diff --git a/images/nginx/38cb695de87cfeadcba5eeaf57f39e41d529aa1f.tar.gz b/images/nginx/38cb695de87cfeadcba5eeaf57f39e41d529aa1f.tar.gz new file mode 100644 index 0000000000..b1e05c55b9 Binary files /dev/null and b/images/nginx/38cb695de87cfeadcba5eeaf57f39e41d529aa1f.tar.gz differ diff --git a/images/nginx/Makefile b/images/nginx/Makefile index da8482bba7..da8deb47a3 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -13,7 +13,7 @@ # limitations under the License. # 0.0.0 shouldn't clobber any released builds -TAG ?= 0.96 +TAG ?= 0.97 REGISTRY ?= quay.io/kubernetes-ingress-controller IMGNAME = nginx @@ -64,7 +64,9 @@ release: push .PHONY: init-docker-buildx init-docker-buildx: +ifneq ($(shell docker buildx 2>&1 >/dev/null; echo $?),) + $(error "buildx not vailable. Docker 19.03 or higher is required") +endif docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d docker buildx create --name ingress-nginx --use || true docker buildx inspect --bootstrap -endif diff --git a/images/nginx/README.md b/images/nginx/README.md index f06f8dc37e..ee3d50bff9 100644 --- a/images/nginx/README.md +++ b/images/nginx/README.md @@ -18,7 +18,7 @@ This image provides a default configuration file with no backend servers. _Using docker_ ```console -docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro quay.io/kubernetes-ingress-controller/nginx:0.95 +docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro quay.io/kubernetes-ingress-controller/nginx:0.97 ``` _Creating a replication controller_ diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml index f5ce5521a4..d9fa7ef6e8 100644 --- a/images/nginx/rc.yaml +++ b/images/nginx/rc.yaml @@ -38,7 +38,7 @@ spec: spec: containers: - name: nginx - image: quay.io/kubernetes-ingress-controller/nginx:0.95 + image: quay.io/kubernetes-ingress-controller/nginx:0.97 ports: - containerPort: 80 - containerPort: 443 diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index e4955d42a5..59558ceb1a 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.11 as builder +FROM --platform=$BUILDPLATFORM alpine:3.11 as builder COPY . / @@ -21,7 +21,7 @@ RUN apk add -U bash \ && /build.sh # Use a multi-stage build -FROM alpine:3.11 +FROM --platform=$BUILDPLATFORM alpine:3.11 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index c37778cdb4..2e35508432 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -21,7 +21,7 @@ set -o pipefail export DEBIAN_FRONTEND=noninteractive -export NGINX_VERSION=1.17.7 +export NGINX_VERSION=1.17.8 export NDK_VERSION=0.3.1rc1 export SETMISC_VERSION=0.32 export MORE_HEADERS_VERSION=0.33 @@ -44,10 +44,11 @@ export NGINX_INFLUXDB_VERSION=5b09391cb7b9a889687c0aa67964c06a2d933e8b export GEOIP2_VERSION=3.3 export NGINX_AJP_VERSION=bf6cd93f2098b59260de8d494f0f4b1f11a84627 export RESTY_LUAROCKS_VERSION=3.1.3 -export LUAJIT_VERSION=9d5750d28478abfdcaefdfdc408f87752a21e431 +export LUAJIT_VERSION=38cb695de87cfeadcba5eeaf57f39e41d529aa1f export LUA_RESTY_BALANCER=0.03 export LUA_RESTY_CORE=0.1.17 export LUA_CJSON_VERSION=2.1.0.7 +export LUA_RESTY_COOKIE_VERSION=766ad8c15e498850ac77f5e0265f1d3f30dc4027 export BUILD_PATH=/tmp/build @@ -131,7 +132,7 @@ mkdir --verbose -p "$BUILD_PATH" cd "$BUILD_PATH" # download, verify and extract the source files -get_src b62756842807e5693b794e5d0ae289bd8ae5b098e66538b2a91eb80f25c591ff \ +get_src 97d23ecf6d5150b30e284b40e8a6f7e3bb5be6b601e373a4d013768d5a25965b \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" get_src 49f50d4cd62b166bc1aaf712febec5e028d9f187cedbc27a610dfd01bdde2d36 \ @@ -176,7 +177,7 @@ get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \ get_src 2a69815e4ae01aa8b170941a8e1a10b6f6a9aab699dee485d58f021dd933829a \ "https://github.com/openresty/lua-upstream-nginx-module/archive/v$LUA_UPSTREAM_VERSION.tar.gz" -get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \ +get_src 7df70318762f4150e6fe27dd1838b4b89a24ed9351c82d0b332d7d8457dd1b95 \ "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" get_src 052fd37cd698e24ab73ee18fc3fa55acd1d43153c12a0e65b0fba0447de1117e \ @@ -212,6 +213,9 @@ get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \ get_src 59d2f18ecadba48be61061004c8664eaed1111a3372cd2567cb24c5a47eb41fe \ "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" +get_src f818b5cef0881e5987606f2acda0e491531a0cb0c126d8dca02e2343edf641ef \ + "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" + # improve compilation times CORES=$(($(grep -c ^processor /proc/cpuinfo) - 0)) @@ -556,8 +560,11 @@ cd "$BUILD_PATH/lua-cjson-$LUA_CJSON_VERSION" make all make install +cd "$BUILD_PATH/lua-resty-cookie-$LUA_RESTY_COOKIE_VERSION" +make all +make install + luarocks install lua-resty-iputils 0.3.0-1 -luarocks install lua-resty-cookie 0.1.0-1 luarocks install lua-resty-lrucache 0.09-2 luarocks install lua-resty-lock 0.08-0 luarocks install lua-resty-dns 0.21-1 diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-balancer_status_code.patch b/images/nginx/rootfs/patches/nginx-1.17.8-balancer_status_code.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.17.4-balancer_status_code.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-balancer_status_code.patch diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-cache_manager_exit.patch b/images/nginx/rootfs/patches/nginx-1.17.8-cache_manager_exit.patch new file mode 100644 index 0000000000..f1f81da2ca --- /dev/null +++ b/images/nginx/rootfs/patches/nginx-1.17.8-cache_manager_exit.patch @@ -0,0 +1,19 @@ +# HG changeset patch +# User Yichun Zhang +# Date 1383598130 28800 +# Node ID f64218e1ac963337d84092536f588b8e0d99bbaa +# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c +Cache: gracefully exit the cache manager process. + +diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c +--- a/src/os/unix/ngx_process_cycle.c Thu Oct 31 18:23:49 2013 +0400 ++++ b/src/os/unix/ngx_process_cycle.c Mon Nov 04 12:48:50 2013 -0800 +@@ -1335,7 +1335,7 @@ + + if (ngx_terminate || ngx_quit) { + ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); +- exit(0); ++ ngx_worker_process_exit(cycle); + } + + if (ngx_reopen) { diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-hash_overflow.patch b/images/nginx/rootfs/patches/nginx-1.17.8-hash_overflow.patch new file mode 100644 index 0000000000..449d214bab --- /dev/null +++ b/images/nginx/rootfs/patches/nginx-1.17.8-hash_overflow.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Yichun Zhang +# Date 1412276417 25200 +# Thu Oct 02 12:00:17 2014 -0700 +# Node ID 4032b992f23b054c1a2cfb0be879330d2c6708e5 +# Parent 1ff0f68d9376e3d184d65814a6372856bf65cfcd +Hash: buffer overflow might happen when exceeding the pre-configured limits. + +diff -r 1ff0f68d9376 -r 4032b992f23b src/core/ngx_hash.c +--- a/src/core/ngx_hash.c Tue Sep 30 15:50:28 2014 -0700 ++++ b/src/core/ngx_hash.c Thu Oct 02 12:00:17 2014 -0700 +@@ -312,6 +312,8 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng + continue; + } + ++ size--; ++ + ngx_log_error(NGX_LOG_WARN, hinit->pool->log, 0, + "could not build optimal %s, you should increase " + "either %s_max_size: %i or %s_bucket_size: %i; " diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-larger_max_error_str.patch b/images/nginx/rootfs/patches/nginx-1.17.8-larger_max_error_str.patch similarity index 62% rename from images/nginx/rootfs/patches/nginx-1.17.4-larger_max_error_str.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-larger_max_error_str.patch index 77137f2640..128bd9e0da 100644 --- a/images/nginx/rootfs/patches/nginx-1.17.4-larger_max_error_str.patch +++ b/images/nginx/rootfs/patches/nginx-1.17.8-larger_max_error_str.patch @@ -1,5 +1,5 @@ ---- nginx-1.17.4/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 -+++ nginx-1.17.4-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 +--- nginx-1.17.8/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 ++++ nginx-1.17.8-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 @@ -64,7 +64,9 @@ struct ngx_log_s { }; diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/nginx-1.17.8-reuseport_close_unused_fds.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.17.4-reuseport_close_unused_fds.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-reuseport_close_unused_fds.patch diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-single_process_graceful_exit.patch b/images/nginx/rootfs/patches/nginx-1.17.8-single_process_graceful_exit.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.17.4-single_process_graceful_exit.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-single_process_graceful_exit.patch diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-socket_cloexec.patch b/images/nginx/rootfs/patches/nginx-1.17.8-socket_cloexec.patch new file mode 100644 index 0000000000..985ce573b5 --- /dev/null +++ b/images/nginx/rootfs/patches/nginx-1.17.8-socket_cloexec.patch @@ -0,0 +1,185 @@ +diff --git a/auto/unix b/auto/unix +index 10835f6c..b5b33bb3 100644 +--- a/auto/unix ++++ b/auto/unix +@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res; + if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1; + freeaddrinfo(res)' + . auto/feature ++ ++ngx_feature="SOCK_CLOEXEC support" ++ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC" ++ngx_feature_run=no ++ngx_feature_incs="#include ++ #include " ++ngx_feature_path= ++ngx_feature_libs= ++ngx_feature_test="int fd; ++ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);" ++. auto/feature ++ ++ngx_feature="FD_CLOEXEC support" ++ngx_feature_name="NGX_HAVE_FD_CLOEXEC" ++ngx_feature_run=no ++ngx_feature_incs="#include ++ #include ++ #include " ++ngx_feature_path= ++ngx_feature_libs= ++ngx_feature_test="int fd; ++ fd = socket(AF_INET, SOCK_STREAM, 0); ++ fcntl(fd, F_SETFD, FD_CLOEXEC);" ++. auto/feature +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index cd55520c..438e0806 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) + ngx_event_t *rev, *wev; + ngx_connection_t *c; + ++#if (NGX_HAVE_SOCKET_CLOEXEC) ++ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0); ++ ++#else + s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0); + ++#endif ++ + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s); + + if (s == (ngx_socket_t) -1) { +@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) + goto failed; + } + ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ++ goto failed; ++ } ++#endif ++ + rev = c->read; + wev = c->write; + +diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h +index 19fec68..8c2f01a 100644 +--- a/src/event/ngx_event.h ++++ b/src/event/ngx_event.h +@@ -73,6 +73,9 @@ struct ngx_event_s { + /* to test on worker exit */ + unsigned channel:1; + unsigned resolver:1; ++#if (HAVE_SOCKET_CLOEXEC_PATCH) ++ unsigned skip_socket_leak_check:1; ++#endif + + unsigned cancelable:1; + +diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c +index 77563709..5827b9d0 100644 +--- a/src/event/ngx_event_accept.c ++++ b/src/event/ngx_event_accept.c +@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev) + + #if (NGX_HAVE_ACCEPT4) + if (use_accept4) { +- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK); ++ s = accept4(lc->fd, &sa.sockaddr, &socklen, ++ SOCK_NONBLOCK | SOCK_CLOEXEC); ++ + } else { + s = accept(lc->fd, &sa.sockaddr, &socklen); + } +@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev) + ngx_close_accepted_connection(c); + return; + } ++ ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ngx_close_accepted_connection(c); ++ return; ++ } ++#endif ++ + } + } + +diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c +index c5bb8068..cf33b1d2 100644 +--- a/src/event/ngx_event_connect.c ++++ b/src/event/ngx_event_connect.c +@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) + + type = (pc->type ? pc->type : SOCK_STREAM); + ++#if (NGX_HAVE_SOCKET_CLOEXEC) ++ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0); ++ ++#else + s = ngx_socket(pc->sockaddr->sa_family, type, 0); + ++#endif ++ ++ + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d", + (type == SOCK_STREAM) ? "stream" : "dgram", s); + +@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) + goto failed; + } + ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ++ goto failed; ++ } ++#endif ++ + if (pc->local) { + + #if (NGX_HAVE_TRANSPARENT_PROXY) +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index c4376a5..48e8fa8 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -1032,6 +1032,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle) + for (i = 0; i < cycle->connection_n; i++) { + if (c[i].fd != -1 + && c[i].read ++#if (HAVE_SOCKET_CLOEXEC_PATCH) ++ && !c[i].read->skip_socket_leak_check ++#endif + && !c[i].read->accept + && !c[i].read->channel + && !c[i].read->resolver) +diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h +index fcc51533..d1eebf47 100644 +--- a/src/os/unix/ngx_socket.h ++++ b/src/os/unix/ngx_socket.h +@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s); + + #endif + ++#if (NGX_HAVE_FD_CLOEXEC) ++ ++#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC) ++#define ngx_cloexec_n "fcntl(FD_CLOEXEC)" ++ ++/* at least FD_CLOEXEC is required to ensure connection fd is closed ++ * after execve */ ++#define HAVE_SOCKET_CLOEXEC_PATCH 1 ++ ++#endif ++ + int ngx_tcp_nopush(ngx_socket_t s); + int ngx_tcp_push(ngx_socket_t s); + diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.17.8-ssl_cert_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.17.4-ssl_cert_cb_yield.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-ssl_cert_cb_yield.patch diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-ssl_sess_cb_yield.patch b/images/nginx/rootfs/patches/nginx-1.17.8-ssl_sess_cb_yield.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.17.4-ssl_sess_cb_yield.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-ssl_sess_cb_yield.patch diff --git a/images/nginx/rootfs/patches/nginx-1.17.8-upstream_pipelining.patch b/images/nginx/rootfs/patches/nginx-1.17.8-upstream_pipelining.patch new file mode 100644 index 0000000000..aed80365ad --- /dev/null +++ b/images/nginx/rootfs/patches/nginx-1.17.8-upstream_pipelining.patch @@ -0,0 +1,23 @@ +commit f9907b72a76a21ac5413187b83177a919475c75f +Author: Yichun Zhang (agentzh) +Date: Wed Feb 10 16:05:08 2016 -0800 + + bugfix: upstream: keep sending request data after the first write attempt. + + See + http://mailman.nginx.org/pipermail/nginx-devel/2012-March/002040.html + for more details on the issue. + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 69019417..92b7c97f 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2239,7 +2239,7 @@ ngx_http_upstream_send_request_handler(ngx_http_request_t *r, + + #endif + +- if (u->header_sent && !u->conf->preserve_output) { ++ if (u->request_body_sent && !u->conf->preserve_output) { + u->write_event_handler = ngx_http_upstream_dummy_handler; + + (void) ngx_handle_write_event(c->write, 0); diff --git a/images/nginx/rootfs/patches/nginx-1.17.4-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/nginx-1.17.8-upstream_timeout_fields.patch similarity index 100% rename from images/nginx/rootfs/patches/nginx-1.17.4-upstream_timeout_fields.patch rename to images/nginx/rootfs/patches/nginx-1.17.8-upstream_timeout_fields.patch