chore: make read-only FS a separate image variant

Use bake matrix to simplify target descriptions and add "read-only" as new image variant.
coreruleset · Feb 9, 2025 · d9addbb · d9addbb
1 parent 965b76d
commit d9addbb
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 74 deletions.
diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -1,6 +1,6 @@
 ARG HTTPD_VERSION="n/a"
 
-FROM httpd:${HTTPD_VERSION} AS build
+FROM image AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG LUA_VERSION="n/a"
@@ -36,7 +36,7 @@ RUN set -eux; \
     make install; \
     make clean
 
-FROM httpd:${HTTPD_VERSION} AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -56,7 +56,7 @@ RUN set -eux; \
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM httpd:${HTTPD_VERSION}
+FROM image
 
 ARG MODSEC2_VERSION
 ARG LUA_VERSION

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -1,6 +1,6 @@
 ARG HTTPD_VERSION="n/a"
 
-FROM httpd:${HTTPD_VERSION}-alpine AS build
+FROM image AS build
 
 ARG MODSEC2_VERSION="n/a"
 ARG LUA_VERSION="n/a"
@@ -46,7 +46,7 @@ RUN set -eux; \
     make install; \
     make clean
 
-FROM httpd:${HTTPD_VERSION}-alpine AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -66,7 +66,7 @@ RUN set -eux; \
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM httpd:${HTTPD_VERSION}-alpine
+FROM image
 
 ARG MODSEC2_VERSION
 ARG LUA_VERSION

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -96,16 +96,11 @@ function "vtag" {
 group "default" {
     targets = [
         "apache",
-        "apache-alpine",
-        "nginx",
-        "nginx-alpine",
+        "nginx"
     ]
 }
 
-target "docker-metadata-action" {}
-
 target "platforms-base" {
-    inherits = ["docker-metadata-action"]
     context="."
     platforms = ["linux/amd64", "linux/arm64/v8", "linux/arm/v7", "linux/i386"]
     labels = {
@@ -121,53 +116,82 @@ target "platforms-base" {
 }
 
 target "apache" {
-    inherits = ["platforms-base"]
-    dockerfile="apache/Dockerfile"
-    args = {
-        HTTPD_VERSION = "${httpd-version}"
-        LUA_MODULES = join(" ", lua-modules-debian)
+    matrix = {
+        base = [
+            {
+                name = "debian"
+                dockerfile="apache/Dockerfile"
+                image = "docker-image://httpd:${httpd-version}"
+                lua_modules = join(" ", lua-modules-debian)
+                tag_base = "apache"
+            },
+            {
+                name = "alpine"
+                dockerfile = "apache/Dockerfile-alpine"
+                image = "docker-image://httpd:${httpd-version}-alpine"
+                lua_modules = join(" ", lua-modules-alpine)
+                tag_base = "apache-alpine"
+            }
+        ]
     }
-    tags = concat(tag("apache"),
-        vtag("${crs-version}", "apache")
-    )
-}
 
-target "apache-alpine" {
     inherits = ["platforms-base"]
-    dockerfile="apache/Dockerfile-alpine"
+    name = "apache-${base.name}"
+    contexts = {
+        image = base.image
+    }
+    dockerfile = base.dockerfile
     args = {
-        HTTPD_VERSION = "${httpd-version}"
-        LUA_MODULES = join(" ", lua-modules-alpine)
+        LUA_MODULES = base.lua_modules
     }
-    tags = concat(tag("apache-alpine"),
-        vtag("${crs-version}", "apache-alpine")
+    tags = concat(tag(base.tag_base),
+        vtag("${crs-version}", base.tag_base)
     )
 }
 
 target "nginx" {
-    inherits = ["platforms-base"]
-    dockerfile="nginx/Dockerfile"
-    args = {
-        LUA_MODULES = join(" ", lua-modules-debian)
-        NGINX_VERSION = "${nginx-version}"
-        NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
-        NGINX_HOME = "/etc/nginx"
+    matrix = {
+        base = [
+            {
+                name = "debian"
+                dockerfile = "nginx/Dockerfile"
+                image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}"
+                lua_modules = join(" ", lua-modules-debian)
+                tag_base = "nginx"
+            },
+            {
+                name = "alpine"
+                dockerfile = "nginx/Dockerfile-alpine"
+                image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}-alpine"
+                lua_modules = join(" ", lua-modules-alpine)
+                tag_base = "nginx-alpine"
+            }
+        ],
+        read-only-fs = [
+            {
+                name = "writable"
+                read-only = "false"
+            },
+            {
+                name = "read-only"
+                read-only = "true"
+            }
+        ]
     }
-    tags = concat(tag("nginx"),
-        vtag("${crs-version}", "nginx")
-    )
-}
-
-target "nginx-alpine" {
     inherits = ["platforms-base"]
-    dockerfile="nginx/Dockerfile-alpine"
+    name = "nginx-${base.name}-${read-only-fs.name}"
+    contexts = {
+        image = base.image
+    }
+    dockerfile = base.dockerfile
     args = {
-        LUA_MODULES = join(" ", lua-modules-alpine)
-        NGINX_VERSION = "${nginx-version}"
+        NGINX_VERSION = nginx-version
+        LUA_MODULES = base.lua_modules
         NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
         NGINX_HOME = "/etc/nginx"
+        READ_ONLY_FS = read-only-fs.read-only
     }
-    tags = concat(tag("nginx-alpine"),
-        vtag("${crs-version}", "nginx-alpine")
+    tags = concat(tag(base.tag_base),
+        vtag("${crs-version}", base.tag_base)
     )
 }
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,12 +1,12 @@
-ARG NGINX_VERSION="n/a"
-
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS build
+FROM image AS build
 
+ARG NGINX_VERSION="n/a"
 ARG MODSEC3_VERSION="n/a"
 ARG LMDB_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
 ARG NGINX_HOME="n/a"
+ARG READ_ONLY_FS="false"
 
 USER root
 
@@ -87,7 +87,7 @@ RUN set -eux; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /usr/share/TLS/dhparam-2048.pem; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe4096.txt -o /usr/share/TLS/dhparam-4096.pem
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION} AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -115,13 +115,14 @@ RUN curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CR
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}
+FROM image
 
 ARG MODSEC3_VERSION
 ARG LMDB_VERSION
 ARG LUA_VERSION
 ARG LUA_MODULES
 ARG NGINX_HOME
+ARG READ_ONLY_FS
 
 LABEL maintainer="Felipe Zipitria <felipe.zipitria@owasp.org>"
 
@@ -254,17 +255,25 @@ RUN set -eux; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3.0; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so; \
-    ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
-    # move files that need to be writable so we can use tmpfs for them later
-    mkdir -p /usr/local/bootstrap/nginx /usr/local/bootstrap/modsecurity.d /usr/local/bootstrap/owasp-crs; \
-    mv "${NGINX_HOME}/"* /usr/local/bootstrap/nginx/; \
-    mv /etc/modsecurity.d/* /usr/local/bootstrap/modsecurity.d/; \
-    mv /opt/owasp-crs/* /usr/local/bootstrap/owasp-crs/; \
+    ln -sv /opt/owasp-crs /etc/modsecurity.d/
+
+RUN set -eux; \
+    if [ "${READ_ONLY_FS}" = "true" ]; then \
+        # move files that need to be writable so we can use tmpfs for them later
+        mkdir -p /usr/local/bootstrap/nginx /usr/local/bootstrap/modsecurity.d /usr/local/bootstrap/owasp-crs; \
+        mv "${NGINX_HOME}/"* /usr/local/bootstrap/nginx/; \
+        mv /etc/modsecurity.d/* /usr/local/bootstrap/modsecurity.d/; \
+        mv /opt/owasp-crs/* /usr/local/bootstrap/owasp-crs/; \
+        chown nginx:nginx \
+            "${NGINX_HOME}" \
+            /usr/local/bootstrap/*; \
+    else \
+        # only run this script in read-only configuration
+        rm /docker-entrypoint.d/0-move-writeables.sh; \
+    fi; \
     chown nginx:nginx \
         /opt/owasp-crs \
-        /etc/modsecurity.d \
-        "${NGINX_HOME}" \
-        /usr/local/bootstrap/*
+        /etc/modsecurity.d
 
 USER nginx
 

diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
@@ -1,11 +1,11 @@
-ARG NGINX_VERSION="n/a"
-
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine AS build
+FROM image AS build
 
+ARG NGINX_VERSION="n/a"
 ARG MODSEC3_VERSION="n/a"
 ARG LUA_VERSION="n/a"
 ARG NGINX_DYNAMIC_MODULES="n/a"
 ARG NGINX_HOME="n/a"
+ARG READ_ONLY_FS="false"
 
 USER root
 
@@ -66,7 +66,7 @@ RUN set -eux; \
         git clone -b "${version}" --depth 1 "https://github.com/${owner}/${name}.git"; \
         modules="${modules} --add-dynamic-module=../${name}"; \
     done; \
-    curl -sSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz; \
+    curl -sSL "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o nginx-${NGINX_VERSION}.tar.gz; \
     tar -xzf nginx-${NGINX_VERSION}.tar.gz; \
     cd ./nginx-${NGINX_VERSION}; \
     ./configure --with-compat ${modules}; \
@@ -83,7 +83,7 @@ RUN set -eux; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /usr/share/TLS/dhparam-2048.pem; \
     curl -sSL https://ssl-config.mozilla.org/ffdhe4096.txt -o /usr/share/TLS/dhparam-4096.pem
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine AS crs_release
+FROM image AS crs_release
 
 ARG CRS_RELEASE
 
@@ -110,12 +110,13 @@ RUN curl -sSL https://github.com/coreruleset/coreruleset/releases/download/v${CR
     rm -f v${CRS_RELEASE}-minimal.tar.gz coreruleset-${CRS_RELEASE}-minimal.tar.gz.asc; \
     mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf
 
-FROM nginxinc/nginx-unprivileged:${NGINX_VERSION}-alpine
+FROM image
 
 ARG MODSEC3_VERSION
 ARG LUA_VERSION
 ARG LUA_MODULES
 ARG NGINX_HOME
+ARG READ_ONLY_FS
 
 LABEL maintainer="Felipe Zipitria <felipe.zipitria@owasp.org>"
 
@@ -251,17 +252,25 @@ RUN set -eux; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3.0; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so.3; \
     ln -s /usr/local/modsecurity/lib/libmodsecurity.so.${MODSEC3_VERSION} /usr/local/modsecurity/lib/libmodsecurity.so; \
-    ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
-    # move files that need to be writable so we can use tmpfs for them later
-    mkdir -p /usr/local/bootstrap/nginx /usr/local/bootstrap/modsecurity.d /usr/local/bootstrap/owasp-crs; \
-    mv "${NGINX_HOME}/"* /usr/local/bootstrap/nginx/; \
-    mv /etc/modsecurity.d/* /usr/local/bootstrap/modsecurity.d/; \
-    mv /opt/owasp-crs/* /usr/local/bootstrap/owasp-crs/; \
+    ln -sv /opt/owasp-crs /etc/modsecurity.d/
+
+RUN set -eux; \
+    if [ "${READ_ONLY_FS}" = "true" ]; then \
+        # move files that need to be writable so we can use tmpfs for them later
+        mkdir -p /usr/local/bootstrap/nginx /usr/local/bootstrap/modsecurity.d /usr/local/bootstrap/owasp-crs; \
+        mv "${NGINX_HOME}/"* /usr/local/bootstrap/nginx/; \
+        mv /etc/modsecurity.d/* /usr/local/bootstrap/modsecurity.d/; \
+        mv /opt/owasp-crs/* /usr/local/bootstrap/owasp-crs/; \
+        chown nginx:nginx \
+            "${NGINX_HOME}" \
+            /usr/local/bootstrap/*; \
+    else \
+        # only run this script in read-only configuration
+        rm /docker-entrypoint.d/0-move-writeables.sh; \
+    fi; \
     chown nginx:nginx \
         /opt/owasp-crs \
-        /etc/modsecurity.d \
-        "${NGINX_HOME}" \
-        /usr/local/bootstrap/*
+        /etc/modsecurity.d
 
 USER nginx