Merge pull request #98 from jdeathe/centos-7-develop

Release changes for 2.2.0

Author: jdeathe

.dockerignore

@@ -1,7 +1,12 @@
+.env
+.env.example
 .git
 .gitignore
 dist
 test
+var
+docker-compose.yml
+docker-compose-*.yml
 LICENSE
 README-short.txt
 *.md

.env.example

@@ -0,0 +1,15 @@
+APACHE_SSL_CERTIFICATE=/run/secrets/haproxy_ssl_certificate
+
+HAPROXY_SSL_CERTIFICATE=/run/secrets/haproxy_ssl_certificate
+HAPROXY_CONFIG=/etc/haproxy/haproxy-http.cfg
+HAPROXY_HOST_NAMES=www.app.local app.local localhost.localdomain
+
+VARNISH_MAX_THREADS=2000
+VARNISH_MIN_THREADS=100
+VARNISH_OPTIONS=
+VARNISH_STORAGE=malloc,256M
+VARNISH_THREAD_TIMEOUT=120
+VARNISH_TTL=120
+VARNISH_VARNISHNCSA_FORMAT=%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
+VARNISH_VARNISHNCSA_OPTIONS=
+VARNISH_VCL_CONF=/etc/varnish/docker-default.vcl

.gitignore

@@ -1 +1,2 @@
+.env
 dist

CHANGELOG.md

@@ -6,6 +6,40 @@ Summary of release changes for Version 2.
 
 CentOS-7 7.5.1804 x86_64 - HAProxy 1.8 / HATop 0.7.
 
+### 2.2.0 - 2019-05-30
+
+- Updates `haproxy18u` packages to 1.8.19-1.
+- Updates source image to [2.5.1](https://github.com/jdeathe/centos-ssh/releases/tag/2.5.1).
+- Updates and restructures Dockerfile.
+- Updates container naming conventions and readability of `Makefile`.
+- Updates healthcheck retries to 4.
+- Updates docker-compose configuration examples.
+- Updates default tls/ssl certificate name from `localhost.localdomain.crt` to `localhost.crt`.
+- Fixes issue with unexpected published port in run templates when `DOCKER_PORT_MAP_TCP_80` or `DOCKER_PORT_MAP_TCP_443` is set to an empty string or 0.
+- Fixes binary paths in systemd unit files for compatibility with both EL and Ubuntu hosts.
+- Fixes environment variable name typo in README for `HAPROXY_CONFIG`.
+- Adds port incrementation to Makefile's run template for container names with an instance suffix.
+- Adds placeholder replacement of `RELEASE_VERSION` docker argument to systemd service unit template.
+- Adds improvement to pull logic in systemd unit install template.
+- Adds `SSH_AUTOSTART_SUPERVISOR_STDOUT` with a value "false", disabling startup of `supervisor_stdout`.
+- Adds improved logging output.
+- Adds consideration for event lag into test cases for unhealthy health_status events.
+- Adds error messages to healthcheck script and includes supervisord check.
+- Adds improved `healtchcheck`, `haproxy-wrapper` and `rsyslogd-wrapper` scripts.
+- Adds improved lock/state file implementation in wrapper scripts.
+- Adds config path and tls/ssl certificate fingerprint to `haproxy-wrapper` Details output.
+- Adds support for hitless reload via `haproxy-wrapper`.
+- Adds configuration of Apache certificate via `APACHE_SSL_CERTIFICATE` in `.env` for the tcp example.
+- Adds SNI forwarding in the TLS/SSL tcp example configuration.
+- Adds `/status` (`monitor-uri`) endpoints and custom error responses to http example configuration.
+- Adds `socat` package to the image to allow for non-interactive HAProxy CLI usage.
+- Removes use of `/etc/services-config` paths.
+- Removes the unused group element from the default container name.
+- Removes the node element from the default container name.
+- Removes unused environment variables from Makefile and scmi configuration.
+- Removes X-Fleet section from etcd register template unit-file.
+- Removes use of `stick-table` in `haproxy-tcp.cfg` as it should not be necessary for web backends that support shared persistence/session data stores.
+
 ### 2.1.1 - 2018-12-27
 
 - Updates `haproxy18u` packages to 1.8.14-1.

Dockerfile

@@ -1,162 +1,103 @@
-# =============================================================================
-# jdeathe/centos-ssh-haproxy
-# =============================================================================
-FROM jdeathe/centos-ssh:2.4.1
+FROM jdeathe/centos-ssh:2.5.1
 
 ARG HATOP_VERSION="0.7.7"
+ARG RELEASE_VERSION="2.2.0"
 
-# -----------------------------------------------------------------------------
-# Install HAProxy
-# -----------------------------------------------------------------------------
-RUN rpm --rebuilddb \
-	&& yum -y install \
+# ------------------------------------------------------------------------------
+# Base install of required packages
+# ------------------------------------------------------------------------------
+RUN yum -y install \
 			--setopt=tsflags=nodocs \
 			--disableplugin=fastestmirror \
-		haproxy18u-1.8.14-1.ius.centos7 \
+		haproxy18u-1.8.19-1.ius.centos7 \
 		rsyslog-8.24.0-34.el7 \
+		socat-1.7.3.2-2.el7 \
 	&& yum versionlock add \
 		haproxy \
 		rsyslog \
+		socat \
 	&& yum clean all \
-	&& mv \
-		/etc/haproxy/haproxy.cfg \
-		/etc/haproxy/haproxy.cfg.default \
-	&& mkdir -p \
-		/etc/pki/tls/certs/sni
-
-# -----------------------------------------------------------------------------
-# Enable local syslog logging
-# -----------------------------------------------------------------------------
-RUN sed -i \
-		-e 's~^#\$ModLoad imudp$~\$ModLoad imudp~' \
-		-e 's~^#\$UDPServerRun 514$~\$UDPServerRun 514~' \
-		-e 's~^\(\$OmitLocalLogging .*\)$~#\1~' \
-		-e 's~^\(\$ModLoad imuxsock .*\)$~#\1~' \
-		-e 's~^\(\$ModLoad imjournal .*\)$~#\1~' \
-		-e 's~^\(\$IMJournalStateFile .*\)$~#\1~' \
-		/etc/rsyslog.conf \
-	&& mkdir -p \
-		/run/systemd/journal \
-	&& { \
-		echo '$UDPServerAddress 127.0.0.1'; \
-		echo 'local2.* /var/log/haproxy.log'; \
-		echo '& stop'; \
-	} > /etc/rsyslog.d/listen.conf
-
-# -----------------------------------------------------------------------------
-# Install HATop
-#   usage: env TERM=xterm hatop -s /var/lib/haproxy/stats
-# -----------------------------------------------------------------------------
-RUN curl -LsSO \
+	&& curl -LsSO \
 		https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hatop/hatop-${HATOP_VERSION}.tar.gz \
 	&& tar -xzf hatop-${HATOP_VERSION}.tar.gz \
 	&& cd hatop-${HATOP_VERSION} \
 	&& install \
 		-m 0755 \
 		bin/hatop \
 		/usr/local/bin \
-	&& rm -rf /hatop-${HATOP_VERSION}* \
-	&& echo 'alias hatop="hatop -s /var/lib/haproxy/stats-1 -i 1"' \
-		> /etc/profile.d/hatop.sh
-
-# -----------------------------------------------------------------------------
-# Increase the system limits
-# -----------------------------------------------------------------------------
-RUN { \
-		echo ''; \
-		echo -e 'haproxy\tsoft\tnofile\t8388608'; \
-		echo -e 'haproxy\thard\tnofile\t16777216'; \
-	} >> /etc/security/limits.conf
+	&& rm -rf /hatop-${HATOP_VERSION}*
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Copy files into place
-# -----------------------------------------------------------------------------
-ADD src/usr/bin \
-	/usr/bin/
-ADD src/usr/sbin \
-	/usr/sbin/
-ADD src/opt/scmi \
-	/opt/scmi/
-ADD src/etc/services-config/haproxy \
-	/etc/services-config/haproxy/
-ADD src/etc/services-config/supervisor/supervisord.d \
-	/etc/services-config/supervisor/supervisord.d/
-ADD src/etc/systemd/system \
-	/etc/systemd/system/
+# ------------------------------------------------------------------------------
+ADD src /
 
-RUN ln -sf \
-		/etc/services-config/haproxy/haproxy-http.example.cfg \
+# ------------------------------------------------------------------------------
+# Provisioning
+# - Increase the system limits
+# - Add required directories
+# - Enable local syslog logging
+# - Add hatop alias
+# - Replace placeholders with values in systemd service unit template
+# - Backup default haproxy configuration
+# - Replace default haproxy configuration with haproxy-http.cfg
+# - Set permissions
+# ------------------------------------------------------------------------------
+RUN { printf -- \
+		'\nhaproxy\tsoft\tnofile\t%s\nhaproxy\thard\tnofile\t%s\n' \
+		'8388608' \
+		'16777216'; \
+	} >> /etc/security/limits.conf \
+	&& mkdir -p \
+		{/etc/pki/tls/certs/sni,/run/systemd/journal} \
+	&& sed -i \
+		-e 's~^#\$ModLoad imudp$~\$ModLoad imudp~' \
+		-e 's~^#\$UDPServerRun 514$~\$UDPServerRun 514~' \
+		-e 's~^\(\$OmitLocalLogging .*\)$~#\1~' \
+		-e 's~^\(\$ModLoad imjournal .*\)$~#\1~' \
+		-e 's~^\(\$ModLoad imklog .*\)$~#\1~' \
+		-e 's~^\(\$ModLoad imuxsock .*\)$~#\1~' \
+		-e 's~^\(\$IMJournalStateFile .*\)$~#\1~' \
+		/etc/rsyslog.conf \
+	&& { printf -- \
+		'$UDPServerAddress %s\nlocal2.* %s\n& stop\n' \
+		'127.0.0.1' \
+		'/dev/stdout'; \
+	} > /etc/rsyslog.d/listen.conf \
+	&& printf -- 'alias hatop="%s"' \
+		"hatop -s /var/lib/haproxy/stats-1 -i 1" \
+		> /etc/profile.d/hatop.sh \
+	&& sed -i \
+		-e "s~{{RELEASE_VERSION}}~${RELEASE_VERSION}~g" \
+		/etc/systemd/system/[email protected] \
+	&& mv \
 		/etc/haproxy/haproxy.cfg \
-	&& ln -sf \
-		/etc/services-config/haproxy/haproxy-http.example.cfg \
+		/etc/haproxy/haproxy.cfg.default \
+	&& cp \
 		/etc/haproxy/haproxy-http.cfg \
-	&& ln -sf \
-		/etc/services-config/haproxy/haproxy-http-proxy.example.cfg \
-		/etc/haproxy/haproxy-http-proxy.cfg \
-	&& ln -sf \
-		/etc/services-config/haproxy/haproxy-h2.example.cfg \
-		/etc/haproxy/haproxy-h2.cfg \
-	&& ln -sf \
-		/etc/services-config/haproxy/haproxy-h2-proxy.example.cfg \
-		/etc/haproxy/haproxy-h2-proxy.cfg \
-	&& ln -sf \
-		/etc/services-config/haproxy/haproxy-tcp.example.cfg \
-		/etc/haproxy/haproxy-tcp.cfg \
-	&& ln -sf \
-		/etc/services-config/haproxy/haproxy-bootstrap.conf \
-		/etc/haproxy-bootstrap.conf \
-	&& ln -sf \
-		/etc/services-config/haproxy/400.html.http \
-		/etc/haproxy/400.html.http \
-	&& ln -sf \
-		/etc/services-config/haproxy/403.html.http \
-		/etc/haproxy/403.html.http \
-	&& ln -sf \
-		/etc/services-config/haproxy/408.html.http \
-		/etc/haproxy/408.html.http \
-	&& ln -sf \
-		/etc/services-config/haproxy/500.html.http \
-		/etc/haproxy/500.html.http \
-	&& ln -sf \
-		/etc/services-config/haproxy/502.html.http \
-		/etc/haproxy/502.html.http \
-	&& ln -sf \
-		/etc/services-config/haproxy/503.html.http \
-		/etc/haproxy/503.html.http \
-	&& ln -sf \
-		/etc/services-config/haproxy/504.html.http \
-		/etc/haproxy/504.html.http \
-	&& ln -sf \
-		/etc/services-config/supervisor/supervisord.d/haproxy-bootstrap.conf \
-		/etc/supervisord.d/haproxy-bootstrap.conf \
-	&& ln -sf \
-		/etc/services-config/supervisor/supervisord.d/haproxy-wrapper.conf \
-		/etc/supervisord.d/haproxy-wrapper.conf \
-	&& ln -sf \
-		/etc/services-config/supervisor/supervisord.d/rsyslogd-wrapper.conf \
-		/etc/supervisord.d/rsyslogd-wrapper.conf \
+		/etc/haproxy/haproxy.cfg \
 	&& chmod 600 \
-		/etc/services-config/haproxy/{haproxy-{http,http-proxy,h2,h2-proxy,tcp}.example.cfg,{400,403,408,500,502,503,504}.html.http} \
+		/etc/haproxy/{{haproxy,haproxy-{http,http-proxy,h2,h2-proxy,tcp}}.cfg,{400,403,408,500,502,503,504}.html.http} \
 	&& chmod 600 \
-		/etc/services-config/supervisor/supervisord.d/{haproxy-bootstrap,{haproxy,rsyslogd}-wrapper}.conf \
+		/etc/supervisord.d/{haproxy-bootstrap,{haproxy,rsyslogd}-wrapper}.conf \
 	&& chmod 700 \
 		/usr/{bin/healthcheck,sbin/{haproxy-bootstrap,{haproxy,rsyslogd}-wrapper}}
 
 EXPOSE 80 443
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Set default environment variables
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 ENV HAPROXY_SSL_CERTIFICATE="" \
 	HAPROXY_CONFIG="/etc/haproxy/haproxy.cfg" \
 	HAPROXY_HOST_NAMES="localhost.localdomain" \
-	SSH_AUTOSTART_SSHD=false \
-	SSH_AUTOSTART_SSHD_BOOTSTRAP=false
+	SSH_AUTOSTART_SSHD="false" \
+	SSH_AUTOSTART_SSHD_BOOTSTRAP="false" \
+	SSH_AUTOSTART_SUPERVISOR_STDOUT="false"
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Set image metadata
-# -----------------------------------------------------------------------------
-ARG RELEASE_VERSION="2.1.1"
+# ------------------------------------------------------------------------------
 LABEL \
 	maintainer="James Deathe <[email protected]>" \
 	install="docker run \
@@ -186,9 +127,9 @@ jdeathe/centos-ssh-haproxy:${RELEASE_VERSION} \
 	org.deathe.description="CentOS-7 7.5.1804 x86_64 - HAProxy 1.8 / HATop 0.7."
 
 HEALTHCHECK \
-	--interval=0.5s \
+	--interval=1s \
 	--timeout=1s \
 	--retries=4 \
 	CMD ["/usr/bin/healthcheck"]
 
-CMD ["/usr/bin/supervisord", "--configuration=/etc/supervisord.conf"]
+CMD ["/usr/bin/supervisord", "--configuration=/etc/supervisord.conf"]