Merge pull request #3 from linuxserver/nginx

Switch to nginx

Author: thespad

.github/workflows/external_trigger.yml

@@ -20,7 +20,8 @@ jobs:
           echo "**** External trigger running off of main branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_SOCKET_PROXY_MAIN\". ****"
           echo "External trigger running off of main branch. To disable this trigger, set a Github secret named \`PAUSE_EXTERNAL_TRIGGER_SOCKET_PROXY_MAIN\`" >> $GITHUB_STEP_SUMMARY
           echo "**** Retrieving external version ****"
-          EXT_RELEASE=$(docker run --rm quay.io/skopeo/stable:v1 inspect docker://docker.io/haproxy:lts-alpine | jq -r '.Env[] | select(startswith("HAPROXY_VERSION")) | split("=")[1]')
+          EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+            && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://')
           if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
             echo "**** Can't retrieve external version, exiting ****"
             FAILURE_REASON="Can't retrieve external version for socket-proxy branch main"
@@ -73,6 +74,14 @@ jobs:
             echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
             echo "Version ${EXT_RELEASE} already pushed, exiting" >> $GITHUB_STEP_SUMMARY
             exit 0
+          elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then
+            echo "**** New version ${EXT_RELEASE} found; but not all arch repos updated yet; exiting ****"
+            echo "New version ${EXT_RELEASE} found; but not all arch repos updated yet; exiting" >> $GITHUB_STEP_SUMMARY
+            FAILURE_REASON="New version ${EXT_RELEASE} for socket-proxy tag latest is detected, however not all arch repos are updated yet. Will try again later."
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+              "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+            exit 0
           elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-socket-proxy/job/main/lastBuild/api/json | jq -r '.building') == "true" ]; then
             echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
             echo "New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY

Dockerfile

@@ -1,12 +1,11 @@
 # syntax=docker/dockerfile:1
 
-ARG HAPROXY_VERSION
-
-FROM haproxy:${HAPROXY_VERSION:-lts}-alpine
+FROM docker.io/alpine:3.19
 
 # set version label
 ARG BUILD_DATE
 ARG VERSION
+ARG NGINX_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="thespad"
 
@@ -18,13 +17,11 @@ ENV ALLOW_RESTARTS=0 \
     COMMIT=0 \
     CONFIGS=0 \
     CONTAINERS=0 \
-    DISABLE_IPV6=0 \
     DISTRIBUTION=0 \
     EVENTS=1 \
     EXEC=0 \
     IMAGES=0 \
     INFO=0 \
-    LOG_LEVEL=info \
     NETWORKS=0 \
     NODES=0 \
     PING=1 \
@@ -40,8 +37,26 @@ ENV ALLOW_RESTARTS=0 \
     VERSION=1 \
     VOLUMES=0
 
-USER root
+# install packages
+RUN \
+  echo "**** install build packages ****" && \
+  apk add --no-cache \
+    alpine-release \
+    bash \
+    curl \
+    envsubst && \
+  if [ -z ${NGINX_VERSION+x} ]; then \
+  NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+    && awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+  fi && \
+  apk add --no-cache \
+    nginx==${NGINX_VERSION} && \
+    rm -f /etc/nginx/conf.d/stream.conf && \
+    rm -f /etc/nginx/http.d/default.conf
 
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+# add local files
+COPY root/ /
 
 EXPOSE 2375
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

Dockerfile.aarch64

@@ -1,12 +1,11 @@
 # syntax=docker/dockerfile:1
 
-ARG HAPROXY_VERSION
-
-FROM haproxy:${HAPROXY_VERSION:-lts}-alpine
+FROM docker.io/alpine:3.19
 
 # set version label
 ARG BUILD_DATE
 ARG VERSION
+ARG NGINX_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="thespad"
 
@@ -18,13 +17,11 @@ ENV ALLOW_RESTARTS=0 \
     COMMIT=0 \
     CONFIGS=0 \
     CONTAINERS=0 \
-    DISABLE_IPV6=0 \
     DISTRIBUTION=0 \
     EVENTS=1 \
     EXEC=0 \
     IMAGES=0 \
     INFO=0 \
-    LOG_LEVEL=info \
     NETWORKS=0 \
     NODES=0 \
     PING=1 \
@@ -40,8 +37,26 @@ ENV ALLOW_RESTARTS=0 \
     VERSION=1 \
     VOLUMES=0
 
-USER root
+# install packages
+RUN \
+  echo "**** install build packages ****" && \
+  apk add --no-cache \
+    alpine-release \
+    bash \
+    curl \
+    envsubst && \
+  if [ -z ${NGINX_VERSION+x} ]; then \
+  NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+    && awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \
+  fi && \
+  apk add --no-cache \
+    nginx==${NGINX_VERSION} && \
+    rm -f /etc/nginx/conf.d/stream.conf && \
+    rm -f /etc/nginx/http.d/default.conf
 
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+# add local files
+COPY root/ /
 
 EXPOSE 2375
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

Jenkinsfile

@@ -17,14 +17,17 @@ pipeline {
     GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0')
     GITLAB_NAMESPACE=credentials('gitlab-namespace-id')
     DOCKERHUB_TOKEN=credentials('docker-hub-ci-pat')
-    BUILD_VERSION_ARG = 'HAPROXY_VERSION'
+    BUILD_VERSION_ARG = 'NGINX_VERSION'
     LS_USER = 'linuxserver'
     LS_REPO = 'docker-socket-proxy'
     CONTAINER_NAME = 'socket-proxy'
     DOCKERHUB_IMAGE = 'linuxserver/socket-proxy'
     DEV_DOCKERHUB_IMAGE = 'lsiodev/socket-proxy'
     PR_DOCKERHUB_IMAGE = 'lspipepr/socket-proxy'
     DIST_IMAGE = 'alpine'
+    DIST_TAG = '3.19'
+    DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.19/main/'
+    DIST_REPO_PACKAGES = 'nginx'
     MULTIARCH='true'
     CI='false'
     CI_WEB='false'
@@ -110,14 +113,15 @@ pipeline {
     /* ########################
        External Release Tagging
        ######################## */
-    // If this is a custom command to determine version use that command
-    stage("Set tag custom bash"){
+    // If this is an alpine repo change for external version determine an md5 from the version string
+    stage("Set tag Alpine Repo"){
       steps{
         script{
           env.EXT_RELEASE = sh(
-            script: ''' docker run --rm quay.io/skopeo/stable:v1 inspect docker://docker.io/haproxy:lts-alpine | jq -r '.Env[] | select(startswith("HAPROXY_VERSION")) | split("=")[1]' ''',
+            script: '''curl -sL "${DIST_REPO}x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+                       && awk '/^P:'"${DIST_REPO_PACKAGES}"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://' ''',
             returnStdout: true).trim()
-            env.RELEASE_LINK = 'custom_command'
+            env.RELEASE_LINK = 'alpine_repo'
         }
       }
     }
@@ -837,11 +841,11 @@ pipeline {
              "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
         echo "Pushing New release for Tag"
         sh '''#! /bin/bash
-              echo "Updating to ${EXT_RELEASE_CLEAN}" > releasebody.json
+              echo "Updating external repo packages to ${EXT_RELEASE_CLEAN}" > releasebody.json
               echo '{"tag_name":"'${META_TAG}'",\
                      "target_commitish": "main",\
                      "name": "'${META_TAG}'",\
-                     "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Remote Changes:**\\n\\n' > start
+                     "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Repo Changes:**\\n\\n' > start
               printf '","draft": false,"prerelease": false}' >> releasebody.json
               paste -d'\\0' start releasebody.json > releasebody.json.done
               curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''

README.md

@@ -32,9 +32,9 @@ Find us at:
 [![Docker Stars](https://img.shields.io/docker/stars/linuxserver/socket-proxy.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/linuxserver/socket-proxy)
 [![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-socket-proxy%2Fjob%2Fmain%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-socket-proxy/job/main/)
 
-[Socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) is a security-enhanced proxy for the Docker Socket.
+Socket proxy is a security-enhanced proxy for the Docker Socket.
 
-[![socket-proxy](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/docker-logo.png)](https://github.com/Tecnativa/docker-socket-proxy)
+![socket-proxy](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/docker-logo.png)
 
 ## Supported Architectures
 
@@ -52,9 +52,9 @@ The architectures supported by this image are:
 
 ## Application Setup
 
-This container is a fork of [https://github.com/Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) and as such does not follow our usual container conventions. It *does not* support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment).
+This container is based on [https://github.com/Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) and as such does not follow our usual container conventions. It *does not* support mods or custom scripts/services, or running as a user other than root (or the docker user in a rootless environment).
 
-The container should be run on the same docker network as the service(s) using it. Most containers that would normally connect to a mounted docker.sock can have their endpoint overridden using the `DOCKER_HOST` environment variable if they do not offer the option in their configuration; it should typically be pointed to tcp://socket-proxy:2375.
+The container should be run on the same docker network as the service(s) using it. Most containers that would normally connect to a mounted docker.sock can have their endpoint overridden using the `DOCKER_HOST` environment variable if they do not offer the option in their configuration; it should typically be pointed to `tcp://socket-proxy:2375`.
 
 * Never expose this container's port to a public network. It should be treated the same way you would treat the docker socket or TCP endpoint.
 * Revoke access to any API section that you consider your service should not need.
@@ -74,34 +74,32 @@ services:
     image: lscr.io/linuxserver/socket-proxy:latest
     container_name: socket-proxy
     environment:
-      - EVENTS=1 #optional
-      - PING=1 #optional
-      - VERSION=1 #optional
+      - ALLOW_START=0 #optional
+      - ALLOW_STOP=0 #optional
+      - ALLOW_RESTARTS=0 #optional
       - AUTH=0 #optional
-      - SECRETS=0 #optional
-      - POST=0 #optional
       - BUILD=0 #optional
       - COMMIT=0 #optional
       - CONFIGS=0 #optional
       - CONTAINERS=0 #optional
-      - ALLOW_START=0 #optional
-      - ALLOW_STOP=0 #optional
-      - ALLOW_RESTARTS=0 #optional
       - DISTRIBUTION=0 #optional
+      - EVENTS=1 #optional
       - EXEC=0 #optional
       - IMAGES=0 #optional
       - INFO=0 #optional
-      - LOG_LEVEL=info #optional
       - NETWORKS=0 #optional
       - NODES=0 #optional
+      - PING=1 #optional
+      - POST=0 #optional
       - PLUGINS=0 #optional
+      - SECRETS=0 #optional
       - SERVICES=0 #optional
       - SESSION=0 #optional
       - SWARM=0 #optional
       - SYSTEM=0 #optional
       - TASKS=0 #optional
+      - VERSION=1 #optional
       - VOLUMES=0 #optional
-      - DISABLE_IPV6=0 #optional
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     restart: unless-stopped
@@ -115,34 +113,32 @@ services:
 ```bash
 docker run -d \
   --name=socket-proxy \
-  -e EVENTS=1 `#optional` \
-  -e PING=1 `#optional` \
-  -e VERSION=1 `#optional` \
+  -e ALLOW_START=0 `#optional` \
+  -e ALLOW_STOP=0 `#optional` \
+  -e ALLOW_RESTARTS=0 `#optional` \
   -e AUTH=0 `#optional` \
-  -e SECRETS=0 `#optional` \
-  -e POST=0 `#optional` \
   -e BUILD=0 `#optional` \
   -e COMMIT=0 `#optional` \
   -e CONFIGS=0 `#optional` \
   -e CONTAINERS=0 `#optional` \
-  -e ALLOW_START=0 `#optional` \
-  -e ALLOW_STOP=0 `#optional` \
-  -e ALLOW_RESTARTS=0 `#optional` \
   -e DISTRIBUTION=0 `#optional` \
+  -e EVENTS=1 `#optional` \
   -e EXEC=0 `#optional` \
   -e IMAGES=0 `#optional` \
   -e INFO=0 `#optional` \
-  -e LOG_LEVEL=info `#optional` \
   -e NETWORKS=0 `#optional` \
   -e NODES=0 `#optional` \
+  -e PING=1 `#optional` \
+  -e POST=0 `#optional` \
   -e PLUGINS=0 `#optional` \
+  -e SECRETS=0 `#optional` \
   -e SERVICES=0 `#optional` \
   -e SESSION=0 `#optional` \
   -e SWARM=0 `#optional` \
   -e SYSTEM=0 `#optional` \
   -e TASKS=0 `#optional` \
+  -e VERSION=1 `#optional` \
   -e VOLUMES=0 `#optional` \
-  -e DISABLE_IPV6=0 `#optional` \
   -v /var/run/docker.sock:/var/run/docker.sock:ro \
   --restart unless-stopped \
   --read-only \
@@ -156,34 +152,32 @@ Containers are configured using parameters passed at runtime (such as those abov
 
 | Parameter | Function |
 | :----: | --- |
-| `-e EVENTS=1` | `/events` |
-| `-e PING=1` | `/_ping` |
-| `-e VERSION=1` | `/version` |
+| `-e ALLOW_START=0` | `/containers/id/start` |
+| `-e ALLOW_STOP=0` | `/containers/id/stop` |
+| `-e ALLOW_RESTARTS=0` | `/containers/id/stop`, `/containers/id/restart`, and `/containers/id/kill` |
 | `-e AUTH=0` | `/auth` |
-| `-e SECRETS=0` | `/secrets` |
-| `-e POST=0` | When set to `0`, only `GET` and `HEAD` operations are allowed, making API access read-only. |
 | `-e BUILD=0` | `/build` |
 | `-e COMMIT=0` | `/commit` |
 | `-e CONFIGS=0` | `/configs` |
 | `-e CONTAINERS=0` | `/containers` |
-| `-e ALLOW_START=0` | `/containers/id/start` |
-| `-e ALLOW_STOP=0` | `/containers/id/stop` |
-| `-e ALLOW_RESTARTS=0` | `/containers/id/stop`, `/containers/id/restart`, and `/containers/id/kill` |
 | `-e DISTRIBUTION=0` | `/distribution` |
+| `-e EVENTS=1` | `/events` |
 | `-e EXEC=0` | `/exec` & `/containers/{id}/exec` |
 | `-e IMAGES=0` | `/images` |
 | `-e INFO=0` | `/info` |
-| `-e LOG_LEVEL=info` | Default value is `info`. Possible values are: `debug`, `info`, `notice`, `warning`, `err`, `crit`, `alert`, and `emerg`. |
 | `-e NETWORKS=0` | `/networks` |
 | `-e NODES=0` | `/nodes` |
+| `-e PING=1` | `/_ping` |
 | `-e PLUGINS=0` | `/plugins` |
+| `-e POST=0` | When set to `0`, only `GET` and `HEAD` operations are allowed, making API access read-only. |
+| `-e SECRETS=0` | `/secrets` |
 | `-e SERVICES=0` | `/services` |
 | `-e SESSION=0` | `/session` |
 | `-e SWARM=0` | `/swarm` |
 | `-e SYSTEM=0` | `/system` |
 | `-e TASKS=0` | `/tasks` |
+| `-e VERSION=1` | `/version` |
 | `-e VOLUMES=0` | `/volumes` |
-| `-e DISABLE_IPV6=0` | Set to `1` to disable IPv6 bindings in scenarios where the host cannot support it. |
 | `-v /var/run/docker.sock:ro` | Mount the host docker socket into the container. |
 | `--read-only` | Make the container filesystem read-only. |
 | `--tmpfs /run` | Mount /run to tmpfs (RAM) to make it writeable. |
@@ -307,4 +301,5 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **08.04.24:** - Use nginx due to haproxy's wonky websockets handling.
 * **07.04.24:** - Initial Release.