diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..bbf25bc --- /dev/null +++ b/.dockerignore @@ -0,0 +1,2 @@ +**/*.tar +**/*.tar.gz diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e5f3c32..7518573 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,7 +16,7 @@ jobs: outputs: release_type: ${{ steps.check_release.outputs.type }} env: - TAG: ${{ github.ref_name }} + CONTAINER_VERSION: ${{ github.ref_name }} steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2 @@ -44,17 +44,14 @@ jobs: id: check_release run: | TYPE="production" - if [[ ${TAG} =~ "rc" ]]; then + if [[ ${CONTAINER_VERSION} =~ "rc" ]]; then TYPE="release-candidate" fi echo "Release type: ${TYPE}" echo "type=${TYPE}" >> $GITHUB_OUTPUT - - name: Build - run: make build - - - name: Push - run: make push + - name: Build and push + run: make BUILDX_ARGS=--push build - name: Push latest if: steps.check_release.outputs.type == 'production' @@ -105,7 +102,7 @@ jobs: syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX} cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST} cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom" - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST} + cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST} echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT 
@@ -115,3 +112,73 @@ jobs: retention-days: 30 name: ${{ steps.sign.outputs.sbom }} path: ${{ steps.sign.outputs.sbom }} + + update_version: + name: Update package version + if: needs.build.outputs.release_type == 'production' + runs-on: self-hosted-amd64-1cpu + needs: build + steps: + - name: Import secrets + uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4 + id: secrets + with: + exportEnv: true + url: ${{ secrets.VAULT_URL }} + role: ${{ secrets.VAULT_ROLE }} + method: kubernetes + path: kubernetes-ci + secrets: | + kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN ; + kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN_NAME ; + kv-gitlab-ci/data/github/shared/versions-repo-creds host | GITLAB_HOST ; + kv-gitlab-ci/data/github/shared/versions-repo-creds repo | GITLAB_REPO ; + + - name: Update package version + env: + COMPONENT_NAME: wallarm-nginx-docker + COMPONENT_VERSION: ${{ github.ref_name }} + run: | + PR_BRANCH="update/${COMPONENT_NAME}/${COMPONENT_VERSION}" + COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}" + GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}" + + git clone ${GITLAB_REPO_URL} + cd packages_versions + git checkout -b ${PR_BRANCH} + git config --local user.name 'project_808_bot' + git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}' + + cd packages_versions + cat latest.json | jq -r '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' > latest.new.json + mv latest.new.json latest.json + git add latest.json + git commit -m "${COMMIT_MESSAGE}" + git push ${GITLAB_REPO_URL} ${PR_BRANCH} + + glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN} + + echo "Creating merge request ..." 
+ glab mr create \ + --fill \ + --yes \ + --label ${COMPONENT_NAME} \ + --source-branch ${PR_BRANCH} \ + --repo https://${GITLAB_HOST}/${GITLAB_REPO} + + echo "Approving merge request ..." + glab mr approve \ + ${PR_BRANCH} \ + --repo https://${GITLAB_HOST}/${GITLAB_REPO} + + # Sometimes merging is failed without delay + echo "Sleep ..." + sleep 20 + + echo "Merging ..." + glab mr merge \ + ${PR_BRANCH} \ + --yes \ + --remove-source-branch \ + --when-pipeline-succeeds=false \ + --repo https://${GITLAB_HOST}/${GITLAB_REPO} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 37aa802..86837c8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -12,34 +12,48 @@ permissions: jobs: build: name: Build - runs-on: self-hosted-amd64-1cpu + runs-on: ${{ matrix.RUNNER }} + strategy: + fail-fast: false + matrix: + include: + - PLATFORM: amd64 + ARCH: x86_64 + RUNNER: self-hosted-amd64-1cpu + - PLATFORM: arm64 + ARCH: aarch64 + RUNNER: self-hosted-arm64-1cpu steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2 - name: Build image - run: make build + run: make ARCHS=${{ matrix.ARCH }} PLATFORMS=${{ matrix.PLATFORM }} BUILDX_ARGS=--load build - name: Save image - run: docker save -o node.tar docker.io/wallarm/node:test + run: docker save -o node-${{ matrix.ARCH }}.tar docker.io/wallarm/node:test - name: Cache image uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: retention-days: 1 - name: node.tar - path: node.tar + name: node-${{ matrix.ARCH }}.tar + path: node-${{ matrix.ARCH }}.tar test: name: Test - runs-on: self-hosted-amd64-2cpu + runs-on: ${{ matrix.RUNNER }} needs: - build strategy: matrix: - case: - - single - - split + case: [single, split] + ARCH: [x86_64, aarch64] + include: + - ARCH: x86_64 + RUNNER: self-hosted-amd64-2cpu + - ARCH: aarch64 + RUNNER: self-hosted-arm64-2cpu fail-fast: false steps: - name: Checkout 
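Review bot: `GITLAB_TOKEN` and `GITLAB_TOKEN_NAME` are both mapped from the `token_secret` field of the same Vault secret, so the user part of `GITLAB_REPO_URL` is the token itself; the second mapping presumably should read `kv-gitlab-ci/data/github/shared/versions-repo-creds token_name | GITLAB_TOKEN_NAME ;`. Because the token is embedded in the URL handed to `git clone` and `git push`, it also lands in `.git/config` of the checkout on the self-hosted runner and in any git error output; supplying it through `GIT_ASKPASS` or an `http.extraHeader` Authorization header keeps it out of both, and `glab auth login` can read the token from stdin if the installed version supports `--stdin`, rather than taking it on the command line. `cd packages_versions` appears twice, once right after the clone and again before the `jq` edit; unless the clone contains a nested directory with the same name, the second one aborts the step under the default `-e` shell. The `jq` filter builds its program by splicing `$COMPONENT_NAME` and `$COMPONENT_VERSION` into the string; `jq --arg name "$COMPONENT_NAME" --arg ver "$COMPONENT_VERSION" '.body[$name] += [$ver]' latest.json > latest.new.json` is safer and easier to read.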
@@ -58,6 +72,9 @@ jobs: kv-gitlab-ci/data/github/ingress api_token ; kv-gitlab-ci/data/github/ingress user_secret ; kv-gitlab-ci/data/github/ingress user_uuid ; + kv-gitlab-ci/data/github/ingress allure_project_id ; + kv-gitlab-ci/data/github/ingress allure_server_token ; + kv-gitlab-ci/data/github/ingress allure_server_url ; kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ; kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ; kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds registry_name ; @@ -72,14 +89,19 @@ jobs: - name: Load cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: - name: node.tar + name: node-${{ matrix.ARCH }}.tar - name: Load images - run: docker load -i node.tar + run: docker load -i node-${{ matrix.ARCH }}.tar - name: Run test env: USER_UUID: ${{ steps.secrets.outputs.user_uuid }} USER_SECRET: ${{ steps.secrets.outputs.user_secret }} WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }} - run: make ${{ matrix.case }} \ No newline at end of file + ALLURE_TOKEN: ${{ steps.secrets.outputs.ALLURE_SERVER_TOKEN }} + ALLURE_ENDPOINT: ${{ steps.secrets.outputs.ALLURE_SERVER_URL }} + ALLURE_PROJECT_ID: ${{ steps.secrets.outputs.ALLURE_PROJECT_ID }} + ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }} + ALLURE_UPLOAD_REPORT: true + run: make ${{ matrix.case }} diff --git a/.gitignore b/.gitignore index 2eea525..0a010a6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ -.env \ No newline at end of file +.env +build +.idea \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index a64762f..8350bf5 100644 --- a/Dockerfile +++ b/Dockerfile 
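Review bot: `ALLURE_UPLOAD_REPORT: true` is a YAML boolean, while the Makefile's `RUN_TESTS` compares the string `"true"`; GitHub stringifies the value so this works today, but `ALLURE_UPLOAD_REPORT: "true"` states the intent and survives a stricter loader. The new step outputs are referenced in upper case (`steps.secrets.outputs.ALLURE_SERVER_TOKEN`) while the existing references a few lines above use lower case (`steps.secrets.outputs.user_uuid`); GitHub's expression lookup is case-insensitive as far as I know, but matching the existing form removes the question and keeps the block consistent.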
@@ -1,44 +1,70 @@ -FROM debian:buster +ARG ALPINE_VERSION + +FROM alpine:${ALPINE_VERSION} + +ARG ALPINE_VERSION +ARG COMMIT_SHA +ARG CONTAINER_VERSION +ARG GOMPLATE_VERISON +ARG NGINX_VERSION +ARG TARGETPLATFORM +ARG WLRM_FOLDER + MAINTAINER Wallarm Support Team -ENV DEBIAN_FRONTEND noninteractive - -COPY conf/sources.list /etc/apt/sources.list.d/wallarm-node.list.tmp - -RUN apt-get -y update && apt-get -y install ca-certificates && mv /etc/apt/sources.list.d/wallarm-node.list.tmp /etc/apt/sources.list.d/wallarm-node.list \ - && printf -- "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" | base64 -d > /usr/share/keyrings/wallarm.gpg \ - && apt-get -y update && apt-get -y upgrade \ - && apt-get -y --no-install-recommends install \ - cron \ - logrotate \ - monitoring-plugins \ - supervisor \ - nginx \ - wallarm-node \ - libnginx-mod-http-wallarm \ - collectd-utils \ - curl \ - iptables \ - bsdmainutils \ - sudo \ - socat \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ - && chown -R wallarm:wallarm /var/lib/wallarm-tarantool \ - && sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/cron - -RUN cp /usr/share/doc/libnginx-mod-http-wallarm/examples/wallarm-status.conf /etc/nginx/conf.d/ -COPY scripts/init /usr/local/bin/ -COPY scripts/registernode_loop /usr/local/bin/ +LABEL org.opencontainers.image.title="Docker official image for Wallarm Node. 
API security platform agent" +LABEL org.opencontainers.image.documentation="https://docs.wallarm.com/installation/inline/compute-instances/docker/nginx-based" +LABEL org.opencontainers.image.source="https://github.com/wallarm/docker-wallarm-node" +LABEL org.opencontainers.image.vendor="Wallarm" +LABEL org.opencontainers.image.version="${CONTAINER_VERSION}" +LABEL org.opencontainers.image.revision="${COMMIT_SHA}" +LABEL com.wallarm.nginx-docker.versions.alpine="${ALPINE_VERSION}" +LABEL com.wallarm.nginx-docker.versions.nginx="${NGINX_VERSION}" +LABEL com.wallarm.nginx-docker.versions.aio="${AIO_VERSION}" +LABEL com.wallarm.nginx-docker.versions.aio="${GOMPLATE_VERSION}" -COPY conf/supervisord.conf /etc/supervisor/ -COPY conf/supervisord.filtering.conf /etc/supervisor/supervisord.filtering.conf.example -COPY conf/supervisord.post-analytics.conf /etc/supervisor/supervisord.post-analytics.conf.example +# core deps +RUN addgroup -S wallarm && \ + adduser -S -D -G wallarm -h /opt/wallarm wallarm && \ + apk update && \ + apk upgrade && \ + apk add curl bash socat logrotate libgcc \ + gomplate=~$GOMPLATE_VERISON \ + nginx=~$NGINX_VERSION \ + nginx-mod-http-perl=~$NGINX_VERSION \ + nginx-mod-stream=~$NGINX_VERSION \ + nginx-mod-http-dav-ext=~$NGINX_VERSION \ + nginx-mod-http-echo=~$NGINX_VERSION \ + nginx-mod-http-geoip=~$NGINX_VERSION \ + nginx-mod-http-image-filter=~$NGINX_VERSION \ + nginx-mod-mail=~$NGINX_VERSION \ + nginx-mod-http-upstream-fair=~$NGINX_VERSION \ + nginx-mod-http-xslt-filter=~$NGINX_VERSION && \ + nginx -V && \ + rm -r /var/cache/apk/* + +# install wallarm +COPY --chown=wallarm:wallarm build/$TARGETPLATFORM/ / + +# build-time compat check +COPY build-scripts/check_sig.sh /opt/wallarm/check_sig.sh +RUN /bin/sh -c '/opt/wallarm/check_sig.sh' && rm /opt/wallarm/check_sig.sh + +# init script +COPY scripts/init /usr/local/bin/ -COPY conf/logrotate.conf /etc/ -COPY conf/default /etc/nginx/sites-enabled/ -COPY conf/collectd.conf /etc/collectd/ +# configs +RUN 
/bin/bash -c \ + 'mkdir -p /etc/nginx/{modules-available,sites-available,sites-enabled} && \ + ln -sf /etc/nginx/modules/ /etc/nginx/modules-enabled && \ + ln -sf /etc/nginx/modules-available/mod-http-wallarm.conf /etc/nginx/modules-enabled/ && \ + touch /etc/environment && \ + rm /etc/nginx/conf.d/stream.conf && \ + chown -R wallarm:wallarm /run /etc/environment /etc/nginx /var/log/nginx /var/lib/nginx' +COPY conf/nginx /etc/nginx/ +COPY conf/nginx_templates /opt/wallarm/ EXPOSE 80 443 +USER wallarm CMD ["/usr/local/bin/init"] diff --git a/Makefile b/Makefile index c5bd9b0..4a91148 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,4 @@ +.EXPORT_ALL_VARIABLES: # https://makefiletutorial.com/ # set default shell 
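Review bot: The label block sets `com.wallarm.nginx-docker.versions.aio` twice, and the second value reads `${GOMPLATE_VERSION}` while the declared build arg is spelled `GOMPLATE_VERISON` (the spelling the Makefile passes), so the gomplate label expands to empty and overwrites the aio label; `AIO_VERSION` is likewise used in a label with no `ARG AIO_VERSION` after `FROM`, even though the Makefile passes `--build-arg AIO_VERSION`. Adding `ARG AIO_VERSION` to the argument list and changing the last label to `LABEL com.wallarm.nginx-docker.versions.gomplate="${GOMPLATE_VERISON}"` fixes both; correcting the spelling of the arg itself would need the Makefile and the `apk add gomplate=~$GOMPLATE_VERISON` line changed together. `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors=...`. `apk update && apk upgrade` followed by `rm -r /var/cache/apk/*` can be written as `apk --no-cache upgrade` and `apk --no-cache add ...`, which never populates the cache directory.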
@@ -5,38 +6,81 @@ SHELL=/bin/bash -o pipefail -o errexit -include .env -DOCKERFILE := ./Dockerfile +AIO_VERSION ?= 4.8.4 +CONTAINER_VERSION ?= test +ALPINE_VERSION = 3.18 +NGINX_VERSION = 1.24.0 +WLRM_FOLDER = stable-$(shell echo ${NGINX_VERSION} | sed 's/\.//g') +GOMPLATE_VERISON = 3.11.5 +COMMIT_SHA ?= git-$(shell git rev-parse --short HEAD) + REGISTRY := docker.io/wallarm -TAG ?= test -IMAGE ?= $(REGISTRY)/node:$(TAG) +IMAGE ?= $(REGISTRY)/node:$(CONTAINER_VERSION) IMAGE_LATEST := $(REGISTRY)/node:latest +RAND_NUM := $(shell echo $$RANDOM$$RANDOM$$RANDOM | cut -c 1-10) COMPOSE_CMD = NODE_IMAGE=$(IMAGE) docker-compose -p $@ -f test/docker-compose.$@.yaml -NODE_UUID = $(COMPOSE_CMD) exec node cat /etc/wallarm/node.yaml | grep uuid | awk '{print $$2}' -PYTEST_CMD = $(COMPOSE_CMD) exec -e NODE_UUID=$$($(NODE_UUID)) pytest pytest -n $(PYTEST_WORKERS) $(PYTEST_ARGS) +NODE_UUID_CMD = $(COMPOSE_CMD) exec node cat /opt/wallarm/etc/wallarm/node.yaml | grep uuid | awk '{print $$2}' +NODE_UUID = $(shell $(NODE_UUID_CMD)) +GITHUB_VARS_CMD = env | awk -F '=' '/^GITHUB_/ {print "-e " $$1 "=" $$2}' +GITHUB_VARS = $(shell $(GITHUB_VARS_CMD)) +RUN_TESTS := $(shell [ "$$ALLURE_UPLOAD_REPORT" = "true" ] && \ + echo "pytest allurectl watch --job-uid $(RAND_NUM) -- pytest" || \ + echo "pytest pytest") +PYTEST_CMD = $(COMPOSE_CMD) exec $(GITHUB_VARS) -e NODE_UUID=$$($(NODE_UUID_CMD)) \ + $(RUN_TESTS) -n $(PYTEST_WORKERS) $(PYTEST_ARGS) ### Variables required to run test .EXPORT_ALL_VARIABLES: WALLARM_API_HOST ?= api.wallarm.com WALLARM_API_CA_VERIFY ?= True -CLIENT_ID ?= 4 +CLIENT_ID ?= 5 PYTEST_WORKERS ?= 10 PYTEST_ARGS ?= --allure-features=Node +# Single-platform for local, multi-platform for CI +ifndef CI + PLATFORMS?=amd64 + ARCHS?=x86_64 + BUILDX_ARGS?=--load +else + PLATFORMS?=amd64,aarch64 + ARCHS?=x86_64 aarch64 + BUILDX_ARGS?=--push +endif + ### Build routines ### -build: - @docker build -t $(IMAGE) . 
--force-rm --no-cache --progress=plain +.PHONY: build +build: setup_buildx + $(foreach ARCH,$(ARCHS), ARCH=$(ARCH) build-scripts/get_dependencies.sh && ARCH=$(ARCH) build-scripts/apply_fixes.sh ;) + docker buildx build \ + --platform $(PLATFORMS) -f Dockerfile \ + --build-arg CONTAINER_VERSION="$(CONTAINER_VERSION)" \ + --build-arg GOMPLATE_VERISON="$(GOMPLATE_VERISON)" \ + --build-arg ALPINE_VERSION="$(ALPINE_VERSION)" \ + --build-arg NGINX_VERSION="$(NGINX_VERSION)" \ + --build-arg AIO_VERSION="$(AIO_VERSION)" \ + --build-arg WLRM_FOLDER="$(WLRM_FOLDER)" \ + --build-arg COMMIT_SHA="$(COMMIT_SHA)" \ + -t $(IMAGE) $(BUILDX_ARGS) . + +setup_buildx: + docker buildx rm multi-arch || true + docker buildx create \ + --name multi-arch \ + --platform linux/amd64,linux/arm64 \ + --driver docker-container \ + --use -push rmi: - @docker $@ $(IMAGE) +rmi: + @docker rmi $(IMAGE) push-latest: - @docker tag $(IMAGE) $(IMAGE_LATEST) - @docker push $(IMAGE_LATEST) + docker buildx imagetools create -t $(IMAGE_LATEST) $(IMAGE) dive: - @dive $(CONTROLLER_IMAGE) + @dive $(IMAGE) .PHONY: build push push-latest rmi dive diff --git a/build-scripts/apply_fixes.sh b/build-scripts/apply_fixes.sh new file mode 100755 index 0000000..812b094 --- /dev/null +++ b/build-scripts/apply_fixes.sh 
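Review bot: `.PHONY: build push push-latest rmi dive` still lists the removed `push` target and omits the new `setup_buildx`, which produces no file; it should read `.PHONY: build setup_buildx push-latest rmi dive`. `NODE_UUID = $(shell $(NODE_UUID_CMD))` is defined but `PYTEST_CMD` calls `$$($(NODE_UUID_CMD))` directly, so the variable is unused and can be dropped. `build` depends on `setup_buildx`, which removes and recreates the `multi-arch` builder on every invocation; if that is meant as an idempotent setup, checking `docker buildx inspect multi-arch` first would avoid the churn. The `CLIENT_ID` change from 4 to 5 is unrelated to the build rework and deserves a word in the commit message.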
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+
+ARCH=${ARCH:-x86_64}
+DOCKER_ARCH=${DOCKER_ARCH:-amd64}
+
+if [ "$ARCH" == "aarch64" ]; then
+ DOCKER_ARCH="arm64"
+fi
+
+BUILD_DIR="build/linux/${DOCKER_ARCH}"
+
+sed -i -E \
+ -e '/WALLARM_COMPONENT_NAME/s/(.*)=(.*)/\1=wallarm-nginx-docker/' \
+ -e "/WALLARM_COMPONENT_VERSION/s/(.*)=(.*)/\1=$AIO_VERSION/" \
+ -e '/SLAB_ALLOC_ARENA/d' \
+ "$BUILD_DIR/opt/wallarm/env.list"
+
+sed -i \
+ -e '/FQDNLookup/s/no/true/' \
+ -e '/DeleteSocket/aSocketGroup "wallarm"' \
+ "$BUILD_DIR/opt/wallarm/etc/collectd/wallarm-collectd.conf"
+
+sed -i -E \
+ -e '/LUA/s/(.*)=(.*)/\1="\2"/' \
+ "$BUILD_DIR/opt/wallarm/env.list"
+
+cat conf/supervisord.conf.socat >> "$BUILD_DIR/opt/wallarm/etc/supervisord.conf.filtering"
+
+mkdir -p "$BUILD_DIR/usr/lib/nginx/modules" && \
+ mv "$BUILD_DIR/opt/wallarm/modules/${WLRM_FOLDER}/"* "$BUILD_DIR/usr/lib/nginx/modules/" && \
+ rm -rf "$BUILD_DIR/opt/wallarm/modules"
diff --git a/build-scripts/check_sig.sh b/build-scripts/check_sig.sh
new file mode 100755
index 0000000..e011c45
--- /dev/null
+++ b/build-scripts/check_sig.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+NGINX_PATH="/usr/sbin/nginx"
+MODULE_PATH="/usr/lib/nginx/modules/ngx_http_wallarm_module.so"
+
+NGINX_SIG=$(grep -E -o '.,.,.,[01]{33}' "${NGINX_PATH}")
+MODULE_SIG=$(grep -E -ao '.,.,.,[01]{33}' "${MODULE_PATH}")
+
+if [ "${NGINX_SIG}" = "${MODULE_SIG}" ]; then
+ echo "OK! Signature of nginx module match expectations from signature of nginx binary found in the base image"
+else
+ echo "Failure! The signature of module is mismatch: ${NGINX_SIG} / ${MODULE_SIG}"
+ exit 1
+fi
diff --git a/build-scripts/get_dependencies.sh b/build-scripts/get_dependencies.sh
new file mode 100755
index 0000000..9fcb91b
--- /dev/null
+++ b/build-scripts/get_dependencies.sh
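Review bot: The script depends on `$AIO_VERSION` and `$WLRM_FOLDER` arriving from the caller's environment but never checks them, and `set -e` does not catch an empty expansion: with `AIO_VERSION` unset the first `sed` silently writes `WALLARM_COMPONENT_VERSION=` into `env.list`, and with `WLRM_FOLDER` unset the `mv` globs `modules//*`. Adding `set -u` after `set -e`, or `: "${AIO_VERSION:?}" "${WLRM_FOLDER:?}"` before the first `sed`, turns either case into an immediate, named failure. The `/DeleteSocket/aSocketGroup "wallarm"` one-line form of the `a` command is a GNU sed extension; since the Makefile runs this on the build host rather than inside the Alpine image, a comment noting that the host needs GNU sed would save the next person a confusing error.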
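Review bot: The two `grep` calls differ in the `-a` flag: `NGINX_SIG` is extracted with `grep -E -o` from the nginx ELF binary while `MODULE_SIG` uses `-ao`; without `-a`, GNU grep reports a "Binary file matches" message instead of the matched bytes (busybox grep, which Alpine ships by default, may behave differently), so the comparison can fail or succeed for the wrong reason depending on which grep the image provides. Use `grep -E -ao` for both, and consider piping each through `head -n1` so a binary with several matches does not yield a multi-line variable. The failure message could also name which value came from which path, since the two are easy to confuse when both are printed as bit strings.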
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -x
+set -e
+ARCH=${ARCH:-x86_64}
+DOCKER_ARCH=${DOCKER_ARCH:-amd64}
+
+if [ "$ARCH" == "aarch64" ]; then
+ DOCKER_ARCH="arm64"
+fi
+
+AIO_FILE="wallarm-${AIO_VERSION}.${ARCH}-musl.tar.gz"
+AIO_URL="https://storage.googleapis.com/meganode_storage/${AIO_VERSION%.*}/${AIO_FILE}"
+BUILD_DIR="build/linux/${DOCKER_ARCH}"
+
+echo "Downloading AiO archive ${AIO_FILE} ..."
+curl --create-dirs -L -C - -o "$BUILD_DIR/wallarm-${ARCH}.tar.gz" "$AIO_URL"
+
+echo "Extracting into ${BUILD_DIR}"
+tar -xf "$BUILD_DIR/wallarm-${ARCH}.tar.gz" -C "$BUILD_DIR"
diff --git a/conf/collectd.conf b/conf/collectd.conf
deleted file mode 100644
index 70f642a..0000000
--- a/conf/collectd.conf
+++ /dev/null
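Review bot: The tarball fetched by `curl` is unpacked straight into the tree that `COPY build/$TARGETPLATFORM/ /` places in the image, with no integrity check, so the build trusts whatever the bucket serves at that moment; if the release artifact is published with a checksum or signature, verify it here before `tar -xf` (e.g. `sha256sum -c`), otherwise record the expected digest per `AIO_VERSION` in the repo and compare against it. `curl` is also called without `--fail`, so an HTTP error body is written to `wallarm-${ARCH}.tar.gz` with exit status 0 and the problem only surfaces as a `tar` error, and `-C -` then resumes on top of that partial file on the next run; `curl --fail --create-dirs -L -o "$BUILD_DIR/wallarm-${ARCH}.tar.gz" "$AIO_URL"` avoids both. `set -x` echoes every expanded command into the build log; harmless with these variables, but worth dropping once the script is stable.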
@@ -1,1649 +0,0 @@ -# Config file for collectd(1). -# -# Some plugins need additional configuration and are disabled by default. -# Please read collectd.conf(5) for details. -# -# You should also read /usr/share/doc/collectd-core/README.Debian.plugins -# before enabling any more plugins. - -############################################################################## -# Global # -#----------------------------------------------------------------------------# -# Global settings for the daemon. # -############################################################################## - -#Hostname "localhost" -FQDNLookup true -#BaseDir "/var/lib/collectd" -#PluginDir "/usr/lib/collectd" -#TypesDB "/usr/share/collectd/types.db" "/etc/collectd/my_types.db" - -#----------------------------------------------------------------------------# -# When enabled, plugins are loaded automatically with the default options # -# when an appropriate block is encountered. # -# Disabled by default. # -#----------------------------------------------------------------------------# -#AutoLoadPlugin false - -#----------------------------------------------------------------------------# -# When enabled, internal statistics are collected, using "collectd" as the # -# plugin name. # -# Disabled by default. # -#----------------------------------------------------------------------------# -#CollectInternalStats false - -#----------------------------------------------------------------------------# -# Interval at which to query values. This may be overwritten on a per-plugin # -# base by using the 'Interval' option of the LoadPlugin block: # -# # -# Interval 60 # -# # -#----------------------------------------------------------------------------# -#Interval 10 - -#MaxReadInterval 86400 -#Timeout 2 -#ReadThreads 5 -#WriteThreads 5 - -# Limit the size of the write queue. Default is no limit. Setting up a limit -# is recommended for servers handling a high volume of traffic. 
-#WriteQueueLimitHigh 1000000 -#WriteQueueLimitLow 800000 - -############################################################################## -# Logging # -#----------------------------------------------------------------------------# -# Plugins which provide logging functions should be loaded first, so log # -# messages generated when loading or configuring other plugins can be # -# accessed. # -############################################################################## - -LoadPlugin logfile -#LoadPlugin syslog -#LoadPlugin log_logstash - - - LogLevel "info" - File STDOUT - Timestamp true - PrintSeverity true - - -# -# LogLevel info -# - -# -# LogLevel info -# File "/var/log/collectd.json.log" -# - -############################################################################## -# LoadPlugin section # -#----------------------------------------------------------------------------# -# Specify what features to activate. # -############################################################################## - -#LoadPlugin aggregation -#LoadPlugin amqp -#LoadPlugin apache -#LoadPlugin apcups -#LoadPlugin ascent -#LoadPlugin barometer -LoadPlugin battery -#LoadPlugin bind -#LoadPlugin ceph -#LoadPlugin cgroups -#LoadPlugin chrony -#LoadPlugin conntrack -#LoadPlugin contextswitch -LoadPlugin cpu -#LoadPlugin cpufreq -#LoadPlugin cpusleep -#LoadPlugin csv -#LoadPlugin curl -#LoadPlugin curl_json -#LoadPlugin curl_xml -#LoadPlugin dbi -LoadPlugin df -LoadPlugin disk -#LoadPlugin dns -#LoadPlugin dpdkevents -#LoadPlugin dpdkstat -#LoadPlugin drbd -#LoadPlugin email -LoadPlugin entropy -#LoadPlugin ethstat -#LoadPlugin exec -#LoadPlugin fhcount -#LoadPlugin filecount -#LoadPlugin fscache -#LoadPlugin gmond -#LoadPlugin gps -#LoadPlugin hugepages -#LoadPlugin grpc -#LoadPlugin hddtemp -#LoadPlugin intel_rdt -LoadPlugin interface -#LoadPlugin ipc -#LoadPlugin ipmi -#LoadPlugin iptables -#LoadPlugin ipvs -LoadPlugin irq -#LoadPlugin java -LoadPlugin load -#LoadPlugin lua -#LoadPlugin 
lvm -#LoadPlugin madwifi -#LoadPlugin mbmon -#LoadPlugin mcelog -#LoadPlugin md -#LoadPlugin memcachec -#LoadPlugin memcached -LoadPlugin memory -#LoadPlugin modbus -#LoadPlugin mqtt -#LoadPlugin multimeter -#LoadPlugin mysql -#LoadPlugin netlink -#LoadPlugin network -#LoadPlugin nfs -#LoadPlugin nginx -#LoadPlugin notify_desktop -#LoadPlugin notify_email -#LoadPlugin notify_nagios -#LoadPlugin ntpd -#LoadPlugin numa -#LoadPlugin nut -#LoadPlugin olsrd -#LoadPlugin onewire -#LoadPlugin openldap -#LoadPlugin openvpn -#LoadPlugin ovs_events -#LoadPlugin ovs_stats -#LoadPlugin perl -#LoadPlugin pinba -#LoadPlugin ping -#LoadPlugin postgresql -#LoadPlugin powerdns -LoadPlugin processes -#LoadPlugin protocols -#LoadPlugin python -#LoadPlugin redis -#LoadPlugin rrdcached -LoadPlugin rrdtool -#LoadPlugin sensors -#LoadPlugin serial -#LoadPlugin sigrok -#LoadPlugin smart -#LoadPlugin snmp -#LoadPlugin snmp_agent -#LoadPlugin statsd -LoadPlugin swap -#LoadPlugin table -#LoadPlugin tail -#LoadPlugin tail_csv -#LoadPlugin tcpconns -#LoadPlugin teamspeak2 -#LoadPlugin ted -#LoadPlugin thermal -#LoadPlugin tokyotyrant -#LoadPlugin turbostat -LoadPlugin unixsock -#LoadPlugin uptime -LoadPlugin users -#LoadPlugin uuid -#LoadPlugin varnish -#LoadPlugin virt -#LoadPlugin vmem -#LoadPlugin vserver -#LoadPlugin wireless -#LoadPlugin write_graphite -#LoadPlugin write_http -#LoadPlugin write_kafka -#LoadPlugin write_log -#LoadPlugin write_mongodb -#LoadPlugin write_prometheus -#LoadPlugin write_redis -#LoadPlugin write_riemann -#LoadPlugin write_sensu -#LoadPlugin write_tsdb -#LoadPlugin xencpu -#LoadPlugin zfs_arc -#LoadPlugin zookeeper - -############################################################################## -# Plugin configuration # -#----------------------------------------------------------------------------# -# In this section configuration stubs for each plugin are provided. A desc- # -# ription of those options is available in the collectd.conf(5) manual page. 
# -############################################################################## - -# -# -# #Host "unspecified" -# Plugin "cpu" -# PluginInstance "/[0,2,4,6,8]$/" -# Type "cpu" -# #TypeInstance "unspecified" -# -# SetPlugin "cpu" -# SetPluginInstance "even-%{aggregation}" -# -# GroupBy "Host" -# GroupBy "TypeInstance" -# -# CalculateNum false -# CalculateSum false -# CalculateAverage true -# CalculateMinimum false -# CalculateMaximum false -# CalculateStddev false -# -# - -# -# -# Host "localhost" -# Port "5672" -# VHost "/" -# User "guest" -# Password "guest" -# Exchange "amq.fanout" -# RoutingKey "collectd" -# Persistent false -# StoreRates false -# ConnectionRetryDelay 0 -# -# - -# -# -# URL "http://localhost/server-status?auto" -# User "www-user" -# Password "secret" -# VerifyPeer false -# VerifyHost false -# CACert "/etc/ssl/ca.crt" -# Server "apache" -# -# -# -# URL "http://some.domain.tld/status?auto" -# Host "some.domain.tld" -# Server "lighttpd" -# -# - -# -# Host "localhost" -# Port "3551" -# ReportSeconds true -# PersistentConnection true -# - -# -# URL "http://localhost/ascent/status/" -# User "www-user" -# Password "secret" -# VerifyPeer false -# VerifyHost false -# CACert "/etc/ssl/ca.crt" -# - -# -# Device "/dev/i2c-0"; -# Oversampling 512 -# PressureOffset 0.0 -# TemperatureOffset 0.0 -# Normalization 2 -# Altitude 238.0 -# TemperatureSensor "myserver/onewire-F10FCA000800/temperature" -# - -# -# ValuesPercentage false -# ReportDegraded false -# QueryStateFS false -# - -# -# URL "http://localhost:8053/" -# -# ParseTime false -# -# OpCodes true -# QTypes true -# ServerStats true -# ZoneMaintStats true -# ResolverStats false -# MemoryStats true -# -# -# QTypes true -# ResolverStats true -# CacheRRSets true -# -# Zone "127.in-addr.arpa/IN" -# -# - -# -# LongRunAvgLatency false -# ConvertSpecialMetricTypes true -# -# SocketPath "/var/run/ceph/ceph-osd.0.asok" -# -# -# SocketPath "/var/run/ceph/ceph-osd.1.asok" -# -# -# SocketPath 
"/var/run/ceph/ceph-mon.ceph1.asok" -# -# -# SocketPath "/var/run/ceph/ceph-mds.ceph1.asok" -# -# - -# -# Host "localhost" -# Port "323" -# Timeout "2" -# - -# -# CGroup "libvirt" -# IgnoreSelected false -# - -# -# ReportByCpu true -# ReportByState true -# ValuesPercentage false -# ReportNumCpu false -# ReportGuestState false -# SubtractGuestState true -# - -# -# DataDir "/var/lib/collectd/csv" -# StoreRates false -# - -# -# -# URL "http://finance.google.com/finance?q=NYSE%3AAMD" -# User "foo" -# Password "bar" -# Digest false -# VerifyPeer true -# VerifyHost true -# CACert "/path/to/ca.crt" -# Header "X-Custom-Header: foobar" -# Post "foo=bar" -# -# MeasureResponseTime false -# MeasureResponseCode false -# -# Regex "]*> *([0-9]*\\.[0-9]+) *" -# DSType "GaugeAverage" -# Type "stock_value" -# Instance "AMD" -# -# -# - -# -## See: http://wiki.apache.org/couchdb/Runtime_Statistics -# -# Instance "httpd" -# -# Type "http_requests" -# -# -# -# Type "http_request_methods" -# -# -# -# Type "http_response_codes" -# -# -## Database status metrics: -# -# Instance "dbs" -# -# Type "gauge" -# -# -# Type "counter" -# -# -# Type "bytes" -# -# -# - -# -# -# Host "my_host" -# #Plugin "stats" -# Instance "some_instance" -# User "collectd" -# Password "thaiNg0I" -# Digest false -# VerifyPeer true -# VerifyHost true -# CACert "/path/to/ca.crt" -# Header "X-Custom-Header: foobar" -# Post "foo=bar" -# -# -# Type "magic_level" -# InstancePrefix "prefix-" -# InstanceFrom "td[1]" -# #PluginInstanceFrom "td[1]" -# ValuesFrom "td[2]/span[@class=\"level\"]" -# -# -# - -# -# -# Statement "SELECT 'customers' AS c_key, COUNT(*) AS c_value \ -# FROM customers_tbl" -# MinVersion 40102 -# MaxVersion 50042 -# -# Type "gauge" -# InstancePrefix "customer" -# InstancesFrom "c_key" -# ValuesFrom "c_value" -# -# -# -# -# #Plugin "mycompany" -# Driver "mysql" -# DriverOption "host" "localhost" -# DriverOption "username" "collectd" -# DriverOption "password" "secret" -# DriverOption "dbname" "custdb0" -# 
SelectDB "custdb0" -# Query "num_of_customers" -# Query "..." -# Host "..." -# -# - - -# Device "/dev/sda1" -# Device "192.168.0.2:/mnt/nfs" -# MountPoint "/home" -# FSType "ext3" - - # ignore rootfs; else, the root file-system would appear twice, causing - # one of the updates to fail and spam the log - FSType rootfs - # ignore the usual virtual / temporary file-systems - FSType sysfs - FSType proc - FSType devtmpfs - FSType devpts - FSType tmpfs - FSType fusectl - FSType cgroup - IgnoreSelected true - -# ReportByDevice false -# ReportInodes false - -# ValuesAbsolute true -# ValuesPercentage false - - -# -# Disk "hda" -# Disk "/sda[23]/" -# IgnoreSelected false -# UseBSDName false -# UdevNameAttr "DEVNAME" -# - -# -# Interface "eth0" -# IgnoreSource "192.168.0.1" -# SelectNumericQueryTypes false -# - -# -# -# Coremask "0x1" -# MemoryChannels "4" -# FilePrefix "rte" -# -# -# SendEventsOnUpdate true -# EnabledPortMask 0xffff -# PortName "interface1" -# PortName "interface2" -# SendNotification false -# -# -# SendEventsOnUpdate true -# LCoreMask "0xf" -# KeepAliveShmName "/dpdk_keepalive_shm_name" -# SendNotification false -# -# - -# -# -# Coremask "0x2" -# MemoryChannels "4" -# FilePrefix "rte" -# LogLevel "7" -# RteDriverLibPath "/usr/lib/dpdk-pmd" -# -# SharedMemObj "dpdk_collectd_stats_0" -# EnabledPortMask 0xffff -# PortName "interface1" -# PortName "interface2" -# - -# -# SocketFile "/var/run/collectd-email" -# SocketGroup "collectd" -# SocketPerms "0770" -# MaxConns 5 -# - -# -# Interface "eth0" -# Map "rx_csum_offload_errors" "if_rx_errors" "checksum_offload" -# Map "multicast" "if_multicast" -# MappedOnly false -# - -# -# Exec user "/path/to/exec" -# Exec "user:group" "/path/to/exec" -# NotificationExec user "/path/to/exec" -# - -# -# ValuesAbsolute true -# ValuesPercentage false -# - -# -# -# #Plugin "foo" -# Instance "foodir" -# Name "*.conf" -# MTime "-5m" -# Size "+10k" -# Recursive true -# IncludeHidden false -# RegularOnly true -# #FilesSizeType 
"bytes" -# #FilesCountType "files" -# #TypeInstance "instance" -# -# - -# -# MCReceiveFrom "239.2.11.71" "8649" -# -# -# Type "swap" -# TypeInstance "total" -# DataSource "value" -# -# -# -# Type "swap" -# TypeInstance "free" -# DataSource "value" -# -# - -# -# Host "127.0.0.1" -# Port "2947" -# Timeout 0.015 -# PauseConnect 5 -# - -# -# Host "127.0.0.1" -# Port 7634 -# - -# -# -# EnableSSL true -# SSLCACertificateFile "/path/to/root.pem" -# SSLCertificateFile "/path/to/server.pem" -# SSLCertificateKeyFile "/path/to/server.key" -# -# -# EnableSSL true -# SSLCACertificateFile "/path/to/root.pem" -# SSLCertificateFile "/path/to/client.pem" -# SSLCertificateKeyFile "/path/to/client.key" -# -# - -# -# ReportPerNodeHP true -# ReportRootHP true -# ValuesPages true -# ValuesBytes false -# ValuesPercentage false -# - -# -# Cores "0-2" -# - -# -# Interface "eth0" -# IgnoreSelected false -# ReportInactive true -# UniqueName false -# - -# -# -# Sensor "some_sensor" -# Sensor "another_one" -# IgnoreSelected false -# NotifySensorAdd false -# NotifySensorRemove true -# NotifySensorNotPresent false -# NotifyIPMIConnectionState false -# SELEnabled false -# SELClearEvent false -# -# -# Host "server.example.com" -# Address "1.2.3.4" -# Username "user" -# Password "secret" -# #AuthType "md5" -# Sensor "some_sensor" -# Sensor "another_one" -# IgnoreSelected false -# NotifySensorAdd false -# NotifySensorRemove true -# NotifySensorNotPresent false -# NotifyIPMIConnectionState false -# SELEnabled false -# SELClearEvent false -# -# - -# -# Chain "table" "chain" -# Chain6 "table" "chain" -# - -# -# Irq 7 -# Irq 8 -# Irq 9 -# IgnoreSelected true -# - -# -# JVMArg "-verbose:jni" -# JVMArg "-Djava.class.path=/usr/share/collectd/java/collectd-api.jar" -# -# LoadPlugin "org.collectd.java.GenericJMX" -# -# # See /usr/share/doc/collectd/examples/GenericJMX.conf -# # for an example config. 
-# -# - -# -# ReportRelative true -# - -# -# BasePath "/usr/share/collectd/lua" -# Script "script1.lua" -# Script "script2.lua" -# - -# -# Interface "wlan0" -# IgnoreSelected false -# Source "SysFS" -# WatchSet "None" -# WatchAdd "node_octets" -# WatchAdd "node_rssi" -# WatchAdd "is_rx_acl" -# WatchAdd "is_scan_active" -# - -# -# Host "127.0.0.1" -# Port 411 -# - -# -# -# McelogClientSocket "/var/run/mcelog-client" -# PersistentNotification false -# -# McelogLogfile "/var/log/mcelog" -# - -# -# Device "/dev/md0" -# IgnoreSelected false -# - -# -# -# Server "localhost" -# Key "page_key" -# -# Regex "(\\d+) bytes sent" -# ExcludeRegex "" -# DSType CounterAdd -# Type "ipt_octets" -# Instance "type_instance" -# -# -# - -# -# -# Socket "/var/run/memcached.sock" -# or: -# #Host "memcache.example.com" -# Address "127.0.0.1" -# Port "11211" -# -# - -# -# ValuesAbsolute true -# ValuesPercentage false -# - -# -# -# RegisterBase 1234 -# RegisterCmd ReadHolding -# RegisterType float -# Type gauge -# Instance "..." 
-# -# -# -# Address "addr" -# Port "1234" -# Interval 60 -# -# -# Instance "foobar" # optional -# Collect "data_name" -# -# -# - -# -# -# Host "localhost" -# Port 1883 -# ClientId "localhost" -# User "user" -# Password "secret" -# QoS 0 -# Prefix "collectd" -# StoreRates true -# Retain false -# CACert "/etc/ssl/ca.crt" -# CertificateFile "/etc/ssl/client.crt" -# CertificateKeyFile "/etc/ssl/client.pem" -# TLSProtocol "tlsv1.2" -# CipherSuite "ciphers" -# -# -# Host "localhost" -# Port 1883 -# ClientId "localhost" -# User "user" -# Password "secret" -# QoS 2 -# Topic "collectd/#" -# CleanSession true -# -# - -# -# -# Host "database.serv.er" -# Port "3306" -# User "db_user" -# Password "secret" -# Database "db_name" -# SSLKey "/path/to/key.pem" -# SSLCert "/path/to/cert.pem" -# SSLCA "/path/to/ca.pem" -# SSLCAPath "/path/to/cas/" -# SSLCipher "DHE-RSA-AES256-SHA" -# MasterStats true -# ConnectTimeout 10 -# InnodbStats true -# -# -# -# Alias "squeeze" -# Host "localhost" -# Socket "/var/run/mysql/mysqld.sock" -# SlaveStats true -# SlaveNotifications true -# -# -# -# Alias "galera" -# Host "localhost" -# Socket "/var/run/mysql/mysqld.sock" -# WsrepStats true -# -# - -# -# Interface "All" -# VerboseInterface "All" -# QDisc "eth0" "pfifo_fast-1:0" -# Class "ppp0" "htb-1:10" -# Filter "ppp0" "u32-1:0" -# IgnoreSelected false -# - -# -# # client setup: -# Server "ff18::efc0:4a42" "25826" -# -# SecurityLevel Encrypt -# Username "user" -# Password "secret" -# Interface "eth0" -# ResolveInterval 14400 -# -# TimeToLive 128 -# -# # server setup: -# Listen "ff18::efc0:4a42" "25826" -# -# SecurityLevel Sign -# AuthFile "/etc/collectd/passwd" -# Interface "eth0" -# -# MaxPacketSize 1452 -# -# # proxy setup (client and server as above): -# Forward true -# -# # statistics about the network plugin itself -# ReportStats false -# -# # "garbage collection" -# CacheFlush 1800 -# - -# -# ReportV2 false -# ReportV3 false -# ReportV4 false -# - -# -# URL "http://localhost/status?auto" -# 
User "www-user" -# Password "secret" -# VerifyPeer false -# VerifyHost false -# CACert "/etc/ssl/ca.crt" -# - -# -# OkayTimeout 1000 -# WarningTimeout 5000 -# FailureTimeout 0 -# - -# -# SMTPServer "localhost" -# SMTPPort 25 -# SMTPUser "my-username" -# SMTPPassword "my-password" -# From "collectd@main0server.com" -# # on . -# # Beware! Do not use not more than two placeholders (%)! -# Subject "[collectd] %s on %s!" -# Recipient "email1@domain1.net" -# Recipient "email2@domain2.com" -# - -# -# CommandFile "/var/lib/icinga/rw/icinga.cmd" -# - -# -# Host "localhost" -# Port 123 -# ReverseLookups false -# IncludeUnitID true -# - -# -# UPS "upsname@hostname:port" -# ForceSSL true -# VerifyPeer true -# CAPath "/path/to/folder" -# #ConnectTimeout 5000 -# - -# -# Host "127.0.0.1" -# Port "2006" -# CollectLinks "Summary" -# CollectRoutes "Summary" -# CollectTopology "Summary" -# - -# -# Device "-s localhost:4304" -# Sensor "F10FCA000800" -# IgnoreSelected false -# - -# -# -# URL "ldap://localhost:389" -# StartTLS false -# VerifyHost true -# CACert "/path/to/ca.crt" -# Timeout -1 -# Version 3 -# -# - -# -# StatusFile "/etc/openvpn/openvpn-status.log" -# ImprovedNamingSchema false -# CollectCompression true -# CollectIndividualUsers true -# CollectUserCount false -# - -# -# Port "6640" -# Address "127.0.0.1" -# Socket "/var/run/openvswitch/db.sock" -# Interfaces "br0" "veth0" -# SendNotification true -# DispatchValues false -# -# -# -# Port "6640" -# Address "127.0.0.1" -# Socket "/var/run/openvswitch/db.sock" -# Bridges "br0" "br_ext" -# - -# -# IncludeDir "/my/include/path" -# BaseName "Collectd::Plugins" -# EnableDebugger "" -# LoadPlugin Monitorus -# LoadPlugin OpenVZ -# -# -# Foo "Bar" -# Qux "Baz" -# -# - -# -# Address "::0" -# Port "30002" -# -# Host "host name" -# Server "server name" -# Script "script name" -# -# - -# -# Host "host.foo.bar" -# Host "host.baz.qux" -# Interval 1.0 -# Timeout 0.9 -# TTL 255 -# SourceAddress "1.2.3.4" -# Device "eth0" -# MaxMissed -1 -# 
- -# -# -# Statement "SELECT magic FROM wizard WHERE host = $1;" -# Param hostname -# -# -# Type gauge -# InstancePrefix "magic" -# ValuesFrom "magic" -# -# -# -# -# Statement "SELECT COUNT(type) AS count, type \ -# FROM (SELECT CASE \ -# WHEN resolved = 'epoch' THEN 'open' \ -# ELSE 'resolved' END AS type \ -# FROM tickets) type \ -# GROUP BY type;" -# -# -# Type counter -# InstancePrefix "rt36_tickets" -# InstancesFrom "type" -# ValuesFrom "count" -# -# -# -# -# # See /usr/share/doc/collectd-core/examples/postgresql/collectd_insert.sql for details -# Statement "SELECT collectd_insert($1, $2, $3, $4, $5, $6, $7, $8, $9);" -# StoreRates true -# -# -# -# #Plugin "kingdom" -# Host "hostname" -# Port 5432 -# User "username" -# Password "secret" -# -# SSLMode "prefer" -# KRBSrvName "kerberos_service_name" -# -# Query magic -# -# -# -# Interval 60 -# Service "service_name" -# -# Query backends # predefined -# Query rt36_tickets -# -# -# -# Service "collectd_store" -# Writer sqlstore -# # see collectd.conf(5) for details -# CommitInterval 30 -# -# - -# -# -# Collect "latency" -# Collect "udp-answers" "udp-queries" -# Socket "/var/run/pdns.controlsocket" -# -# -# Collect "questions" -# Collect "cache-hits" "cache-misses" -# Socket "/var/run/pdns_recursor.controlsocket" -# -# LocalSocket "/opt/collectd/var/run/collectd-powerdns" -# - -# -# CollectFileDescriptor true -# CollectContextSwitch true -# CollectMemoryMaps true -# Process "name" -# ProcessMatch "foobar" "/usr/bin/perl foobar\\.pl.*" -# -# CollectFileDescriptor false -# CollectContextSwitch false -# -# -# CollectFileDescriptor false -# CollectContextSwitch true -# -# - -# -# Value "/^Tcp:/" -# IgnoreSelected false -# - -# -# ModulePath "/path/to/your/python/modules" -# LogTraces true -# Interactive true -# Import "spam" -# -# -# spam "wonderful" "lovely" -# -# - -# -# -# Host "redis.example.com" -# Port "6379" -# Timeout 2000 -# -# - -# -# DaemonAddress "unix:/var/run/rrdcached.sock" -# DataDir 
"/var/lib/rrdcached/db/collectd" -# CreateFiles true -# CreateFilesAsync false -# CollectStatistics true -# -# The following settings are rather advanced -# and should usually not be touched: -# StepSize 10 -# HeartBeat 20 -# RRARows 1200 -# RRATimespan 158112000 -# XFF 0.1 -# - - - DataDir "/var/lib/collectd/rrd" -# CacheTimeout 120 -# CacheFlush 900 -# WritesPerSecond 30 -# CreateFilesAsync false -# RandomTimeout 0 -# -# The following settings are rather advanced -# and should usually not be touched: -# StepSize 10 -# HeartBeat 20 -# RRARows 1200 -# RRATimespan 158112000 -# XFF 0.1 - - -# -# SensorConfigFile "/etc/sensors3.conf" -# Sensor "it8712-isa-0290/temperature-temp1" -# Sensor "it8712-isa-0290/fanspeed-fan3" -# Sensor "it8712-isa-0290/voltage-in8" -# IgnoreSelected false -# - -# -# LogLevel 3 -# -# Driver "fluke-dmm" -# MinimumInterval 10 -# Conn "/dev/ttyUSB2" -# -# -# Driver "cem-dt-885x" -# Conn "/dev/ttyUSB1" -# -# - -# -# Disk "/^[hs]d[a-f][0-9]?$/" -# IgnoreSelected false -# - -# See /usr/share/doc/collectd/examples/snmp-data.conf.gz for a -# comprehensive sample configuration. 
-# -# -# Type "voltage" -# Table false -# Instance "input_line1" -# Scale 0.1 -# Values "SNMPv2-SMI::enterprises.6050.5.4.1.1.2.1" -# -# -# Type "users" -# Table false -# Instance "" -# Shift -1 -# Values "HOST-RESOURCES-MIB::hrSystemNumUsers.0" -# -# -# Type "if_octets" -# Table true -# InstancePrefix "traffic" -# Instance "IF-MIB::ifDescr" -# Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets" -# -# -# -# Address "192.168.0.2" -# Version 1 -# Community "community_string" -# Collect "std_traffic" -# Inverval 120 -# Timeout 10 -# Retries 1 -# -# -# Address "192.168.0.42" -# Version 2 -# Community "another_string" -# Collect "std_traffic" "hr_users" -# -# -# Address "192.168.0.3" -# Version 1 -# Community "more_communities" -# Collect "powerplus_voltge_input" -# Interval 300 -# Timeout 5 -# Retries 5 -# -# - -# -# -# Plugin "memory" -# Type "memory" -# TypeInstance "free" -# OIDs "1.3.6.1.4.1.2021.4.6.0" -# -# -# IndexOID "IF-MIB::ifIndex" -# SizeOID "IF-MIB::ifNumber" -# -# Instance true -# Plugin "interface" -# OIDs "IF-MIB::ifDescr" -# -# -# Plugin "interface" -# Type "if_octets" -# TypeInstance "" -# OIDs "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets" -# -#
-#
- -# -# Host "::" -# Port "8125" -# DeleteCounters false -# DeleteTimers false -# DeleteGauges false -# DeleteSets false -# CounterSum false -# TimerPercentile 90.0 -# TimerPercentile 95.0 -# TimerPercentile 99.0 -# TimerLower false -# TimerUpper false -# TimerSum false -# TimerCount false -# - -# -# ReportByDevice false -# ReportBytes true -# ValuesAbsolute true -# ValuesPercentage false -# ReportIO true -# - -# -# -# #Plugin "table" -# Instance "slabinfo" -# Separator " " -# -# Type gauge -# InstancePrefix "active_objs" -# InstancesFrom 0 -# ValuesFrom 1 -# -# -# Type gauge -# InstancePrefix "objperslab" -# InstancesFrom 0 -# ValuesFrom 4 -# -#
-#
- -# -# -# Instance "exim" -# Interval 60 -# -# Regex "S=([1-9][0-9]*)" -# DSType "CounterAdd" -# Type "ipt_bytes" -# Instance "total" -# -# -# Regex "\\" -# ExcludeRegex "\\.*mail_spool defer" -# DSType "CounterInc" -# Type "counter" -# Instance "local_user" -# -# -# -# #Use the following log format in nginx: -# #log_format response_time '[$host] "$upstream_response_time" ...' -# Instance "apache" -# -# Regex "^\\S+ \"([0-9.]+)\"" -# -# Percentile 80 # -> latency-foo-80 -# Percentile 95 # -> latency-foo-95 -# Percentile 99 # -> latency-foo-99 -# Bucket 0 0.1 # -> bucket-latency-foo-0_0.1 -# Bucket 0.1 0.2 # -> bucket-latency-foo-0.1_0.2 -# Bucket 0.2 0.5 # -> bucket-latency-foo-0.2_0.5 -# Bucket 0.5 1.0 # -> bucket-latency-foo-0.5_1 -# Bucket 1.0 2.0 # -> bucket-latency-foo-1_2 -# Bucket 2.0 0 # -> bucket-latency-foo-2_inf -# #BucketType "bucket" -# -# Type "latency" -# Instance "foo" -# -# -# - -# -# -# Type "percent" -# Instance "dropped" -# ValueFrom 1 -# -# -# Type "bytes" -# Instance "wire-realtime" -# ValueFrom 2 -# -# -# Type "alerts_per_second" -# ValueFrom 3 -# -# -# Type "kpackets_wire_per_sec.realtime" -# ValueFrom 4 -# -# -# Instance "snort-eth0" -# Interval 600 -# Collect "dropped" "mbps" "alerts" "kpps" -# TimeFrom 0 -# -# - -# -# ListeningPorts false -# AllPortsSummary false -# LocalPort "25" -# RemotePort "25" -# - -# -# Host "127.0.0.1" -# Port "51234" -# Server "8767" -# - -# -# Device "/dev/ttyUSB0" -# Retries 0 -# - -# -# ForceUseProcfs false -# Device "THRM" -# IgnoreSelected false -# - -# -# Host "localhost" -# Port "1978" -# - -# -## None of the following option should be set manually -## This plugin automatically detect most optimal options -## Only set values here if: -## - The module asks you to -## - You want to disable the collection of some data -## - Your (Intel) CPU is not supported (yet) by the module -## - The module generates a lot of errors 'MSR offset 0x... 
read failed' -## In the last two cases, please open a bug request -# -# TCCActivationTemp "100" -# CoreCstates "392" -# PackageCstates "396" -# SystemManagementInterrupt true -# DigitalTemperatureSensor true -# PackageThermalManagement true -# RunningAveragePowerLimit "7" -# - - - SocketFile "/var/run/collectd-unixsock" - SocketGroup "collectd" - SocketPerms "0660" - DeleteSocket true - - -# -# UUIDFile "/etc/uuid" -# - -# -# This tag support an argument if you want to -# monitor the local instance just use -# If you prefer defining another instance you can do -# so by using -# -# CollectBackend true -# CollectBan false # Varnish 3 and above -# CollectCache true -# CollectConnections true -# CollectDirectorDNS false # Varnish 3 only -# CollectESI false -# CollectFetch false -# CollectHCB false -# CollectObjects false -# CollectPurge false # Varnish 2 only -# CollectSession false -# CollectSHM true -# CollectSMA false # Varnish 2 & 4 only -# CollectSMS false -# CollectSM false # Varnish 2 only -# CollectStruct false -# CollectTotals false -# CollectUptime false # Varnish 3 and above -# CollectVCL false -# CollectVSM false # Varnish 4 only -# CollectWorkers false -# CollectLock false # Varnish 4 only -# CollectMempool false # Varnish 4 only -# CollectManagement false # Varnish 4 only -# CollectSMF false # Varnish 4 only -# CollectVBE false # Varnish 4 only -# CollectMSE false # Varnish-Plus 4 only -# -# - -# -# Connection "xen:///" -# RefreshInterval 60 -# Domain "name" -# BlockDevice "name:device" -# BlockDeviceFormat target -# BlockDeviceFormatBasename false -# InterfaceDevice "name:device" -# IgnoreSelected false -# HostnameFormat name -# InterfaceFormat name -# PluginInstanceFormat name -# Instances 1 -# ExtraStats "cpu_util disk disk_err domain_state fs_info job_stats_background pcpu perf vcpupin" -# - -# -# Verbose false -# - -# -# -# Host "localhost" -# Port "2003" -# Protocol "tcp" -# ReconnectInterval 0 -# LogSendErrors true -# Prefix "collectd" -# Postfix 
"collectd" -# StoreRates true -# AlwaysAppendDS false -# EscapeCharacter "_" -# SeparateInstances false -# PreserveSeparator false -# DropDuplicateFields false -# -# - -# -# -# URL "http://example.com/collectd-post" -# User "collectd" -# Password "secret" -# VerifyPeer true -# VerifyHost true -# CACert "/etc/ssl/ca.crt" -# CAPath "/etc/ssl/certs/" -# ClientKey "/etc/ssl/client.pem" -# ClientCert "/etc/ssl/client.crt" -# ClientKeyPass "secret" -# Header "X-Custom-Header: custom_value" -# SSLVersion "TLSv1" -# Format "Command" -# Prefix "collectd" # metric prefix, only available for KAIROSDB format -# Attribute "key" "value" # only available for KAIROSDB format -# TTL 0 # data ttl, only available for KAIROSDB format -# Metrics true -# Notifications false -# StoreRates false -# BufferSize 4096 -# LowSpeedLimit 0 -# Timeout 0 -# Prefix "collectd/" -# -# - -# -# Property "metadata.broker.list" "localhost:9092" -# -# Format JSON -# -# - -# -# -# Host "localhost" -# Port "27017" -# Timeout 1000 -# StoreRates false -# Database "auth_db" -# User "auth_user" -# Password "auth_passwd" -# -# - -# -# Port "9103" -# - -# -# -# Host "localhost" -# Port "6379" -# Timeout 1000 -# -# - -# -# -# Host "localhost" -# Port 5555 -# Protocol TCP -# Batch true -# BatchMaxSize 8192 -# StoreRates true -# AlwaysAppendDS false -# TTLFactor 2.0 -# Notifications true -# CheckThresholds false -# EventServicePrefix "" -# -# Tag "foobar" -# Attribute "foo" "bar" -# - -# -# -# Host "localhost" -# Port 3030 -# StoreRates true -# AlwaysAppendDS false -# Notifications true -# Metrics true -# EventServicePrefix "" -# MetricHandler "influx" -# MetricHandler "default" -# NotificationHandler "flapjack" -# NotificationHandler "howling_monkey" -# -# Tag "foobar" -# Attribute "foo" "bar" -# - -# -# -# Host "localhost" -# Port "4242" -# HostTags "status=production" -# StoreRates false -# AlwaysAppendDS false -# -# - -# -# Host "localhost" -# Port "2181" -# - - - Filter "*.conf" - - 
diff --git a/conf/default b/conf/default deleted file mode 100644 index e021382..0000000 --- a/conf/default +++ /dev/null @@ -1,26 +0,0 @@ -# -# by default, proxy all to 127.0.0.1:8080 -# - -server { - listen 80 default_server; - listen [::]:80 default_server ipv6only=on; - #listen 443 ssl; - - server_name localhost; - - #ssl_certificate cert.pem; - #ssl_certificate_key cert.key; - - root /usr/share/nginx/html; - - index index.html index.htm; - - # wallarm_mode monitoring; - # wallarm_application 1; - - location / { - proxy_pass http://127.0.0.1:8080; - include proxy_params; - } -} diff --git a/conf/logrotate.conf b/conf/logrotate.conf deleted file mode 100644 index d2f14b5..0000000 --- a/conf/logrotate.conf +++ /dev/null @@ -1,33 +0,0 @@ -/var/log/nginx/*.log { - daily - missingok - rotate 52 - compress - delaycompress - notifempty - create 0640 www-data adm - sharedscripts - prerotate - if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ - run-parts /etc/logrotate.d/httpd-prerotate; \ - fi \ - endscript - postrotate - [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid` - endscript -} - -/var/log/wallarm/tarantool.log { - daily - size 512k - missingok - rotate 10 - compress - delaycompress - create 0640 wallarm adm - postrotate - pkill -HUP tarantool - endscript -} - -include /etc/logrotate.d/wallarm-common diff --git a/conf/nginx/modules-available/mod-http-wallarm.conf b/conf/nginx/modules-available/mod-http-wallarm.conf new file mode 100644 index 0000000..e880a63 --- /dev/null +++ b/conf/nginx/modules-available/mod-http-wallarm.conf @@ -0,0 +1 @@ +load_module modules/ngx_http_wallarm_module.so; diff --git a/conf/nginx/nginx.conf b/conf/nginx/nginx.conf new file mode 100644 index 0000000..e1b7fe6 --- /dev/null +++ b/conf/nginx/nginx.conf 
@@ -0,0 +1,65 @@
+### Wallarm default ###
+
+#user wallarm;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/conf/nginx/proxy_params b/conf/nginx/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/conf/nginx/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/conf/nginx_templates/default.conf.tmpl b/conf/nginx_templates/default.conf.tmpl
new file mode 100644
index 0000000..d062c51
--- /dev/null
+++ b/conf/nginx_templates/default.conf.tmpl
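Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new nginx.conf enables two protocol versions that RFC 8996 deprecates, while the inline comment only records dropping SSLv3; for an image default this should be `ssl_protocols TLSv1.2 TLSv1.3;` with older versions re-enabled deliberately by operators who need them. Consider also uncommenting `server_tokens off;` so the default does not advertise the nginx version in the Server header and error pages. Both settings sit at `http` level and are inherited by everything pulled in through `include /etc/nginx/sites-enabled/*;`, so they apply to every deployment that does not mount its own nginx.conf.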
@@ -0,0 +1,49 @@
+#
+# by default, proxy all to 127.0.0.1:8080
+#
+
+server {
+ listen {{ env.Getenv "NGINX_PORT" "80" }} default_server;
+ {{ if not (env.Getenv "DISABLE_IPV6") -}}
+ listen [::]:{{ env.Getenv "NGINX_PORT" "80" }} default_server ipv6only=on;
+ {{ end -}}
+ #listen 443 ssl;
+
+ server_name localhost;
+
+ #ssl_certificate cert.pem;
+ #ssl_certificate_key cert.key;
+
+ root /usr/share/nginx/html;
+
+ index index.html index.htm;
+
+ wallarm_mode {{ env.Getenv "WALLARM_MODE" "monitoring" }};
+ {{ if env.Getenv "WALLARM_APPLICATION" -}}
+ wallarm_application {{ .Env.WALLARM_APPLICATION }};
+ {{ end }}
+ {{ if env.Getenv "WALLARM_STATUS_ALLOW" -}}
+
+ location /wallarm-status {
+ {{range (.Env.WALLARM_STATUS_ALLOW | strings.Split ",") -}}
+ allow {{ . }};
+ {{ end -}}
+ deny all;
+ wallarm_status on;
+ wallarm_mode off;
+ }
+ {{ end }}
+
+ location / {
+ {{ $nginxBackend := "http://127.0.0.1:8080" }}
+ {{ if env.Getenv "NGINX_BACKEND" -}}
+ {{ if or (.Env.NGINX_BACKEND | strings.HasPrefix "http") (.Env.NGINX_BACKEND | strings.HasPrefix "https") -}}
+ {{ $nginxBackend = .Env.NGINX_BACKEND -}}
+ {{ else -}}
+ {{ $nginxBackend = (print "http://" .Env.NGINX_BACKEND) -}}
+ {{ end -}}
+ {{ end -}}
+ proxy_pass {{ print $nginxBackend }};
+ include proxy_params;
+ }
+}
diff --git a/conf/nginx_templates/wallarm-status.conf.tmpl b/conf/nginx_templates/wallarm-status.conf.tmpl
new file mode 100644
index 0000000..71d8a5c
--- /dev/null
+++ b/conf/nginx_templates/wallarm-status.conf.tmpl
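Review bot: The scheme test `{{ if or (.Env.NGINX_BACKEND | strings.HasPrefix "http") (.Env.NGINX_BACKEND | strings.HasPrefix "https") -}}` only ever checks the prefix `http` (the second operand is subsumed by the first) and is looser than the `http://`/`https://` check the shell version in scripts/init performed with `${NGINX_BACKEND#http://}`: a backend such as `httpd-backend:8080` now reaches `proxy_pass` without a scheme and nginx rejects the config. Change the condition to `{{ if or (.Env.NGINX_BACKEND | strings.HasPrefix "http://") (.Env.NGINX_BACKEND | strings.HasPrefix "https://") -}}`. The `allow {{ . }};` loop over `strings.Split ","` does not trim its items, so a trailing comma or whitespace around an entry in WALLARM_STATUS_ALLOW renders `allow ;`, which is also a config error; pass each item through `strings.TrimSpace` and skip empty ones, or document the exact expected format next to the variable.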
@@ -0,0 +1,24 @@
+# wallarm-status, required for monitoring purposes.
+
+# Default `wallarm-status` configuration.
+# It is strongly advised not to alter any of the existing lines of the default
+# wallarm-status configuration as it may corrupt the process of metric data
+# upload to the Wallarm cloud.
+
+
+server {
+ listen 127.0.0.8:{{ env.Getenv "NGINX_PORT" "80" }};
+
+ server_name localhost;
+
+ allow 127.0.0.0/8;
+ deny all;
+
+ wallarm_mode off;
+ disable_acl "on";
+ access_log off;
+
+ location ~/wallarm-status$ {
+ wallarm_status on;
+ }
+}
diff --git a/conf/sources.list b/conf/sources.list
deleted file mode 100644
index da8a3c7..0000000
--- a/conf/sources.list
+++ /dev/null
@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/wallarm.gpg] http://repo.wallarm.com/debian/wallarm-node buster/4.8/
\ No newline at end of file
diff --git a/conf/supervisord.conf b/conf/supervisord.conf
deleted file mode 100644
index 62331d3..0000000
--- a/conf/supervisord.conf
+++ /dev/null
@@ -1,71 +0,0 @@ -[supervisord] -nodaemon=true -logfile=/var/log/wallarm/supervisord.log -pidfile=/run/supervisor/pid - -[unix_http_server] -file=//run/supervisor/sock - -[rpcinterface:supervisor] -supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - -[supervisorctl] -serverurl=unix:///run/supervisor/sock - -[program:collectd] -command=/usr/sbin/collectd -f -C /etc/collectd/wallarm-collectd.conf -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/collectd.log - -[program:cron] -command=/usr/sbin/cron -f -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/cron.log - -[program:tarantool] -environment=LUA_PATH="/usr/share/tarantool/?.lua;/usr/share/tarantool/?/init.lua;/usr/share/wallarm-tarantool/modules/?.lua;/usr/share/wallarm-tarantool/modules/?/init.lua" -command=/usr/bin/wtarantool /usr/share/wallarm-tarantool/init.lua -user=wallarm -group=wallarm -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/tarantool-out.log - -[program:nginx] -command=/usr/sbin/nginx -g "daemon off;" -autorestart=true -startretries=4294967295 -stdout_logfile_maxbytes=0 -stdout_logfile=/dev/stdout -stderr_logfile_maxbytes=0 -stderr_logfile=/dev/stdout - -[program:appstructure] -command=/usr/bin/wallarm-appstructure-client --config-file /etc/wallarm/node.yaml -user=wallarm -group=wallarm -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/appstructure.log - -[program:antibotapiextractor] -command=/usr/bin/antibotapiextractor -user=wallarm -group=wallarm -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/antibotapiextractor.log - -[program:registernode_loop] -command=/usr/local/bin/registernode_loop -autorestart=false -startsecs=0 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/registernode_loop.log 
diff --git a/conf/supervisord.conf.socat b/conf/supervisord.conf.socat
new file mode 100644
index 0000000..05cde63
--- /dev/null
+++ b/conf/supervisord.conf.socat
@@ -0,0 +1,6 @@
+[program:socat]
+command=socat TCP4-LISTEN:3313,fork,reuseaddr TCP4:%(ENV_POSTANALYTIC_ADDRESS)s:3313
+autorestart=true
+startretries=4294967295
+redirect_stderr=true
+stdout_logfile=/opt/wallarm/var/log/wallarm/socat.log
diff --git a/conf/supervisord.filtering.conf b/conf/supervisord.filtering.conf
deleted file mode 100644
index 379224d..0000000
--- a/conf/supervisord.filtering.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-[supervisord]
-nodaemon=true
-logfile=/var/log/wallarm/supervisord.log
-pidfile=/run/supervisor/pid
-
-[unix_http_server]
-file=//run/supervisor/sock
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl=unix:///run/supervisor/sock
-
-[program:collectd]
-command=/usr/sbin/collectd -f -C /etc/collectd/wallarm-collectd.conf
-autorestart=true
-startretries=4294967295
-redirect_stderr=true
-stdout_logfile=/var/log/wallarm/collectd.log
-
-[program:cron]
-command=/usr/sbin/cron -f
-autorestart=true
-startretries=4294967295
-redirect_stderr=true
-stdout_logfile=/var/log/wallarm/cron.log
-
-[program:socat]
-command=socat TCP4-LISTEN:3313,fork,reuseaddr TCP4:%(ENV_POSTANALYTIC_ADDRESS)s:3313
-autorestart=true
-startretries=4294967295
-redirect_stderr=true
-stdout_logfile=/var/log/wallarm/socat.log
-
-[program:nginx]
-command=/usr/sbin/nginx -g "daemon off;"
-autorestart=true
-startretries=4294967295
-stdout_logfile_maxbytes=0
-stdout_logfile=/dev/stdout
-stderr_logfile_maxbytes=0
-stderr_logfile=/dev/stdout
-
-[program:registernode_loop]
-command=/usr/local/bin/registernode_loop
-autorestart=false
-startsecs=0
-redirect_stderr=true
-stdout_logfile=/var/log/wallarm/registernode_loop.log
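Review bot: `command=socat TCP4-LISTEN:3313,fork,reuseaddr TCP4:%(ENV_POSTANALYTIC_ADDRESS)s:3313` listens on every IPv4 interface of the container; the deleted supervisord.filtering.conf carried the same line, so this is moved rather than new, but the new file is the right place to decide whether the relay is only for the local nginx module. If it is, `TCP4-LISTEN:3313,bind=127.0.0.1,fork,reuseaddr` keeps the listener on loopback; if other containers are expected to reach post-analytics through this port, a comment above `[program:socat]` saying so would stop a later change from tightening it by mistake.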
diff --git a/conf/supervisord.post-analytics.conf b/conf/supervisord.post-analytics.conf deleted file mode 100644 index f0d9ad4..0000000 --- a/conf/supervisord.post-analytics.conf +++ /dev/null @@ -1,62 +0,0 @@ -[supervisord] -nodaemon=true -logfile=/var/log/wallarm/supervisord.log -pidfile=/run/supervisor/pid - -[unix_http_server] -file=//run/supervisor/sock - -[rpcinterface:supervisor] -supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - -[supervisorctl] -serverurl=unix:///run/supervisor/sock - -[program:collectd] -command=/usr/sbin/collectd -f -C /etc/collectd/wallarm-collectd.conf -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/collectd.log - -[program:cron] -command=/usr/sbin/cron -f -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/cron.log - -[program:tarantool] -environment=LUA_PATH="/usr/share/tarantool/?.lua;/usr/share/tarantool/?/init.lua;/usr/share/wallarm-tarantool/modules/?.lua;/usr/share/wallarm-tarantool/modules/?/init.lua",HOST="0.0.0.0" -command=/usr/bin/wtarantool /usr/share/wallarm-tarantool/init.lua -user=wallarm -group=wallarm -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/tarantool-out.log - -[program:appstructure] -command=/usr/bin/wallarm-appstructure-client --config-file /etc/wallarm/node.yaml -user=wallarm -group=wallarm -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/appstructure.log - -[program:antibotapiextractor] -command=/usr/bin/antibotapiextractor -user=wallarm -group=wallarm -autorestart=true -startretries=4294967295 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/antibotapiextractor.log - -[program:registernode_loop] -command=/usr/local/bin/registernode_loop -autorestart=false -startsecs=0 -redirect_stderr=true -stdout_logfile=/var/log/wallarm/registernode_loop.log 
diff --git a/scripts/init b/scripts/init index 66cfdba..221cff0 100755 --- a/scripts/init +++ b/scripts/init @@ -1,20 +1,5 @@ #!/bin/bash -prepare_dirs() { - LOGDIR=/var/log/wallarm - TARANTOOL_LOGFILE=$LOGDIR/tarantool.log - - chown wallarm:wallarm $LOGDIR - chmod 0750 $LOGDIR - - touch $TARANTOOL_LOGFILE - chown wallarm:wallarm $TARANTOOL_LOGFILE - - touch /etc/crontab /etc/cron.d/* - - mkdir -p /run/supervisor -} - register_node() { args="--batch --no-sync" @@ -58,30 +43,30 @@ register_node() { args="$args --filtering-only" fi - if [ -e /etc/wallarm/node.yaml ] \ - && [ -s /etc/wallarm/node.yaml ] + if [ -e /opt/wallarm/etc/wallarm/node.yaml ] \ + && [ -s /opt/wallarm/etc/wallarm/node.yaml ] then echo "Node registartion skipped - node.yaml already exists" elif [ -n "$NODE_UUID" ] \ && [ -n "$NODE_SECRET" ] \ && [ -n "$WALLARM_API_TOKEN" ] then - /usr/share/wallarm-common/register-node \ + /opt/wallarm/register-node \ $args \ --uuid "$NODE_UUID" else - /usr/share/wallarm-common/register-node \ + /opt/wallarm/register-node \ $args fi } sync_node() { - cmd="/usr/share/wallarm-common/syncnode -l STDOUT" + cmd="/opt/wallarm/usr/share/wallarm-common/syncnode -l STDOUT" for i in $(seq 1 3); do if $cmd; then break - elif [ -f /etc/wallarm/proton.db ] && [ -f /etc/wallarm/custom_ruleset ]; then + elif [ -f /opt/wallarm/etc/wallarm/proton.db ] && [ -f /opt/wallarm/etc/wallarm/custom_ruleset ]; then break else echo "Wait before next syncnode attempt..." @@ -91,6 +76,15 @@ sync_node() { } configure_nginx() { + read -r NGX_CONF_FIRST < /etc/nginx/nginx.conf + if [ "$NGX_CONF_FIRST" = "### Wallarm default ###" ] \ + || [ -n "$RENDER_STATUS_PAGE" ]; then + echo "Rendering status page..." + gomplate -f /opt/wallarm/wallarm-status.conf.tmpl > /etc/nginx/conf.d/wallarm-status.conf + else + echo "Custom nginx.conf (probably mounted dir), please handle status page manually" + fi + if [ -n "$NGINX_EXTERNAL_CONFIG" ]; then return 0 fi 
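Review bot: The new `gomplate -f /opt/wallarm/wallarm-status.conf.tmpl > /etc/nginx/conf.d/wallarm-status.conf` line in configure_nginx does not check gomplate's exit status, and no `set -e` is visible in these hunks, so a template or environment error leaves an empty wallarm-status.conf in conf.d and startup continues; the same applies to the default.conf.tmpl rendering in the following hunk (@@ -103,77). Render to a temporary file and only move it into place on success, e.g. `gomplate -f /opt/wallarm/wallarm-status.conf.tmpl > /tmp/wallarm-status.conf && mv /tmp/wallarm-status.conf /etc/nginx/conf.d/wallarm-status.conf || { echo "ERROR: failed to render wallarm-status.conf" >&2; exit 1; }`. The sentinel `read -r NGX_CONF_FIRST < /etc/nginx/nginx.conf` also fails silently when nginx.conf is unreadable and then takes the "custom nginx.conf" branch, which may be surprising. configure_nginx's body continues outside this hunk.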
@@ -103,77 +97,27 @@ configure_nginx() { [ -n "$NGINX_BACKEND" ] || return 0 - if [ "$NGINX_BACKEND" = "${NGINX_BACKEND#http://}" ] \ - && [ "$NGINX_BACKEND" = "${NGINX_BACKEND#https://}" ] - then - sed -i -e "s#proxy_pass .*#proxy_pass http://$NGINX_BACKEND;#" \ - /etc/nginx/sites-enabled/default - else - sed -i -e "s#proxy_pass .*#proxy_pass $NGINX_BACKEND;#" \ - /etc/nginx/sites-enabled/default - fi - - if [ -n "$DISABLE_IPV6" ]; then - sed -i '/ipv6only/d' /etc/nginx/sites-enabled/default - fi + echo "Rendering nginx default config..." + gomplate -f /opt/wallarm/default.conf.tmpl > /etc/nginx/sites-enabled/default if [ ! -z "$NGINX_PORT" ]; then - sed -i -r "s#(listen.+)80(.+)#\1$NGINX_PORT\2#" \ - /etc/nginx/sites-enabled/default - sed -i -r "s#(listen.+)80(.+)#\1$NGINX_PORT\2#" \ - /etc/nginx/conf.d/wallarm-status.conf - sed -i -r "s#http://127.0.0.8/wallarm-status#http://127.0.0.8:$NGINX_PORT/wallarm-status#" \ - /etc/collectd/wallarm-collectd.conf.d/nginx-wallarm.conf - fi - - sed -i -e "s@# wallarm_mode .*@wallarm_mode ${WALLARM_MODE:-monitoring};@" \ - /etc/nginx/sites-enabled/default - - if [ -n "$WALLARM_APPLICATION" ]; then - sed -i -e "s|# wallarm_application .*|wallarm_application $WALLARM_APPLICATION;|" \ - /etc/nginx/sites-enabled/default - fi - - if [ -n "$WALLARM_STATUS_ALLOW" ]; then - craft_wallarm_status_snippet - insert_wallarm_status_snippet + sed -i -r "s#http://127.0.0.8/wallarm-status#http://127.0.0.8:$NGINX_PORT/wallarm-status#" \ + /opt/wallarm/etc/collectd/wallarm-collectd.conf.d/nginx-wallarm.conf fi } -craft_wallarm_status_snippet() { - { - printf "\tlocation /wallarm-status {\n" - for cidr in $(echo "$WALLARM_STATUS_ALLOW" | sed "s/,/ /g"); do - printf "\t\tallow %s;\n" "$cidr" - done - printf "\t\tdeny all;\n" - printf "\t\twallarm_status on;\n" - printf "\t\twallarm_mode off;\n" - printf "\t}\n\n" - } >/tmp/wallarm-status.conf -} - -insert_wallarm_status_snippet() { - line_for_insert=$(grep -n "location / {" 
/etc/nginx/sites-enabled/default | cut -f 1 -d:) - line_for_insert=$((line_for_insert - 1)) - sed -i "${line_for_insert}r /tmp/wallarm-status.conf" /etc/nginx/sites-enabled/default -} - configure_services() { if [ x"$POSTANALYTIC_ONLY" = x"true" ] \ || [ x"$POSTANALYTIC_ONLY" = x"True" ] \ || [ x"$POSTANALYTIC_ONLY" = x"yes" ] then - rm /etc/cron.d/wallarm-node-nginx - rm /etc/collectd/wallarm-collectd.conf.d/nginx-wallarm.conf - mv /etc/supervisor/supervisord.post-analytics.conf.example /etc/supervisor/supervisord.conf - sed -e 's/# post-analytic://' -i /etc/cron.d/wallarm-node-tarantool + rm /opt/wallarm/etc/collectd/wallarm-collectd.conf.d/nginx-wallarm.conf + mv /opt/wallarm/etc/supervisord.conf.postanalytics /opt/wallarm/etc/supervisord.conf fi if [ -n "$POSTANALYTIC_ADDRESS" ]; then - rm /etc/cron.d/wallarm-node-tarantool - rm /etc/collectd/wallarm-collectd.conf.d/wallarm-tarantool.conf - mv /etc/supervisor/supervisord.filtering.conf.example /etc/supervisor/supervisord.conf + rm /opt/wallarm/etc/collectd/wallarm-collectd.conf.d/wallarm-tarantool.conf + mv /opt/wallarm/etc/supervisord.conf.filtering /opt/wallarm/etc/supervisord.conf fi } 
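Review bot: In configure_services the `mv /opt/wallarm/etc/supervisord.conf.postanalytics /opt/wallarm/etc/supervisord.conf` and the matching `.filtering` move are unchecked, so if either source file is absent the container keeps the default supervisord.conf and starts in the wrong role without an error; the only supervisord fragment this commit adds is conf/supervisord.conf.socat, so whether `.postanalytics` and `.filtering` exist in the image depends on the Dockerfile, which is not in view. Append `|| { echo "ERROR: supervisord config for this mode is missing" >&2; exit 1; }` to both moves. In the NGINX_PORT branch above, the remaining sed now only patches the collectd config while the listen port itself comes from `env.Getenv "NGINX_PORT"` in the templates, and a one-line comment stating that would keep the next reader from looking for a missing sed. The enclosing configure_nginx starts in the previous hunk.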
@@ -201,19 +145,28 @@ if [ -n "$POSTANALYTIC_ADDRESS" ] && [ -n "$POSTANALYTIC_ONLY" ]; then fi if [ -z "$WALLARM_API_TOKEN" ]; then - if [ ! -f "/etc/wallarm/private.key" ]; then + if [ ! -f "/opt/wallarm/etc/wallarm/private.key" ]; then echo "ERROR: no WALLARM_API_TOKEN and no private key in /etc/wallarm/private.key" >&2 exit 1 fi fi +# Propagate env vars to supervisor +set -a && source /opt/wallarm/env.list && set +a printenv >> /etc/environment -prepare_dirs configure_services #taken from https://unix.stackexchange.com/a/71511 { register_node |& tee /dev/fd/3 | grep -q 'Label "group" is required for this registration type' && exit; } 3>&1 sync_node configure_nginx -exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf +if [ x"$POSTANALYTIC_ONLY" = x"true" ] \ + || [ x"$POSTANALYTIC_ONLY" = x"True" ] \ + || [ x"$POSTANALYTIC_ONLY" = x"yes" ] +then + exec /opt/wallarm/usr/bin/python3.8 /opt/wallarm/usr/bin/supervisord -n -c /opt/wallarm/etc/supervisord.conf +else + /opt/wallarm/usr/bin/python3.8 /opt/wallarm/usr/bin/supervisord -n -c /opt/wallarm/etc/supervisord.conf & + exec /usr/sbin/nginx -g "daemon off;" +fi diff --git a/scripts/registernode_loop b/scripts/registernode_loop deleted file mode 100755 index ecb86b7..0000000 --- a/scripts/registernode_loop +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -source /usr/local/bin/init --source-only -cmd="register_node" - -while ! [ -s /etc/wallarm/node.yaml ]; do - if $cmd; then - break - else - echo "Wait before next register_node attempt..." - sleep 5 - fi -done - -exit 0 diff --git a/test/docker-compose.single.yaml b/test/docker-compose.single.yaml index 1ea54f6..0d53add 100644 --- a/test/docker-compose.single.yaml +++ b/test/docker-compose.single.yaml 
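Review bot: The private-key check now tests `/opt/wallarm/etc/wallarm/private.key`, but the error message on the next line still says `no private key in /etc/wallarm/private.key`, which points operators at the wrong path; change it to `echo "ERROR: no WALLARM_API_TOKEN and no private key in /opt/wallarm/etc/wallarm/private.key" >&2`. The added `set -a && source /opt/wallarm/env.list && set +a` feeds the existing `printenv >> /etc/environment`, so everything from env.list together with WALLARM_API_TOKEN and NODE_SECRET is persisted in a file that is typically world-readable inside the container; filter those variables out or pass them to supervisord through its own environment instead. In the non-post-analytics branch supervisord is backgrounded with `&` and nginx is exec'd, so if supervisord exits nothing in the container notices; at least log that outcome, or have the script wait on both and exit when either dies.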
@@ -8,23 +8,18 @@ services: WALLARM_API_CA_VERIFY: ${WALLARM_API_CA_VERIFY} WALLARM_API_TOKEN: ${WALLARM_API_TOKEN} healthcheck: - test: bash -c '[ -f /etc/wallarm/node.yaml ]' + test: bash -c '[ -f /opt/wallarm/etc/wallarm/node.yaml ]' timeout: 5s retries: 10 volumes: - "./nginx_conf/wallarm_node.conf:/etc/nginx/sites-enabled/default" - depends_on: - - nginx - - nginx: - image: nginx:stable-alpine - volumes: - - "./nginx_conf/nginx_node.conf:/etc/nginx/conf.d/default.conf" + - "./nginx_conf/nginx_node.conf:/etc/nginx/sites-enabled/workload.conf" pytest: image: dkr.wallarm.com/tests/smoke-tests:latest environment: WALLARM_API_HOST: ${WALLARM_API_HOST} + WALLARM_API_PRESET: ${WALLARM_API_PRESET:-eu1} WALLARM_API_CA_VERIFY: ${WALLARM_API_CA_VERIFY} CLIENT_ID: ${CLIENT_ID} USER_UUID: ${USER_UUID} @@ -33,6 +28,18 @@ services: PYTEST_ARGS: ${PYTEST_ARGS} NODE_BASE_URL: http://node HOSTNAME_OLD_NODE: smoke-tests-old-node + ALLURE_ENVIRONMENT_ARCH: ${ALLURE_ENVIRONMENT_ARCH} + ALLURE_PROJECT_ID: ${ALLURE_PROJECT_ID} + ALLURE_TOKEN: ${ALLURE_TOKEN} + ALLURE_ENDPOINT: ${ALLURE_ENDPOINT} + ALLURE_RESULTS: ${ALLURE_RESULTS:-/tests/_out/allure_report} + ALLURE_LAUNCH_TAGS: USER:${GITHUB_ACTOR:-local}, + WORKFLOW:${GITHUB_WORKFLOW:-local}, + RUN_ID:${GITHUB_RUN_ID:-local}, + BRANCH:${GITHUB_REF_NAME:-local}, + JOB:${GITHUB_JOB:-local}, + ARCH:${ALLURE_ENVIRONMENT_ARCH:-} + ALLURE_LAUNCH_NAME: ${GITHUB_WORKFLOW:-local}-${GITHUB_RUN_ID:-local}-${GITHUB_JOB:-local}-${ALLURE_ENVIRONMENT_ARCH:-} entrypoint: '/bin/sleep' command: - infinity \ No newline at end of file diff --git a/test/docker-compose.split.yaml b/test/docker-compose.split.yaml index 65bfb73..c200e57 100644 --- a/test/docker-compose.split.yaml +++ b/test/docker-compose.split.yaml 
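Review bot: `ALLURE_LAUNCH_TAGS:` is written as a multi-line plain scalar, so YAML folds the continuation lines `WORKFLOW:${GITHUB_WORKFLOW:-local},` etc. into one space-separated value; that is presumably intended, but it reads like a broken mapping and some linters flag it. Writing `ALLURE_LAUNCH_TAGS: >-` followed by the same indented lines makes the folding explicit, and the identical block in test/docker-compose.split.yaml in the next hunk should get the same treatment. `ALLURE_TOKEN: ${ALLURE_TOKEN}` places a credential in the test container's environment, which is acceptable for a throwaway smoke run as long as the tests do not dump their environment into the uploaded report.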
@@ -9,14 +9,14 @@ services: WALLARM_API_TOKEN: ${WALLARM_API_TOKEN} POSTANALYTIC_ADDRESS: post-analytics healthcheck: - test: bash -c '[ -f /etc/wallarm/node.yaml ]' + test: bash -c '[ -f /opt/wallarm/etc/wallarm/node.yaml ]' timeout: 5s retries: 10 volumes: - "./nginx_conf/wallarm_node.conf:/etc/nginx/sites-enabled/default" + - "./nginx_conf/nginx_node.conf:/etc/nginx/sites-enabled/workload.conf" depends_on: - post-analytics - - nginx post-analytics: image: ${NODE_IMAGE} @@ -26,19 +26,15 @@ services: WALLARM_API_TOKEN: ${WALLARM_API_TOKEN} POSTANALYTIC_ONLY: true healthcheck: - test: bash -c '[ -f /etc/wallarm/node.yaml ]' + test: bash -c '[ -f /opt/wallarm/etc/wallarm/node.yaml ]' timeout: 5s retries: 10 - nginx: - image: nginx:stable-alpine - volumes: - - "./nginx_conf/nginx_node.conf:/etc/nginx/conf.d/default.conf" - pytest: image: dkr.wallarm.com/tests/smoke-tests:latest environment: WALLARM_API_HOST: ${WALLARM_API_HOST} + WALLARM_API_PRESET: ${WALLARM_API_PRESET:-eu1} WALLARM_API_CA_VERIFY: ${WALLARM_API_CA_VERIFY} CLIENT_ID: ${CLIENT_ID} USER_UUID: ${USER_UUID} @@ -47,6 +43,18 @@ services: PYTEST_ARGS: ${PYTEST_ARGS} NODE_BASE_URL: http://node HOSTNAME_OLD_NODE: smoke-tests-old-node + ALLURE_ENVIRONMENT_ARCH: ${ALLURE_ENVIRONMENT_ARCH} + ALLURE_PROJECT_ID: ${ALLURE_PROJECT_ID} + ALLURE_TOKEN: ${ALLURE_TOKEN} + ALLURE_ENDPOINT: ${ALLURE_ENDPOINT} + ALLURE_RESULTS: ${ALLURE_RESULTS:-/tests/_out/allure_report} + ALLURE_LAUNCH_TAGS: USER:${GITHUB_ACTOR:-local}, + WORKFLOW:${GITHUB_WORKFLOW:-local}, + RUN_ID:${GITHUB_RUN_ID:-local}, + BRANCH:${GITHUB_REF_NAME:-local}, + JOB:${GITHUB_JOB:-local}, + ARCH:${ALLURE_ENVIRONMENT_ARCH:-} + ALLURE_LAUNCH_NAME: ${GITHUB_WORKFLOW:-local}-${GITHUB_RUN_ID:-local}-${GITHUB_JOB:-local}-${ALLURE_ENVIRONMENT_ARCH:-} entrypoint: '/bin/sleep' command: - infinity diff --git a/test/nginx_conf/nginx_node.conf b/test/nginx_conf/nginx_node.conf index 9fd127a..6521780 100644 --- a/test/nginx_conf/nginx_node.conf 
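Review bot: `depends_on` for `node` now lists only `post-analytics`, but the list form only orders container start, while `post-analytics` defines a healthcheck in the same file that is never waited on; since `POSTANALYTIC_ADDRESS: post-analytics` appears to be how the node reaches that container, the long form `depends_on:` / `  post-analytics:` / `    condition: service_healthy` would make the node wait for a registered post-analytics instance. The `node` healthcheck itself only checks that `node.yaml` exists, which does not show its nginx is up; with the sidecar `nginx` service removed, a probe of port 80 is the meaningful readiness signal for the tests that hit `http://node`. `POSTANALYTIC_ONLY: true` (context line) is a YAML boolean that compose stringifies to `true`, and the init script compares it against literal strings; quoting it as `"true"` pins the intended string and avoids yamllint truthy warnings.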
+++ b/test/nginx_conf/nginx_node.conf @@ -1,9 +1,31 @@ -server { - listen 80 default_server; - server_name _; - root /usr/share/nginx/html; - index index.html index.htm; +server { # Example of a local backend + listen 127.0.0.1:8000; + location / { + return 200; + } + location /api-discovery-test { + return 200; + default_type application/json; + } + + # Some mocks for test_api_abuse_prevention.py + location /.git { + if ($http_custom_id) { + return 400; + } + return 200; + } + location /admin { + if ($http_custom_id) { + return 401; + } + return 200; + } + location /api/v2 { + if ($http_custom_id) { + return 502; + } return 200; } -} \ No newline at end of file +} diff --git a/test/nginx_conf/wallarm_node.conf b/test/nginx_conf/wallarm_node.conf index e8c8b16..1bf5e2a 100644 --- a/test/nginx_conf/wallarm_node.conf +++ b/test/nginx_conf/wallarm_node.conf @@ -1,9 +1,5 @@ -# We use this custom config since we need to set real_ip_header and -# set_real_ip_from directives, but init script does not support it yet. - server { listen 80 default_server; - listen [::]:80 default_server ipv6only=on; #listen 443 ssl; server_name localhost; 
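Review bot: In the `/api-discovery-test` location, `return 200;` sends an empty body, so the client receives `Content-Type: application/json` with nothing to parse; if the API-discovery test decodes the response as JSON, the mock should return a document, `return 200 '{}';`, and placing `default_type application/json;` before the `return` keeps the block readable. The three `if ($http_custom_id)` blocks use the safe `if`-with-`return` form, but a one-line comment above each naming the expectation it mirrors (400 on `/.git`, 401 on `/admin`, 502 on `/api/v2` when the header is present) would save the next reader a trip to `test_api_abuse_prevention.py`. The backend is bound to `127.0.0.1:8000`, so it is reachable only from inside the node container; a comment such as `# loopback only: reached via proxy_pass from wallarm_node.conf, never published` would document that this is deliberate.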
@@ -18,13 +14,37 @@ server { index index.html index.htm; - wallarm_fallback off; + #wallarm_fallback off; # It doesn't work for docker node, we should use `-e WALLARM_FALLBACK=false` there wallarm_mode block; # wallarm_application 1; - location / { - proxy_pass http://nginx:80; + location / { # Example of proxying to a local backend + proxy_pass http://127.0.0.1:8000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /wallarm-mode/monitoring { + wallarm_mode monitoring; + proxy_pass http://127.0.0.1:8000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + # Endpoint for `test_api_abuse_prevention.py` (and any other test, that uses non-default APP_ID) + location /wallarm-application/ { + rewrite ^/wallarm-application(/.*)$ $1 break; + wallarm_application $http_custom_id; + proxy_pass http://127.0.0.1:8000; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } -} \ No newline at end of file + + location /api-discovery-test { + wallarm_application $http_custom_id; + proxy_pass http://127.0.0.1:8000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + +}
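Review bot: `wallarm_application $http_custom_id;` in the `/wallarm-application/` and `/api-discovery-test` locations lets the client choose the Wallarm application ID through a request header, which is fine for a smoke-test fixture but is exactly what must not be copied into a production config; a comment above each use, `# TEST ONLY: application id comes from the client-supplied Custom-Id header - never do this in production`, makes that boundary explicit. The two `proxy_set_header` lines are repeated in all four locations; `proxy_set_header` is inherited from the `server` level by any location that sets none of its own, so hoisting the pair once above `location /` removes six duplicated lines with identical behaviour. The `#wallarm_fallback off;` comment names the workaround (`-e WALLARM_FALLBACK=false`) but not which component reads that variable (presumably the image's init script); pointing at it would close the loop. The enclosing `server` block starts before this hunk.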