From 86af6345e5c75f083da686258c4569395a04fe44 Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Mon, 30 Sep 2024 20:45:03 +0300
Subject: [PATCH] image-entry: refine
---
 image-entry.d/00-common.envsh | 17 ++-
 image-entry.d/02-nonroot.envsh | 3 +-
 image-entry.d/03-local-override.envsh | 13 ++-
 image-entry.d/04-local-ip-addresses.envsh | 5 +
 image-entry.d/12-core-user.envsh | 118 ++++++++++----------
 image-entry.d/13-core-worker.envsh | 89 ++++++++-------
 image-entry.d/21-http-modules.envsh | 70 +++++-------
 image-entry.d/24-http-forward-headers.envsh | 47 ++++----
 image-entry.d/99-cleanup-env.envsh | 2 +-
 9 files changed, 193 insertions(+), 171 deletions(-)
diff --git a/image-entry.d/00-common.envsh b/image-entry.d/00-common.envsh
index 72574e9..339f558 100644
--- a/image-entry.d/00-common.envsh
+++ b/image-entry.d/00-common.envsh
@@ -8,7 +8,7 @@ empty_dir='/var/lib/empty'
 have_envvar() {
 [ -n "$1" ] || return 1
- grep -Ezq "^$1=" /proc/self/environ || return
+ grep -Ezq "^$1=" /proc/$$/environ || return
 }
 ## unexporting variable in (POSIX) sh is PITA =/
@@ -202,6 +202,7 @@ prepend_list() {
 }
 list_have_item() {
+ [ -n "$1" ] || return 1
 [ -n "$2" ] || return 1
 case " $1 " in
 *" $2 "* ) return 0 ;;
@@ -213,16 +214,15 @@ normalize_list() {
 [ -n "$1" ] || return 0
 printf '%s' "$1" \
- | tr -s '[:space:]' ' ' \
- | sed -zE 's/^ //;s/ $//'
+ | sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
 }
 sort_dedup_list() {
 [ -n "$1" ] || return 0
 printf '%s' "$1" \
- | tr -s '[:space:]' '\n' | sort -uV | paste -sd ' ' \
- | sed -zE 's/^\s+//;s/\s+$//'
+ | tr -s '[:space:]' '\n' | sort -uV \
+ | sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
 }
 float_div() {
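Review bot: `$1` is still interpolated into the ERE unescaped in the new `grep -Ezq "^$1=" /proc/$$/environ`, so a name containing regex metacharacters (`NGX_.*`, `A|B`) matches variables the caller never asked about; the helper only makes sense for shell identifiers, so reject anything else first: `case "$1" in *[!A-Za-z0-9_]* | [0-9]* ) return 1 ;; esac`. The switch from `/proc/self/environ` also changes what is being asked: inside the pipeline `/proc/self` was grep's own environment (the shell's current export set at exec time), whereas `/proc/$$/environ` is, as far as I can tell, the environment the shell was started with and does not reflect variables exported later by earlier image-entry.d scripts. If that is the intent, say so next to the call, e.g. `## looks at the environment the entrypoint was started with, not the current export set`.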
@@ -235,4 +235,11 @@ find_fast() {
 randN() {
 od -v -A n -t x1 -N "$1" < /dev/urandom | tr -d '[:space:]'
+}
+
+re_ipv4_oct='[0-9]|[1-9][0-9]|[1-9][0-9][0-9]|2[0-4][0-9]|25[0-5]'
+re_ipv4_addr="^${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\$"
+is_ipv4_address() {
+ [ -n "$1" ] || return 1
+ printf '%s' "$1" | grep -zEq "${re_ipv4_addr}" || return 1
 }
\ No newline at end of file
diff --git a/image-entry.d/02-nonroot.envsh b/image-entry.d/02-nonroot.envsh
index 1fa40f9..aadf2f0 100755
--- a/image-entry.d/02-nonroot.envsh
+++ b/image-entry.d/02-nonroot.envsh
@@ -2,5 +2,6 @@
 unset IEP_ROOT
 IEP_ROOT=1
-[ "$(stat -c %u /proc/1)" = 0 ] || IEP_ROOT=0
+# [ "$(env stat -Lc %u /proc/$$)" = 0 ] || IEP_ROOT=0
+[ "$(id -n)" = 0 ] || IEP_ROOT=0
 export IEP_ROOT
diff --git a/image-entry.d/03-local-override.envsh b/image-entry.d/03-local-override.envsh
index 95df4eb..97a0116 100755
--- a/image-entry.d/03-local-override.envsh
+++ b/image-entry.d/03-local-override.envsh
@@ -3,15 +3,18 @@
 unset IEP_LOCAL_OVERRIDE
 IEP_LOCAL_OVERRIDE=0
-unset _fsspec _fstarget _fstype _fsopts _fsreq _fspass
-while read -r _fsspec _fstarget _fstype _fsopts _fsreq _fspass ; do
- case "${_fstarget}" in
+unset _fsspec i _extra
+while read -r _fsspec i _extra ; do
+ [ -n "$i" ] || continue
+ case "$i" in
 /angie | /angie/* )
 IEP_LOCAL_OVERRIDE=1
 break
 ;;
 esac
-done < /proc/mounts
-unset _fsspec _fstarget _fstype _fsopts _fsreq _fspass
+done <<-EOF
+$(grep -F angie /proc/mounts)
+EOF
+unset _fsspec i _extra
 export IEP_LOCAL_OVERRIDE
diff --git a/image-entry.d/04-local-ip-addresses.envsh b/image-entry.d/04-local-ip-addresses.envsh
index 10bb06b..f3e2bf9 100755
--- a/image-entry.d/04-local-ip-addresses.envsh
+++ b/image-entry.d/04-local-ip-addresses.envsh
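Review bot: `re_ipv4_oct` is an unparenthesized alternation, so after interpolation `re_ipv4_addr` reads `^[0-9]|[1-9][0-9]|…|25[0-5]\.[0-9]|…` and the `|` binds weaker than both the concatenation and the anchors; the pattern therefore matches any string that merely contains two digits (`is_ipv4_address foo12` and `is_ipv4_address 999.999.999.999` both succeed). Group the octet: `re_ipv4_oct='([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|2[0-4][0-9]|25[0-5])'`. This helper backs the new check in 04-local-ip-addresses.envsh, so that validation is currently a no-op for most malformed input.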
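Review bot: `id -n` on its own is not a valid invocation — `-n` only modifies `-u`/`-g`/`-G`, and coreutils rejects it with "cannot print only names or real IDs in default format" — so `$(id -n)` is empty (or a name) and the comparison with `0` can never hold; IEP_ROOT ends up 0 even when the entrypoint runs as root. The numeric uid was evidently meant: `[ "$(id -u)" = 0 ] || IEP_ROOT=0`. The commented-out `env stat -Lc %u /proc/$$` line should be dropped rather than kept as a dead alternative.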
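Review bot: the reason for feeding the loop from a here-document wrapping `grep -F angie /proc/mounts` instead of `done < /proc/mounts` is not stated, and a redirect from the file would keep the loop in the current shell just as well, so a reader cannot tell what the change buys. A why-comment above `while read -r _fsspec i _extra` would settle it, e.g. `## pre-filter so only candidate lines are parsed; <reason for the here-document> — TODO confirm`. Note that `grep -F angie` also matches device names and mount options containing the string; that is harmless only because the `case` on the mount target still decides, which is worth saying in the same comment.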
@@ -13,9 +13,14 @@ unset NGX_IPV4_ADDRESSES NGX_IPV6_ADDRESSES
 for i in ${NGX_IP_ADDRESSES} ; do
 case "$i" in
 *:* )
+ ## TODO: IPv6 address validation
 NGX_IPV6_ADDRESSES=$(append_list "${NGX_IPV6_ADDRESSES}" "$i")
 ;;
 * )
+ if ! is_ipv4_address "$i" ; then
+ log_always "invalid IPv4 address: $i"
+ continue
+ fi
 NGX_IPV4_ADDRESSES=$(append_list "${NGX_IPV4_ADDRESSES}" "$i")
 ;;
 esac
diff --git a/image-entry.d/12-core-user.envsh b/image-entry.d/12-core-user.envsh
index 38b7e2f..97a442d 100755
--- a/image-entry.d/12-core-user.envsh
+++ b/image-entry.d/12-core-user.envsh
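Review bot: the new IPv4 branch rejects bad entries, but the `*:*` branch still appends anything containing a colon to NGX_IPV6_ADDRESSES, so a typo such as `2001:db8::zz` sails past the validation this commit introduces. Until the TODO is resolved, a character screen keeps obvious junk out without a full parser: `case "$i" in *[!0-9A-Fa-f:.%]* ) log_always "invalid IPv6 address: $i" ; continue ;; esac` (the `%` admits a zone id; drop it if scoped addresses are not expected here). Also note that `${NGX_IP_ADDRESSES}` is expanded unquoted on the `for` line, so an item like `*` undergoes pathname expansion before either check runs; `set -f` around the loop avoids that.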
@@ -9,62 +9,68 @@ unset _NGX_USER _NGX_GROUP
 _NGX_USER=angie
 _NGX_GROUP=angie
-[ -n "${NGX_USER:-}" ] || NGX_USER=${_NGX_USER}
-case "${NGX_USER}" in
-"${_NGX_USER}" ) ;;
-## numeric id - remap to name
-[1-9]* )
- _user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
- if [ -n "${_user_name}" ] ; then
- NGX_USER=${_user_name}
- else
- log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}"
- log_always "setting NGX_USER=${_NGX_USER}"
- NGX_USER=${_NGX_USER}
- fi
- unset _user_name
-;;
-* )
- _user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
- if [ -n "${_user_name}" ] ; then
- NGX_USER=${_user_name}
- else
- log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}"
- log_always "setting NGX_USER=${_NGX_USER}"
- NGX_USER=${_NGX_USER}
- fi
- unset _user_name
-;;
-esac
+if [ -z "${NGX_USER:-}" ] ; then
+ NGX_USER=${_NGX_USER}
+else
+ case "${NGX_USER}" in
+ "${_NGX_USER}" ) ;;
+ [1-9]* )
+ ## numeric id - remap to name
+ _user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
+ if [ -n "${_user_name}" ] ; then
+ NGX_USER=${_user_name}
+ else
+ log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}"
+ log_always "setting NGX_USER=${_NGX_USER}"
+ NGX_USER=${_NGX_USER}
+ fi
+ unset _user_name
+ ;;
+ * )
+ _user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
+ if [ -n "${_user_name}" ] ; then
+ NGX_USER=${_user_name}
+ else
+ log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}"
+ log_always "setting NGX_USER=${_NGX_USER}"
+ NGX_USER=${_NGX_USER}
+ fi
+ unset _user_name
+ ;;
+ esac
+fi
+export NGX_USER
-[ -n "${NGX_GROUP:-}" ] || NGX_GROUP=${_NGX_GROUP}
-case "${NGX_GROUP}" in
-"${_NGX_GROUP}" ) ;;
-## numeric id - remap to name
-[1-9]* )
- _group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
- if [ -n "${_group_name}" ] ; then
- NGX_GROUP=${_group_name}
- else
- log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}"
- log_always "setting NGX_GROUP=${_NGX_GROUP}"
- NGX_GROUP=${_NGX_GROUP}
- fi
- unset _group_name
-;;
-* )
- _group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
- if [ -n "${_group_name}" ] ; then
- NGX_GROUP=${_group_name}
- else
- log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}"
- log_always "setting NGX_GROUP=${_NGX_GROUP}"
- NGX_GROUP=${_NGX_GROUP}
- fi
- unset _group_name
-;;
-esac
-
-export NGX_USER NGX_GROUP
+if [ -z "${NGX_GROUP:-}" ] ; then
+ NGX_GROUP=${_NGX_GROUP}
+else
+ case "${NGX_GROUP}" in
+ "${_NGX_GROUP}" ) ;;
+ [1-9]* )
+ ## numeric id - remap to name
+ _group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
+ if [ -n "${_group_name}" ] ; then
+ NGX_GROUP=${_group_name}
+ else
+ log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}"
+ log_always "setting NGX_GROUP=${_NGX_GROUP}"
+ NGX_GROUP=${_NGX_GROUP}
+ fi
+ unset _group_name
+ ;;
+ * )
+ _group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
+ if [ -n "${_group_name}" ] ; then
+ NGX_GROUP=${_group_name}
+ else
+ log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}"
+ log_always "setting NGX_GROUP=${_NGX_GROUP}"
+ NGX_GROUP=${_NGX_GROUP}
+ fi
+ unset _group_name
+ ;;
+ esac
+fi
+export NGX_GROUP
 unset _NGX_USER _NGX_GROUP
diff --git a/image-entry.d/13-core-worker.envsh b/image-entry.d/13-core-worker.envsh
index fdb7697..4290bd4 100755
--- a/image-entry.d/13-core-worker.envsh
+++ b/image-entry.d/13-core-worker.envsh
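Review bot: the `[1-9]* )` and `* )` arms of the new NGX_USER `case` are identical apart from the word "ID"/"name" in one log line — `getent passwd` resolves a numeric id and a name alike — and the NGX_GROUP block below repeats the same pair, so the hunk carries four copies of one lookup. Choosing the wording first and doing the lookup once keeps the early-out for the default value and halves the block; the group block gets the same treatment with `getent group` and `/etc/group`. The `## numeric id - remap to name` comment then belongs on the `_kind` selection rather than on a duplicated arm.
```shell
if [ -z "${NGX_USER:-}" ] ; then
	NGX_USER=${_NGX_USER}
elif [ "${NGX_USER}" != "${_NGX_USER}" ] ; then
	## getent resolves a name or a numeric id alike; only the log wording differs
	_kind=name
	case "${NGX_USER}" in
	[1-9]* ) _kind=ID ;;
	esac
	_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
	if [ -n "${_user_name}" ] ; then
		NGX_USER=${_user_name}
	else
		log_always "NGX_USER: ${_kind} is not known in /etc/passwd: ${NGX_USER}"
		log_always "setting NGX_USER=${_NGX_USER}"
		NGX_USER=${_NGX_USER}
	fi
	unset _user_name _kind
fi
export NGX_USER
# … unchanged: NGX_GROUP block (same simplification applies) …
```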
@@ -6,59 +6,65 @@ _NGX_WORKER_PROCESSES=2
 _NGX_WORKER_PRIORITY=0
 _NGX_WORKER_RLIMIT_NOFILE=16384
 _NGX_WORKER_CONNECTIONS=4096
-_NGX_WORKER_AIO_REQUESTS=64
+_NGX_WORKER_AIO_REQUESTS=32
-[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
-case "${NGX_WORKER_PROCESSES}" in
-## allow values within [1;999]
-[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
-[Aa][Uu][Tt][Oo] )
- ## adjust
- NGX_WORKER_PROCESSES=auto
- log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
- log_always "offloading decision to Angie (this could be a problem!)"
-;;
-0 )
- log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
- log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+if [ -z "${NGX_WORKER_PROCESSES:-}" ] ; then
 NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
-;;
-* )
- log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
- log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
- NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
-;;
-esac
+else
+ case "${NGX_WORKER_PROCESSES}" in
+ ## allow values within [1;999]
+ [1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
+ [Aa][Uu][Tt][Oo] )
+ ## adjust
+ NGX_WORKER_PROCESSES=auto
+ log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
+ log_always "offloading decision to Angie (this could be a problem!)"
+ ;;
+ 0 )
+ log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
+ log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+ NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+ ;;
+ * )
+ log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
+ log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+ NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+ ;;
+ esac
+fi
 export NGX_WORKER_PROCESSES
 if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
 unset NGX_WORKER_CPU_AFFINITY
 else
- ## offload handling to Angie
+ ## let Angie handle this
 set -a
 NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
 set +a
 fi
-[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
-case "${NGX_WORKER_CONNECTIONS}" in
-[0-9] | [1-9][0-9] )
- log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
- log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+if [ -z "${NGX_WORKER_CONNECTIONS:-}" ] ; then
 NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
-;;
-## allow values within [100;9999999]
-[1-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
-* )
- log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
- log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
- NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
-;;
-esac
+else
+ case "${NGX_WORKER_CONNECTIONS}" in
+ [0-9] | [1-9][0-9] )
+ log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
+ log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+ NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+ ;;
+ ## allow values within [100;9999999]
+ [1-9][0-9][0-9] ) ;;
+ [1-9][0-9][0-9][0-9] ) ;;
+ [1-9][0-9][0-9][0-9][0-9] ) ;;
+ [1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+ [1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+ * )
+ log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
+ log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+ NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+ ;;
+ esac
+fi
 export NGX_WORKER_CONNECTIONS
 if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
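Review bot: `_NGX_WORKER_AIO_REQUESTS` drops from 64 to 32 inside a hunk that otherwise only reshapes control flow, and neither the commit title ("refine") nor a comment gives the reason; since it changes the generated configuration for every deployment that leaves the variable unset, the rationale belongs next to the assignment, e.g. `## 32 (was 64): <reason> — TODO fill in`. The `0 )` and `* )` arms of the new NGX_WORKER_PROCESSES `case` differ only in their first log line and could share the reset-to-default tail, as could the `[0-9] | [1-9][0-9]` and `* )` arms of the NGX_WORKER_CONNECTIONS `case`. The `## adjust` comment above `NGX_WORKER_PROCESSES=auto` says nothing the assignment does not; `## normalize to lowercase for the config template` would.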
@@ -181,11 +187,14 @@ else
 fi
 if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
 log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
+ log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
 else
+ unset ratio
 ratio=$(float_div "${nofile_limit}" "${NGX_WORKER_CONNECTIONS}")
 case "${ratio}" in
 1 | 1.* )
 log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
+ log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
 ;;
 esac
 unset ratio
diff --git a/image-entry.d/21-http-modules.envsh b/image-entry.d/21-http-modules.envsh
index c02de83..9ec4ffd 100755
--- a/image-entry.d/21-http-modules.envsh
+++ b/image-entry.d/21-http-modules.envsh
@@ -5,35 +5,11 @@ if [ "${NGX_HTTP}" = 0 ] ; then
 else
 NGX_HTTP_NO_PROXY=$(gobool_to_int "${NGX_HTTP_NO_PROXY:-0}" 0)
 export NGX_HTTP_NO_PROXY
- if [ "${NGX_HTTP_NO_PROXY}" = 0 ] ; then
- NGX_HTTP_CONFLOAD=$(append_list "${NGX_HTTP_CONFLOAD}" proxy)
- fi
 unset http_modules http_confload
 http_modules=
 http_confload="${NGX_HTTP_CONFLOAD:-}"
- if [ -n "${NGX_HTTP_MODULES}" ] ; then
- ## angie-module-lua: depends on angie-module-ndk
- ## angie-module-set-misc: depends on angie-module-ndk
-
- # unset want_ndk
- # want_ndk=0
- # if list_have_item "${NGX_HTTP_MODULES}" lua ; then
- # want_ndk=1
- # elif list_have_item "${NGX_HTTP_MODULES}" set-misc ; then
- # want_ndk=1
- # fi
- # if [ ${want_ndk} = 1 ] ; then
- # NGX_HTTP_MODULES=$(prepend_list "${NGX_HTTP_MODULES}" ndk)
- # fi
- # unset want_ndk
- NGX_HTTP_MODULES=$(
- printf '%s' "${NGX_HTTP_MODULES}" \
- | sed -zE 's/(\s|^)(lua|set-misc)(\s|$)/\1ndk \2\3/g'
- )
- fi
 ## filter out builtin http modules
 unset i
 for i in ${NGX_HTTP_MODULES:-} ; do
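Review bot: the two new `log_always` lines state the recommendation backwards. `ratio` is `${nofile_limit}` divided by `${NGX_WORKER_CONNECTIONS}` and the warning fires when it is below 2, i.e. when the descriptor limit is less than twice the connection count, so it is `${nofile_kind}` that should be at least twice NGX_WORKER_CONNECTIONS — following the message as written would make the situation worse. Suggest `log_always "${nofile_kind} is recommended to be at least twice NGX_WORKER_CONNECTIONS"` in both places. The `unset ratio` added before the assignment duplicates the one after `esac`; harmless, but one of them can go.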
@@ -62,17 +38,30 @@ else
 done
 unset i
+ if [ "${NGX_HTTP_NO_PROXY}" = 0 ] ; then
+ http_confload="${http_confload} proxy"
+ fi
+
 ## grpc depends on http/2
- if list_have_item "${NGX_HTTP_CONFLOAD}" grpc ; then
- unset want_http2
- want_http2=0
- if ! list_have_item "${NGX_HTTP_CONFLOAD}" v2 ; then
- want_http2=1
+ if list_have_item "${http_confload}" grpc ; then
+ http_confload="${http_confload} v2"
+ fi
+
+ ## angie-module-lua: depends on angie-module-ndk
+ ## angie-module-set-misc: depends on angie-module-ndk
+ if [ -n "${http_modules:-}" ] ; then
+ unset want_ndk
+ want_ndk=0
+ if list_have_item "${http_modules}" lua ; then
+ want_ndk=1
+ elif list_have_item "${http_modules}" set-misc ; then
+ want_ndk=1
 fi
- if [ "${want_http2}" = 1 ] ; then
- NGX_HTTP_CONFLOAD=$(append_list "${NGX_HTTP_CONFLOAD}" v2)
+ if [ ${want_ndk} = 1 ] ; then
+ ## forcefully move 'ndk' to beginning of list
+ http_modules=$(printf '%s' " ${http_modules} " | sed -zE 's/ ndk / /;s/^/ndk/;s/ $//')
 fi
- unset want_http2
+ unset want_ndk
 fi
 set -a
@@ -85,20 +74,19 @@ else
 ## quirk: angie-module-modsecurity
 unset NGX_HTTP_WITH_MODSECURITY
 NGX_HTTP_WITH_MODSECURITY=0
- while : ; do
- if ! list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then
- break
- fi
-
+ if list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then
+ unset d f
 for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
 [ -d "$d" ] || continue
- [ -f "$d/ngx_http_modsecurity_module.so" ] || continue
- if ! [ -h "$d/ngx_http_modsecurity_module.so" ] ; then
+ f="$d/ngx_http_modsecurity_module.so"
+ [ -f "$f" ] || continue
+ if ! [ -h "$f" ] ; then
 NGX_HTTP_WITH_MODSECURITY=1
 break
 fi
- done ; unset d
- break ; done
+ done
+ unset d f
+ fi
 export NGX_HTTP_WITH_MODSECURITY
 if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
diff --git a/image-entry.d/24-http-forward-headers.envsh b/image-entry.d/24-http-forward-headers.envsh
index c44410f..b8291d7 100755
--- a/image-entry.d/24-http-forward-headers.envsh
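Review bot: the grpc→v2 dependency no longer checks whether `v2` is already listed — the removed code did — so `NGX_HTTP_CONFLOAD="grpc v2"` now yields `… grpc v2 v2`, and `proxy` is likewise appended without a membership test. Unless whatever consumes `http_confload` after `set -a` deduplicates (not visible in this hunk), keep the guard: `if list_have_item "${http_confload}" grpc && ! list_have_item "${http_confload}" v2 ; then`. The `sed` that moves `ndk` to the front only works on a single-space-separated list (a double space or a second `ndk` survives it); `http_modules` is built by the filter loop outside the hunk, so state that precondition on the line, e.g. `## assumes http_modules is single-space separated with at most one 'ndk'`.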
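Review bot: the modsecurity probe still consults the raw `NGX_HTTP_MODULES`, while the ndk block just above was switched to the filtered `http_modules`; if the filter loop can ever drop `modsecurity`, NGX_HTTP_WITH_MODSECURITY gets set for a module that is not loaded, and if that cannot happen a comment saying so saves the next reader the same question. The `! [ -h "$f" ]` test also needs a why-comment, since a symlinked `.so` is otherwise a normal install and the `-f` test just before it already follows symlinks; presumably a symlink marks a packaging placeholder rather than a real module, e.g. `## a symlink here is the distro placeholder, not a usable module — confirm`.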
+++ b/image-entry.d/24-http-forward-headers.envsh
@@ -25,31 +25,34 @@ else
 NGX_HTTP_X_FORWARDED=remove
 fi
- [ -n "${NGX_HTTP_X_FORWARDED:-}" ] || NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
- case "${NGX_HTTP_X_FORWARDED}" in
- [Pp][Aa][Ss][Ss] )
- ## adjust
- NGX_HTTP_X_FORWARDED=pass
- ;;
- [Rr][Ee][Mm][Oo][Vv][Ee] )
- ## adjust
- NGX_HTTP_X_FORWARDED=remove
- ;;
- * )
- unset x
- x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
- case "$x" in
- 0 ) NGX_HTTP_X_FORWARDED=remove ;;
- 1 ) NGX_HTTP_X_FORWARDED=pass ;;
+ if [ -z "${NGX_HTTP_X_FORWARDED:-}" ] ; then
+ NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
+ else
+ case "${NGX_HTTP_X_FORWARDED}" in
+ [Pp][Aa][Ss][Ss] )
+ ## adjust
+ NGX_HTTP_X_FORWARDED=pass
+ ;;
+ [Rr][Ee][Mm][Oo][Vv][Ee] )
+ ## adjust
+ NGX_HTTP_X_FORWARDED=remove
+ ;;
 * )
- log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}"
- log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}"
- NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
+ unset x
+ x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
+ case "$x" in
+ 0 ) NGX_HTTP_X_FORWARDED=remove ;;
+ 1 ) NGX_HTTP_X_FORWARDED=pass ;;
+ * )
+ log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}"
+ log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}"
+ NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
+ ;;
+ esac
+ unset x
 ;;
 esac
- unset x
- ;;
- esac
+ fi
 export NGX_HTTP_X_FORWARDED
 unset _NGX_HTTP_FAKE_UA _NGX_HTTP_X_FORWARDED
diff --git a/image-entry.d/99-cleanup-env.envsh b/image-entry.d/99-cleanup-env.envsh
index 94a5963..c8aab7e 100755
--- a/image-entry.d/99-cleanup-env.envsh
+++ b/image-entry.d/99-cleanup-env.envsh
@@ -41,7 +41,7 @@ else
 fi <<-EOF
 $( set +e
- cat /proc/self/environ \
+ cat /proc/$$/environ \
 | sed -zEn '/^([^=]+).*$/s//\1/p' \
 | xargs -0r printf '%q\n' \
 | {
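Review bot: both `## adjust` comments carried into the new `case` say nothing about what is adjusted; `## normalize to the canonical lowercase spelling` tells the reader why an assignment to the same value exists. The nested `case "$x"` with its own `* )` is what makes this block three levels deep, and it exists because `gobool_to_int` is called here without the default second argument that 21-http-modules.envsh passes (`gobool_to_int "…" 0`); if the intent is to log and then default rather than default silently, a one-line comment above `x=$(gobool_to_int …)` saying so will stop the next reader from "simplifying" it. Since `pass` versus `remove` decides whether client-supplied X-Forwarded-* headers reach the upstream (inferred from the variable name — confirm), a short note on the security meaning of the two values near the `case` would help operators reading this file.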