Commit a2a0ff3f authored by Michał 'rysiek' Woźniak

initial changes, ready for testing

parent e48a1347
FROM debian:stretch
FROM openresty/openresty:stretch
# Watchful NginX container -- nginx docker container that watches for
# logrotated logfiles and makes sure nginx reloads them when needed.
# Watchful OpenResty container -- openresty docker container that watches for
# logrotated logfiles and makes sure openresty reloads them when needed.
#
# Copyright (C) 2015 Organized Crime and Corruption Reporting Project
# Copyright (C) 2017 Organized Crime and Corruption Reporting Project
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
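Review bot: the new base image on the `FROM openresty/openresty:stretch` line is referenced by a mutable tag, so two builds of the same commit can produce different images and an upstream change is pulled in unreviewed. Consider pinning it by digest (`FROM openresty/openresty:stretch@sha256:<digest>`) and bumping the digest deliberately. The header comment now carries both a 2015 and a 2017 copyright line in this view; worth confirming only the intended one remains.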
......@@ -18,68 +18,19 @@ FROM debian:stretch
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# based on: https://github.com/nginxinc/docker-nginx/blob/1eea9f7d082dff426e7923a90138de804038266d/Dockerfile
# based on: https://git.occrp.org/libre/watchful-nginx
MAINTAINER Michał "rysiek" Woźniak <rysiek@occrp.org>
#
# which package do we want?
# possible versions: nginx, nginx-light, nginx-full, nginx-extras
#
# if version is the default -- "nginx" -- the nginx.org package is installed
# otherwise, the Debian-provided package is installed; compare versions here:
# https://wiki.debian.org/Nginx#Recap_of_the_different_modules_in_every_package_.28starting_Squeeze-Backports.29
ARG NGINX_PACKAGE=nginx
# NOTICE: Debian-provided packages are *older*, so adjust NGINX_VERSION accordingly
# (as of this writing Debian stretch package version is at 1.10*)
ARG NGINX_VERSION=1.13*
# requirements
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
apt-get install -y ca-certificates inotify-tools gnupg2 && \
rm -rf /var/lib/apt/lists/*
# reality check
RUN case $NGINX_PACKAGE in \
nginx) \
echo "+-- building with nginx.org package: ${NGINX_PACKAGE}"; \
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
echo "deb http://nginx.org/packages/mainline/debian/ stretch nginx" >> /etc/apt/sources.list; \
;; \
nginx-light|nginx-full|nginx-extras) \
echo "+-- building with Debian-provided package: ${NGINX_PACKAGE}"; \
echo "\n* * * NOTICE: if build fails, make sure NGINX_VERSION is properly adjusted to what is available in Debian repository!\n\n"; \
;; \
*) \
echo "\n* * * ERROR: unknown nginx package: ${NGINX_PACKAGE}; please use one of: nginx, nginx-light, nginx-full, nginx-extras\n\n"; \
exit 1; \
;; \
esac
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
apt-get install -y "${NGINX_PACKAGE}"="${NGINX_VERSION}" && \
rm -rf /var/lib/apt/lists/*
# we might need to install some packages, but doing this in the entrypoint doesn't make any sense
ARG INSTALL_PACKAGES
RUN if [ "$INSTALL_PACKAGES" != "" ]; then \
export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \
$INSTALL_PACKAGES \
--no-install-recommends && \
rm -rf /var/lib/apt/lists/* ; \
fi
# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log
RUN ln -sf /dev/stderr /var/log/nginx/error.log
# make sure the log dir exists
RUN mkdir -p /srv/logs/nginx/ && chown www-data:www-data /srv/logs/nginx/
RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \
$INSTALL_PACKAGES ca-certificates inotify-tools gnupg2 \
--no-install-recommends && \
rm -rf /var/lib/apt/lists/*
COPY run.sh /run.sh
RUN chmod +x /run.sh
VOLUME ["/var/cache/nginx", "/etc/nginx"]
EXPOSE 80 443
ENTRYPOINT ["/bin/bash"]
CMD ["/run.sh"]
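Review bot: `gnupg2` in the new `apt-get install` list looks like a leftover, since its only visible use was the `apt-key adv` call that imported the nginx.org signing key, and the image now starts from the OpenResty base instead. Dropping it keeps the installed package set to what `run.sh` needs (`inotify-tools`, plus `ca-certificates`). Two related checks: `$INSTALL_PACKAGES` is only populated if the `ARG INSTALL_PACKAGES` declaration survives this change, and the `VOLUME ["/var/cache/nginx", "/etc/nginx"]` line still names the nginx-package paths while `run.sh` moves to `/usr/local/openresty/nginx/logs`, so confirm those are the directories the OpenResty image actually uses.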
# Watchful NginX
# Watchful [OpenResty](https://openresty.org/en/)
Watchful NginX container -- `nginx` docker container that watches for logrotated logfiles using `inotify` and makes sure `nginx` reloads them when needed. A nasty, but functional, kludge of a work-around for [lack of PID namespaces in docker](https://github.com/docker/docker/issues/10163).
Watchful OpenResty container -- OpenResty `docker` container that watches for logrotated logfiles using `inotify` and makes sure `openresty` reloads them when needed. A nasty, but functional, kludge of a work-around for [lack of PID namespaces in docker](https://github.com/docker/docker/issues/10163).
## Building
The image can be built with either [`nginx` package installed from `nginx.org` repository](https://www.nginx.com/resources/wiki/start/topics/tutorials/install/?highlight=packages#official-debian-ubuntu-packages), or any of [`nginx-light`, `nginx-full`, `nginx-extras` installed from official Debian repository](https://wiki.debian.org/Nginx#Recap_of_the_different_modules_in_every_package_.28starting_Squeeze-Backports.29). This is controlled by `NGINX_PACKAGE` build argument.
By default, `nginx` package from `nginx.org` is being installed. If `NGINX_PACKAGE` is set to anything else than `nginx`, packages from default Debian repositories are used instead.
The `NGINX_VERSION` build argument controls the `nginx` package version that is going to be installed. By default, version `1.13*` (the latest) is used.
**NOTICE: package versions in official Debian repositories are much older than on `nginx.org`; hence, when using them, remember to set `NGINX_VERSION` accordingly. As of this writing Debian jessie package version is at `1.10*`.**
The image is based on the [`openresty:stretch` docker hub image](https://hub.docker.com/r/openresty/openresty/) and just adds the inotify-based magic sauce.
## Environment variables
***More documentation needed here***
- `NGINX_BOOT` (default: unset)
- `OPENRESTY_BOOT` (default: unset)
if set to string `"false"`, the entrypoint script will exit immediately before running `nginx`, in effect making it possible to use the image to generate `dhparam` file and quit (curtesy [@cguess](https://twitter.com/cguess)).
- `NO_DHPARAM` (default: unset)
if set to string `"true"`, `dhparam` generation will be skipped entirely; this is *not* a good idea, and should be used only for internal/utility nginx instances that run behind another webserver with TLS support.
### Examples
Building the image with `nginx` package from `nginx.org`, version `1.13.x` (i.e. the default):
```bash
docker build ./
# equivalent to
docker build --build-arg=NGINX_PACKAGE=nginx --build-arg=NGINX_VERSION=1.13* --no-cache ./
```
Building the image with `nginx-extras` package from the Debian repository, version `1.10*`:
```
docker build --build-arg=NGINX_PACKAGE=nginx-extras --build-arg=NGINX_VERSION=1.10* --no-cache ./
```
## Operation
Upon start it creates a dhparam file in `/etc/ssl/nginx/dhparam.pem` (if the file does not exist) and sets an `inotify` watch on `/srv/logs/nginx/logrotate`. Once the watch discovers that the watchfile has been modified, it sends the `USR1` signal to `nginx`, which causes it to reload the logfiles.
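Review bot: missing documentation update in the Operation paragraph, which still says the `inotify` watch is set on `/srv/logs/nginx/logrotate`, while this commit changes `WATCH_FILE` in `run.sh` to `/usr/local/openresty/nginx/logs/logrotate`. Anyone wiring up logrotate from the README will touch a file nothing is watching, and logs will not be reopened. Please update the path here, and note the `NGINX_BOOT` to `OPENRESTY_BOOT` rename as a breaking change for existing deployments.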
......
#!/bin/bash
# Watchful NginX container -- nginx docker container that watches for
# logrotated logfiles and makes sure nginx reloads them when needed.
# Watchful OpenResty container -- openresty docker container that watches for
# logrotated logfiles and makes sure openresty reloads them when needed.
#
# Copyright (C) 2015 Organized Crime and Corruption Reporting Project
#
......@@ -23,10 +23,10 @@
# yes, this is dead-simple; just watch this file,
# and if it gets modified, send nginx the signal
WATCH_FILE="/srv/logs/nginx/logrotate"
WATCH_FILE="/usr/local/openresty/nginx/logs/logrotate"
# we need this for signal sending
PID_FILE="/var/run/nginx.pid"
PID_FILE="/usr/local/openresty/nginx/logs/nginx.pid"
# we need this for DHParram generation
DHPARAM_FILE="/etc/ssl/nginx/dhparam.pem"
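Review bot: `WATCH_FILE` and `PID_FILE` now sit in the same directory, `/usr/local/openresty/nginx/logs/`. If that directory is mounted as a volume so a logrotate container can touch the watch file, that container can also rewrite `nginx.pid`, and the watcher will then signal whatever PID it reads from it. Consider keeping the PID file outside the shared log directory, or checking that the PID belongs to the server process before sending `USR1`. Minor: the comment above `DHPARAM_FILE` reads "DHParram".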
......@@ -69,8 +69,8 @@ else
echo "+-- dhparam found in $DHPARAM_FILE"
fi
if [ "$NGINX_BOOT" = "false" ]; then
echo "NGINX_BOOT is set to false, exiting."
if [ "$OPENRESTY_BOOT" = "false" ]; then
echo "OPENRESTY_BOOT is set to false, exiting."
exit
fi
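Review bot: the rename to `OPENRESTY_BOOT` in the `if` test silently changes behaviour for anyone still passing `NGINX_BOOT=false`: the script will no longer exit after dhparam generation and will start the server instead. Consider accepting both names for a transition period, or printing a warning when `NGINX_BOOT` is set, so a utility run does not unexpectedly bring up a listener.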
......@@ -79,5 +79,5 @@ watch_logfiles &
sleep 1
# run nginx
echo "+-- starting nginx..."
exec /usr/sbin/nginx -g "daemon off;"
\ No newline at end of file
echo "+-- starting openresty..."
exec /usr/bin/openresty -g "daemon off;"
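Review bot: the `exec` line hard-codes `/usr/bin/openresty`, while the paths introduced above for `PID_FILE` and `WATCH_FILE` use the `/usr/local/openresty` prefix; please confirm the base image provides the binary at that location, or call `openresty` through `PATH` so the entrypoint does not fail at the last step. The `# run nginx` comment above it is now stale, and it is worth checking that the file ends with a newline after this change, since the old version did not.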