8000 CP: allow waf users to build without dos repo access (#5043) · nginx/kubernetes-ingress@760d891 · GitHub

Commit 760d891

authored
CP: allow waf users to build without dos repo access (#5043)
allow waf users to build without dos repo access (#5041)
1 parent 63ac31a commit 760d891

1 file changed

+31
-7
lines changed

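--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -145,10 +145,16 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
 --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \
 --mount=type=bind,from=nginx-files,src=debian-plus-11.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \
---mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/etc/apt/sources.list.d/app-protect.sources \
---mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/etc/apt/sources.list.d/app-protect-dos.sources \
+--mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/tmp/app-protect.sources \
+--mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/tmp/app-protect-dos.sources \
 ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12
-apt-get update \
+if [ -z "${NAP_MODULES##*waf*}" ]; then \
+cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+cp /tmp/app-protect-dos.sources /etc/apt/sources.list.d/app-protect-dos.sources; \
+fi \
+&& apt-get update \
 && apt-get upgrade -y \
 && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates sq \
 && groupadd --system --gid 101 nginx \
@@ -169,6 +175,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 && ldconfig \
 ## end of duplicated code
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+rm -f /etc/apt/sources.list.d/app-protect.sources; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+rm -f /etc/apt/sources.list.d/app-protect-dos.sources; \
+fi \
 && rm -rf /var/lib/apt/lists/*
 
 # Uncomment the lines below if you want to install a custom CA certificate
@@ -205,11 +217,17 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
 --mount=type=bind,from=nginx-files,src=nginx-plus-8.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \
 --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
---mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/etc/yum.repos.d/app-protect-8.repo \
---mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/etc/yum.repos.d/app-protect-dos-8.repo \
+--mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/tmp/app-protect-8.repo \
+--mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/tmp/app-protect-dos-8.repo \
 source /tmp/rhel_license \
-## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions
-dnf --nodocs install -y shadow-utils ca-certificates \
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+cp /tmp/app-protect-8.repo /etc/yum.repos.d/app-protect-8.repo; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+cp /tmp/app-protect-dos-8.repo /etc/yum.repos.d/app-protect-dos-8.repo; \
+fi \
+## the code below is duplicated from the ubi-plus image because NAP DOS doesn't support UBI 9 and minimal versions
+&& dnf --nodocs install -y shadow-utils ca-certificates \
 && dnf update -y \
 && groupadd --system --gid 101 nginx \
 && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
@@ -233,6 +251,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 # fix for CVEs
 && dnf upgrade -y curl ncurses \
 && subscription-manager unregister \
+&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
+rm -f /etc/yum.repos.d/app-protect-8.repo; \
+fi \
+&& if [ -z "${NAP_MODULES##*dos*}" ]; then \
+rm -f /etc/yum.repos.d/app-protect-dos-8.repo; \
+fi \
 && dnf clean all
 
 # Uncomment the lines below if you want to install a custom CA certificate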
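Review bot: The `[ -z "${NAP_MODULES##*waf*}" ]` test and its `*dos*` twin are also true when NAP_MODULES is empty or unset, because the expansion of an empty value is itself empty; this applies to all eight tests across the four hunks. In that case both repo files are copied and apt/dnf will contact both repositories, which is the dependency this change is meant to remove for WAF-only builds. The ARG declaration and its default are outside the visible hunks, so a non-empty default may already mask this; if not, guard each test as `if [ -n "${NAP_MODULES}" ] && [ -z "${NAP_MODULES##*waf*}" ]; then \`. The cleanup tests could also be replaced by an unconditional `rm -f` of both files, so a repo definition cannot persist in the image if the copy and cleanup conditions ever drift apart.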
