Migrate to alpine linux

images/nginx/Makefile

@@ -32,9 +32,6 @@ IMGNAME = nginx
 IMAGE = $(REGISTRY)/$(IMGNAME)
 MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
 
-# Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/debian-base-$(ARCH):0.1
-
 ifeq ($(ARCH),arm)
 	QEMUARCH=arm
 endif
@@ -62,7 +59,6 @@ all-push: $(addprefix sub-push-,$(ALL_ARCH))
 container: .container-$(ARCH)
 .container-$(ARCH):
 	cp -r ./rootfs/* $(TEMP_DIR)
-	cd $(TEMP_DIR) && $(SED_I) 's|BASEIMAGE|$(BASEIMAGE)|g' Dockerfile
 	cd $(TEMP_DIR) && $(SED_I) "s|ARCH|$(QEMUARCH)|g" Dockerfile
 
 ifeq ($(ARCH),amd64)

images/nginx/README.md

@@ -1,6 +1,4 @@
-OpenResty base image using [debian-base](https://quay.io/kubernetes-ingress-controller/debian-base-amd64)
+NGINX base image using [alpine](https://www.alpinelinux.org/)
-
-OpenResty® is a dynamic web platform based on NGINX and LuaJIT.
 
 This custom image contains:
 
@@ -20,7 +18,7 @@ This image provides a default configuration file with no backend servers.
 _Using docker_
 
 ```console
-docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro quay.io/kubernetes-ingress-controller/nginx:0.90
+docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro quay.io/kubernetes-ingress-controller/nginx:0.95
 ```
 
 _Creating a replication controller_

images/nginx/rc.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginxsvc
+  name: nginx
   labels:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
@@ -38,7 +38,7 @@ spec:
     spec:
       containers:
         - name: nginx
-          image: quay.io/kubernetes-ingress-controller/nginx:0.90
+          image: quay.io/kubernetes-ingress-controller/nginx:0.95
           ports:
             - containerPort: 80
             - containerPort: 443

images/nginx/rootfs/Dockerfile

@@ -13,18 +13,17 @@
 # limitations under the License.
 
 
-FROM BASEIMAGE as builder
+FROM alpine:3.11 as builder
 
 CROSS_BUILD_COPY qemu-ARCH-static /usr/bin/
 
-RUN clean-install bash
-
 COPY . /
 
-RUN /build.sh
+RUN apk add -U bash \
+  && /build.sh
 
 # Use a multi-stage build
-FROM BASEIMAGE
+FROM alpine:3.11
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 
@@ -33,33 +32,29 @@ ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
 
 COPY --from=builder /usr/local /usr/local
 COPY --from=builder /opt /opt
-COPY --chown=www-data:www-data --from=builder /etc/nginx /etc/nginx
+COPY --from=builder /etc/nginx /etc/nginx
 
-RUN apt-get update && apt-get dist-upgrade -y \
+RUN apk add -U --no-cache \
-  && clean-install \
     bash \
-    curl ca-certificates \
-    libgeoip1 \
-    patch \
-    libpcre3 \
-    zlib1g \
-    libaio1 \
     openssl \
-    util-linux \
+    pcre \
-    lmdb-utils \
+    zlib \
-    libcurl4 \
+    geoip \
-    libprotobuf17 \
+    curl ca-certificates \
-    libz3-4 \
+    patch \
-    procps \
+    yajl \
-    libxml2 libpcre++0v5 \
+    lmdb \
-    liblmdb0 \
+    libxml2 \
-    libmaxminddb0 \
+    libmaxminddb \
+    yaml-cpp \
     dumb-init \
     nano \
-    libyaml-cpp0.6 \
+    tzdata \
-    libyajl2 \
   && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
   && ln -s /usr/local/lib/mimalloc-1.2/libmimalloc.so /usr/local/lib/libmimalloc.so \
+  && addgroup -Sg 101 www-data \
+  && adduser -S -D -H -u 101 -h /usr/local/nginx \
+    -s /sbin/nologin -G www-data -g www-data www-data \
   && bash -eu -c ' \
   writeDirs=( \
     /var/log/nginx \

images/nginx/rootfs/build.sh

@@ -67,47 +67,47 @@ get_src()
   rm -rf "$f"
 }
 
-apt-get update && apt-get dist-upgrade -y
+apk update
+apk upgrade
 
 # install required packages to build
-clean-install \
+apk add \
   bash \
-  build-essential \
+  gcc \
+  clang \
+  libc-dev \
+  make \
+  automake \
+  openssl-dev \
+  pcre-dev \
+  zlib-dev \
+  linux-headers \
+  libxslt-dev \
+  gd-dev \
+  geoip-dev \
+  perl-dev \
+  libedit-dev \
+  mercurial \
+  alpine-sdk \
+  findutils \
   curl ca-certificates \
-  libgeoip1 \
+  geoip-dev \
-  libgeoip-dev \
   patch \
-  libpcre3 \
-  libpcre3-dev \
-  libssl-dev \
-  zlib1g \
-  zlib1g-dev \
-  libaio1 \
   libaio-dev \
   openssl \
-  libperl-dev \
   cmake \
   util-linux \
-  lmdb-utils \
+  lmdb-tools \
   wget \
-  libcurl4-openssl-dev \
+  curl-dev \
-  libprotobuf-dev protobuf-compiler \
+  libprotobuf \
-  libz-dev \
+  git g++ pkgconf flex bison doxygen yajl-dev lmdb-dev libtool autoconf libxml2 pcre-dev libxml2-dev \
-  git g++ pkgconf flex bison doxygen libyajl-dev liblmdb-dev libtool dh-autoreconf libxml2 libpcre++-dev libxml2-dev \
   python \
   libmaxminddb-dev \
   bc \
   unzip \
   dos2unix mercurial \
-  libyaml-cpp0.6 \
+  yaml-cpp
-  || exit 1
-
-# https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1667178.html
-if [[ ${ARCH} == "armv7l" ]]; then
-  echo "Fixing ca-certificates"
-  touch /etc/ssl/certs/ca-certificates.crt
-  c_rehash
-fi
 
 mkdir -p /etc/nginx
 
@@ -229,18 +229,6 @@ cd "$BUILD_PATH/luajit2-$LUAJIT_VERSION"
 make CCDEBUG=-g
 make install
 
-if [[ ${ARCH} == "armv7l" ]]; then
-  export PCRE_DIR=/usr/lib/arm-linux-gnueabihf
-fi
-
-if [[ ${ARCH} == "x86_64" ]]; then
-  export PCRE_DIR=/usr/lib/x86_64-linux-gnu
-fi
-
-if [[ ${ARCH} == "aarch64" ]]; then
-  export PCRE_DIR=/usr/lib/aarch64-linux-gnu
-fi
-
 cd "$BUILD_PATH"
 
 # install openresty-gdb-utils
@@ -554,7 +542,7 @@ export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1
 ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1
 
 if [[ ${ARCH} != "armv7l" ]]; then
-  luarocks install lrexlib-pcre 2.7.2-1 PCRE_LIBDIR=${PCRE_DIR}
+  luarocks install lrexlib-pcre 2.7.2-1
 fi
 
 cd "$BUILD_PATH/lua-resty-core-$LUA_RESTY_CORE"
@@ -583,7 +571,6 @@ make install
 cd "$BUILD_PATH/lua-resty-string-0.11"
 make install
 
-
 # build Lua bridge tracer
 cd "$BUILD_PATH/lua-bridge-tracer-$LUA_BRIDGE_TRACER_VERSION"
 mkdir .build
@@ -613,6 +600,9 @@ writeDirs=( \
   /var/log/nginx \
 );
 
+addgroup -Sg 101 www-data
+adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
+
 for dir in "${writeDirs[@]}"; do
   mkdir -p ${dir};
   chown -R www-data.www-data ${dir};