From 752b805458ec0ca738638479d0b2acc71e6d3df0 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Thu, 9 Dec 2021 12:41:30 +0100 Subject: [PATCH 01/23] hardcode for testing --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a0fd4a57..13f00c08 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic # Build stage -FROM ${BUILDER_ROOTFS_IMAGE} AS builder +FROM mendix/rootfs:bionic AS builder # Build-time variables ARG BUILD_PATH=project @@ -76,7 +76,7 @@ RUN mkdir -p /tmp/buildcache /var/mendix/build /var/mendix/build/.local &&\ chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\ chmod -R g=u /opt/mendix /var/mendix -FROM ${ROOTFS_IMAGE} +FROM mendix/rootfs:ubi8 LABEL Author="Mendix Digital Ecosystems" LABEL maintainer="digitalecosystems@mendix.com" From 307c2e285f7008f40f254317314bb2050751206d Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Thu, 9 Dec 2021 12:51:34 +0100 Subject: [PATCH 02/23] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 13f00c08..575c1c29 100644 --- a/Dockerfile +++ b/Dockerfile @@ -76,7 +76,7 @@ RUN mkdir -p /tmp/buildcache /var/mendix/build /var/mendix/build/.local &&\ chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\ chmod -R g=u /opt/mendix /var/mendix -FROM mendix/rootfs:ubi8 +FROM mendix/rootfs:bionic LABEL Author="Mendix Digital Ecosystems" LABEL maintainer="digitalecosystems@mendix.com" From 5e3bb017b31e38a04adbff332b0fe41d5bea6a49 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Thu, 9 Dec 2021 12:53:50 +0100 Subject: [PATCH 03/23] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
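Review bot: Hardcoding `FROM mendix/rootfs:bionic AS builder` and `FROM mendix/rootfs:ubi8` leaves `ARG ROOTFS_IMAGE` and `ARG BUILDER_ROOTFS_IMAGE` declared but no longer read by either `FROM` in this patch. A pipeline that passes `--build-arg ROOTFS_IMAGE=…` to select a vetted base would therefore build from the literal tag with no error to signal it. Patches 02–04 flip the same two lines back and forth, and patch 05 moves the ARGs below the first `FROM`, where they are scoped to the builder stage only. If the literals must stay for OCP3 (the reason given in patch 05's subject), I would delete the dead ARGs and pin each base by digest, since both tags are mutable: `FROM mendix/rootfs:ubi8@sha256:<digest-placeholder>`.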
diff --git a/Dockerfile b/Dockerfile index 575c1c29..1f81e3d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic # Build stage -FROM mendix/rootfs:bionic AS builder +FROM mendix/rootfs:ubi8 AS builder # Build-time variables ARG BUILD_PATH=project @@ -76,7 +76,7 @@ RUN mkdir -p /tmp/buildcache /var/mendix/build /var/mendix/build/.local &&\ chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\ chmod -R g=u /opt/mendix /var/mendix -FROM mendix/rootfs:bionic +FROM mendix/rootfs:ubi8 LABEL Author="Mendix Digital Ecosystems" LABEL maintainer="digitalecosystems@mendix.com" From e986626612150377efa44128c2a7168676616627 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Thu, 9 Dec 2021 13:12:11 +0100 Subject: [PATCH 04/23] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 1f81e3d7..13f00c08 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic # Build stage -FROM mendix/rootfs:ubi8 AS builder +FROM mendix/rootfs:bionic AS builder # Build-time variables ARG BUILD_PATH=project From c9ecc08bd5a394132b01dd2af94fbe90ddefd0a2 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Thu, 9 Dec 2021 13:41:11 +0100 Subject: [PATCH 05/23] update dockerfile to reflect ocp3 move ARG under FROM --- Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 13f00c08..639f26d3 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,12 +3,14 @@ # # Author: Mendix Digital Ecosystems, digitalecosystems@mendix.com # Version: 2.1.0 -ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 -ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic # Build stage FROM mendix/rootfs:bionic AS builder +// move down for ocp3 (have builder first) +ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 +ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic + # Build-time variables ARG BUILD_PATH=project ARG DD_API_KEY From e914052468910a32e65460f2d5f441bda7f0e67e Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Thu, 9 Dec 2021 13:44:33 +0100 Subject: [PATCH 06/23] comment with# instead of // --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 639f26d3..efd416b1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ # Build stage FROM mendix/rootfs:bionic AS builder -// move down for ocp3 (have builder first) +# (cut) move down for ocp3 (have builder first) ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic From c331ae3f7fa44e3f529623111d75e83a583148a5 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 10:09:35 +0100 Subject: [PATCH 07/23] nginx rights --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index efd416b1..0592830c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -119,6 +119,7 @@ RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\ RUN chmod +rx /opt/mendix/build/startup &&\ chown -R ${USER_UID}:0 /opt/mendix &&\ chmod -R g=u /opt/mendix &&\ + chmod -R g=u /usr/sbin/nginx &&\ ln -s /opt/mendix/.java /root USER ${USER_UID} From 62906d7c6d1f03ce7b08624da70490a27a42a9ae Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 10:18:29 +0100 Subject: [PATCH 08/23] force delete -pid --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) 
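Review bot: In the `@@ -119,6 +119,7 @@` hunk of patch 07, `chmod -R g=u /usr/sbin/nginx` copies the owner's permission bits to the group on the nginx executable itself. If that file is owner-writable in the base image (its mode is not shown here), group 0 gains write access to a binary the container runs. The surrounding `chown -R ${USER_UID}:0` lines suggest the runtime user is expected to be in group 0, so the running process could then replace its own server binary. Running nginx as non-root needs write access only to the paths it writes (pid file, logs, temp directories), so I would drop this line and grant `g=u` on those paths instead.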
diff --git a/Dockerfile b/Dockerfile index 0592830c..e853c62c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -121,6 +121,8 @@ RUN chmod +rx /opt/mendix/build/startup &&\ chmod -R g=u /opt/mendix &&\ chmod -R g=u /usr/sbin/nginx &&\ ln -s /opt/mendix/.java /root + +RUN rm /run/nginx.pid || true USER ${USER_UID} From 69ff212b998f8f81c27f6a4634b6c5b333a537f9 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 10:35:11 +0100 Subject: [PATCH 09/23] nginx 777 : 1001 --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e853c62c..91772033 100644 --- a/Dockerfile +++ b/Dockerfile @@ -118,8 +118,9 @@ RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\ # 4. Ensure that running Java 8 as root will still be able to load offline licenses RUN chmod +rx /opt/mendix/build/startup &&\ chown -R ${USER_UID}:0 /opt/mendix &&\ - chmod -R g=u /opt/mendix &&\ - chmod -R g=u /usr/sbin/nginx &&\ + chown -R ${USER_UID}:0 /etc/nginx &&\ + chmod -R 777 /opt/mendix &&\ + chmod -R 777 /etc/nginx &&\ ln -s /opt/mendix/.java /root RUN rm /run/nginx.pid || true From 8d811b0fcd47d31d602c02b17eb96b1deef4fb85 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 10:44:19 +0100 Subject: [PATCH 10/23] remove nginx user --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 91772033..572dfb2c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -125,6 +125,8 @@ RUN chmod +rx /opt/mendix/build/startup &&\ RUN rm /run/nginx.pid || true +RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf + USER ${USER_UID} # Copy jre from build container From fd89d1107a5a726af66104317abc818d9c26182f Mon Sep 17 00:00:00 2001 
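Review bot: In patch 09, `chmod -R 777 /opt/mendix` and `chmod -R 777 /etc/nginx` make the startup script, the buildpack code under `/opt/mendix` and the whole nginx configuration writable by every UID in the container, which is much wider than the `chmod -R g=u` they replace. The `chown -R ${USER_UID}:0` lines already hand ownership to the runtime user and group 0, so `chmod -R g=u /opt/mendix` is sufficient for a platform that assigns an arbitrary UID in group 0 and keeps write away from "other". Patch 18 applies the same mode to `/run/nginx.pid`, and `chmod -R 777 /opt/mendix` is still present as an unchanged context line in patch 23, so it survives the later cleanup. For nginx, group write is needed only on the files it writes at runtime, not on all of `/etc/nginx`.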
From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 11:52:28 +0100 Subject: [PATCH 11/23] =?UTF-8?q?=C2=B4debug=20nginx=20conf=20user=20chang?= =?UTF-8?q?e?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 572dfb2c..cf4f67f8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -125,7 +125,7 @@ RUN chmod +rx /opt/mendix/build/startup &&\ RUN rm /run/nginx.pid || true -RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf +RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf USER ${USER_UID} From 1c0b4a92e774d71ed84c88eb9d918e1ff43ef375 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 13:22:50 +0100 Subject: [PATCH 12/23] add netstat for debugging --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index cf4f67f8..a8a3fd95 100644 --- a/Dockerfile +++ b/Dockerfile @@ -127,6 +127,8 @@ RUN rm /run/nginx.pid || true RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf +RUN apt install net-tools + USER ${USER_UID} # Copy jre from build container From a81bf308816609e35744a783f443773180d0f4ff Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 13:27:19 +0100 Subject: [PATCH 13/23] yum - we are on ubi8 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a8a3fd95..069b14a8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -127,7 +127,7 @@ RUN rm /run/nginx.pid || true RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf -RUN apt install net-tools +RUN yum install net-tools USER ${USER_UID} From 0e57252d678e0d7f34f80542908d6c1835c4e516 Mon Sep 17 00:00:00 2001 
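Review bot: `RUN apt install net-tools` in patch 12 puts a diagnostic package into the runtime stage, and nothing later in the series removes it: patch 13 switches to `yum`, patch 15 to `yum -y install net-tools`, and patches 19 and 21 only label it as temporary. As written here it also has no `-y`, so it waits for confirmation in a non-interactive build, which matches the hang reported in patch 14. Debug tooling widens what is available inside a compromised container, so I would keep it out of the shipped image, for example in a separate debug stage. If it does stay, `RUN yum -y install net-tools && yum clean all` in one layer at least avoids leaving the package cache behind.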
From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 13:33:17 +0100 Subject: [PATCH 14/23] revert netstat install --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 069b14a8..25950f21 100644 --- a/Dockerfile +++ b/Dockerfile @@ -127,7 +127,8 @@ RUN rm /run/nginx.pid || true RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf -RUN yum install net-tools +# makes the build hang, so no netstat +# RUN yum install net-tools USER ${USER_UID} From c2e35e89c2f18f283780495e17a285da178f1aa1 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 13:34:38 +0100 Subject: [PATCH 15/23] force y on yum install --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 25950f21..fdaa3e6e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -127,8 +127,7 @@ RUN rm /run/nginx.pid || true RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf -# makes the build hang, so no netstat -# RUN yum install net-tools +RUN yum -y install net-tools USER ${USER_UID} From 1cde9982228bb96cfb663da3993ba65e0b02023f Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 14:13:10 +0100 Subject: [PATCH 16/23] more security hacks --- Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index fdaa3e6e..cbb5d0af 100644 --- a/Dockerfile +++ b/Dockerfile @@ -125,7 +125,10 @@ RUN chmod +rx /opt/mendix/build/startup &&\ RUN rm /run/nginx.pid || true +# remove user forcing RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf +# nginx get pid out of /run folder +RUN sed -i.bak 's/run/tmp/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf RUN yum -y install net-tools 
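Review bot: In patch 16, `sed -i.bak 's/run/tmp/' /etc/nginx/nginx.conf` is not restricted to the pid directive, so it rewrites the first `run` on every line of the file that contains one, not only the pid path the comment describes. Patch 17 repeats the pattern with `s/80/8080/`, which also hits any other value containing `80`, and it sits under the copied comment "nginx get pid out of /run folder" although it changes a port. Restricting each substitution to its directive keeps the edit predictable, e.g. `sed -i '/^pid/s|/run/|/tmp/|' /etc/nginx/nginx.conf` and `sed -i '/^[[:space:]]*listen/s/80/8080/' /etc/nginx/nginx.conf` (assuming the stock config uses those directive forms; nginx.conf is not shown). Each `-i.bak` also leaves an `nginx.conf.bak` in the image, and the trailing `cat` prints the full config into every build log.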
@@ -149,4 +152,7 @@ WORKDIR /opt/mendix/build ENV PORT 8080 EXPOSE $PORT +# port as configured in nginx +EXPOSE 80 + ENTRYPOINT ["/opt/mendix/build/startup","/opt/mendix/buildpack/buildpack/start.py"] From 2de3d83b4ae2707adc6ddac594feeccb54c575e4 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 14:28:25 +0100 Subject: [PATCH 17/23] bind to port 8080 --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index cbb5d0af..85d9e372 100644 --- a/Dockerfile +++ b/Dockerfile @@ -130,6 +130,9 @@ RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.co # nginx get pid out of /run folder RUN sed -i.bak 's/run/tmp/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf +# nginx get pid out of /run folder +RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf + RUN yum -y install net-tools USER ${USER_UID} @@ -152,7 +155,4 @@ WORKDIR /opt/mendix/build ENV PORT 8080 EXPOSE $PORT -# port as configured in nginx -EXPOSE 80 - ENTRYPOINT ["/opt/mendix/build/startup","/opt/mendix/buildpack/buildpack/start.py"] From eff8143e7f0590c5e67a87475f3deece6a4ac51b Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 14:38:18 +0100 Subject: [PATCH 18/23] nginx.pid - 777 --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 85d9e372..c4510b97 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -123,12 +123,10 @@ RUN chmod +rx /opt/mendix/build/startup &&\ chmod -R 777 /etc/nginx &&\ ln -s /opt/mendix/.java /root -RUN rm /run/nginx.pid || true +RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid # remove user forcing RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf -# nginx get pid out of /run folder -RUN sed -i.bak 's/run/tmp/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf # nginx get pid out of /run folder RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf From dffb2b64e94041ba0b5fcb5ebaf279bfcac03bc5 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 16:31:08 +0100 Subject: [PATCH 19/23] better comments to understand changes --- Dockerfile | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index c4510b97..75d0eb6c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ # Author: Mendix Digital Ecosystems, digitalecosystems@mendix.com # Version: 2.1.0 -# Build stage +# Build stage (cut) no $ and dynamic setting - hardcode FROM mendix/rootfs:bionic AS builder # (cut) move down for ocp3 (have builder first) 
@@ -115,22 +115,26 @@ RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\ # 1. Make the startup script executable # 2. Update ownership of /opt/mendix so that the app can run as a non-root user # 3. Update permissions of /opt/mendix so that the app can run as a non-root user -# 4. Ensure that running Java 8 as root will still be able to load offline licenses +# 4. Update ownership of /etc/nginx so that the app can run as a non-root user +# 5. Update permissions of /etc/nginx so that the app can run as a non-root user +# 6. Ensure that running Java 8 as root will still be able to load offline licenses RUN chmod +rx /opt/mendix/build/startup &&\ chown -R ${USER_UID}:0 /opt/mendix &&\ - chown -R ${USER_UID}:0 /etc/nginx &&\ chmod -R 777 /opt/mendix &&\ + chown -R ${USER_UID}:0 /etc/nginx &&\ chmod -R 777 /etc/nginx &&\ ln -s /opt/mendix/.java /root +# allow non-root user to write the pid file RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid -# remove user forcing +# remove user forcing (user nginx) RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf -# nginx get pid out of /run folder +# fix listening - for non root port has to be > 1024 - makes it consistent with EXPOSE below RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf +# temp to diagnose nginx issues RUN yum -y install net-tools USER ${USER_UID} From 12fd575c5cee36c20d81f95723635ec5dbda56e6 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 16:35:12 +0100 Subject: [PATCH 20/23] better comments to understand the changes --- Dockerfile | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 75d0eb6c..75a59938 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -4,7 +4,8 @@ # Author: Mendix Digital Ecosystems, digitalecosystems@mendix.com # Version: 2.1.0 -# Build stage (cut) no $ and dynamic setting - hardcode +# Build stage +# (cut) no $ and dynamic setting - hardcode FROM mendix/rootfs:bionic AS builder # (cut) move down for ocp3 (have builder first) @@ -78,6 +79,7 @@ RUN mkdir -p /tmp/buildcache /var/mendix/build /var/mendix/build/.local &&\ chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\ chmod -R g=u /opt/mendix /var/mendix +# (cut) no $ and dynamic setting - hardcode (same as above) FROM mendix/rootfs:ubi8 LABEL Author="Mendix Digital Ecosystems" LABEL maintainer="digitalecosystems@mendix.com" @@ -115,8 +117,8 @@ RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\ # 1. Make the startup script executable # 2. Update ownership of /opt/mendix so that the app can run as a non-root user # 3. Update permissions of /opt/mendix so that the app can run as a non-root user -# 4. Update ownership of /etc/nginx so that the app can run as a non-root user -# 5. Update permissions of /etc/nginx so that the app can run as a non-root user +# 4. (cut) Update ownership of /etc/nginx so that the app can run as a non-root user +# 5. (cut) Update permissions of /etc/nginx so that the app can run as a non-root user # 6. Ensure that running Java 8 as root will still be able to load offline licenses RUN chmod +rx /opt/mendix/build/startup &&\ chown -R ${USER_UID}:0 /opt/mendix &&\ 
@@ -128,10 +130,10 @@ RUN chmod +rx /opt/mendix/build/startup &&\ # allow non-root user to write the pid file RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid -# remove user forcing (user nginx) +# NGINX remove user forcing (user nginx) RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf -# fix listening - for non root port has to be > 1024 - makes it consistent with EXPOSE below +# NGINX fix listening - for non root port has to be > 1024 - makes it consistent with EXPOSE below RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf # temp to diagnose nginx issues From 3cd8cc03bb9f63e92dc149340bbe2114d073361f Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Fri, 10 Dec 2021 16:37:03 +0100 Subject: [PATCH 21/23] documentation --- Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 75a59938..174037da 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ # (cut) no $ and dynamic setting - hardcode FROM mendix/rootfs:bionic AS builder -# (cut) move down for ocp3 (have builder first) +# (cut) moved down for ocp3 (have builder FROM clause first) ARG ROOTFS_IMAGE=mendix/rootfs:ubi8 ARG BUILDER_ROOTFS_IMAGE=mendix/rootfs:bionic 
@@ -127,16 +127,16 @@ RUN chmod +rx /opt/mendix/build/startup &&\ chmod -R 777 /etc/nginx &&\ ln -s /opt/mendix/.java /root -# allow non-root user to write the pid file +# NGINX allow non-root user to write the pid file RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid # NGINX remove user forcing (user nginx) -RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf +RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf # NGINX fix listening - for non root port has to be > 1024 - makes it consistent with EXPOSE below -RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf && cat /etc/nginx/nginx.conf +RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf -# temp to diagnose nginx issues +# (cut) temp to diagnose nginx issues RUN yum -y install net-tools USER ${USER_UID} From 856ad24a6a997697df5b8ceac84756563016aae3 Mon Sep 17 00:00:00 2001 From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Tue, 15 Mar 2022 14:21:34 +0100 Subject: [PATCH 22/23] port can be set via DC (PORT env var) --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 174037da..402de8cc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -134,7 +134,8 @@ RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf # NGINX fix listening - for non root port has to be > 1024 - makes it consistent with EXPOSE below -RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf +# (cut) needs DC variable called PORT .. +# RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf # (cut) temp to diagnose nginx issues RUN yum -y install net-tools From 240a15a5a254a3aff19ee4ab9cf9e892d6c67f99 Mon Sep 17 00:00:00 2001 
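Review bot: Commenting out `RUN sed -i.bak 's/80/8080/' /etc/nginx/nginx.conf` in patch 22 leaves the line "NGINX fix listening - … makes it consistent with EXPOSE below" describing a step that no longer runs. The replacement comment "needs DC variable called PORT .." does not say what the image does when that variable is absent. I would delete the dead line and state the contract in one comment, e.g. `# nginx listen port is taken from PORT at start-up; see ENV PORT below`, if that is how the start script behaves (it is not shown here). Patch 23 adds four more commented-out commands, two of them still ending in `&&\`, and removing them rather than commenting them out keeps the file an accurate record of which permissions are actually applied.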
From: Clemens Utschig <40628552+clemensutschig@users.noreply.github.com> Date: Tue, 15 Mar 2022 14:27:24 +0100 Subject: [PATCH 23/23] remove NGINX permissions --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 402de8cc..bbb32035 100644 --- a/Dockerfile +++ b/Dockerfile @@ -123,15 +123,15 @@ RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\ RUN chmod +rx /opt/mendix/build/startup &&\ chown -R ${USER_UID}:0 /opt/mendix &&\ chmod -R 777 /opt/mendix &&\ - chown -R ${USER_UID}:0 /etc/nginx &&\ - chmod -R 777 /etc/nginx &&\ ln -s /opt/mendix/.java /root +# chown -R ${USER_UID}:0 /etc/nginx &&\ +# chmod -R 777 /etc/nginx &&\ # NGINX allow non-root user to write the pid file -RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid +# RUN chown -R ${USER_UID}:0 /run/nginx.pid && chmod -R 777 /run/nginx.pid # NGINX remove user forcing (user nginx) -RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf +# RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf # NGINX fix listening - for non root port has to be > 1024 - makes it consistent with EXPOSE below # (cut) needs DC variable called PORT ..