From f00559462d5c688607574960c733aa5e22f74d3a Mon Sep 17 00:00:00 2001 From: Jesus Date: Fri, 9 Aug 2024 02:20:10 +0000 Subject: [PATCH] chore: update to 1.27.0 --- CHANGELOG.md | 6 +++ src/10-listen-on-ipv6-by-default.sh | 28 ++++++++------ src/15-local-resolvers.envsh | 12 ++++++ src/20-envsubst-on-templates.sh | 58 ++++++++++++++++++++++++++--- src/30-tune-worker-processes.sh | 4 +- src/Dockerfile | 42 ++++++++------------- src/docker-entrypoint.sh | 35 ++++++++++------- 7 files changed, 127 insertions(+), 58 deletions(-) create mode 100755 src/15-local-resolvers.envsh diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d610ba..3e18340 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -61,3 +61,9 @@ date: 13 January 2022 source: **mainline/alpine/** --- +## mainline/alpine 1.27.0 + +date: 8 August 2024 + +source: **mainline/alpine/** +--- diff --git a/src/10-listen-on-ipv6-by-default.sh b/src/10-listen-on-ipv6-by-default.sh index 9585152..b90bf0c 100755 --- a/src/10-listen-on-ipv6-by-default.sh +++ b/src/10-listen-on-ipv6-by-default.sh 
@@ -3,52 +3,58 @@ set -e -ME=$(basename $0) +entrypoint_log() { + if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then + echo "$@" + fi +} + +ME=$(basename "$0") DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf" # check if we have ipv6 available if [ ! -f "/proc/net/if_inet6" ]; then - echo >&3 "$ME: info: ipv6 not available" + entrypoint_log "$ME: info: ipv6 not available" exit 0 fi if [ ! -f "/$DEFAULT_CONF_FILE" ]; then - echo >&3 "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist" + entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE is not a file or does not exist" exit 0 fi # check if the file can be modified, e.g. not on a r/o filesystem -touch /$DEFAULT_CONF_FILE 2>/dev/null || { echo >&3 "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } +touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { echo >&3 "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . 
/etc/os-release else - echo >&3 "$ME: info: can not guess the operating system" + entrypoint_log "$ME: info: can not guess the operating system" exit 0 fi -echo >&3 "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE" +entrypoint_log "$ME: info: Getting the checksum of /$DEFAULT_CONF_FILE" case "$ID" in "debian") CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3) echo "$CHECKSUM /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || { - echo >&3 "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version" + entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version" exit 0 } ;; "alpine") CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2) echo "$CHECKSUM /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || { - echo >&3 "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version" + entrypoint_log "$ME: info: /$DEFAULT_CONF_FILE differs from the packaged version" exit 0 } ;; *) - echo >&3 "$ME: info: Unsupported distribution" + entrypoint_log "$ME: info: Unsupported distribution" exit 0 ;; esac @@ -56,6 +62,6 @@ esac # enable ipv6 on default.conf listen sockets sed -i -E 's,listen 80;,listen 80;\n listen [::]:80;,' /$DEFAULT_CONF_FILE -echo >&3 "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE" +entrypoint_log "$ME: info: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE" exit 0 diff --git a/src/15-local-resolvers.envsh b/src/15-local-resolvers.envsh new file mode 100755 index 0000000..450a999 --- /dev/null +++ b/src/15-local-resolvers.envsh @@ -0,0 +1,12 @@ +#!/bin/sh +# vim:sw=2:ts=2:sts=2:et + +set -eu + +LC_ALL=C +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +[ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 + +NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) +export NGINX_LOCAL_RESOLVERS 
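Review bot: The new 15-local-resolvers.envsh carries no header saying it is meant to be sourced rather than executed, which is the only reason a top-level `return 0` and the bare `set -eu`, `LC_ALL=C` and `PATH=` assignments are acceptable here — all three persist in whatever shell sources the file, so anything that shell runs afterwards sees `set -u` and the reset PATH. I would add, after the vim modeline: `# Sourced (not executed) by docker-entrypoint.sh; when NGINX_ENTRYPOINT_LOCAL_RESOLVERS is set it exports NGINX_LOCAL_RESOLVERS, the space-separated nameservers from /etc/resolv.conf (IPv6 addresses bracketed) for use in envsubst templates.` The awk program brackets any `nameserver` value containing a colon, so a scoped address such as `fe80::1%eth0` would presumably come out as `[fe80::1%eth0]`, which the nginx `resolver` directive may not accept — worth confirming or filtering those out.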
diff --git a/src/20-envsubst-on-templates.sh b/src/20-envsubst-on-templates.sh
index 4f33029..3804165 100755
--- a/src/20-envsubst-on-templates.sh
+++ b/src/20-envsubst-on-templates.sh
@@ -2,29 +2,75 @@ set -e -ME=$(basename $0) +ME=$(basename "$0") + +entrypoint_log() { + if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then + echo "$@" + fi +} + +add_stream_block() { + local conffile="/etc/nginx/nginx.conf" + + if grep -q -E "\s*stream\s*\{" "$conffile"; then + entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates" + else + # check if the file can be modified, e.g. not on a r/o filesystem + touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; } + entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf" + cat << END >> "$conffile" +# added by "$ME" on "$(date)" +stream { + include $stream_output_dir/*.conf; +} +END + fi +} auto_envsubst() { local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}" local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}" local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}" + local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}" + local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}" + local filter="${NGINX_ENVSUBST_FILTER:-}" local template defined_envs relative_path output_path subdir - defined_envs=$(printf '${%s} ' $(env | cut -d= -f1)) + defined_envs=$(printf '${%s} ' $(awk "END { for (name in ENVIRON) { print ( name ~ /${filter}/ ) ? name : \"\" } }" < /dev/null )) [ -d "$template_dir" ] || return 0 if [ ! 
-w "$output_dir" ]; then - echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable" + entrypoint_log "$ME: ERROR: $template_dir exists, but $output_dir is not writable" return 0 fi find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do - relative_path="${template#$template_dir/}" - output_path="$output_dir/${relative_path%$suffix}" + relative_path="${template#"$template_dir/"}" + output_path="$output_dir/${relative_path%"$suffix"}" subdir=$(dirname "$relative_path") # create a subdirectory where the template file exists mkdir -p "$output_dir/$subdir" - echo >&3 "$ME: Running envsubst on $template to $output_path" + entrypoint_log "$ME: Running envsubst on $template to $output_path" envsubst "$defined_envs" < "$template" > "$output_path" done + + # Print the first file with the stream suffix, this will be false if there are none + if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then + mkdir -p "$stream_output_dir" + if [ ! -w "$stream_output_dir" ]; then + entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable" + return 0 + fi + add_stream_block + find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do + relative_path="${template#"$template_dir/"}" + output_path="$stream_output_dir/${relative_path%"$stream_suffix"}" + subdir=$(dirname "$relative_path") + # create a subdirectory where the template file exists + mkdir -p "$stream_output_dir/$subdir" + entrypoint_log "$ME: Running envsubst on $template to $output_path" + envsubst "$defined_envs" < "$template" > "$output_path" + done + fi } auto_envsubst diff --git a/src/30-tune-worker-processes.sh b/src/30-tune-worker-processes.sh index 5650587..defb994 100755 --- a/src/30-tune-worker-processes.sh +++ b/src/30-tune-worker-processes.sh 
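Review bot: `NGINX_ENVSUBST_FILTER` is spliced into the awk program text on the `defined_envs=` line (`name ~ /${filter}/`), so a value containing `/` or awk syntax alters the program rather than the pattern; when awk then fails, `defined_envs` collapses to nothing useful and every template is presumably rendered with no substitutions, with the only trace being awk's stderr. Passing the pattern as data avoids that: `defined_envs=$(printf '${%s} ' $(awk -v filter="$filter" 'END { for (name in ENVIRON) if (name ~ filter) print name }' < /dev/null))`. Separately, `add_stream_block` reads `$stream_output_dir`, a `local` of its caller `auto_envsubst` that only reaches it through the shell's dynamic scoping — calling `add_stream_block "$stream_output_dir"` and using `$1` inside makes that dependency explicit. The first `find` for `*$stream_suffix` also lacks the `-follow -type f` the second one uses, so a directory or dangling symlink with that suffix would trigger the nginx.conf append without rendering anything.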
@@ -4,7 +4,7 @@ set -eu LC_ALL=C -ME=$( basename "$0" ) +ME=$(basename "$0") PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE:-}" ] || exit 0 @@ -158,7 +158,7 @@ __EOF__ "/") foundroot="${found##* }$mountpoint" ;; - "$mountpoint") + "$mountpoint" | /../*) foundroot="${found##* }" ;; esac diff --git a/src/Dockerfile b/src/Dockerfile index 0016c13..09731ec 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -3,25 +3,20 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.15 +FROM alpine:3.19 LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION 1.21.5 -ENV NJS_VERSION 0.7.1 -ENV PKG_RELEASE 1 +ENV NGINX_VERSION 1.27.0 +ENV PKG_RELEASE 2 RUN set -x \ # create nginx user/group first, to be consistent throughout docker variants && addgroup -g 101 -S nginx \ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ - && apkArch="$(cat /etc/apk/arch)" \ + && apkArch="$(cat /etc/apk/arch)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ " \ # install prerequisites for public key and pkg-oss checks && apk add --no-cache --virtual .checksum-deps \ 
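Review bot: The four `nginx-module-*` packages (and `NJS_VERSION`) are dropped from `nginxPackages` with no comment, so a config mounted into this image that still contains a `load_module` line for one of them will presumably fail at startup, and neither the Dockerfile nor the new CHANGELOG entry records the removal. A one-line comment next to `nginxPackages` would make the intent clear, e.g. `# core package only; the xslt, geoip, image-filter and njs dynamic modules are no longer bundled`, and the 1.27.0 changelog entry should list the removal alongside the Alpine 3.19 bump.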
@@ -30,18 +25,15 @@ RUN set -x \ x86_64|aarch64) \ # arches officially built by upstream set -x \ - && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \ - && apk add --no-cache --virtual .cert-deps \ - openssl \ + && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ - && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \ + && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ echo "key verification succeeded!"; \ mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ else \ echo "key verification failed!"; \ exit 1; \ fi \ - && apk del .cert-deps \ && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ ;; \ *) \ @@ -55,7 +47,7 @@ RUN set -x \ libc-dev \ make \ openssl-dev \ - pcre-dev \ + pcre2-dev \ zlib-dev \ linux-headers \ libxslt-dev \ @@ -70,7 +62,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"b0ed109a820a2e8921f313d653032b8e70d3020138d634039ebb9194dc3968493f6eb4d85bdbf18d2aea7229deddb98ca0f1d9825defcc5af45f68ee37845232 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"cd3333f4dfa4a873f6df73dfe24e047adc092d779aefb46577b6307ff0d0125543508694a80158b2bfc891167ad763b0d08287829df9924d4c22f50d063e76c0 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ 
@@ -80,21 +72,20 @@ RUN set -x \ && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ - && make all \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && make base \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ - && apk del .build-deps \ + && apk del --no-network .build-deps \ && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \ ;; \ esac \ # remove checksum deps - && apk del .checksum-deps \ + && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` # then move `envsubst` out of the way so `gettext` can 
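Review bot: The cleanup at the end of this hunk now only removes `abuild-key.rsa.pub`; the line that removed `/etc/apk/keys/nginx_signing.rsa.pub` is gone, so the nginx.org signing key stays in the image's apk trust store. That is presumably deliberate, so users can later `apk add` the no-longer-bundled `nginx-module-*` packages from nginx.org, but without a comment it reads as an oversight — something like `# nginx_signing.rsa.pub is intentionally left in /etc/apk/keys so nginx.org modules can be installed later`. Replacing the always-true `[ -n "<literal>" ]` with `-f` is the right fix. `apk index --allow-untrusted` applies only to the locally built .apk files, whose index is then signed with the throwaway abuild key, so it does not weaken verification of anything fetched from the network; a short comment saying so would spare the next reader the same check.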
@@ -110,13 +101,11 @@ RUN set -x \ | sort -u \ )" \ && apk add --no-cache $runDeps \ - && apk del .gettext \ + && apk del --no-network .gettext \ && mv /tmp/envsubst /usr/local/bin/ \ # Bring in tzdata so users could set the timezones through the environment # variables && apk add --no-cache tzdata \ -# Bring in curl and ca-certificates to make registering on DNS SD easier - && apk add --no-cache curl ca-certificates \ # forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ @@ -131,6 +120,7 @@ COPY ./server /etc/nginx/server COPY docker-entrypoint.sh / COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d +COPY 15-local-resolvers.envsh /docker-entrypoint.d COPY 20-envsubst-on-templates.sh /docker-entrypoint.d COPY 30-tune-worker-processes.sh /docker-entrypoint.d ENTRYPOINT ["/docker-entrypoint.sh"] @@ -140,4 +130,4 @@ EXPOSE 443 STOPSIGNAL SIGQUIT -CMD ["nginx", "-g", "daemon off;"] +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/src/docker-entrypoint.sh b/src/docker-entrypoint.sh index 72d5cd9..8ea04f2 100755 --- a/src/docker-entrypoint.sh +++ b/src/docker-entrypoint.sh 
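Review bot: Dropping `curl ca-certificates` silently removes `update-ca-certificates`, which derived images that inject a private CA may rely on; the CA bundle itself presumably still comes from the base image's `ca-certificates-bundle`, but that should be confirmed and the removal recorded in the 1.27.0 CHANGELOG entry, which currently lists only the date. The `apk del --no-network` additions are an improvement, since package removal no longer needs index access. A comment at the removal site would help, e.g. `# curl and ca-certificates are no longer installed; add them in a derived image if needed`.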
@@ -3,35 +3,44 @@ set -e -if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then - exec 3>&1 -else - exec 3>/dev/null -fi +entrypoint_log() { + if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then + echo "$@" + fi +} -if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then +if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then - echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration" + entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration" - echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/" + entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/" find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do case "$f" in + *.envsh) + if [ -x "$f" ]; then + entrypoint_log "$0: Sourcing $f"; + . "$f" + else + # warn on shell scripts without exec bit + entrypoint_log "$0: Ignoring $f, not executable"; + fi + ;; *.sh) if [ -x "$f" ]; then - echo >&3 "$0: Launching $f"; + entrypoint_log "$0: Launching $f"; "$f" else # warn on shell scripts without exec bit - echo >&3 "$0: Ignoring $f, not executable"; + entrypoint_log "$0: Ignoring $f, not executable"; fi ;; - *) echo >&3 "$0: Ignoring $f";; + *) entrypoint_log "$0: Ignoring $f";; esac done - echo >&3 "$0: Configuration complete; ready for start up" + entrypoint_log "$0: Configuration complete; ready for start up" else - echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration" + entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration" fi fi
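Review bot: The new `*.envsh)` arm sources files with `. "$f"` from inside `find … | sort -V | while read -r f; do … done`, and in a POSIX shell the last stage of that pipeline runs in a subshell, so whatever a sourced file exports or changes (a `set -u`, a `PATH` assignment) is visible only to the scripts launched later in this same loop and not to the shell that continues after `fi fi` — presumably the one that finally execs `$1`, which lies outside this hunk. That appears to be the intended contract, since the later `*.sh` scripts are launched from the same subshell, but it is subtle enough to deserve a comment on the `*.envsh)` arm: `# sourced, not executed: its exported variables reach the later scripts in this loop (a pipeline subshell), not the server process`. Sourcing also means an `exit 0` inside such a file would end the loop early without any message, one more reason to keep `.envsh` files limited to exports.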