-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathDockerfile-ubuntu-22.04
70 lines (56 loc) · 2.16 KB
/
Dockerfile-ubuntu-22.04
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
FROM behance/docker-base:5.1.0-ubuntu-22.04 AS base
### Stage 1 - add/remove packages ###
# Ensure scripts are available for use in next command
COPY ./container/root/scripts/* /scripts/
# Env vars used during the build process
ENV CONTAINER_PORT=8080 \
CONF_NGINX_SITE="/etc/nginx/sites-available/default" \
NOT_ROOT_USER=www-data
# - Update security packages, plus ca-certificates required for https
# - Install nginx
# - Install njs
RUN /bin/bash -e /security_updates.sh && \
/bin/bash -e /scripts/install_nginx.sh && \
/bin/bash -e /scripts/install_njs.sh
# Overlay the root filesystem from this repo
COPY --chown=www-data ./container/root /
# Set nginx to listen on defined port
#
# NOTE: order of operations is important, new config had to already installed
# from repo (above)
#
# - Make temp directory for .nginx runtime files
# - Fix woff mime type support
# - Set permissions to allow image to be run under a non root user
RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \
mkdir /tmp/.nginx && \
/bin/bash -e /scripts/fix_woff_support.sh && \
/bin/bash -e /scripts/set_permissions.sh
# Clean up
RUN /bin/bash -e /scripts/cleanup.sh && \
/bin/bash -e /clean.sh
### Stage 2 --- collapse layers ###
FROM scratch
COPY --from=base / .
# Using a non-privileged port to prevent having to use setcap internally
EXPOSE ${CONTAINER_PORT}
# Env vars used during runtime
ENV CONTAINER_ROLE=web \
CONTAINER_PORT=8080 \
CONF_NGINX_SITE="/etc/nginx/sites-available/default" \
CONF_NGINX_SERVER="/etc/nginx/nginx.conf" \
NOT_ROOT_USER=www-data
# Use in multi-phase builds, when an init process requests for the container
# to gracefully exit, so that it may be committed
#
# Used with alternative CMD (worker.sh), leverages supervisor to maintain
# long-running processes
ENV SIGNAL_BUILD_STOP=99 \
S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
S6_KILL_FINISH_MAXTIME=55000 \
S6_KILL_GRACETIME=3000
RUN goss -g /tests/ubuntu/nginx.goss.yaml validate && \
/aufs_hack.sh
# NOTE: intentionally NOT using s6 init as the entrypoint
# This would prevent container debugging if any of those service crash
CMD ["/bin/bash", "/run.sh"]