krd/angie-conv-image
1
0
Fork 0
Code

Compare commits

base: krd:b92bd85597a065f7f043b4d22c98e86929ce902f
Branches Tags
krd:main
..
compare: krd:921dd8fe9fa8b0c9fdb35ea7c06db7e1cd185993
Branches Tags
krd:main

5 Commits
b92bd85597 ... 921dd8fe9f

Author SHA1 Message Date
Konstantin Demin
921dd8fe9f
bump version to 0.0.2 2024-09-30 21:25:19 +03:00
Konstantin Demin
45e006c14e
requirements: bump wcmatch to 10.0 2024-09-30 21:25:19 +03:00
Konstantin Demin
7b5b3a0a30
angie: provide DNS resolver 2024-09-30 21:25:19 +03:00
Konstantin Demin
47515839a2
scripts: refine 2024-09-30 21:25:08 +03:00
Konstantin Demin
86af6345e5
image-entry: refine 2024-09-30 21:25:05 +03:00
34 changed files with 401 additions and 255 deletions
Show Stats Expand all files Collapse all files

2
angie/autoconf.dist/http-resolver.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
{%- set resolver_status_zone = 'http_resolver' -%}
{% include 'resolver.j2m' %}

13
angie/autoconf.dist/resolver.j2m Normal file
View File

@ -0,0 +1,13 @@
{%- if env.NGX_RESOLVERS %}
{%- if env.NGX_RESOLVER_STACK == 'any' %}
resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }};
{%- elif env.NGX_RESOLVER_STACK == 'ipv4' %}
resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }} ipv4=on ipv6=off;
{%- elif env.NGX_RESOLVER_STACK == 'ipv6' %}
resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }} ipv4=off ipv6=on;
{%- endif %}
{%- endif %}
{%- if env.NGX_RESOLVER_TIMEOUT %}
resolver_timeout {{ env.NGX_RESOLVER_TIMEOUT }};
{%- endif %}

2
angie/autoconf.dist/stream-resolver.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
{%- set resolver_status_zone = 'stream_resolver' -%}
{% include 'resolver.j2m' %}

2
build-scripts/image-base.sh
View File

@ -2,7 +2,7 @@
set -ef set -ef
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
IMAGE_VERSION="${IMAGE_VERSION:-v0.0.1}" IMAGE_VERSION="${IMAGE_VERSION:-v0.0.2}"
set -a set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}" BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"

2
build-scripts/image-deps.sh
View File

@ -2,7 +2,7 @@
set -ef set -ef
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
IMAGE_VERSION="${IMAGE_VERSION:-v0.0.1}" IMAGE_VERSION="${IMAGE_VERSION:-v0.0.2}"
set -a set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}" BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"

2
build-scripts/image.sh
View File

@ -2,7 +2,7 @@
set -ef set -ef
cd "$(dirname "$0")/.." cd "$(dirname "$0")/.."
IMAGE_VERSION="${IMAGE_VERSION:-v0.0.1}" IMAGE_VERSION="${IMAGE_VERSION:-v0.0.2}"
set -a set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}" BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"

2
doc/examples/basic/Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/basic/README.md
View File

@ -11,7 +11,7 @@ server {
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/
COPY /static/ /etc/angie/static/ COPY /static/ /etc/angie/static/

2
doc/examples/njs/Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/njs/README.md
View File

@ -3,7 +3,7 @@
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/perl/Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/perl/README.md
View File

@ -3,7 +3,7 @@
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/ssl/Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/ssl/README.md
View File

@ -3,7 +3,7 @@
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/
COPY /static/ /etc/angie/static/ COPY /static/ /etc/angie/static/

2
doc/examples/static-template/Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
SHELL [ "/bin/sh", "-ec" ] SHELL [ "/bin/sh", "-ec" ]
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/

2
doc/examples/static-template/README.md
View File

@ -13,7 +13,7 @@ server {
Dockerfile: Dockerfile:
```dockerfile ```dockerfile
FROM docker.io/rockdrilla/angie-conv:v0.0.1 FROM docker.io/rockdrilla/angie-conv:v0.0.2
COPY /site/ /etc/angie/site/ COPY /site/ /etc/angie/site/
COPY /static/ /etc/angie/static/ COPY /static/ /etc/angie/static/

17
image-entry.d/00-common.envsh
View File

@ -8,7 +8,7 @@ empty_dir='/var/lib/empty'
have_envvar() { have_envvar() {
[ -n "$1" ] || return 1 [ -n "$1" ] || return 1
grep -Ezq "^$1=" /proc/self/environ || return grep -Ezq "^$1=" /proc/$$/environ || return
} }
## unexporting variable in (POSIX) sh is PITA =/ ## unexporting variable in (POSIX) sh is PITA =/
@ -202,6 +202,7 @@ prepend_list() {
} }
list_have_item() { list_have_item() {
[ -n "$1" ] || return 1
[ -n "$2" ] || return 1 [ -n "$2" ] || return 1
case " $1 " in case " $1 " in
*" $2 "* ) return 0 ;; *" $2 "* ) return 0 ;;
@ -213,16 +214,15 @@ normalize_list() {
[ -n "$1" ] || return 0 [ -n "$1" ] || return 0
printf '%s' "$1" \ printf '%s' "$1" \
| tr -s '[:space:]' ' ' \ | sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
| sed -zE 's/^ //;s/ $//'
} }
sort_dedup_list() { sort_dedup_list() {
[ -n "$1" ] || return 0 [ -n "$1" ] || return 0
printf '%s' "$1" \ printf '%s' "$1" \
| tr -s '[:space:]' '\n' | sort -uV | paste -sd ' ' \ | tr -s '[:space:]' '\n' | sort -uV \
| sed -zE 's/^\s+//;s/\s+$//' | sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
} }
float_div() { float_div() {
@ -236,3 +236,10 @@ find_fast() {
randN() { randN() {
od -v -A n -t x1 -N "$1" < /dev/urandom | tr -d '[:space:]' od -v -A n -t x1 -N "$1" < /dev/urandom | tr -d '[:space:]'
} }
re_ipv4_oct='[0-9]|[1-9][0-9]|[1-9][0-9][0-9]|2[0-4][0-9]|25[0-5]'
re_ipv4_addr="^${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\.${re_ipv4_oct}\$"
is_ipv4_address() {
[ -n "$1" ] || return 1
printf '%s' "$1" | grep -zEq "${re_ipv4_addr}" || return 1
}

3
image-entry.d/02-nonroot.envsh
View File

@ -2,5 +2,6 @@
unset IEP_ROOT unset IEP_ROOT
IEP_ROOT=1 IEP_ROOT=1
[ "$(stat -c %u /proc/1)" = 0 ] || IEP_ROOT=0 # [ "$(env stat -Lc %u /proc/$$)" = 0 ] || IEP_ROOT=0
[ "$(id -n)" = 0 ] || IEP_ROOT=0
export IEP_ROOT export IEP_ROOT

13
image-entry.d/03-local-override.envsh
View File

@ -3,15 +3,18 @@
unset IEP_LOCAL_OVERRIDE unset IEP_LOCAL_OVERRIDE
IEP_LOCAL_OVERRIDE=0 IEP_LOCAL_OVERRIDE=0
unset _fsspec _fstarget _fstype _fsopts _fsreq _fspass unset _fsspec i _extra
while read -r _fsspec _fstarget _fstype _fsopts _fsreq _fspass ; do while read -r _fsspec i _extra ; do
case "${_fstarget}" in [ -n "$i" ] || continue
case "$i" in
/angie | /angie/* ) /angie | /angie/* )
IEP_LOCAL_OVERRIDE=1 IEP_LOCAL_OVERRIDE=1
break break
;; ;;
esac esac
done < /proc/mounts done <<-EOF
unset _fsspec _fstarget _fstype _fsopts _fsreq _fspass $(grep -F angie /proc/mounts)
EOF
unset _fsspec i _extra
export IEP_LOCAL_OVERRIDE export IEP_LOCAL_OVERRIDE

5
image-entry.d/04-local-ip-addresses.envsh
View File

@ -13,9 +13,14 @@ unset NGX_IPV4_ADDRESSES NGX_IPV6_ADDRESSES
for i in ${NGX_IP_ADDRESSES} ; do for i in ${NGX_IP_ADDRESSES} ; do
case "$i" in case "$i" in
*:* ) *:* )
## TODO: IPv6 address validation
NGX_IPV6_ADDRESSES=$(append_list "${NGX_IPV6_ADDRESSES}" "$i") NGX_IPV6_ADDRESSES=$(append_list "${NGX_IPV6_ADDRESSES}" "$i")
;; ;;
* ) * )
if ! is_ipv4_address "$i" ; then
log_always "invalid IPv4 address: $i"
continue
fi
NGX_IPV4_ADDRESSES=$(append_list "${NGX_IPV4_ADDRESSES}" "$i") NGX_IPV4_ADDRESSES=$(append_list "${NGX_IPV4_ADDRESSES}" "$i")
;; ;;
esac esac

109
image-entry.d/06-resolver.envsh Executable file
View File

@ -0,0 +1,109 @@
#!/bin/sh
unset _NGX_RESOLVER_STACK _NGX_RESOLVER_TIMEOUT
## here should be SANE defaults (!)
_NGX_RESOLVER_STACK=ipv4
_NGX_RESOLVER_TIMEOUT=10s
if [ -z "${NGX_RESOLVER_STACK:-}" ] ; then
NGX_RESOLVER_STACK=${_NGX_RESOLVER_STACK}
else
case "${NGX_RESOLVER_STACK}" in
[Ii][Pp][Vv]4 | [Vv]4 | 4 )
## adjust
NGX_RESOLVER_STACK=ipv4
;;
[Ii][Pp][Vv]6 | [Vv]6 | 6 )
## adjust
NGX_RESOLVER_STACK=ipv6
;;
[Dd][Uu][Aa][Ll] | [Aa][Ll][Ll] | [Aa][Nn][Yy] )
## adjust
NGX_RESOLVER_STACK=any
;;
[Nn][Oo][Nn][Ee] | 0 )
## adjust
NGX_RESOLVER_STACK=none
;;
* )
log_always "NGX_RESOLVER_STACK: unrecognized value: ${NGX_RESOLVER_STACK}"
log_always "setting NGX_RESOLVER_STACK=${_NGX_RESOLVER_STACK}"
NGX_RESOLVER_STACK=${_NGX_RESOLVER_STACK}
;;
esac
fi
export NGX_RESOLVER_STACK
if [ "${NGX_RESOLVER_STACK}" = 'none' ] ; then
unset NGX_RESOLV_CONF NGX_RESOLVER_TIMEOUT NGX_RESOLVERS
else
if [ -z "${NGX_RESOLVER_TIMEOUT:-}" ] ; then
NGX_RESOLVER_TIMEOUT=${_NGX_RESOLVER_TIMEOUT}
else
case "${NGX_RESOLVER_TIMEOUT}" in
[1-9] | [1-9][0-9] )
## convert implicit "seconds" to explicit
NGX_RESOLVER_TIMEOUT="${NGX_RESOLVER_TIMEOUT}s"
;;
[1-9]s | [1-9][0-9]s )
## pass
;;
[1-9]ms | [1-9][0-9]ms | [1-9][0-9][0-9]ms | [1-9][0-9][0-9][0-9]ms | [1-9][0-9][0-9][0-9][0-9]ms )
## pass
;;
* )
log_always "NGX_RESOLVER_TIMEOUT: unrecognized value: ${NGX_RESOLVER_TIMEOUT}"
log_always "setting NGX_RESOLVER_TIMEOUT=${_NGX_RESOLVER_TIMEOUT}"
NGX_RESOLVER_TIMEOUT=${_NGX_RESOLVER_TIMEOUT}
;;
esac
fi
export NGX_RESOLVER_TIMEOUT
unset _resolv_conf
while [ -z "${NGX_RESOLVERS+x}" ] ; do
_resolv_conf="${NGX_RESOLV_CONF-/etc/resolv.conf}"
[ -n "${_resolv_conf}" ] || break
[ -f "${_resolv_conf}" ] || break
[ -s "${_resolv_conf}" ] || break
unset i
while read -r i ; do
[ -n "$i" ] || continue
case "$i" in
## NB: /etc/resolv.conf allows (!) IPv6 addresses in dotted form (RFC 2373) but this is discouraged
*:* )
## TODO: IPv6 address validation
i="[$i]"
case "${NGX_RESOLVER_STACK}" in
ipv6 | any )
NGX_RESOLVERS=$(append_list "${NGX_RESOLVERS}" "$i")
;;
esac
;;
* )
if ! is_ipv4_address "$i" ; then
log_always "invalid IPv4 address: $i"
continue
fi
case "${NGX_RESOLVER_STACK}" in
ipv4 | any )
NGX_RESOLVERS=$(append_list "${NGX_RESOLVERS}" "$i")
;;
esac
;;
esac
done <<-EOF
$(mawk '$1 == "nameserver" {print $2}' < "${_resolv_conf}")
EOF
unset i
done
unset _resolv_conf
[ -z "${NGX_RESOLVERS}" ] || export NGX_RESOLVERS
fi
unset _NGX_RESOLVER_STACK _NGX_RESOLVER_TIMEOUT

118
image-entry.d/12-core-user.envsh
View File

@ -9,62 +9,68 @@ unset _NGX_USER _NGX_GROUP
_NGX_USER=angie _NGX_USER=angie
_NGX_GROUP=angie _NGX_GROUP=angie
[ -n "${NGX_USER:-}" ] || NGX_USER=${_NGX_USER} if [ -z "${NGX_USER:-}" ] ; then
case "${NGX_USER}" in NGX_USER=${_NGX_USER}
"${_NGX_USER}" ) ;; else
## numeric id - remap to name case "${NGX_USER}" in
[1-9]* ) "${_NGX_USER}" ) ;;
_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1) [1-9]* )
if [ -n "${_user_name}" ] ; then ## numeric id - remap to name
NGX_USER=${_user_name} _user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
else if [ -n "${_user_name}" ] ; then
log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}" NGX_USER=${_user_name}
log_always "setting NGX_USER=${_NGX_USER}" else
NGX_USER=${_NGX_USER} log_always "NGX_USER: ID is not known in /etc/passwd: ${NGX_USER}"
fi log_always "setting NGX_USER=${_NGX_USER}"
unset _user_name NGX_USER=${_NGX_USER}
;; fi
* ) unset _user_name
_user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1) ;;
if [ -n "${_user_name}" ] ; then * )
NGX_USER=${_user_name} _user_name=$(getent passwd "${NGX_USER}" | cut -d: -f1)
else if [ -n "${_user_name}" ] ; then
log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}" NGX_USER=${_user_name}
log_always "setting NGX_USER=${_NGX_USER}" else
NGX_USER=${_NGX_USER} log_always "NGX_USER: name is not known in /etc/passwd: ${NGX_USER}"
fi log_always "setting NGX_USER=${_NGX_USER}"
unset _user_name NGX_USER=${_NGX_USER}
;; fi
esac unset _user_name
;;
esac
fi
export NGX_USER
[ -n "${NGX_GROUP:-}" ] || NGX_GROUP=${_NGX_GROUP} if [ -z "${NGX_GROUP:-}" ] ; then
case "${NGX_GROUP}" in NGX_GROUP=${_NGX_GROUP}
"${_NGX_GROUP}" ) ;; else
## numeric id - remap to name case "${NGX_GROUP}" in
[1-9]* ) "${_NGX_GROUP}" ) ;;
_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1) [1-9]* )
if [ -n "${_group_name}" ] ; then ## numeric id - remap to name
NGX_GROUP=${_group_name} _group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
else if [ -n "${_group_name}" ] ; then
log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}" NGX_GROUP=${_group_name}
log_always "setting NGX_GROUP=${_NGX_GROUP}" else
NGX_GROUP=${_NGX_GROUP} log_always "NGX_GROUP: ID is not known in /etc/group: ${NGX_GROUP}"
fi log_always "setting NGX_GROUP=${_NGX_GROUP}"
unset _group_name NGX_GROUP=${_NGX_GROUP}
;; fi
* ) unset _group_name
_group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1) ;;
if [ -n "${_group_name}" ] ; then * )
NGX_GROUP=${_group_name} _group_name=$(getent group "${NGX_GROUP}" | cut -d: -f1)
else if [ -n "${_group_name}" ] ; then
log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}" NGX_GROUP=${_group_name}
log_always "setting NGX_GROUP=${_NGX_GROUP}" else
NGX_GROUP=${_NGX_GROUP} log_always "NGX_GROUP: name is not known in /etc/group: ${NGX_GROUP}"
fi log_always "setting NGX_GROUP=${_NGX_GROUP}"
unset _group_name NGX_GROUP=${_NGX_GROUP}
;; fi
esac unset _group_name
;;
export NGX_USER NGX_GROUP esac
fi
export NGX_GROUP
unset _NGX_USER _NGX_GROUP unset _NGX_USER _NGX_GROUP

89
image-entry.d/13-core-worker.envsh
View File

@ -6,59 +6,65 @@ _NGX_WORKER_PROCESSES=2
_NGX_WORKER_PRIORITY=0 _NGX_WORKER_PRIORITY=0
_NGX_WORKER_RLIMIT_NOFILE=16384 _NGX_WORKER_RLIMIT_NOFILE=16384
_NGX_WORKER_CONNECTIONS=4096 _NGX_WORKER_CONNECTIONS=4096
_NGX_WORKER_AIO_REQUESTS=64 _NGX_WORKER_AIO_REQUESTS=32
[ -n "${NGX_WORKER_PROCESSES:-}" ] || NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES} if [ -z "${NGX_WORKER_PROCESSES:-}" ] ; then
case "${NGX_WORKER_PROCESSES}" in
## allow values within [1;999]
[1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
[Aa][Uu][Tt][Oo] )
## adjust
NGX_WORKER_PROCESSES=auto
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES} NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;; else
* ) case "${NGX_WORKER_PROCESSES}" in
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}" ## allow values within [1;999]
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}" [1-9] | [1-9][0-9] | [1-9][0-9][0-9] ) ;;
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES} [Aa][Uu][Tt][Oo] )
;; ## adjust
esac NGX_WORKER_PROCESSES=auto
log_always "NGX_WORKER_PROCESSES: \"auto\" isn't supported by container yet"
log_always "offloading decision to Angie (this could be a problem!)"
;;
0 )
log_always "NGX_WORKER_PROCESSES: \"0\" isn't supported by container yet"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
* )
log_always "NGX_WORKER_PROCESSES: unrecognized value: ${NGX_WORKER_PROCESSES}"
log_always "setting NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}"
NGX_WORKER_PROCESSES=${_NGX_WORKER_PROCESSES}
;;
esac
fi
export NGX_WORKER_PROCESSES export NGX_WORKER_PROCESSES
if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then if [ -z "${NGX_WORKER_CPU_AFFINITY:-}" ] ; then
unset NGX_WORKER_CPU_AFFINITY unset NGX_WORKER_CPU_AFFINITY
else else
## offload handling to Angie ## let Angie handle this
set -a set -a
NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}") NGX_WORKER_CPU_AFFINITY=$(normalize_list "${NGX_WORKER_CPU_AFFINITY}")
set +a set +a
fi fi
[ -n "${NGX_WORKER_CONNECTIONS:-}" ] || NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS} if [ -z "${NGX_WORKER_CONNECTIONS:-}" ] ; then
case "${NGX_WORKER_CONNECTIONS}" in
[0-9] | [1-9][0-9] )
log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS} NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;; else
## allow values within [100;9999999] case "${NGX_WORKER_CONNECTIONS}" in
[1-9][0-9][0-9] ) ;; [0-9] | [1-9][0-9] )
[1-9][0-9][0-9][0-9] ) ;; log_always "NGX_WORKER_CONNECTIONS: too low: ${NGX_WORKER_CONNECTIONS}"
[1-9][0-9][0-9][0-9][0-9] ) ;; log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
[1-9][0-9][0-9][0-9][0-9][0-9] ) ;; NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
[1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;; ;;
* ) ## allow values within [100;9999999]
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}" [1-9][0-9][0-9] ) ;;
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}" [1-9][0-9][0-9][0-9] ) ;;
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS} [1-9][0-9][0-9][0-9][0-9] ) ;;
;; [1-9][0-9][0-9][0-9][0-9][0-9] ) ;;
esac [1-9][0-9][0-9][0-9][0-9][0-9][0-9] ) ;;
* )
log_always "NGX_WORKER_CONNECTIONS: unrecognized value: ${NGX_WORKER_CONNECTIONS}"
log_always "setting NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}"
NGX_WORKER_CONNECTIONS=${_NGX_WORKER_CONNECTIONS}
;;
esac
fi
export NGX_WORKER_CONNECTIONS export NGX_WORKER_CONNECTIONS
if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then if [ -z "${NGX_WORKER_PRIORITY:-}" ] ; then
@ -181,11 +187,14 @@ else
fi fi
if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then if [ ${nofile_limit} -lt ${NGX_WORKER_CONNECTIONS} ] ; then
log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})" log_always "WARNING: ${nofile_kind} is less than NGX_WORKER_CONNECTIONS (${nofile_limit} < ${NGX_WORKER_CONNECTIONS})"
log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
else else
unset ratio
ratio=$(float_div "${nofile_limit}" "${NGX_WORKER_CONNECTIONS}") ratio=$(float_div "${nofile_limit}" "${NGX_WORKER_CONNECTIONS}")
case "${ratio}" in case "${ratio}" in
1 | 1.* ) 1 | 1.* )
log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})" log_always "WARNING: \"${nofile_kind}/NGX_WORKER_CONNECTIONS\" ratio is too low (=${ratio})"
log_always "NGX_WORKER_CONNECTIONS is recommended to be at least twice larger than ${nofile_kind}"
;; ;;
esac esac
unset ratio unset ratio

70
image-entry.d/21-http-modules.envsh
View File

@ -5,35 +5,11 @@ if [ "${NGX_HTTP}" = 0 ] ; then
else else
NGX_HTTP_NO_PROXY=$(gobool_to_int "${NGX_HTTP_NO_PROXY:-0}" 0) NGX_HTTP_NO_PROXY=$(gobool_to_int "${NGX_HTTP_NO_PROXY:-0}" 0)
export NGX_HTTP_NO_PROXY export NGX_HTTP_NO_PROXY
if [ "${NGX_HTTP_NO_PROXY}" = 0 ] ; then
NGX_HTTP_CONFLOAD=$(append_list "${NGX_HTTP_CONFLOAD}" proxy)
fi
unset http_modules http_confload unset http_modules http_confload
http_modules= http_modules=
http_confload="${NGX_HTTP_CONFLOAD:-}" http_confload="${NGX_HTTP_CONFLOAD:-}"
if [ -n "${NGX_HTTP_MODULES}" ] ; then
## angie-module-lua: depends on angie-module-ndk
## angie-module-set-misc: depends on angie-module-ndk
# unset want_ndk
# want_ndk=0
# if list_have_item "${NGX_HTTP_MODULES}" lua ; then
# want_ndk=1
# elif list_have_item "${NGX_HTTP_MODULES}" set-misc ; then
# want_ndk=1
# fi
# if [ ${want_ndk} = 1 ] ; then
# NGX_HTTP_MODULES=$(prepend_list "${NGX_HTTP_MODULES}" ndk)
# fi
# unset want_ndk
NGX_HTTP_MODULES=$(
printf '%s' "${NGX_HTTP_MODULES}" \
| sed -zE 's/(\s|^)(lua|set-misc)(\s|$)/\1ndk \2\3/g'
)
fi
## filter out builtin http modules ## filter out builtin http modules
unset i unset i
for i in ${NGX_HTTP_MODULES:-} ; do for i in ${NGX_HTTP_MODULES:-} ; do
@ -62,17 +38,30 @@ else
done done
unset i unset i
if [ "${NGX_HTTP_NO_PROXY}" = 0 ] ; then
http_confload="${http_confload} proxy"
fi
## grpc depends on http/2 ## grpc depends on http/2
if list_have_item "${NGX_HTTP_CONFLOAD}" grpc ; then if list_have_item "${http_confload}" grpc ; then
unset want_http2 http_confload="${http_confload} v2"
want_http2=0 fi
if ! list_have_item "${NGX_HTTP_CONFLOAD}" v2 ; then
want_http2=1 ## angie-module-lua: depends on angie-module-ndk
## angie-module-set-misc: depends on angie-module-ndk
if [ -n "${http_modules:-}" ] ; then
unset want_ndk
want_ndk=0
if list_have_item "${http_modules}" lua ; then
want_ndk=1
elif list_have_item "${http_modules}" set-misc ; then
want_ndk=1
fi fi
if [ "${want_http2}" = 1 ] ; then if [ ${want_ndk} = 1 ] ; then
NGX_HTTP_CONFLOAD=$(append_list "${NGX_HTTP_CONFLOAD}" v2) ## forcefully move 'ndk' to beginning of list
http_modules=$(printf '%s' " ${http_modules} " | sed -zE 's/ ndk / /;s/^/ndk/;s/ $//')
fi fi
unset want_http2 unset want_ndk
fi fi
set -a set -a
@ -85,20 +74,19 @@ else
## quirk: angie-module-modsecurity ## quirk: angie-module-modsecurity
unset NGX_HTTP_WITH_MODSECURITY unset NGX_HTTP_WITH_MODSECURITY
NGX_HTTP_WITH_MODSECURITY=0 NGX_HTTP_WITH_MODSECURITY=0
while : ; do if list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then
if ! list_have_item "${NGX_HTTP_MODULES}" modsecurity ; then unset d f
break
fi
for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do for d in /angie/modules /etc/angie/modules /etc/angie/modules.dist ; do
[ -d "$d" ] || continue [ -d "$d" ] || continue
[ -f "$d/ngx_http_modsecurity_module.so" ] || continue f="$d/ngx_http_modsecurity_module.so"
if ! [ -h "$d/ngx_http_modsecurity_module.so" ] ; then [ -f "$f" ] || continue
if ! [ -h "$f" ] ; then
NGX_HTTP_WITH_MODSECURITY=1 NGX_HTTP_WITH_MODSECURITY=1
break break
fi fi
done ; unset d done
break ; done unset d f
fi
export NGX_HTTP_WITH_MODSECURITY export NGX_HTTP_WITH_MODSECURITY
if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then if [ "${NGX_HTTP_WITH_MODSECURITY}" = 1 ] ; then

47
image-entry.d/24-http-forward-headers.envsh
View File

@ -25,31 +25,34 @@ else
NGX_HTTP_X_FORWARDED=remove NGX_HTTP_X_FORWARDED=remove
fi fi
[ -n "${NGX_HTTP_X_FORWARDED:-}" ] || NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED} if [ -z "${NGX_HTTP_X_FORWARDED:-}" ] ; then
case "${NGX_HTTP_X_FORWARDED}" in NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
[Pp][Aa][Ss][Ss] ) else
## adjust case "${NGX_HTTP_X_FORWARDED}" in
NGX_HTTP_X_FORWARDED=pass [Pp][Aa][Ss][Ss] )
;; ## adjust
[Rr][Ee][Mm][Oo][Vv][Ee] ) NGX_HTTP_X_FORWARDED=pass
## adjust ;;
NGX_HTTP_X_FORWARDED=remove [Rr][Ee][Mm][Oo][Vv][Ee] )
;; ## adjust
* ) NGX_HTTP_X_FORWARDED=remove
unset x ;;
x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
case "$x" in
0 ) NGX_HTTP_X_FORWARDED=remove ;;
1 ) NGX_HTTP_X_FORWARDED=pass ;;
* ) * )
log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}" unset x
log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}" x=$(gobool_to_int "${NGX_HTTP_X_FORWARDED}")
NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED} case "$x" in
0 ) NGX_HTTP_X_FORWARDED=remove ;;
1 ) NGX_HTTP_X_FORWARDED=pass ;;
* )
log_always "NGX_HTTP_X_FORWARDED: unrecognized value: ${NGX_HTTP_X_FORWARDED}"
log_always "setting NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}"
NGX_HTTP_X_FORWARDED=${_NGX_HTTP_X_FORWARDED}
;;
esac
unset x
;; ;;
esac esac
unset x fi
;;
esac
export NGX_HTTP_X_FORWARDED export NGX_HTTP_X_FORWARDED
unset _NGX_HTTP_FAKE_UA _NGX_HTTP_X_FORWARDED unset _NGX_HTTP_FAKE_UA _NGX_HTTP_X_FORWARDED

2
image-entry.d/99-cleanup-env.envsh
View File

@ -41,7 +41,7 @@ else
fi <<-EOF fi <<-EOF
$( $(
set +e set +e
cat /proc/self/environ \ cat /proc/$$/environ \
| sed -zEn '/^([^=]+).*$/s//\1/p' \ | sed -zEn '/^([^=]+).*$/s//\1/p' \
| xargs -0r printf '%q\n' \ | xargs -0r printf '%q\n' \
| { | {

2
requirements.txt
View File

@ -2,4 +2,4 @@ jinja2==3.1.4
netaddr==1.3.0 netaddr==1.3.0
psutil==6.0.0 psutil==6.0.0
pyyaml==6.0.2 pyyaml==6.0.2
wcmatch==9.0 wcmatch==10.0

32
scripts/apt-clean.sh
View File

@ -23,24 +23,28 @@ find /var/cache/debconf/ ! -type d -wholename '/var/cache/debconf/*-old' -delete
__t=$(mktemp) ; : "${__t:?}" __t=$(mktemp) ; : "${__t:?}"
debconf_trim_i18n() { debconf_trim_i18n() {
mawk 'BEGIN { m = 0 } mawk 'BEGIN { m = 0; }
$0 == "" { print } $0 == "" { print; }
/^[^[:space:]]/ { /^[^[:space:]]/ {
if ($1 ~ "\.[Uu][Tt][Ff]-?8:") { m = 1; next; } if ($1 ~ "\.[Uu][Tt][Ff]-?8:") {
m = 0; print $0; m = 1;
} next;
/^[[:space:]]/ { }
if (m == 1) next; m = 0;
print $0; print $0;
}' < "$1" > "${__t}" }
cat < "${__t}" > "$1" /^[[:space:]]/ {
if (m == 1) next;
print $0;
}' < "$1" > "${__t}"
cat < "${__t}" > "$1"
} }
debconf_trim_i18n /var/cache/debconf/templates.dat debconf_trim_i18n /var/cache/debconf/templates.dat
while read -r tmpl ; do while read -r tmpl ; do
[ -n "${tmpl}" ] || continue [ -n "${tmpl}" ] || continue
[ -s "${tmpl}" ] || continue [ -s "${tmpl}" ] || continue
debconf_trim_i18n "${tmpl}" debconf_trim_i18n "${tmpl}"
done <<EOF done <<EOF
$(find "${DPKG_ADMINDIR}/info/" -type f -name '*.templates' | sort -V) $(find "${DPKG_ADMINDIR}/info/" -type f -name '*.templates' | sort -V)
EOF EOF

7
scripts/apt-install-angie-mod.sh
View File

@ -37,16 +37,15 @@ normalize_list() {
[ -n "$1" ] || return 0 [ -n "$1" ] || return 0
printf '%s' "$1" \ printf '%s' "$1" \
| tr -s '[:space:]' ' ' \ | sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
| sed -zE 's/^ //;s/ $//'
} }
sort_dedup_list() { sort_dedup_list() {
[ -n "$1" ] || return 0 [ -n "$1" ] || return 0
printf '%s' "$1" \ printf '%s' "$1" \
| tr -s '[:space:]' '\n' | sort -uV | paste -sd ' ' \ | tr -s '[:space:]' '\n' | sort -uV \
| sed -zE 's/^\s+//;s/\s+$//' | sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//'
} }
pkgs=$(sort_dedup_list "${pkgs}") pkgs=$(sort_dedup_list "${pkgs}")

5
scripts/apt-install.sh
View File

@ -22,8 +22,9 @@ _apt_update() {
} }
_dpkg_avail_hack() { _dpkg_avail_hack() {
: "${DPKG_ADMINDIR:=/var/lib/dpkg}"
VERSION_CODENAME=$(. /etc/os-release ; printf '%s' "${VERSION_CODENAME}") || : VERSION_CODENAME=$(. /etc/os-release ; printf '%s' "${VERSION_CODENAME}") || :
f="${DPKG_ADMINDIR:-/var/lib/dpkg}/available" f="${DPKG_ADMINDIR}/available"
# if ${VERSION_CODENAME} is empty then we're on Debian sid or so :) # if ${VERSION_CODENAME} is empty then we're on Debian sid or so :)
case "${VERSION_CODENAME}" in case "${VERSION_CODENAME}" in
stretch | buster | bionic | focal ) stretch | buster | bionic | focal )
@ -31,7 +32,7 @@ _dpkg_avail_hack() {
if [ -s "$f" ] ; then if [ -s "$f" ] ; then
return return
fi fi
/usr/lib/dpkg/methods/apt/update "${DPKG_ADMINDIR:-/var/lib/dpkg}" apt apt /usr/lib/dpkg/methods/apt/update "${DPKG_ADMINDIR}" apt apt
;; ;;
* ) * )
touch "$f" touch "$f"

10
scripts/envsubst-args.sh
View File

@ -1,19 +1,17 @@
#!/bin/sh #!/bin/sh
set -f set -f
sed -znE '/^([^=]+)=.*$/s,,\1,p' /proc/self/environ \ sed -znE '/^([^=]+)=.*$/s,,\1,p' /proc/$$/environ \
| sed -zE \ | sed -zE \
-e '/^_$/d;/^ENVSUBST_/d;' \ -e '/^_$/d;/^ENVSUBST_/d;' \
-e '/^__IEP_/d;/^IEP_$/d' \ -e '/^__IEP_/d;/^IEP_$/d' \
| { | {
if [ -n "${ENVSUBST_EXCLUDE_REGEX:-}" ] ; then if [ -n "${ENVSUBST_EXCLUDE_REGEX:-}" ] ; then
grep -zEv -e "${ENVSUBST_EXCLUDE_REGEX}" grep -zEv -e "${ENVSUBST_EXCLUDE_REGEX}"
elif [ -n "${ENVSUBST_INCLUDE_REGEX:-}" ] ; then
grep -zE -e "${ENVSUBST_INCLUDE_REGEX}"
else else
if [ -n "${ENVSUBST_INCLUDE_REGEX:-}" ] ; then cat
grep -zE -e "${ENVSUBST_INCLUDE_REGEX}"
else
cat
fi
fi fi
} \ } \
| sort -zV \ | sort -zV \

15
scripts/openssl-cert-auto-pem.sh
View File

@ -20,11 +20,16 @@ w_cleanup() {
} }
bundle_offsets() { bundle_offsets() {
awk ' mawk 'BEGIN { OFS = ","; i_begin = 0; }
BEGIN { OFS = "," ; i_begin = 0 ; } $0 == "-----BEGIN CERTIFICATE-----" {
$0 == "-----BEGIN CERTIFICATE-----" { i_begin = NR ; } i_begin = NR;
$0 == "-----END CERTIFICATE-----" { if (i_begin > 0) { print i_begin,NR ; i_begin = 0 ; } } }
' "$1" $0 == "-----END CERTIFICATE-----" {
if (i_begin > 0) {
print i_begin, NR;
i_begin = 0;
}
}' "$1"
} }
bundle_fingerprints() { bundle_fingerprints() {

6
scripts/python-rm-cache.sh
View File

@ -1,7 +1,9 @@
#!/bin/sh #!/bin/sh
set -f set -f
for i ; do for i ; do
find "$i/" -name __pycache__ -exec rm -rf {} + [ -n "$i" ] || continue
find "$i/" ! -type d -name '*.py[co]' -exec rm -f {} + [ -d "$i" ] || continue
find "$i/" -name __pycache__ -exec rm -rf {} +
find "$i/" ! -type d -name '*.py[co]' -exec rm -f {} +
done done
exit 0 exit 0

63
scripts/static-compress.sh
View File

@ -1,52 +1,41 @@
#!/bin/sh #!/bin/sh
set -f set -f
COMPRESS_MIN_RATIO=90
if command -V gzip >/dev/null ; then has_gzip=1 ; fi if command -V gzip >/dev/null ; then has_gzip=1 ; fi
if command -V brotli >/dev/null ; then has_brotli=1 ; fi if command -V brotli >/dev/null ; then has_brotli=1 ; fi
if command -V zstd >/dev/null ; then has_zstd=1 ; fi if command -V zstd >/dev/null ; then has_zstd=1 ; fi
do_gzip() { [ -s "$1.gz" ] || gzip -1kf "$1" ; comp_fixup "$1" "$1.gz" ; } do_gzip() { [ -s "$1.gz" ] || gzip -1kf "$1" || return ; comp_fixup "$1" "$1.gz" || rm -f "$1.gz" ; }
do_brotli() { [ -s "$1.br" ] || brotli -1kf "$1" ; comp_fixup "$1" "$1.br" ; } do_brotli() { [ -s "$1.br" ] || brotli -1kf "$1" || return ; comp_fixup "$1" "$1.br" || rm -f "$1.br" ; }
do_zstd() { [ -s "$1.zst" ] || zstd -q1kf "$1" ; comp_fixup "$1" "$1.zst" ; } do_zstd() { [ -s "$1.zst" ] || zstd -q1kf "$1" || return ; comp_fixup "$1" "$1.zst" || rm -f "$1.zst" ; }
float_div() {
mawk -v "a=$1" -v "b=$2" 'BEGIN{print a/b;exit;}' </dev/null
}
comp_fixup() { comp_fixup() {
size1=$(env stat -c '%s' "$1") || return [ -f "$1" ] || return 1
size1=$(env stat -Lc '%s' "$1") || return 1
[ -n "${size1}" ] || return 1
[ "${size1}" != 0 ] || return 1
[ -f "$2" ] || return [ -f "$2" ] || return 1
[ -s "$2" ] || { rm -f "$2" ; return ; } size2=$(env stat -c '%s' "$2") || return 1
size2=$(env stat -c '%s' "$2") || return [ -n "${size2}" ] || return 1
[ "${size2}" != 0 ] || return 1
pow1=${#size1} ; pow2=${#size2} ratio=$(float_div "${size2}" "${size1}") || return 1
case "${ratio}" in
[0-9]*e-[0-9]* )
## doubtful but okay (c) Oleg Tinkov
;;
0.[0-8]* | 0.90* )
## compression ratio below 90% is fine
;;
* ) return 1 ;;
esac
## if size2 is _longer_ than size1 - compression did something wrong (file is bigger) return 0
if [ ${pow2} -gt ${pow1} ] ; then
rm -f "$2" ; return
fi
## if size1 is _longer_ size2 more than 2 digits - compression was done very successful
## doubtful but okay (c) Oleg Tinkov
if [ $(( pow1 - pow2 )) -gt 2 ] ; then
return
fi
## math hack!
if [ ${pow1} -gt 7 ] ; then
skew=$(( pow1 - 4 ))
pow1=$(( pow1 - skew ))
pow2=$(( pow2 - skew ))
size1=$(printf '%s' "${size1}" | cut -c 1-${pow1})
size2=$(printf '%s' "${size2}" | cut -c 1-${pow2})
fi
ratio=$(( (100 * size2) / size1 ))
if [ ${ratio} -ge ${COMPRESS_MIN_RATIO} ] ; then
rm -f "$2"
else
## seems to be excessive
: touch -r "$1" -m "$2"
fi
} }
for i ; do for i ; do