feat(library) -> add nginx 1.31 #280
Signed-off-by: Tushar Verma <tusharVermaiota@proton.me>
Pull request overview
Adds a new Unikraft library image definition for unikraft.org/nginx:1.31, intended to provide an updated Nginx base (Alpine-based) and address the CVE mentioned in the PR description.
Changes:
- Introduces a new library/nginx/1.31 image definition (Kraftfile + scratch rootfs Dockerfile).
- Adds a custom Nginx configuration (single-process, tokens off, gzip, basic security headers).
- Adds the default Nginx welcome page and a versioned README for running the image.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| library/nginx/1.31/wwwroot/index.html | Adds the default Nginx welcome page content. |
| library/nginx/1.31/README.md | Documents how to run/query the new unikraft.org/nginx:1.31 image. |
| library/nginx/1.31/Kraftfile | Defines the Unikraft build configuration and lwIP settings for Nginx 1.31. |
| library/nginx/1.31/Dockerfile | Builds a minimal scratch rootfs by copying Nginx + runtime deps from nginx:1.31.0-alpine. |
| library/nginx/1.31/conf/nginx.conf | Adds the Nginx runtime configuration for the image. |
| user root root; | ||
| worker_rlimit_nofile 1024; |
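Review bot: `worker_rlimit_nofile 1024;` carries no comment saying where the number comes from, and as the thread below establishes it is not required by this nginx version; it only restates the runtime's default fd table size, so it adds nothing today and silently becomes wrong the day the Kraftfile fd table size is raised. Either drop the directive from the standard config or keep it with a one-line comment tying it to the Kraftfile option it mirrors, so the two are changed together.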
@vTusharr What is the reasoning for adding this limit, is it something enforced by the new version of nginx?
Ah no, it's not required by this version of nginx.
The limit came from a common nginx tuning guideline; most production configs recommend setting it to at least worker_processes * worker_connections * 2 + 100 fds, though libposix_fdtab_maxfds has it default at 1024.
So I think we can either drop this [but I am not sure how the runtime will react when it runs out of fdtabs]
or add a comment to the Kraftfile indicating libposix_fdtab_maxfds so one can change it to their needs.
I think it is fine to drop this in the standard config. If I understand that config option correctly, with no explicit value set, the process will only be limited by the open fds limit on the OS, which is something to be configured outside of the nginx config.
Still waiting for WASP permissions to start the testing. @vTusharr In the meantime, please fix the issues mentioned by Copilot. Also, see my follow-up comment.
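The fd arithmetic in the thread above and the lwIP caps in the Kraftfile (CONFIG_LWIP_NUM_TCPCON / CONFIG_LWIP_NUM_TCPLISTENERS in this PR) are the same budget seen from two sides, and nothing in the image definition checks that they agree. The checker below is an added example, not code from this PR or from the Unikraft project: it parses constructed nginx.conf and Kraftfile fragments (invented samples, not the PR's files), applies the worker_processes * worker_connections * 2 + 100 guideline quoted in the thread, and compares the result with the fd table size and with CONFIG_LWIP_NUM_TCPCON. The option name CONFIG_LIBPOSIX_FDTAB_MAXFDS and its 1024 default are assumptions derived from the thread's mention of libposix_fdtab_maxfds, and treating worker_processes auto as a single worker is an assumption as well.

```python
"""Added example, not code from this PR or from the Unikraft project.

Checks whether the nginx connection settings and the Unikraft/lwIP limits
of an image definition fit together:

  * fds needed  = worker_processes * worker_connections * 2 + 100
                  (the guideline quoted in the review thread)
  * fd table    = CONFIG_LIBPOSIX_FDTAB_MAXFDS (assumed option name and
                  1024 default, from the thread's libposix_fdtab_maxfds)
  * TCP PCBs    = CONFIG_LWIP_NUM_TCPCON (one PCB per open connection)

The nginx.conf and Kraftfile fragments below are constructed samples,
not the files from the PR.
"""
import re

FDTAB_DEFAULT_MAXFDS = 1024              # assumption: Unikraft default fd table size
NGINX_DEFAULT_WORKER_CONNECTIONS = 512   # nginx default when the directive is absent

# Constructed sample: mirrors the directives under review, values invented.
SAMPLE_NGINX_CONF = """\
user root root;
worker_processes 1;
worker_rlimit_nofile 1024;
events {
    worker_connections 1024;
}
"""

# Constructed sample that fits the same Kraftfile budget.
FITTING_NGINX_CONF = """\
worker_processes 1;
events {
    worker_connections 256;
}
"""

# Constructed sample Kraftfile kconfig section.
SAMPLE_KRAFTFILE = """\
kconfig:
  CONFIG_LWIP_NUM_TCPCON: 1024
  CONFIG_LWIP_NUM_TCPLISTENERS: 64
  CONFIG_LIBPOSIX_FDTAB_MAXFDS: 1024
"""


def nginx_directives(conf):
    """Pick the limit-related directives out of an nginx.conf text."""
    found = {}
    for name in ("worker_processes", "worker_connections", "worker_rlimit_nofile"):
        m = re.search(rf"^\s*{name}\s+(\S+)\s*;", conf, re.M)
        if m:
            value = m.group(1)
            found[name] = value if value == "auto" else int(value)
    return found


def kconfig_values(kraftfile):
    """Collect CONFIG_* keys from a Kraftfile; numeric values become ints."""
    found = {}
    for m in re.finditer(r"^\s*(CONFIG_[A-Z0-9_]+)\s*:\s*(\S+)", kraftfile, re.M):
        key, value = m.group(1), m.group(2)
        found[key] = int(value) if value.isdigit() else value
    return found


def fd_budget(conf, kraftfile):
    """Compare what nginx may open against what the unikernel can provide."""
    nginx = nginx_directives(conf)
    kconf = kconfig_values(kraftfile)

    procs = nginx.get("worker_processes", 1)
    if procs == "auto":
        procs = 1  # assumption: single-vCPU unikernel, so 'auto' means one worker
    conns = nginx.get("worker_connections", NGINX_DEFAULT_WORKER_CONNECTIONS)
    rlimit = nginx.get("worker_rlimit_nofile")
    fdtab = kconf.get("CONFIG_LIBPOSIX_FDTAB_MAXFDS", FDTAB_DEFAULT_MAXFDS)
    tcpcon = kconf.get("CONFIG_LWIP_NUM_TCPCON")

    needed = procs * conns * 2 + 100
    findings = []
    if needed > fdtab:
        findings.append(f"nginx may need {needed} fds but the fd table holds {fdtab}")
    if rlimit is not None and rlimit > fdtab:
        findings.append(f"worker_rlimit_nofile {rlimit} asks for more fds than the fd table ({fdtab}) can hand out")
    elif rlimit is not None and rlimit == fdtab:
        findings.append(f"worker_rlimit_nofile {rlimit} just restates the fd table size; drop it or document it")
    if tcpcon is not None and conns > tcpcon:
        findings.append(f"worker_connections {conns} exceeds CONFIG_LWIP_NUM_TCPCON {tcpcon}; connections past that fail in lwIP, not in nginx")

    return {
        "worker_processes": procs,
        "worker_connections": conns,
        "fds_needed": needed,
        "fdtab_maxfds": fdtab,
        "lwip_tcpcon": tcpcon,
        "findings": findings,
        "ok": not findings,
    }


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NGINX_CONF), ("fitting", FITTING_NGINX_CONF)):
        report = fd_budget(conf, SAMPLE_KRAFTFILE)
        print(label, "OK" if report["ok"] else "PROBLEMS")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against the real conf/nginx.conf and Kraftfile by reading the two files into the arguments of fd_budget; the point of the check is that raising worker_connections in one file without touching the kconfig values in the other shows up before the image is built rather than as dropped connections at runtime.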
Branch force-pushed from cd969f7 to 5eff2f7.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Tushar <104261506+vTusharr@users.noreply.github.com>
| COPY --from=build /etc/group /etc/group | ||
| COPY --from=build /var/log/nginx /var/log/nginx | ||
| COPY --from=build /var/cache/nginx /var/cache/nginx | ||
| COPY --from=build /run /run |
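Review bot: `COPY --from=build /var/log/nginx /var/log/nginx`, the `/var/cache/nginx` line and the `/run` line copy whole directories out of the build stage, so whatever the build image left in them (cached objects, a pid file) lands in the published rootfs; if the intent is only to make sure these runtime directories exist, say so in a comment and keep just the ones nginx fails to start without. For `COPY --from=build /etc/group /etc/group`, check in the same block that the matching /etc/passwd entry for the account named by the `user` directive is also carried over, since a group file alone does not resolve a user name.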
I think that's Debian base specific, @razvanvirtan?
It looks like it works even without that. Still, one last question before merging: why use the alpine image instead of the bookworm one? If there is no significant reason, I would switch to bookworm, to keep this uniform with the nginx 1.25 port.
Ah ok, so first I had tried the official image, which now no longer ships with bookworm but with trixie, which I think has an updated glibc and was crashing, so it led me to musl-based alpine.
One thing we can do is use bookworm as a base and build the binary, then use that.
We should be good with alpine as well, just wanted to check we have a reason for it 👍
| CONFIG_LWIP_NUM_TCPCON: 1024 | ||
| CONFIG_LWIP_NUM_TCPLISTENERS: 64 |
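Review bot: `CONFIG_LWIP_NUM_TCPCON: 1024` and `CONFIG_LWIP_NUM_TCPLISTENERS: 64` are hard caps on lwIP's TCP PCB pools, and nothing in the hunk records how they relate to the worker_connections value in conf/nginx.conf; a SYN that arrives once the connection pool is exhausted is dropped inside the stack rather than refused by nginx, so the two numbers have to be sized together. Add a comment next to these keys stating the nginx value they were chosen against, so that anyone raising worker_connections later knows to raise CONFIG_LWIP_NUM_TCPCON with it.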
Adds an nginx 1.31.0 image with alpine as a base, modelled on the existing 1.25 image,
circumventing a CVE which is present in the earlier version.