diff --git a/Makefile b/Makefile index 1c35c12b23..3ff56fc472 100644 --- a/Makefile +++ b/Makefile @@ -110,7 +110,7 @@ clean-chroot-image: ## Removes local image .PHONY: build build: ## Build ingress controller, debug tool and pre-stop hook. - E2E_IMAGE=golang:$(GO_VERSION)-alpine3.20 USE_SHELL=/bin/sh build/run-in-docker.sh \ + E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \ MAC_OS=$(MAC_OS) \ PKG=$(PKG) \ ARCH=$(ARCH) \ diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json index fb4fc057fb..69482c7bec 100644 --- a/docs/examples/customization/sysctl/patch.json +++ b/docs/examples/customization/sysctl/patch.json @@ -4,7 +4,7 @@ "spec": { "initContainers": [{ "name": "sysctl", - "image": "alpine:3.20", + "image": "alpine:3.21", "securityContext": { "privileged": true }, diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index 7f7003f101..3978c8f4ba 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.20 +FROM alpine:3.21 RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN apk update \ diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index 345f92ba3d..478e4c22da 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -14,7 +14,7 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.20 as builder +FROM golang:${GOLANG_VERSION}-alpine3.21 as builder RUN apk update \ && apk upgrade && apk add git diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index 5942ac5b93..ca142e6638 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile 
+++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.20 as builder +FROM golang:${GOLANG_VERSION}-alpine3.21 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index 2b91887c95..7d8e95c47f 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.20 as builder +FROM golang:${GOLANG_VERSION}-alpine3.21 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index f07b1d667b..39be2990f4 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.20 as build +FROM golang:${GOLANG_VERSION}-alpine3.21 as build WORKDIR /go/src/greeter-server diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 1d2b6b6230..0786301702 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.20 as builder +FROM alpine:3.21 as builder COPY . / @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.20 +FROM alpine:3.21 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin @@ -66,7 +66,7 @@ RUN apk update \ ); \ for dir in "${writeDirs[@]}"; do \ mkdir -p ${dir}; \ - chown -R www-data.www-data ${dir}; \ + chown -R www-data:www-data ${dir}; \ done' EXPOSE 80 443 
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 3baf775fca..a3ec54c9c0 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -414,6 +414,21 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf " > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf +# NGINX compiles a small test program to check if an added module works as expected. +# +# ModSecurity-nginx provides 'printf("hello");' as a test, but newer versions of GCC, +# as included in Alpine 3.21, do not allow implicit declaration of function 'printf': +# +# objs/autotest.c:7:5: error: implicit declaration of function 'printf' [-Wimplicit-function-declaration] +# +# For this reason we replace 'printf("hello");' by 'msc_init();', which is always available. +# +# This fix is taken from a PR, that has been proposed to the ModSecurity-nginx project: +# +# https://github.com/owasp-modsecurity/ModSecurity-nginx/pull/275 +# +sed -i "s/ngx_feature_test='printf(\"hello\");'/ngx_feature_test='msc_init();'/" $BUILD_PATH/ModSecurity-nginx/config + # build nginx cd "$BUILD_PATH/nginx-$NGINX_VERSION" @@ -609,7 +624,7 @@ adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www- for dir in "${writeDirs[@]}"; do mkdir -p ${dir}; - chown -R www-data.www-data ${dir}; + chown -R www-data:www-data ${dir}; done rm -rf /etc/nginx/owasp-modsecurity-crs/.git diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 7bcc2f25cc..d871461bfb 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -15,7 +15,7 @@ ARG BASE_IMAGE ARG GOLANG_VERSION ARG ETCD_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.20 as GO +FROM golang:${GOLANG_VERSION}-alpine3.21 as GO FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd FROM ${BASE_IMAGE} 
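Review bot: The `sed -i` added before `# build nginx` exits 0 even when the pattern no longer matches, so if the ModSecurity-nginx `config` file changes its feature test the patch silently stops applying and the failure comes back as the opaque `autotest.c` error quoted in the comment. Follow the substitution with an explicit check, for example `grep -q "ngx_feature_test='msc_init();'" "$BUILD_PATH/ModSecurity-nginx/config" || exit 1`, so the build stops at the patch step with an obvious cause. `$BUILD_PATH` is also unquoted on the new line, while the next context line `cd "$BUILD_PATH/nginx-$NGINX_VERSION"` quotes it; quoting it here keeps the script consistent and safe for paths with spaces. Because this edits third-party source during the image build, the comment could also say which ModSecurity-nginx revision it was verified against (the pinned revision is not visible in this hunk).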
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index a04cfe3dec..9b7753b5d0 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile @@ -59,7 +59,7 @@ RUN bash -xeu -c ' \ ); \ for dir in "${writeDirs[@]}"; do \ mkdir -p ${dir}; \ - chown -R www-data.www-data ${dir}; \ + chown -R www-data:www-data ${dir}; \ done' \ # LD_LIBRARY_PATH does not work so below is needed for opentelemetry/other modules # Put libs of newer modules under `/modules_mount//lib` and add that path below diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index b719f2fc32..481b311e2a 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.20 +FROM alpine:3.21 ARG TARGETARCH ARG VERSION @@ -78,7 +78,7 @@ RUN bash -xeu -c ' \ ); \ for dir in "${writeDirs[@]}"; do \ mkdir -p ${dir}; \ - chown -R www-data.www-data ${dir}; \ + chown -R www-data:www-data ${dir}; \ done' \ # LD_LIBRARY_PATH does not work so below is needed for opentelemetry/other modules # Put libs of newer modules under `/modules_mount//lib` and add that path below @@ -103,7 +103,7 @@ RUN ln -sf /chroot/etc/nginx /etc/nginx \ && touch /chroot/var/log/nginx/access.log \ && chown www-data:www-data /chroot/var/log/nginx/access.log \ && echo "" > /chroot/etc/resolv.conf \ - && chown -R www-data.www-data /chroot/var/log/nginx /chroot/etc/resolv.conf \ + && chown -R www-data:www-data /chroot/var/log/nginx /chroot/etc/resolv.conf \ && mknod -m 0666 /chroot/dev/null c 1 3 \ && mknod -m 0666 /chroot/dev/random c 1 8 \ && mknod -m 0666 /chroot/dev/urandom c 1 9 \ diff --git a/rootfs/chroot.sh b/rootfs/chroot.sh index 38547b69c9..4875ae5352 100755 --- a/rootfs/chroot.sh +++ b/rootfs/chroot.sh @@ -39,7 +39,7 @@ writeDirs=( \ for dir in "${writeDirs[@]}"; do mkdir -p ${dir}; - chown -R www-data.www-data ${dir}; + chown -R www-data:www-data ${dir}; done mkdir -p /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run 
@@ -47,4 +47,5 @@ cp /etc/passwd /etc/group /etc/hosts /chroot/etc/ cp -a /usr/* /chroot/usr/ cp -a /etc/nginx/* /chroot/etc/nginx/ cp -a /etc/ingress-controller/* /chroot/etc/ingress-controller/ -cp /lib/ld-musl-* /lib/libcrypto* /lib/libssl* /lib/libz* /chroot/lib/ +cp /lib/ld-musl-* /chroot/lib/ +cp /usr/lib/libcrypto* /usr/lib/libssl* /usr/lib/libz* /chroot/usr/lib/ diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index 5e74174779..c16545e439 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,7 +1,7 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.20 +FROM alpine:3.21 RUN apk update \ && apk upgrade && apk add -U --no-cache \
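Review bot: The added `cp /usr/lib/libcrypto* /usr/lib/libssl* /usr/lib/libz* /chroot/usr/lib/` looks redundant with the context line `cp -a /usr/* /chroot/usr/` earlier in the same hunk, which already copies `/usr/lib` into the chroot. If the second copy is deliberate (it omits `-a`, so it would dereference symlinks), say so in a comment; otherwise `cp /lib/ld-musl-* /chroot/lib/` alone appears to be enough. A short comment such as `# libcrypto, libssl and libz are under /usr/lib on this base image; only the musl loader stays in /lib` would record why the paths changed, presumably the Alpine 3.21 bump made elsewhere in this commit. Since these are the TLS libraries the chrooted nginx loads, confirm that no older copies remain under `/chroot/lib` from a cached layer, where they could be picked up ahead of the `/usr/lib` ones.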