ARG IMAGE_VERSION
FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-deps AS deps
## ---
FROM deps AS pycache
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /scripts-extra/* /usr/local/sbin/
COPY /j2cfg/ /usr/local/lib/j2cfg/
ENV PYTHONDONTWRITEBYTECODE=''
## Python cache preseed
RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zEn \
-e '/^(collections|concurrent|encodings|importlib|json|logging|multiprocessing|re|urllib)$/p' \
| sort -zV \
| env -C "${libpython}" xargs -0r \
python3 -m compileall -q -j 2 ; \
find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zE \
-e '/\.(dist-info|pth|txt)$/d' \
-e '/^pip$/d' \
| sort -zV \
| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
python3 -m compileall -q -j 2
## Python cache warmup
RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
cat /tmp/test ; echo ; echo ; \
rm -f /tmp/test
## Python cache adjustments
RUN d="@$(date '+%s')" ; \
find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +
WORKDIR /pycache
RUN find /usr/local/ -type f -name '*.py[co]' -printf '%P\0' \
| sort -zV \
| tar -C /usr/local --null -T - -cf - \
| tar -xf -
## ---
FROM deps
SHELL [ "/bin/sh", "-ec" ]
## NB: NGX_DEBUG is set via build script
COPY /Dockerfile /usr/local/share/
COPY /j2cfg/ /usr/local/lib/j2cfg/
## RFC: Python cache
COPY --from=pycache /pycache/ /usr/local/
ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules
COPY /scripts/* /usr/local/bin/
RUN _UID=11111 _GID=11111 ; \
echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
echo "angie:x:${_GID}:" >> /etc/group ; \
echo 'angie:!:::::::' >> /etc/shadow
COPY /apt/sources.angie /etc/apt/sources.list.d/angie.sources
RUN apt-install.sh \
angie \
angie-console-light \
; \
apt-clean.sh ; \
## verify Angie layout
[ -d "${ANGIE_MODULES_DIR}" ] ; \
n='/usr/sbin/angie' ; \
[ -x "$n-debug" ] ; \
[ -x "$n-nodebug" ] ; \
## adjust Angie binaries
rm -fv "$n" ; \
if [ "${NGX_DEBUG}" = 0 ] ; then \
rm -fv "$n-debug" ; \
mv -fv "$n-nodebug" "$n" ; \
else \
rm -fv "$n-nodebug" ; \
mv -fv "$n-debug" "$n" ; \
fi
## preserve snippets from Angie config directory
## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.9.0/conf
RUN d=/etc/angie ; t=$(mktemp -d) ; \
tar -C "$d" -cf - \
fastcgi_params \
fastcgi.conf \
mime.types \
prometheus_all.conf \
scgi_params \
uwsgi_params \
| tar -C "$t" -xf - ; \
rm -rf "$d" ; \
install -d "$d" "$d/snip.dist" ; \
tar -C "$t" -cf - . | tar -C "$d/snip.dist" -xf - ; \
rm -rf "$t"
## copy directory structure
COPY /angie/ /etc/angie/
## produce own layout for Angie >:)
## /angie/ is persistence store
RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
## adjust paths across filesystem
rm -rfv /var/cache/angie/ /var/lib/angie/ /var/log/angie/ ; \
ln -sv /run/angie/cache /var/cache/angie ; \
ln -sv /run/angie/lib /var/lib/angie ; \
ln -sv /run/angie/log /var/log/angie ; \
## adjust paths in config directory
cd /etc/angie || exit 1 ; \
ln -sv /run/angie run ; \
ln -sv /run/angie/load load ; \
ln -sv /run/angie/lock lock ; \
ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
## hyper-modular paths:
data='autoconf conf j2cfg mod modules site snip static tls' ; \
vardata='cache lib log' ; \
for n in ${data} ; do \
for d in "$n" "$n.dist" ; do \
[ -e "$d" ] || install -d "$d" ; \
done ; \
done ; \
for n in ${data} ${vardata} ; do \
ln -sv "/run/angie/$n" "$n.d" ; \
done
## special empty directory
RUN d='/var/lib/empty' ; \
rm -rf "$d" ; \
if [ -d "$d" ] ; then exit 1 ; fi ; \
install -d -m 0555 "$d"
## prepare DH params for TLS
## NB: disabled in pipeline for now
## reason: too slow (and too much effort)
# RUN cd /etc/angie/tls.dist || exit 1 ; \
# openssl-generate-dh-bundle.sh
## future quirk for angie-module-modsecurity >:)
RUN n='modsecurity' ; \
d="/etc/angie/$n" ; \
ln -sv "/run/angie/$n" "$d.d" ; \
dpkg-divert --divert "$d.dist" --rename "$d" ; \
for p in modsecurity.conf unicode.mapping ; do \
dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
done ; \
p='rules.conf' ; \
dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"
VOLUME [ "/run/angie" ]
## preseed builtin modules list
RUN x='angie-builtin-modules.sh' ; \
"$x" ; \
rm -fv "$(which "$x")"
## relatively lightweight modules
RUN apt-install-angie-mod.sh \
brotli \
cache-purge \
echo \
geoip2 \
headers-more \
subs \
upload \
zip \
zstd \
; \
apt-clean.sh
## adjust permissions/ownership
RUN d='/etc/angie' ; \
chown -hR 0:0 "$d" ; \
find "$d/" -name .gitkeep -type f -delete ; \
find "$d/" -type d -exec chmod 0755 {} + ; \
find "$d/" -type f -exec chmod 0644 {} +
## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
## - there's no need to change ENTRYPOINT/CMD
## - custom entrypoint should be placed in /usr/local/sbin/
## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
COPY /image-entry.sh /usr/local/bin/
COPY /image-entry.d/ /image-entry.d/
## must be bind-mounted only for local customization/overrides!
# RUN install -d /image-entry
## misc defaults
ENV MALLOC_ARENA_MAX=4
STOPSIGNAL SIGQUIT
ENTRYPOINT [ "image-entry.sh" ]
CMD [ "angie" ]