Fixes nginxinc#73

This commit builds upon the previous commits that add support for running unprivileged nginx instances. In this commit, we normalize spelling, and add CI tooling support for unprivileged nginx instances. Signed-off-by: Elijah Zupancic <[email protected]>
zacMode · Dec 12, 2022 · 7c4fb24 · 7c4fb24
1 parent 8f406d2
commit 7c4fb24
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 26 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -21,9 +21,13 @@ jobs:
       - name: Install dependencies
         run: sudo apt-get install -y wait-for-it
       - name: Run tests - latest njs version
-        run: ./test.sh latest-njs-oss
+        run: ./test.sh --latest-njs --type oss
       - name: Run tests - stable njs version
-        run: ./test.sh oss
+        run: ./test.sh --type oss
+      - name: Run tests - stable njs version - unprivileged process
+        run: ./test.sh --unprivileged --type oss
+      - name: Run tests - latest njs version - unprivileged process
+        run: ./test.sh --latest-njs --unprivileged --type oss
 
   build_and_deploy:
     runs-on: ubuntu-latest
@@ -41,9 +45,9 @@ jobs:
       - name: Install dependencies
         run: sudo apt-get install -y wait-for-it
       - name: Run tests - latest njs version
-        run: ./test.sh latest-njs-oss
+        run: ./test.sh --latest-njs --type oss
       - name: Run tests - stable njs version
-        run: ./test.sh oss
+        run: ./test.sh --type oss
       # latest-njs-oss image push [Github]
       - name: Tag container image for Push to github [latest-njs-oss date]
         run: docker tag nginx-s3-gateway:latest-njs-oss docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
@@ -53,6 +57,15 @@ jobs:
         run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
       - name: Push container image to github [latest-njs-oss]
         run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-njs-oss
+      # unprivileged-oss image push [Github]
+      - name: Tag container image for Push to github [unprivileged-oss date]
+        run: docker tag nginx-s3-gateway:unprivileged-oss docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Tag container image for Push to github [unprivileged-oss]
+        run: docker tag nginx-s3-gateway:unprivileged-oss docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss
+      - name: Push container image to github [unprivileged-oss date]
+        run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Push container image to github [unprivileged-oss]
+        run: docker push docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:unprivileged-oss
       # oss image push [Github]
       - name: Tag container image for Push to github [oss date]
         run: docker tag nginx-s3-gateway:latest docker.pkg.github.com/$GITHUB_REPOSITORY/nginx-oss-s3-gateway:latest-${{ steps.date.outputs.date }}
@@ -77,6 +90,15 @@ jobs:
         run: docker push nginxinc/nginx-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
       - name: Push container image to Docker Hub [latest-njs-oss]
         run: docker push nginxinc/nginx-s3-gateway:latest-njs-oss
+      # unprivileged-oss image push [Docker Hub]
+      - name: Tag container image for Push to Docker Hub [unprivileged-oss date]
+        run: docker tag nginx-s3-gateway:unprivileged-oss nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Tag container image for Push to Docker Hub [unprivileged-oss]
+        run: docker tag nginx-s3-gateway:unprivileged-oss nginxinc/nginx-s3-gateway:unprivileged-oss
+      - name: Push container image to Docker Hub [unprivileged-oss date]
+        run: docker push nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
+      - name: Push container image to Docker Hub [unprivileged-oss]
+        run: docker push nginxinc/nginx-s3-gateway:unprivileged-oss
       # oss image push [Docker Hub]
       - name: Tag container image for Push to Docker Hub [oss date]
         run: docker tag nginx-s3-gateway:latest nginxinc/nginx-s3-gateway:latest-${{ steps.date.outputs.date }}

diff --git a/Dockerfile.latest-unpriviledged → Dockerfile.unprivileged b/Dockerfile.latest-unpriviledged → Dockerfile.unprivileged
@@ -1,7 +1,7 @@
 # This container images makes the necessary modifications in the
 # inherited image (which could be OSS NGINX or NGINX Plus) in order
 # to allow running NGINX S3 Gateway as a non root user.
-# Steps are based on the official unpriviledged container:
+# Steps are based on the official unprivileged container:
 # https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-debian.template
 FROM nginx-s3-gateway
 
@@ -18,4 +18,4 @@ RUN sed -i "/^server {/a \    listen       8080;" /etc/nginx/templates/default.c
 
 EXPOSE 8080
 
-USER nginx
+USER nginx
diff --git a/test.sh b/test.sh
@@ -17,7 +17,6 @@
 #
 
 set -o errexit   # abort on nonzero exit status
-set -o nounset   # abort on unbound variable
 set -o pipefail  # don't hide errors within pipes
 
 nginx_server_proto="http"
@@ -41,28 +40,71 @@ e() {
   >&2 echo "$1"
 }
 
-
-if [ $# -eq 0 ]; then
+usage() { e "Usage: $0 [--latest-njs <default:false>] [--unprivileged <default:false>] [--type <default:oss|plus>" 1>&2; exit 1; }
+
+for arg in "$@"; do
+  shift
+  case "$arg" in
+    '--help')           set -- "$@" '-h'   ;;
+    '--latest-njs')     set -- "$@" '-j'   ;;
+    '--unprivileged')   set -- "$@" '-u'   ;;
+    '--type')           set -- "$@" '-t'   ;;
+    *)                  set -- "$@" "$arg" ;;
+  esac
+done
+
+while getopts "hjut:" arg; do
+    case "${arg}" in
+        j)
+            njs_latest="1"
+            ;;
+        u)
+            unprivileged="1"
+            ;;
+        t)
+            nginx_type="${OPTARG}"
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+startup_message=""
+
+if [ -z "${nginx_type}" ]; then
   nginx_type="oss"
-  njs_latest=0
-  p "No argument specified - defaulting to NGINX OSS. Valid arguments: oss, plus, latest-njs-oss, latest-njs-plus"
+  startup_message="Starting NGINX ${nginx_type} (default)"
+elif ! { [ ${nginx_type} == "oss" ] || [ ${nginx_type} == "plus" ]; }; then
+    e "Invalid NGINX type: ${nginx_type} - must be either 'oss' or 'plus'"
+    usage
 else
-  if [[ "${1}" == *plus ]]; then
-    nginx_type="plus"
-    p "Testing with NGINX Plus"
-  else
-    nginx_type="oss"
-    p "Testing with NGINX OSS"
-  fi
+  startup_message="Starting NGINX ${nginx_type}"
+fi
 
-  if [[ "${1}" == latest-njs-* ]]; then
-    p "Testing with latest development version of NJS"
-    njs_latest=1
-  else
-    njs_latest=0
-  fi
+if [ -z "${njs_latest}" ]; then
+  njs_latest="0"
+  startup_message="${startup_message} with the release NJS module (default)"
+elif [ ${njs_latest} -eq 1 ]; then
+  startup_message="${startup_message} with the latest NJS module"
+else
+  startup_message="${startup_message} with the release NJS module"
 fi
 
+if [ -z "${unprivileged}" ]; then
+  unprivileged="0"
+  startup_message="${startup_message} in privileged mode (default)"
+elif [ ${unprivileged} -eq 1 ]; then
+  startup_message="${startup_message} in unprivileged mode"
+else
+  startup_message="${startup_message} in privileged mode"
+fi
+
+e "${startup_message}"
+
+set -o nounset   # abort on unbound variable
+
 docker_cmd="$(command -v docker)"
 if ! [ -x "${docker_cmd}" ]; then
   e "required dependency not found: docker not found in the path or not executable"
@@ -102,7 +144,14 @@ if [ "${nginx_type}" = "plus" ]; then
 fi
 
 compose() {
-  "${docker_compose_cmd}"  -f "${test_compose_config}" -p "${test_compose_project}" "$@"
+  # Hint to docker-compose the internal port to map for the container
+  if [ ${unprivileged} -eq 1 ]; then
+    export NGINX_INTERNAL_PORT=8080
+  else
+    export NGINX_INTERNAL_PORT=80
+  fi
+
+  "${docker_compose_cmd}" -f "${test_compose_config}" -p "${test_compose_project}" "$@"
 }
 
 integration_test() {
@@ -208,6 +257,12 @@ if [ ${njs_latest} -eq 1 ]; then
     --tag nginx-s3-gateway --tag nginx-s3-gateway:latest-njs-${nginx_type} .
 fi
 
+if [ ${unprivileged} -eq 1 ]; then
+  p "Layering in unprivileged build"
+  docker build -f Dockerfile.unprivileged \
+    --tag nginx-s3-gateway --tag nginx-s3-gateway:unprivileged-${nginx_type} .
+fi
+
 ### UNIT TESTS
 
 p "Running unit tests in Docker image"

diff --git a/test/docker-compose.yaml b/test/docker-compose.yaml
@@ -9,7 +9,7 @@ services:
         condition: service_healthy
     image: "nginx-s3-gateway"
     ports:
-      - "8989:80/tcp"
+      - "8989:${NGINX_INTERNAL_PORT-80}/tcp"
     links:
       - "minio"
     restart: "no"