switch to nginx (#6)

kheeklab · Mar 25, 2021 · e69eee8 · e69eee8
1 parent 4ee76d5
commit e69eee8
Show file tree

Hide file tree

Showing 10 changed files with 243 additions and 81 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,32 +1,79 @@
-FROM python:3.8.8
+FROM python:3.8.8-buster
 
 LABEL maintainer="Sida Say <sida.say@khalibre.com>"
 
-ENV PYTHONPATH=/app \
-    PI_SKIP_BOOTSTRAP=false \
+ENV PI_SKIP_BOOTSTRAP=false \
     DB_VENDOR=sqlite \
     PI_VERSION=3.5.1
 
-RUN apt-get update; \
-    pip install meinheld gunicorn pymysql-sa PyMySQL; \
+COPY ./configs/install-nginx-debian.sh /
+
+RUN bash /install-nginx-debian.sh
+
+EXPOSE 80
+
+# Expose 443, in case of LTS / HTTPS
+EXPOSE 443
+
+
+# COPY PI configuration
+COPY ./configs/config.py /etc/privacyidea/pi.cfg
+
+# Remove default configuration from Nginx
+RUN rm /etc/nginx/conf.d/default.conf
+# Copy the base uWSGI ini file to enable default dynamic uwsgi process number
+COPY ./configs/uwsgi.ini /etc/uwsgi/
+
+# Install Supervisord
+RUN set -xe; \
+    apt-get update && apt-get install -y supervisor ca-certificates gosu; \
+    gosu nobody true; \
+    rm -rf /var/lib/apt/lists/*
+# Custom Supervisord config
+COPY ./configs/supervisord-debian.conf /etc/supervisor/conf.d/supervisord.conf
+
+# Install uWSGI and PrivacyIdea
+RUN pip install uwsgi pymysql-sa PyMySQL;\
     pip install -r https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_VERSION}/requirements.txt; \
     pip install git+https://github.com/privacyidea/privacyidea.git@v${PI_VERSION}
 
-COPY ./configs/gunicorn_conf.py /gunicorn_conf.py
-COPY ./configs/config.py /etc/privacyidea/pi.cfg
-COPY ./configs/app /app
-COPY ./configs/entrypoint.sh /entrypoint.sh
-COPY ./configs/start.sh /start.sh
-RUN chmod +x /start.sh; \
-    chmod +x /entrypoint.sh
+# Which uWSGI .ini file should be used, to make it customizable
+ENV UWSGI_INI /app/uwsgi.ini
 
-WORKDIR /app/
-VOLUME [ "/data/privacyidea" ]
+# By default, run 2 processes
+ENV UWSGI_CHEAPER 2
 
-EXPOSE 80
+# By default, when on demand, run up to 16 processes
+ENV UWSGI_PROCESSES 16
+
+# By default, allow unlimited file sizes, modify it to limit the file sizes
+# To have a maximum of 1 MB (Nginx's default) change the line to:
+# ENV NGINX_MAX_UPLOAD 1m
+ENV NGINX_MAX_UPLOAD 0
+
+# By default, Nginx will run a single worker process, setting it to auto
+# will create a worker for each CPU core
+ENV NGINX_WORKER_PROCESSES 1
+
+# By default, Nginx listens on port 80.
+# To modify this, change LISTEN_PORT environment variable.
+# (in a Dockerfile or with an option for `docker run`)
+ENV LISTEN_PORT 80
+    # Copy start.sh script that will check for a /app/prestart.sh script and run it before starting the app
+COPY ./configs/start.sh /start.sh
+RUN chmod +x /start.sh
+
+# Copy the entrypoint that will generate Nginx additional configs
+COPY ./configs/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 
+# Add demo app
+COPY ./configs/app /app
+WORKDIR /app
+VOLUME [ "/data/privacyidea" ]
+
 # Run the start script, it will check for an /app/prestart.sh script (e.g. for migrations)
-# And then will start Gunicorn with Meinheld
+# And then will start Supervisor, which in turn will start Nginx and uWSGI
 CMD ["/start.sh"]
diff --git a/README.md b/README.md
@@ -28,7 +28,6 @@ Login to http://localhost:5000 with "admin"/"privacyidea".
 > You must not use this in productive environment, since it contains fixed credentail, encryption keys!
 
 ## Advanced usage
-This image extended from [meinheld-gunicorn-docker](https://github.com/tiangolo/meinheld-gunicorn-docker). Some enviromment variables are inherited from parent image. Pease refer to above link for more infomation.
 
 ### PrivacyIdea Environment variables
 
@@ -45,3 +44,5 @@ This image extended from [meinheld-gunicorn-docker](https://github.com/tiangolo/
 - SECRET_KEY
 - PI_ADMIN_USER
 - PI_ADMIN_PASSWORD
+
+Inspired by https://github.com/tiangolo/uwsgi-nginx-docker
diff --git a/configs/app/main.py b/configs/app/main.py
@@ -2,5 +2,4 @@
 sys.stdout = sys.stderr
 from privacyidea.app import create_app
 # Now we can select the config file:
-app = create_app(config_name="production",
-                    config_file="/etc/privacyidea/pi.cfg")
+application = create_app(config_name="production", config_file="/etc/privacyidea/pi.cfg")
diff --git a/configs/app/uwsgi.ini b/configs/app/uwsgi.ini
@@ -0,0 +1,2 @@
+[uwsgi]
+wsgi-file=/app/main.py
diff --git a/configs/entrypoint.sh b/configs/entrypoint.sh
@@ -1,22 +1,70 @@
 #!/usr/bin/env sh
 set -e
 
-if [ -f /app/app/main.py ]; then
-    DEFAULT_MODULE_NAME=app.main
-elif [ -f /app/main.py ]; then
-    DEFAULT_MODULE_NAME=main
-fi
-MODULE_NAME=${MODULE_NAME:-$DEFAULT_MODULE_NAME}
-VARIABLE_NAME=${VARIABLE_NAME:-app}
-export APP_MODULE=${APP_MODULE:-"$MODULE_NAME:$VARIABLE_NAME"}
-
-if [ -f /app/gunicorn_conf.py ]; then
-    DEFAULT_GUNICORN_CONF=/app/gunicorn_conf.py
-elif [ -f /app/app/gunicorn_conf.py ]; then
-    DEFAULT_GUNICORN_CONF=/app/app/gunicorn_conf.py
+# Get the maximum upload file size for Nginx, default to 0: unlimited
+USE_NGINX_MAX_UPLOAD=${NGINX_MAX_UPLOAD:-0}
+
+# Get the number of workers for Nginx, default to 1
+USE_NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
+
+# Set the max number of connections per worker for Nginx, if requested
+# Cannot exceed worker_rlimit_nofile, see NGINX_WORKER_OPEN_FILES below
+NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-1024}
+
+# Get the listen port for Nginx, default to 80
+USE_LISTEN_PORT=${LISTEN_PORT:-80}
+
+if [ -f /app/nginx.conf ]; then
+    cp /app/nginx.conf /etc/nginx/nginx.conf
 else
-    DEFAULT_GUNICORN_CONF=/gunicorn_conf.py
+    content='user  nginx;\n'
+    # Set the number of worker processes in Nginx
+    content=$content"worker_processes ${USE_NGINX_WORKER_PROCESSES};\n"
+    content=$content'error_log  /var/log/nginx/error.log warn;\n'
+    content=$content'pid        /var/run/nginx.pid;\n'
+    content=$content'events {\n'
+    content=$content"    worker_connections ${NGINX_WORKER_CONNECTIONS};\n"
+    content=$content'}\n'
+    content=$content'http {\n'
+    content=$content'    include       /etc/nginx/mime.types;\n'
+    content=$content'    default_type  application/octet-stream;\n'
+    content=$content'    log_format  main  '"'\$remote_addr - \$remote_user [\$time_local] \"\$request\" '\n"
+    content=$content'                      '"'\$status \$body_bytes_sent \"\$http_referer\" '\n"
+    content=$content'                      '"'\"\$http_user_agent\" \"\$http_x_forwarded_for\"';\n"
+    content=$content'    access_log  /var/log/nginx/access.log  main;\n'
+    content=$content'    sendfile        on;\n'
+    content=$content'    keepalive_timeout  65;\n'
+    content=$content'    include /etc/nginx/conf.d/*.conf;\n'
+    content=$content'}\n'
+    content=$content'daemon off;\n'
+    # Set the max number of open file descriptors for Nginx workers, if requested
+    if [ -n "${NGINX_WORKER_OPEN_FILES}" ] ; then
+        content=$content"worker_rlimit_nofile ${NGINX_WORKER_OPEN_FILES};\n"
+    fi
+    # Save generated /etc/nginx/nginx.conf
+    printf "$content" > /etc/nginx/nginx.conf
+
+    content_server='server {\n'
+    content_server=$content_server"    listen ${USE_LISTEN_PORT};\n"
+    content_server=$content_server'    location / {\n'
+    content_server=$content_server'        include uwsgi_params;\n'
+    content_server=$content_server'        uwsgi_pass unix:///tmp/uwsgi.sock;\n'
+    content_server=$content_server'    }\n'
+    content_server=$content_server'}\n'
+    # Save generated server /etc/nginx/conf.d/nginx.conf
+    printf "$content_server" > /etc/nginx/conf.d/nginx.conf
+
+    # Generate Nginx config for maximum upload file size
+    printf "client_max_body_size $USE_NGINX_MAX_UPLOAD;\n" > /etc/nginx/conf.d/upload.conf
+
+    # Remove default Nginx config from Alpine
+    printf "" > /etc/nginx/conf.d/default.conf
 fi
-export GUNICORN_CONF=${GUNICORN_CONF:-$DEFAULT_GUNICORN_CONF}
 
+# For Alpine:
+# Explicitly add installed Python packages and uWSGI Python packages to PYTHONPATH
+# Otherwise uWSGI can't import Flask
+if [ -n "$ALPINEPYTHON" ] ; then
+    export PYTHONPATH=$PYTHONPATH:/usr/local/lib/$ALPINEPYTHON/site-packages:/usr/lib/$ALPINEPYTHON/site-packages
+fi
 exec "$@"
diff --git a/configs/gunicorn_conf.py b/configs/gunicorn_conf.py
diff --git a/configs/install-nginx-debian.sh b/configs/install-nginx-debian.sh
@@ -0,0 +1,81 @@
+#! /usr/bin/env bash
+
+# From official Nginx Docker image, as a script to re-use it, removing internal comments
+# Ref: https://github.com/nginxinc/docker-nginx/blob/594ce7a8bc26c85af88495ac94d5cd0096b306f7/mainline/buster/Dockerfile
+
+# Standard set up Nginx
+export NGINX_VERSION=1.17.10
+export NJS_VERSION=0.3.9
+export PKG_RELEASE=1~buster
+
+set -x \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
+    && \
+    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+    found=''; \
+    for server in \
+        ha.pool.sks-keyservers.net \
+        hkp://keyserver.ubuntu.com:80 \
+        hkp://p80.pool.sks-keyservers.net:80 \
+        pgp.mit.edu \
+    ; do \
+        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+        apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+    done; \
+    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
+    && dpkgArch="$(dpkg --print-architecture)" \
+    && nginxPackages=" \
+        nginx=${NGINX_VERSION}-${PKG_RELEASE} \
+        nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \
+        nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \
+        nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \
+        nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} \
+    " \
+    && case "$dpkgArch" in \
+        amd64|i386) \
+            echo "deb https://nginx.org/packages/mainline/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list \
+            && apt-get update \
+            ;; \
+        *) \
+            echo "deb-src https://nginx.org/packages/mainline/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list \
+            \
+            && tempDir="$(mktemp -d)" \
+            && chmod 777 "$tempDir" \
+            \
+            && savedAptMark="$(apt-mark showmanual)" \
+            \
+            && apt-get update \
+            && apt-get build-dep -y $nginxPackages \
+            && ( \
+                cd "$tempDir" \
+                && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
+                    apt-get source --compile $nginxPackages \
+            ) \
+            \
+            && apt-mark showmanual | xargs apt-mark auto > /dev/null \
+            && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \
+            \
+            && ls -lAFh "$tempDir" \
+            && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \
+            && grep '^Package: ' "$tempDir/Packages" \
+            && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \
+            && apt-get -o Acquire::GzipIndexes=false update \
+            ;; \
+    esac \
+    \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+                        $nginxPackages \
+                        gettext-base \
+    && apt-get remove --purge --auto-remove -y ca-certificates && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
+    \
+    && if [ -n "$tempDir" ]; then \
+        apt-get purge -y --auto-remove \
+        && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+    fi
+
+# forward request and error logs to docker log collector
+ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+# Standard set up Nginx finished
diff --git a/configs/start.sh b/configs/start.sh
@@ -6,10 +6,10 @@ PRE_START_PATH=/app/prestart.sh
 echo "Checking for script in $PRE_START_PATH"
 if [ -f $PRE_START_PATH ] ; then
     echo "Running script $PRE_START_PATH"
-    . "$PRE_START_PATH"
+    . $PRE_START_PATH
 else
     echo "There is no script $PRE_START_PATH"
 fi
 
-# Start Gunicorn
-exec gunicorn -k egg:meinheld#gunicorn_worker -c "$GUNICORN_CONF" "$APP_MODULE"
+# Start Supervisor, with Nginx and uWSGI
+exec /usr/bin/supervisord
diff --git a/configs/supervisord-debian.conf b/configs/supervisord-debian.conf
@@ -0,0 +1,18 @@
+[supervisord]
+nodaemon=true
+
+[program:uwsgi]
+command=/usr/local/bin/uwsgi --ini /etc/uwsgi/uwsgi.ini
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:nginx]
+command=/usr/sbin/nginx
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+# Graceful stop, see http://nginx.org/en/docs/control.html
+stopsignal=QUIT
diff --git a/configs/uwsgi.ini b/configs/uwsgi.ini
@@ -0,0 +1,10 @@
+[uwsgi]
+socket = /tmp/uwsgi.sock
+chown-socket = nginx:nginx
+chmod-socket = 664
+# Graceful shutdown on SIGTERM, see https://github.com/unbit/uwsgi/issues/849#issuecomment-118869386
+hook-master-start = unix_signal:15 gracefully_kill_them_all
+need-app = true
+die-on-term = true
+# For debugging and testing
+show-config = true