diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 000000000..bed853110 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,4 @@ +# Exclude stuff from the docker build context + +target +.docker_*/ \ No newline at end of file diff --git a/ci/README.md b/ci/README.md index 799b48f33..d6a1c230b 100644 --- a/ci/README.md +++ b/ci/README.md @@ -1,6 +1,6 @@ -# CI scripts - - -* **install_\*.sh scripts are not used! They are guidance if you need to install these components yourself** -* travis_install.sh is run first -* travis_run.sh is run next, which selects travis_run_docker.sh (run inside a docker container) or build.sh (run directly) +# CI scripts + + +* **install_\*.sh scripts are not used! They are guidance if you need to install these components yourself** +* travis_install.sh is run first +* travis_run.sh is run next, which selects travis_run_docker.sh (run inside a docker container) or build.sh (run directly) diff --git a/ci/docker/.dockerignore b/ci/docker/.dockerignore deleted file mode 100644 index 788119f33..000000000 --- a/ci/docker/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -.docker_*/ -*.sh diff --git a/ci/docker/docker.md b/ci/docker/docker.md deleted file mode 100644 index 37413c007..000000000 --- a/ci/docker/docker.md +++ /dev/null @@ -1,16 +0,0 @@ - - -### FAQ - -#### Cannot connect to the Docker daemon. Is the docker daemon running on this host? - -See https://stackoverflow.com/questions/21871479/docker-cant-connect-to-docker-daemon - - -OS X only: - -``` -docker-machine start # start virtual machine for docker -docker-machine env # it's helps to get environment variables -eval "$(docker-machine env default)" #set environment variables -``` diff --git a/ci/docker/travis/ubuntu14/Dockerfile b/ci/docker/travis/ubuntu14/Dockerfile deleted file mode 100644 index f1abd7395..000000000 --- a/ci/docker/travis/ubuntu14/Dockerfile +++ /dev/null @@ -1,2 +0,0 @@ -FROM imazen/imageflow_build_ubuntu14 -RUN rustup default beta 
diff --git a/ci/docker/travis/ubuntu16/Dockerfile b/ci/docker/travis/ubuntu16/Dockerfile deleted file mode 100644 index c0c43a35a..000000000 --- a/ci/docker/travis/ubuntu16/Dockerfile +++ /dev/null @@ -1,2 +0,0 @@ -FROM imazen/imageflow_build_ubuntu16 -RUN rustup default beta diff --git a/ci/packaging_extras/requirements/x86_64-haswell-linux-gcc54-glibc223.txt b/ci/packaging_extras/requirements/x86_64-haswell-linux-gcc54-glibc223.txt deleted file mode 100644 index f56c81604..000000000 --- a/ci/packaging_extras/requirements/x86_64-haswell-linux-gcc54-glibc223.txt +++ /dev/null @@ -1,3 +0,0 @@ -Hardware: Requires a Haswell (2013) or later compatible CPU with AVX2 support. (Excludes Celeron and Pentium-branded CPUS) - -Software: 64-bit Ubuntu 16.04 or other linux supplying Ubuntu GLIBC 2.23-0ubuntu3 diff --git a/ci/packaging_extras/requirements/x86_64-linux-gcc48-eglibc219.txt b/ci/packaging_extras/requirements/x86_64-linux-gcc48-eglibc219.txt deleted file mode 100644 index f3853563b..000000000 --- a/ci/packaging_extras/requirements/x86_64-linux-gcc48-eglibc219.txt +++ /dev/null @@ -1 +0,0 @@ -64-bit Ubuntu 14.04 or other Ubuntu platform supplying (Ubuntu EGLIBC 2.19-0ubuntu6.9 required) diff --git a/ci/packaging_extras/requirements/x86_64-linux-gcc54-glibc223.txt b/ci/packaging_extras/requirements/x86_64-linux-gcc54-glibc223.txt deleted file mode 100644 index 945cc6cb1..000000000 --- a/ci/packaging_extras/requirements/x86_64-linux-gcc54-glibc223.txt +++ /dev/null @@ -1 +0,0 @@ -64-bit Ubuntu 16.04 or other linux supplying Ubuntu GLIBC 2.23-0ubuntu3 diff --git a/ci/packaging_extras/requirements/x86_64-linux-musl.txt b/ci/packaging_extras/requirements/x86_64-linux-musl.txt deleted file mode 100644 index ddc58dcf8..000000000 --- a/ci/packaging_extras/requirements/x86_64-linux-musl.txt +++ /dev/null @@ -1 +0,0 @@ -x86_64-linux-musl \ No newline at end of file 
diff --git a/ci/packaging_extras/requirements/x86_64-mac-osx10_11.txt b/ci/packaging_extras/requirements/x86_64-mac-osx10_11.txt deleted file mode 100644 index cf4aa8951..000000000 --- a/ci/packaging_extras/requirements/x86_64-mac-osx10_11.txt +++ /dev/null @@ -1 +0,0 @@ -64-bit macOS 10.11 or higher \ No newline at end of file diff --git a/ci/packaging_extras/requirements/x86_64-sandybridge-linux-gcc54-glibc223.txt b/ci/packaging_extras/requirements/x86_64-sandybridge-linux-gcc54-glibc223.txt deleted file mode 100644 index 71d615e23..000000000 --- a/ci/packaging_extras/requirements/x86_64-sandybridge-linux-gcc54-glibc223.txt +++ /dev/null @@ -1,3 +0,0 @@ -Hardware: Requires a Sandy Bridge (2011) or later compatible CPU with AVX support. (May exclude Celeron and Pentium-branded discount processors) - -Software: 64-bit Ubuntu 16.04 or other linux supplying Ubuntu GLIBC 2.23-0ubuntu3 diff --git a/ci/packaging_extras/requirements/x86_64-sandybridge-mac-osx10_11.txt b/ci/packaging_extras/requirements/x86_64-sandybridge-mac-osx10_11.txt deleted file mode 100644 index 40db4bf05..000000000 --- a/ci/packaging_extras/requirements/x86_64-sandybridge-mac-osx10_11.txt +++ /dev/null @@ -1,3 +0,0 @@ -Hardware: Requires a Sandy Bridge (2011) or later compatible CPU with AVX support. (May exclude Celeron and Pentium-branded discount processors) - -Software: 64-bit macOS 10.11 or higher \ No newline at end of file diff --git a/ci/travis_monitor_base_dockerfiles.sh b/ci/travis_monitor_base_dockerfiles.sh new file mode 100644 index 000000000..f2c7e2248 --- /dev/null +++ b/ci/travis_monitor_base_dockerfiles.sh 
@@ -0,0 +1,41 @@
+#!/bin/bash
+# script expects TRAVIS_COMMIT_RANGE to be set to a commit range to check for changes
+# and TRAVIS_BUILD_DIR set to the build dir
+# Docker hub only triggers if $TRAVIS_BRANCH or $TRAVIS_TAG are set
+
+# first param is file to monitor for changes
+# second is endpoint to inform
+inform_docker_hub_if_changed(){
+
+ if [ -z "$1" ]; then
+ echo "First parameter must be a file to diff for changes. Exiting." && exit 1;
+ fi
+ if [ -z "$2" ]; then
+ echo "Second parameter must be a docker hub endpoint. Exiting." && exit 1;
+ fi
+
+ if [ -z "${TRAVIS_COMMIT_RANGE}" ]; then
+ echo "TRAVIS_COMMIT_RANGE not set - should be commit range to check for changes, like 6544f0b..a62c029. Exiting." && exit 1;
+ else
+ echo "Scanning ${TRAVIS_COMMIT_RANGE} for changes to $1";
+ git diff -s --exit-code ${TRAVIS_COMMIT_RANGE} ./README.m
+ RETVAL = $?
+ if [ RETVAL -eq 1 ]; then
+ echo ... found changes, invoking travis_trigger_docker_cloud.sh
+ ./ci/travis_trigger_docker_cloud.sh "$2"
+ elif [ RETVAL -eq 0 ]; then
+ echo ... no changes
+ else
+ echo ... git command failed with error ${RETVAL}
+ fi
+
+ fi
+}
+
+cd "$TRAVIS_BUILD_DIR"
+
+#inform_docker_hub_if_changed("./docker/imageflow_base_os/Dockerfile","")
+#inform_docker_hub_if_changed("./docker/imageflow_build_ubuntu16/Dockerfile","")
+#inform_docker_hub_if_changed("./docker/imageflow_build_ubuntu18/Dockerfile","")
+inform_docker_hub_if_changed "./docker/imageflow_build_ubuntu18_debug/Dockerfile" "https://registry.hub.docker.com/u/imazen/imageflow_build_ubuntu18_debug/trigger/38852860-517f-49c2-81c2-a033aba36a5b/"
+
diff --git a/ci/travis_trigger_docker_cloud.sh b/ci/travis_trigger_docker_cloud.sh
index 2107185d2..86a3d6494 100755
--- a/ci/travis_trigger_docker_cloud.sh
+++ b/ci/travis_trigger_docker_cloud.sh
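Review bot: In `inform_docker_hub_if_changed` of ci/travis_monitor_base_dockerfiles.sh the change check can never reach the trigger branch: `git diff` is run against the hard-coded path `./README.m` rather than `$1`, `RETVAL = $?` is not an assignment in bash (it tries to run a command named RETVAL), and `[ RETVAL -eq 1 ]` tests the literal word instead of `$RETVAL`. As written every call presumably falls through to the "git command failed" branch with an empty error value, so a changed base Dockerfile never causes the image to be rebuilt. Quoting the commit range and passing the path after `--` also keeps a malformed range from being read as options or paths. The rewritten lines are below; the rest of the function is unchanged.

```shell
    echo "Scanning ${TRAVIS_COMMIT_RANGE} for changes to $1";
    git diff -s --exit-code "${TRAVIS_COMMIT_RANGE}" -- "$1"
    RETVAL=$?
    if [ "$RETVAL" -eq 1 ]; then
      # … unchanged: invoke travis_trigger_docker_cloud.sh with "$2" …
    elif [ "$RETVAL" -eq 0 ]; then
      # … unchanged: no-changes and git-failure branches …
```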
@@ -1,16 +1,18 @@ #!/bin/bash set -e #Exit on failure. +if [ -z "$1" ]; then + echo "travis_trigger_docker_hub.sh requires a docker hub endpoint url as a parameter. Exiting." && exit 1; +fi + # Test locally by running -# TRAVIS_BRANCH=master ./ci/travis_trigger_docker_cloud.sh -# TRAVIS_TAG=v0.0.10 ./ci/travis_trigger_docker_cloud.sh +# TRAVIS_BRANCH=master ./ci/travis_trigger_docker_cloud.sh https://registry.hub.docker.com/u/imazen/imageflow_server_unsecured/trigger/3682f725-3a98-49dd-9e96-acd594721250/ +# TRAVIS_TAG=v0.0.10 ./ci/travis_trigger_docker_cloud.sh https://registry.hub.docker.com/u/imazen/imageflow_tool/trigger/d4943bd2-6350-4cda-9012-f56fe2deaef8/ if [[ -z "$TRAVIS_PULL_REQUEST_SHA" ]]; then if [[ -n "$TRAVIS_TAG" ]]; then - # We can re-enable when tagged releases allow non-localhost connections - #export CLOUD_SOURCE_NAME="${TRAVIS_TAG}" - #export CLOUD_SOURCE_TYPE="Tag" - echo "Skipping docker cloud build for tags (update when we permit non-localhost connections)" + export CLOUD_SOURCE_NAME="${TRAVIS_TAG}" + export CLOUD_SOURCE_TYPE="Tag" else if [[ -n "$TRAVIS_BRANCH" ]]; then export CLOUD_SOURCE_NAME="${TRAVIS_BRANCH}" 
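Review bot: The new usage message names `travis_trigger_docker_hub.sh`, but the file being patched is `ci/travis_trigger_docker_cloud.sh`, so someone following the error from a CI log will look for a script that does not exist under that name. Suggest `echo "travis_trigger_docker_cloud.sh requires a docker hub endpoint url as a parameter. Exiting." >&2 && exit 1;`, which also sends the message to stderr. The `if`/`else` block that sets `CLOUD_SOURCE_NAME` continues past the end of this hunk.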
@@ -22,17 +24,9 @@ fi if [[ -n "$CLOUD_SOURCE_NAME" ]]; then PAYLOAD="{'source_type': '${CLOUD_SOURCE_TYPE}', 'source_name': '${CLOUD_SOURCE_NAME}'}" - # This token has no security value and is rate limited to 10. + # Endpoint url tokens have no security value and are rate limited to 10. # It only checks GitHub for the given tag/branch - it does not accept any data. - TRIGGER_ENDPOINT=https://registry.hub.docker.com/u/imazen/imageflow_server_unsecured/trigger/3682f725-3a98-49dd-9e96-acd594721250/ - echo "Trigger 1 (server): docker cloud build with $PAYLOAD" - curl -H "Content-Type: application/json" --data "${PAYLOAD}" -X POST "$TRIGGER_ENDPOINT" - - TRIGGER_ENDPOINT_2=https://registry.hub.docker.com/u/imazen/imageflow_tool/trigger/d4943bd2-6350-4cda-9012-f56fe2deaef8/ - - echo "Trigger 2 (imageflow_tool) docker cloud build with $PAYLOAD" - curl -H "Content-Type: application/json" --data "${PAYLOAD}" -X POST "$TRIGGER_ENDPOINT_2" - - + echo "Invoking $1 with $PAYLOAD" + curl -H "Content-Type: application/json" --data "${PAYLOAD}" -X POST "$1" fi diff --git a/ci/wintools/SETUP_PATH.bat b/ci/wintools/SETUP_PATH.bat index 5532df77f..523999b29 100644 --- a/ci/wintools/SETUP_PATH.bat +++ b/ci/wintools/SETUP_PATH.bat 
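Review bot: The single `curl ... -X POST "$1"` that replaces the two hard-coded triggers reports success even when Docker Hub rejects the request, because curl exits 0 on an HTTP 4xx/5xx response unless asked otherwise, so the `set -e` at the top of the script never fires. Suggest `curl --fail --silent --show-error -H "Content-Type: application/json" --data "${PAYLOAD}" -X POST "$1"`. Since the endpoint is now caller-supplied, it would also be worth rejecting any `$1` that does not start with `https://registry.hub.docker.com/` before posting to it. The `PAYLOAD` context line builds single-quoted pseudo-JSON; that is not part of this change, but it is worth confirming the endpoint really accepts it.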
@@ -1,28 +1,28 @@ -echo PATH is currently: %PATH% -echo . -echo . -set PATH=%PATH%;C:\Program Files\Git\bin;C:\Program Files\Git\mingw64\bin -set PATH=%PATH%;C:\Program Files (x86)\NASM; -set PATH=%PATH%;C:\Program Files (x86)\Rust\bin - -echo Updated path to -echo %PATH% -echo . - -set RUST_TARGET=i686-pc-windows-msvc -set TARGET_CPU=sandybridge -set RUST_FLAGS=%RUST_FLAGS -C target-cpu=%TARGET_CPU% - -set CARGO_INCREMENTAL=1 -set RUST_TEST_THREADS=1 -set VS_ARCH=x86 - -if [%1] == [x86] goto :x86 -set RUST_TARGET=x86_64-pc-windows-msvc -set VS_ARCH=amd64 -:x86 - -echo VS_ARCH=%VSARCH% RUST_TARGET=%RUST_TARGET% TARGET_CPU=%TARGET_CPU% CARGO_INCREMENTAL=%CARGO_INCREMENTAL% -echo NOW entering VS 14 - -%comspec% /k ""C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" %VS_ARCH%" +echo PATH is currently: %PATH% +echo . +echo . +set PATH=%PATH%;C:\Program Files\Git\bin;C:\Program Files\Git\mingw64\bin +set PATH=%PATH%;C:\Program Files (x86)\NASM; +set PATH=%PATH%;C:\Program Files (x86)\Rust\bin + +echo Updated path to +echo %PATH% +echo . + +set RUST_TARGET=i686-pc-windows-msvc +set TARGET_CPU=sandybridge +set RUST_FLAGS=%RUST_FLAGS -C target-cpu=%TARGET_CPU% + +set CARGO_INCREMENTAL=1 +set RUST_TEST_THREADS=1 +set VS_ARCH=x86 + +if [%1] == [x86] goto :x86 +set RUST_TARGET=x86_64-pc-windows-msvc +set VS_ARCH=amd64 +:x86 + +echo VS_ARCH=%VSARCH% RUST_TARGET=%RUST_TARGET% TARGET_CPU=%TARGET_CPU% CARGO_INCREMENTAL=%CARGO_INCREMENTAL% +echo NOW entering VS 14 + +%comspec% /k ""C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" %VS_ARCH%" diff --git a/docker/LICENSE b/docker/LICENSE new file mode 100644 index 000000000..8607d29be --- /dev/null +++ b/docker/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017-2018 Imazen + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 000000000..1591ae9c3 --- /dev/null +++ b/docker/README.md 
@@ -0,0 +1,43 @@ +# Dockerfiles + + +## for running Imageflow + +* imageflow_tool +* imageflow_server_unsecured +* proxied_stack + +## for building Imageflow + +All Dockerfiles should use user account `imageflow` with uid 1000 +Build directory should be /home/imageflow/imageflow +Run directory should be /home/imageflow + +* imageflow_base_os is for lightweight deployment; it is not used during build. +* imageflow_build_ubuntu16 +* imageflow_build_ubuntu18 +* imageflow_build_ubuntu18_debug + +## Building + +No special requirements. The build scripts are there for convenience. + +## Testing + +Clone imazen/imageflow, and invoke ./ci/docker/test.sh [imagename] `imazen/` is auto-prefixed to the first argument. + + +## FAQ + +### Cannot connect to the Docker daemon. Is the docker daemon running on this host? + +See https://stackoverflow.com/questions/21871479/docker-cant-connect-to-docker-daemon + + +OS X only: + +``` +docker-machine start # start virtual machine for docker +docker-machine env # it helps to get environment variables +eval "$(docker-machine env default)" #set environment variables +``` diff --git a/docker/container_size.sh b/docker/container_size.sh new file mode 100644 index 000000000..2f5fa8b98 --- /dev/null +++ b/docker/container_size.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +docker images + +docker history imazen/imageflow_base_os +docker history imazen/imageflow_build_ubuntu14 +docker history imazen/imageflow_build_ubuntu16 +docker history imazen/imageflow_build_ubuntu18 +docker history imazen/imageflow_build_ubuntu18_debug + +#docker run imazen/build_if_gcc48 du -h / | grep '[0-9\.]\+M' + diff --git a/docker/imageflow_base_os/Dockerfile b/docker/imageflow_base_os/Dockerfile new file mode 100644 index 000000000..7c72d9522 --- /dev/null +++ b/docker/imageflow_base_os/Dockerfile 
@@ -0,0 +1,36 @@
+FROM ubuntu:bionic
+
+MAINTAINER Lilith River
+
+ARG BASE_OS_SOURCE_COMMIT
+ARG BASE_OS_DOCKER_TAG
+
+RUN if [ -z "${BASE_OS_SOURCE_COMMIT}" ]; then echo "BASE_OS_SOURCE_COMMIT not set; exiting" && exit 1; else echo "BASE_OS_SOURCE_COMMIT=${BASE_OS_SOURCE_COMMIT}"; fi
+
+RUN apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y \
+ sudo wget libcurl4-openssl-dev curl libssl-dev ca-certificates libpng-dev \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /tmp/*' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+RUN groupadd 1001 -g 1001 &&\
+ groupadd 1000 -g 1000 &&\
+ useradd -ms /bin/bash imageflow -g 1001 -G 1000 &&\
+ echo "imageflow:imageflow" | chpasswd && adduser imageflow sudo &&\
+ echo "imageflow ALL= NOPASSWD: ALL\n" >> /etc/sudoers
+
+USER imageflow
+
+WORKDIR /home/imageflow
+
+ENV RUST_BACKTRACE 1
+ENV BASE_OS_SOURCE_COMMIT="${BASE_OS_SOURCE_COMMIT}" BASE_OS_DOCKER_TAG="${BASE_OS_DOCKER_TAG}"
+ENV BASE_OS_LAST_LAYER_UNIX_SECONDS="$(date +%s)"
diff --git a/docker/imageflow_base_os/README.md b/docker/imageflow_base_os/README.md
new file mode 100644
index 000000000..61d4bd83f
--- /dev/null
+++ b/docker/imageflow_base_os/README.md
@@ -0,0 +1,10 @@
+## imazen/imageflow_base_os
+
+* This image should contain the runtime dependencies needed by imageflow_server and imageflow_tool.
+* It should also contain wget, for use in child dockerfiles
+* RUST_BACKTRACE=1
+
+It should be rebuilt every commit, master -> latest, (v[0-9].*) -> $1
+
+
+ubuntu:bionic with imageflow user account - updated with sudo wget libcurl4-openssl-dev curl libssl-dev ca-certificates libpng-dev
\ No newline at end of file
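Review bot: In docker/imageflow_base_os/Dockerfile the user-creation `RUN` gives `imageflow` the fixed password `imageflow` via `chpasswd` and appends `imageflow ALL= NOPASSWD: ALL` to /etc/sudoers, so the later `USER imageflow` provides no privilege separation: any process in the container can become root without a secret. docker/README.md in this commit describes this image as the lightweight deployment base, which is where that matters most; I would drop the `chpasswd` call, `adduser imageflow sudo` and the sudoers line here, ending the step at `useradd -ms /bin/bash imageflow -g 1001 -G 1000`. The same block is repeated in the imageflow_build_ubuntu14, ubuntu16, ubuntu16_debug, ubuntu18 and ubuntu18_debug Dockerfiles, where at least the well-known password could go. Separately, `ENV BASE_OS_LAST_LAYER_UNIX_SECONDS="$(date +%s)"` does not run `date` as far as I can tell, because ENV performs no command substitution, so the variable holds the literal text rather than a timestamp.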
diff --git a/docker/imageflow_base_os/hooks/build b/docker/imageflow_base_os/hooks/build new file mode 100644 index 000000000..58a40ef1c --- /dev/null +++ b/docker/imageflow_base_os/hooks/build @@ -0,0 +1,15 @@ +#!/bin/bash + +echo "SOURCE_COMMIT: $SOURCE_COMMIT" + +if [[ -z "$SOURCE_COMMIT" ]]; then + export SOURCE_COMMIT="${SOURCE_COMMIT:-$(git rev-parse HEAD)}" + echo "Updating SOURCE_COMMIT from git rev-parse HEAD" + echo "SOURCE_COMMIT: $SOURCE_COMMIT" +fi + +IMAGE_NAME="${IMAGE_NAME:-imazen/imageflow_base_os}" + +echo "DOCKER_TAG: $DOCKER_TAG" + +docker build -t "$IMAGE_NAME" --build-arg "BASE_OS_SOURCE_COMMIT=$SOURCE_COMMIT" --build-arg "BASE_OS_DOCKER_TAG=$DOCKER_TAG" . \ No newline at end of file diff --git a/docker/imageflow_build_ubuntu14/Dockerfile b/docker/imageflow_build_ubuntu14/Dockerfile new file mode 100644 index 000000000..d321aaa5d --- /dev/null +++ b/docker/imageflow_build_ubuntu14/Dockerfile 
@@ -0,0 +1,46 @@
+FROM ubuntu:trusty
+
+# We'll leave the Ubuntu 14.04 and 18.04 images light, and only install valgrind/coverage/bindings on 16.04
+RUN apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y \
+ sudo build-essential nasm dh-autoreconf pkg-config ca-certificates apt-transport-https \
+ wget zip libcurl4-openssl-dev libelf-dev libdw-dev curl libssl-dev zlib1g-dev git \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -f /tmp/*' \
+ && bash -c 'rm -f /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+RUN groupadd 1001 -g 1001 &&\
+ groupadd 1000 -g 1000 &&\
+ useradd -ms /bin/bash imageflow -g 1001 -G 1000 &&\
+ echo "imageflow:imageflow" | chpasswd && adduser imageflow sudo &&\
+ echo "imageflow ALL= NOPASSWD: ALL\n" >> /etc/sudoers
+
+USER imageflow
+
+#Install beta Rust and make default
+
+ENV PATH=/home/imageflow/.cargo/bin:$PATH
+RUN RUSTVER="beta-2018-06-30" && curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $RUSTVER -v \
+ && rustup default $RUSTVER \
+ && HI=$(rustup which rustc) && HI=${HI%/bin/rustc} && export TOOLCHAIN_DIR=$HI && echo TOOLCHAIN_DIR=$TOOLCHAIN_DIR \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/doc \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/man \
+ && sudo rm -rf /home/conan/.multirust/toolchains/${RUSTVER}-x86_64-unknown-linux-gnu/share/doc \
+ && ln -sf -t $TOOLCHAIN_DIR/lib/ $TOOLCHAIN_DIR/lib/rustlib/x86_64-unknown-linux-gnu/lib/*.so \
+ && rustup show \
+ && rustc -V
+
+
+RUN PKG_CONFIG_ALL_STATIC=1 cargo install --force --git=https://github.com/mozilla/sccache.git --features=s3 \
+ && PKG_CONFIG_ALL_STATIC=1 cargo install dssim \
+
+WORKDIR /home/imageflow/imageflow
+
+MAINTAINER Lilith River
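Review bot: The last `RUN` in docker/imageflow_build_ubuntu14/Dockerfile ends with a trailing backslash after `cargo install dssim \`, so the continuation runs through the blank line and `WORKDIR /home/imageflow/imageflow` is, as far as I know, handed to cargo as further crate names instead of being parsed as an instruction. The build would likely fail at that step, and in any case the image ends up without the working directory that docker/README.md requires. Drop the backslash so the line reads `&& PKG_CONFIG_ALL_STATIC=1 cargo install dssim`. The `sudo rm -rf /home/conan/.multirust/...` line also points at a user these images never create, so it looks like a leftover that removes nothing.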
diff --git a/docker/imageflow_build_ubuntu14/build.sh b/docker/imageflow_build_ubuntu14/build.sh
new file mode 100644
index 000000000..6f92b1ef2
--- /dev/null
+++ b/docker/imageflow_build_ubuntu14/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+#export EXTRA_DOCKER_BUILD_PARAMS=--no-cache
+
+
+# For os x convenience
+if [[ "$(uname -s)" == 'Darwin' ]]; then
+ eval "$(docker-machine env default)"
+fi
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+IMAGE_NAME="$(basename "${SCRIPT_DIR}")"
+
+
+set -x
+# shellcheck disable=SC2086
+docker build ${EXTRA_DOCKER_BUILD_PARAMS} -t "imazen/${IMAGE_NAME}" "${SCRIPT_DIR}"
+
+docker history "imazen/${IMAGE_NAME}"
+
+docker run "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M'
+
diff --git a/docker/imageflow_build_ubuntu14/rebuild.sh b/docker/imageflow_build_ubuntu14/rebuild.sh
new file mode 100644
index 000000000..f24aee963
--- /dev/null
+++ b/docker/imageflow_build_ubuntu14/rebuild.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+EXTRA_DOCKER_BUILD_PARAMS="--no-cache" ./build.sh
\ No newline at end of file
diff --git a/docker/imageflow_build_ubuntu16/Dockerfile b/docker/imageflow_build_ubuntu16/Dockerfile
new file mode 100644
index 000000000..3bc58d94a
--- /dev/null
+++ b/docker/imageflow_build_ubuntu16/Dockerfile
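Review bot: The size report at the end of docker/imageflow_build_ubuntu14/build.sh, `docker run "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M'`, leaves a stopped container behind on every build, and under `set -e` without `pipefail` only grep's exit status counts, so a failing `docker run` goes unnoticed while a report with no megabyte-sized entries aborts the script. Suggest `docker run --rm "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M' || true`, given that the step is informational. The build.sh copies added for ubuntu16, ubuntu16_debug and ubuntu18 carry the same line.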
@@ -0,0 +1,48 @@
+FROM ubuntu:xenial
+
+RUN apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y \
+ sudo build-essential nasm dh-autoreconf pkg-config ca-certificates \
+ git zip curl libpng-dev libssl-dev wget libc6-dbg \
+ libcurl4-openssl-dev libelf-dev libdw-dev apt-transport-https \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /tmp/*' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+RUN groupadd 1001 -g 1001 &&\
+ groupadd 1000 -g 1000 &&\
+ useradd -ms /bin/bash imageflow -g 1001 -G 1000 &&\
+ echo "imageflow:imageflow" | chpasswd && adduser imageflow sudo &&\
+ echo "imageflow ALL= NOPASSWD: ALL\n" >> /etc/sudoers
+
+USER imageflow
+
+
+ENV PATH=/home/imageflow/.cargo/bin:$PATH
+
+
+#Install stable Rust and make default
+RUN RUSTVER="stable" && curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $RUSTVER -v \
+ && rustup default $RUSTVER \
+ && HI=$(rustup which rustc) && HI=${HI%/bin/rustc} && export TOOLCHAIN_DIR=$HI && echo TOOLCHAIN_DIR=$TOOLCHAIN_DIR \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/doc \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/man \
+ && sudo rm -rf /home/conan/.multirust/toolchains/${RUSTVER}-x86_64-unknown-linux-gnu/share/doc \
+ && ln -sf -t $TOOLCHAIN_DIR/lib/ $TOOLCHAIN_DIR/lib/rustlib/x86_64-unknown-linux-gnu/lib/*.so \
+ && rustup show \
+ && rustc -V
+
+RUN PKG_CONFIG_ALL_STATIC=1 cargo install --force --git=https://github.com/mozilla/sccache.git --features=s3 \
+ && PKG_CONFIG_ALL_STATIC=1 cargo install dssim
+
+WORKDIR /home/imageflow/imageflow
+
+
+MAINTAINER Lilith River
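Review bot: Nothing fetched in the two Rust `RUN` steps of docker/imageflow_build_ubuntu16/Dockerfile is pinned or verified: `curl https://sh.rustup.rs -sSf | sh` executes whatever the server returns (and without `pipefail` a failed download can still leave `sh` exiting 0), `RUSTVER="stable"` floats, and `cargo install --git=https://github.com/mozilla/sccache.git` builds the tip of the default branch. For an image that compiles release artifacts this makes builds unreproducible and lets an upstream compromise flow straight into the toolchain and the compiler cache wrapper. Suggest pinning with placeholders filled in, e.g. `cargo install --force --git=https://github.com/mozilla/sccache.git --rev PINNED_COMMIT_SHA --features=s3` and `cargo install dssim --version PINNED_VERSION --locked`, setting `RUSTVER` to a fixed release, and downloading rustup-init to a file and checking its sha256 before running it. The same steps appear in the ubuntu14, ubuntu16_debug, ubuntu18 and ubuntu18_debug Dockerfiles, and all of them start from a floating base tag such as `ubuntu:xenial`.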
diff --git a/docker/imageflow_build_ubuntu16/build.sh b/docker/imageflow_build_ubuntu16/build.sh new file mode 100644 index 000000000..35f1b2203 --- /dev/null +++ b/docker/imageflow_build_ubuntu16/build.sh @@ -0,0 +1,24 @@ +#!/bin/bash +set -e + +#export EXTRA_DOCKER_BUILD_PARAMS=--no-cache + + +# For os x convenience +if [[ "$(uname -s)" == 'Darwin' ]]; then + eval "$(docker-machine env default)" +fi + +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +IMAGE_NAME="$(basename "${SCRIPT_DIR}")" + + +set -x + +# shellcheck disable=SC2086 +docker build ${EXTRA_DOCKER_BUILD_PARAMS} -t "imazen/${IMAGE_NAME}" "${SCRIPT_DIR}" + +docker history "imazen/${IMAGE_NAME}" + +docker run "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M' + diff --git a/docker/imageflow_build_ubuntu16/rebuild.sh b/docker/imageflow_build_ubuntu16/rebuild.sh new file mode 100644 index 000000000..f24aee963 --- /dev/null +++ b/docker/imageflow_build_ubuntu16/rebuild.sh @@ -0,0 +1,4 @@ +#!/bin/bash +set -e + +EXTRA_DOCKER_BUILD_PARAMS="--no-cache" ./build.sh \ No newline at end of file diff --git a/docker/imageflow_build_ubuntu16_debug/Dockerfile b/docker/imageflow_build_ubuntu16_debug/Dockerfile new file mode 100644 index 000000000..e49ca7968 --- /dev/null +++ b/docker/imageflow_build_ubuntu16_debug/Dockerfile 
@@ -0,0 +1,106 @@
+FROM ubuntu:xenial
+
+RUN apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y \
+ sudo build-essential nasm dh-autoreconf pkg-config ca-certificates gnupg \
+ git zip curl libpng-dev libssl-dev wget libc6-dbg \
+ libcurl4-openssl-dev libelf-dev libdw-dev apt-transport-https \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /tmp/*' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+
+RUN wget -q https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb \
+ && sudo dpkg -i packages-microsoft-prod.deb \
+ && apt-get update \
+ && apt-get install --no-install-recommends -y \
+ ruby-dev ruby-bundler rubygems-integration \
+ luajit \
+ python-minimal python-pip python-setuptools \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /tmp/* || true' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+
+#dotnet-sdk-2.1.200 \
+
+# Install CMake 3.4.1 (minimal)
+# Mirrored for speed from https://cmake.org/files/v3.4/cmake-3.4.1-Linux-x86_64.tar.gz
+RUN wget -nv https://s3.amazonaws.com/public-unit-test-resources/cmake-3.4.1-Linux-x86_64.tar.gz \
+ && tar -xzf cmake-3.4.1-Linux-x86_64.tar.gz \
+ && cp cmake-3.4.1-Linux-x86_64/bin/cmake /usr/bin/cmake \
+ && cp cmake-3.4.1-Linux-x86_64/bin/ctest /usr/bin/ctest \
+ && cp -fR cmake-3.4.1-Linux-x86_64/share/* /usr/share \
+ && rm -rf cmake-3.4.1-Linux-x86_64 && rm cmake-3.4.1-Linux-x86_64.tar.gz
+
+# Install lcov and coveralls-lcov
+RUN wget -nv -O lcov.tar.gz http://ftp.de.debian.org/debian/pool/main/l/lcov/lcov_1.11.orig.tar.gz \
+ && tar xvzf lcov.tar.gz && rm lcov.tar.gz && mv lcov-1.11 lcov \
+ && sudo make -C lcov/ install \
+ && rm -rf lcov && rm -rf /usr/share/man \
+ && sudo gem install coveralls-lcov
+
+# Install kcov
+RUN wget -nv -O kcov.tar.gz https://github.com/SimonKagstrom/kcov/archive/master.tar.gz \
+ && tar xvzf kcov.tar.gz && rm kcov.tar.gz && mv kcov-master kcov \
+ && mkdir kcov/build && cd kcov/build \
+ && cmake .. && make && sudo make install \
+ && cd ../.. && rm -rf kcov && rm -rf /usr/local/share/man
+
+
+# 3.12 fixes the bug when running against anything linked to openssl
+RUN VALGRIND_VER="valgrind-3.12.0" \
+ && wget -nv http://valgrind.org/downloads/${VALGRIND_VER}.tar.bz2 \
+ && tar -vxjf ${VALGRIND_VER}.tar.bz2 && rm ${VALGRIND_VER}.tar.* \
+ && cd "${VALGRIND_VER}" && ./configure && make install \
+ && cd .. && rm -rf "${VALGRIND_VER}" \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /usr/lib/valgrind/*-x86-*' \
+ && bash -c 'rm -rf /usr/local/lib/valgrind/*-x86-*' \
+ && bash -c 'rm -rf /usr/lib/valgrind/{power,mips,s390,arm,32bit,i386}*' \
+ && bash -c 'rm -rf /usr/local/lib/valgrind/{power,mips,s390,arm,32bit,i386}*' \
+ && bash -c 'rm -rf /tmp/* || true' \
+ && bash -c 'rm -rf /var/tmp/*'
+
+
+RUN groupadd 1001 -g 1001 &&\
+ groupadd 1000 -g 1000 &&\
+ useradd -ms /bin/bash imageflow -g 1001 -G 1000 &&\
+ echo "imageflow:imageflow" | chpasswd && adduser imageflow sudo &&\
+ echo "imageflow ALL= NOPASSWD: ALL\n" >> /etc/sudoers
+
+USER imageflow
+
+ENV PATH=/home/imageflow/.cargo/bin:$PATH
+
+
+#Install beta Rust and make default
+RUN RUSTVER="stable" && curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $RUSTVER -v \
+ && rustup default $RUSTVER \
+ && HI=$(rustup which rustc) && HI=${HI%/bin/rustc} && export TOOLCHAIN_DIR=$HI && echo TOOLCHAIN_DIR=$TOOLCHAIN_DIR \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/doc \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/man \
+ && sudo rm -rf /home/conan/.multirust/toolchains/${RUSTVER}-x86_64-unknown-linux-gnu/share/doc \
+ && ln -sf -t $TOOLCHAIN_DIR/lib/ $TOOLCHAIN_DIR/lib/rustlib/x86_64-unknown-linux-gnu/lib/*.so \
+ && rustup show \
+ && rustc -V
+
+RUN PKG_CONFIG_ALL_STATIC=1 cargo install --force --git=https://github.com/mozilla/sccache.git --features=s3 \
+ && PKG_CONFIG_ALL_STATIC=1 cargo install dssim
+
+MAINTAINER Lilith River
+
+WORKDIR /home/imageflow/imageflow
\ No newline at end of file
diff --git a/docker/imageflow_build_ubuntu16_debug/build.sh b/docker/imageflow_build_ubuntu16_debug/build.sh
new file mode 100644
index 000000000..35f1b2203
--- /dev/null
+++ b/docker/imageflow_build_ubuntu16_debug/build.sh
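Review bot: The lcov and valgrind tarballs in docker/imageflow_build_ubuntu16_debug/Dockerfile are fetched over plain `http://` (ftp.de.debian.org, valgrind.org) with no checksum and are then built and installed as root with `sudo make -C lcov/ install` and `make install`, so anything able to alter traffic on the build host's network path can substitute the source. The CMake mirror on S3 and `kcov/archive/master.tar.gz` use HTTPS but are equally unverified, and the kcov URL tracks a moving branch. Suggest following each `wget` with a digest check such as `echo "EXPECTED_SHA256  lcov.tar.gz" | sha256sum -c -` (placeholder digest, one per tarball) and replacing `master` with a release tag or commit. The lcov and kcov steps are repeated unchanged in the imageflow_build_ubuntu18_debug Dockerfile. Minor: the comment `#Install beta Rust and make default` sits above `RUSTVER="stable"`.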
@@ -0,0 +1,24 @@ +#!/bin/bash +set -e + +#export EXTRA_DOCKER_BUILD_PARAMS=--no-cache + + +# For os x convenience +if [[ "$(uname -s)" == 'Darwin' ]]; then + eval "$(docker-machine env default)" +fi + +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +IMAGE_NAME="$(basename "${SCRIPT_DIR}")" + + +set -x + +# shellcheck disable=SC2086 +docker build ${EXTRA_DOCKER_BUILD_PARAMS} -t "imazen/${IMAGE_NAME}" "${SCRIPT_DIR}" + +docker history "imazen/${IMAGE_NAME}" + +docker run "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M' + diff --git a/docker/imageflow_build_ubuntu16_debug/rebuild.sh b/docker/imageflow_build_ubuntu16_debug/rebuild.sh new file mode 100644 index 000000000..f24aee963 --- /dev/null +++ b/docker/imageflow_build_ubuntu16_debug/rebuild.sh @@ -0,0 +1,4 @@ +#!/bin/bash +set -e + +EXTRA_DOCKER_BUILD_PARAMS="--no-cache" ./build.sh \ No newline at end of file diff --git a/docker/imageflow_build_ubuntu18/Dockerfile b/docker/imageflow_build_ubuntu18/Dockerfile new file mode 100644 index 000000000..c94d0f0fd --- /dev/null +++ b/docker/imageflow_build_ubuntu18/Dockerfile 
@@ -0,0 +1,54 @@
+FROM ubuntu:18.04
+
+# libpng-dev is required for libpng-sys crate
+# libssl-dev and pkg-config are required for SSL support
+# nasm is required for libjpeg-turbo
+
+RUN apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y \
+ sudo build-essential nasm dh-autoreconf pkg-config \
+ git zip curl libpng-dev libssl-dev wget \
+ libcurl4-openssl-dev libelf-dev libdw-dev \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /usr/local/lib/valgrind/*-x86-*' \
+ && bash -c 'rm -rf /usr/lib/valgrind/{power,mips,s390,arm,32bit,i386}*' \
+ && bash -c 'rm -rf /usr/local/lib/valgrind/{power,mips,s390,arm,32bit,i386}*' \
+ && bash -c 'rm -rf /tmp/* || true' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+RUN groupadd 1001 -g 1001 &&\
+ groupadd 1000 -g 1000 &&\
+ useradd -ms /bin/bash imageflow -g 1001 -G 1000 &&\
+ echo "imageflow:imageflow" | chpasswd && adduser imageflow sudo &&\
+ echo "imageflow ALL= NOPASSWD: ALL\n" >> /etc/sudoers
+
+USER imageflow
+
+ENV PATH=/home/imageflow/.cargo/bin:$PATH
+
+#Install stable Rust and make default
+RUN RUSTVER="stable" && curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $RUSTVER -v \
+ && rustup default $RUSTVER \
+ && HI=$(rustup which rustc) && HI=${HI%/bin/rustc} && export TOOLCHAIN_DIR=$HI && echo TOOLCHAIN_DIR=$TOOLCHAIN_DIR \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/doc \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/man \
+ && sudo rm -rf /home/conan/.rustup/toolchains/${RUSTVER}-x86_64-unknown-linux-gnu/share/doc \
+ && ln -sf -t $TOOLCHAIN_DIR/lib/ $TOOLCHAIN_DIR/lib/rustlib/x86_64-unknown-linux-gnu/lib/*.so \
+ && rustup show \
+ && rustc -V
+
+RUN PKG_CONFIG_ALL_STATIC=1 cargo install --force --git=https://github.com/mozilla/sccache.git --features=s3 \
+ && PKG_CONFIG_ALL_STATIC=1 cargo install dssim \
+ && rm -rf ~/.cargo/registry
+
+WORKDIR /home/imageflow/imageflow
+
+
+MAINTAINER Lilith River
\ No newline at end of file
diff --git a/docker/imageflow_build_ubuntu18/build.sh b/docker/imageflow_build_ubuntu18/build.sh
new file mode 100644
index 000000000..35f1b2203
--- /dev/null
+++ b/docker/imageflow_build_ubuntu18/build.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+#export EXTRA_DOCKER_BUILD_PARAMS=--no-cache
+
+
+# For os x convenience
+if [[ "$(uname -s)" == 'Darwin' ]]; then
+ eval "$(docker-machine env default)"
+fi
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+IMAGE_NAME="$(basename "${SCRIPT_DIR}")"
+
+
+set -x
+
+# shellcheck disable=SC2086
+docker build ${EXTRA_DOCKER_BUILD_PARAMS} -t "imazen/${IMAGE_NAME}" "${SCRIPT_DIR}"
+
+docker history "imazen/${IMAGE_NAME}"
+
+docker run "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M'
+
diff --git a/docker/imageflow_build_ubuntu18/rebuild.sh b/docker/imageflow_build_ubuntu18/rebuild.sh
new file mode 100644
index 000000000..f24aee963
--- /dev/null
+++ b/docker/imageflow_build_ubuntu18/rebuild.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+EXTRA_DOCKER_BUILD_PARAMS="--no-cache" ./build.sh
\ No newline at end of file
diff --git a/docker/imageflow_build_ubuntu18_debug/Dockerfile b/docker/imageflow_build_ubuntu18_debug/Dockerfile
new file mode 100644
index 000000000..c2ceee25b
--- /dev/null
+++ b/docker/imageflow_build_ubuntu18_debug/Dockerfile
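Review bot: The apt package list in docker/imageflow_build_ubuntu18/Dockerfile omits `ca-certificates`, which every other Dockerfile in this commit installs explicitly; with `--no-install-recommends` it is probably not pulled in indirectly, and then `curl https://sh.rustup.rs` and the `cargo install --git=https://...` step have no trust store to validate TLS against. Please add it to the list, e.g. `git zip curl libpng-dev libssl-dev wget ca-certificates \`, rather than working around a later failure by disabling certificate verification. The three `rm -rf .../valgrind/...` lines also look copied from the debug image, since valgrind is not installed here.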
@@ -0,0 +1,82 @@
+FROM ubuntu:bionic
+
+RUN apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y \
+ sudo build-essential nasm dh-autoreconf pkg-config ca-certificates gnupg \
+ git zip curl libpng-dev libssl-dev wget libc6-dbg \
+ libcurl4-openssl-dev libelf-dev libdw-dev apt-transport-https \
+ cmake valgrind \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /tmp/*' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+
+RUN wget -q https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb \
+ && sudo dpkg -i packages-microsoft-prod.deb \
+ && apt-get update \
+ && apt-get install --no-install-recommends -y \
+ ruby-dev ruby-bundler rubygems-integration \
+ luajit \
+ python-minimal python-pip python-setuptools \
+ && apt-get clean -y \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && bash -c 'rm -rf {/usr/share/doc,/usr/share/man,/var/cache,/usr/doc,/usr/local/share/doc,/usr/local/share/man}' \
+ && bash -c 'rm -rf /tmp/* || true' \
+ && bash -c 'rm -rf /var/tmp/*' \
+ && sudo mkdir -p /var/cache/apt/archives/partial \
+ && sudo touch /var/cache/apt/archives/lock \
+ && sudo chmod 640 /var/cache/apt/archives/lock
+
+
+
+# Install lcov and coveralls-lcov
+RUN wget -nv -O lcov.tar.gz http://ftp.de.debian.org/debian/pool/main/l/lcov/lcov_1.11.orig.tar.gz \
+ && tar xvzf lcov.tar.gz && rm lcov.tar.gz && mv lcov-1.11 lcov \
+ && sudo make -C lcov/ install \
+ && rm -rf lcov && rm -rf /usr/share/man \
+ && sudo gem install coveralls-lcov
+
+# Install kcov
+RUN wget -nv -O kcov.tar.gz https://github.com/SimonKagstrom/kcov/archive/master.tar.gz \
+ && tar xvzf kcov.tar.gz && rm
kcov.tar.gz && mv kcov-master kcov \
+ && mkdir kcov/build && cd kcov/build \
+ && cmake .. && make && sudo make install \
+ && cd ../.. && rm -rf kcov && rm -rf /usr/local/share/man
+
+
+RUN groupadd 1001 -g 1001 &&\
+ groupadd 1000 -g 1000 &&\
+ useradd -ms /bin/bash imageflow -g 1001 -G 1000 &&\
+ echo "imageflow:imageflow" | chpasswd && adduser imageflow sudo &&\
+ echo "imageflow ALL= NOPASSWD: ALL\n" >> /etc/sudoers
+
+USER imageflow
+
+ENV PATH=/home/imageflow/.cargo/bin:$PATH
+
+
+#Install stable Rust and make default
+RUN RUSTVER="stable" && curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $RUSTVER -v \
+ && rustup default $RUSTVER \
+ && HI=$(rustup which rustc) && HI=${HI%/bin/rustc} && export TOOLCHAIN_DIR=$HI && echo TOOLCHAIN_DIR=$TOOLCHAIN_DIR \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/doc \
+ && sudo rm -rf $TOOLCHAIN_DIR/share/man \
+ && sudo rm -rf /home/conan/.multirust/toolchains/${RUSTVER}-x86_64-unknown-linux-gnu/share/doc \
+ && ln -sf -t $TOOLCHAIN_DIR/lib/ $TOOLCHAIN_DIR/lib/rustlib/x86_64-unknown-linux-gnu/lib/*.so \
+ && rustup show \
+ && rustc -V
+
+RUN PKG_CONFIG_ALL_STATIC=1 cargo install --force --git=https://github.com/mozilla/sccache.git --features=s3 \
+ && PKG_CONFIG_ALL_STATIC=1 cargo install dssim
+
+MAINTAINER Lilith River
+
+WORKDIR /home/imageflow/imageflow
diff --git a/docker/imageflow_build_ubuntu18_debug/build.sh b/docker/imageflow_build_ubuntu18_debug/build.sh
new file mode 100644
index 000000000..35f1b2203
--- /dev/null
+++ b/docker/imageflow_build_ubuntu18_debug/build.sh
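Review bot: The lcov step in the debug Dockerfile downloads `lcov_1.11.orig.tar.gz` over plain `http://` and then runs `sudo make -C lcov/ install` on it with no checksum, so whoever can alter that response controls code executed as root while the image is built. Fetch it over HTTPS and check a recorded digest before unpacking, e.g. `echo "<SHA256_OF_LCOV_TARBALL>  lcov.tar.gz" | sha256sum -c -` (placeholder digest). The kcov step builds `archive/master.tar.gz`, which changes with every upstream commit; a tag or commit archive plus a digest would make the result reproducible. `packages-microsoft-prod.deb` is installed with `dpkg -i` unverified, is the `ubuntu/16.04` package on a bionic base, is never removed from the layer, and no package from that repository appears in the visible install list. The rustup and `cargo install --git` steps, here and in the ubuntu18 build Dockerfile earlier in this diff, also float (`stable`, default branch) and would benefit from an exact toolchain version and `--rev <COMMIT_SHA> --locked`.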
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+#export EXTRA_DOCKER_BUILD_PARAMS=--no-cache
+
+
+# For os x convenience
+if [[ "$(uname -s)" == 'Darwin' ]]; then
+ eval "$(docker-machine env default)"
+fi
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+IMAGE_NAME="$(basename "${SCRIPT_DIR}")"
+
+
+set -x
+
+# shellcheck disable=SC2086
+docker build ${EXTRA_DOCKER_BUILD_PARAMS} -t "imazen/${IMAGE_NAME}" "${SCRIPT_DIR}"
+
+docker history "imazen/${IMAGE_NAME}"
+
+docker run "imazen/${IMAGE_NAME}" du -h / | grep '[0-9\.]\+M'
+
diff --git a/docker/imageflow_build_ubuntu18_debug/rebuild.sh b/docker/imageflow_build_ubuntu18_debug/rebuild.sh
new file mode 100644
index 000000000..f24aee963
--- /dev/null
+++ b/docker/imageflow_build_ubuntu18_debug/rebuild.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+EXTRA_DOCKER_BUILD_PARAMS="--no-cache" ./build.sh
\ No newline at end of file
diff --git a/ci/docker/hub/nightly_unsecured/Dockerfile b/docker/imageflow_server_unsecured/Dockerfile
similarity index 86%
rename from ci/docker/hub/nightly_unsecured/Dockerfile
rename to docker/imageflow_server_unsecured/Dockerfile
index 03b44a26e..3d5c1a78f 100644
--- a/ci/docker/hub/nightly_unsecured/Dockerfile
+++ b/docker/imageflow_server_unsecured/Dockerfile
@@ -1,6 +1,6 @@ FROM imazen/imageflow_base_os -MAINTAINER Nathanael Jones +MAINTAINER Lilith River ARG SOURCE_COMMIT ARG DOCKER_TAG
@@ -8,7 +8,7 @@ ARG DOCKER_TAG RUN if [ -z "${SOURCE_COMMIT}" ]; then echo "SOURCE_COMMIT not set; exiting" && exit 1; else echo "SOURCE_COMMIT=${SOURCE_COMMIT}"; fi -RUN mkdir nightly && cd nightly && wget -nv -O ifs.tar.gz https://s3-us-west-1.amazonaws.com/imageflow-nightlies/commits/${SOURCE_COMMIT}/linux64_sandybridge_glibc223.tar.gz \ +RUN mkdir nightly && cd nightly && wget -nv -O ifs.tar.gz https://s3-us-west-1.amazonaws.com/imageflow-nightlies/commits/${SOURCE_COMMIT}/linux64_glibc227.tar.gz \ && tar xvzf ifs.tar.gz && mv ./imageflow_server ../ && cd .. && rm -rf nightly EXPOSE 39876
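Review bot: The changed `RUN` line in docker/imageflow_server_unsecured/Dockerfile fetches `linux64_glibc227.tar.gz` and moves `imageflow_server` out of it without checking the archive against any digest or signature, so the image trusts whatever the bucket serves for that commit path. Consider passing the expected digest as a build argument next to `SOURCE_COMMIT` and failing the build on mismatch, e.g. `echo "${IFS_SHA256}  ifs.tar.gz" | sha256sum -c -` before `tar xvzf` (`IFS_SHA256` is a name made up for this note). The archive name no longer says `sandybridge`, while the README in this directory still states the binary is compiled for Sandy Bridge and higher, so one of the two probably needs updating. docker/imageflow_tool/Dockerfile has the same download step.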
diff --git a/ci/docker/hub/nightly_unsecured/README.md b/docker/imageflow_server_unsecured/README.md similarity index 97% rename from ci/docker/hub/nightly_unsecured/README.md rename to docker/imageflow_server_unsecured/README.md index b79723440..9406c35df 100644 --- a/ci/docker/hub/nightly_unsecured/README.md +++ b/docker/imageflow_server_unsecured/README.md 
@@ -1,47 +1,47 @@ - -## imageflow_server_unsecured - -No HTTPS support, no TLS, no NGINX proxy. Just imageflow_server, that's it. Compiled for Sandy Bridge and higher architectures - -Starts the demo server by default on port 39876 - - -``` -$imageflow_server help start - -Start HTTP server - -USAGE: - imageflow_server start [FLAGS] [OPTIONS] --mount ... --data-dir - -FLAGS: - --demo Start demo server (on localhost:39876 by default) with mounts /ir4/proxy/unsplash -> http://images.unsplash.com/ - -h, --help Prints help information - -V, --version Prints version information - -OPTIONS: - --bind-address The IPv4 or IPv6 address to bind to (or the hostname, like localhost). 0.0.0.0 binds to all addresses. [default: - localhost] - --data-dir An existing directory for logging and caching - --mount ... Serve images from the given location using the provided API, e.g --mount "/prefix/:ir4_local:./{}" --mount - "/extern/:ir4_http:http:://domain.com/{}" - Escape colons by doubling, e.g. http:// -> http::// - -p, --port Set the port that the server will listen on [default: 39876] -``` - - -``` -$imageflow_server help diagnose - -imageflow_server-diagnose -Diagnostic utilities - -USAGE: - imageflow_server diagnose [FLAGS] - -FLAGS: - --call-panic Triggers a Rust panic (so you can observe failure/backtrace behavior) - -h, --help Prints help information - --show-compilation-info Show all the information stored in this executable about the environment in which it was compiled. - -V, --version Prints version information + +## imageflow_server_unsecured + +No HTTPS support, no TLS, no NGINX proxy. Just imageflow_server, that's it. Compiled for Sandy Bridge and higher architectures + +Starts the demo server by default on port 39876 + + +``` +$imageflow_server help start + +Start HTTP server + +USAGE: + imageflow_server start [FLAGS] [OPTIONS] --mount ... 
--data-dir + +FLAGS: + --demo Start demo server (on localhost:39876 by default) with mounts /ir4/proxy/unsplash -> http://images.unsplash.com/ + -h, --help Prints help information + -V, --version Prints version information + +OPTIONS: + --bind-address The IPv4 or IPv6 address to bind to (or the hostname, like localhost). 0.0.0.0 binds to all addresses. [default: + localhost] + --data-dir An existing directory for logging and caching + --mount ... Serve images from the given location using the provided API, e.g --mount "/prefix/:ir4_local:./{}" --mount + "/extern/:ir4_http:http:://domain.com/{}" + Escape colons by doubling, e.g. http:// -> http::// + -p, --port Set the port that the server will listen on [default: 39876] +``` + + +``` +$imageflow_server help diagnose + +imageflow_server-diagnose +Diagnostic utilities + +USAGE: + imageflow_server diagnose [FLAGS] + +FLAGS: + --call-panic Triggers a Rust panic (so you can observe failure/backtrace behavior) + -h, --help Prints help information + --show-compilation-info Show all the information stored in this executable about the environment in which it was compiled. + -V, --version Prints version information ``` \ No newline at end of file diff --git a/ci/docker/hub/nightly_unsecured/docker-compose.yml b/docker/imageflow_server_unsecured/docker-compose.yml similarity index 100% rename from ci/docker/hub/nightly_unsecured/docker-compose.yml rename to docker/imageflow_server_unsecured/docker-compose.yml diff --git a/ci/docker/hub/nightly_unsecured/hooks/build b/docker/imageflow_server_unsecured/hooks/build old mode 100755 new mode 100644 similarity index 96% rename from ci/docker/hub/nightly_unsecured/hooks/build rename to docker/imageflow_server_unsecured/hooks/build index 0ef573e19..b609f3ab5 --- a/ci/docker/hub/nightly_unsecured/hooks/build +++ b/docker/imageflow_server_unsecured/hooks/build 
@@ -1,14 +1,14 @@ -#!/bin/bash - -echo "SOURCE_COMMIT: $SOURCE_COMMIT" - -if [[ -z "$SOURCE_COMMIT" ]]; then - export SOURCE_COMMIT="${SOURCE_COMMIT:-$(git rev-parse HEAD)}" - echo "Updating SOURCE_COMMIT from git rev-parse HEAD" - echo "SOURCE_COMMIT: $SOURCE_COMMIT" -fi - - -echo "DOCKER_TAG: $DOCKER_TAG" - +#!/bin/bash + +echo "SOURCE_COMMIT: $SOURCE_COMMIT" + +if [[ -z "$SOURCE_COMMIT" ]]; then + export SOURCE_COMMIT="${SOURCE_COMMIT:-$(git rev-parse HEAD)}" + echo "Updating SOURCE_COMMIT from git rev-parse HEAD" + echo "SOURCE_COMMIT: $SOURCE_COMMIT" +fi + + +echo "DOCKER_TAG: $DOCKER_TAG" + docker build -t "$IMAGE_NAME" --build-arg "SOURCE_COMMIT=$SOURCE_COMMIT" --build-arg "DOCKER_TAG=$DOCKER_TAG" . \ No newline at end of file diff --git a/ci/docker/hub/nightly_unsecured/unsecured_stackfile.yaml b/docker/imageflow_server_unsecured/unsecured_stackfile.yaml similarity index 97% rename from ci/docker/hub/nightly_unsecured/unsecured_stackfile.yaml rename to docker/imageflow_server_unsecured/unsecured_stackfile.yaml index a97df59fc..ddb80eaef 100644 --- a/ci/docker/hub/nightly_unsecured/unsecured_stackfile.yaml +++ b/docker/imageflow_server_unsecured/unsecured_stackfile.yaml 
@@ -1,14 +1,14 @@ -imageflow-raw: - autoredeploy: true - entrypoint: '/bin/bash -c "sudo chown -R imageflow /home/imageflow/ && sync && /home/imageflow/imageflow_server --version && /home/imageflow/imageflow_server diagnose --smoke-test-core && cat /proc/cpuinfo && /home/imageflow/imageflow_server start --demo --bind-address 0.0.0.0 --port 3000 --data-dir /home/imageflow/data/"' - environment: - - RUST_BACKTRACE=1 - image: 'imazen/imageflow_server_unsecured:latest' - ports: - - '3000:3000' - privileged: true - restart: always - roles: - - global - volumes: +imageflow-raw: + autoredeploy: true + entrypoint: '/bin/bash -c "sudo chown -R imageflow /home/imageflow/ && sync && /home/imageflow/imageflow_server --version && /home/imageflow/imageflow_server diagnose --smoke-test-core && cat /proc/cpuinfo && /home/imageflow/imageflow_server start --demo --bind-address 0.0.0.0 --port 3000 --data-dir /home/imageflow/data/"' + environment: + - RUST_BACKTRACE=1 + image: 'imazen/imageflow_server_unsecured:latest' + ports: + - '3000:3000' + privileged: true + restart: always + roles: + - global + volumes: - '/mnt/imageflow/server_data:/home/imageflow/data' \ No newline at end of file diff --git a/ci/docker/hub/tool/Dockerfile b/docker/imageflow_tool/Dockerfile similarity index 70% rename from ci/docker/hub/tool/Dockerfile rename to docker/imageflow_tool/Dockerfile index f2f9ba1fd..6c1c66632 100644 --- a/ci/docker/hub/tool/Dockerfile +++ b/docker/imageflow_tool/Dockerfile 
@@ -1,14 +1,14 @@ FROM imazen/imageflow_base_os -MAINTAINER Nathanael Jones +MAINTAINER Lilith River ARG SOURCE_COMMIT ARG DOCKER_TAG -RUN if [ -z "${SOURCE_COMMIT}" ]; then echo "SOURCE_COMMIT not set; exiting" && exit 1; else echo "SOURCE_COMMIT=${SOURCE_COMMIT}"; fi +RUN if [ -z "${SOURCE_COMMIT}" ]; then echo "SOURCE_COMMIT not set - should be $(git rev-parse HEAD). Exiting." && exit 1; else echo "SOURCE_COMMIT=${SOURCE_COMMIT}"; fi -RUN mkdir nightly && cd nightly && wget -nv -O ifs.tar.gz https://s3-us-west-1.amazonaws.com/imageflow-nightlies/commits/${SOURCE_COMMIT}/linux64_sandybridge_glibc223.tar.gz \ +RUN mkdir nightly && cd nightly && wget -nv -O ifs.tar.gz https://s3-us-west-1.amazonaws.com/imageflow-nightlies/commits/${SOURCE_COMMIT}/linux64_glibc227.tar.gz \ && tar xvzf ifs.tar.gz && mv ./imageflow_tool ../ && cd .. && rm -rf nightly diff --git a/ci/docker/hub/tool/README.md b/docker/imageflow_tool/README.md similarity index 86% rename from ci/docker/hub/tool/README.md rename to docker/imageflow_tool/README.md index 0d3545b53..0f4d02f9f 100644 --- a/ci/docker/hub/tool/README.md +++ b/docker/imageflow_tool/README.md @@ -1,3 +1,3 @@ - -## imageflow_tool - + +## imageflow_tool + diff --git a/ci/docker/hub/tool/hooks/build b/docker/imageflow_tool/hooks/build old mode 100755 new mode 100644 similarity index 96% rename from ci/docker/hub/tool/hooks/build rename to docker/imageflow_tool/hooks/build index 0e7de084d..2cb616d0a --- a/ci/docker/hub/tool/hooks/build +++ b/docker/imageflow_tool/hooks/build 
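Review bot: In the new error message of docker/imageflow_tool/Dockerfile, `$(git rev-parse HEAD)` sits inside double quotes in a shell-form `RUN`, so the shell in the build container executes it when the check fails instead of printing it as a hint. There is probably no repository (and possibly no git) in that working directory, in which case the message would show an empty value alongside a git error. Escape it or use single quotes so the text is printed literally, e.g. `echo 'SOURCE_COMMIT not set - should be $(git rev-parse HEAD). Exiting.'`. The archive fetched on the next changed line is also extracted without a digest check.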
@@ -1,14 +1,14 @@ -#!/bin/bash - -echo "SOURCE_COMMIT: $SOURCE_COMMIT" - -if [[ -z "$SOURCE_COMMIT" ]]; then - export SOURCE_COMMIT="${SOURCE_COMMIT:-$(git rev-parse HEAD)}" - echo "Updating SOURCE_COMMIT from git rev-parse HEAD" - echo "SOURCE_COMMIT: $SOURCE_COMMIT" -fi - - -echo "DOCKER_TAG: $DOCKER_TAG" - -docker build -t "$IMAGE_NAME" --build-arg "SOURCE_COMMIT=$SOURCE_COMMIT" --build-arg "DOCKER_TAG=$DOCKER_TAG" . +#!/bin/bash + +echo "SOURCE_COMMIT: $SOURCE_COMMIT" + +if [[ -z "$SOURCE_COMMIT" ]]; then + export SOURCE_COMMIT="${SOURCE_COMMIT:-$(git rev-parse HEAD)}" + echo "Updating SOURCE_COMMIT from git rev-parse HEAD" + echo "SOURCE_COMMIT: $SOURCE_COMMIT" +fi + + +echo "DOCKER_TAG: $DOCKER_TAG" + +docker build -t "$IMAGE_NAME" --build-arg "SOURCE_COMMIT=$SOURCE_COMMIT" --build-arg "DOCKER_TAG=$DOCKER_TAG" . diff --git a/ci/docker/hub/proxied/README.md b/docker/proxied_stack/README.md similarity index 97% rename from ci/docker/hub/proxied/README.md rename to docker/proxied_stack/README.md index 7908a4f97..fe388eb4a 100644 --- a/ci/docker/hub/proxied/README.md +++ b/docker/proxied_stack/README.md @@ -1,5 +1,5 @@ -https://louisking.xyz/blog/2016/02/21/docker-cloud-nginx.html - -https://blog.switchbit.io/developing-a-ghost-theme-with-gulp-part-5/ - -Switch to https://acme-v01.api.letsencrypt.org/directory after testing. Don't hit the rate limit +https://louisking.xyz/blog/2016/02/21/docker-cloud-nginx.html + +https://blog.switchbit.io/developing-a-ghost-theme-with-gulp-part-5/ + +Switch to https://acme-v01.api.letsencrypt.org/directory after testing. Don't hit the rate limit diff --git a/ci/docker/hub/proxied/config_only_image/Dockerfile b/docker/proxied_stack/config_only_image/Dockerfile similarity index 100% rename from ci/docker/hub/proxied/config_only_image/Dockerfile rename to docker/proxied_stack/config_only_image/Dockerfile 
diff --git a/ci/docker/hub/proxied/config_only_image/README.md b/docker/proxied_stack/config_only_image/README.md similarity index 97% rename from ci/docker/hub/proxied/config_only_image/README.md rename to docker/proxied_stack/config_only_image/README.md index 1ea2c76ee..6a173d48b 100644 --- a/ci/docker/hub/proxied/config_only_image/README.md +++ b/docker/proxied_stack/config_only_image/README.md @@ -1,4 +1,4 @@ - -Just static files for configuration - + +Just static files for configuration + `docker build -t "imazen/nginx_template" . && docker push imazen/nginx_template` \ No newline at end of file diff --git a/ci/docker/hub/proxied/config_only_image/push.sh b/docker/proxied_stack/config_only_image/push.sh old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/config_only_image/push.sh rename to docker/proxied_stack/config_only_image/push.sh diff --git a/ci/docker/hub/proxied/config_only_image/templates/nginx.tmpl b/docker/proxied_stack/config_only_image/templates/nginx.tmpl similarity index 97% rename from ci/docker/hub/proxied/config_only_image/templates/nginx.tmpl rename to docker/proxied_stack/config_only_image/templates/nginx.tmpl index 6f5fbfb96..25b85d3ff 100644 --- a/ci/docker/hub/proxied/config_only_image/templates/nginx.tmpl +++ b/docker/proxied_stack/config_only_image/templates/nginx.tmpl 
@@ -1,244 +1,244 @@ -{{ define "upstream" }} - {{ if .Address }} - {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} - {{ if and .Container.Node.ID .Address.HostPort }} - # {{ .Container.Node.Name }}/{{ .Container.Name }} - server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }}; - {{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} - {{ else }} - # {{ .Container.Name }} - server {{ .Address.IP }}:{{ .Address.Port }}; - {{ end }} - {{ else }} - # {{ .Container.Name }} - server {{ .Container.IP }} down; - {{ end }} -{{ end }} - -server_names_hash_bucket_size 64; - -# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the -# scheme used to connect to this server -map $http_x_forwarded_proto $proxy_x_forwarded_proto { - default $http_x_forwarded_proto; - '' $scheme; -} - -# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any -# Connection header that may have been passed to this server -map $http_upgrade $proxy_connection { - default upgrade; - '' close; -} - -gzip_proxied expired no-cache no-store private auth; -gzip on; -gzip_types text/plain text/css application/json application/javascript text/xml application/xml -application/xml+rss text/javascripti image/svg+xml application/vnd.ms-fontobject -application/x-woff; - -log_format vhost '$host $remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - -access_log off; - -# Use webp where supported -map $http_accept $webp_suffix { - default ""; - "~*webp" ".webp"; -} - -{{ if (exists "/etc/nginx/proxy.conf") }} -include /etc/nginx/proxy.conf; -{{ else }} -# HTTP 1.1 support -proxy_http_version 1.1; -proxy_buffering on; -proxy_set_header Host $http_host; -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection $proxy_connection; -proxy_set_header X-Real-IP $remote_addr; 
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; -{{ end }} - -server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. - listen 80; - access_log /var/log/nginx/access.log vhost; - return 503; -} - -{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} -server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. - listen 443 ssl http2; - access_log /var/log/nginx/access.log vhost; - return 503; - - ssl_certificate /etc/nginx/certs/default.crt; - ssl_certificate_key /etc/nginx/certs/default.key; -} -{{ end }} - -{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} - -upstream {{ $host }} { - -{{ range $index, $value := $containers }} - - {{ $addrLen := len $value.Addresses }} - - {{/* If a VIRTUAL_NETWORK is specified use use its IP */}} - {{ if $value.Env.VIRTUAL_NETWORK }} - {{ range $i, $network := $value.Networks }} - {{ if eq $network.Name $value.Env.VIRTUAL_NETWORK }} - # Container: {{$value.Name}}@{{$network.Name}} - server {{ $network.IP }}:{{ $value.Env.VIRTUAL_PORT }}; - {{ end }} - {{ end }} - - {{/* If only 1 port exposed, use that */}} - {{ else if eq $addrLen 1 }} - {{ with $address := index $value.Addresses 0 }} - # {{$value.Name}} - server {{ $address.IP }}:{{ $address.Port }}; - {{ end }} - - {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}} - {{ else if $value.Env.VIRTUAL_PORT }} - {{ range $i, $address := $value.Addresses }} - {{ if eq $address.Port $value.Env.VIRTUAL_PORT }} - # {{$value.Name}} - server {{ $address.IP }}:{{ $address.Port }}; - {{ end }} - {{ end }} - - {{/* Else default to standard web port 80 */}} - {{ else }} - {{ range $i, $address := $value.Addresses }} - {{ if eq $address.Port "80" }} - # {{$value.Name}} - server {{ $address.IP }}:{{ $address.Port }}; - {{ end }} - {{ end 
}} - {{ end }} -{{ end }} -} - -{{ $default_host := or ($.Env.DEFAULT_HOST) "" }} -{{ $default_server := index (dict $host "" $default_host "default_server") $host }} - -{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} -{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} - -{{/* Get the first cert name defined by containers w/ the same vhost */}} -{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} - -{{/* Get the best matching cert by name for the vhost. */}} -{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} - -{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} -{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} -{{ $vhostCert := replace $vhostCert ".key" "" -1 }} - -{{/* Use the cert specifid on the container or fallback to the best vhost match */}} -{{ $cert := (coalesce $certName $vhostCert) }} - -{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} - -server { - server_name {{ $host }}; - listen 80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - return 301 https://$host$request_uri; -} - -server { - server_name {{ $host }}; - listen 443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; - - ssl_prefer_server_ciphers on; - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:5m; - - ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; - ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; - - {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }} - ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; - {{ end }} - - add_header Strict-Transport-Security "max-age=31536000"; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - location / { - proxy_buffering on; - - proxy_pass {{ trim $proto }}://{{ trim $host }}; - {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} - auth_basic "Restricted {{ $host }}"; - auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} - } - -} -{{ else }} - -server { - server_name {{ $host }}; - listen 80 {{ $default_server }}; 
- access_log /var/log/nginx/access.log vhost; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - location / { - proxy_buffering on; - - proxy_pass {{ trim $proto }}://{{ trim $host }}; - {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} - auth_basic "Restricted {{ $host }}"; - auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} - } - -} - -{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} -server { - server_name {{ $host }}; - listen 443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - return 503; - - ssl_certificate /etc/nginx/certs/default.crt; - ssl_certificate_key /etc/nginx/certs/default.key; -} -{{ end }} - -{{ end }} -{{ end }} +{{ define "upstream" }} + {{ if .Address }} + {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} + {{ if and .Container.Node.ID .Address.HostPort }} + # {{ .Container.Node.Name }}/{{ .Container.Name }} + server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }}; + {{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} + {{ else }} + # {{ .Container.Name }} + server {{ .Address.IP }}:{{ .Address.Port }}; + {{ end }} + {{ else }} + # {{ .Container.Name }} + server {{ .Container.IP }} down; + {{ end }} +{{ end }} + +server_names_hash_bucket_size 64; + +# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the +# scheme used to connect to this server +map $http_x_forwarded_proto 
$proxy_x_forwarded_proto { + default $http_x_forwarded_proto; + '' $scheme; +} + +# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any +# Connection header that may have been passed to this server +map $http_upgrade $proxy_connection { + default upgrade; + '' close; +} + +gzip_proxied expired no-cache no-store private auth; +gzip on; +gzip_types text/plain text/css application/json application/javascript text/xml application/xml +application/xml+rss text/javascripti image/svg+xml application/vnd.ms-fontobject +application/x-woff; + +log_format vhost '$host $remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + +access_log off; + +# Use webp where supported +map $http_accept $webp_suffix { + default ""; + "~*webp" ".webp"; +} + +{{ if (exists "/etc/nginx/proxy.conf") }} +include /etc/nginx/proxy.conf; +{{ else }} +# HTTP 1.1 support +proxy_http_version 1.1; +proxy_buffering on; +proxy_set_header Host $http_host; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $proxy_connection; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +{{ end }} + +server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. + listen 80; + access_log /var/log/nginx/access.log vhost; + return 503; +} + +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} +server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. 
+ listen 443 ssl http2; + access_log /var/log/nginx/access.log vhost; + return 503; + + ssl_certificate /etc/nginx/certs/default.crt; + ssl_certificate_key /etc/nginx/certs/default.key; +} +{{ end }} + +{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} + +upstream {{ $host }} { + +{{ range $index, $value := $containers }} + + {{ $addrLen := len $value.Addresses }} + + {{/* If a VIRTUAL_NETWORK is specified use use its IP */}} + {{ if $value.Env.VIRTUAL_NETWORK }} + {{ range $i, $network := $value.Networks }} + {{ if eq $network.Name $value.Env.VIRTUAL_NETWORK }} + # Container: {{$value.Name}}@{{$network.Name}} + server {{ $network.IP }}:{{ $value.Env.VIRTUAL_PORT }}; + {{ end }} + {{ end }} + + {{/* If only 1 port exposed, use that */}} + {{ else if eq $addrLen 1 }} + {{ with $address := index $value.Addresses 0 }} + # {{$value.Name}} + server {{ $address.IP }}:{{ $address.Port }}; + {{ end }} + + {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}} + {{ else if $value.Env.VIRTUAL_PORT }} + {{ range $i, $address := $value.Addresses }} + {{ if eq $address.Port $value.Env.VIRTUAL_PORT }} + # {{$value.Name}} + server {{ $address.IP }}:{{ $address.Port }}; + {{ end }} + {{ end }} + + {{/* Else default to standard web port 80 */}} + {{ else }} + {{ range $i, $address := $value.Addresses }} + {{ if eq $address.Port "80" }} + # {{$value.Name}} + server {{ $address.IP }}:{{ $address.Port }}; + {{ end }} + {{ end }} + {{ end }} +{{ end }} +} + +{{ $default_host := or ($.Env.DEFAULT_HOST) "" }} +{{ $default_server := index (dict $host "" $default_host "default_server") $host }} + +{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} +{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} + +{{/* Get the first cert name defined by containers w/ the same vhost */}} +{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} + +{{/* Get the best 
matching cert by name for the vhost. */}} +{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} + +{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} +{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} +{{ $vhostCert := replace $vhostCert ".key" "" -1 }} + +{{/* Use the cert specifid on the container or fallback to the best vhost match */}} +{{ $cert := (coalesce $certName $vhostCert) }} + +{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} + +server { + server_name {{ $host }}; + listen 80 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + return 301 https://$host$request_uri; +} + +server { + server_name {{ $host }}; + listen 443 ssl http2 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + + ssl_prefer_server_ciphers on; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:5m; + + ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; + ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; + + {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }} + ssl_dhparam {{ printf 
"/etc/nginx/certs/%s.dhparam.pem" $cert }}; + {{ end }} + + add_header Strict-Transport-Security "max-age=31536000"; + + {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s" $host }}; + {{ else if (exists "/etc/nginx/vhost.d/default") }} + include /etc/nginx/vhost.d/default; + {{ end }} + + location / { + proxy_buffering on; + + proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} + auth_basic "Restricted {{ $host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; + {{ end }} + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; + {{ end }} + } + +} +{{ else }} + +server { + server_name {{ $host }}; + listen 80 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + + {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s" $host }}; + {{ else if (exists "/etc/nginx/vhost.d/default") }} + include /etc/nginx/vhost.d/default; + {{ end }} + + location / { + proxy_buffering on; + + proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} + auth_basic "Restricted {{ $host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; + {{ end }} + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; + {{ end }} + } + +} + +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} +server { + server_name {{ $host }}; + listen 443 ssl http2 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + return 503; + + 
ssl_certificate /etc/nginx/certs/default.crt; + ssl_certificate_key /etc/nginx/certs/default.key; +} +{{ end }} + +{{ end }} +{{ end }} diff --git a/ci/docker/hub/proxied/config_only_image/templates/nginx2.tmpl b/docker/proxied_stack/config_only_image/templates/nginx2.tmpl similarity index 97% rename from ci/docker/hub/proxied/config_only_image/templates/nginx2.tmpl rename to docker/proxied_stack/config_only_image/templates/nginx2.tmpl index a48da6f09..6266c509a 100644 --- a/ci/docker/hub/proxied/config_only_image/templates/nginx2.tmpl +++ b/docker/proxied_stack/config_only_image/templates/nginx2.tmpl 
@@ -1,225 +1,225 @@ -{{ define "upstream" }} - {{ if .Address }} - {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} - {{ if and .Container.Node.ID .Address.HostPort }} - # {{ .Container.Node.Name }}/{{ .Container.Name }} - server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }}; - {{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} - {{ else }} - # {{ .Container.Name }} - server {{ .Address.IP }}:{{ .Address.Port }}; - {{ end }} - {{ else }} - # {{ .Container.Name }} - server {{ .Container.IP }} down; - {{ end }} -{{ end }} - -# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the -# scheme used to connect to this server -map $http_x_forwarded_proto $proxy_x_forwarded_proto { - default $http_x_forwarded_proto; - '' $scheme; -} - -# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any -# Connection header that may have been passed to this server -map $http_upgrade $proxy_connection { - default upgrade; - '' close; -} - -gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - -log_format vhost '$host $remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - -access_log off; - -{{ if (exists "/etc/nginx/proxy.conf") }} -include /etc/nginx/proxy.conf; -{{ else }} -# HTTP 1.1 support -proxy_http_version 1.1; -proxy_buffering off; -proxy_set_header Host $http_host; -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection $proxy_connection; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; -{{ end }} - -server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. 
- listen 80; - access_log /var/log/nginx/access.log vhost; - return 503; -} - -{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} -server { - server_name _; # This is just an invalid value which will never trigger on a real hostname. - listen 443 ssl http2; - access_log /var/log/nginx/access.log vhost; - return 503; - - ssl_certificate /etc/nginx/certs/default.crt; - ssl_certificate_key /etc/nginx/certs/default.key; -} -{{ end }} - -{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} - -upstream {{ $host }} { - -{{ range $index, $value := $containers }} - - {{ $addrLen := len $value.Addresses }} - {{/* If only 1 port exposed, use that */}} - {{ if eq $addrLen 1 }} - {{ with $address := index $value.Addresses 0 }} - # {{$value.Name}} - server {{ $address.IP }}:{{ $address.Port }}; - {{ end }} - - {{/* If a VIRTUAL_NETWORK is specified use use its IP */}} - {{ else if $value.Env.VIRTUAL_NETWORK }} - {{ range $i, $network := $value.Networks }} - {{ if eq $network.Name $value.Env.VIRTUAL_NETWORK }} - # Container: {{$value.Name}}@{{$network.Name}} - server {{ $network.IP }}:{{ $value.Env.VIRTUAL_PORT }}; - {{ end }} - {{ end }} - - {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}} - {{ else if $value.Env.VIRTUAL_PORT }} - {{ range $i, $address := $value.Addresses }} - {{ if eq $address.Port $value.Env.VIRTUAL_PORT }} - # {{$value.Name}} - server {{ $address.IP }}:{{ $address.Port }}; - {{ end }} - {{ end }} - - {{/* Else default to standard web port 80 */}} - {{ else }} - {{ range $i, $address := $value.Addresses }} - {{ if eq $address.Port "80" }} - # {{$value.Name}} - server {{ $address.IP }}:{{ $address.Port }}; - {{ end }} - {{ end }} - {{ end }} -{{ end }} -} - -{{ $default_host := or ($.Env.DEFAULT_HOST) "" }} -{{ $default_server := index (dict $host "" $default_host "default_server") $host }} - -{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, 
falling back to "http" */}} -{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} - -{{/* Get the first cert name defined by containers w/ the same vhost */}} -{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} - -{{/* Get the best matching cert by name for the vhost. */}} -{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} - -{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} -{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} -{{ $vhostCert := replace $vhostCert ".key" "" -1 }} - -{{/* Use the cert specifid on the container or fallback to the best vhost match */}} -{{ $cert := (coalesce $certName $vhostCert) }} - -{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} - -server { - server_name {{ $host }}; - listen 80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - return 301 https://$host$request_uri; -} - -server { - server_name {{ $host }}; - listen 443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; - - ssl_prefer_server_ciphers on; - ssl_session_timeout 5m; - 
ssl_session_cache shared:SSL:50m; - - ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; - ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; - - {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }} - ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; - {{ end }} - - add_header Strict-Transport-Security "max-age=31536000"; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - location / { - proxy_pass {{ trim $proto }}://{{ trim $host }}; - {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} - auth_basic "Restricted {{ $host }}"; - auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} - } -} -{{ else }} - -server { - server_name {{ $host }}; - listen 80 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - - {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s" $host }}; - {{ else if (exists "/etc/nginx/vhost.d/default") }} - include /etc/nginx/vhost.d/default; - {{ end }} - - location / { - proxy_pass {{ trim $proto }}://{{ trim $host }}; - {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} - auth_basic "Restricted {{ $host }}"; - auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; - {{ end }} - {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} - include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; - {{ else if (exists "/etc/nginx/vhost.d/default_location") }} - include /etc/nginx/vhost.d/default_location; - {{ end }} - } -} - -{{ if (and (exists 
"/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} -server { - server_name {{ $host }}; - listen 443 ssl http2 {{ $default_server }}; - access_log /var/log/nginx/access.log vhost; - return 503; - - ssl_certificate /etc/nginx/certs/default.crt; - ssl_certificate_key /etc/nginx/certs/default.key; -} -{{ end }} - -{{ end }} -{{ end }} +{{ define "upstream" }} + {{ if .Address }} + {{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}} + {{ if and .Container.Node.ID .Address.HostPort }} + # {{ .Container.Node.Name }}/{{ .Container.Name }} + server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }}; + {{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}} + {{ else }} + # {{ .Container.Name }} + server {{ .Address.IP }}:{{ .Address.Port }}; + {{ end }} + {{ else }} + # {{ .Container.Name }} + server {{ .Container.IP }} down; + {{ end }} +{{ end }} + +# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the +# scheme used to connect to this server +map $http_x_forwarded_proto $proxy_x_forwarded_proto { + default $http_x_forwarded_proto; + '' $scheme; +} + +# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any +# Connection header that may have been passed to this server +map $http_upgrade $proxy_connection { + default upgrade; + '' close; +} + +gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + +log_format vhost '$host $remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + +access_log off; + +{{ if (exists "/etc/nginx/proxy.conf") }} +include /etc/nginx/proxy.conf; +{{ else }} +# HTTP 1.1 support +proxy_http_version 1.1; +proxy_buffering off; +proxy_set_header Host $http_host; +proxy_set_header Upgrade $http_upgrade; 
+proxy_set_header Connection $proxy_connection; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; +{{ end }} + +server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. + listen 80; + access_log /var/log/nginx/access.log vhost; + return 503; +} + +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} +server { + server_name _; # This is just an invalid value which will never trigger on a real hostname. + listen 443 ssl http2; + access_log /var/log/nginx/access.log vhost; + return 503; + + ssl_certificate /etc/nginx/certs/default.crt; + ssl_certificate_key /etc/nginx/certs/default.key; +} +{{ end }} + +{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }} + +upstream {{ $host }} { + +{{ range $index, $value := $containers }} + + {{ $addrLen := len $value.Addresses }} + {{/* If only 1 port exposed, use that */}} + {{ if eq $addrLen 1 }} + {{ with $address := index $value.Addresses 0 }} + # {{$value.Name}} + server {{ $address.IP }}:{{ $address.Port }}; + {{ end }} + + {{/* If a VIRTUAL_NETWORK is specified use use its IP */}} + {{ else if $value.Env.VIRTUAL_NETWORK }} + {{ range $i, $network := $value.Networks }} + {{ if eq $network.Name $value.Env.VIRTUAL_NETWORK }} + # Container: {{$value.Name}}@{{$network.Name}} + server {{ $network.IP }}:{{ $value.Env.VIRTUAL_PORT }}; + {{ end }} + {{ end }} + + {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}} + {{ else if $value.Env.VIRTUAL_PORT }} + {{ range $i, $address := $value.Addresses }} + {{ if eq $address.Port $value.Env.VIRTUAL_PORT }} + # {{$value.Name}} + server {{ $address.IP }}:{{ $address.Port }}; + {{ end }} + {{ end }} + + {{/* Else default to standard web port 80 */}} + {{ else }} + {{ range $i, $address := $value.Addresses }} + {{ if eq $address.Port "80" }} + 
# {{$value.Name}} + server {{ $address.IP }}:{{ $address.Port }}; + {{ end }} + {{ end }} + {{ end }} +{{ end }} +} + +{{ $default_host := or ($.Env.DEFAULT_HOST) "" }} +{{ $default_server := index (dict $host "" $default_host "default_server") $host }} + +{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}} +{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }} + +{{/* Get the first cert name defined by containers w/ the same vhost */}} +{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }} + +{{/* Get the best matching cert by name for the vhost. */}} +{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}} + +{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}} +{{ $vhostCert := replace $vhostCert ".crt" "" -1 }} +{{ $vhostCert := replace $vhostCert ".key" "" -1 }} + +{{/* Use the cert specifid on the container or fallback to the best vhost match */}} +{{ $cert := (coalesce $certName $vhostCert) }} + +{{ if (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }} + +server { + server_name {{ $host }}; + listen 80 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + return 301 https://$host$request_uri; +} + +server { + server_name {{ $host }}; + listen 443 ssl http2 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + + ssl_prefer_server_ciphers on; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + + ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }}; + ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }}; + + {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }} + ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }}; + {{ end }} + + add_header Strict-Transport-Security "max-age=31536000"; + + {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s" $host }}; + {{ else if (exists "/etc/nginx/vhost.d/default") }} + include /etc/nginx/vhost.d/default; + {{ end }} + + location / { + proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} + auth_basic "Restricted {{ $host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; + {{ end }} + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; + {{ end }} + } +} +{{ else }} + +server { + server_name {{ $host }}; + listen 80 {{ $default_server }}; + access_log 
/var/log/nginx/access.log vhost; + + {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s" $host }}; + {{ else if (exists "/etc/nginx/vhost.d/default") }} + include /etc/nginx/vhost.d/default; + {{ end }} + + location / { + proxy_pass {{ trim $proto }}://{{ trim $host }}; + {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }} + auth_basic "Restricted {{ $host }}"; + auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }}; + {{ end }} + {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }} + include {{ printf "/etc/nginx/vhost.d/%s_location" $host}}; + {{ else if (exists "/etc/nginx/vhost.d/default_location") }} + include /etc/nginx/vhost.d/default_location; + {{ end }} + } +} + +{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }} +server { + server_name {{ $host }}; + listen 443 ssl http2 {{ $default_server }}; + access_log /var/log/nginx/access.log vhost; + return 503; + + ssl_certificate /etc/nginx/certs/default.crt; + ssl_certificate_key /etc/nginx/certs/default.key; +} +{{ end }} + +{{ end }} +{{ end }} diff --git a/ci/docker/hub/proxied/config_only_image/true b/docker/proxied_stack/config_only_image/true old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/config_only_image/true rename to docker/proxied_stack/config_only_image/true diff --git a/ci/docker/hub/proxied/config_only_image/true-asm b/docker/proxied_stack/config_only_image/true-asm old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/config_only_image/true-asm rename to docker/proxied_stack/config_only_image/true-asm diff --git a/ci/docker/hub/proxied/docker-gen-cloud/Dockerfile b/docker/proxied_stack/docker-gen-cloud/Dockerfile similarity index 100% rename from ci/docker/hub/proxied/docker-gen-cloud/Dockerfile rename to docker/proxied_stack/docker-gen-cloud/Dockerfile 
diff --git a/ci/docker/hub/proxied/docker-gen-cloud/README.md b/docker/proxied_stack/docker-gen-cloud/README.md
similarity index 98%
rename from ci/docker/hub/proxied/docker-gen-cloud/README.md
rename to docker/proxied_stack/docker-gen-cloud/README.md
index ae7e4fd7c..bf229a459 100644
--- a/ci/docker/hub/proxied/docker-gen-cloud/README.md
+++ b/docker/proxied_stack/docker-gen-cloud/README.md
@@ -1,61 +1,61 @@ -# docker-gen for Docker Cloud - -This is an enhancment to the [docker-gen](https://github.com/jwilder/docker-gen) image that adds support -for [Docker Cloud](https://cloud.docker.com). - -This image is used in context of [this](https://blog.switchbit.io/developing-a-ghost-theme-with-gulp-part-5/) -post on using [JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) -to generate Let's Encrypt certificates for a Ghost specific stack. - -# The problem - -The usual way of using `docker-gen` in conjunction with `docker-letsencrypt-nginx-proxy-companion` using the separate -container method, is as follows (as per the [docs](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion#separate-containers-recommended-method)): - -``` -$ docker run -d \ - --name nginx-gen \ - --volumes-from nginx \ - -v /path/to/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \ - -v /var/run/docker.sock:/tmp/docker.sock:ro \ - jwilder/docker-gen \ - -notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf -``` - -however, within a Docker Cloud based environment we cannot use `-notify-sighup nginx` due to the fact that -the container names (on the actual nodes) do not match their [Service](https://docs.docker.com/docker-cloud/apps/stacks/) names. -The result is that the `nginx` container (Service) never get's reloaded to take advantage of the generated Nginx configuration. - -# The solution - -How we get around this is to add the [Docker Cloud CLI](https://github.com/docker/dockercloud-cli) -to the `docker-gen` image and add a script (`restart_service.sh`) that uses the CLI to redeploy a Service. 
-For example, the following configuration, using Docker Cloud [Stack file](https://docs.docker.com/docker-cloud/apps/stack-yaml-reference/) -format, would be used to achieve the desired affect: - -``` -nginx-gen: - image: donovanmuller/docker-gen-docker-cloud:1 - volumes: - - "/var/run/docker.sock:/tmp/docker.sock:ro" - volumes_from: - - nginx-proxy - - ghost-nginx-proxy-config - entrypoint: /usr/local/bin/docker-gen -notify-output -notify "./restart_service.sh" -watch -only-exposed -wait 10s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf - environment: - - PROXY_SERVICE_ENV_VAR=nginx-proxy - roles: - - global -``` - -Note the use of the `restart_service.sh` script with `-notify-output -notify "./restart_service.sh"`. -Instead of using `-notify-sighup` the script is executed which uses the `docker-cloud` CLI to redeploy the Service -indicated by the environment variable `PROXY_SERVICE_ENV_VAR`. -This variable represents the Service name (`nginx-proxy` in the example above) to redeploy, not the container name. - -We also need the `global` [role](https://docs.docker.com/docker-cloud/apps/api-roles/) so that Docker Cloud can inject the `DOCKERCLOUD_AUTH` details needed by `docker-cloud` CLI -to [authenticate](https://github.com/docker/dockercloud-cli#authentication) against. - - - - +# docker-gen for Docker Cloud + +This is an enhancment to the [docker-gen](https://github.com/jwilder/docker-gen) image that adds support +for [Docker Cloud](https://cloud.docker.com). + +This image is used in context of [this](https://blog.switchbit.io/developing-a-ghost-theme-with-gulp-part-5/) +post on using [JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) +to generate Let's Encrypt certificates for a Ghost specific stack. 
+ +# The problem + +The usual way of using `docker-gen` in conjunction with `docker-letsencrypt-nginx-proxy-companion` using the separate +container method, is as follows (as per the [docs](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion#separate-containers-recommended-method)): + +``` +$ docker run -d \ + --name nginx-gen \ + --volumes-from nginx \ + -v /path/to/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \ + -v /var/run/docker.sock:/tmp/docker.sock:ro \ + jwilder/docker-gen \ + -notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf +``` + +however, within a Docker Cloud based environment we cannot use `-notify-sighup nginx` due to the fact that +the container names (on the actual nodes) do not match their [Service](https://docs.docker.com/docker-cloud/apps/stacks/) names. +The result is that the `nginx` container (Service) never get's reloaded to take advantage of the generated Nginx configuration. + +# The solution + +How we get around this is to add the [Docker Cloud CLI](https://github.com/docker/dockercloud-cli) +to the `docker-gen` image and add a script (`restart_service.sh`) that uses the CLI to redeploy a Service. +For example, the following configuration, using Docker Cloud [Stack file](https://docs.docker.com/docker-cloud/apps/stack-yaml-reference/) +format, would be used to achieve the desired affect: + +``` +nginx-gen: + image: donovanmuller/docker-gen-docker-cloud:1 + volumes: + - "/var/run/docker.sock:/tmp/docker.sock:ro" + volumes_from: + - nginx-proxy + - ghost-nginx-proxy-config + entrypoint: /usr/local/bin/docker-gen -notify-output -notify "./restart_service.sh" -watch -only-exposed -wait 10s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + environment: + - PROXY_SERVICE_ENV_VAR=nginx-proxy + roles: + - global +``` + +Note the use of the `restart_service.sh` script with `-notify-output -notify "./restart_service.sh"`. 
+Instead of using `-notify-sighup` the script is executed which uses the `docker-cloud` CLI to redeploy the Service +indicated by the environment variable `PROXY_SERVICE_ENV_VAR`. +This variable represents the Service name (`nginx-proxy` in the example above) to redeploy, not the container name. + +We also need the `global` [role](https://docs.docker.com/docker-cloud/apps/api-roles/) so that Docker Cloud can inject the `DOCKERCLOUD_AUTH` details needed by `docker-cloud` CLI +to [authenticate](https://github.com/docker/dockercloud-cli#authentication) against. + + + + diff --git a/ci/docker/hub/proxied/docker-gen-cloud/push.sh b/docker/proxied_stack/docker-gen-cloud/push.sh old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/docker-gen-cloud/push.sh rename to docker/proxied_stack/docker-gen-cloud/push.sh diff --git a/ci/docker/hub/proxied/docker-gen-cloud/restart_service.sh b/docker/proxied_stack/docker-gen-cloud/restart_service.sh old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/docker-gen-cloud/restart_service.sh rename to docker/proxied_stack/docker-gen-cloud/restart_service.sh diff --git a/ci/docker/hub/proxied/logs.sh b/docker/proxied_stack/logs.sh old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/logs.sh rename to docker/proxied_stack/logs.sh diff --git a/ci/docker/hub/proxied/other.txt b/docker/proxied_stack/other.txt similarity index 100% rename from ci/docker/hub/proxied/other.txt rename to docker/proxied_stack/other.txt diff --git a/ci/docker/hub/proxied/redeploy.sh b/docker/proxied_stack/redeploy.sh old mode 100755 new mode 100644 similarity index 100% rename from ci/docker/hub/proxied/redeploy.sh rename to docker/proxied_stack/redeploy.sh diff --git a/ci/docker/hub/proxied/stackfile.yml b/docker/proxied_stack/stackfile.yml similarity index 100% rename from ci/docker/hub/proxied/stackfile.yml rename to docker/proxied_stack/stackfile.yml 
diff --git a/ci/docker/hub/proxied/stackup.sh b/docker/proxied_stack/stackup.sh
old mode 100755
new mode 100644
similarity index 100%
rename from ci/docker/hub/proxied/stackup.sh
rename to docker/proxied_stack/stackup.sh
diff --git a/docker/tool_imageci/Dockerfile b/docker/tool_imageci/Dockerfile
new file mode 100644
index 000000000..147fc72bb
--- /dev/null
+++ b/docker/tool_imageci/Dockerfile
@@ -0,0 +1,26 @@
+FROM imazen/imageflow_build_ubuntu18 as builder
+# We expect user imageflow to have uid 100, and /home/imageflow/imageflow to exist
+# We expect the build context to be the source checkout directory, preferably with the .git folder
+
+USER imageflow
+
+# We have to wrest ownership of /home/imageflow/imageflow, as for some reason Docker makes root owner
+RUN sudo chown imageflow: /home/imageflow/imageflow
+# Also set ownership of files copied in
+COPY --chown=1000 . /home/imageflow/imageflow
+
+WORKDIR /home/imageflow/imageflow
+
+#RUN awk -F: '{printf "%s:%s\n",$1,$3}' /etc/passwd && ls -la
+
+
+RUN cargo build --release --package imageflow_tool_lib --bin imageflow_tool
+
+# Start over from a smaller (160MB) image
+FROM imazen/imageflow_base_os
+MAINTAINER Lilith River
+
+WORKDIR /home/imageflow
+COPY --from=builder /home/imageflow/target/release/imaegflow_tool .
+RUN ./imageflow_tool diagnose --show-compilation-info
+CMD ["./imageflow_tool"]
\ No newline at end of file
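Review bot: The final-stage `COPY --from=builder /home/imageflow/target/release/imaegflow_tool .` looks unresolvable, because the binary name is misspelled (`imaegflow_tool`) and the builder runs `cargo build` under `WORKDIR /home/imageflow/imageflow`. Unless the builder image redirects cargo's target directory, the line should read `COPY --from=builder /home/imageflow/imageflow/target/release/imageflow_tool .`, which is also the name the following `RUN ./imageflow_tool diagnose --show-compilation-info` expects. The header comment says uid 100 while `COPY --chown=1000` uses 1000, so one of the two needs correcting. The runtime stage sets no `USER`, so the tool runs as root unless `imazen/imageflow_base_os` already drops privileges; a `USER` line before `CMD` would make that explicit. Both `FROM` lines are untagged, so pinning each to a tag or digest would tie the build to a reviewed base image.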