-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Alpine Linux, multistage build #37
Conversation
RUN apt-get update && apt-get -y upgrade && \ | ||
apt-get install -y wget libpcre3-dev build-essential libssl-dev zlib1g-dev && \ | ||
rm -rf /var/lib/apt/lists/* | ||
ARG NGINX_VER='1.22.1' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having to maintain the latest nginx version is what led to the currently outdated nginx version in the current code. Having the version hardcoded in a variable is not a big improvement for maintainability over the current state of having it in the URL below. In both cases, the repo here has to be updated for every nginx release.
Could the official nginx:latest
docker image be used as base, instead of having the specific version in the source code here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Compare #23
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason I moved the nginx version to an ARG is because it is referenced in multiple places, so declaring it as a variable will make it less likely to be missed somewhere when it is changed. This also resulted in more general commands. For instance, rm -rf nginx-1.*
was used to clean up, but this would fail once nginx 2.X was used, whereas rm -rf "nginx-${NGINX_VER}*"
will have the intended effect regardless of nginx version.
As for using nginx:latest
, there are several reasons not to do this. First, it is considered best practice to pin a specific version, or at least a major version. Otherwise, builds could start failing for users when a new major version is released. Second, it looks like this project is using a build option (--with-ipv6
) for nginx that is not used in the official image, and the official image includes many build options that are not needed by this project. Finally, LibreSSL has advantages over OpenSSL, and using the official image would confine the project to using OpenSSL.
You are correct that pinning the version requires manual changes for updates, but this is usually preferable to using the latest tag, and it would be possible to use something like GitHub Actions to automatically make a PR when a new version of nginx is released. That way we could get the best of both worlds.
RUN apt-get update && apt-get -y upgrade && \ | ||
apt-get install -y wget libpcre3-dev build-essential libssl-dev zlib1g-dev && \ | ||
rm -rf /var/lib/apt/lists/* | ||
ARG NGINX_VER='1.22.1' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
Use Dependabot to keep images in dockerfiles up-to-date.
create dependabot.yml
specify directories
Thanks for the PR! We've switched to just using the upstream nginx alpine image in #45 |
These changes result in a much smaller image with fewer known security vulnerabilities (see screenshot), and compile nginx with LibreSSL. I also made some readability changes and modified the init script to allow for non-interactive use.
I have successfully sent messages through the proxy using these changes.
Thank you for your work on this. I hope these changes are useful to your efforts.