image-entry: refine

2024-09-30 20:45:03 +03:00 · 2024-09-30 20:45:03 +03:00 · 86af6345e5
commit 86af6345e5
parent b92bd85597
9 changed files with 193 additions and 171 deletions
--- a/image-entry.d/00-common.envsh
+++ b/image-entry.d/00-common.envsh
@ -8,7 +8,7 @@ empty_dir='/var/lib/empty'

 have_envvar() {
 	[ -n "$1" ] || return 1
-	grep -Ezq "^$1=" /proc/self/environ || return
+	grep -Ezq "^$1=" /proc/$$/environ || return
 }

 ## unexporting variable in (POSIX) sh is PITA =/
@ -202,6 +202,7 @@ prepend_list() {
 }

 list_have_item() {
+	[ -n "$1" ] || return 1
 	[ -n "$2" ] || return 1
 	case " $1 " in
 	*" $2 "* ) return 0 ;;
@ -213,16 +214,15 @@ normalize_list() {
 	[ -n "$1" ] || return 0

 	printf '%s' "$1" \
-	| tr -s '[:space:]' ' ' \
-	| sed -zE 's/^ //;s/ $//'
+	| sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
 }

 sort_dedup_list() {
 	[ -n "$1" ] || return 0

 	printf '%s' "$1" \
-	| tr -s '[:space:]' '\n' | sort -uV | paste -sd ' ' \
-	| sed -zE 's/^\s+//;s/\s+$//'
+	| tr -s '[:space:]' '\n' | sort -uV \
+	| sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
 }

 float_div() {
@ -236,3 +236,10 @@ find_fast() {
 randN() {
 	od -v -A n -t x1 -N "$1" < /dev/urandom | tr -d '[:space:]'
 }
+
+re_ipv4_oct='[0-9]|[1-9][0-9]|[1-9][0-9][0-9]|2[0-4][0-9]|25[0-5]'
+re_ipv4_addr="^${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\$"
+is_ipv4_address() {
+	[ -n "$1" ] || return 1
+	printf '%s' "$1" | grep -zEq "${re_ipv4_addr}" || return 1
+}
--- a/image-entry.d/02-nonroot.envsh
+++ b/image-entry.d/02-nonroot.envsh
@ -2,5 +2,6 @@

 unset IEP_ROOT
 IEP_ROOT=1
-[ "$(stat -c %u /proc/1)" = 0 ] || IEP_ROOT=0
+# [ "$(env stat -Lc %u /proc/$$)" = 0 ] || IEP_ROOT=0
+[ "$(id -n)" = 0 ] || IEP_ROOT=0
 export IEP_ROOT
--- a/image-entry.d/03-local-override.envsh
+++ b/image-entry.d/03-local-override.envsh
@ -3,15 +3,18 @@
 unset IEP_LOCAL_OVERRIDE
 IEP_LOCAL_OVERRIDE=0

-unset _fsspec _fstarget _fstype _fsopts _fsreq _fspass
-while read -r _fsspec _fstarget _fstype _fsopts _fsreq _fspass ; do
-	case "${_fstarget}" in
+unset _fsspec i _extra
+while read -r _fsspec i _extra ; do
+	[ -n "$i" ] || continue
+	case "$i" in
 	/angie | /angie/* )
 		IEP_LOCAL_OVERRIDE=1
 		break
 	;;
 	esac
-done < /proc/mounts
-unset _fsspec _fstarget _fstype _fsopts _fsreq _fspass
+done <<-EOF
+$(grep -F angie /proc/mounts)
+EOF
+unset _fsspec i _extra

 export IEP_LOCAL_OVERRIDE
--- a/image-entry.d/04-local-ip-addresses.envsh
+++ b/image-entry.d/04-local-ip-addresses.envsh
@ -13,9 +13,14 @@ unset NGX_IPV4_ADDRESSES NGX_IPV6_ADDRESSES
 for i in ${NGX_IP_ADDRESSES} ; do
 	case "$i" in
 	*:* )
+		## TODO: IPv6 address validation
 		NGX_IPV6_ADDRESSES=$(append_list "${NGX_IPV6_ADDRESSES}" "$i")
 	;;
 	* )
+		if ! is_ipv4_address "$i" ; then
+			log_always "invalid IPv4 address: $i"
+			continue
+		fi
 		NGX_IPV4_ADDRESSES=$(append_list "${NGX_IPV4_ADDRESSES}" "$i")
 	;;
 	esac
--- a/image-entry.d/12-core-user.envsh
+++ b/image-entry.d/12-core-user.envsh
@ -9,62 +9,68 @@ unset _NGX_USER _NGX_GROUP
 _NGX_USER=angie
 _NGX_GROUP=angie

-[ -n "${NGX_USER:-}" ] || NGX_USER=${_NGX_USER}
-case "${NGX_USER}" in
-"${_NGX_USER}" ) ;;
-## numeric id - remap to name
-[1-9]* )
-	_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
-	if [ -n "${_user_name}" ] ; then
-		NGX_USER=${_user_name}
-	else
-		log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}"
-		log_always "setting NGX_USER=${_NGX_USER}"
-		NGX_USER=${_NGX_USER}
-	fi
-	unset _user_name
-;;
-* )
-	_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
-	if [ -n "${_user_name}" ] ; then
-		NGX_USER=${_user_name}
-	else
-		log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}"
-		log_always "setting NGX_USER=${_NGX_USER}"
-		NGX_USER=${_NGX_USER}
-	fi
-	unset _user_name
-;;
-esac
+if [ -z "${NGX_USER:-}" ] ; then
+	NGX_USER=${_NGX_USER}
+else
+	case "${NGX_USER}" in
+	"${_NGX_USER}" ) ;;
+	[1-9]* )
+		## numeric id - remap to name
+		_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
+		if [ -n "${_user_name}" ] ; then
+			NGX_USER=${_user_name}
+		else
+			log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}"
+			log_always "setting NGX_USER=${_NGX_USER}"
+			NGX_USER=${_NGX_USER}
+		fi
+		unset _user_name
+	;;
+	* )
+		_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
+		if [ -n "${_user_name}" ] ; then
+			NGX_USER=${_user_name}
+		else
+			log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}"
+			log_always "setting NGX_USER=${_NGX_USER}"
+			NGX_USER=${_NGX_USER}
+		fi
+		unset _user_name
+	;;
+	esac
+fi
+export NGX_USER

-[ -n "${NGX_GROUP:-}" ] || NGX_GROUP=${_NGX_GROUP}
-case "${NGX_GROUP}" in
-"${_NGX_GROUP}" ) ;;
-## numeric id - remap to name
-[1-9]* )
-	_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
-	if [ -n "${_group_name}" ] ; then
-		NGX_GROUP=${_group_name}
-	else
-		log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}"
-		log_always "setting NGX_GROUP=${_NGX_GROUP}"
-		NGX_GROUP=${_NGX_GROUP}
-	fi
-	unset _group_name
-;;
-* )
-	_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
-	if [ -n "${_group_name}" ] ; then
-		NGX_GROUP=${_group_name}
-	else
-		log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}"
-		log_always "setting NGX_GROUP=${_NGX_GROUP}"
-		NGX_GROUP=${_NGX_GROUP}
-	fi
-	unset _group_name
-;;
-esac
-
-export NGX_USER NGX_GROUP
+if [ -z "${NGX_GROUP:-}" ] ; then
+	NGX_GROUP=${_NGX_GROUP}
+else
+	case "${NGX_GROUP}" in
+	"${_NGX_GROUP}" ) ;;
+	[1-9]* )
+		## numeric id - remap to name
+		_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
+		if [ -n "${_group_name}" ] ; then
+			NGX_GROUP=${_group_name}
+		else
+			log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}"
+			log_always "setting NGX_GROUP=${_NGX_GROUP}"
+			NGX_GROUP=${_NGX_GROUP}
+		fi
+		unset _group_name
+	;;
+	* )
+		_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
+		if [ -n "${_group_name}" ] ; then
+			NGX_GROUP=${_group_name}
+		else
+			log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}"
+			log_always "setting NGX_GROUP=${_NGX_GROUP}"
+			NGX_GROUP=${_NGX_GROUP}
+		fi
+		unset _group_name
+	;;
+	esac
+fi
+export NGX_GROUP

 unset _NGX_USER _NGX_GROUP
--- a/image-entry.d/13-core-worker.envsh
+++ b/image-entry.d/13-core-worker.envsh
@ -6,59 +6,65 @@ _NGX_WORKER_PROCESSES=2
 _NGX_WORKER_PRIORITY=0
 _NGX_WORKER_RLIMIT_NOFILE=16384
 _NGX_WORKER_CONNECTIONS=4096
-_NGX_WORKER_AIO_REQUESTS=64
+_NGX_WORKER_AIO_REQUESTS=32

-[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
-case "${NGX_WORKER_PROCESSES}" in
-## allow values within [1;999]
-[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
-[Aa][Uu][Tt][Oo] )
-	## adjust
-	NGX_WORKER_PROCESSES=auto
-	log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
-	log_always "offloading decision to Angie (this could be a problem!)"
-;;
-0 )
-	log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
-	log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+if [ -z "${NGX_WORKER_PROCESSES:-}" ] ; then
 	NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
-;;
-* )
-	log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
-	log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
-	NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
-;;
-esac
+else
+	case "${NGX_WORKER_PROCESSES}" in
+	## allow values within [1;999]
+	[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
+	[Aa][Uu][Tt][Oo] )
+		## adjust
+		NGX_WORKER_PROCESSES=auto
+		log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
+		log_always "offloading decision to Angie (this could be a problem!)"
+	;;
+	0 )
+		log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
+		log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+		NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+	;;
+	* )
+		log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
+		log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
+		NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
+	;;
+	esac
+fi
 export NGX_WORKER_PROCESSES

 if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
 	unset NGX_WORKER_CPU_AFFINITY
 else
-	## offload handling to Angie
+	## let Angie handle this
 	set -a
 	NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
 	set +a
 fi

-[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
-case "${NGX_WORKER_CONNECTIONS}" in
-[0-9] | [1-9][0-9] )
-	log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
-	log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+if [ -z "${NGX_WORKER_CONNECTIONS:-}" ] ; then
 	NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
-;;
-## allow values within [100;9999999]
-[1-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
-[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
-* )
-	log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
-	log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
-	NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
-;;
-esac
+else
+	case "${NGX_WORKER_CONNECTIONS}" in
+	[0-9] | [1-9][0-9] )
+		log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
+		log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+		NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+	;;
+	## allow values within [100;9999999]
+	[1-9][0-9][0-9] ) ;;
+	[1-9][0-9][0-9][0-9] ) ;;
+	[1-9][0-9][0-9][0-9][0-9] ) ;;
+	[1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+	[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
+	* )
+		log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
+		log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
+		NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
+	;;
+	esac
+fi
 export NGX_WORKER_CONNECTIONS

 if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
@ -181,11 +187,14 @@ else
 fi
 if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
 	log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
+	log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
 else
+	unset ratio
 	ratio=$(float_div "${nofile_limit}" "${NGX_WORKER_CONNECTIONS}")
 	case "${ratio}" in
 	1 | 1.* )
 		log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
+		log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
 	;;
 	esac
 	unset ratio
--- a/image-entry.d/21-http-modules.envsh
+++ b/image-entry.d/21-http-modules.envsh
@ -5,35 +5,11 @@ if [ "${NGX_HTTP}" = 0 ] ; then
 else
 	NGX_HTTP_NO_PROXY=$(gobool_to_int "${NGX_HTTP_NO_PROXY:-0}" 0)
 	export NGX_HTTP_NO_PROXY
-	if [ "${NGX_HTTP_NO_PROXY}" = 0 ] ; then
-		NGX_HTTP_CONFLOAD=$(append_list "${NGX_HTTP_CONFLOAD}" proxy)
-	fi

 	unset http_modules http_confload
 	http_modules=
 	http_confload="${NGX_HTTP_CONFLOAD:-}"

-	if [ -n "${NGX_HTTP_MODULES}" ] ; then
-		## angie-module-lua: depends on angie-module-ndk
-		## angie-module-set-misc: depends on angie-module-ndk
-
-		# unset want_ndk
-		# want_ndk=0
-		# if list_have_item "${NGX_HTTP_MODULES}" lua ; then
-		# 	want_ndk=1
-		# elif list_have_item "${NGX_HTTP_MODULES}" set-misc ; then
-		# 	want_ndk=1
-		# fi
-		# if [ ${want_ndk} = 1 ] ; then
-		# 	NGX_HTTP_MODULES=$(prepend_list "${NGX_HTTP_MODULES}" ndk)
-		# fi
-		# unset want_ndk
-		NGX_HTTP_MODULES=$(
-			printf '%s' "${NGX_HTTP_MODULES}" \
-			| sed -zE 's/(\s|^)(lua|set-misc)(\s|$)/\1ndk \2\3/g'
-		)
-	fi
-
 	## filter out builtin http modules
 	unset i
 	for i in ${NGX_HTTP_MODULES:-} ; do
@ -62,17 +38,30 @@ else
 	done
 	unset i

+	if [ "${NGX_HTTP_NO_PROXY}" = 0 ] ; then
+		http_confload="${http_confload} proxy"
+	fi
+
 	## grpc depends on http/2
-	if list_have_item "${NGX_HTTP_CONFLOAD}" grpc ; then
-		unset want_http2
-		want_http2=0
-		if ! list_have_item "${NGX_HTTP_CONFLOAD}" v2 ; then
-			want_http2=1
+	if list_have_item "${http_confload}" grpc ; then
+		http_confload="${http_confload} v2"
+	fi
+
+	## angie-module-lua: depends on angie-module-ndk
+	## angie-module-set-misc: depends on angie-module-ndk
+	if [ -n "${http_modules:-}" ] ; then
+		unset want_ndk
+		want_ndk=0
+		if list_have_item "${http_modules}" lua ; then
+			want_ndk=1
+		elif list_have_item "${http_modules}" set-misc ; then
+			want_ndk=1
 		fi
-		if [ "${want_http2}" = 1 ] ; then
-			NGX_HTTP_CONFLOAD=$(append_list "${NGX_HTTP_CONFLOAD}" v2)
+		if [ ${want_ndk} = 1 ] ; then
+			## forcefully move 'ndk' to beginning of list
+			http_modules=$(printf '%s' " ${http_modules} " | sed -zE 's/ ndk / /;s/^/ndk/;s/ $//')
 		fi
-		unset want_http2
+		unset want_ndk
 	fi

 	set -a
@ -85,20 +74,19 @@ else
 	## quirk: angie-module-modsecurity
 	unset NGX_HTTP_WITH_MODSECURITY
 	NGX_HTTP_WITH_MODSECURITY=0
-	while : ; do
-		if ! list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then
-			break
-		fi
-
+	if list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then
+		unset d f
 		for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
 			[ -d "$d" ] || continue
-			[ -f "$d/ngx_http_modsecurity_module.so" ] || continue
-			if ! [ -h "$d/ngx_http_modsecurity_module.so" ] ; then
+			f="$d/ngx_http_modsecurity_module.so"
+			[ -f "$f" ] || continue
+			if ! [ -h "$f" ] ; then
 				NGX_HTTP_WITH_MODSECURITY=1
 				break
 			fi
-		done ; unset d
-	break ; done
+		done
+		unset d f
+	fi
 	export NGX_HTTP_WITH_MODSECURITY

 	if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then
--- a/image-entry.d/24-http-forward-headers.envsh
+++ b/image-entry.d/24-http-forward-headers.envsh
@ -25,31 +25,34 @@ else
 		NGX_HTTP_X_FORWARDED=remove
 	fi

-	[ -n "${NGX_HTTP_X_FORWARDED:-}" ] || NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
-	case "${NGX_HTTP_X_FORWARDED}" in
-	[Pp][Aa][Ss][Ss] )
-		## adjust
-		NGX_HTTP_X_FORWARDED=pass
-	;;
-	[Rr][Ee][Mm][Oo][Vv][Ee] )
-		## adjust
-		NGX_HTTP_X_FORWARDED=remove
-	;;
-	* )
-		unset x
-		x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
-		case "$x" in
-		0 ) NGX_HTTP_X_FORWARDED=remove ;;
-		1 ) NGX_HTTP_X_FORWARDED=pass ;;
+	if [ -z "${NGX_HTTP_X_FORWARDED:-}" ] ; then
+		NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
+	else
+		case "${NGX_HTTP_X_FORWARDED}" in
+		[Pp][Aa][Ss][Ss] )
+			## adjust
+			NGX_HTTP_X_FORWARDED=pass
+		;;
+		[Rr][Ee][Mm][Oo][Vv][Ee] )
+			## adjust
+			NGX_HTTP_X_FORWARDED=remove
+		;;
 		* )
-			log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}"
-			log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}"
-			NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
+			unset x
+			x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
+			case "$x" in
+			0 ) NGX_HTTP_X_FORWARDED=remove ;;
+			1 ) NGX_HTTP_X_FORWARDED=pass ;;
+			* )
+				log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}"
+				log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}"
+				NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
+			;;
+			esac
+			unset x
 		;;
 		esac
-		unset x
-	;;
-	esac
+	fi
 	export NGX_HTTP_X_FORWARDED

 	unset _NGX_HTTP_FAKE_UA _NGX_HTTP_X_FORWARDED
--- a/image-entry.d/99-cleanup-env.envsh
+++ b/image-entry.d/99-cleanup-env.envsh
@ -41,7 +41,7 @@ else
 fi <<-EOF
 $(
 	set +e
-	cat /proc/self/environ \
+	cat /proc/$$/environ \
 	| sed -zEn '/^([^=]+).*$/s//\1/p' \
 	| xargs -0r printf '%q\n' \
 	| {