From 1ced9a51c849c9deac79a066171e7bc098dc16e7 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Tue, 7 Jul 2020 20:52:35 -0400
Subject: [PATCH] Update nginx modules
---
 images/nginx/Makefile | 2 +-
 images/nginx/rootfs/build.sh | 56 ++++-------
 .../nginx-1.17.8-delayed_posted_events.patch | 98 +++++++++++++++++++
 ...nginx-1.17.8-init_cycle_pool_release.patch | 59 +++++++++++
 .../patches/nginx-1.17.8-no_Werror.patch | 36 +++++++
 ...nx-1.17.8-stream_ssl_preread_no_skip.patch | 13 +++
 6 files changed, 227 insertions(+), 37 deletions(-)
 create mode 100644 images/nginx/rootfs/patches/nginx-1.17.8-delayed_posted_events.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.17.8-init_cycle_pool_release.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.17.8-no_Werror.patch
 create mode 100644 images/nginx/rootfs/patches/nginx-1.17.8-stream_ssl_preread_no_skip.patch
diff --git a/images/nginx/Makefile b/images/nginx/Makefile
index f3f246dbc..171969242 100644
--- a/images/nginx/Makefile
+++ b/images/nginx/Makefile
@@ -21,7 +21,7 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))))
 INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
 # 0.0.0 shouldn't clobber any released builds
-TAG ?= 0.106
+TAG ?= 0.107
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 IMAGE = $(REGISTRY)/nginx
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index bfe2983d5..d055a4e58 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -30,14 +30,14 @@ export ZIPKIN_CPP_VERSION=0.5.2
 export JAEGER_VERSION=0.4.2
 export MSGPACK_VERSION=3.2.1
 export DATADOG_CPP_VERSION=1.1.5
-export MODSECURITY_VERSION=1.0.1
+export MODSECURITY_VERSION=b55a5778c539529ae1aa10ca49413771d52bb62e
 export MODSECURITY_LIB_VERSION=v3.0.4
 export OWASP_MODSECURITY_CRS_VERSION=v3.2.0
-export LUA_NGX_VERSION=0.10.15
-export LUA_STREAM_NGX_VERSION=0.0.7
+export LUA_NGX_VERSION=0.10.17
+export LUA_STREAM_NGX_VERSION=0.0.8
 export LUA_UPSTREAM_VERSION=0.07
 export LUA_BRIDGE_TRACER_VERSION=0.1.1
-export LUA_CJSON_VERSION=2.1.0.7
+export LUA_CJSON_VERSION=2.1.0.8
 export NGINX_INFLUXDB_VERSION=5b09391cb7b9a889687c0aa67964c06a2d933e8b
 export GEOIP2_VERSION=3.3
 export NGINX_AJP_VERSION=bf6cd93f2098b59260de8d494f0f4b1f11a84627
@@ -45,12 +45,14 @@ export NGINX_AJP_VERSION=bf6cd93f2098b59260de8d494f0f4b1f11a84627
 export LUAJIT_VERSION=31116c4d25c4283a52b2d87fed50101cf20f5b77
 export LUA_RESTY_BALANCER=0.03
-export LUA_RESTY_CACHE=0.10rc1
-export LUA_RESTY_CORE=0.1.17
+export LUA_RESTY_CACHE=0.10
+export LUA_RESTY_CORE=0.1.19
 export LUA_RESTY_COOKIE_VERSION=766ad8c15e498850ac77f5e0265f1d3f30dc4027
 export LUA_RESTY_DNS=0.21
 export LUA_RESTY_HTTP=0.15
 export LUA_RESTY_LOCK=0.08
+export LUA_RESTY_UPLOAD_VERSION=0.10
+export LUA_RESTY_STRING_VERSION=0.12
 export BUILD_PATH=/tmp/build
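Review bot: `MODSECURITY_VERSION` in the first hunk changes from a release number to a bare commit SHA, and nothing next to it records which upstream change is wanted or when the pin can return to a tag. A one-line comment above the export would make later bumps reviewable, e.g. `# ModSecurity-nginx: pinned to a commit, no tagged release carries the needed change yet` (adjust to the actual reason). The matching `get_src` line in the `@@ -144,8` hunk carries a new digest for the commit archive, so this is a documentation point rather than an integrity one, assuming `get_src` verifies that digest; its definition is outside this diff.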
@@ -144,8 +146,8 @@ get_src 015c4187f7a6426a2b5196f0ccd982aa87f010cf61f507ae3ce5c90523f92301 \
 get_src 30affaf0f3a84193f7127cc0135da91773ce45d902414082273dae78914f73df \
 "https://github.com/rnburn/zipkin-cpp-opentracing/archive/v$ZIPKIN_CPP_VERSION.tar.gz"
-get_src c969a78659bb47c84929de0b9adc1f8c512a51ec9dd3b162cb568ae228d3d59e \
- "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$MODSECURITY_VERSION.tar.gz"
+get_src 3f943d1ac7bbf64b010a57b8738107c1412cb31c55c73f0772b4148614493b7b \
+ "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz"
 get_src 21257af93a64fee42c04ca6262d292b2e4e0b7b0660c511db357b32fd42ef5d3 \
 "https://github.com/jaegertracing/jaeger-client-cpp/archive/v$JAEGER_VERSION.tar.gz"
@@ -153,10 +155,10 @@ get_src 21257af93a64fee42c04ca6262d292b2e4e0b7b0660c511db357b32fd42ef5d3 \
 get_src 464f46744a6be778626d11452c4db3c2d09461080c6db42e358e21af19d542f6 \
 "https://github.com/msgpack/msgpack-c/archive/cpp-$MSGPACK_VERSION.tar.gz"
-get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \
+get_src 1ebdcb041ca3bd238813ef6de352285e7418e6001c41a0a260b447260e37716e \
 "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz"
-get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \
+get_src f2c4b7966dbb5c88edb5692616bf0eeca330ee2d43ae04c1cb96ef8fb072ba46 \
 "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz"
 get_src 2a69815e4ae01aa8b170941a8e1a10b6f6a9aab699dee485d58f021dd933829a \
@@ -181,24 +183,24 @@ get_src 5f629a50ba22347c441421091da70fdc2ac14586619934534e5a0f8a1390a950 \
 "https://github.com/yaoweibin/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz"
 get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \
- "https://github.com/openresty/lua-resty-upload/archive/v0.10.tar.gz"
+ "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz"
-get_src 095615fe94e64615c4a27f4f4475b91c047cf8d10bc2dbde8d5ba6aa625fc5ab \
- "https://github.com/openresty/lua-resty-string/archive/v0.11.tar.gz"
+get_src bfd8c4b6c90aa9dcbe047ac798593a41a3f21edcb71904d50d8ac0e8c77d1132 \
+ "https://github.com/openresty/lua-resty-string/archive/v$LUA_RESTY_STRING_VERSION.tar.gz"
 get_src 82209d5a5d9545c6dde3db7857f84345db22162fdea9743d5e2b2094d8d407f8 \
 "https://github.com/openresty/lua-resty-balancer/archive/v$LUA_RESTY_BALANCER.tar.gz"
-get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \
+get_src 040878ed9a485ca7f0f8128e4e979280bcf501af875704c8830bec6a68f128f7 \
 "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz"
-get_src 59d2f18ecadba48be61061004c8664eaed1111a3372cd2567cb24c5a47eb41fe \
+get_src bd6bee4ccc6cf3307ab6ca0eea693a921fab9b067ba40ae12a652636da588ff7 \
 "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz"
 get_src f818b5cef0881e5987606f2acda0e491531a0cb0c126d8dca02e2343edf641ef \
 "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz"
-get_src f6b57d83a937899f97a98372c1e2631dd1ab8f580fc0ffeac0b27b4d42225a99 \
+get_src dae9fb572f04e7df0dabc228f21cdd8bbfa1ff88e682e983ef558585bc899de0 \
 "https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz"
 get_src 2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2 \
@@ -235,29 +237,12 @@ cd "$BUILD_PATH"
 # Git tuning
 git config --global --add core.compression -1
-# install openresty-gdb-utils
-cd /
-git clone --depth=1 https://github.com/openresty/openresty-gdb-utils.git
-cat > ~/.gdbinit << EOF
-directory /openresty-gdb-utils
-
-py import sys
-py sys.path.append("/openresty-gdb-utils")
-
-source luajit20.gdb
-source ngx-lua.gdb
-source luajit21.py
-source ngx-raw-req.py
-set python print-stack full
-EOF
-
 # build opentracing lib
 cd "$BUILD_PATH/opentracing-cpp-$OPENTRACING_CPP_VERSION"
 mkdir .build
 cd .build
 cmake -DCMAKE_BUILD_TYPE=Release \
- -DCMAKE_CXX_FLAGS="-fPIC" \
 -DBUILD_TESTING=OFF \
 -DBUILD_MOCKTRACER=OFF \
 ..
@@ -326,7 +311,6 @@ cd "$BUILD_PATH/msgpack-c-cpp-$MSGPACK_VERSION"
 mkdir .build
 cd .build
 cmake -DCMAKE_BUILD_TYPE=Release \
- -DCMAKE_CXX_FLAGS="-fPIC" \
 -DBUILD_SHARED_LIBS=OFF \
 -DBUILD_TESTING=OFF \
 -DBUILD_MOCKTRACER=OFF \
@@ -564,10 +548,10 @@ make install
 cd "$BUILD_PATH/lua-resty-http-$LUA_RESTY_HTTP"
 make install
-cd "$BUILD_PATH/lua-resty-upload-0.10"
+cd "$BUILD_PATH/lua-resty-upload-$LUA_RESTY_UPLOAD_VERSION"
 make install
-cd "$BUILD_PATH/lua-resty-string-0.11"
+cd "$BUILD_PATH/lua-resty-string-$LUA_RESTY_STRING_VERSION"
 make install
 # build Lua bridge tracer
diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-delayed_posted_events.patch b/images/nginx/rootfs/patches/nginx-1.17.8-delayed_posted_events.patch
new file mode 100644
index 000000000..687584324
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.17.8-delayed_posted_events.patch
@@ -0,0 +1,98 @@
+diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
+index 57af8132..4853945f 100644
+--- a/src/event/ngx_event.c
++++ b/src/event/ngx_event.c
+@@ -196,6 +196,9 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
+ ngx_uint_t flags;
+ ngx_msec_t timer, delta;
+
++ ngx_queue_t *q;
++ ngx_event_t *ev;
++
+ if (ngx_timer_resolution) {
+ timer = NGX_TIMER_INFINITE;
+ flags = 0;
+@@ -215,6 +218,13 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
+ #endif
+ }
+
++ if (!ngx_queue_empty(&ngx_posted_delayed_events)) {
++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
++ "posted delayed event queue not empty"
++ " making poll timeout 0");
++ timer = 0;
++ }
++
+ if (ngx_use_accept_mutex) {
+ if (ngx_accept_disabled > 0) {
+ ngx_accept_disabled--;
+@@ -257,6 +267,35 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle)
+ }
+
+ ngx_event_process_posted(cycle, &ngx_posted_events);
++
++ while (!ngx_queue_empty(&ngx_posted_delayed_events)) {
++ q = ngx_queue_head(&ngx_posted_delayed_events);
++
++ ev = ngx_queue_data(q, ngx_event_t, queue);
++ if (ev->delayed) {
++ /* start of newly inserted nodes */
++ for (/* void */;
++ q != ngx_queue_sentinel(&ngx_posted_delayed_events);
++ q = ngx_queue_next(q))
++ {
++ ev = ngx_queue_data(q, ngx_event_t, queue);
++ ev->delayed = 0;
++
++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
++ "skipping delayed posted event %p,"
++ " till next iteration", ev);
++ }
++
++ break;
++ }
++
++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
++ "delayed posted event %p", ev);
++
++ ngx_delete_posted_event(ev);
++
++ ev->handler(ev);
++ }
+ }
+
+
+@@ -600,6 +639,7 @@ ngx_event_process_init(ngx_cycle_t *cycle)
+
+ ngx_queue_init(&ngx_posted_accept_events);
+ ngx_queue_init(&ngx_posted_events);
++ ngx_queue_init(&ngx_posted_delayed_events);
+
+ if (ngx_event_timer_init(cycle->log) == NGX_ERROR) {
+ return NGX_ERROR;
+diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c
+index d851f3d1..b6cea009
100644
+--- a/src/event/ngx_event_posted.c
++++ b/src/event/ngx_event_posted.c
+@@ -12,6 +12,7 @@
+
+ ngx_queue_t ngx_posted_accept_events;
+ ngx_queue_t ngx_posted_events;
++ngx_queue_t ngx_posted_delayed_events;
+
+
+ void
+diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h
+index 145d30fe..6c388553 100644
+--- a/src/event/ngx_event_posted.h
++++ b/src/event/ngx_event_posted.h
+@@ -43,6 +43,9 @@ void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted);
+
+ extern ngx_queue_t ngx_posted_accept_events;
+ extern ngx_queue_t ngx_posted_events;
++extern ngx_queue_t ngx_posted_delayed_events;
++
++#define HAVE_POSTED_DELAYED_EVENTS_PATCH
+
+
+ #endif /* _NGX_EVENT_POSTED_H_INCLUDED_ */
diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-init_cycle_pool_release.patch b/images/nginx/rootfs/patches/nginx-1.17.8-init_cycle_pool_release.patch
new file mode 100644
index 000000000..bd621eb68
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.17.8-init_cycle_pool_release.patch
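Review bot: This patch file and the three added after it are named for nginx 1.17.8 and carry no record of where they were taken from, while the nginx version build.sh compiles and the step that applies the patches are both outside this commit. If the built version differs from 1.17.8, the hunks against `ngx_process_events_and_timers` may apply with fuzz or offsets, which is easy to miss in a build log for code on the event-loop path. Recording the upstream source and revision for each patch (a leading comment line in the patch file or a short README beside them) and applying with `patch --fuzz=0` would make a mismatch fail the build instead of passing silently.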
@@ -0,0 +1,59 @@
+diff -rup nginx-1.17.8/src/core/nginx.c nginx-1.17.8-patched/src/core/nginx.c
+--- nginx-1.17.8/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800
++++ nginx-1.17.8-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800
+@@ -186,6 +186,7 @@ static u_char *ngx_prefix;
+ static u_char *ngx_conf_file;
+ static u_char *ngx_conf_params;
+ static char *ngx_signal;
++ngx_pool_t *saved_init_cycle_pool = NULL;
+
+
+ static char **ngx_os_environ;
+@@ -253,6 +254,8 @@ main(int argc, char *const *argv)
+ return 1;
+ }
+
++ saved_init_cycle_pool = init_cycle.pool;
++
+ if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
+ return 1;
+ }
+diff -rup nginx-1.17.8/src/core/ngx_core.h nginx-1.17.8-patched/src/core/ngx_core.h
+--- nginx-1.17.8/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.17.8-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800
+@@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
+ #define NGX_DISABLE_SYMLINKS_NOTOWNER 2
+ #endif
+
++extern ngx_pool_t *saved_init_cycle_pool;
++
+ #endif /* _NGX_CORE_H_INCLUDED_ */
+diff -rup nginx-1.17.8/src/core/ngx_cycle.c nginx-1.17.8-patched/src/core/ngx_cycle.c
+--- nginx-1.17.8/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.17.8-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800
+@@ -748,6 +748,10 @@ old_shm_zone_done:
+
+ if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
+
++ if (ngx_is_init_cycle(old_cycle)) {
++ saved_init_cycle_pool = NULL;
++ }
++
+ ngx_destroy_pool(old_cycle->pool);
+ cycle->old_cycle = NULL;
+
+diff -rup nginx-1.17.8/src/os/unix/ngx_process_cycle.c nginx-1.17.8-patched/src/os/unix/ngx_process_cycle.c
+--- nginx-1.17.8/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800
++++ nginx-1.17.8-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800
+@@ -783,6 +783,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
+ ngx_exit_cycle.files_n = ngx_cycle->files_n;
+
ngx_cycle = &ngx_exit_cycle;
+
++ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) {
++ ngx_destroy_pool(saved_init_cycle_pool);
++ saved_init_cycle_pool = NULL;
++ }
++
+ ngx_destroy_pool(cycle->pool);
+
+ exit(0);
diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-no_Werror.patch b/images/nginx/rootfs/patches/nginx-1.17.8-no_Werror.patch
new file mode 100644
index 000000000..753d86adc
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.17.8-no_Werror.patch
@@ -0,0 +1,36 @@
+diff -urp nginx-1.17.8/auto/cc/clang nginx-1.17.8-patched/auto/cc/clang
+--- nginx-1.17.8/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.17.8-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700
+@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
+ CFLAGS="$CFLAGS -Wno-unused-parameter"
+
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.17.8/auto/cc/gcc nginx-1.17.8-patched/auto/cc/gcc
+--- nginx-1.17.8/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.17.8-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700
+@@ -168,7 +168,7 @@ esac
+
+
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+
+ # debug
+ CFLAGS="$CFLAGS -g"
+diff -urp nginx-1.17.8/auto/cc/icc nginx-1.17.8-patched/auto/cc/icc
+--- nginx-1.17.8/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800
++++ nginx-1.17.8-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700
+@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
+ esac
+
+ # stop on warning
+-CFLAGS="$CFLAGS -Werror"
++#CFLAGS="$CFLAGS -Werror"
+
+ # debug
+ CFLAGS="$CFLAGS -g"
diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/nginx-1.17.8-stream_ssl_preread_no_skip.patch
new file mode 100644
index 000000000..e45e9f69a
--- /dev/null
+++ b/images/nginx/rootfs/patches/nginx-1.17.8-stream_ssl_preread_no_skip.patch
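Review bot: Commenting out `CFLAGS="$CFLAGS -Werror"` in `auto/cc/clang`, `auto/cc/gcc` and `auto/cc/icc` turns off warnings-as-errors for nginx core and every module compiled with it, so a new compiler warning in one of the modules bumped by this commit no longer stops the image build. If only particular warnings from the toolchain are the problem, downgrading just those with `-Wno-error=<warning-name>` in the configure-time cc options would keep the rest fatal; otherwise the reason for the blanket removal should be recorded next to the patch. The configure invocation is outside this commit, so whether such options are already passed cannot be confirmed from here.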
@@ -0,0 +1,13 @@
+diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
+index e3d11fd9..3717b5fe 100644
+--- a/src/stream/ngx_stream_ssl_preread_module.c
++++ b/src/stream/ngx_stream_ssl_preread_module.c
+@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
+
+ rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
+ if (rc != NGX_AGAIN) {
+- return rc;
++ return rc == NGX_OK ? NGX_DECLINED : rc;
+ }
+
+ p += len;
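Review bot: The new return `return rc == NGX_OK ? NGX_DECLINED : rc;` changes how the stream preread phase continues after a successfully parsed record, yet neither the patch nor the commit message says why. In nginx's stream phase engine a handler returning `NGX_OK` ends the phase while `NGX_DECLINED` passes control to the next handler, so the likely intent is that preread handlers registered after ssl_preread (for example Lua preread checks) are no longer skipped; that is worth stating because it decides whether those checks run at all. A short explanation kept with the patch, such as `return NGX_DECLINED so later preread-phase handlers still run`, would do, once confirmed against the source the patch was taken from. The body of `ngx_stream_ssl_preread_handler` extends beyond this hunk.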