diff --git a/build/dev-apko.sh b/build/dev-apko.sh index 9e6ada718..ff578acef 100755 --- a/build/dev-apko.sh +++ b/build/dev-apko.sh @@ -106,6 +106,7 @@ controller: image: "${DEV_IMAGE}" tag: "${TAG}" digest: "${DIGEST}" + runAsUser: 0 config: worker-processes: "1" podLabels: diff --git a/distroless-build/Makefile b/distroless-build/Makefile index cfb0c9d4a..8d6accf92 100644 --- a/distroless-build/Makefile +++ b/distroless-build/Makefile @@ -36,7 +36,7 @@ REPO ?= packages TEMPLATE ?= melange/nginx-templates.json MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace -APKO_OPTS ?= -k ${KEY}.pub --debug --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml +APKO_OPTS ?= -k ${KEY}.pub --debug --use-docker-mediatypes --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml KEY ?= melange.rsa REPO ?= $(shell pwd)/packages ARCHS?="amd64,arm64,arm/v6,arm/v7,s390x" @@ -52,10 +52,10 @@ keygen: ## Generate Key pair for use with signing apks melange: ## Build melange $FILE ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})' -ingress-melange: +ingress-build: ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_INGRESS_OPT} --template '$(shell cat ${TEMPLATE})' -nginx-melange: +nginx-build: ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml --source-dir ${MELANGE_DIR}/${FILE} ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})' apko-build: ## Build an apko pipeline with $KEY and $FILE diff --git a/distroless-build/apko/ingress-debug.yaml b/distroless-build/apko/ingress-debug.yaml new file mode 100644 index 000000000..f55f03d34 --- /dev/null +++ b/distroless-build/apko/ingress-debug.yaml 
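Review bot: `runAsUser: 0` makes the dev controller pod run as root, and nothing in the hunk says why that is needed where the surrounding values (`image`, `tag`, `digest`) previously left the image's own user in charge. If the reason is binding ports 80/443, the nginx binary receives `cap_net_bind_service` via setcap elsewhere in this patch, which covers that as uid 101. I would drop the line, or set `runAsUser: 101` to match the `www-data` uid the apko images create, and if root really is required for a debugging workflow, put a comment above the line stating that so it is not inherited into non-dev values by copy-paste. The enclosing values block in dev-apko.sh starts and ends outside the hunk.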
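Review bot: `--sbom=false` in the new `APKO_OPTS` default switches off the SBOM apko would otherwise emit alongside every image built through this Makefile, which removes the one artifact that records exactly which packages ended up in the distroless image. `--use-docker-mediatypes` is a harmless compatibility choice, but the SBOM opt-out deserves its own knob so it is not silently inherited by every `apko-build` run; for example `APKO_SBOM ?= true` and `--sbom=$(APKO_SBOM)` in the option string. If the flag exists only to work around a local tooling problem, a `#` comment above the line saying so would keep someone from shipping images without an SBOM by accident.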
@@ -0,0 +1,217 @@ +contents: + repositories: + - https://dl-cdn.alpinelinux.org/alpine/edge/main + - https://dl-cdn.alpinelinux.org/alpine/edge/community + - '@local /work/packages' + packages: + - alpine-baselayout-data + - alpine-base + - apk-tools + - busybox + - dbg@local + - waitshutdown@local + - ingress-nginx@local + - dumb-init + - sudo + - bash + - strace + - libcap + - netcat-openbsd + - geoip-dev + - nginx@local + - opentracing@local + - msgpack-cpp@local + - datadog-cpp@local + - yaml-cpp@local + - zipkin-cpp@local + - modsecurity@local + - luaresty-balancer@local + - luacjson@local + - luajit@local + - lua-resty-cache@local + - lua-resty-cookie@local + - lua-resty-dns@local + - lua-resty-core@local + - lua-resty-global-throttle@local + - lua-resty-ipmatcher@local + - lua-resty-lock@local + - lua-resty-redis@local + - lua-resty-string@local + - lua-resty-upload@local +accounts: + groups: + - groupname: www-data + gid: 101 + users: + - username: www-data + uid: 101 + run-as: root + +annotations: + org.opencontainers.image.title: "NGINX Ingress Controller for Kubernetes" + org.opencontainers.image.documentation: "https://kubernetes.github.io/ingress-nginx/" + org.opencontainers.image.source: "https://github.com/kubernetes/ingress-nginx" + org.opencontainers.image.vendor: "The Kubernetes Authors" + org.opencontainers.image.licenses: "Apache-2.0" + +environment: + PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin:/usr/local/nginx/sbin/" + LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" + LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" + LUAJIT_INC: "/usr/local/include/luajit-2.1" + LUAJIT_LIB: "/usr/local/lib" + LUA_LIB_DIR: "/usr/local/lib/lua" + +work-dir: /etc/nginx + +paths: + - path: /usr/bin/nginx + type: hardlink + source: /usr/local/nginx/sbin/nginx + permissions: 0o777 + uid: 101 + gid: 101 + - path: 
/usr/local/certificates/ + type: directory + permissions: 0o777 + uid: 101 + gid: 101 + recursive: true + - path: /etc/ingress-controller/ssl + type: directory + permissions: 0o777 + uid: 101 + gid: 101 + recursive: true + - path: /etc/ingress-controller/auth + type: directory + permissions: 0o777 + uid: 101 + gid: 101 + recursive: true + - path: /usr/local/ + type: directory + permissions: 0o777 + uid: 101 + gid: 101 + recursive: true + - path: /usr/local/ + type: directory + permissions: 0o777 + uid: 101 + gid: 101 + recursive: true + - path: /usr/local/bin/lua + type: hardlink + source: /usr/local/bin/luajit + permissions: 0o777 + uid: 101 + gid: 101 + - path: /var/lib/ + type: directory + permissions: 0o777 + uid: 101 + gid: 101 + recursive: true + - path: /var/log/nginx/ + type: directory + uid: 101 + gid: 101 + permissions: 0o777 + recursive: true + - path: /var/lib/nginx/ + type: directory + uid: 101 + gid: 101 + permissions: 0o777 + recursive: true + - path: /var/lib/nginx/body + type: directory + uid: 101 + gid: 101 + permissions: 0o777 + recursive: true + - path: /usr/local/nginx + type: directory + uid: 101 + gid: 101 + permissions: 0o777 + recursive: true + - path: /run/nginx + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /run/nginx.pid + uid: 101 + gid: 101 + type: empty-file + permissions: 0o777 + recursive: true + - path: /etc/nginx/modules + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /etc/nginx + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /usr/local/nginx + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /opt/modsecurity/var/log + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /opt/modsecurity/var/upload + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /opt/modsecurity/var/audit + uid: 101 + gid: 101 + 
type: directory + permissions: 0o777 + recursive: true + - path: /var/log + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /etc/ingress-controller + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /tmp/nginx + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /var/log/nginx/ + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true + - path: /var/log/audit + uid: 101 + gid: 101 + type: directory + permissions: 0o777 + recursive: true diff --git a/distroless-build/apko/ingress.yaml b/distroless-build/apko/ingress.yaml index ea3d87ba5..49ebf3bd1 100644 --- a/distroless-build/apko/ingress.yaml +++ b/distroless-build/apko/ingress.yaml @@ -4,15 +4,10 @@ contents: - https://dl-cdn.alpinelinux.org/alpine/edge/community - '@local /work/packages' packages: - - alpine-baselayout-data - - alpine-base - - apk-tools - - busybox - dbg@local - waitshutdown@local - ingress-nginx@local - dumb-init - - bash - geoip-dev - nginx@local - opentracing@local 
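Review bot: every `paths` entry in the new debug image is `0o777`, including the recursive `/usr/local/` tree, the `/usr/bin/nginx` hardlink, `/etc/nginx` and `/etc/ingress-controller/ssl`, so any uid inside the container can replace the nginx binary or read and alter whatever certificate material the controller writes there; world-writable is not needed for uid 101 to own those paths. The image additionally installs `sudo` and sets `run-as: root`, which makes the permission bits moot for the default user but widens what a compromised worker or an exec session can do. I would use `0o755` as ingress.yaml does (tighter, e.g. `0o750`, for `ssl` and `auth`) and drop `sudo` unless a debugging workflow depends on it. While here, `/usr/local/`, `/usr/local/nginx` and `/var/log/nginx/` are each listed twice and `/run/nginx.pid` is an `empty-file` carrying a meaningless `recursive: true`, which looks like copy-paste residue.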
@@ -41,13 +36,19 @@ accounts: users: - username: www-data uid: 101 - run-as: 101 + run-as: root -environments: - PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin" +annotations: + org.opencontainers.image.title: "NGINX Ingress Controller for Kubernetes" + org.opencontainers.image.documentation: "https://kubernetes.github.io/ingress-nginx/" + org.opencontainers.image.source: "https://github.com/kubernetes/ingress-nginx" + org.opencontainers.image.vendor: "The Kubernetes Authors" + org.opencontainers.image.licenses: "Apache-2.0" + +environment: + PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin:/usr/local/nginx/sbin/" LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" - :u: "/usr/local/include/luajit-2.1" LUAJIT_INC: "/usr/local/include/luajit-2.1" LUAJIT_LIB: "/usr/local/lib" LUA_LIB_DIR: "/usr/local/lib/lua" 
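Review bot: `run-as: root` makes the production ingress image start as uid 0 although every `paths` entry in this file is owned by uid/gid 101 and the replaced `run-as: 101` matched that ownership. Nothing in the hunk shows why root is needed; if it is for binding ports 80/443, the nginx binary receives `cap_net_bind_service` through setcap elsewhere in this patch, which covers that as an unprivileged user. I would restore `run-as: 101`, or if root is deliberate (for instance because the controller drops privileges itself), put a comment above the line saying so, since a bare `run-as: root` reads like a typo and will get reverted as one.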
@@ -55,48 +56,36 @@ environments: work-dir: /etc/nginx paths: + - path: /etc/ingress-controller/ssl + type: directory + permissions: 0o755 + uid: 101 + gid: 101 + recursive: true + - path: /etc/ingress-controller/auth + type: directory + permissions: 0o755 + uid: 101 + gid: 101 + recursive: true - path: /usr/local/ type: directory permissions: 0o755 uid: 101 gid: 101 recursive: true - - path: /usr/include/lua5.1 + - path: /usr/local/ type: directory permissions: 0o755 uid: 101 gid: 101 recursive: true - path: /usr/local/bin/lua - type: symlink + type: hardlink source: /usr/local/bin/luajit permissions: 0o755 uid: 101 gid: 101 - - path: /usr/local/include/lua - type: symlink - source: /usr/local/include/luajit-2.1 - uid: 101 - gid: 101 - permissions: 0o755 - - path: /usr/include/lua5.1 - type: symlink - source: /usr/local/include/luajit-2.1 - uid: 101 - gid: 101 - permissions: 0o755 - - path: /usr/local/nginx/sbin/nginx - type: symlink - source: /sbin/nginx - uid: 101 - gid: 101 - permissions: 0o755 - - path: /usr/bin/nginx - type: symlink - source: /usr/local/nginx/sbin/nginx - uid: 101 - gid: 101 - permissions: 0o755 - path: /var/lib/ type: directory permissions: 0o755 @@ -181,12 +170,6 @@ paths: type: directory permissions: 0o755 recursive: true - - path: /etc/ingress-controller - uid: 101 - gid: 101 - type: directory - permissions: 0o755 - recursive: true - path: /tmp/nginx uid: 101 gid: 101 diff --git a/distroless-build/melange/nginx.yaml b/distroless-build/melange/nginx.yaml index f0b73bb6d..57944c406 100644 --- a/distroless-build/melange/nginx.yaml +++ b/distroless-build/melange/nginx.yaml 
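Review bot: the second `- path: /usr/local/` entry, the one that replaces `/usr/include/lua5.1`, is an exact duplicate of the entry directly above it, so either the replacement path was meant to be something else or the block should be deleted. Also worth a look: `/usr/local/bin/lua` is now a `hardlink` to `/usr/local/bin/luajit`, and since a hardlink shares the target's inode, the `permissions`/`uid`/`gid` on that entry presumably apply to the luajit binary itself rather than to a separate link object, which differs from the symlink it replaces — confirm that is intended. For the new `/etc/ingress-controller/ssl` and `auth` directories, which hold certificates and auth files that only uid 101 needs to read, `0o750` would be a tighter default than `0o755`.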
@@ -215,11 +215,16 @@ pipeline: set -o pipefail ls -lah + ls -lah etc/nginx export BUILD_PATH="${PWD}" echo "BUILD_PATH $BUILD_PATH" echo "Arch: $(uname -m)" + # improve compilation times + CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + + export MAKEFLAGS=-j${CORES} + export CTEST_BUILD_FLAGS=${MAKEFLAGS} - export HUNTER_INSTALL_DIR=$(cat _3rdParty/Hunter/install-root-dir) export LUAJIT_LIB=/usr/local/lib export LUA_LIB_DIR="$LUAJIT_LIB/lua" export LUAJIT_INC=/usr/local/include/luajit-2.1 @@ -230,9 +235,12 @@ pipeline: ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 ARCH=$(uname -m) - tree etc/nginx/ mkdir -p ${{targets.destdir}}/etc/nginx/ - cp -R etc/nginx/ ${{targets.destdir}}/etc/nginx/ + cp -R etc/nginx/geoip/ ${{targets.destdir}}/etc/nginx/ + cp -R etc/nginx/lua/ ${{targets.destdir}}/etc/nginx/ + cp -R etc/nginx/template/ ${{targets.destdir}}/etc/nginx/ + cp -R etc/nginx/nginx.conf ${{targets.destdir}}/etc/nginx/ + cp -R etc/nginx/opentracing.json ${{targets.destdir}}/etc/nginx/ tree ${{targets.destdir}}/etc/nginx/ # Get Brotli source and deps @@ -339,23 +347,6 @@ pipeline: --with-http_secure_link_module \ --with-http_gunzip_module" - # "Combining -flto with -g is currently experimental and expected to produce unexpected results." - # https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html - CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ - -Wformat \ - -Werror=format-security \ - -Wno-deprecated-declarations \ - -fno-strict-aliasing \ - -D_FORTIFY_SOURCE=2 \ - --param=ssp-buffer-size=4 \ - -DTCP_FASTOPEN=23 \ - -fPIC \ - -I$HUNTER_INSTALL_DIR/include \ - -Wno-cast-function-type" - - LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib" - - WITH_FLAGS="--with-debug \ --with-compat \ --with-pcre-jit \ 
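Review bot: `CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1))` yields 0 on a single-CPU builder, and GNU make rejects `-j0` ("the '-j' option requires a positive integer argument"), so `MAKEFLAGS=-j${CORES}` would break the build there; counting `^processor` lines also ignores the cpuset/affinity limits that containerised builders commonly apply, and the line format of `/proc/cpuinfo` varies across the architectures in `ARCHS`. I would use `CORES=$(nproc 2>/dev/null || grep -c ^processor /proc/cpuinfo)` followed by `CORES=$(( CORES > 1 ? CORES - 1 : 1 ))`. The build-step script this sits in starts and ends outside the hunk.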
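Review bot: `cp -R etc/nginx/geoip/` ships whatever `.dat` files sit in the source tree, and the three GeoIP databases added as binary files in this patch carry no version, build date or checksum, so nobody can later tell which upstream database release is inside the image or verify it was not altered. I would either fetch them at build time from a pinned URL and check them with `sha256sum -c`, or at minimum add a comment above the copy naming the source and date of each file (the legacy MaxMind `.dat` format is, as far as I know, no longer updated upstream, which is worth stating as well). Minor style: `-R` on `nginx.conf` and `opentracing.json` is a no-op for regular files; plain `cp` reads clearer.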
@@ -403,10 +394,9 @@ pipeline: --param=ssp-buffer-size=4 \ -DTCP_FASTOPEN=23 \ -fPIC \ - -I$HUNTER_INSTALL_DIR/include \ -Wno-cast-function-type" - LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L$HUNTER_INSTALL_DIR/lib" + LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" if [[ ${ARCH} != "aarch64" ]]; then WITH_FLAGS="${WITH_FLAGS} --with-file-aio" @@ -459,6 +449,8 @@ pipeline: echo "::::::::::::::::::::::::::::::::::::::::::::" make DESTDIR="${{targets.destdir}}" install + setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ + && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ echo "::::::::::::::::::::::::::::::::::::::::::::" echo ":::::::::::::::: CLEANUP :::::::::::::::::::" @@ -468,10 +460,10 @@ pipeline: rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests - setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ - && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ + echo "Clean up everything else" cd ${BUILD_PATH} + rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \ ${BUILD_PATH}/set-misc-nginx-module-{{ .SETMISC_VERSION }} \ ${BUILD_PATH}/headers-more-nginx-module-{{ .MORE_HEADERS_VERSION }} \ diff --git a/distroless-build/melange/nginx/etc/nginx/geoip/GeoIP.dat b/distroless-build/melange/nginx/etc/nginx/geoip/GeoIP.dat new file mode 100644 index 000000000..be8b031f7 Binary files /dev/null and b/distroless-build/melange/nginx/etc/nginx/geoip/GeoIP.dat differ diff --git a/distroless-build/melange/nginx/etc/nginx/geoip/GeoIPASNum.dat b/distroless-build/melange/nginx/etc/nginx/geoip/GeoIPASNum.dat new file mode 100644 index 000000000..85c2cb329 Binary files /dev/null and b/distroless-build/melange/nginx/etc/nginx/geoip/GeoIPASNum.dat differ 
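Review bot: the added `&& setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \` ends with a line continuation, so the context line that appears to follow it, `echo "::::...::::"`, is appended to the `setcap -v` command as two extra arguments; setcap reads its arguments as caps/file pairs, so `echo` becomes an invalid capability text for a file named `::::...`, which is not what the verification step is meant to check and may abort the build if the pipeline shell runs with `-e`. In the old position the same dangling backslash presumably swallowed whatever followed it too, so this is a pre-existing slip that the move makes visible; drop the trailing `\` on the `setcap -v` line. Separately, it is worth confirming with `getcap` in the final image that the `security.capability` xattr survives melange packaging and the apko layer, since an image started as uid 101 cannot bind 80/443 without it.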
diff --git a/distroless-build/melange/nginx/etc/nginx/geoip/GeoLiteCity.dat b/distroless-build/melange/nginx/etc/nginx/geoip/GeoLiteCity.dat new file mode 100644 index 000000000..1adb8c3c4 Binary files /dev/null and b/distroless-build/melange/nginx/etc/nginx/geoip/GeoLiteCity.dat differ