Merge pull request #139 from essentialkaos/develop

Version 1.23.2
essentialkaos · Oct 26, 2022 · abdf758 · abdf758
2 parents 4aeaf98 + a6a519f
commit abdf758
Show file tree

Hide file tree

Showing 10 changed files with 250 additions and 53 deletions.
diff --git a/.bibop/webkaos.recipe b/.bibop/webkaos.recipe
@@ -11,6 +11,7 @@ var service_name webkaos
 var user_name webkaos
 var prefix_dir /etc/webkaos
 var config {prefix_dir}/webkaos.conf
+var extra_config_dir {prefix_dir}/xtra
 var binary /usr/sbin/webkaos
 var modules_config {prefix_dir}/modules.conf
 var modules_dir /usr/share/webkaos/modules
@@ -34,6 +35,14 @@ command "-" "Debug version"
   exist {binary}.debug
   service-present webkaos-debug
 
+command "webkaos -v" "Check version info"
+  wait-output 1.0
+  output-match "webkaos version: webkaos\/\d\.\d+\.\d+"
+
+command "webkaos -t" "Validate default config"
+  exit 0
+  output-contains "webkaos: the configuration file /etc/webkaos/webkaos.conf syntax is ok"
+
 command "-" "Check linking with LuaJIT"
   lib-rpath {binary} /usr/share/webkaos/luajit/lib
   lib-linked {binary} "libluajit-5.1.so.*"
@@ -113,14 +122,34 @@ command "-" "Check Resty core and lrucache"
   mode {lua_dir}/resty/core/worker.lua 644
   mode {lua_dir}/resty/lrucache/pureffi.lua 644
 
-command "-" "Nginx compatibility package"
+command "-" "Check extra configs"
+  exist {extra_config_dir}/bots.conf
+  exist {extra_config_dir}/brotli.conf
+  exist {extra_config_dir}/common.conf
+  exist {extra_config_dir}/ssl.conf
+  exist {extra_config_dir}/ssl-wildcard.conf
+
+  mode {extra_config_dir}/bots.conf 644
+  mode {extra_config_dir}/brotli.conf 644
+  mode {extra_config_dir}/common.conf 644
+  mode {extra_config_dir}/ssl.conf 644
+  mode {extra_config_dir}/ssl-wildcard.conf 644
+
+command "-" "Check Nginx compatibility package"
   exist /etc/nginx
   exist /var/log/nginx
   exist /etc/nginx/nginx.conf
   exist /usr/sbin/nginx
   service-present nginx
   service-present nginx-debug
 
+command "nginx -v" "Check nginx wrapper version info"
+  wait-output 1.0
+  output-match "nginx version: nginx\/\d\.\d+\.\d+"
+
+command "nginx -t" "Validate default config using nginx wrapper"
+  exit 0
+
 command "-" "Original configuration backup"
   backup {config}
   backup {modules_config}
@@ -141,17 +170,20 @@ command "-" "Add self-signed certificate"
   chmod {ssl_dir}/ssl.key 600
   chmod {ssl_dir}/ssl.crt 600
 
+command "webkaos -t" "Validate test configuration"
+  exit 0
+
 command "-" "Clear old log files"
   touch {log_dir}/access.log
   touch {log_dir}/error.log
   truncate {log_dir}/access.log
   truncate {log_dir}/error.log
 
 command "-" "Check brotli module"
-  exist {prefix_dir}/xtra/brotli.conf
+  exist {extra_config_dir}/brotli.conf
   exist {modules_dir}/ngx_http_brotli_filter_module.so
   exist {modules_dir}/ngx_http_brotli_static_module.so
-  mode {prefix_dir}/xtra/brotli.conf 644
+  mode {extra_config_dir}/brotli.conf 644
   mode {modules_dir}/ngx_http_brotli_filter_module.so 755
   mode {modules_dir}/ngx_http_brotli_static_module.so 755
 
@@ -261,6 +293,10 @@ command:teardown "-" "Configuration restore"
 command:teardown "-" "DH param cleanup"
   remove {dh_param}
 
+command:teardown "-" "Logs cleanup"
+  truncate {log_dir}/access.log
+  truncate {log_dir}/error.log
+
 command:teardown "-" "Self-signed certificate cleanup"
   remove {ssl_dir}/ssl.key
   remove {ssl_dir}/ssl.crt
diff --git a/.docker/ol7-unprivileged.docker b/.docker/ol7-unprivileged.docker
@@ -0,0 +1,44 @@
+## WEBKAOS UNPRIVILEGED IMAGE ##################################################
+
+FROM essentialkaos/oraclelinux:7
+
+LABEL org.opencontainers.image.title="WEBKAOS (Unprivileged)" \
+      org.opencontainers.image.description="WEBKAOS Image on OracleLinux 7" \
+      org.opencontainers.image.vendor="ESSENTIAL KAOS" \
+      org.opencontainers.image.authors="Anton Novojilov" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.url="https://kaos.sh/webkaos" \
+      org.opencontainers.image.source="https://github.com/essentialkaos/webkaos"
+
+ARG UID=1001
+ARG GID=1001
+
+# hadolint ignore=DL3031,DL3033
+RUN yum -y -q install https://yum.kaos.st/kaos-repo-latest.el7.noarch.rpm && \
+    yum -y -q install webkaos webkaos-module-brotli gettext && \
+    yum clean all && \
+    rm -rf /var/cache/yum && \
+    rm -rf /tmp/* && \
+    rm -rf /var/tmp/* && \
+    usermod -u $UID webkaos && \
+    groupmod -g $GID webkaos && \
+    mkdir /var/run/webkaos && \
+    chown -R $UID:$GID /etc/webkaos /var/run/webkaos /var/log/webkaos && \
+    ln -sf /dev/stdout /var/log/webkaos/access.log && \
+    ln -sf /dev/stderr /var/log/webkaos/error.log && \
+    mkdir /etc/webkaos/templates
+
+COPY --chown=$UID:$GID SOURCES/webkaos-docker-unprivileged.conf /etc/webkaos/webkaos.conf
+COPY .docker/entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+EXPOSE 8080
+
+USER $UID
+
+STOPSIGNAL SIGTERM
+
+CMD ["webkaos", "-g", "daemon off;"]
+
+################################################################################
diff --git a/.docker/ol7.docker b/.docker/ol7.docker
@@ -0,0 +1,35 @@
+## WEBKAOS IMAGE ###############################################################
+
+FROM essentialkaos/oraclelinux:7
+
+LABEL org.opencontainers.image.title="WEBKAOS" \
+      org.opencontainers.image.description="WEBKAOS Image on OracleLinux 7" \
+      org.opencontainers.image.vendor="ESSENTIAL KAOS" \
+      org.opencontainers.image.authors="Anton Novojilov" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.url="https://kaos.sh/webkaos" \
+      org.opencontainers.image.source="https://github.com/essentialkaos/webkaos"
+
+# hadolint ignore=DL3031,DL3033
+RUN yum -y -q install https://yum.kaos.st/kaos-repo-latest.el7.noarch.rpm && \
+    yum -y -q install webkaos webkaos-module-brotli gettext && \
+    yum clean all && \
+    rm -rf /var/cache/yum && \
+    rm -rf /tmp/* && \
+    rm -rf /var/tmp/* && \
+    ln -sf /dev/stdout /var/log/webkaos/access.log && \
+    ln -sf /dev/stderr /var/log/webkaos/error.log && \
+    mkdir /etc/webkaos/templates
+
+COPY SOURCES/webkaos-docker.conf /etc/webkaos/webkaos.conf
+COPY .docker/entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+EXPOSE 80
+
+STOPSIGNAL SIGTERM
+
+CMD ["webkaos", "-g", "daemon off;"]
+
+################################################################################
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -127,10 +127,12 @@ jobs:
         run: |
           docker build -f .docker/centos7.docker -t centos7 .
           docker build -f .docker/centos7-unprivileged.docker -t centos7-unprivileged .
+          docker build -f .docker/ol7.docker -t ol7 .
+          docker build -f .docker/ol7-unprivileged.docker -t ol7-unprivileged .
 
       - name: Show info about built Docker image
         uses: essentialkaos/docker-info-action@v1
         if: ${{ github.event_name == 'pull_request' }}
         with:
-          image: centos7 centos7-unprivileged
+          image: centos7 centos7-unprivileged ol7 ol7-unprivileged
           show-labels: true
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
@@ -20,7 +20,7 @@ jobs:
 
     strategy:
       matrix:
-        tag: [ 'centos7', 'centos7-unprivileged' ]
+        tag: [ 'centos7', 'centos7-unprivileged', 'ol7', 'ol7-unprivileged' ]
 
     steps:
       - name: Checkout
@@ -75,9 +75,9 @@ jobs:
             exit 1
           fi
 
-          echo "::set-output name=version::$version"
-          echo "::set-output name=dockerfile::$docker_file"
-          echo "::set-output name=baseimage::$base_image"
+          echo "version=$version" >> $GITHUB_OUTPUT
+          echo "dockerfile=$docker_file" >> $GITHUB_OUTPUT
+          echo "baseimage=$base_image" >> $GITHUB_OUTPUT
 
           echo -e "\033[34mVersion:\033[0m    $version"
           echo -e "\033[34mDockerfile:\033[0m $docker_file"
@@ -87,7 +87,7 @@ jobs:
         id: build_check
         run: |
           if [[ "${{github.event_name}}" == "release" ]] ; then
-            echo "::set-output name=build::true"
+            echo "build=true" >> $GITHUB_OUTPUT
             exit 0
           fi
 
@@ -117,7 +117,7 @@ jobs:
 
           if ! docker inspect "ghcr.io/${{env.IMAGE_NAME}}:${{matrix.tag}}" | jq -r '.[0].RootFS.Layers' | grep -q "$base_layer" ; then
             echo "::warning::Rebuild image (reason: base image rebuilt)"
-            echo "::set-output name=build::true"
+            echo "build=true" >> $GITHUB_OUTPUT
             exit 0
           fi
 

diff --git a/README.md b/README.md
@@ -31,16 +31,31 @@ sudo yum install webkaos-module-brotli webkaos-module-naxsi
 
 Official webkaos images available on [Docker Hub](http://kaos.sh/d/webkaos) and [GitHub Container Registry](https://kaos.sh/p/webkaos). All Docker images support templating using environment variables.
 
+Official images:
+
+- `essentialkaos/webkaos:centos7`
+- `essentialkaos/webkaos:centos7-unprivileged`
+- `essentialkaos/webkaos:ol7`
+- `essentialkaos/webkaos:ol7-unprivileged`
+- `ghcr.io/essentialkaos/webkaos:centos7`
+- `ghcr.io/essentialkaos/webkaos:centos7-unprivileged`
+- `ghcr.io/essentialkaos/webkaos:ol7`
+- `ghcr.io/essentialkaos/webkaos:ol7-unprivileged`
+
 Usage examples:
 
 ```bash
+# Image on CentOS 7
 docker run --name my-webkaos -v /some/content:/usr/share/webkaos/html:ro -p 8080:80 -d essentialkaos/webkaos:centos7
-
+# Image on OracleLinux 7
+docker run --name my-webkaos -v /some/content:/usr/share/webkaos/html:ro -p 8080:80 -d essentialkaos/webkaos:ol7
 ```
 
 ```bash
+# Unprivileged image on CentOS 7
 docker run --name my-webkaos -v /some/content:/usr/share/webkaos/html:ro -p 8080:8080 -d essentialkaos/webkaos:centos7-unprivileged
-
+# Unprivileged image on OracleLinux 7
+docker run --name my-webkaos -v /some/content:/usr/share/webkaos/html:ro -p 8080:8080 -d essentialkaos/webkaos:ol7-unprivileged
 ```
 
 Useful environment variables:

diff --git a/SOURCES/cloudflare-ips.conf b/SOURCES/cloudflare-ips.conf
@@ -0,0 +1,23 @@
+# Cloudflare IPs (https://www.cloudflare.com/ips)
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
diff --git a/SOURCES/nginx-wrapper b/SOURCES/nginx-wrapper
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+################################################################################
+
+main() {
+  local opt
+
+  for opt in "$@" ; do
+    case "$opt" in
+      "-v" | "-V" | "-h" | "-?")
+        /usr/sbin/webkaos "$@" 2>&1 | sed '1!b;s/webkaos/nginx/g' 1>&2
+        exit 0 ;;
+    esac
+  done
+
+  /usr/sbin/webkaos "$@"
+
+  exit $?
+}
+
+################################################################################
+
+main "$@"