From e2f5d9066e2ac887dd48fcc5d5d1fd4ccf03add9 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Sat, 4 Aug 2018 08:02:20 -0400
Subject: [PATCH] Update nginx image (#2893)

---
 images/e2e/Dockerfile | 2 +-
 images/nginx/Makefile | 4 +-
 images/nginx/{ => rootfs}/Dockerfile | 4 +-
 images/nginx/{ => rootfs}/build.sh | 37 ++++++++++---------
 images/nginx/rootfs/entrypoint.sh | 19 ++++++++++
 images/nginx/rootfs/etc/authbind/byport/443 | 0
 images/nginx/rootfs/etc/authbind/byport/80 | 0
 images/nginx/rootfs/etc/authbind/byuid/33 | 4 ++
 .../{ => rootfs}/install_lua_resty_waf.sh | 0
 9 files changed, 49 insertions(+), 21 deletions(-)
 rename images/nginx/{ => rootfs}/Dockerfile (95%)
 rename images/nginx/{ => rootfs}/build.sh (96%)
 create mode 100755 images/nginx/rootfs/entrypoint.sh
 create mode 100644 images/nginx/rootfs/etc/authbind/byport/443
 create mode 100644 images/nginx/rootfs/etc/authbind/byport/80
 create mode 100644 images/nginx/rootfs/etc/authbind/byuid/33
 rename images/nginx/{ => rootfs}/install_lua_resty_waf.sh (100%)

diff --git a/images/e2e/Dockerfile b/images/e2e/Dockerfile
index 629263930..65e9a2120 100644
--- a/images/e2e/Dockerfile
+++ b/images/e2e/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM quay.io/kubernetes-ingress-controller/nginx-amd64:0.55
+FROM quay.io/kubernetes-ingress-controller/nginx-amd64:0.57
 
 RUN clean-install \
 g++ \
diff --git a/images/nginx/Makefile b/images/nginx/Makefile
index a54f2f6ab..43ea41805 100644
--- a/images/nginx/Makefile
+++ b/images/nginx/Makefile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # 0.0.0 shouldn't clobber any released builds
-TAG ?= 0.56
+TAG ?= 0.57
 REGISTRY ?= quay.io/kubernetes-ingress-controller
 ARCH ?= $(shell go env GOARCH)
 DOCKER ?= docker
@@ -67,7 +67,7 @@ all-push: $(addprefix sub-push-,$(ALL_ARCH))
 
 container: .container-$(ARCH)
 .container-$(ARCH):
- cp ./* $(TEMP_DIR)
+ cp -r ./rootfs/* $(TEMP_DIR)
 cd $(TEMP_DIR) && $(SED_I) 's|BASEIMAGE|$(BASEIMAGE)|g' Dockerfile
 cd $(TEMP_DIR) && $(SED_I) "s|ARCH|$(QEMUARCH)|g" Dockerfile
 
diff --git a/images/nginx/Dockerfile b/images/nginx/rootfs/Dockerfile
similarity index 95%
rename from images/nginx/Dockerfile
rename to images/nginx/rootfs/Dockerfile
index f4f5b7282..8d1fd7862 100644
--- a/images/nginx/Dockerfile
+++ b/images/nginx/rootfs/Dockerfile
@@ -17,7 +17,7 @@ FROM BASEIMAGE
 
 CROSS_BUILD_COPY qemu-ARCH-static /usr/bin/
 
-COPY build.sh install_lua_resty_waf.sh /
+COPY . /
 
 RUN clean-install bash
 
@@ -30,4 +30,6 @@ RUN ln -sf /dev/stderr /var/log/nginx/error.log
 
 EXPOSE 80 443
 
+ENTRYPOINT [ "/entrypoint.sh" ]
+
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/images/nginx/build.sh b/images/nginx/rootfs/build.sh
similarity index 96%
rename from images/nginx/build.sh
rename to images/nginx/rootfs/build.sh
index d24ef6fbf..3ea08deed 100755
--- a/images/nginx/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -36,6 +36,7 @@ export LUA_UPSTREAM_VERSION=0.07
 export COOKIE_FLAG_VERSION=1.1.0
 export NGINX_INFLUXDB_VERSION=f20cfb2458c338f162132f5a21eb021e2cbe6383
 export GEOIP2_VERSION=2.0
+export NGINX_AJP_VERSION=bf6cd93f2098b59260de8d494f0f4b1f11a84627
 
 export BUILD_PATH=/tmp/build
 
@@ -92,6 +93,8 @@ clean-install \
 luarocks \
 libmaxminddb-dev \
 libatomic-ops-dev \
+ authbind \
+ dumb-init \
 || exit 1
 
 if [[ ${ARCH} == "x86_64" ]]; then
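Review bot: `COPY . /` now places everything the Makefile staged into the build context at the image root, so the Dockerfile itself and the build scripts (`build.sh`, `install_lua_resty_waf.sh`) land in `/` of the published image, where the replaced line copied only the two scripts it needed. Unless build.sh's cleanup step deletes them (not visible in this diff), keep the copy explicit: `COPY build.sh install_lua_resty_waf.sh entrypoint.sh /` and `COPY etc /etc`. That also documents which files are meant to survive into the runtime image.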
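Review bot: The new `ENTRYPOINT [ "/entrypoint.sh" ]` routes every start through authbind, but nothing in this diff switches the container to uid 33 — there is no `USER` instruction in the hunks, and the `--user=www-data` passed to nginx's configure in build.sh only governs the worker processes when the master already runs as root. If the image still runs as root, the authbind grants keyed to uid 33 are dead configuration; if non-root is the intent, add `USER www-data` before the ENTRYPOINT (or state that the runtime is expected to set it). Either way a comment next to the ENTRYPOINT would save the next reader the investigation, e.g. `# authbind lets uid 33 (www-data) bind 80/443 when the container runs unprivileged; no-op as root`. The Dockerfile may set USER outside this hunk, in which case only the comment applies.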
@@ -223,6 +226,9 @@ get_src 1897d7677d99c1cedeb95b2eb00652a4a7e8e604304c3053a93bd3ba7dd82884 \
 get_src ebb4652c4f9a2e1ee31fddefc4c93ff78e651a4b2727d3453d026bccbd708d99 \
 "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz"
 
+get_src 5f629a50ba22347c441421091da70fdc2ac14586619934534e5a0f8a1390a950 \
+ "https://github.com/yaoweibin/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz"
+
 # improve compilation times
 CORES=$(($(grep -c ^processor /proc/cpuinfo) - 0))
 
@@ -236,7 +242,7 @@ if [[ ${ARCH} == "x86_64" ]]; then
 fi
 
 # luajit is not available on ppc64le and s390x
-if [[ (${ARCH} != "s390x") ]]; then
+if [[ (${ARCH} != "ppc64le") && (${ARCH} != "s390x") ]]; then
 cd "$BUILD_PATH/luajit2-2.1-20180420"
 make
 make install
@@ -470,6 +476,7 @@ WITH_MODULES="--add-module=$BUILD_PATH/ngx_devel_kit-$NDK_VERSION \
 --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \
 --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \
 --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \
+ --add-module=$BUILD_PATH/nginx_ajp_module-${NGINX_AJP_VERSION} \
 --add-module=$BUILD_PATH/ngx_brotli"
 
 ./configure \
@@ -494,17 +501,12 @@ WITH_MODULES="--add-module=$BUILD_PATH/ngx_devel_kit-$NDK_VERSION \
 --with-cc-opt="${CC_OPT}" \
 --with-ld-opt="${LD_OPT}" \
 --with-libatomic \
- ${WITH_MODULES} \
- && make || exit 1 \
- && make install || exit 1
-
-# install su-exec to switch user and group id and exec
-cd "$BUILD_PATH"
-curl -sSL https://github.com/ncopa/su-exec/archive/master.tar.gz | tar zxpv
-cd su-exec-master
-make
-
-cp su-exec /usr/local/bin
+ --user=www-data \
+ --group=www-data \
+ ${WITH_MODULES}
+
+make || exit 1
+make install || exit 1
 
 echo "Cleaning..."
 
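Review bot: The AJP module is linked statically with `--add-module`, so its request-parsing code is present in every nginx process this image runs, including the majority of deployments that never proxy to an AJP backend; the neighbouring third-party modules (opentracing, ModSecurity, geoip2) are built with `--add-dynamic-module` and only loaded when configured. If the pinned yaoweibin/nginx_ajp_module revision's `config` supports dynamic builds, prefer `--add-dynamic-module=$BUILD_PATH/nginx_ajp_module-${NGINX_AJP_VERSION} \` for consistency and a smaller default attack surface; if it does not, a comment saying so next to the line would stop the next reader from "fixing" it. The source is fetched with a sha256 pin through get_src, which is good.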
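Review bot: With `${WITH_MODULES}` now terminating the `./configure` command, configure's own exit status is no longer checked — the old form chained `&& make || exit 1` onto it. A failed configure will still be caught indirectly because the following `make || exit 1` has no Makefile to run, but the error message will point at make rather than at the configure option that broke, which is the one you want in a build log; `${WITH_MODULES} || exit 1` restores the direct check.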
@@ -560,12 +562,8 @@ rm -rf $HOME/.hunter
 # update image permissions
 writeDirs=( \
 /etc/nginx \
- /etc/ingress-controller/ssl \
- /etc/ingress-controller/auth \
- /var/log \
- /var/log/nginx \
 /var/lib/nginx \
- /usr/share/nginx/html \
+ /var/log/nginx \
 /opt/modsecurity/var/log \
 /opt/modsecurity/var/upload \
 /opt/modsecurity/var/audit \
@@ -575,3 +573,8 @@ for dir in "${writeDirs[@]}"; do
 mkdir -p ${dir};
 chown -R www-data.www-data ${dir};
 done
+
+chmod 755 /etc/authbind/byuid/33
+chown www-data /etc/authbind/byuid/33
+chmod 755 /etc/authbind/byport/*
+chown www-data /etc/authbind/byport/*
diff --git a/images/nginx/rootfs/entrypoint.sh b/images/nginx/rootfs/entrypoint.sh
new file mode 100755
index 000000000..46bb5e076
--- /dev/null
+++ b/images/nginx/rootfs/entrypoint.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/dumb-init /bin/bash
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+authbind --deep $@
diff --git a/images/nginx/rootfs/etc/authbind/byport/443 b/images/nginx/rootfs/etc/authbind/byport/443
new file mode 100644
index 000000000..e69de29bb
diff --git a/images/nginx/rootfs/etc/authbind/byport/80 b/images/nginx/rootfs/etc/authbind/byport/80
new file mode 100644
index 000000000..e69de29bb
diff --git a/images/nginx/rootfs/etc/authbind/byuid/33 b/images/nginx/rootfs/etc/authbind/byuid/33
new file mode 100644
index 000000000..a6b2542c7
--- /dev/null
+++ b/images/nginx/rootfs/etc/authbind/byuid/33
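Review bot: The new `chown www-data` lines hand ownership of the authbind policy files to the very uid they authorise, and mode 755 leaves them owner-writable, so the unprivileged nginx process can rewrite its own port grants at runtime; authorisation data should be owned by root and read-only for everyone else. Per authbind(1) the byport check is execute permission for the calling uid and the setuid helper reads byuid files itself, so `chmod 0555 /etc/authbind/byport/*` and `chmod 0644 /etc/authbind/byuid/33` with the files left root-owned should be sufficient — confirm against the authbind version in the base image before dropping the two `chown` lines. Note also that 755/555 on byport satisfies the execute check for every uid in the image, not only www-data; if that matters here, a root:www-data group grant (`chmod 0050`) is the tighter option, at the cost of depending on the runtime gid being 33.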
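Review bot: `authbind --deep $@` leaves `$@` unquoted, so the container arguments are re-split and glob-expanded before reaching authbind; with the Dockerfile's own `CMD ["nginx", "-g", "daemon off;"]` the single argument `daemon off;` becomes `daemon` and `off;`, which nginx rejects as an unknown option, and any argument containing `*` or `?` would be expanded against `/`. The last line should be `exec authbind --deep "$@"` — quoting preserves the argument vector exactly, and `exec` removes the intermediate bash process so dumb-init supervises the real workload directly. A one-line comment on `--deep` would also help, since it propagates the LD_PRELOAD-based bind override to every descendant of the command, not only the process authbind starts.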
@@ -0,0 +1,4 @@
+0.0.0.0:1-1023
+0.0.0.0:1-1023
+::0:1-1023
+::0:1-1023
diff --git a/images/nginx/install_lua_resty_waf.sh b/images/nginx/rootfs/install_lua_resty_waf.sh
similarity index 100%
rename from images/nginx/install_lua_resty_waf.sh
rename to images/nginx/rootfs/install_lua_resty_waf.sh
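Review bot: Each of the two entries in this file is written twice, and both grant uid 33 every privileged port (1-1023) on every address, while the image only exposes 80 and 443 and already ships `byport/80` and `byport/443`, which authbind(1) consults before byuid. The file is therefore both redundant and broader than the documented need; either drop it and rely on the byport grants, or reduce it to the two ports actually served (one IPv4 and one IPv6 line), so the blanket grant does not become an unintended capability when this base image is reused. The line syntax should also be checked against the authbind version in the base image, because a parse failure here would be masked by the byport files and never noticed.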