devbox
小蓝xlanll
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Nginx官方镜像Dockerfile浅析_nginx dockerfile

作者:小蓝xlanll | 2024-05-24 07:18:22

nginx dockerfile

目录

Dockerfile获取

dfimage逆向获取

Nginx官网获取

Dockerfile分析

启动命令分析

Docker 容器入口点脚本分析

exec "$@"

exec 命令

"$@" 参数

总结

        在云原生技术快速发展的今天,Docker 作为容器技术的代表,为软件的打包、分发和部署提供了一种轻量级、可移植的解决方案。Dockerfile 作为 Docker 的核心组件之一,其设计和编写直接关系到容器镜像的构建效率和运行时的性能。了解和掌握 Dockerfile 的关键技术点,对于任何希望在云原生领域内进行开发和运维的工程师来说都是至关重要的。

        本文旨在通过分析 Nginx 官方 Docker 镜像的 Dockerfile,探讨 Dockerfile 的获取方法、结构和编写策略,以及容器启动脚本的作用和设计原则。我们将深入讨论在 Dockerfile 中使用 exec "$@" 的好处,以及这种做法在其他镜像设计中的应用价值,为构建更加高效、可靠的容器化应用打下坚实的基础。

Dockerfile获取

dfimage逆向获取

  1. alias dfimage='docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage'
  2.     /usr/bin/docker
  3.  
  4. dfimage nginx:1.25.4

  1. dfimage='docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage'
  2.     /usr/bin/docker nginx:1.25.4

逆向Dockerfile

  1. CMD ["bash"]
  2. LABEL maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>
  3. ENV NGINX_VERSION=1.25.4
  4. ENV NJS_VERSION=0.8.3
  5. ENV PKG_RELEASE=1~bookworm
  6. RUN RUN set -x  \
  7. 	&& groupadd --system --gid 101 nginx  \
  8. 	&& useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx  \
  9. 	&& apt-get update  \
  10. 	&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates  \
  11. 	&& NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; export GNUPGHOME="$(mktemp -d)"; found=''; for server in hkp://keyserver.ubuntu.com:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY"  \
  12. 	&& found=yes  \
  13. 	&& break; done; test -z "$found"  \
  14. 	&& echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY"  \
  15. 	&& exit 1; gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; rm -rf "$GNUPGHOME"; apt-get remove --purge --auto-remove -y gnupg1  \
  16. 	&& rm -rf /var/lib/apt/lists/*  \
  17. 	&& dpkgArch="$(dpkg --print-architecture)"  \
  18. 	&& nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} "  \
  19. 	&& case "$dpkgArch" in amd64|arm64) echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list  \
  20. 	&& apt-get update ;; *) echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list  \
  21. 	&& tempDir="$(mktemp -d)"  \
  22. 	&& chmod 777 "$tempDir"  \
  23. 	&& savedAptMark="$(apt-mark showmanual)"  \
  24. 	&& apt-get update  \
  25. 	&& apt-get build-dep -y $nginxPackages  \
  26. 	&& ( cd "$tempDir"  \
  27. 	&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" apt-get source --compile $nginxPackages )  \
  28. 	&& apt-mark showmanual | xargs apt-mark auto > /dev/null  \
  29. 	&& { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; }  \
  30. 	&& ls -lAFh "$tempDir"  \
  31. 	&& ( cd "$tempDir"  \
  32. 	&& dpkg-scanpackages . > Packages )  \
  33. 	&& grep '^Package: ' "$tempDir/Packages"  \
  34. 	&& echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list  \
  35. 	&& apt-get -o Acquire::GzipIndexes=false update ;; esac  \
  36. 	&& apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base curl  \
  37. 	&& apt-get remove --purge --auto-remove -y  \
  38. 	&& rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list  \
  39. 	&& if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove  \
  40. 	&& rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi  \
  41. 	&& ln -sf /dev/stdout /var/log/nginx/access.log  \
  42. 	&& ln -sf /dev/stderr /var/log/nginx/error.log  \
  43. 	&& mkdir /docker-entrypoint.d # buildkit
  44. COPY docker-entrypoint.sh / # buildkit
  45. 	docker-entrypoint.sh
  46.  
  47. COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d # buildkit
  48. 	docker-entrypoint.d/
  49. 	docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
  50.  
  51. COPY 15-local-resolvers.envsh /docker-entrypoint.d # buildkit
  52. 	docker-entrypoint.d/
  53. 	docker-entrypoint.d/15-local-resolvers.envsh
  54.  
  55. COPY 20-envsubst-on-templates.sh /docker-entrypoint.d # buildkit
  56. 	docker-entrypoint.d/
  57. 	docker-entrypoint.d/20-envsubst-on-templates.sh
  58.  
  59. COPY 30-tune-worker-processes.sh /docker-entrypoint.d # buildkit
  60. 	docker-entrypoint.d/
  61. 	docker-entrypoint.d/30-tune-worker-processes.sh
  62.  
  63. ENTRYPOINT ["/docker-entrypoint.sh"]
  64. EXPOSE map[80/tcp:{}]
  65. STOPSIGNAL SIGQUIT
  66. CMD ["nginx" "-g" "daemon off;"]

Nginx官网获取

docker-nginx/mainline/debian/Dockerfile at 1f227619c1f1baa0bed8bed844ea614437ff14fb · nginxinc/docker-nginx · GitHub

官网Dockerfile

  1. #
  2. # NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh"
  3. #
  4. # PLEASE DO NOT EDIT IT DIRECTLY.
  5. #
  6. FROM debian:bookworm-slim
  7.  
  8. LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
  9.  
  10. ENV NGINX_VERSION   1.25.4
  11. ENV NJS_VERSION     0.8.3
  12. ENV PKG_RELEASE     1~bookworm
  13.  
  14. RUN set -x \
  15. # create nginx user/group first, to be consistent throughout docker variants
  16.     && groupadd --system --gid 101 nginx \
  17.     && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
  18.     && apt-get update \
  19.     && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
  20.     && \
  21.     NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
  22.     NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
  23.     export GNUPGHOME="$(mktemp -d)"; \
  24.     found=''; \
  25.     for server in \
  26.         hkp://keyserver.ubuntu.com:80 \
  27.         pgp.mit.edu \
  28.     ; do \
  29.         echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
  30.         gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
  31.     done; \
  32.     test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
  33.     gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
  34.     rm -rf "$GNUPGHOME"; \
  35.     apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
  36.     && dpkgArch="$(dpkg --print-architecture)" \
  37.     && nginxPackages=" \
  38.         nginx=${NGINX_VERSION}-${PKG_RELEASE} \
  39.         nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
  40.         nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
  41.         nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
  42.         nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \
  43.     " \
  44.     && case "$dpkgArch" in \
  45.         amd64|arm64) \
  46. # arches officialy built by upstream
  47.             echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \
  48.             && apt-get update \
  49.             ;; \
  50.         *) \
  51. # we're on an architecture upstream doesn't officially build for
  52. # let's build binaries from the published source packages
  53.             echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \
  54.             \
  55. # new directory for storing sources and .deb files
  56.             && tempDir="$(mktemp -d)" \
  57.             && chmod 777 "$tempDir" \
  58. # (777 to ensure APT's "_apt" user can access it too)
  59.             \
  60. # save list of currently-installed packages so build dependencies can be cleanly removed later
  61.             && savedAptMark="$(apt-mark showmanual)" \
  62.             \
  63. # build .deb files from upstream's source packages (which are verified by apt-get)
  64.             && apt-get update \
  65.             && apt-get build-dep -y $nginxPackages \
  66.             && ( \
  67.                 cd "$tempDir" \
  68.                 && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
  69.                     apt-get source --compile $nginxPackages \
  70.             ) \
  71. # we don't remove APT lists here because they get re-downloaded and removed later
  72.             \
  73. # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
  74. # (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
  75.             && apt-mark showmanual | xargs apt-mark auto > /dev/null \
  76.             && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \
  77.             \
  78. # create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
  79.             && ls -lAFh "$tempDir" \
  80.             && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \
  81.             && grep '^Package: ' "$tempDir/Packages" \
  82.             && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \
  83. # work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
  84. #   Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
  85. #   ...
  86. #   E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages  Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
  87.             && apt-get -o Acquire::GzipIndexes=false update \
  88.             ;; \
  89.     esac \
  90.     \
  91.     && apt-get install --no-install-recommends --no-install-suggests -y \
  92.                         $nginxPackages \
  93.                         gettext-base \
  94.                         curl \
  95.     && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
  96.     \
  97. # if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
  98.     && if [ -n "$tempDir" ]; then \
  99.         apt-get purge -y --auto-remove \
  100.         && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
  101.     fi \
  102. # forward request and error logs to docker log collector
  103.     && ln -sf /dev/stdout /var/log/nginx/access.log \
  104.     && ln -sf /dev/stderr /var/log/nginx/error.log \
  105. # create a docker-entrypoint.d directory
  106.     && mkdir /docker-entrypoint.d
  107.  
  108. COPY docker-entrypoint.sh /
  109. COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
  110. COPY 15-local-resolvers.envsh /docker-entrypoint.d
  111. COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
  112. COPY 30-tune-worker-processes.sh /docker-entrypoint.d
  113. ENTRYPOINT ["/docker-entrypoint.sh"]
  114.  
  115. EXPOSE 80
  116.  
  117. STOPSIGNAL SIGQUIT
  118.  
  119. CMD ["nginx", "-g", "daemon off;"]

Dockerfile分析

启动命令分析

  1. ENTRYPOINT ["/docker-entrypoint.sh"]
  2. EXPOSE map[80/tcp:{}]
  3. STOPSIGNAL SIGQUIT
  4. CMD ["nginx" "-g" "daemon off;"]

  • ENTRYPOINT 设置了容器启动时执行的主命令,即执行 /docker-entrypoint.sh 脚本。

  • CMD 提供了额外的参数,这些参数将传递给 /docker-entrypoint.sh。

这意味着当容器启动时,实际执行的命令会是 /docker-entrypoint.sh nginx -g "daemon off;"。这里,nginx -g "daemon off;" 是作为参数传递给 /docker-entrypoint.sh 脚本的。

Docker 容器入口点脚本分析

docker-entrypoint.sh

  1. #!/bin/sh
  2. # vim:sw=4:ts=4:et
  3.  
  4. set -e  # 如果任何语句的执行结果不是true则立即退出脚本
  5.  
  6. # 定义一个用于输出日志的函数
  7. entrypoint_log() {
  8.     # 如果环境变量NGINX_ENTRYPOINT_QUIET_LOGS未设置或为空,打印日志信息
  9.     if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
  10.         echo "$@"
  11.     fi
  12. }
  13.  
  14. # 检查传递给脚本的第一个参数是否是nginx或nginx-debug
  15. if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
  16.     # 查找/docker-entrypoint.d/目录下是否有文件存在
  17.     if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
  18.         entrypoint_log "$0: /docker-entrypoint.d/ 目录不为空,尝试进行配置"
  19.  
  20.         entrypoint_log "$0: 在 /docker-entrypoint.d/ 目录中查找shell脚本"
  21.         # 遍历目录下所有文件,并按版本号排序
  22.         find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
  23.             case "$f" in
  24.                 *.envsh)
  25.                     # 如果文件具有执行权限,使用source命令执行它
  26.                     if [ -x "$f" ]; then
  27.                         entrypoint_log "$0: 正在加载 $f";
  28.                         . "$f"
  29.                     else
  30.                         # 如果文件没有执行权限,打印警告日志
  31.                         entrypoint_log "$0: 忽略 $f,没有执行权限";
  32.                     fi
  33.                     ;;
  34.                 *.sh)
  35.                     # 如果文件具有执行权限,直接执行它
  36.                     if [ -x "$f" ]; then
  37.                         entrypoint_log "$0: 正在执行 $f";
  38.                         "$f"
  39.                     else
  40.                         # 如果文件没有执行权限,打印警告日志
  41.                         entrypoint_log "$0: 忽略 $f,没有执行权限";
  42.                     fi
  43.                     ;;
  44.                 # 忽略其他类型的文件
  45.                 *) entrypoint_log "$0: 忽略 $f";;
  46.             esac
  47.         done
  48.  
  49.         entrypoint_log "$0: 配置完成;准备启动"
  50.     else
  51.         entrypoint_log "$0: 在 /docker-entrypoint.d/ 目录中未找到文件,跳过配置"
  52.     fi
  53. fi
  54.  
  55. # 使用传递给脚本的参数替换当前进程,通常用于启动主程序
  56. exec "$@"

exec "$@"

        exec "$@"是上面docker-entrypoint.sh脚本的最后一行,这行命令是 Docker 容器入口点脚本的核心部分,它负责执行容器启动时用户指定的命令。

exec 命令

  • exec 用于执行命令并用该命令替换当前的 shell 进程。这意味着 exec 后面的命令将接管当前的进程,并且当 exec 执行的命令结束时,进程也会结束。

  • 使用 exec 执行命令的好处是,它不会启动新的进程,而是直接在当前进程中运行命令。在 Docker 容器的环境中,这意味着执行的命令(如 nginx)将成为容器进程的主进程。这对于 Docker 容器的生命周期管理非常重要。

"$@" 参数

  • "$@" 是一个特殊的 shell 参数,代表传递给脚本的所有命令行参数的列表,且每个参数都作为独立的引用字符串处理。

  • 在 Docker 容器的上下文中,当运行一个容器并传递命令行参数时,这些参数会被传递给容器的入口点脚本。"$@" 就是用来接收这些参数的。

  • 例如,如果运行 docker run [image] nginx -g "daemon off;",那么 nginx -g "daemon off;" 就是传递给入口点脚本的参数,"$@" 就会包含这些参数。

       

总结

        综上所述,exec "$@" 这行命令的作用是执行传递给入口点脚本的命令(如 nginx -g "daemon off;"),并且以这个命令为容器的主进程。这保证了容器直接运行指定服务,如 Nginx,并且当该服务停止时,容器也会停止。

        在设计其他镜像时,尤其是需要处理信号或需要确保容器优雅停止的场景中,使用 exec "$@" 可以提供类似的优势。例如,数据库镜像、Web 服务器镜像或任何长期运行的服务都可以从这种模式中受益。它确保了容器能够接收到停止信号并优雅地终止,同时也避免了资源泄漏的问题。

        总的来说,使用 exec "$@" 是一种常见的最佳实践,可以提高容器的运行效率和可靠性。在设计容器镜像时,尤其是当容器需要优雅地处理停止和重启信号时,应该考虑采用这种模式。

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小蓝xlanll/article/detail/616387
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号