various bug fixes related to Swarm integration

.github/workflows/build-bunkerized-nginx.yml

@@ -18,9 +18,9 @@ jobs:
         run: docker build -t bunkerized-nginx .
    
       # Temp ignore CVE-2021-36159
-      - name: Temp add .trivyignore
-        run: |
-          echo "CVE-2021-36159" > .trivyignore
+      #- name: Temp add .trivyignore
+      #  run: |
+      #    echo "CVE-2021-36159" > .trivyignore
 
       - name: Run Trivy security scanner
         uses: aquasecurity/trivy-action@master
@@ -31,9 +31,9 @@ jobs:
           ignore-unfixed: true
           severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
 
-      - name: Temp remove .trivyignore
-        run: |
-          rm -f .trivyignore
+      #- name: Temp remove .trivyignore
+      #  run: |
+      #    rm -f .trivyignore
 
       - name: Run autotest
         run: docker run bunkerized-nginx test

Dockerfile

@@ -12,10 +12,8 @@ RUN chmod +x /tmp/docker.sh && \
     /tmp/docker.sh && \
     rm -f /tmp/docker.sh
 
-# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897 and CVE-2021-33560
-RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0"
-# Temp : can't fix CVE-2021-36159 because fixed version is not available on alpine arm/v7
-# RUN apk add "apk-tools>=2.12.6-r0"
+# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897, CVE-2021-33560 and CVE-2021-36159
+RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0" "apk-tools>=2.12.6-r0"
 
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
 
@@ -23,6 +21,6 @@ EXPOSE 8080/tcp 8443/tcp
 
 USER nginx:nginx
 
-HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || [ -f /tmp/nginx-temp.pid ] || exit 1
 
 ENTRYPOINT ["/opt/bunkerized-nginx/entrypoint/entrypoint.sh"]

autoconf/src/Config.py

@@ -33,6 +33,7 @@ class Config :
 		try :
 			# Lock
 			if self.__lock :
+				log("config", "ERROR", "lock")
 				self.__lock.acquire()
 				locked = True
 
@@ -46,6 +47,7 @@ class Config :
 
 			# Unlock
 			if self.__lock :
+				log("config", "ERROR", "release")
 				self.__lock.release()
 				locked = False
 
@@ -136,6 +138,7 @@ class Config :
 
 	def __api_call(self, instances, path) :
 		if self.__lock :
+			log("config", "ERROR", "lock")
 			self.__lock.acquire()
 		ret = True
 		nb = 0
@@ -172,5 +175,6 @@ class Config :
 				log("config", "INFO", "failed API order to " + url)
 				ret = False
 		if self.__lock :
+			log("config", "ERROR", "release")
 			self.__lock.release()
 		return ret and nb > 0

autoconf/src/ReloadServer.py

@@ -13,10 +13,12 @@ class ReloadServerHandler(socketserver.StreamRequestHandler):
 				if not data or not data in [b"lock", b"reload", b"unlock"] :
 					break
 				if data == b"lock" :
+					log("RELOADSERVER", "ERROR", "lock")
 					self.server.controller.lock.acquire()
 					locked = True
 					self.request.sendall(b"ok")
 				elif data == b"unlock" :
+					log("RELOADSERVER", "ERROR", "unlock")
 					self.server.controller.lock.release()
 					locked = False
 					self.request.sendall(b"ok")

docs/integrations.md

@@ -309,9 +309,9 @@ $ docker service create \
          --constraint node.role==manager \
          --network bunkerized-net \
          --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
-         --mount type=bind,source=/shared/confs,destination=/etc/nginx,rw \
-         --mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt,rw \
-         --mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge,rw \
+         --mount type=bind,source=/shared/confs,destination=/etc/nginx \
+         --mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt \
+         --mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge \
          -e SWARM_MODE=yes \
          -e API_URI=/ChangeMeToSomethingHardToGuess \
          bunkerity/bunkerized-nginx-autoconf