Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for env var replacement #19

Closed
wants to merge 3 commits into from
Closed

Support for env var replacement #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5627af2
Support for env var replacement
wtrocki Jan 31, 2017
1849d78
Add additional line breaks and minor fixes
wtrocki Feb 1, 2017
5482717
Allow to change scripts after s2i process
wtrocki Feb 1, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions 1.8/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ VOLUME ["/var/opt/rh/rh-nginx18/log/nginx/"]

ENV BASH_ENV=/opt/app-root/etc/scl_enable \
ENV=/opt/app-root/etc/scl_enable \
PRE_RUN_SCRIPT=/opt/app-root/etc/init_script \
PROMPT_COMMAND=". /opt/app-root/etc/scl_enable"

CMD $STI_SCRIPTS_PATH/usage
1 change: 1 addition & 0 deletions 1.8/Dockerfile.rhel7
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ VOLUME ["/var/opt/rh/rh-nginx18/log/nginx/"]

ENV BASH_ENV=/opt/app-root/etc/scl_enable \
ENV=/opt/app-root/etc/scl_enable \
PRE_RUN_SCRIPT=/opt/app-root/etc/init_script \
PROMPT_COMMAND=". /opt/app-root/etc/scl_enable"

CMD $STI_SCRIPTS_PATH/usage
4 changes: 3 additions & 1 deletion 1.8/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,10 @@ S2I build folder structure:

| Folder name | Description |
| :--------------------- | ----------------------------------------- |
| ./nginx-cfg/*.conf | Should contain all nginx configuration we want to include into image |
| ./nginx-cfg/*.conf | Should contain nginx configuration files that should be included into image |
| ./ | Should contain nginx application source code |
| ./bin/init_script | Script that would be executed before launching nginx process. Can be used to replace values in configuration.|


Configuration
-------------
Expand Down
24 changes: 24 additions & 0 deletions 1.8/contrib/etc/init_script
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
## Placeholder for script that would be executed before running container
## To replace this file you should create ./bin/init_script in your s2i context folder. See: `--context-dir` option.

## This file can be used to inject environment variables into the configuration files

## Setup default DNS_SERVER for proxy requests
setup_dns_env_var() {
if [ -z "$DNS_SERVER" ]; then
export DNS_SERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '`
echo "Using system dns server ${DNS_SERVER}"
else
echo "Using user defined dns server: ${DNS_SERVER}"
fi
}

## Inject environment variables
inject_env_vars() {
## Replace only specified environment variables in specified file.
envsubst '${DNS_SERVER}
${LOG_LEVEL}' < "${NGINX_CONFIGURATION_PATH}/$1" > "${NGINX_CONFIGURATION_PATH}/$1"
}

# setup_dns_env_var
# inject_env_vars "default.conf"
8 changes: 8 additions & 0 deletions 1.8/s2i/bin/assemble
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,17 @@ if [ -d ./nginx-cfg ]; then
echo "---> Copying nginx configuration files..."
if [ "$(ls -A ./nginx-cfg/*.conf)" ]; then
cp -v ./nginx-cfg/*.conf "${NGINX_CONFIGURATION_PATH}"
chmod -Rf 777 ${NGINX_CONFIGURATION_PATH}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wtrocki Is 777 necessary? It is very open...

Copy link
Contributor Author

@wtrocki wtrocki Feb 2, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In order to change configuration in running container we would need to have write access to config for default user. Files are created by root user, so we can:

  • Change file owner to default (risky as container can use different user)
  • Make files writable by others by setting 666 👿 mask on file

Making files writable do not impose security risk. If attacker would get access to the container he can switch configuration to any file he wants and then send HUP signal to the nginx process to reload it.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Change file owner to default (risky as container can use different user)
  • Make files writable by others by setting 666 👿 mask on file

I am not sure, but I think GID remains the same. So some other images g+rw is used to allow running with arbitrary user.

rm -rf ./nginx-cfg
fi
fi

if [ -f ./bin/init_script ]; then
echo "---> Copying nginx init script..."
cp -vf ./bin/init_script $PRE_RUN_SCRIPT
chmod +x $PRE_RUN_SCRIPT
rm -rf ./bin
fi

# Fix source directory permissions
fix-permissions ./
1 change: 1 addition & 0 deletions 1.8/s2i/bin/run
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
#!/bin/bash

source /opt/app-root/etc/generate_container_user
source $PRE_RUN_SCRIPT

set -e

Expand Down
19 changes: 19 additions & 0 deletions 1.8/test/test-app/bin/init_script
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
setup_dns_env_var() {
if [ -z "$DNS_SERVER" ]; then
export DNS_SERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '`
echo "Using system dns server ${DNS_SERVER}"
else
echo "Using user defined dns server: ${DNS_SERVER}"
fi
}

inject_env_vars() {
## Replace only specified environment variables in specified file.
envsubst '${DNS_SERVER}
${INDEX_FILE}' < "${NGINX_CONFIGURATION_PATH}/$1" > "${NGINX_CONFIGURATION_PATH}/$1"
}

export INDEX_FILE=index2.html
setup_dns_env_var
inject_env_vars "default.conf"

4 changes: 3 additions & 1 deletion 1.8/test/test-app/nginx-cfg/default.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,7 @@ server {
listen 8080 default_server;
server_name localhost2;
root /opt/app-root/src;
index index2.html;
index ${INDEX_FILE};
resolver ${DNS_SERVER};

}