
initial commit

2025-06-05 11:01:19 +03:00
commit 48f13f97a3
297 changed files with 7136 additions and 0 deletions


@@ -0,0 +1,245 @@
#!/bin/sh
volume_root='/run/ngx'
target_root="${volume_root}/conf"
persist_dirs='cache lib log'
empty_dir='/var/lib/empty'
## unexporting variable in (POSIX) sh is PITA =/
# have_envvar() {
# [ -n "$1" ] || return 1
# grep -Ezq "^$1=" /proc/$$/environ || return
# }
# unexport() {
# local ___k ___v
# for ___k ; do
# [ -n "${___k}" ] || continue
# have_envvar "${___k}" || continue
# ___v=$(eval printf '%s' "\"\${${___k}}\"")
# eval "unset ${___k}"
# eval "${___k}=$(env printf '%s' \"\${___v}\")"
# done
# }
## likely the same as in https://pkg.go.dev/strconv#ParseBool
gobool_to_int() {
## local value=$1
## local default=$2
case "${1:-_}" in
1 | [Tt] | [Tt][Rr][Uu][Ee] ) echo 1 ;;
0 | [Ff] | [Ff][Aa][Ll][Ss][Ee] ) echo 0 ;;
* ) echo "${2:-error}" ;;
esac
}
[ -n "${__IEP_SRC:-}" ] || __IEP_SRC="$0"
log_always() {
if [ "${IEP_DEBUG}" = 1 ] ; then
echo "# $(date +'%Y-%m-%d %H:%M:%S.%03N %z'): ${__IEP_SRC}${*:+: $*}"
else
echo "# ${__IEP_SRC}${*:+: $*}"
fi >&2
}
log() {
[ "${IEP_VERBOSE}" = 0 ] || log_always "$@"
}
ln_s() {
if [ "${IEP_VERBOSE}" = 0 ] ; then
ln -s "$@" || return
else
ln -sv "$@" || return
fi
}
cp_a() {
if [ "${IEP_VERBOSE}" = 0 ] ; then
cp -a "$@" || return
else
cp -av "$@" || return
fi
}
ln_cp() {
if [ -h "$1" ] ; then
ln_s "$(readlink -e "$1")" "$2"
else
cp_a "$1" "$2"
fi
}
have_cmd() { command -v "$1" >/dev/null 2>&1 || return ; }
strip_suffix() { printf '%s' "${1%"$2"}" | tr -s '/' ; }
user_install() {
if [ "${IEP_ROOT}" = 1 ] ; then
install -o "${NGX_USER}" -g "${NGX_GROUP}" "$@"
else
install "$@"
fi
}
expand_file_envsubst() {
local __ret __src __dst
__ret=0
for __src ; do
[ -n "${__src}" ] || continue
if ! [ -f "${__src}" ] ; then
__ret=1
log_always "file not found: ${__src}"
continue
fi
case "${__src}" in
*.in ) ;;
* )
__ret=1
log "expand_file_envsubst: file name extension mismatch: ${__src}"
continue
;;
esac
__dst=$(strip_suffix "${__src}" '.in')
if [ -e "${__dst}" ] ; then
__ret=1
log "expand_file_envsubst: destination file already exists: ${__dst}"
continue
fi
log "Running envsubst: ${__src} -> ${__dst}"
envsubst.sh < "${__src}" > "${__dst}" || __ret=1
done
return ${__ret}
}
expand_file_j2cfg() {
j2cfg-single "$@" || return $?
}
expand_dir_envsubst() {
local __template_list __have_args __ret __orig_file
__template_list=$(mktemp) || return
find "$@" -follow -name '*.in' -type f \
| sort -uV > "${__template_list}"
__ret=0
if [ -s "${__template_list}" ] ; then
__have_args="${ENVSUBST_ARGS:+1}"
if [ -z "${__have_args}" ] ; then
## optimize envsubst.sh invocation by caching argument list
## ref: envsubst.sh
ENVSUBST_ARGS=$(mktemp) || return
envsubst-args.sh > "${ENVSUBST_ARGS}"
export ENVSUBST_ARGS
fi
while read -r __orig_file ; do
[ -n "${__orig_file}" ] || continue
expand_file_envsubst "${__orig_file}" || __ret=1
done < "${__template_list}"
if [ -z "${__have_args}" ] ; then
rm -f "${ENVSUBST_ARGS}" ; unset ENVSUBST_ARGS
fi
unset __have_args
fi
rm -f "${__template_list}" ; unset __template_list
return ${__ret}
}
expand_dir_j2cfg() {
local __template_list __ret
__template_list=$(mktemp) || return
find "$@" -follow -name '*.j2' -type f -printf '%p\0' \
| sort -zuV > "${__template_list}"
__ret=0
if [ -s "${__template_list}" ] ; then
xargs -0r -n 1000 -a "${__template_list}" \
j2cfg-multi < /dev/null || __ret=1
fi
rm -f "${__template_list}" ; unset __template_list
return ${__ret}
}
is_builtin_module() {
[ -n "${1:-}" ] || return 1
[ -n "${2:-}" ] || return 1
[ -f "/etc/angie.dist/builtin.$1" ] || return 1
[ -s "/etc/angie.dist/builtin.$1" ] || return 1
grep -Fxq -e "$2" "/etc/angie.dist/builtin.$1" || return 1
}
append_list() {
if [ -n "$2" ] ; then
printf '%s' "${1:-}${1:+ }$2"
else
printf '%s' "$1"
fi
}
prepend_list() {
if [ -n "$2" ] ; then
printf '%s' "$2${1:+ }${1:-}"
else
printf '%s' "$1"
fi
}
list_have_item() {
[ -n "$1" ] || return 1
[ -n "$2" ] || return 1
case " $1 " in
*" $2 "* ) return 0 ;;
esac
return 1
}
normalize_list() {
[ -n "$1" ] || return 0
printf '%s' "$1" \
| sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
}
sort_dedup_list() {
[ -n "$1" ] || return 0
printf '%s' "$1" \
| tr -s '[:space:]' '\n' | sort -uV \
| sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
}
float_div() {
mawk -v "a=$1" -v "b=$2" 'BEGIN{print a/b;exit;}' </dev/null
}
find_fast() {
find "$@" -printf . -quit | grep -Fq .
}
randN() {
od -v -A n -t x1 -N "$1" < /dev/urandom | tr -d '[:space:]'
}
re_ipv4_oct='[0-9]|[1-9][0-9]|[1-9][0-9][0-9]|2[0-4][0-9]|25[0-5]'
re_ipv4_addr="^${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\$"
is_ipv4_address() {
[ -n "$1" ] || return 1
printf '%s' "$1" | grep -zEq "${re_ipv4_addr}" || return 1
}
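Review bot: `is_ipv4_address` accepts far more than IPv4 addresses, because `re_ipv4_oct` is a bare alternation spliced into `re_ipv4_addr` without grouping. `^` then binds only to the first `[0-9]` branch and `$` only to the last `25[0-5]`, and the middle branches are unanchored, so any string that starts with a digit or merely contains two consecutive digits matches. Even once grouped, the `[1-9][0-9][0-9]` branch admits 256–999. Group and tighten the octet: `re_ipv4_oct='([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'`. The address and resolver scripts later in this commit rely on this helper as their only IPv4 check before exporting values.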

34
image-entry.d/01-defaults.envsh Executable file

@@ -0,0 +1,34 @@
#!/bin/sh
unset NGX_DEBUG
NGX_DEBUG=$(/usr/sbin/angie --build-env 2>&1 | mawk '$1=="DEBUG:" {print $2;exit;}')
NGX_DEBUG="${NGX_DEBUG:-0}"
case "${NGX_DEBUG}" in
0 | 1 ) ;;
* ) NGX_DEBUG=1 ;;
esac
export NGX_DEBUG
unset NGX_PRO
NGX_PRO=$(/usr/sbin/angie -v 2>&1 | mawk 'NR==1 {print $4;exit;}' | tr '[:upper:]' '[:lower:]')
NGX_PRO="${NGX_PRO:-0}"
case "${NGX_PRO}" in
'(pro)' ) NGX_PRO=1 ;;
* ) NGX_PRO=0 ;;
esac
export NGX_PRO
set -a
NGX_STRICT_LOAD=$(gobool_to_int "${NGX_STRICT_LOAD:-1}" 1)
NGX_HTTP=$(gobool_to_int "${NGX_HTTP:-1}" 1)
NGX_MAIL=$(gobool_to_int "${NGX_MAIL:-0}" 0)
NGX_STREAM=$(gobool_to_int "${NGX_STREAM:-0}" 0)
set +a
if [ "${NGX_HTTP}${NGX_MAIL}${NGX_STREAM}" = '000' ] ; then
log_always '========================================='
log_always 'WARNING!'
log_always 'Angie is almost completely TURNED OFF'
log_always '========================================='
fi
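Review bot: An unrecognised boolean silently takes the default in the four `gobool_to_int` calls, so `NGX_HTTP=off` or `NGX_HTTP=no` leaves HTTP enabled with no message. Other scripts in this commit log `unrecognized value` before falling back. Since `gobool_to_int` prints `error` when no default is passed, the check can go before each assignment: `[ "$(gobool_to_int "${NGX_HTTP:-1}")" != error ] || log_always "NGX_HTTP: unrecognized value: ${NGX_HTTP}"`, repeated for `NGX_STRICT_LOAD`, `NGX_MAIL` and `NGX_STREAM`.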

6
image-entry.d/02-nonroot.envsh Executable file

@@ -0,0 +1,6 @@
#!/bin/sh
unset IEP_ROOT ; IEP_ROOT=1
# [ "$(env stat -Lc %u /proc/$$)" = 0 ] || IEP_ROOT=0
[ "$(id -u)" = 0 ] || IEP_ROOT=0
export IEP_ROOT


@@ -0,0 +1,30 @@
#!/bin/sh
## allow these addresses to be provided in case of:
## - local development/testing
## - `hostname -I' random failures or misbehavior
if [ -z "${NGX_IP_ADDRESSES:-}" ] ; then
NGX_IP_ADDRESSES=$(hostname -I)
fi
NGX_IP_ADDRESSES=$(normalize_list "${NGX_IP_ADDRESSES}")
export NGX_IP_ADDRESSES
unset i NGX_IPV4_ADDRESSES NGX_IPV6_ADDRESSES
for i in ${NGX_IP_ADDRESSES} ; do
case "$i" in
*:* )
## TODO: IPv6 address validation
NGX_IPV6_ADDRESSES=$(append_list "${NGX_IPV6_ADDRESSES}" "$i")
;;
* )
if ! is_ipv4_address "$i" ; then
log_always "invalid IPv4 address: $i"
continue
fi
NGX_IPV4_ADDRESSES=$(append_list "${NGX_IPV4_ADDRESSES}" "$i")
;;
esac
done
unset i
export NGX_IPV4_ADDRESSES NGX_IPV6_ADDRESSES
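Review bot: Entries rejected by `is_ipv4_address` are dropped from `NGX_IPV4_ADDRESSES` but stay in `NGX_IP_ADDRESSES`, which is exported before the loop runs. Anything containing `:` also goes into `NGX_IPV6_ADDRESSES` unchecked (the existing TODO). If any template reads `NGX_IP_ADDRESSES`, the filtering has no effect there. Rebuilding it after the loop from the two filtered lists would close that, e.g. `NGX_IP_ADDRESSES=$(append_list "${NGX_IPV4_ADDRESSES}" "${NGX_IPV6_ADDRESSES}")`. Until real IPv6 validation lands, rejecting candidates with characters outside `[0-9A-Fa-f:.]` would at least bound what is accepted.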

109
image-entry.d/04-resolver.envsh Executable file

@@ -0,0 +1,109 @@
#!/bin/sh
unset _NGX_RESOLVER_STACK _NGX_RESOLVER_TIMEOUT
## here should be SANE defaults (!)
_NGX_RESOLVER_STACK=ipv4
_NGX_RESOLVER_TIMEOUT=10s
if [ -z "${NGX_RESOLVER_STACK:-}" ] ; then
NGX_RESOLVER_STACK=${_NGX_RESOLVER_STACK}
else
NGX_RESOLVER_STACK=$(printf '%s' "${NGX_RESOLVER_STACK}" | tr '[:upper:]' '[:lower:]')
case "${NGX_RESOLVER_STACK}" in
none | ipv4 | ipv6 | any ) ;;
## adjust
0 | no )
NGX_RESOLVER_STACK=none
;;
4 | ip4 | v4 )
NGX_RESOLVER_STACK=ipv4
;;
6 | ip6 | v6 )
NGX_RESOLVER_STACK=ipv6
;;
all | dual )
NGX_RESOLVER_STACK=any
;;
* )
log_always "NGX_RESOLVER_STACK: unrecognized value: ${NGX_RESOLVER_STACK}"
log_always "setting NGX_RESOLVER_STACK=${_NGX_RESOLVER_STACK}"
NGX_RESOLVER_STACK=${_NGX_RESOLVER_STACK}
;;
esac
fi
export NGX_RESOLVER_STACK
if [ "${NGX_RESOLVER_STACK}" = 'none' ] ; then
unset NGX_RESOLV_CONF NGX_RESOLVER_TIMEOUT NGX_RESOLVERS
else
if [ -z "${NGX_RESOLVER_TIMEOUT:-}" ] ; then
NGX_RESOLVER_TIMEOUT=${_NGX_RESOLVER_TIMEOUT}
else
case "${NGX_RESOLVER_TIMEOUT}" in
[1-9] | [1-9][0-9] )
## convert implicit "seconds" to explicit
NGX_RESOLVER_TIMEOUT="${NGX_RESOLVER_TIMEOUT}s"
;;
## adjust
[1-9][Ss] | [1-9][0-9][Ss] )
NGX_RESOLVER_TIMEOUT="${NGX_RESOLVER_TIMEOUT%?}s"
;;
[1-9][Mm][Ss] | [1-9][0-9][Mm][Ss] | [1-9][0-9][0-9][Mm][Ss] | [1-9][0-9][0-9][0-9][Mm][Ss] | [1-9][0-9][0-9][0-9][0-9][Mm][Ss] )
NGX_RESOLVER_TIMEOUT="${NGX_RESOLVER_TIMEOUT%??}ms"
;;
* )
log_always "NGX_RESOLVER_TIMEOUT: unrecognized value: ${NGX_RESOLVER_TIMEOUT}"
log_always "setting NGX_RESOLVER_TIMEOUT=${_NGX_RESOLVER_TIMEOUT}"
NGX_RESOLVER_TIMEOUT=${_NGX_RESOLVER_TIMEOUT}
;;
esac
fi
export NGX_RESOLVER_TIMEOUT
unset _resolv_conf
while [ -z "${NGX_RESOLVERS+x}" ] ; do
_resolv_conf="${NGX_RESOLV_CONF-/etc/resolv.conf}"
[ -n "${_resolv_conf}" ] || break
[ -f "${_resolv_conf}" ] || break
[ -s "${_resolv_conf}" ] || break
unset i
while read -r i ; do
[ -n "$i" ] || continue
case "$i" in
## NB: /etc/resolv.conf allows (!) IPv6 addresses in dotted form (RFC 2373) but this is discouraged
*:* )
## TODO: IPv6 address validation
i="[$i]"
case "${NGX_RESOLVER_STACK}" in
any | ipv6 )
NGX_RESOLVERS=$(append_list "${NGX_RESOLVERS}" "$i")
;;
esac
;;
* )
if ! is_ipv4_address "$i" ; then
log_always "invalid IPv4 address: $i"
continue
fi
case "${NGX_RESOLVER_STACK}" in
any | ipv4 )
NGX_RESOLVERS=$(append_list "${NGX_RESOLVERS}" "$i")
;;
esac
;;
esac
done <<-EOF
$(mawk '$1 == "nameserver" {print $2}' < "${_resolv_conf}")
EOF
unset i
done
unset _resolv_conf
[ -z "${NGX_RESOLVERS}" ] || export NGX_RESOLVERS
fi
unset _NGX_RESOLVER_STACK _NGX_RESOLVER_TIMEOUT
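Review bot: The outer `while [ -z "${NGX_RESOLVERS+x}" ]` has no closing `break`, so it reruns forever when the resolv.conf file is non-empty but yields no nameserver accepted for the selected stack. In that case `NGX_RESOLVERS` stays unset and container start hangs. As rendered here the loop body ends with `unset i` and `done`, while the other run-once blocks in this commit end with `break ; done`. Adding `break` after the inner loop's `unset i` fixes it. Separately, a caller-supplied `NGX_RESOLVERS` skips the loop entirely and is exported without any of the address checks applied to resolv.conf entries.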


@@ -0,0 +1,12 @@
#!/bin/sh
if [ -z "${NGX_SSL_CERT_FILE:-}" ] ; then
unset NGX_SSL_CERT_FILE
if [ -n "${SSL_CERT_FILE:-}" ] ; then
log_always "SSL_CERT_FILE is already set (=${SSL_CERT_FILE})"
NGX_SSL_CERT_FILE=${SSL_CERT_FILE}
else
NGX_SSL_CERT_FILE="${volume_root}/ca.pem"
fi
fi
export NGX_SSL_CERT_FILE

9
image-entry.d/10-core.envsh Executable file

@@ -0,0 +1,9 @@
#!/bin/sh
set -a
NGX_CORE_MODULES="${NGX_CORE_MODULES:-}"
NGX_CORE_CONFLOAD="${NGX_CORE_CONFLOAD:-}"
NGX_CORE_EVENTS_CONFLOAD="${NGX_CORE_EVENTS_CONFLOAD:-}"
set +a


@@ -0,0 +1,56 @@
#!/bin/sh
unset core_modules core_confload
core_modules=
core_confload="${NGX_CORE_CONFLOAD:-}"
## filter out builtin core modules
unset i
for i in ${NGX_CORE_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module core "$i" ; then
log "$i is builtin module, moving to NGX_CORE_CONFLOAD"
core_confload=$(append_list "${core_confload}" "$i")
continue
fi
## naive deduplication
if list_have_item "${core_modules}" "$i" ; then
log "$i is already specified"
continue
fi
core_modules=$(append_list "${core_modules}" "$i")
done ; unset i
if [ -n "${core_modules:-}" ] ; then
## angie-module-wamr: depends on angie-module-wasm
## angie-module-wasmtime: depends on angie-module-wasm
unset want_wasm ; want_wasm=0
if list_have_item "${core_modules}" wamr ; then
want_wasm=1
elif list_have_item "${core_modules}" wasmtime ; then
want_wasm=1
fi
if [ ${want_wasm} = 1 ] ; then
## forcefully move 'wasm' to beginning of list
core_modules=$(printf '%s' " ${core_modules} " | sed -zE 's/ wasm / /;s/^/wasm/;s/ $//')
fi
unset want_wasm
fi
set -a
NGX_CORE_MODULES="${core_modules}"
NGX_CORE_CONFLOAD=$(sort_dedup_list "${core_confload}")
NGX_CORE_EVENTS_CONFLOAD=$(sort_dedup_list "${NGX_CORE_EVENTS_CONFLOAD}")
set +a
unset core_modules core_confload
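Review bot: The module-name filter is a denylist of `/`, `*` and `?`, so names containing `;`, `{`, `$`, quotes, `[` or a leading `.` pass through into `NGX_CORE_MODULES`. Presumably these names end up in module paths or include names in the generated configuration (the templates are not in this hunk), where such characters change what is loaded. An allowlist is tighter, adjusted to the real naming scheme: `*[!A-Za-z0-9_-]* ) log_always "module '$i' is not legal, skipping" ; continue ;;`. The unquoted `for i in ${NGX_CORE_MODULES:-}` is also subject to pathname expansion unless the sourcing shell has `set -f` active, which this file does not show. The same filter is repeated in the http, mail and stream module scripts of this commit.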


@@ -0,0 +1,76 @@
#!/bin/sh
if [ "${IEP_ROOT}" = 0 ] ; then
log "Running as non-root: user/group configuration may be excessive"
fi
unset _NGX_USER _NGX_GROUP
## here should be SANE defaults (!)
_NGX_USER=angie
_NGX_GROUP=angie
if [ -z "${NGX_USER:-}" ] ; then
NGX_USER=${_NGX_USER}
else
case "${NGX_USER}" in
"${_NGX_USER}" ) ;;
[1-9]* )
## numeric id - remap to name
_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
if [ -n "${_user_name}" ] ; then
NGX_USER=${_user_name}
else
log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}"
log_always "setting NGX_USER=${_NGX_USER}"
NGX_USER=${_NGX_USER}
fi
unset _user_name
;;
* )
_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
if [ -n "${_user_name}" ] ; then
NGX_USER=${_user_name}
else
log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}"
log_always "setting NGX_USER=${_NGX_USER}"
NGX_USER=${_NGX_USER}
fi
unset _user_name
;;
esac
fi
export NGX_USER
if [ -z "${NGX_GROUP:-}" ] ; then
NGX_GROUP=${_NGX_GROUP}
else
case "${NGX_GROUP}" in
"${_NGX_GROUP}" ) ;;
[1-9]* )
## numeric id - remap to name
_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
if [ -n "${_group_name}" ] ; then
NGX_GROUP=${_group_name}
else
log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}"
log_always "setting NGX_GROUP=${_NGX_GROUP}"
NGX_GROUP=${_NGX_GROUP}
fi
unset _group_name
;;
* )
_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
if [ -n "${_group_name}" ] ; then
NGX_GROUP=${_group_name}
else
log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}"
log_always "setting NGX_GROUP=${_NGX_GROUP}"
NGX_GROUP=${_NGX_GROUP}
fi
unset _group_name
;;
esac
fi
export NGX_GROUP
unset _NGX_USER _NGX_GROUP
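Review bot: Nothing stops `NGX_USER` from resolving to uid 0: `NGX_USER=root` and `NGX_USER=0` both reach the `*` branch, `getent passwd` succeeds, and the name is exported without comment. If running the server's workers as root is not intended, warn or fall back after resolution, e.g. `[ "$(id -u "${NGX_USER}")" != 0 ] || log_always "NGX_USER: resolves to uid 0"`. The `[1-9]*` pattern also matches non-numeric strings such as `1abc`, and both branches run the same `getent` call, so the split only changes the log text. The group block has the same shape.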


@@ -0,0 +1,206 @@
#!/bin/sh
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
## here should be SANE defaults (!)
_NGX_WORKER_PROCESSES=2
_NGX_WORKER_PRIORITY=0
_NGX_WORKER_RLIMIT_NOFILE=16384
_NGX_WORKER_CONNECTIONS=4096
_NGX_WORKER_AIO_REQUESTS=32
if [ -z "${NGX_WORKER_PROCESSES:-}" ] ; then
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
else
case "${NGX_WORKER_PROCESSES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
[Aa][Uu][Tt][Oo] )
## adjust
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
NGX_WORKER_PROCESSES=auto
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
* )
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
esac
fi
export NGX_WORKER_PROCESSES
if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
unset NGX_WORKER_CPU_AFFINITY
else
## let Angie handle this
set -a
NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
set +a
fi
if [ -z "${NGX_WORKER_CONNECTIONS:-}" ] ; then
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
else
case "${NGX_WORKER_CONNECTIONS}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
esac
fi
export NGX_WORKER_CONNECTIONS
if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
unset NGX_WORKER_PRIORITY
else
case "${NGX_WORKER_PRIORITY}" in
-[1-9] | -1[0-9] | -20 ) ;;
[0-9] | 1[0-9] | 20 ) ;;
-0 )
log_always "NGX_WORKER_PRIORITY: likely an error: '-0'"
log_always "adjusting NGX_WORKER_PRIORITY=0"
NGX_WORKER_PRIORITY=0
;;
* )
log_always "NGX_WORKER_PRIORITY: unrecognized value: ${NGX_WORKER_PRIORITY}"
log_always "setting NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}"
NGX_WORKER_PRIORITY=${_NGX_WORKER_PRIORITY}
;;
esac
export NGX_WORKER_PRIORITY
fi
if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
unset NGX_WORKER_RLIMIT_NOFILE
else
case "${NGX_WORKER_RLIMIT_NOFILE}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_RLIMIT_NOFILE: too low: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
## allow values within [100;9999999]
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_RLIMIT_NOFILE: unrecognized value: ${NGX_WORKER_RLIMIT_NOFILE}"
log_always "setting NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}"
NGX_WORKER_RLIMIT_NOFILE=${_NGX_WORKER_RLIMIT_NOFILE}
;;
esac
export NGX_WORKER_RLIMIT_NOFILE
fi
if [ -z "${NGX_WORKER_AIO_REQUESTS:-}" ] ; then
unset NGX_WORKER_AIO_REQUESTS
else
case "${NGX_WORKER_AIO_REQUESTS}" in
[0-9] )
log_always "NGX_WORKER_AIO_REQUESTS: too low: ${NGX_WORKER_AIO_REQUESTS}"
log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
;;
## allow values within [10;99999]
[1-9][0-9] ) ;;
[1-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9] ) ;;
[1-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_AIO_REQUESTS: unrecognized value: ${NGX_WORKER_AIO_REQUESTS}"
log_always "setting NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}"
NGX_WORKER_AIO_REQUESTS=${_NGX_WORKER_AIO_REQUESTS}
;;
esac
export NGX_WORKER_AIO_REQUESTS
fi
if [ -n "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
unset nofile_soft nofile_hard
nofile_soft=$(ulimit -Sn)
nofile_hard=$(ulimit -Hn)
if [ "${nofile_hard}" = unlimited ] ; then
## minor hack (if applicable) :)
nofile_hard=$((NGX_WORKER_RLIMIT_NOFILE + 1))
fi
unset nofile_ok ; nofile_ok=0
while : ; do
[ ${nofile_hard} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
[ ${nofile_soft} -ge ${NGX_WORKER_RLIMIT_NOFILE} ] || break
nofile_ok=1
break ; done
if [ ${nofile_ok} = 0 ] ; then
log_always "adjusting 'nofile' limits"
log_always "Limits before:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Hn "${NGX_WORKER_RLIMIT_NOFILE}"
nofile_hard=$(ulimit -Hn)
fi
if [ ${nofile_hard} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
log_always "lowering NGX_WORKER_RLIMIT_NOFILE to ${nofile_hard} due to hard limit"
NGX_WORKER_RLIMIT_NOFILE=${nofile_hard}
fi
if [ ${nofile_soft} -lt ${NGX_WORKER_RLIMIT_NOFILE} ] ; then
ulimit -Sn "${NGX_WORKER_RLIMIT_NOFILE}"
fi
log_always "Limits after:"
sed -En '1p;/open files/p' < /proc/$$/limits >&2
fi
unset nofile_soft nofile_hard nofile_ok
export NGX_WORKER_RLIMIT_NOFILE
fi
unset nofile_limit nofile_kind
if [ -z "${NGX_WORKER_RLIMIT_NOFILE:-}" ] ; then
nofile_limit=$(ulimit -Hn)
nofile_kind="'ulimit:nofile'"
else
nofile_limit=${NGX_WORKER_RLIMIT_NOFILE}
nofile_kind='NGX_WORKER_RLIMIT_NOFILE'
fi
if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
else
unset ratio
ratio=$(float_div "${nofile_limit}" "${NGX_WORKER_CONNECTIONS}")
case "${ratio}" in
1 | 1.* )
log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
;;
esac
unset ratio
fi
unset nofile_limit nofile_kind
unset _NGX_WORKER_PROCESSES _NGX_WORKER_PRIORITY _NGX_WORKER_RLIMIT_NOFILE _NGX_WORKER_CONNECTIONS _NGX_WORKER_AIO_REQUESTS
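Review bot: Only `nofile_hard` is normalised when `ulimit` reports `unlimited`; `nofile_soft` and the later `nofile_limit=$(ulimit -Hn)` go into `[ ... -ge ... ]` and `[ ... -lt ... ]` unchanged. A non-numeric operand makes `[` fail with an error, so the branch taken is decided by that error status rather than by the comparison. Mapping `unlimited` to a number for every `ulimit` read, before any comparison, would make the checks meaningful. The two advice messages also read inverted: the code warns when the nofile limit is below or close to `NGX_WORKER_CONNECTIONS`, yet the text says `NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than` the limit.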


@@ -0,0 +1,32 @@
#!/bin/sh
unset _NGX_LOGLEVEL
## here should be SANE defaults (!)
_NGX_LOGLEVEL=warn
if [ -z "${NGX_LOGLEVEL:-}" ] ; then
NGX_LOGLEVEL=${_NGX_LOGLEVEL}
else
NGX_LOGLEVEL=$(printf '%s' "${NGX_LOGLEVEL}" | tr '[:upper:]' '[:lower:]')
case "${NGX_LOGLEVEL}" in
alert | crit | emerg | error | notice | info | warn ) ;;
debug )
if [ "${NGX_DEBUG}" = 1 ] ; then
NGX_LOGLEVEL=debug
else
NGX_LOGLEVEL=info
log_always "NGX_LOGLEVEL: using 'debug' in non-debug image"
log_always "setting NGX_LOGLEVEL=${NGX_LOGLEVEL}"
fi
;;
* )
log_always "NGX_LOGLEVEL: unrecognized value: ${NGX_LOGLEVEL}"
log_always "setting NGX_LOGLEVEL=${_NGX_LOGLEVEL}"
NGX_LOGLEVEL=${_NGX_LOGLEVEL}
;;
esac
fi
export NGX_LOGLEVEL
unset _NGX_LOGLEVEL

18
image-entry.d/20-http.envsh Executable file

@@ -0,0 +1,18 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_MODULES NGX_HTTP_CONFLOAD NGX_HTTP_CACHES NGX_HTTP_STATIC_TEMPLATE NGX_HTTP_STATIC_MERGE
else
unset default_caches
default_caches='temp_client_body'
set -a
NGX_HTTP_MODULES="${NGX_HTTP_MODULES:-}"
NGX_HTTP_CONFLOAD="${NGX_HTTP_CONFLOAD:-}"
NGX_HTTP_CACHES=$(sort_dedup_list "${default_caches} ${NGX_HTTP_CACHES:-}")
NGX_HTTP_STATIC_TEMPLATE=$(gobool_to_int "${NGX_HTTP_STATIC_TEMPLATE:-1}" 1)
NGX_HTTP_STATIC_MERGE=$(gobool_to_int "${NGX_HTTP_STATIC_MERGE:-1}" 1)
set +a
unset default_caches
fi


@@ -0,0 +1,104 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_V2 NGX_HTTP_V3 NGX_HTTP_PROXY
else
set -a
NGX_HTTP_V2=$(gobool_to_int "${NGX_HTTP_V2:-0}" 0)
NGX_HTTP_V3=$(gobool_to_int "${NGX_HTTP_V3:-0}" 0)
NGX_HTTP_PROXY=$(gobool_to_int "${NGX_HTTP_PROXY:-1}" 1)
set +a
unset http_modules http_confload
http_modules=
http_confload="${NGX_HTTP_CONFLOAD:-}"
## filter out builtin http modules
unset i
for i in ${NGX_HTTP_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module http "$i" ; then
log "$i is builtin module, moving to NGX_HTTP_CONFLOAD"
http_confload=$(append_list "${http_confload}" "$i")
continue
fi
## naive deduplication
if list_have_item "${http_modules}" "$i" ; then
log "$i is already specified"
continue
fi
http_modules=$(append_list "${http_modules}" "$i")
done ; unset i
## grpc depends on http/2
if list_have_item "${http_confload}" grpc ; then
http_confload="${http_confload} v2"
fi
## fixes
if list_have_item "${http_confload}" v2 ; then
export NGX_HTTP_V2=1
fi
if list_have_item "${http_confload}" v3 ; then
export NGX_HTTP_V3=1
fi
if list_have_item "${http_confload}" proxy ; then
export NGX_HTTP_PROXY=1
fi
## adjustments
[ "${NGX_HTTP_V2}" = 0 ] || http_confload="${http_confload} v2"
[ "${NGX_HTTP_V3}" = 0 ] || http_confload="${http_confload} v3"
[ "${NGX_HTTP_PROXY}" = 0 ] || http_confload="${http_confload} proxy"
if [ -n "${http_modules:-}" ] ; then
## angie-module-lua: depends on angie-module-ndk
## angie-module-set-misc: depends on angie-module-ndk
unset want_ndk ; want_ndk=0
if list_have_item "${http_modules}" lua ; then
want_ndk=1
elif list_have_item "${http_modules}" set-misc ; then
want_ndk=1
fi
if [ ${want_ndk} = 1 ] ; then
## forcefully move 'ndk' to beginning of list
http_modules=$(printf '%s' " ${http_modules} " | sed -zE 's/ ndk / /;s/^/ndk/;s/ $//')
fi
unset want_ndk
## angie-module-wasm: http module requires core module to be loaded too
while : ; do
list_have_item "${http_modules}" wasm || break
if list_have_item "${NGX_CORE_MODULES}" wasm ; then break ; fi
log_always "adjusting NGX_CORE_MODULES to include 'wasm'"
NGX_CORE_MODULES=$(append_list "${NGX_CORE_MODULES}" wasm)
export NGX_CORE_MODULES
break ; done
fi
set -a
NGX_HTTP_MODULES="${http_modules}"
NGX_HTTP_CONFLOAD=$(sort_dedup_list "${http_confload}")
set +a
unset http_modules http_confload
## adjust caches
unset m
for m in fastcgi proxy scgi uwsgi ; do
list_have_item "${NGX_HTTP_CONFLOAD}" $m || continue
NGX_HTTP_CACHES="${NGX_HTTP_CACHES} temp_${m}"
done ; unset m
NGX_HTTP_CACHES=$(sort_dedup_list "${NGX_HTTP_CACHES}")
fi


@@ -0,0 +1,9 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_SSL_PROFILE
else
## here should be SANE defaults (!)
NGX_HTTP_SSL_PROFILE="${NGX_HTTP_SSL_PROFILE:-intermediate}"
export NGX_HTTP_SSL_PROFILE
fi
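Review bot: `NGX_HTTP_SSL_PROFILE` is exported exactly as supplied, while most other settings in this commit are matched against a pattern and reset with a log line when they do not fit. If the value selects a TLS parameter include (an assumption, the templates are not in this hunk), a typo or a value with path characters decides which protocol and cipher settings are loaded. A `case` that rejects anything but a plain profile name would cover it, e.g. `*[!a-z0-9_-]* )` falling back to `intermediate` with a `log_always` message. The mail and stream profile scripts are identical in this respect.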


@@ -0,0 +1,30 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_MAX_RANGES
else
unset _NGX_HTTP_MAX_RANGES
## here should be SANE defaults (!)
_NGX_HTTP_MAX_RANGES=16
if [ -z "${NGX_HTTP_MAX_RANGES:-}" ] ; then
unset NGX_HTTP_MAX_RANGES
else
case "${NGX_HTTP_MAX_RANGES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
0 )
log_always "HTTP: Range/If-Range/Accept-Ranges support is disabled by NGX_HTTP_MAX_RANGES=0"
;;
* )
log_always "NGX_HTTP_MAX_RANGES: unrecognized value: ${NGX_HTTP_MAX_RANGES}"
log_always "setting NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}"
NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}
;;
esac
export NGX_HTTP_MAX_RANGES
fi
unset _NGX_HTTP_MAX_RANGES
fi
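Review bot: `_NGX_HTTP_MAX_RANGES=16` is labelled as the default but is applied only to an unrecognised value. With the variable empty the script unsets it, which presumably leaves the server's own behaviour (no limit on ranges) in place, so an invalid setting is capped while no setting is not. If 16 is meant as the image default, replace the `unset NGX_HTTP_MAX_RANGES` branch with `NGX_HTTP_MAX_RANGES=${_NGX_HTTP_MAX_RANGES}` and export in both branches. If deferring to the server is intended, a comment such as `## empty: defer to Angie default (unlimited ranges)` would make that explicit.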


@@ -0,0 +1,112 @@
#!/bin/sh
if [ "${NGX_HTTP}" = 0 ] ; then
unset NGX_HTTP_TRANSPARENT_PROXY NGX_HTTP_FAKE_UA NGX_HTTP_FORWARDED NGX_HTTP_X_FORWARDED NGX_HTTP_X_REAL_IP
else
unset _NGX_HTTP_FAKE_UA _NGX_HTTP_FORWARDED _NGX_HTTP_X_FORWARDED _NGX_HTTP_X_REAL_IP
## here should be SANE defaults (!)
_NGX_HTTP_FAKE_UA='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36'
_NGX_HTTP_FORWARDED=pass
_NGX_HTTP_X_FORWARDED=pass
_NGX_HTTP_X_REAL_IP=pass
NGX_HTTP_TRANSPARENT_PROXY=$(gobool_to_int "${NGX_HTTP_TRANSPARENT_PROXY:-0}" 0)
export NGX_HTTP_TRANSPARENT_PROXY
[ -n "${NGX_HTTP_FAKE_UA:-}" ] || NGX_HTTP_FAKE_UA=${_NGX_HTTP_FAKE_UA}
export NGX_HTTP_FAKE_UA
if [ -n "${NGX_HTTP_FORWARDED:-}" ] ; then
NGX_HTTP_FORWARDED=$(printf '%s' "${NGX_HTTP_FORWARDED}" | tr '[:upper:]' '[:lower:]')
fi
if [ -n "${NGX_HTTP_X_FORWARDED:-}" ] ; then
NGX_HTTP_X_FORWARDED=$(printf '%s' "${NGX_HTTP_X_FORWARDED}" | tr '[:upper:]' '[:lower:]')
fi
if [ -n "${NGX_HTTP_X_REAL_IP:-}" ] ; then
NGX_HTTP_X_REAL_IP=$(printf '%s' "${NGX_HTTP_X_REAL_IP}" | tr '[:upper:]' '[:lower:]')
fi
if [ "${NGX_HTTP_TRANSPARENT_PROXY}" = 1 ] ; then
if [ -n "${NGX_HTTP_FORWARDED:-}" ] ; then
log_always "NGX_HTTP_FORWARDED: overridden to 'remove' due to NGX_HTTP_TRANSPARENT_PROXY=1"
fi
NGX_HTTP_FORWARDED=remove
if [ -n "${NGX_HTTP_X_FORWARDED:-}" ] ; then
log_always "NGX_HTTP_X_FORWARDED: overridden to 'remove' due to NGX_HTTP_TRANSPARENT_PROXY=1"
fi
NGX_HTTP_X_FORWARDED=remove
if [ -n "${NGX_HTTP_X_REAL_IP:-}" ] ; then
log_always "NGX_HTTP_X_REAL_IP: overridden to 'remove' due to NGX_HTTP_TRANSPARENT_PROXY=1"
fi
NGX_HTTP_X_REAL_IP=remove
else
if [ -z "${NGX_HTTP_FORWARDED:-}" ] ; then
NGX_HTTP_FORWARDED=${_NGX_HTTP_FORWARDED}
fi
case "${NGX_HTTP_FORWARDED}" in
pass | remove ) ;;
* )
unset x
x=$(gobool_to_int "${NGX_HTTP_FORWARDED}")
case "$x" in
0 ) NGX_HTTP_FORWARDED=remove ;;
1 ) NGX_HTTP_FORWARDED=pass ;;
* )
log_always "NGX_HTTP_FORWARDED: unrecognized value: ${NGX_HTTP_FORWARDED}"
log_always "setting NGX_HTTP_FORWARDED=${_NGX_HTTP_FORWARDED}"
NGX_HTTP_FORWARDED=${_NGX_HTTP_FORWARDED}
;;
esac
unset x
;;
esac
if [ -z "${NGX_HTTP_X_FORWARDED:-}" ] ; then
NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
fi
case "${NGX_HTTP_X_FORWARDED}" in
pass | remove ) ;;
* )
unset x
x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
case "$x" in
0 ) NGX_HTTP_X_FORWARDED=remove ;;
1 ) NGX_HTTP_X_FORWARDED=pass ;;
* )
log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}"
log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}"
NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
;;
esac
unset x
;;
esac
if [ -z "${NGX_HTTP_X_REAL_IP:-}" ] ; then
NGX_HTTP_X_REAL_IP=${_NGX_HTTP_X_REAL_IP}
fi
case "${NGX_HTTP_X_REAL_IP}" in
pass | remove ) ;;
* )
unset x
x=$(gobool_to_int "${NGX_HTTP_X_REAL_IP}")
case "$x" in
0 ) NGX_HTTP_X_REAL_IP=remove ;;
1 ) NGX_HTTP_X_REAL_IP=pass ;;
* )
log_always "NGX_HTTP_X_REAL_IP: unrecognized value: ${NGX_HTTP_X_REAL_IP}"
log_always "setting NGX_HTTP_X_REAL_IP=${_NGX_HTTP_X_REAL_IP}"
NGX_HTTP_X_REAL_IP=${_NGX_HTTP_X_REAL_IP}
;;
esac
unset x
;;
esac
fi
export NGX_HTTP_FORWARDED NGX_HTTP_X_FORWARDED NGX_HTTP_X_REAL_IP
unset _NGX_HTTP_FAKE_UA _NGX_HTTP_FORWARDED _NGX_HTTP_X_FORWARDED _NGX_HTTP_X_REAL_IP
fi
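Review bot: The defaults for `NGX_HTTP_FORWARDED`, `NGX_HTTP_X_FORWARDED` and `NGX_HTTP_X_REAL_IP` are all `pass`, and nothing here documents what that implies when this proxy is the first hop facing clients. If `pass` relays client-supplied header values upstream (the templates are outside this hunk), backends that trust them for client address or scheme can receive spoofed values. A comment beside the defaults would cover it, stating that `pass` assumes a trusted proxy in front and that `remove` is the setting for an edge deployment. The three validation blocks are also copies of one another and could share one helper.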

10
image-entry.d/30-mail.envsh Executable file

@@ -0,0 +1,10 @@
#!/bin/sh
if [ "${NGX_MAIL}" = 0 ] ; then
unset NGX_MAIL_MODULES NGX_MAIL_CONFLOAD
else
set -a
NGX_MAIL_MODULES="${NGX_MAIL_MODULES:-}"
NGX_MAIL_CONFLOAD="${NGX_MAIL_CONFLOAD:-}"
set +a
fi


@@ -0,0 +1,41 @@
#!/bin/sh
if [ "${NGX_MAIL}" = 1 ] ; then
unset mail_modules mail_confload
mail_modules=
mail_confload="${NGX_MAIL_CONFLOAD:-}"
## filter out builtin mail modules
unset i
for i in ${NGX_MAIL_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module mail "$i" ; then
log "$i is builtin module, moving to NGX_MAIL_CONFLOAD"
mail_confload=$(append_list "${mail_confload}" "$i")
continue
fi
## naive deduplication
if list_have_item "${mail_modules}" "$i" ; then
log "$i is already specified"
continue
fi
mail_modules=$(append_list "${mail_modules}" "$i")
done ; unset i
set -a
NGX_MAIL_MODULES="${mail_modules}"
NGX_MAIL_CONFLOAD=$(sort_dedup_list "${mail_confload}")
set +a
unset mail_modules mail_confload
fi


@@ -0,0 +1,9 @@
#!/bin/sh
if [ "${NGX_MAIL}" = 0 ] ; then
unset NGX_MAIL_SSL_PROFILE
else
## here should be SANE defaults (!)
NGX_MAIL_SSL_PROFILE="${NGX_MAIL_SSL_PROFILE:-intermediate}"
export NGX_MAIL_SSL_PROFILE
fi

10
image-entry.d/40-stream.envsh Executable file

@@ -0,0 +1,10 @@
#!/bin/sh
if [ "${NGX_STREAM}" = 0 ] ; then
unset NGX_STREAM_MODULES NGX_STREAM_CONFLOAD
else
set -a
NGX_STREAM_MODULES="${NGX_STREAM_MODULES:-}"
NGX_STREAM_CONFLOAD="${NGX_STREAM_CONFLOAD:-}"
set +a
fi


@@ -0,0 +1,42 @@
#!/bin/sh
if [ "${NGX_STREAM}" = 1 ] ; then
unset stream_modules stream_confload
stream_modules=
## stream module is almost meaningless without proxy [configuration]
stream_confload="proxy ${NGX_STREAM_CONFLOAD:-}"
## filter out builtin stream modules
unset i
for i in ${NGX_STREAM_MODULES:-} ; do
[ -n "$i" ] || continue
case "$i" in
*/* | *\** | *\?* )
log_always "module '$i' is not legal, skipping"
continue
;;
esac
if is_builtin_module stream "$i" ; then
log "$i is builtin module, moving to NGX_STREAM_CONFLOAD"
stream_confload=$(append_list "${stream_confload}" "$i")
continue
fi
## naive deduplication
if list_have_item "${stream_modules}" "$i" ; then
log "$i is already specified"
continue
fi
stream_modules=$(append_list "${stream_modules}" "$i")
done ; unset i
set -a
NGX_STREAM_MODULES="${stream_modules}"
NGX_STREAM_CONFLOAD=$(sort_dedup_list "${stream_confload}")
set +a
unset stream_modules stream_confload
fi


@@ -0,0 +1,9 @@
#!/bin/sh
if [ "${NGX_STREAM}" = 0 ] ; then
unset NGX_STREAM_SSL_PROFILE
else
## here should be SANE defaults (!)
NGX_STREAM_SSL_PROFILE="${NGX_STREAM_SSL_PROFILE:-intermediate}"
export NGX_STREAM_SSL_PROFILE
fi

40
image-entry.d/70-merge-dirs.sh Executable file

@@ -0,0 +1,40 @@
#!/bin/sh
set -ef
. /run/ngx/iep/00-common.envsh
## hack: override "cache", "lib" and "log" from /angie (and possibly from /etc/angie)
fake_dir=$(mktemp -d)
for n in ${persist_dirs} ; do touch "${fake_dir}/$n" ; done
install -d "${target_root}"
overlaydirs --merge "${target_root}" /etc/angie.dist /etc/angie /angie "${fake_dir}"
## fixup after merge
for n in ${persist_dirs} ; do rm -f "${target_root}/$n" ; done
rm -rf "${fake_dir}"
if [ "${NGX_HTTP_STATIC_MERGE}" = 0 ] ; then
src0=/etc/angie.dist/static
dst="${target_root}/static"
rm -rf "${dst}"
for r in /angie /etc/angie ; do
src="$r/static"
[ -d "${src}" ] || continue
if [ -h "${src}" ] ; then
log_always "${src} is a symbolic link, skipping!"
continue
fi
install -d "${dst}"
overlaydirs --merge "${dst}" ${src0} "${src}"
done
[ -d "${dst}" ] || {
log_always "static directory is almost empty!"
install -d "${dst}"
overlaydirs --merge "${dst}" ${src0}
}
fi
exit 0


@@ -0,0 +1,20 @@
#!/bin/sh
set -f
. /run/ngx/iep/00-common.envsh
s="${target_root}"
d="${volume_root}/conf.ctx"
comps=
[ "${NGX_HTTP}" = 0 ] || comps="${comps} http"
[ "${NGX_MAIL}" = 0 ] || comps="${comps} mail"
[ "${NGX_STREAM}" = 0 ] || comps="${comps} stream"
install -d "$d"
for n in ${comps} ; do
ln -s "$s/ctx-$n.conf" "$d/"
ln -s "$s/mod-$n.conf" "$d/"
done
exit 0


@@ -0,0 +1,58 @@
#!/bin/sh
set -ef
. /run/ngx/iep/00-common.envsh
user_install -d "${volume_root}/lock"
for n in ${persist_dirs} ; do
[ -n "$n" ] || continue
s="/angie/$n"
d="${volume_root}/$n"
while : ; do
[ -d "$s" ] || break
if [ -h "$s" ] ; then
log_always "$s is a symbolic link, skipping!"
break
fi
ln_s "$s" "$d"
## NB: we're NOT using "chmod -R" due to heavy and (potentially) unnecessary i/o
[ "${IEP_ROOT}" = 0 ] || chown "${NGX_USER}:${NGX_GROUP}" "$s" || :
break ; done
[ -d "$d" ] || user_install -d "$d"
done
## provide same symlinks as upstream (both Angie and nginx) docker images do
d="${volume_root}/log"
[ -e "$d/access.log" ] || ln -s /dev/stdout "$d/access.log"
[ -e "$d/error.log" ] || ln -s /dev/stderr "$d/error.log"
d="${volume_root}/cache"
for n in ${NGX_HTTP_CACHES:-} ; do
[ -n "$n" ] || continue
[ -d "$d/$n" ] || user_install -d "$d/$n"
done
if list_have_item "${NGX_HTTP_CONFLOAD}" acme ; then
d="${volume_root}/lib/acme"
[ -d "$d" ] || user_install -d "$d"
fi
if list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then
d="${target_root}/lib/modsecurity"
[ -d "$d" ] || user_install -d "$d"
d="${target_root}/log"
for n in modsecurity modsecurity/concurrent ; do
[ -n "$n" ] || continue
[ -d "$d/$n" ] || user_install -d "$d/$n"
done
fi
exit 0
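Review bot: The modsecurity block creates its directories under `${target_root}/lib/modsecurity` and `${target_root}/log`, while every other persistent path in this script (`lock`, the `persist_dirs` loop, `cache`, `lib/acme`) is under `${volume_root}`. If that is not deliberate, the modsecurity data and log directories end up inside the merged configuration tree rather than next to the other persistent directories; the assignments would then read `d="${volume_root}/lib/modsecurity"` and `d="${volume_root}/log"`. The comment above the `chown` line also says `chmod -R` where `chown -R` seems to be meant.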


@@ -0,0 +1,114 @@
#!/bin/sh
set -f
. /run/ngx/iep/00-common.envsh
## Angie: unset core variables
unset ANGIE ANGIE_BPF_MAPS
[ "${NGX_STRICT_LOAD}" = 0 ] || set -e
cd "${target_root}/"
expand_error_delim() {
IEP_DEBUG=0 log_always ' ----------------------------------- '
}
unset expand_error_seen
expand_error() {
[ "${expand_error_seen:-}" != 1 ] || return
expand_error_seen=1
expand_error_delim
log_always 'template expansion has failed'
if [ "${NGX_STRICT_LOAD}" = 1 ] ; then
t=15
log_always "injecting delay for $t seconds"
expand_error_delim
sleep $t
exit 1
fi
expand_error_delim
}
set +e
## NB: j2cfg/ and static/ are handled separately
merge_dirs=$(find ./ -follow -mindepth 1 -maxdepth 1 -type d -printf '%P/\n' | grep -Fxv -e j2cfg/ -e static/ | sort -uV)
[ "${NGX_STRICT_LOAD}" = 0 ] || set -e
unset ENVSUBST_ARGS
ENVSUBST_ARGS="${volume_root}/diag.envsubst.txt"
envsubst-args.sh > "${ENVSUBST_ARGS}"
export ENVSUBST_ARGS
## envsubst is simple and fast
## expand j2cfg/ first, then other directories
expand_dir_envsubst j2cfg/ || expand_error
expand_dir_envsubst ${merge_dirs} || expand_error
## j2cfg is more complex
unset J2CFG_CONFIG
set -a
J2CFG_PATH="${target_root}/j2cfg"
J2CFG_SEARCH_PATH="${target_root}"
set +a
## expand j2cfg/ first
expand_dir_j2cfg j2cfg/ || expand_error
## dump [merged] j2cfg config
j2cfg_dump="${volume_root}/diag.j2cfg.yml"
j2cfg-dump > "${j2cfg_dump}" || expand_error
export J2CFG_CONFIG="${j2cfg_dump}"
## expand other directories
expand_dir_j2cfg ${merge_dirs} || expand_error
## expand static/
## remove template sources in order to avoid leaking sensitive data
if [ "${NGX_HTTP_STATIC_TEMPLATE}" = 1 ] ; then
template_list=$(mktemp)
find static/ -follow -name '*.in' -type f \
| {
set +e
if [ -n "${NGX_STATIC_EXCLUDE_REGEX:-}" ] ; then
grep -Ev -e "${NGX_STATIC_EXCLUDE_REGEX}"
elif [ -n "${NGX_STATIC_INCLUDE_REGEX:-}" ] ; then
grep -E -e "${NGX_STATIC_INCLUDE_REGEX}"
else
cat
fi
} \
| sort -uV > "${template_list}"
while read -r src ; do
[ -n "${src}" ] || continue
expand_file_envsubst "${src}" || expand_error
rm -fv "${src}"
done < "${template_list}"
find static/ -follow -name '*.j2' -type f -printf '%p\0' \
| {
set +e
if [ -n "${NGX_STATIC_EXCLUDE_REGEX:-}" ] ; then
grep -zEv -e "${NGX_STATIC_EXCLUDE_REGEX}"
elif [ -n "${NGX_STATIC_INCLUDE_REGEX:-}" ] ; then
grep -zE -e "${NGX_STATIC_INCLUDE_REGEX}"
else
cat
fi
} \
| sort -zuV > "${template_list}"
if [ -s "${template_list}" ] ; then
xargs -0r -n 1000 -a "${template_list}" \
j2cfg-multi < /dev/null || expand_error
xargs -0r -n 1000 -a "${template_list}" \
rm -fv < /dev/null
fi
rm -f "${template_list}"
fi
exit 0
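Review bot: The `*.in` pass over `static/` builds a newline-delimited list and reads it with `while read -r src`, unlike the `*.j2` pass, which is NUL-delimited end to end. A template whose name has leading or trailing whitespace (stripped by `read` without `IFS=`) or an embedded newline is neither expanded nor removed by `rm -fv`, so its source stays in `static/`, which is what the comment about leaking sensitive data is meant to prevent. Using `while IFS= read -r src` fixes the whitespace case; moving this pass to `-printf '%p\0'` with `grep -z` and `sort -z`, like the second pass, covers newlines too. `${template_list}` is also left behind when `expand_error` exits in strict mode.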

143
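--- a/image-entry.d/74-combine-tree.sh
+++ b/image-entry.d/74-combine-tree.sh
@@ -0,0 +1,143 @@
+#!/bin/sh
+set -f
+. /run/ngx/iep/00-common.envsh
+[ "${NGX_STRICT_LOAD}" = 0 ] || set -e
+load_error_delim() {
+IEP_DEBUG=0 log_always ' ----------------------------------- '
+}
+unset load_error_seen
+load_error() {
+[ "${load_error_seen:-}" != 1 ] || return
+load_error_seen=1
+load_error_delim
+log_always 'tree combine has failed'
+if [ "${NGX_STRICT_LOAD}" = 1 ] ; then
+t=15
+log_always "injecting delay for $t seconds"
+load_error_delim
+sleep $t
+exit 1
+fi
+load_error_delim
+}
+install -d "${volume_root}/conf.load"
+## Angie modules are loaded in [strict] order!
+combine_modules() {
+[ -n "$1" ] || return 1
+local n
+n="$1" ; shift
+[ $# -ne 0 ] || return 0
+local i m src_dir dst_dir src_name dst_name src_path dst_path dst_dir
+src_dir="${target_root}/mod"
+dst_dir="${volume_root}/conf.load"
+i=0
+for m ; do
+[ -n "$m" ] || continue
+case "$m" in
+/* | */../* | *\** | *\?* )
+log_always "module config filename '$m' is not legal, skipping"
+continue
+;;
+esac
+case "$m" in
+*/* ) src_name="$m.conf" ;;
+* ) src_name="$n-$m.conf" ;;
+esac
+dst_name=$(printf 'mod-%s-%02d-%s.conf' "$n" "$i" "$m" | tr -s '/_' '_')
+src_path="${src_dir}/${src_name}"
+if ! [ -f "${src_path}" ] ; then
+log_always "file ${src_name} is not found in ${src_dir}/"
+load_error
+log "file ${src_name} is skipped"
+continue
+fi
+dst_path="${dst_dir}/${dst_name}"
+ln_cp "${src_path}" "${dst_path}"
+i=$((i+1))
+done
+}
+combine_confload() {
+[ -n "$1" ] || return 1
+local n
+n="$1" ; shift
+[ $# -ne 0 ] || return 0
+local s src_dir dst_dir src_name dst_name src_path dst_path
+src_dir="${target_root}/conf"
+dst_dir="${volume_root}/conf.load"
+for s ; do
+[ -n "$s" ] || continue
+case "$s" in
+/* | */../* | *\** | *\?* )
+log_always "config filename '$s' is not legal, skipping"
+continue
+;;
+esac
+case "$s" in
+*/* ) src_name="$s.conf" ;;
+* ) src_name="$n-$s.conf" ;;
+esac
+dst_name=$(printf '%s-%s.conf' "$n" "$s" | tr -s '/_' '_')
+dst_path="${dst_dir}/${dst_name}"
+if [ -e "${dst_path}" ] ; then
+log "${dst_path} already exists, skipping"
+continue
+fi
+src_path="${src_dir}/${src_name}"
+if ! [ -f "${src_path}" ] ; then
+log_always "file ${src_name} is not found in ${src_dir}/"
+if [ "${NGX_ALLOW_MISSING_CONFLOAD:-}" != 1 ] ; then
+load_error
+log "file ${src_name} is skipped"
+fi
+continue
+fi
+ln_cp "${src_path}" "${dst_path}"
+done
+}
+combine_modules core ${NGX_CORE_MODULES:-}
+combine_modules http ${NGX_HTTP_MODULES:-}
+combine_modules mail ${NGX_MAIL_MODULES:-}
+combine_modules stream ${NGX_STREAM_MODULES:-}
+loose=$(( 1 - NGX_STRICT_LOAD ))
+NGX_ALLOW_MISSING_CONFLOAD=$(gobool_to_int "${NGX_ALLOW_MISSING_CONFLOAD:-${loose}}" ${loose})
+combine_confload core ${NGX_CORE_CONFLOAD:-}
+combine_confload core_ev ${NGX_CORE_EVENTS_CONFLOAD:-}
+combine_confload http ${NGX_HTTP_CONFLOAD:-}
+combine_confload mail ${NGX_MAIL_CONFLOAD:-}
+combine_confload stream ${NGX_STREAM_CONFLOAD:-}
+## some modules doesn't have configuration at all
+NGX_ALLOW_MISSING_CONFLOAD=1
+combine_confload core ${NGX_CORE_MODULES:-}
+combine_confload http ${NGX_HTTP_MODULES:-}
+combine_confload mail ${NGX_MAIL_MODULES:-}
+combine_confload stream ${NGX_STREAM_MODULES:-}
+exit 0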
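Review bot: The name filter in `combine_modules` (`/* | */../* | *\** | *\?* )`) and its copy in `combine_confload` do not match an entry that begins with `../`, because `*/../*` needs a slash before the dots. Such an entry in one of the `NGX_*_MODULES` or `NGX_*_CONFLOAD` lists passes the check and makes `src_path` resolve outside `${target_root}/mod` or `${target_root}/conf`. The values come from the container environment, so the exposure is limited to whoever sets it, but the filter is clearly meant to keep lookups inside those directories; `/* | ../* | */../* | *\** | *\?* )` in both functions closes the gap. The `local` line in `combine_modules` also lists `dst_dir` twice.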


@@ -0,0 +1,16 @@
#!/bin/sh
set -f
. /run/ngx/iep/00-common.envsh
conf=/run/ngx/conf/autoconf/core-user.conf
if [ "${IEP_ROOT}" = 1 ] ; then
log "Running as root, no need to adjust configuration"
exit 0
fi
log_always "Running as non-root, adjusting configuration"
rm -fv "${conf}"
exit 0
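Review bot: `conf` is hard-coded as `/run/ngx/conf/autoconf/core-user.conf` although the script sources the common file that provides `target_root`, and the environment-cleanup script builds its path as `${target_root}/autoconf/core-worker-env.txt`. Writing `conf="${target_root}/autoconf/core-user.conf"` keeps the two in step if the volume root ever changes. A one-line comment saying what `core-user.conf` contains and why it has to be removed when not running as root would also help the reader.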


@@ -0,0 +1,135 @@
#!/bin/sh
unset def_bundle def_bundle_fp
def_bundle='/etc/ssl/certs/ca-certificates.crt'
def_bundle_fp="${def_bundle}.fp"
while : ; do
if [ -n "${SSL_CERT_FILE:-}" ] ; then
log_always "NOT merging CA certificates (if any): SSL_CERT_FILE is already set (=${SSL_CERT_FILE})"
break
fi
[ -d "${target_root}/tls/ca" ] || break
unset w
w=$(mktemp -d) || break
find "${target_root}/tls/ca/" -follow -type f | sort -V > "$w/all.list"
[ -s "$w/all.list" ] || break
## entering processing section
touch "$w/processing"
unset orig_ca_file
while read -r orig_ca_file ; do
[ -n "${orig_ca_file}" ] || continue
openssl-cert-auto-pem.sh "${orig_ca_file}"
done < "$w/all.list" > "$w/all.pem"
unset orig_ca_file
[ -s "$w/all.pem" ] || break
openssl-cert-auto-pem.sh "$w/all.pem" "$w/new.pem" "$w/new.fp" "$w/new.off"
[ -s "$w/new.pem" ] || break
[ -s "$w/new.fp" ] || break
[ -s "$w/new.off" ] || break
rm -f "$w/all.pem"
## leaving processing section
rm -f "$w/processing"
unset def_bundle_bind_mount
def_bundle_bind_mount=1
while : ; do
unset devno_root
devno_root=$(env stat -c '%d' / )
[ -f "${def_bundle}" ] || break
unset devno_bundle
devno_bundle=$(env stat -L -c '%d' "${def_bundle}")
[ "${devno_root}" = "${devno_bundle}" ] || break
[ -f "${def_bundle_fp}" ] || break
unset devno_bundle_fp
devno_bundle_fp=$(env stat -L -c '%d' "${def_bundle_fp}")
[ "${devno_root}" = "${devno_bundle_fp}" ] || break
def_bundle_bind_mount=0
break ; done
unset devno_root devno_bundle devno_bundle_fp
if [ "${def_bundle_bind_mount}" = 1 ] ; then
log_always "detected bind-mount inside ${def_bundle%/*}/"
log_always "this is merely misuse!"
if [ -s "${def_bundle}" ] ; then
openssl-cert-auto-pem.sh "${def_bundle}" "$w/cacert.pem" "$w/cacert.fp"
fi
else
ln -s "${def_bundle}" "$w/cacert.pem"
ln -s "${def_bundle_fp}" "$w/cacert.fp"
fi
unset with_def_bundle
with_def_bundle=0
while : ; do
[ -s "$w/cacert.pem" ] || break
[ -s "$w/cacert.fp" ] || break
with_def_bundle=1
break ; done
if [ "${with_def_bundle}" = 1 ] ; then
grep -Fxnv -f "$w/cacert.fp" "$w/new.fp" | cut -d : -f 1 > "$w/diff.ln"
[ -s "$w/diff.ln" ] || break
else
: > "$w/diff.ln"
fi
: > "${volume_root}/ca.pem"
if [ "${with_def_bundle}" = 1 ] ; then
cat < "$w/cacert.pem" > "${volume_root}/ca.pem"
else
log_always "NOT using ${def_bundle} - empty or missing"
fi
unset n off
while read -r n ; do
[ -n "$n" ] || continue
off=$(sed -ne "${n}p" "$w/new.off")
[ -n "${off}" ] || continue
sed -ne "${off}p" "$w/new.pem"
done < "$w/diff.ln" >> "${volume_root}/ca.pem"
unset n off
set -a
SSL_CERT_FILE="${volume_root}/ca.pem"
## merely a quirk
SSL_CERT_DIR="${empty_dir}"
set +a
break ; done
unset def_bundle_fp def_bundle_bind_mount with_def_bundle
while ! [ -f "${volume_root}/ca.pem" ] ; do
[ -s "${def_bundle}" ] || break
ln -s "${def_bundle}" "${volume_root}/ca.pem"
break ; done
unset def_bundle
[ -f "${volume_root}/ca.pem" ] || : > "${volume_root}/ca.pem"
if [ -n "${w:-}" ] ; then
if [ -f "$w/processing" ] ; then
rm -f "$w/processing"
log_always "unable to merge CA certificates (see below for details):"
log_always "directory listing:"
env -C "$w" ls -lA >&2
log_always "directory listing (following symlinks):"
env -C "$w" ls -L -lA >&2
log_always "consider contacting developers"
fi
rm -rf "$w"
fi
unset w
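Review bot: When the default bundle is missing or empty (`with_def_bundle=0`), `diff.ln` is truncated with `: > "$w/diff.ln"`, so the final `while read -r n` loop appends nothing and `SSL_CERT_FILE` is exported pointing at an empty `ca.pem`, even though `new.pem` holds the certificates collected from `${target_root}/tls/ca/`. That fails closed, but it looks unintended; replacing the truncation with `awk '{ print NR }' "$w/new.fp" > "$w/diff.ln"` would append all of them (this assumes `new.fp` and `new.off` are line-aligned, as the `grep -n` branch already does). The success path also logs nothing about what was added to the trust bundle; a `log_always` line with the number of appended certificates would give operators an audit trail.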


@@ -0,0 +1,31 @@
#!/bin/sh
set -f
. /run/ngx/iep/00-common.envsh
## Angie: unset core variables
unset ANGIE ANGIE_BPF_MAPS
## merely debug test
log_always 'test Angie configuration:'
log_always '========================='
(
exec 1>"${volume_root}/diag.angie.conf"
angie -T
)
r=$?
log_always '========================='
if [ $r = 0 ] ; then
log_always 'ready to run Angie'
else
log_always 'configuration test has failed, see above'
t=15
log_always "injecting delay for $t seconds"
sleep $t
fi
## cleanup after test
rm -f "${volume_root}/angie.pid"
exit 0
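Review bot: `angie -T` prints the complete expanded configuration, and the subshell redirects it to `${volume_root}/diag.angie.conf` with the default umask and leaves the file in place. The template step removes its sources to avoid leaking sensitive data, but whatever those templates expanded to will be in this dump as well. Setting `umask 077` inside the subshell before the `exec 1>` line, or removing the file once the test passes, would limit who can read it. The test result is also discarded by the final `exit 0`; if that is intended even with `NGX_STRICT_LOAD=1`, a comment saying so would help.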


@@ -0,0 +1,67 @@
#!/bin/sh
## Angie: unset core variables
unset ANGIE ANGIE_BPF_MAPS
IEP_RETAIN_ENV=$(gobool_to_int "${IEP_RETAIN_ENV:-0}" 0)
if [ "${IEP_RETAIN_ENV}" = 1 ] ; then
log_always "NOT removing following variables:"
sed -E '/^./s,^, ,' >&2
echo >&2
else
unset __set
__set="$-"
set +e
unset __env __env_print
while read -r __env ; do
[ -n "${__env}" ] || continue
case "${__env}" in
\'* | \"* )
log "skipping variable (malformed): ${__env}" >&2
continue
;;
esac
if [ "${IEP_DEBUG}" = 1 ] ; then
__env_print="${__env}="$(printenv "${__env}")
__env_print=$(env printf '%q' "${__env_print}")
log_always "unsetting variable: ${__env_print}"
else
log "unsetting variable: ${__env}"
fi
unset "${__env}"
done
unset __env __env_print
[ -z "${__set}" ] || set -"${__set}"
unset __set
fi <<-EOF
$(
set +e
cat /proc/$$/environ \
| sed -zEn '/^([^=]+).*$/s//\1/p' \
| xargs -0r printf '%q\n' \
| {
## retain variables defined in ".core_worker_env" configuration key
## (if it was specified somewhere in dictionaries - either yaml or json)
f="${target_root}/autoconf/core-worker-env.txt"
[ -s "$f" ] || exec cat
grep -Fxv -f "$f"
} \
| {
## remove environment variables:
## 1. variables starting with "NGX" as they are used by configuration templates
## 2. variables containing "_SERVICE" or "_PORT" as they are came from
## container orchestration
grep -E \
-e '^NGX' \
-e '_(SERVICE|PORT)' \
} \
| sort -uV
)
EOF