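## Angie web server image, built in three stages on top of a shared "deps" base:
##   certs   - extends the CA bundle (certifi pinned by commit hash)
##   pycache - precompiles Python bytecode (its output is not copied at the moment,
##             see the commented-out COPY in the final stage)
##   final   - installs Angie and its modules and lays out /etc/angie, /run/angie and /angie
## Helper scripts (apt-install.sh, apt-clean.sh, certifi-extras.sh, ...) come from the
## base image or from /scripts and /extra-scripts in the build context; they are not
## part of this file.

## NOTE(review): "deps-v1" is a tag, not a digest, and every stage below inherits from it.
## Pin it as "...:deps-v1@sha256:<digest of the reviewed image>" if builds must be reproducible.
FROM docker.io/rockdrilla/angie-conv:deps-v1 AS deps

## ---

FROM deps AS certs
## "-e" makes every ";"-separated command below fatal on failure.
SHELL [ "/bin/sh", "-ec" ]

COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## consult https://github.com/certifi/python-certifi/
## The certifi revision is pinned by full commit hash; bump it deliberately after reviewing upstream.
ENV CERTIFI_COMMIT=bd8153872e9c6fc98f4023df9c2deaffea2fa463

## NOTE(review): certifi-extras.sh is not visible here - presumably it fetches certifi's
## bundle at CERTIFI_COMMIT and merges it into the system bundle; confirm that it fails
## the build on a download error. The two "ls -l" calls put the bundle's size before and
## after into the build log. Only the bundle and /usr/local/share/ca-certificates/ are
## copied out of this stage.
RUN pkg='curl' ; \
    apt-install.sh ca-certificates ${pkg} ; \
    ## process certifi
    ls -l /etc/ssl/certs/ca-certificates.crt ; \
    certifi-extras.sh ; \
    ls -l /etc/ssl/certs/ca-certificates.crt

## ---

FROM deps AS pycache
SHELL [ "/bin/sh", "-ec" ]

COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## CPython honours this variable only when it is a non-empty string, so the empty value
## allows .pyc files to be written in this stage.
## (presumably the base image sets it to a non-empty value - confirm)
ENV PYTHONDONTWRITEBYTECODE=''

## Python cache preseed
## First pipeline: compile the listed standard-library packages only.
## Second pipeline: compile everything in site-packages except packaging metadata
## and pip/pkg_resources/setuptools/wheel.
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
    find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
    | sed -zEn \
      -e '/^(asyncio|collections|concurrent|encodings|html|importlib|json|logging|multiprocessing|re|urllib|xml)$/p' \
    | sort -zV \
    | env -C "${libpython}" xargs -0r \
      python3 -m compileall -q -j 2 ; \
    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
    | sed -zE \
      -e '/\.(dist-info|pth|txt)$/d' \
      -e '/^(pip|pkg_resources|setuptools|wheel)$/d' \
    | sort -zV \
    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
      python3 -m compileall -q -j 2

## Python cache warmup
## Runs the interpreter, jinja.py on an empty template and "pip list" once, then drops
## the __pycache__ directories under pip/ again.
RUN python3 -m site > /dev/null ; \
    echo > /tmp/f.j2 ; \
    jinja.py /tmp/f.j2 ; \
    pip-env.sh pip list -v >/dev/null ; \
    find "${PYTHON_SITE_PACKAGES}/pip/" -name __pycache__ -exec rm -rf {} +

## Python cache adjustments
## Every .pyc file and __pycache__ directory gets the same mtime (the build time, as "@<epoch>").
RUN d="@$(date '+%s')" ; \
    libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
    find "${libpython}/" -name '*.pyc' -exec touch -m -d "$d" {} + ; \
    find "${libpython}/" -name __pycache__ -exec touch -m -d "$d" {} +

## ---

FROM deps
SHELL [ "/bin/sh", "-ec" ]

## NB: NGX_DEBUG is set via build script
## NOTE(review): this file declares no ARG/ENV for NGX_DEBUG, so the value has to come from
## the base image or the builder. Any value other than "0" - including an unset variable -
## selects the debug binary further down; release builds should set it explicitly.

COPY /Dockerfile /usr/local/share/

COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=certs /usr/local/share/ca-certificates/ /usr/local/share/ca-certificates/

## RFC: Python cache
## TODO: reduce load by selecting only __pycache__ directories in either way
# COPY --from=pycache /usr/local/lib/ /usr/local/lib/

ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules

COPY /scripts/* /usr/local/bin/

## Service account with fixed UID/GID 11111, written straight into the account databases:
## the login shell is /bin/false and the "!" password field in /etc/shadow is a locked password.
RUN _UID=11111 _GID=11111 ; \
    echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
    echo "angie:x:${_GID}:" >> /etc/group ; \
    echo 'angie:!:::::::' >> /etc/shadow

## Install Angie and keep exactly one binary variant as /usr/sbin/angie. The suffixed name
## of the kept variant becomes a symlink to "angie"; the other one becomes a symlink to /bin/false.
RUN apt-install.sh angie ; \
    apt-clean.sh ; \
    ## verify Angie layout
    [ -d "${ANGIE_MODULES_DIR}" ] ; \
    n='/usr/sbin/angie' ; \
    [ -x "$n-debug" ] ; \
    [ -x "$n-nodebug" ] ; \
    ## adjust Angie binaries
    rm -fv "$n" ; \
    if [ "${NGX_DEBUG}" = 0 ] ; then \
        rm -fv "$n-debug" ; \
        mv -fv "$n-nodebug" "$n" ; \
        ln -fsv "${n##*/}" "$n-nodebug" ; \
        ln -fsv /bin/false "$n-debug" ; \
    else \
        rm -fv "$n-nodebug" ; \
        mv -fv "$n-debug" "$n" ; \
        ln -fsv "${n##*/}" "$n-debug" ; \
        ln -fsv /bin/false "$n-nodebug" ; \
    fi

## preserve snippets from Angie config directory
## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.6.0/conf
## The packaged /etc/angie is removed; only the six files below survive, in snip.dist/,
## owned by 0:0, with the directory not group/other-writable and the files set to 0644.
RUN d=/etc/angie ; t=$(mktemp -d) ; \
    tar -C "$d" -cf - \
      fastcgi_params \
      fastcgi.conf \
      mime.types \
      prometheus_all.conf \
      scgi_params \
      uwsgi_params \
    | tar -C "$t" -xf - ; \
    rm -rf "$d" ; \
    install -d "$d" "$d/snip.dist" ; \
    tar -C "$t" -cf - . \
    | tar -C "$d/snip.dist" -xf - ; \
    rm -rf "$t" ; \
    chown -hR 0:0 "$d" ; \
    chmod go-w "$d" ; \
    find "$d/" -type f -exec chmod 0644 {} +

## produce own layout for Angie >:)
## /angie/ is persistence store
## Mode 03777 is world-writable with the sticky and setgid bits: any UID in the container
## may create entries, only an entry's owner may remove or rename it, and new entries
## inherit the "angie" group. (presumably this allows running under an arbitrary
## non-root UID - confirm)
## NOTE(review): the "*.d", "run" and "lock.d" links created in /etc/angie point into
## /run/angie, so whatever can write to that volume at runtime decides what those paths
## resolve to. Treat /run/angie as part of the configuration trust boundary and do not
## share it between containers.
RUN install -d -o angie -g angie -m 03777 /angie /run/angie ; \
    ## adjust paths across filesystem
    rm -rfv /var/cache/angie/ /var/lib/angie/ /var/log/angie/ ; \
    ln -sv /run/angie/cache /var/cache/angie ; \
    ln -sv /run/angie/lib /var/lib/angie ; \
    ln -sv /run/angie/log /var/log/angie ; \
    ## adjust paths in config directory
    cd /etc/angie/ ; \
    ln -sv /run/angie run ; \
    ln -sv /run/angie/lock lock.d ; \
    ln -sv "${ANGIE_MODULES_DIR}" modules.dist ; \
    ## hyper-modular paths:
    data='conf mod modules njs site snip static' ; \
    vardata='cache lib log' ; \
    for n in ${data} ; do \
        for d in "$n" "$n.dist" ; do \
            [ -e "$d" ] || install -d "$d" ; \
        done ; \
    done ; \
    for n in ${data} ${vardata} ; do \
        ln -sv "/run/angie/$n" "$n.d" ; \
    done

## Declared after the directory has been created with its owner and mode. The link targets
## under /run/angie (cache, lib, log, lock, ...) are not created in this file.
VOLUME [ "/run/angie" ]

COPY /angie/ /etc/angie/

## Drop repository placeholders and remove group/other write permission from everything
## in /etc/angie that is not a symlink.
RUN find /etc/angie/ -name .gitkeep -delete ; \
    find /etc/angie/ ! -type l -exec chmod go-w {} +

## preseed builtin modules list
## The script runs once at build time and then loses its execute bit.
RUN x='angie-builtin-modules.sh' ; \
    "$x" ; \
    chmod a-x "$(which "$x")"

## misc tools
RUN apt-install.sh \
      brotli \
      zstd \
    ; \
    apt-clean.sh

## relatively lightweight modules
RUN apt-install-angie-mod.sh \
      auth-jwt \
      auth-spnego \
      brotli \
      cache-purge \
      echo \
      geoip2 \
      headers-more \
      subs \
      testcookie \
      upload \
      zip \
      zstd \
    ; \
    apt-clean.sh

## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
## - there's no need to change ENTRYPOINT/CMD
## - custom entrypoint should be placed in /usr/local/sbin/
## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
## NOTE(review): ENTRYPOINT below is a bare name resolved through PATH, so this chaining
## relies on /usr/local/sbin preceding /usr/local/bin in the base image's PATH - confirm.
COPY /image-entry.sh /usr/local/bin/

COPY /image-entry.d/ /image-entry.d/
## must be bind-mounted only for local customization/overrides!
# RUN install -d /image-entry

## misc defaults
ENV DUMB_INIT_SETSID=0 \
    MALLOC_ARENA_MAX=4 \
    GOMAXPROCS=4

## SIGQUIT instead of the default SIGTERM (presumably Angie's graceful shutdown signal - confirm).
STOPSIGNAL SIGQUIT

## NOTE(review): this file has no USER instruction, so the container starts with the base
## image's user (root unless "deps" changes it). Whether image-entry.sh switches to the
## "angie" account is not visible here; otherwise set the user at run time.
ENTRYPOINT [ "image-entry.sh" ]
CMD [ "angie" ]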