## Build recipe for the angie-conv image.
## Three stages, all derived from the prebuilt "deps" image:
##   certs   - extends the system CA bundle and records its fingerprints
##   pycache - pre-compiles the Python bytecode that the final image ships
##   (final) - installs Angie, builds the custom /etc/angie layout, sets entrypoint
## NB(review): the base is pinned by tag only; pinning by @sha256 digest would
## make rebuilds fully reproducible.
FROM docker.io/rockdrilla/angie-conv:v0.0.1-deps AS deps

## ---

FROM deps AS certs
## -e: abort the RUN on the first failing command; -c: run the string
SHELL [ "/bin/sh", "-ec" ]

## helper scripts are placed in sbin here (build-time only stage)
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## consult https://github.com/certifi/python-certifi/
## pinned commit; presumably consumed by certifi-extras.sh - TODO confirm
ENV CERTIFI_COMMIT=bd8153872e9c6fc98f4023df9c2deaffea2fa463

## Fingerprint the CA bundle before and after certifi-extras.sh so the
## delta introduced by the extra certificates is inspectable; both
## fingerprint lists (.fp.orig / .fp) are copied into the final image below.
RUN apt-install.sh ca-certificates ; \
    ## process certifi
    ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
    openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp.orig" ; \
    ls -l "${ca_file}" ; \
    certifi-extras.sh ; \
    openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp" ; \
    ## bundle and fingerprint lists are read-only for everyone
    chmod 0444 "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig" ; \
    ls -l "${ca_file}" "${ca_file}.fp" "${ca_file}.fp.orig"

## ---

FROM deps AS pycache
SHELL [ "/bin/sh", "-ec" ]

## only the bundle itself is needed here (no fingerprint lists)
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
COPY /j2cfg/ /usr/local/lib/j2cfg/

## Python treats an empty PYTHONDONTWRITEBYTECODE as unset, so .pyc files
## may be written during this stage; presumably the deps image sets it
## non-empty - confirm. The ENV does not reach the final stage (FROM deps).
ENV PYTHONDONTWRITEBYTECODE=''

## Python cache preseed
RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
## Compile a subset of the stdlib (collections, importlib, json, re) and all
## site-packages except the packaging tools and non-package entries
## (*.dist-info, *.pth, *.txt). `env -C` runs compileall from inside the
## directory so the relative names produced by find resolve.
## NB: PYTHON_SITE_PACKAGES is expected from the deps image - not set here.
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
    find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
    | sed -zEn \
      -e '/^(collections|importlib|json|re)$/p' \
    | sort -zV \
    | env -C "${libpython}" xargs -0r \
      python3 -m compileall -q -j 2 ; \
    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
    | sed -zE \
      -e '/\.(dist-info|pth|txt)$/d' \
      -e '/^(pip|pkg_resources|setuptools|wheel)$/d' \
    | sort -zV \
    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
      python3 -m compileall -q -j 2

## Python cache warmup
## Render a test template once; presumably this exercises the j2cfg import
## path so any bytecode not covered by compileall gets written - confirm.
RUN j2cfg-single /usr/local/lib/j2cfg/test.j2 /tmp/test ; \
    cat /tmp/test ; echo ; echo ; \
    rm -f /tmp/test

## Python cache adjustments
## Stamp every .pyc and __pycache__ with one common (current) mtime.
## NB(review): the timestamp is taken from the build clock, so this layer is
## not byte-reproducible across builds.
RUN d="@$(date '+%s')" ; \
    find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
    find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +

## ---

FROM deps
SHELL [ "/bin/sh", "-ec" ]

## NB: NGX_DEBUG is set via build script
## (if it is unset or empty, the binary selection below keeps the -debug build)

## ship the build recipe inside the image for reference
COPY /Dockerfile /usr/local/share/
## CA bundle plus both fingerprint lists from the certs stage
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/

## RFC: Python cache
## TODO: reduce load by selecting only __pycache__ directories in either way
## the whole tree is copied, which also brings in /usr/local/lib/j2cfg/
COPY --from=pycache /usr/local/lib/ /usr/local/lib/
## already copied by statement above
# COPY /j2cfg/ /usr/local/lib/j2cfg/

ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules

## runtime helper scripts live in bin here (sbin is reserved for custom entrypoints, see below)
COPY /scripts/* /usr/local/bin/

## Create the service account with a fixed UID/GID, no login shell and a
## locked password ('!' in /etc/shadow). Written with echo instead of
## useradd - presumably because useradd is not available in deps - confirm.
RUN _UID=11111 _GID=11111 ; \
    echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
    echo "angie:x:${_GID}:" >> /etc/group ; \
    echo 'angie:!:::::::' >> /etc/shadow

## Install Angie, then keep exactly one of the two shipped binaries
## (-debug / -nodebug) as /usr/sbin/angie according to NGX_DEBUG.
RUN apt-install.sh angie ; \
    apt-clean.sh ; \
    ## verify Angie layout
    [ -d "${ANGIE_MODULES_DIR}" ] ; \
    n='/usr/sbin/angie' ; \
    [ -x "$n-debug" ] ; \
    [ -x "$n-nodebug" ] ; \
    ## adjust Angie binaries
    rm -fv "$n" ; \
    if [ "${NGX_DEBUG}" = 0 ] ; then \
        rm -fv "$n-debug" ; \
        mv -fv "$n-nodebug" "$n" ; \
    else \
        rm -fv "$n-nodebug" ; \
        mv -fv "$n-debug" "$n" ; \
    fi

## preserve snippets from Angie config directory
## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.6.2/conf
## Stash the listed stock files, wipe the packaged /etc/angie entirely and
## re-create it with those files under snip.dist only.
RUN d=/etc/angie ; t=$(mktemp -d) ; \
    tar -C "$d" -cf - \
        fastcgi_params \
        fastcgi.conf \
        mime.types \
        prometheus_all.conf \
        scgi_params \
        uwsgi_params \
    | tar -C "$t" -xf - ; \
    rm -rf "$d" ; \
    install -d "$d" "$d/snip.dist" ; \
    tar -C "$t" -cf - . \
    | tar -C "$d/snip.dist" -xf - ; \
    rm -rf "$t"

## copy directory structure
COPY /angie/ /etc/angie/

## produce own layout for Angie >:)
## /angie/ is persistence store
## Mode 03777 = setgid + sticky + world-writable (like /tmp).
## NOTE(review): world-writable is only justified if processes under other
## UIDs must write here at runtime - confirm; /run/angie becomes a VOLUME below.
RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
    ## adjust paths across filesystem
    ## the stock var directories are replaced by symlinks into /run/angie
    rm -rfv /var/cache/angie/ /var/lib/angie/ /var/log/angie/ ; \
    ln -sv /run/angie/cache /var/cache/angie ; \
    ln -sv /run/angie/lib /var/lib/angie ; \
    ln -sv /run/angie/log /var/log/angie ; \
    ## adjust paths in config directory
    cd /etc/angie || exit 1 ; \
    ln -sv /run/angie run ; \
    ln -sv /run/angie/load load ; \
    ln -sv /run/angie/lock lock ; \
    ln -sv ${ANGIE_MODULES_DIR} modules.dist ; \
    ## hyper-modular paths:
    ## for each name: "<name>" and "<name>.dist" exist as directories
    ## (modules.dist was already symlinked above, so the -e test skips it),
    ## and "<name>.d" points into the runtime volume
    data='autoconf conf j2cfg mod modules site snip static tls' ; \
    vardata='cache lib log' ; \
    for n in ${data} ; do \
        for d in "$n" "$n.dist" ; do \
            [ -e "$d" ] || install -d "$d" ; \
        done ; \
    done ; \
    for n in ${data} ${vardata} ; do \
        ln -sv "/run/angie/$n" "$n.d" ; \
    done

## special empty directory
## read-only (0555) empty directory; its consumer is not visible in this file
RUN d='/var/lib/empty' ; \
    rm -rf "$d" ; \
    if [ -d "$d" ] ; then exit 1 ; fi ; \
    install -d -m 0555 "$d"

## prepare DH params for TLS
## NB: disabled in pipeline for now
## reason: too slow (and too much effort)
# RUN cd /etc/angie/tls.dist || exit 1 ; \
#     openssl-generate-dh-bundle.sh

## future quirk for angie-module-modsecurity >:)
## dpkg-divert makes a later package install land its files under the
## *.dist paths instead of the live config directory; rules.conf is
## diverted to rules.conf.dist.
RUN n='modsecurity' ; \
    d="/etc/angie/$n" ; \
    ln -sv "/run/angie/$n" "$d.d" ; \
    dpkg-divert --divert "$d.dist" --rename "$d" ; \
    for p in modsecurity.conf unicode.mapping ; do \
        dpkg-divert --divert "$d.dist/$p" --rename "$d/$p" ; \
    done ; \
    p='rules.conf' ; \
    dpkg-divert --divert "$d.dist/$p.dist" --rename "$d/$p"

## declared after the directory was created above; it holds nothing at this point
VOLUME [ "/run/angie" ]

## preseed builtin modules list
## run the helper once, then remove it (build-time only)
RUN x='angie-builtin-modules.sh' ; \
    "$x" ; \
    rm -fv "$(which "$x")"

## relatively lightweight modules
RUN apt-install-angie-mod.sh \
        brotli \
        cache-purge \
        echo \
        geoip2 \
        headers-more \
        subs \
        upload \
        zip \
        zstd \
    ; \
    apt-clean.sh

## adjust permissions/ownership
## The config tree is root-owned and read-only for the angie user
## (directories 0755, regular files 0644; symlinks untouched).
## NB(review): 0644 makes every file world-readable - nothing secret may be
## placed under /etc/angie at build time (DH generation above is disabled).
RUN d='/etc/angie' ; \
    chown -hR 0:0 "$d" ; \
    find "$d/" -name .gitkeep -type f -delete ; \
    find "$d/" -type d -exec chmod 0755 {} + ; \
    find "$d/" -type f -exec chmod 0644 {} +

## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
## - there's no need to change ENTRYPOINT/CMD
## - custom entrypoint should be placed in /usr/local/sbin/
## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
## (ENTRYPOINT below is a bare name, so the override relies on
##  /usr/local/sbin preceding /usr/local/bin in PATH - presumably set in deps)
COPY /image-entry.sh /usr/local/bin/
COPY /image-entry.d/ /image-entry.d/

## must be bind-mounted only for local customization/overrides!
# RUN install -d /image-entry

## misc defaults
## DUMB_INIT_SETSID: presumably read by a dumb-init launched from image-entry.sh - confirm
## MALLOC_ARENA_MAX: caps glibc malloc arenas to limit memory footprint
ENV DUMB_INIT_SETSID=0 \
    MALLOC_ARENA_MAX=4

## SIGQUIT is the graceful-shutdown signal for nginx-family servers
STOPSIGNAL SIGQUIT

## NOTE(review): no USER directive - the image ends as root; the angie
## account created above is presumably used by Angie's worker processes or by
## image-entry.sh to drop privileges - confirm.
ENTRYPOINT [ "image-entry.sh" ]
CMD [ "angie" ]