initial import

5a422065 · Michał 'rysiek' Woźniak · 1cc02cb5 · 5a422065 · 5a422065
Commit 5a422065 authored Oct 06, 2015 by Michał 'rysiek' Woźniak
Hide whitespace changes
Inline Side-by-side

Showing with 121 additions and 0 deletions

Dockerfile Dockerfile +46 -0

run.sh run.sh +75 -0

No files found.
--- a/Dockerfile
+++ b/Dockerfile
+FROM debian:jessie
+
+#    Watchful NGinX container -- nginx docker container that watches for
+#    logrotated logfiles and makes sure nginx reloads them when needed.
+#    
+#    Copyright (C) 2015 Organized Crime and Corruption Reporting Project
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# based on: https://github.com/nginxinc/docker-nginx/blob/1eea9f7d082dff426e7923a90138de804038266d/Dockerfile
+#MAINTAINER NGINX Docker Maintainers "docker-maint@nginx.com"
+MAINTAINER Michał "rysiek" Woźniak <rysiek@occrp.org>
+
+RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+RUN echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list
+
+# yeah, we'll pin on this
+ENV NGINX_VERSION 1.9*
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
+    apt-get install -y ca-certificates nginx="${NGINX_VERSION}" inotify-tools && \
+    rm -rf /var/lib/apt/lists/*
+
+# forward request and error logs to docker log collector
+RUN ln -sf /dev/stdout /var/log/nginx/access.log
+RUN ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY run.sh /run.sh
+RUN chmod +x /run.sh
+
+VOLUME ["/var/cache/nginx"]
+
+EXPOSE 80 443
+#CMD ["nginx", "-g", "daemon off;"]
+CMD ["/run.sh"]
\ No newline at end of file
--- a/run.sh
+++ b/run.sh
+#!/bin/bash
+
+#    Watchful NGinX container -- nginx docker container that watches for
+#    logrotated logfiles and makes sure nginx reloads them when needed.
+#    
+#    Copyright (C) 2015 Organized Crime and Corruption Reporting Project
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as
+#    published by the Free Software Foundation, either version 3 of the
+#    License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# TODO FIXME actually monitoring the logfiles
+# getting them via lsof $( cat PID_FILE )
+
+# yes, this is dead-simple; just watch this file,
+# and if it gets modified, send nginx the signal
+WATCH_FILE="/srv/logs/nginx/logrotate"
+
+# we need this for signal sending
+PID_FILE="/var/run/nginx.pid"
+
+# we need this for DHParram generation
+DHPARAM_FILE="/etc/ssl/nginx/dhparam.pem"
+
+# this waits for changes in $WATCH_FILE and sends nginx a USR1 signal to reload the logfiles
+function watch_logfiles {
+
+  # inform
+  echo "+-- watching for changes in watchfile at: $WATCH_FILE"
+
+  # loopy-loop!
+  # FIXME we need to handle SIGHUP/SIGTERM/SIGKILL nicely some day
+  while true; do
+    # if the file is not there, create
+    if [ ! -e "$WATCH_FILE" ]; then
+      echo "    +-- watch file missing, creating it at: $WATCH_FILE"
+      touch "$WATCH_FILE"
+    fi
+    # wait for events
+    inotifywait -r -e modify -e move -e create -e delete -qq "$WATCH_FILE"
+    # if a watched event occured, send the signal
+    if [ $? -eq 0 ]; then
+      echo "    +-- watch file changed, sending USR1 to nginx (pid $( cat "$PID_FILE" ))..."
+      kill -USR1 "$( cat "$PID_FILE" )"
+    fi
+  done
+}
+
+# create the dhparams
+if [ ! -e "$DHPARAM_FILE" ]; then
+  echo "+-- generating dhparam in $DHPARAM_FILE"
+  mkdir -p "$( dirname "$DHPARAM_FILE" )"
+  openssl dhparam -out "$DHPARAM_FILE" 4096
+  chown -R www-data:www-data "$( dirname "$DHPARAM_FILE" )"
+  chmod ug=rX,o= "$( dirname "$DHPARAM_FILE" )"
+else
+  echo "+-- dhparam found in $DHPARAM_FILE"
+fi
+
+# start the watch
+watch_logfiles &
+sleep 1
+
+# run nginx
+echo "+-- starting nginx..."
+exec /usr/sbin/nginx -g "daemon off;"
\ No newline at end of file