2020-08-19 10:50:20
浏览数 (2)
Dockerfile_redis_5.0
代码语言:javascript
复制FROM debian:buster-slim
# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
RUN groupadd -r -g 999 redis && useradd -r -g redis -u 999 redis
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
ENV GOSU_VERSION 1.11
RUN set -eux;
# save list of currently installed packages for later so we can clean up
savedAptMark="$(apt-mark showmanual)";
apt-get update;
apt-get install -y --no-install-recommends
ca-certificates
dirmngr
gnupg
wget
;
rm -rf /var/lib/apt/lists/*;
dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')";
wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch";
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc";
# verify the signature
export GNUPGHOME="$(mktemp -d)";
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4;
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu;
gpgconf --kill all;
rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc;
# clean up fetch dependencies
apt-mark auto '.*' > /dev/null;
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null;
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false;
chmod x /usr/local/bin/gosu;
# verify that the binary works
gosu --version;
gosu nobody true
ENV REDIS_VERSION 5.0.8
ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-5.0.8.tar.gz
ENV REDIS_DOWNLOAD_SHA f3c7eac42f433326a8d981b50dba0169fdfaf46abb23fcda2f933a7552ee4ed7
RUN set -eux;
savedAptMark="$(apt-mark showmanual)";
apt-get update;
apt-get install -y --no-install-recommends
ca-certificates
wget
gcc
libc6-dev
make
;
rm -rf /var/lib/apt/lists/*;
wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL";
echo "$REDIS_DOWNLOAD_SHA *redis.tar.gz" | sha256sum -c -;
mkdir -p /usr/src/redis;
tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1;
rm redis.tar.gz;
# disable Redis protected mode [1] as it is unnecessary in context of Docker
# (ports are not automatically exposed when running inside Docker, but rather explicitly by specifying -p / -P)
# [1]: https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 1$' /usr/src/redis/src/server.h;
sed -ri 's!^(#define CONFIG_DEFAULT_PROTECTED_MODE) 1$!1 0!' /usr/src/redis/src/server.h;
grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 0$' /usr/src/redis/src/server.h;
# for future reference, we modify this directly in the source instead of just supplying a default configuration flag because apparently "if you specify any argument to redis-server, [it assumes] you are going to specify everything"
# see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
# (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
make -C /usr/src/redis -j "$(nproc)" all;
make -C /usr/src/redis install;
# TODO https://github.com/antirez/redis/pull/3494 (deduplicate "redis-server" copies)
serverMd5="$(md5sum /usr/local/bin/redis-server | cut -d' ' -f1)"; export serverMd5;
find /usr/local/bin/redis* -maxdepth 0
-type f -not -name redis-server
-exec sh -eux -c '
md5="$(md5sum "$1" | cut -d" " -f1)";
test "$md5" = "$serverMd5";
' -- '{}' ';'
-exec ln -svfT 'redis-server' '{}' ';'
;
rm -r /usr/src/redis;
apt-mark auto '.*' > /dev/null;
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null;
find /usr/local -type f -executable -exec ldd '{}' ';'
| awk '/=>/ { print $(NF-1) }'
| sort -u
| xargs -r dpkg-query --search
| cut -d: -f1
| sort -u
| xargs -r apt-mark manual
;
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false;
redis-cli --version;
redis-server --version
RUN mkdir /data && chown redis:redis /data
VOLUME /data
WORKDIR /data
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 6379
CMD ["redis-server"]
Dockerfile_alpine_httpd_2.4
代码语言:javascript
复制FROM alpine:3.11
# ensure www-data user exists
RUN set -x
&& addgroup -g 82 -S www-data
&& adduser -u 82 -D -S -G www-data www-data
# 82 is the standard uid/gid for "www-data" in Alpine
# https://git.alpinelinux.org/cgit/aports/tree/main/apache2/apache2.pre-install?h=v3.8.1
# https://git.alpinelinux.org/cgit/aports/tree/main/lighttpd/lighttpd.pre-install?h=v3.8.1
# https://git.alpinelinux.org/cgit/aports/tree/main/nginx/nginx.pre-install?h=v3.8.1
ENV HTTPD_PREFIX /usr/local/apache2
ENV PATH $HTTPD_PREFIX/bin:$PATH
RUN mkdir -p "$HTTPD_PREFIX"
&& chown www-data:www-data "$HTTPD_PREFIX"
WORKDIR $HTTPD_PREFIX
ENV HTTPD_VERSION 2.4.43
ENV HTTPD_SHA256 a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43
# https://httpd.apache.org/security/vulnerabilities_24.html
ENV HTTPD_PATCHES=""
# see https://httpd.apache.org/docs/2.4/install.html#requirements
RUN set -eux;
runDeps='
apr-dev
apr-util-dbm_db
apr-util-dev
apr-util-ldap
perl
';
apk add --no-cache --virtual .build-deps
$runDeps
ca-certificates
coreutils
dpkg-dev dpkg
gcc
gnupg
libc-dev
# mod_md
curl-dev
jansson-dev
# mod_proxy_html mod_xml2enc
libxml2-dev
# mod_lua
lua-dev
make
# mod_http2
nghttp2-dev
# mod_session_crypto
openssl
openssl-dev
pcre-dev
tar
# mod_deflate
zlib-dev
# mod_brotli
brotli-dev
;
ddist() {
local f="$1"; shift;
local distFile="$1"; shift;
local success=;
local distUrl=;
for distUrl in
# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394
'https://www.apache.org/dyn/closer.cgi?action=download&filename='
# if the version is outdated (or we're grabbing the .asc file), we might have to pull from the dist/archive :/
https://www-us.apache.org/dist/
https://www.apache.org/dist/
https://archive.apache.org/dist/
; do
if wget -O "$f" "$distUrl$distFile" && [ -s "$f" ]; then
success=1;
break;
fi;
done;
[ -n "$success" ];
};
ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2";
echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -;
# see https://httpd.apache.org/download.cgi#verify
ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc";
export GNUPGHOME="$(mktemp -d)";
for key in
# gpg: key 791485A8: public key "Jim Jagielski (Release Signing Key) <jim@apache.org>" imported
A93D62ECC3C8EA12DB220EC934EA76E6791485A8
# gpg: key 995E35221AD84DFF: public key "Daniel Ruggeri (https://home.apache.org/~druggeri/) <druggeri@apache.org>" imported
B9E8213AEFB861AF35A41F2C995E35221AD84DFF
; do
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key";
done;
gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2;
command -v gpgconf && gpgconf --kill all || :;
rm -rf "$GNUPGHOME" httpd.tar.bz2.asc;
mkdir -p src;
tar -xf httpd.tar.bz2 -C src --strip-components=1;
rm httpd.tar.bz2;
cd src;
patches() {
while [ "$#" -gt 0 ]; do
local patchFile="$1"; shift;
local patchSha256="$1"; shift;
ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile";
echo "$patchSha256 *$patchFile" | sha256sum -c -;
patch -p0 < "$patchFile";
rm -f "$patchFile";
done;
};
patches $HTTPD_PATCHES;
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)";
./configure
--build="$gnuArch"
--prefix="$HTTPD_PREFIX"
--enable-mods-shared=reallyall
--enable-mpms-shared=all
# PIE and hardening flags are unnecessary as Alpine enables them automatically (https://alpinelinux.org/about/)
;
make -j "$(nproc)";
make install;
cd ..;
rm -r src man manual;
sed -ri
-e 's!^(s*CustomLog)s S !1 /proc/self/fd/1!g'
-e 's!^(s*ErrorLog)s S !1 /proc/self/fd/2!g'
-e 's!^(s*TransferLog)s S !1 /proc/self/fd/1!g'
"$HTTPD_PREFIX/conf/httpd.conf"
"$HTTPD_PREFIX/conf/extra/httpd-ssl.conf"
;
runDeps="$runDeps $(
scanelf --needed --nobanner --format '%n#p' --recursive /usr/local
| tr ',' 'n'
| sort -u
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }'
)";
apk add --no-network --virtual .httpd-rundeps $runDeps;
apk del --no-network .build-deps;
# smoke test
httpd -v
# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
STOPSIGNAL SIGWINCH
COPY httpd-foreground /usr/local/bin/
EXPOSE 80
CMD ["httpd-foreground"]