypoint.sh
+
 .PHONY: build-mock-management-otel-collector-image
 build-mock-management-otel-collector-image: build-mock-management-otel-collector
 	$(CONTAINER_BUILDENV) $(CONTAINER_CLITOOL) build -t mock-collector . \

@@ -221,8 +221,6 @@ github.com/foxboron/go-tpm-keyfiles v0.0.0-20251226215517-609e4778396f/go.mod h1
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
-github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fsnotify/fsnotify v1.10.1 h1:b0/UzAf9yR5rhf3RPm9gf3ehBPpf0oZKIjtpKrx59Ho=
 github.com/fsnotify/fsnotify v1.10.1/go.mod h1:TLheqan6HD6GBK6PrDWyDPBaEV8LspOxvPSjC+bVfgo=
 github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
@@ -1083,8 +1081,6 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
 golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

@@ -0,0 +1,56 @@
+pid /tmp/nginx.pid;
+worker_processes  1;
+error_log  /var/log/nginx/error.log;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    proxy_temp_path       /var/cache/nginx/proxy_temp;
+    client_body_temp_path /var/cache/nginx/client_temp;
+    fastcgi_temp_path     /var/cache/nginx/fastcgi_temp;
+    uwsgi_temp_path       /var/cache/nginx/uwsgi_temp;
+    scgi_temp_path        /var/cache/nginx/scgi_temp;
+
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for" '
+                  '"$bytes_sent" "$request_length" "$request_time" '
+                  '"$gzip_ratio" $server_protocol ';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen       8080;
+        server_name  localhost;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        ##
+        # Enable Metrics
+        ##
+        location /api {
+            stub_status;
+            allow 127.0.0.1;
+            deny all;
+        }
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}
+
@@ -0,0 +1,56 @@
+pid /tmp/nginx.pid;
+worker_processes  1;
+error_log  /var/log/nginx/error.log;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    proxy_temp_path       /var/cache/nginx/proxy_temp;
+    client_body_temp_path /var/cache/nginx/client_temp;
+    fastcgi_temp_path     /var/cache/nginx/fastcgi_temp;
+    uwsgi_temp_path       /var/cache/nginx/uwsgi_temp;
+    scgi_temp_path        /var/cache/nginx/scgi_temp;
+
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for" '
+                  '"$bytes_sent" "$request_length" "$request_time" '
+                  '"$gzip_ratio" $server_protocol ';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen       8080;
+        server_name  localhost;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        ##
+        # Enable Metrics
+        ##
+        location /api/ {
+            api write=on;
+            allow 127.0.0.1;
+            deny all;
+            status_zone my_location_zone1;
+        }
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}
@@ -0,0 +1,94 @@
+# Dockerfile for running NGINX Agent with rootless user
+ARG BASE_IMAGE
+FROM ${BASE_IMAGE} as install-nginx-rootless
+LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG ENTRY_POINT
+ARG PACKAGE_NAME
+ARG PACKAGES_REPO
+
+WORKDIR /agent
+COPY ./build /agent/build
+COPY $ENTRY_POINT /agent/entrypoint.sh
+RUN chmod +x /agent/entrypoint.sh
+
+# Install system dependencies and create nginx user
+RUN set -x \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+        ca-certificates \
+        gnupg2 \
+        curl \
+        lsb-release \
+        procps \
+        nginx \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create necessary directories and set permissions for nginx user
+RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx/conf.d /etc/nginx/ssl \
+    && chown -R nginx:nginx /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx  /etc/nginx/ssl \
+    && chmod 755 /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /etc/nginx/ssl \
+    && touch /var/lib/nginx/nginx.id || true
+
+# Copy custom nginx config for rootless setup
+COPY ./test/config/nginx/nginx-rootless-oss.conf /etc/nginx/nginx.conf
+RUN chown nginx:nginx /etc/nginx/nginx.conf \
+    && chmod 644 /etc/nginx/nginx.conf
+
+# Grant CAP_NET_BIND_SERVICE to allow binding to privileged ports as non-root
+RUN apt-get update && apt-get install -y libcap2-bin \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+STOPSIGNAL SIGTERM
+
+# Expose ports (80 for HTTP with capability, 443 for HTTPS with capability)
+EXPOSE 80 443
+
+# Switch to nginx user
+USER nginx
+
+WORKDIR /etc/nginx-agent
+ENTRYPOINT ["/agent/entrypoint.sh"]
+
+# Install agent from local package
+FROM install-nginx-rootless as install-agent-local
+
+ARG PACKAGE_NAME
+
+USER root
+
+RUN apt-get update && apt-get install -y /agent/build/$PACKAGE_NAME.deb \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Fix permissions for nginx agent config and directories
+RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \
+    && chmod 755 /etc/nginx-agent /var/log/nginx-agent \
+    && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent
+
+USER nginx
+
+# Install agent from repository
+FROM install-nginx-rootless as install-agent-repo
+
+USER root
+
+RUN curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
+    && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/ubuntu/ `lsb_release -cs` agent\n" > /etc/apt/sources.list.d/nginx-agent.list
+
+RUN apt-get update && apt-get install -y nginx-agent \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Fix permissions for nginx agent config and directories
+RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \
+    && chmod 755 /etc/nginx-agent /var/log/nginx-agent \
+    && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent
+
+USER nginx
@@ -0,0 +1,95 @@
+# Dockerfile for running NGINX Agent with NGINX Plus and rootless user
+ARG BASE_IMAGE
+FROM ${BASE_IMAGE} as install-nginx-plus-rootless
+LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG ENTRY_POINT
+ARG PACKAGE_NAME
+ARG PACKAGES_REPO
+
+WORKDIR /agent
+COPY ./build /agent/build
+COPY $ENTRY_POINT /agent/entrypoint.sh
+RUN chmod +x /agent/entrypoint.sh
+
+ENV PLUS_VERSION=R32
+
+RUN --mount=type=secret,id=nginx-crt,dst=nginx-repo.crt \
+    --mount=type=secret,id=nginx-key,dst=nginx-repo.key \
+    set -x \
+# Create nginx user/group first, to be consistent throughout Docker variants
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --uid 101 nginx \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+                        ca-certificates \
+                        gpg \
+                        lsb-release \
+                        git \
+                        wget \
+                        make \
+# Install the latest release of NGINX Plus and/or NGINX Plus modules
+# Uncomment individual modules if necessary
+# Use versioned packages over defaults to specify a release
+    && nginxPackages=" \
+        nginx-plus \
+    " \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Peer \"true\";" > /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90nginx \
+    && echo "Acquire::https::pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
+    && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/${PLUS_VERSION}/ubuntu/ `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
+    && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
+    && mkdir -p /etc/ssl/nginx \
+    && cat nginx-repo.crt > /etc/ssl/nginx/nginx-repo.crt \
+    && cat nginx-repo.key > /etc/ssl/nginx/nginx-repo.key \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+                        $nginxPackages \
+                        curl \
+                        gettext-base \
+                        jq \
+                        gnupg2 \
+    && apt-get remove --purge -y lsb-release \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx-plus.list \
+    && rm -rf /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx 
+
+
+# Copy custom nginx config for rootless setup
+COPY ./test/config/nginx/nginx-rootless-plus.conf /etc/nginx/nginx.conf
+RUN chown nginx:nginx /etc/nginx/nginx.conf \
+    && chmod 644 /etc/nginx/nginx.conf
+
+# Create necessary directories and set permissions for nginx user
+RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx/conf.d /var/log/nginx-agent /var/log/app_protect /etc/nginx-agent /etc/nginx/ssl \
+    && chown -R nginx:nginx /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /var/log/app_protect /etc/nginx-agent /etc/nginx/ssl \
+    && chmod 755 /var/log/nginx /var/cache/nginx /var/run/nginx /var/lib/nginx /etc/nginx /var/log/nginx-agent /etc/nginx-agent /etc/nginx/ssl \
+    && touch /var/lib/nginx/nginx.id || true
+
+# Grant CAP_NET_BIND_SERVICE so nginx (running non-root) can bind privileged ports
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN apt-get update && apt-get install -y /agent/build/$PACKAGE_NAME.deb \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Fix permissions for nginx agent config and directories
+RUN if [[ -f /etc/nginx-agent/nginx-agent.conf ]]; then chmod 644 /etc/nginx-agent/nginx-agent.conf; fi \
+    && chmod 755 /etc/nginx-agent \
+    && chown -R nginx:nginx /etc/nginx-agent /var/log/nginx-agent /var/lib/nginx-agent /var/lib/nginx /var/run/nginx
+
+STOPSIGNAL SIGTERM
+
+# Expose ports (80 for HTTP with capability, 443 for HTTPS with capability)
+EXPOSE 80 443
+
+# Switch to nginx user
+USER nginx
+
+WORKDIR /etc/nginx-agent
+
+ENTRYPOINT ["/agent/entrypoint.sh"]