Apt-get update failing with nginx base image

I am trying to build an nginx container using a Jenkins pipeline, but it has recently started failing (I think it is since the nginx stable version changed).

This is my Dockerfile:

FROM nginx:stable

# Install ansible and ca-certificates

RUN apt-get update
RUN apt-get install -y netcat ca-certificates python3-pip ansible less unzip jq curl vim && apt-get clean

The apt-get update command is failing:

  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8

If I set the nginx version to nginx:1.24, it works fine. I have tried a few up-to-date tags and they all produce the same error as above.

Don’t use latest and stable tags (basically latest stable), only specific versions. If you already pulled the image, it won’t be updated, but the remote repository can change. If you manually pull these latest images again, you can end up with a completely new nginx which can be incompatible with what you need it for.

Thanks for the reply,

As I mentioned above, it works fine with nginx:1.24 but this is out of support. As soon as I try any more up-to-date version of nginx, I get the errors shared above.

You are right, I missed that. I saw the stable tag and basically stopped there. Using the stable tag is still not a good idea. You could use 1.26.1 instead and it would possibly solve the problem temporarily since it would invalidate the cache. Or building the image with the --no-cache flag could also work so apt-get update could run again. The way you update the APT cache, it just runs once and never again until you delete the build cache, so the repo can change. When you try another version, that makes all layers run again. In your Dockerfile the apt-get clean command can’t delete the apt cache, since it is in a previous filesystem layer, so it just hides it.

One more problem will be (because I tried) the netcat package. It looks like the netcat name doesn’t work with this debian version so you should probably install netcat-traditional or netcat-openbsd.

This is what your Dockerfile should look like:

FROM nginx:stable

# Install ansible and ca-certificates

RUN apt-get update \
  && apt-get install -y netcat-traditional ca-certificates python3-pip ansible less unzip jq curl vim \
  && apt-get clean

Or with a specific version:

FROM nginx:1.26.1

# Install ansible and ca-certificates

RUN apt-get update \
  && apt-get install -y netcat-traditional ca-certificates python3-pip ansible less unzip jq curl vim \
  && apt-get clean

Or at least with the major and minor versions:

FROM nginx:1.26

# Install ansible and ca-certificates

RUN apt-get update \
  && apt-get install -y netcat-traditional ca-certificates python3-pip ansible less unzip jq curl vim \
  && apt-get clean
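
The tag and layering advice from this thread, written as a small Dockerfile check that could run in a pipeline before the build. This is an added example, not code from any poster in the thread; the rule names, the `FLOATING_TAGS` set and the shortened package lists in the two sample Dockerfiles are assumptions made for illustration.

```python
import re

# Assumption: tags that are re-pointed to a new release over time.
FLOATING_TAGS = {"latest", "stable", "mainline"}

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    return out

def lint(text):
    """Return a list of (rule, instruction) findings for one Dockerfile."""
    findings = []
    for instr in logical_lines(text):
        op, _, rest = instr.partition(" ")
        if op.upper() == "FROM":
            # Skip flags such as --platform=... to reach the image reference.
            image = next(t for t in rest.split() if not t.startswith("--"))
            name = image.rsplit("/", 1)[-1]
            tag = name.split(":", 1)[1] if ":" in name else "latest"
            pinned = "@sha256:" in image or image == "scratch"
            if not pinned and tag in FLOATING_TAGS:
                findings.append(("floating-tag", instr))
        elif op.upper() == "RUN":
            update = re.search(r"\bapt(-get)?\s+update\b", rest)
            install = re.search(r"\bapt(-get)?\s+install\b", rest)
            if update and not install:
                # The package index is cached in its own layer and can go stale.
                findings.append(("update-alone", instr))
            if install and not update:
                findings.append(("install-without-update", instr))
    return findings

# Constructed samples modelled on the question's and the answer's Dockerfiles.
BAD = "FROM nginx:stable\nRUN apt-get update\nRUN apt-get install -y netcat curl && apt-get clean\n"
GOOD = "FROM nginx:1.26.1\nRUN apt-get update \\\n  && apt-get install -y netcat-traditional curl \\\n  && apt-get clean\n"

if __name__ == "__main__":
    for label, text in (("question", BAD), ("answer", GOOD)):
        print(label, [rule for rule, _ in lint(text)] or "ok")
```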