Refactored openresty-voms packaging

.gitlab-ci.yml

@@ -30,13 +30,13 @@ docker-build-rpm:
     - apk add git bash
     - git clone https://baltig.infn.it/mw-devel/helper-scripts.git helper-scripts
     - cp helper-scripts/scripts/* /usr/local/bin
-    - cp rpmbuild/RPMS/x86_64/* ${CI_PROJECT_DIR}/docker/ngx-voms-openshift/
-    - cp rpmbuild/RPMS/noarch/* ${CI_PROJECT_DIR}/docker/ngx-voms-openshift/ 
-    - rm ${CI_PROJECT_DIR}/docker/ngx-voms-openshift/*-debuginfo*.rpm
+    - cp rpmbuild/RPMS/x86_64/* ${CI_PROJECT_DIR}/docker/openresty-voms/
+    - cp rpmbuild/RPMS/noarch/* ${CI_PROJECT_DIR}/docker/openresty-voms/ 
+    - rm ${CI_PROJECT_DIR}/docker/openresty-voms/*-debuginfo*.rpm
     - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
     - export DOCKER_REGISTRY_HOST=${CI_REGISTRY}
     - export DOCKER_REGISTRY_NAMESPACE=${CI_PROJECT_PATH}
-    - cd docker/ngx-voms-openshift && build-docker-image.sh && push-docker-image.sh
+    - cd docker/openresty-voms && build-docker-image.sh && push-docker-image.sh
 
 push-to-dockerhub:
   stage: docker-push
@@ -54,8 +54,7 @@ push-to-dockerhub:
     - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
     - export DOCKER_REGISTRY_HOST=${CI_REGISTRY}
     - export DOCKER_REGISTRY_NAMESPACE=${CI_PROJECT_PATH}
-    - cd docker && cd ngx-voms-packaging && pull-docker-image.sh && cd .. && unset DOCKER_REGISTRY_HOST
-    - docker login -u ${DOCKERHUB_USER} -p ${DOCKERHUB_PASSWORD}
-    - cd ngx-voms-packaging && push-docker-image.sh
+    - cd docker/openresty-voms && pull-docker-image.sh && unset DOCKER_REGISTRY_HOST
+    - docker login -u ${DOCKERHUB_USER} -p ${DOCKERHUB_PASSWORD} && push-docker-image.sh
   only:
     - master

docker/ngx-voms-openshift/.env

-DOCKER_IMAGE=storm2/ngx-voms-openshift
-DOCKER_VERBOSE=y
-DOCKER_GIT_TAG_ENABLED=y

docker/ngx-voms-packaging/Dockerfile

-FROM storm2/base:latest
-
-RUN sudo yum -y install voms zlib pcre readline gettext && \
-      sudo yum clean all && rm -rf /var/cache/yum
-
-ADD assets/setup.sh /docker/
-
-RUN sh /docker/setup.sh
-
-RUN mkdir /cores
-
-USER root
-
-ADD openresty-voms-1.15.8.1-7.el7.x86_64.rpm openresty-voms-1.15.8.1-7.el7.x86_64.rpm
-ADD openresty-voms-debuginfo-1.15.8.1-7.el7.x86_64.rpm openresty-voms-debuginfo-1.15.8.1-7.el7.x86_64.rpm
-
-ADD openresty-voms-doc-1.15.8.1-7.el7.noarch.rpm openresty-voms-doc-1.15.8.1-7.el7.noarch.rpm
-ADD openresty-voms-opm-1.15.8.1-7.el7.noarch.rpm openresty-voms-opm-1.15.8.1-7.el7.noarch.rpm
-ADD openresty-voms-resty-1.15.8.1-7.el7.noarch.rpm openresty-voms-resty-1.15.8.1-7.el7.noarch.rpm
-
-RUN sudo yum -y localinstall openresty-voms-1.15.8.1-7.el7.x86_64.rpm \
-    openresty-voms-resty-1.15.8.1-7.el7.noarch.rpm \
-    openresty-voms-doc-1.15.8.1-7.el7.noarch.rpm \
-    openresty-voms-opm-1.15.8.1-7.el7.noarch.rpm \
-    openresty-voms-resty-1.15.8.1-7.el7.noarch.rpm
-
-RUN chown -R ${STORM_USER}:${STORM_USER} /usr/local/openresty-voms/ /usr/lib/systemd/system/openresty-voms.service /usr/bin/openresty-voms
-
-ENV TINI_VERSION v0.18.0
-ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
-RUN chmod +x /tini
-ENTRYPOINT ["/tini", "--"]
-
-CMD ["sudo", "/usr/bin/openresty-voms", "-g", "daemon off;"]
-
-USER ${STORM_USER}

docker/ngx-voms-packaging/assets/setup.sh

-#!/bin/sh
-set -ex
-
-mkdir -p /etc/nginx/conf.d
-
-chown -R ${STORM_USER}:${STORM_USER} /etc/nginx
-
-

docker/ngx-voms-packaging/.env → docker/openresty-voms/.env

-DOCKER_IMAGE=storm2/ngx-voms-centos7
+DOCKER_IMAGE=storm2/openresty-voms
 DOCKER_VERBOSE=y
 DOCKER_GIT_TAG_ENABLED=y
-

docker/ngx-voms-openshift/Dockerfile → docker/openresty-voms/Dockerfile

 FROM centos:7
 
+# Allow customization of nginx user ID and name
+ARG NGINX_USER=nginx
+ARG NGINX_USER_UID=1001
+
+ENV NGINX_USER $NGINX_USER
+ENV NGINX_USER_UID $NGINX_USER_UID
+
 RUN echo "include_only=.garr.it,.cern.ch" >> /etc/yum/pluginconf.d/fastestmirror.conf && \
       yum clean all && \
       yum install -y hostname epel-release && \
       yum -y update && \
       yum -y install which wget tar sudo file && \
       echo '%wheel ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && \
+      adduser --uid ${NGINX_USER_UID} ${NGINX_USER} && \
+      usermod -a -G root ${NGINX_USER} && \
       yum clean all && \
       rm -rf /var/cache/yum
 
@@ -15,7 +24,13 @@ RUN  \
 
 ADD *.rpm /pkgs/
 
-RUN yum -y localinstall /pkgs/*.rpm
+RUN yum -y localinstall /pkgs/*.rpm && \
+      chmod -R g+rwx /usr/local/openresty-voms/nginx && \
+      mkdir -p /etc/nginx/conf.d
+
+ADD assets/nginx.conf /usr/local/openresty-voms/nginx/conf/nginx.conf
+
+CMD ["/usr/bin/openresty-voms", "-g", "daemon off;"]
 
 ENV TINI_VERSION v0.18.0
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini

docker/openresty-voms/assets/nginx.conf

+user  nobody;
+worker_processes  1;
+
+env OPENSSL_ALLOW_PROXY_CERTS=1;
+env X509_VOMS_DIR=/vomsdir;
+
+error_log  logs/error.log  notice;
+
+pid        logs/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format tls '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+                    '$ssl_protocol/$ssl_cipher '
+                    '"$ssl_client_s_dn" '
+                    '[$voms_fqans] '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    log_format  plain '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  logs/access.log  tls;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+    
+    include /etc/nginx/conf.d/*.conf;
+
+}