various bug fixes related to Swarm integration
This commit is contained in:
parent
4a9d64d9d9
commit
b199464a73
|
@ -18,9 +18,9 @@ jobs:
|
|||
run: docker build -t bunkerized-nginx .
|
||||
|
||||
# Temp ignore CVE-2021-36159
|
||||
- name: Temp add .trivyignore
|
||||
run: |
|
||||
echo "CVE-2021-36159" > .trivyignore
|
||||
#- name: Temp add .trivyignore
|
||||
# run: |
|
||||
# echo "CVE-2021-36159" > .trivyignore
|
||||
|
||||
- name: Run Trivy security scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
|
@ -31,9 +31,9 @@ jobs:
|
|||
ignore-unfixed: true
|
||||
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
||||
|
||||
- name: Temp remove .trivyignore
|
||||
run: |
|
||||
rm -f .trivyignore
|
||||
#- name: Temp remove .trivyignore
|
||||
# run: |
|
||||
# rm -f .trivyignore
|
||||
|
||||
- name: Run autotest
|
||||
run: docker run bunkerized-nginx test
|
||||
|
|
|
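Review bot: The two `.trivyignore` steps are commented out instead of deleted, and the `# Temp ignore CVE-2021-36159` header above the first block is kept, so the workflow now carries a comment stating the CVE is ignored when it no longer is. Remove the commented lines and the header outright; history keeps the workaround if it is needed again, and the second hunk (`#- name: Temp remove .trivyignore`) has the same leftover. Since this scanner step is being touched anyway, `uses: aquasecurity/trivy-action@master` tracks a mutable branch, so the tool that gates the image can change between runs; pinning it to a release tag or commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-sha>`, keeps the scan reproducible.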
@ -12,10 +12,8 @@ RUN chmod +x /tmp/docker.sh && \
|
|||
/tmp/docker.sh && \
|
||||
rm -f /tmp/docker.sh
|
||||
|
||||
# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897 and CVE-2021-33560
|
||||
RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0"
|
||||
# Temp : can't fix CVE-2021-36159 because fixed version is not available on alpine arm/v7
|
||||
# RUN apk add "apk-tools>=2.12.6-r0"
|
||||
# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897, CVE-2021-33560 and CVE-2021-36159
|
||||
RUN apk add "curl>=7.77.0-r0" "libgcrypt>=1.8.8-r0" "apk-tools>=2.12.6-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge /plugins
|
||||
|
||||
|
@ -23,6 +21,6 @@ EXPOSE 8080/tcp 8443/tcp
|
|||
|
||||
USER nginx:nginx
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || exit 1
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ -f /tmp/nginx.pid ] || [ -f /tmp/nginx-temp.pid ] || exit 1
|
||||
|
||||
ENTRYPOINT ["/opt/bunkerized-nginx/entrypoint/entrypoint.sh"]
|
||||
|
|
|
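Review bot: The comment removed on the old side said the fixed `apk-tools>=2.12.6-r0` was not available on alpine arm/v7, yet the new `RUN apk add` line requests it unconditionally, so unless that package has since been published for arm/v7 the multi-arch build will fail on that platform; the commit message does not say what changed, so this is worth confirming and recording, e.g. `# Fix CVE-2021-22901, CVE-2021-22898, CVE-2021-22897, CVE-2021-33560 and CVE-2021-36159 (apk-tools fix now available on all target arches)`. Adding `--no-cache` to that `apk add` would also keep the fetched package index out of the image layer. In the second hunk the HEALTHCHECK now reports healthy when only `/tmp/nginx-temp.pid` exists, so a container whose main nginx never came up while a temporary instance is running is no longer flagged; a comment explaining why the temporary pid file is accepted would help the next reader judge whether that is intended.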
@ -33,6 +33,7 @@ class Config :
|
|||
try :
|
||||
# Lock
|
||||
if self.__lock :
|
||||
log("config", "ERROR", "lock")
|
||||
self.__lock.acquire()
|
||||
locked = True
|
||||
|
||||
|
@ -46,6 +47,7 @@ class Config :
|
|||
|
||||
# Unlock
|
||||
if self.__lock :
|
||||
log("config", "ERROR", "release")
|
||||
self.__lock.release()
|
||||
locked = False
|
||||
|
||||
|
@ -136,6 +138,7 @@ class Config :
|
|||
|
||||
def __api_call(self, instances, path) :
|
||||
if self.__lock :
|
||||
log("config", "ERROR", "lock")
|
||||
self.__lock.acquire()
|
||||
ret = True
|
||||
nb = 0
|
||||
|
@ -172,5 +175,6 @@ class Config :
|
|||
log("config", "INFO", "failed API order to " + url)
|
||||
ret = False
|
||||
if self.__lock :
|
||||
log("config", "ERROR", "release")
|
||||
self.__lock.release()
|
||||
return ret and nb > 0
|
||||
|
|
|
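Review bot: The new lock tracing at L159, L182, L205 and L230 is emitted at `ERROR` severity although acquiring and releasing the lock is the normal path, so every config change writes several error entries and genuine failures become harder to pick out of the log stream; `log("config", "DEBUG", "lock")` and `log("config", "DEBUG", "release")` are the fitting level if the log helper supports it, otherwise drop the calls before merging. In `__api_call` the lock is acquired at the top of the method and released only on the normal return path at L233; the body between the two hunks is outside this view, but if anything in it raises, the lock is never released and, presumably being a plain `threading.Lock`, every later caller blocks — wrapping the body in `try: ... finally:` with the release in the `finally`, or `with self.__lock:` when it is set, closes that gap. The first hunk already records `locked = True` inside a `try :` (whose `finally`, if any, is outside the hunk), and `__api_call` should follow the same pattern. The same ERROR-level tracing appears in `ReloadServerHandler` (`log("RELOADSERVER", "ERROR", "lock")`).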
@ -13,10 +13,12 @@ class ReloadServerHandler(socketserver.StreamRequestHandler):
|
|||
if not data or not data in [b"lock", b"reload", b"unlock"] :
|
||||
break
|
||||
if data == b"lock" :
|
||||
log("RELOADSERVER", "ERROR", "lock")
|
||||
self.server.controller.lock.acquire()
|
||||
locked = True
|
||||
self.request.sendall(b"ok")
|
||||
elif data == b"unlock" :
|
||||
log("RELOADSERVER", "ERROR", "unlock")
|
||||
self.server.controller.lock.release()
|
||||
locked = False
|
||||
self.request.sendall(b"ok")
|
||||
|
|
|
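Review bot: The `unlock` branch releases `self.server.controller.lock` without checking that this connection holds it, so a client that sends `unlock` first (or twice) either releases a lock taken by another connection or, if the lock is a plain `threading.Lock` that is currently free, raises `RuntimeError` out of the handler; guard it with the `locked` flag the handler sets at L260/L275 (assuming it is initialised before the loop), `elif data == b"unlock" and locked :`. In the other direction, a second `lock` from a connection that already holds it would block on `acquire()` forever, so `if data == b"lock" and not locked :` is the matching guard, with the refused case answering something other than `b"ok"`. The new `log("RELOADSERVER", "ERROR", ...)` calls record routine lock traffic at error level; `"DEBUG"` fits better. The enclosing handler loop starts before this hunk.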
@ -309,9 +309,9 @@ $ docker service create \
|
|||
--constraint node.role==manager \
|
||||
--network bunkerized-net \
|
||||
--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock,ro \
|
||||
--mount type=bind,source=/shared/confs,destination=/etc/nginx,rw \
|
||||
--mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt,rw \
|
||||
--mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge,rw \
|
||||
--mount type=bind,source=/shared/confs,destination=/etc/nginx \
|
||||
--mount type=bind,source=/shared/letsencrypt,destination=/etc/letsencrypt \
|
||||
--mount type=bind,source=/shared/acme-challenge,destination=/acme-challenge \
|
||||
-e SWARM_MODE=yes \
|
||||
-e API_URI=/ChangeMeToSomethingHardToGuess \
|
||||
bunkerity/bunkerized-nginx-autoconf
|
||||
|
|