From c556c7d53788a99d8322a95983f9cd5e58da6ddc Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Wed, 29 Mar 2023 19:22:09 +0200 Subject: [PATCH 01/23] Added API Connectivity Manager 1.5.0 support --- nginx-nms-docker/README.md | 2 +- nginx-nms-docker/container/startNIM.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 6cc83f31..b476273b 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -25,7 +25,7 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: - NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0 -- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1 +- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1 diff --git a/nginx-nms-docker/container/startNIM.sh b/nginx-nms-docker/container/startNIM.sh index 24334e3f..ca0c54a3 100755 --- a/nginx-nms-docker/container/startNIM.sh +++ b/nginx-nms-docker/container/startNIM.sh @@ -113,7 +113,7 @@ esac # Start API Connectivity Manager - from /lib/systemd/system/nms-acm.service sleep 5 -/usr/bin/nms-acm server & +sudo -u nms /usr/bin/nms-acm server & sleep 5 From eebf814395c742958619d9de8f80cc549ea39306 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 30 Mar 2023 11:07:15 +0200 Subject: [PATCH 02/23] Ownership fix --- nginx-nms-docker/container/startNIM.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nginx-nms-docker/container/startNIM.sh b/nginx-nms-docker/container/startNIM.sh index ca0c54a3..dbd099c5 100755 --- a/nginx-nms-docker/container/startNIM.sh +++ b/nginx-nms-docker/container/startNIM.sh 
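Review bot: In the startNIM.sh hunk of PATCH 01/23, `sudo -u nms /usr/bin/nms-acm server &` assumes `sudo` is present in the image, yet the diffstat lists only README.md and startNIM.sh, so no Dockerfile change adds it. Because the command is backgrounded, a missing `sudo` only prints an error and the script carries on without ACM. A guard before the first use, `command -v sudo >/dev/null || { echo "sudo not found" >&2; exit 1; }`, would make that failure explicit; the same applies to the four `sudo -u nms` launches in PATCH 02/23. The drop from root to `nms` is not mentioned in the commit subject, so a comment such as `# run as the unprivileged nms account, not root` would record the intent.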
@@ -77,7 +77,7 @@ esac /bin/bash -c '`which chown` nms:nms /etc/nms/certs/services/ca.crt' /bin/bash -c '`which chmod` 0700 /etc/nms/certs/services/core' /bin/bash -c '`which chmod` 0600 /etc/nms/certs/services/core/*' -/usr/bin/nms-core & +sudo -u nms /usr/bin/nms-core & # Start nms dpm - from /lib/systemd/system/nms-dpm.service /bin/bash -c '`which mkdir` -p /var/lib/nms/streaming/' @@ -90,7 +90,7 @@ esac /bin/bash -c '`which chown` nms:nms /etc/nms/certs/services/ca.crt' /bin/bash -c '`which chmod` 0700 /etc/nms/certs/services/dataplane-manager' /bin/bash -c '`which chmod` 0600 /etc/nms/certs/services/dataplane-manager/*' -/usr/bin/nms-dpm & +sudo -u nms /usr/bin/nms-dpm & # Start nms ingestion - from /lib/systemd/system/nms-ingestion.service /bin/bash -c '`which mkdir` -p /var/run/nms/' @@ -98,7 +98,7 @@ esac /bin/bash -c '`which chown` -R nms:nms /var/log/nms/' /bin/bash -c '`which chmod` 0775 /var/log/nms/' /bin/bash -c '`which chown` -R nms:nms /var/run/nms/' -/usr/bin/nms-ingestion & +sudo -u nms /usr/bin/nms-ingestion & # Start nms integrations - from /lib/systemd/system/nms-integrations.service /bin/bash -c '`which mkdir` -p /var/lib/nms/dqlite/' @@ -109,7 +109,7 @@ esac /bin/bash -c '`which chown` -R nms:nms /var/log/nms/' /bin/bash -c '`which chmod` 0775 /var/log/nms/' /bin/bash -c '`which chown` nms:nms /etc/nms/certs/services/ca.crt' -/usr/bin/nms-integrations & +sudo -u nms /usr/bin/nms-integrations & # Start API Connectivity Manager - from /lib/systemd/system/nms-acm.service sleep 5 From 9aac959316df1aa69313ba021edad9a617cd7c26 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Fri, 31 Mar 2023 12:03:57 +0200 Subject: [PATCH 03/23] Startup script fix --- nginx-nms-docker/container/startNIM.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/nginx-nms-docker/container/startNIM.sh b/nginx-nms-docker/container/startNIM.sh index dbd099c5..273bee3c 100755 --- a/nginx-nms-docker/container/startNIM.sh 
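Review bot: In the nms-core and nms-dpm hunks the service now runs as `nms`, but the visible preparation lines chown only `/etc/nms/certs/services/ca.crt` while setting `/etc/nms/certs/services/core` and `/etc/nms/certs/services/dataplane-manager` to 0700 and their contents to 0600. If those directories are still owned by root, the unprivileged process cannot read its own certificate and key. The chown may sit above the hunks, which start mid-block, so this needs confirming against the full file. If it is missing, `chown -R nms:nms /etc/nms/certs/services/core` (and the dataplane-manager equivalent) before the chmod lines would fix it.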
+++ b/nginx-nms-docker/container/startNIM.sh @@ -25,6 +25,8 @@ then python3 /deployment/app.py & fi +mkdir /nonexistent + /etc/nms/scripts/basic_passwords.sh $NIM_USERNAME $NIM_PASSWORD # NGINX Management Suite version detection @@ -77,7 +79,7 @@ esac /bin/bash -c '`which chown` nms:nms /etc/nms/certs/services/ca.crt' /bin/bash -c '`which chmod` 0700 /etc/nms/certs/services/core' /bin/bash -c '`which chmod` 0600 /etc/nms/certs/services/core/*' -sudo -u nms /usr/bin/nms-core & +su - nms -c "/usr/bin/nms-core &" -s /bin/bash # Start nms dpm - from /lib/systemd/system/nms-dpm.service /bin/bash -c '`which mkdir` -p /var/lib/nms/streaming/' @@ -90,7 +92,7 @@ sudo -u nms /usr/bin/nms-core & /bin/bash -c '`which chown` nms:nms /etc/nms/certs/services/ca.crt' /bin/bash -c '`which chmod` 0700 /etc/nms/certs/services/dataplane-manager' /bin/bash -c '`which chmod` 0600 /etc/nms/certs/services/dataplane-manager/*' -sudo -u nms /usr/bin/nms-dpm & +su - nms -c "/usr/bin/nms-dpm &" -s /bin/bash # Start nms ingestion - from /lib/systemd/system/nms-ingestion.service /bin/bash -c '`which mkdir` -p /var/run/nms/' @@ -98,7 +100,7 @@ sudo -u nms /usr/bin/nms-dpm & /bin/bash -c '`which chown` -R nms:nms /var/log/nms/' /bin/bash -c '`which chmod` 0775 /var/log/nms/' /bin/bash -c '`which chown` -R nms:nms /var/run/nms/' -sudo -u nms /usr/bin/nms-ingestion & +su - nms -c "/usr/bin/nms-ingestion &" -s /bin/bash # Start nms integrations - from /lib/systemd/system/nms-integrations.service /bin/bash -c '`which mkdir` -p /var/lib/nms/dqlite/' 
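Review bot: `mkdir /nonexistent` in the first hunk has no `-p`, so it prints an error on every restart of an existing container, and nothing explains why the directory is needed. It looks like the home directory of the `nms` account, created so that the `su - nms` login shells further down can start; that is inferred from the hunks, not shown. I would write `mkdir -p /nonexistent` with a comment such as `# home of the nms account; su - needs it to exist`, and keep it root-owned so the services cannot write into it.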
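Review bot: In `su - nms -c "/usr/bin/nms-core &" -s /bin/bash` the `&` sits inside the child shell, so `su` returns at once with status 0 and this script can no longer tell whether the daemon started or exited. The same holds for the nms-dpm and nms-ingestion hunks here and for nms-integrations and nms-acm in the next hunk. The `-` also resets the environment, which keeps container variables such as `NIM_PASSWORD` out of the daemons' environment. If that is intended, a comment would stop someone from "simplifying" it later, e.g. `# login shell on purpose: services must not inherit the container environment`.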
@@ -109,11 +111,11 @@ sudo -u nms /usr/bin/nms-ingestion & /bin/bash -c '`which chown` -R nms:nms /var/log/nms/' /bin/bash -c '`which chmod` 0775 /var/log/nms/' /bin/bash -c '`which chown` nms:nms /etc/nms/certs/services/ca.crt' -sudo -u nms /usr/bin/nms-integrations & +su - nms -c "/usr/bin/nms-integrations &" -s /bin/bash # Start API Connectivity Manager - from /lib/systemd/system/nms-acm.service sleep 5 -sudo -u nms /usr/bin/nms-acm server & +su - nms -c "/usr/bin/nms-acm server &" -s /bin/bash sleep 5 From 2fae74fd672ac29c629d499e4a3bb1dffd8d98db Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Mon, 3 Apr 2023 19:35:01 +0200 Subject: [PATCH 04/23] NGINX App Protect WAF updates --- nginx-nms-docker/README.md | 6 +++--- nginx-nms-docker/scripts/buildNIM.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index b476273b..d097f4b3 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -27,7 +27,7 @@ This repository has been tested with: - NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0 -- NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1 +- NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 ## Prerequisites @@ -73,7 +73,7 @@ NGINX Management Suite Docker image builder -K [file.key] - Key file to pull packages from the official NGINX repository -A - Enable API Connectivity Manager - optional -W - Enable Security Monitoring - optional - -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1] - optional + -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional === Examples: 
@@ -86,7 +86,7 @@ NGINX Management Suite Docker image builder Automated build: ./scripts/buildNIM.sh -i -C nginx-repo.crt -K nginx-repo.key - -A -W -P v4.2.0 -t my.registry.tld/nginx-nms:2.6.0 + -A -W -P v4.218.0 -t my.registry.tld/nginx-nms:2.9.0 ``` ### Automated build diff --git a/nginx-nms-docker/scripts/buildNIM.sh b/nginx-nms-docker/scripts/buildNIM.sh index 22c1d08f..39a73612 100755 --- a/nginx-nms-docker/scripts/buildNIM.sh +++ b/nginx-nms-docker/scripts/buildNIM.sh @@ -19,7 +19,7 @@ Automated build:\n\n -K [file.key]\t\t- Key file to pull packages from the official NGINX repository\n -A\t\t\t- Enable API Connectivity Manager - optional\n -W\t\t\t- Enable Security Monitoring - optional\n --P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0] - optional\n\n +-P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional\n\n === Examples:\n\n Manual build:\n \t$0 -n nim-files/nms-instance-manager_2.6.0-698150575~focal_amd64.deb \\\\\n @@ -29,7 +29,7 @@ Manual build:\n \t\t-t my.registry.tld/nginx-nms:2.6.0\n\n Automated build:\n \t$0 -i -C nginx-repo.crt -K nginx-repo.key\n -\t\t-A -W -P v4.2.0 -t my.registry.tld/nginx-nms:2.6.0\n +\t\t-A -W -P v4.218.0 -t my.registry.tld/nginx-nms:2.9.0\n " # Defaults From 756b3c0133a496cf083e638bbba5f127311cbdbe Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Fri, 7 Apr 2023 23:00:30 +0200 Subject: [PATCH 05/23] Tested with NGINX Instance Manager 2.9.1 --- nginx-nms-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index d097f4b3..8bc71978 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md 
@@ -24,7 +24,7 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 From 380c1d5bcb5b646392002fca0d731fcb187cab2a Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Wed, 19 Apr 2023 01:27:53 +0200 Subject: [PATCH 06/23] Added docker-compose support --- nginx-nms-docker/README.md | 12 +++++++ nginx-nms-docker/contrib/docker-compose/.env | 10 ++++++ .../contrib/docker-compose/README.md | 14 ++++++++ .../docker-compose/docker-compose.yaml | 36 +++++++++++++++++++ 4 files changed, 72 insertions(+) create mode 100644 nginx-nms-docker/contrib/docker-compose/.env create mode 100644 nginx-nms-docker/contrib/docker-compose/README.md create mode 100644 nginx-nms-docker/contrib/docker-compose/docker-compose.yaml diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 8bc71978..8ccab144 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -255,6 +255,8 @@ and then restart nginx-agent # Starting NGINX Management Suite +## On Kubernetes + ``` $ ./scripts/nimDockerStart.sh start namespace/nginx-nim2 created @@ -281,9 +283,19 @@ NGINX Management Suite GUI is now reachable from outside the cluster at: - gRPC: `nim2.f5.ff.lan:30443` - Second Sight: see [usage](https://github.com/F5Networks/SecondSight/blob/main/USAGE.md) +## On docker-compose + +See [docker-compose](contrib/docker-compose) + # Stopping NGINX Management Suite +## On Kubernetes + ``` $ ./scripts/nimDockerStart.sh stop namespace "nginx-nim2" deleted ``` + +## On docker-compose + +See [docker-compose](contrib/docker-compose) 
diff --git a/nginx-nms-docker/contrib/docker-compose/.env b/nginx-nms-docker/contrib/docker-compose/.env new file mode 100644 index 00000000..bf6c41dd --- /dev/null +++ b/nginx-nms-docker/contrib/docker-compose/.env @@ -0,0 +1,10 @@ +# NGINX Management Suite settings +NIM_IMAGE= +NIM_LICENSE= +NIM_USERNAME=admin +NIM_PASSWORD=nimadmin + +# Clickhouse settings +NIM_CLICKHOUSE_ADDRESS=clickhouse +NIM_CLICKHOUSE_USERNAME=default +NIM_CLICKHOUSE_PASSWORD=NGINXr0cks diff --git a/nginx-nms-docker/contrib/docker-compose/README.md b/nginx-nms-docker/contrib/docker-compose/README.md new file mode 100644 index 00000000..0f693a87 --- /dev/null +++ b/nginx-nms-docker/contrib/docker-compose/README.md @@ -0,0 +1,14 @@ +# Docker-compose for NGINX Management Suite + +1. Edit the `.env` file configuring the NGINX Management Suite docker image name and the base64-encoded license +2. Start NGINX Management Suite using + +``` +docker-compose -f docker-compose.yaml up -d +``` + +3. Stop NGINX Management Suite using + +``` +docker-compose -f docker-compose.yaml down +``` diff --git a/nginx-nms-docker/contrib/docker-compose/docker-compose.yaml b/nginx-nms-docker/contrib/docker-compose/docker-compose.yaml new file mode 100644 index 00000000..fc0ffcce --- /dev/null +++ b/nginx-nms-docker/contrib/docker-compose/docker-compose.yaml 
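Review bot: The new `.env` commits working default credentials (`NIM_PASSWORD=nimadmin`, `NIM_CLICKHOUSE_PASSWORD=NGINXr0cks`), and step 1 of the accompanying README only asks the user to set the image name and the license, so most deployments will keep them. I would leave both passwords empty in `.env` and add a README step telling the user to choose them. The compose file can then refuse to start when they are unset, with `${NIM_PASSWORD:?set NIM_PASSWORD in .env}` and the same form for `NIM_CLICKHOUSE_PASSWORD`.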
@@ -0,0 +1,36 @@ +version: "3" +services: + clickhouse: + image: clickhouse/clickhouse-server:23.1.2.9 + ports: + - "9000:9000" + environment: + - CLICKHOUSE_USER=${NIM_CLICKHOUSE_USERNAME} + - CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1 + - CLICKHOUSE_PASSWORD=${NIM_CLICKHOUSE_PASSWORD} + volumes: + - db-data:/var/lib/clickhouse + ulimits: + nproc: 65535 + nofile: + soft: 262144 + hard: 262144 + + nms: + image: ${NIM_IMAGE} + ports: + - "443:443" + environment: + - NIM_LICENSE=${NIM_LICENSE} + - NIM_USERNAME=${NIM_USERNAME} + - NIM_PASSWORD=${NIM_PASSWORD} + - NIM_CLICKHOUSE_ADDRESS=${NIM_CLICKHOUSE_ADDRESS} + - NIM_CLICKHOUSE_PORT=9000 + - NIM_CLICKHOUSE_USERNAME=${NIM_CLICKHOUSE_USERNAME} + - NIM_CLICKHOUSE_PASSWORD=${NIM_CLICKHOUSE_PASSWORD} + volumes: + - nms-data:/var/lib/nms + +volumes: + db-data: + nms-data: From 74eabe68e0b88a96d90b2e57a321ba5c18bb356a Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 27 Apr 2023 11:42:49 +0200 Subject: [PATCH 07/23] Tested with NGINX Instance Manager 2.10.0 and Security Monitoring 1.4.0 --- nginx-nms-docker/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 8ccab144..242ae1d7 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -24,9 +24,9 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0 -- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0 +- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 ## Prerequisites From e539766a48b2f22060cfcb251eec2f251040f5de Mon Sep 17 00:00:00 2001 
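Review bot: The `clickhouse` service publishes `"9000:9000"` on every host interface while `CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1` gives the configured user access-management rights. The `nms` service reaches the database by service name (`NIM_CLICKHOUSE_ADDRESS=clickhouse` in `.env`) over the compose network, so it does not need the published port. Dropping the `ports:` entry under `clickhouse`, or binding it to loopback with `"127.0.0.1:9000:9000"` if host access is wanted for debugging, removes the exposure.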
From: Fabrizio Fiorucci Date: Thu, 27 Apr 2023 11:51:57 +0200 Subject: [PATCH 08/23] Tested with NGINX Instance Manager 2.10.0 and API Connectivity Manager 1.5.0 --- nginx-agent-docker/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx-agent-docker/README.md b/nginx-agent-docker/README.md index b5309795..72691c94 100644 --- a/nginx-agent-docker/README.md +++ b/nginx-agent-docker/README.md @@ -8,8 +8,8 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In This repository has been tested with NGINX agent for: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0 -- API Connectivity Manager 1.4.0 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0 +- API Connectivity Manager 1.4.0, 1.5.0 - NGINX App Protect WAF 4.100.1+ ## Prerequisites From 511566495160e870e82c87982453b2dce01bb28d Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 11 May 2023 21:03:54 +0200 Subject: [PATCH 09/23] Tested with API Connectivity Manager 1.6.0 --- nginx-nms-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 242ae1d7..489d790c 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -25,7 +25,7 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: - NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0 -- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0 +- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 From 9167ad4640fa17ea6a34f28177b83159131f0ee7 Mon Sep 17 00:00:00 2001 
From: Fabrizio Fiorucci Date: Sat, 13 May 2023 17:29:26 +0200 Subject: [PATCH 10/23] Tested with API Connectivity Manager 1.6.0 --- nginx-agent-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-agent-docker/README.md b/nginx-agent-docker/README.md index 72691c94..94e489aa 100644 --- a/nginx-agent-docker/README.md +++ b/nginx-agent-docker/README.md @@ -9,7 +9,7 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In This repository has been tested with NGINX agent for: - NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0 -- API Connectivity Manager 1.4.0, 1.5.0 +- API Connectivity Manager 1.4.0, 1.5.0, 1.6.0 - NGINX App Protect WAF 4.100.1+ ## Prerequisites From 7b0e8fce3fe9c39ed4639d3e75b3166284257ba7 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Mon, 29 May 2023 10:10:28 +0200 Subject: [PATCH 11/23] README updated --- nginx-nms-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 489d790c..c94963d4 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -8,7 +8,7 @@ Docker image creation is supported for: - [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/) 2.4.0+ - [NGINX Management Suite API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/) 1.0.0+ -- [Security Monitoring](https://docs.nginx.com/nginx-management-suite/admin-guides/installation/install-guide/#install-nms-modules) 1.0.0+ +- [Security Monitoring](https://docs.nginx.com/nginx-management-suite/security/) 1.0.0+ - [NGINX App Protect WAF compiler](https://docs.nginx.com/nginx-management-suite/nim/how-to/app-protect/setup-waf-config-management) The image can optionally be built with [Second Sight](https://github.com/F5Networks/SecondSight) support From 93c75754a463a584854f763d6a1428e102a04ea1 Mon Sep 17 00:00:00 2001 
From: Fabrizio Fiorucci Date: Mon, 29 May 2023 18:27:28 +0200 Subject: [PATCH 12/23] Added support for NGINX Instance Manager 2.10.1 and App Delivery Manager 4.0.0 --- nginx-nms-docker/Dockerfile.automated | 7 +- nginx-nms-docker/README.md | 15 ++- nginx-nms-docker/buildNIM.sh | 125 +++++++++++++++++++++++++ nginx-nms-docker/container/startNIM.sh | 19 +++- nginx-nms-docker/scripts/buildNIM.sh | 2 +- 5 files changed, 159 insertions(+), 9 deletions(-) create mode 100755 nginx-nms-docker/buildNIM.sh diff --git a/nginx-nms-docker/Dockerfile.automated b/nginx-nms-docker/Dockerfile.automated index b7ed63a0..e225fca3 100644 --- a/nginx-nms-docker/Dockerfile.automated +++ b/nginx-nms-docker/Dockerfile.automated @@ -4,6 +4,7 @@ ARG BUILD_WITH_SECONDSIGHT=false ARG ADD_ACM ARG ADD_SM ARG ADD_PUM +ARG ADD_ADM # Initial setup RUN apt-get update && \ @@ -17,7 +18,8 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ set -x \ && chmod +x /deployment/startNIM.sh \ - && printf "deb https://pkgs.nginx.com/nms/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nms.list \ + && printf "deb https://pkgs.nginx.com/nms/ubuntu `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nms.list \ + && printf "deb https://pkgs.nginx.com/adm/ubuntu `lsb_release -cs` nginx-plus\n" >> /etc/apt/sources.list.d/nms.list \ && wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \ && wget -O /tmp/nginx_signing.key https://cs.nginx.com/static/keys/nginx_signing.key \ && apt-key add /tmp/nginx_signing.key \ 
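Review bot: The second `printf` in the Dockerfile.automated hunk adds the `pkgs.nginx.com/adm` repository to `/etc/apt/sources.list.d/nms.list` for every build, even when `ADD_ADM` is empty. That widens the package sources of images that never install App Delivery Manager, and any later `apt-get update` may fail for subscriptions without access to that repository (not verifiable from the hunk). Consider writing the line only when the option is set, `if [ -n "${ADD_ADM}" ]; then printf ... >> /etc/apt/sources.list.d/nms.list; fi`. The RUN instruction starts and ends outside this hunk.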
@@ -33,6 +35,9 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 # Optional WAF Policy Compiler && if [ ! -z "${ADD_PUM}" ] ; then \ apt-get -y install nms-nap-compiler-$ADD_PUM; fi \ + # Optional App Delivery Manager + && if [ ! -z "${ADD_ADM}" ] ; then \ + apt-get -y install nms-app-delivery-manager; fi \ # Set permissions && chmod +x /etc/nms/scripts/*.sh diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index c94963d4..03dd3bc9 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -10,10 +10,10 @@ Docker image creation is supported for: - [NGINX Management Suite API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/) 1.0.0+ - [Security Monitoring](https://docs.nginx.com/nginx-management-suite/security/) 1.0.0+ - [NGINX App Protect WAF compiler](https://docs.nginx.com/nginx-management-suite/nim/how-to/app-protect/setup-waf-config-management) +- [NGINX App Delivery Manager](https://docs.nginx.com/nginx-management-suite/adm/) 4.0.0+ The image can optionally be built with [Second Sight](https://github.com/F5Networks/SecondSight) support - ## Deployment through the official Helm chart A bash script to quickly install NGINX Management Suite through the official Helm chart is available here: @@ -24,10 +24,11 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 +- NGINX App Delivery Manager 4.0.0 ## Prerequisites 
@@ -74,6 +75,7 @@ NGINX Management Suite Docker image builder -A - Enable API Connectivity Manager - optional -W - Enable Security Monitoring - optional -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional + -D - Enable App Delivery Manager - optional === Examples: @@ -86,7 +88,7 @@ NGINX Management Suite Docker image builder Automated build: ./scripts/buildNIM.sh -i -C nginx-repo.crt -K nginx-repo.key - -A -W -P v4.218.0 -t my.registry.tld/nginx-nms:2.9.0 + -A -W -P v4.218.0 -D -t my.registry.tld/nginx-nms:2.9.0 ``` ### Automated build @@ -119,6 +121,12 @@ NGINX Instance Manager, API Connectivity Manager, WAF Policy Compiler and Securi ./scripts/buildNIM.sh -t registry.ff.lan:31005/nginx-nim2:automated -i -C certs/nginx-repo.crt -K certs/nginx-repo.key -A -W -P v4.2.0 ``` +NGINX Instance Manager, API Connectivity Manager, WAF Policy Compiler, Security Monitoring and App Delivery Manager + +``` +./scripts/buildNIM.sh -t registry.ff.lan:31005/nginx-nim2:automated -i -C certs/nginx-repo.crt -K certs/nginx-repo.key -A -W -P v4.2.0 -D +``` + ### Manual build 1. Clone this repo @@ -251,6 +259,7 @@ and then restart nginx-agent - [Grafana dashboard for telemetry](contrib/grafana) - [Helm installer](contrib/helm-installer) +- [Docker compose](contrib/docker-compose) # Starting NGINX Management Suite diff --git a/nginx-nms-docker/buildNIM.sh b/nginx-nms-docker/buildNIM.sh new file mode 100755 index 00000000..5f977119 --- /dev/null +++ b/nginx-nms-docker/buildNIM.sh 
@@ -0,0 +1,125 @@ +#!/bin/bash + +BANNER="NGINX Management Suite Docker image builder\n\n +This tool builds a Docker image to run NGINX Management Suite\n\n +=== Usage:\n\n +$0 [options]\n\n +=== Options:\n\n +-h\t\t\t- This help\n +-t [target image]\t- Docker image name to be created\n +-s\t\t\t- Enable Second Sight (https://github.com/F5Networks/SecondSight/) - optional\n\n +Manual build:\n\n +-n [filename]\t\t- NGINX Instance Manager .deb package filename\n +-a [filename]\t\t- API Connectivity Manager .deb package filename - optional\n +-w [filename]\t\t- Security Monitoring .deb package filename - optional\n +-p [filename]\t\t- WAF policy compiler .deb package filename - optional\n\n +Automated build:\n\n +-i\t\t\t- Automated build - requires cert & key\n +-C [file.crt]\t\t- Certificate file to pull packages from the official NGINX repository\n +-K [file.key]\t\t- Key file to pull packages from the official NGINX repository\n +-A\t\t\t- Enable API Connectivity Manager - optional\n +-W\t\t\t- Enable Security Monitoring - optional\n +-P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional\n +-D\t\t\t- Enable App Delivery Manager - optional\n\n +=== Examples:\n\n +Manual build:\n +\t$0 -n nim-files/nms-instance-manager_2.6.0-698150575~focal_amd64.deb \\\\\n +\t\t-a nim-files/nms-api-connectivity-manager_1.2.0.668430332~focal_amd64.deb \\\\\n +\t\t-w nim-files/nms-sm_1.0.0-697204659~focal_amd64.deb \\\\\n +\t\t-p nim-files/nms-nap-compiler-v4.2.0.deb \\\\\n +\t\t-t my.registry.tld/nginx-nms:2.6.0\n\n +Automated build:\n +\t$0 -i -C nginx-repo.crt -K nginx-repo.key\n +\t\t-A -W -P v4.2.0 -t my.registry.tld/nginx-nms:2.6.0\n +" + +# Defaults +COUNTER=false + +while getopts 'hn:a:w:p:t:siC:K:AWP:D' OPTION +do + case "$OPTION" in + h) + echo -e $BANNER + exit + ;; + n) + DEBFILE=$OPTARG + ;; + a) + ACM_IMAGE=$OPTARG + ;; + w) + SM_IMAGE=$OPTARG + ;; + p) + PUM_IMAGE=$OPTARG + ;; + t) + IMGNAME=$OPTARG + ;; + s) + 
COUNTER=true + ;; + i) + AUTOMATED_INSTALL=true + ;; + C) + NGINX_CERT=$OPTARG + ;; + K) + NGINX_KEY=$OPTARG + ;; + A) + ADD_ACM=true + ;; + W) + ADD_SM=true + ;; + P) + ADD_PUM=$OPTARG + ;; + D) + ADD_ADM=true + ;; + esac +done + +if [ -z "$1" ] +then + echo -e $BANNER + exit +fi + +if [ -z "${IMGNAME}" ] +then + echo "Docker image name is required" + exit +fi + +if ([ -z "${AUTOMATED_INSTALL}" ] && [ -z "${DEBFILE}" ]) +then + echo "NGINX Instance Manager package is required for manual installation" + exit +fi + +if ([ ! -z "${AUTOMATED_INSTALL}" ] && ([ -z "${NGINX_CERT}" ] || [ -z "${NGINX_KEY}" ])) +then + echo "NGINX certificate and key are required for automated installation" + exit +fi + +echo "==> Building NGINX Management Suite docker image" + +if [ -z "${AUTOMATED_INSTALL}" ] +then + docker build --no-cache -f Dockerfile.manual --build-arg NIM_DEBFILE=$DEBFILE --build-arg BUILD_WITH_SECONDSIGHT=$COUNTER \ + --build-arg ACM_IMAGE=$ACM_IMAGE --build-arg SM_IMAGE=$SM_IMAGE --build-arg PUM_IMAGE=$PUM_IMAGE -t $IMGNAME . +else + DOCKER_BUILDKIT=1 docker build --no-cache -f Dockerfile.automated --secret id=nginx-key,src=$NGINX_KEY --secret id=nginx-crt,src=$NGINX_CERT \ + --build-arg ADD_ACM=$ADD_ACM --build-arg ADD_SM=$ADD_SM --build-arg ADD_PUM=$ADD_PUM --build-arg ADD_ADM=$ADD_ADM \ + --build-arg BUILD_WITH_SECONDSIGHT=$COUNTER \ + -t $IMGNAME . +fi + +docker push $IMGNAME diff --git a/nginx-nms-docker/container/startNIM.sh b/nginx-nms-docker/container/startNIM.sh index 273bee3c..97027447 100755 --- a/nginx-nms-docker/container/startNIM.sh +++ b/nginx-nms-docker/container/startNIM.sh @@ -64,8 +64,6 @@ clickhouse: ;; esac -/etc/init.d/nginx start - # Start nms core - from /lib/systemd/system/nms-core.service /bin/bash -c '`which mkdir` -p /var/lib/nms/dqlite/' /bin/bash -c '`which mkdir` -p /var/lib/nms/secrets/' 
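Review bot: `docker push $IMGNAME` at the end of the new `nginx-nms-docker/buildNIM.sh` runs whether or not `docker build` succeeded, so a failed build can push an older local image that carries the same tag. Checking the build (`docker build ... || exit 1`) and quoting the expansions (`docker push "$IMGNAME"`, `--secret id=nginx-key,src="$NGINX_KEY"`) would close that. The validation branches use a bare `exit`, which returns status 0; `exit 1` would let callers and CI detect the refusal. The file also looks like a copy of `scripts/buildNIM.sh`, which this commit edits separately, and its example still shows `-P v4.2.0`; if it was added by accident it should be dropped.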
@@ -114,13 +112,26 @@ su - nms -c "/usr/bin/nms-ingestion &" -s /bin/bash su - nms -c "/usr/bin/nms-integrations &" -s /bin/bash # Start API Connectivity Manager - from /lib/systemd/system/nms-acm.service -sleep 5 -su - nms -c "/usr/bin/nms-acm server &" -s /bin/bash +if [ -f /usr/bin/nms-acm ] +then + sleep 5 + su - nms -c "/usr/bin/nms-acm server &" -s /bin/bash +fi + +# Start App Delivery Manager +if [ -f /usr/bin/nms-adm ] +then + /bin/bash -c '`which mkdir` -p /var/run/nms/modules/adm' + /bin/bash -c '`which chown` -R nms:nms /var/run/nms/modules/adm' + su - nms -c "/usr/bin/nms-adm server &" -s /bin/bash +fi sleep 5 chmod 666 /var/run/nms/*.sock +/etc/init.d/nginx start + # License activation if ((${#NIM_LICENSE[@]})) then diff --git a/nginx-nms-docker/scripts/buildNIM.sh b/nginx-nms-docker/scripts/buildNIM.sh index 39a73612..5caacad5 100755 --- a/nginx-nms-docker/scripts/buildNIM.sh +++ b/nginx-nms-docker/scripts/buildNIM.sh @@ -29,7 +29,7 @@ Manual build:\n \t\t-t my.registry.tld/nginx-nms:2.6.0\n\n Automated build:\n \t$0 -i -C nginx-repo.crt -K nginx-repo.key\n -\t\t-A -W -P v4.218.0 -t my.registry.tld/nginx-nms:2.9.0\n +\t\t-A -W -P v4.218.0 -D -t my.registry.tld/nginx-nms:2.9.0\n " # Defaults From eb04147d955334ee7a54144fd1a84b78451c864d Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Wed, 31 May 2023 17:47:34 +0200 Subject: [PATCH 13/23] Fixed NGINX App Protect detection bug for NGINX Instance Manager 2.10.0+ --- nginx-agent-docker/README.md | 2 +- nginx-agent-docker/container/start.sh | 41 +++++++++++++++++++++++++-- 2 files changed, 39 insertions(+), 4 deletions(-) diff --git a/nginx-agent-docker/README.md b/nginx-agent-docker/README.md index 94e489aa..f6c5f019 100644 --- a/nginx-agent-docker/README.md +++ b/nginx-agent-docker/README.md 
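Review bot: The new guards `[ -f /usr/bin/nms-acm ]` and `[ -f /usr/bin/nms-adm ]` pass for a file that exists but is not executable; `[ -x /usr/bin/nms-adm ]` matches what the following `su` line needs. The App Delivery Manager block has no comment naming the systemd unit it was derived from, unlike the blocks around it, and it starts without the `sleep 5` that precedes nms-acm. If that ordering is deliberate, a short comment such as `# no delay needed: nms-adm does not depend on nms-acm` (or the real reason) would help the next reader.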
@@ -8,7 +8,7 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In This repository has been tested with NGINX agent for: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1 - API Connectivity Manager 1.4.0, 1.5.0, 1.6.0 - NGINX App Protect WAF 4.100.1+ diff --git a/nginx-agent-docker/container/start.sh b/nginx-agent-docker/container/start.sh index 653a81a1..77f0c641 100755 --- a/nginx-agent-docker/container/start.sh +++ b/nginx-agent-docker/container/start.sh @@ -3,6 +3,20 @@ nginx sleep 2 +# NGINX Agent version detection, change in behaviour in v2.24.0+ +AGENT_VERSION=`nginx-agent -v|awk '{print $3}'` +AGENT_VERSION_MAJOR=`echo $AGENT_VERSION | awk -F\. '{print $1}' | sed 's/v//'` +AGENT_VERSION_MINOR=`echo $AGENT_VERSION | awk -F\. '{print $2}'` + +echo "=> NGINX Agent version $AGENT_VERSION" + +OLD_AGENT=false +if ([ $AGENT_VERSION_MAJOR -le 2 ] && [ $AGENT_VERSION_MINOR -lt 24 ]) +then + echo "=> Pre-v2.24 NGINX Agent detected" + OLD_AGENT=true +fi + PARM="--server-grpcport $NIM_GRPC_PORT --server-host $NIM_HOST" if [[ ! -z "$NIM_INSTANCEGROUP" ]]; then 
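Review bot: The test `[ $AGENT_VERSION_MAJOR -le 2 ] && [ $AGENT_VERSION_MINOR -lt 24 ]` in the start.sh hunk misclassifies versions: any 1.x agent with a minor of 24 or more is treated as a new agent. The operands are also unquoted, so if `nginx-agent -v` prints nothing both `[` commands fail with a syntax error and `OLD_AGENT` silently stays `false`. Comparing the major first fixes both: `if [ "${AGENT_VERSION_MAJOR:-0}" -lt 2 ] || { [ "$AGENT_VERSION_MAJOR" -eq 2 ] && [ "${AGENT_VERSION_MINOR:-0}" -lt 24 ]; }`.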
@@ -13,9 +27,20 @@ if [[ ! -z "$NIM_TAGS" ]]; then PARM="${PARM} --tags $NIM_TAGS" fi - if [[ "$NAP_WAF" == "true" ]]; then - PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514" + if [ $OLD_AGENT == "true" ] + then + PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514" + else + cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf + +# Enable NAP and Advanced Metrics +extensions: + - advanced-metrics + - nginx-app-protect +__EOT__ + fi + su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &" su - nginx -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &" @@ -28,7 +53,17 @@ if [[ "$NAP_WAF" == "true" ]]; then fi if [[ "$NAP_WAF_PRECOMPILED_POLICIES" == "true" ]]; then - PARM="${PARM} --nginx-app-protect-precompiled-publication" + if [ $OLD_AGENT == "true" ] + then + PARM="${PARM} --nginx-app-protect-precompiled-publication" + else + cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf + +# Enable NGINX App Protect WAF precompiled policies +nginx_app_protect: + precompiled_publication: true +__EOT__ + fi fi if [[ "$ACM_DEVPORTAL" == "true" ]]; then From 2329a18b319796627c359ee3db6204115a3357cf Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Mon, 5 Jun 2023 18:35:52 +0200 Subject: [PATCH 14/23] Fixed agent syslog receiver bug --- nginx-agent-docker/container/start.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nginx-agent-docker/container/start.sh b/nginx-agent-docker/container/start.sh index 77f0c641..0ad195a7 100755 --- a/nginx-agent-docker/container/start.sh 
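Review bot: The `cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf` in the new `else` branch appends on every run of start.sh, so a restart that keeps the container filesystem would add a second `extensions:` key to the YAML. The `nginx_app_protect:` heredoc in the `NAP_WAF_PRECOMPILED_POLICIES` hunk on this line has the same problem. Guarding each append, for example `grep -q '^extensions:' /etc/nginx-agent/nginx-agent.conf || cat - << '__EOT__' >> /etc/nginx-agent/nginx-agent.conf`, keeps it idempotent, and quoting the delimiter stops any `$` in the block from being expanded. `[ $OLD_AGENT == "true" ]` should quote the variable and use `=`, or `[[ ... ]]` as the surrounding code does. The enclosing `if [[ "$NAP_WAF" == "true" ]]` block ends outside the hunk.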
+++ b/nginx-agent-docker/container/start.sh @@ -38,6 +38,18 @@ if [[ "$NAP_WAF" == "true" ]]; then extensions: - advanced-metrics - nginx-app-protect + - nap-monitoring + +# NGINX App Protect Monitoring config +nap_monitoring: + # Buffer size for collector. Will contain log lines and parsed log lines + collector_buffer_size: 50000 + # Buffer size for processor. Will contain log lines and parsed log lines + processor_buffer_size: 50000 + # Syslog server IP address the collector will be listening to + syslog_ip: "127.0.0.1" + # Syslog server port the collector will be listening to + syslog_port: 514 __EOT__ fi From 1cd945318a57ba0013a3a1844d7b9b146dc08ee9 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Fri, 9 Jun 2023 17:39:12 +0200 Subject: [PATCH 15/23] README updated --- nginx-nms-docker/README.md | 2 +- nginx-nms-docker/scripts/buildNIM.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 03dd3bc9..990682cc 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -74,7 +74,7 @@ NGINX Management Suite Docker image builder -K [file.key] - Key file to pull packages from the official NGINX repository -A - Enable API Connectivity Manager - optional -W - Enable Security Monitoring - optional - -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional + -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0|v4.279.0] - optional -D - Enable App Delivery Manager - optional === Examples: diff --git a/nginx-nms-docker/scripts/buildNIM.sh b/nginx-nms-docker/scripts/buildNIM.sh index 5caacad5..63ebd1e5 100755 --- a/nginx-nms-docker/scripts/buildNIM.sh +++ b/nginx-nms-docker/scripts/buildNIM.sh 
@@ -19,7 +19,7 @@ Automated build:\n\n -K [file.key]\t\t- Key file to pull packages from the official NGINX repository\n -A\t\t\t- Enable API Connectivity Manager - optional\n -W\t\t\t- Enable Security Monitoring - optional\n --P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional\n\n +-P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0|v4.279.0] - optional\n\n === Examples:\n\n Manual build:\n \t$0 -n nim-files/nms-instance-manager_2.6.0-698150575~focal_amd64.deb \\\\\n From 590497928bc5dea5c6d727a96928a8f49d23ba80 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Fri, 16 Jun 2023 16:20:00 +0200 Subject: [PATCH 16/23] Tested with NGINX Instance Manager 2.11.0 and Security Monitoring 1.5.0 --- nginx-nms-docker/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 990682cc..1741c710 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -24,9 +24,9 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0 -- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0 +- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 - NGINX App Delivery Manager 4.0.0 From dafcf8888d07143feef7fd8e715f6dcd34ff8891 Mon Sep 17 00:00:00 2001 
From: Fabrizio Fiorucci Date: Fri, 16 Jun 2023 18:47:21 +0200 Subject: [PATCH 17/23] Tested with NGINX Instance Manager 2.11.0 --- nginx-agent-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-agent-docker/README.md b/nginx-agent-docker/README.md index f6c5f019..9e7ce7b4 100644 --- a/nginx-agent-docker/README.md +++ b/nginx-agent-docker/README.md @@ -8,7 +8,7 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In This repository has been tested with NGINX agent for: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0 - API Connectivity Manager 1.4.0, 1.5.0, 1.6.0 - NGINX App Protect WAF 4.100.1+ From 0ff4e8c5461ca5ff7683c047afbbaabcd9c0fca7 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Mon, 26 Jun 2023 08:47:55 +0200 Subject: [PATCH 18/23] Tested with NGINX API Connectivity Manager 1.7.0 --- nginx-nms-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 1741c710..8bb8c7b1 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -25,7 +25,7 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: - NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0 -- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0 +- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.7.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 - NGINX App Delivery Manager 4.0.0 From 40ea4f2d49b492bd321dcd414d3d2b56d1e694c3 Mon Sep 17 00:00:00 2001 
From: Fabrizio Fiorucci Date: Mon, 24 Jul 2023 22:33:24 +0200 Subject: [PATCH 19/23] Tested with NGINX Instance Manager 2.12.0 and Security Monitoring 1.6.0 --- nginx-nms-docker/README.md | 6 +++--- nginx-nms-docker/scripts/buildNIM.sh | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 8bb8c7b1..63d7a654 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -24,9 +24,9 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.12.0 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.7.0 -- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0 +- Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 - NGINX App Delivery Manager 4.0.0 @@ -74,7 +74,7 @@ NGINX Management Suite Docker image builder -K [file.key] - Key file to pull packages from the official NGINX repository -A - Enable API Connectivity Manager - optional -W - Enable Security Monitoring - optional - -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0|v4.279.0] - optional + -P [version] - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0|v4.279.0|v4.402.0] - optional -D - Enable App Delivery Manager - optional === Examples: diff --git a/nginx-nms-docker/scripts/buildNIM.sh b/nginx-nms-docker/scripts/buildNIM.sh index 63ebd1e5..c54fa610 100755 --- a/nginx-nms-docker/scripts/buildNIM.sh +++ b/nginx-nms-docker/scripts/buildNIM.sh 
@@ -19,7 +19,7 @@ Automated build:\n\n -K [file.key]\t\t- Key file to pull packages from the official NGINX repository\n -A\t\t\t- Enable API Connectivity Manager - optional\n -W\t\t\t- Enable Security Monitoring - optional\n --P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0|v4.279.0] - optional\n\n +-P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0|v4.279.0|v4.402.0] - optional\n\n === Examples:\n\n Manual build:\n \t$0 -n nim-files/nms-instance-manager_2.6.0-698150575~focal_amd64.deb \\\\\n From f77f6f33e7d779103f2a6f079c2173721540d568 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 27 Jul 2023 23:51:50 +0200 Subject: [PATCH 20/23] Tested with API Connectivity Manager 1.8.0 --- nginx-nms-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index 63d7a654..c8e7cc0d 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -25,7 +25,7 @@ A bash script to quickly install NGINX Management Suite through the official Hel This repository has been tested with: - NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.12.0 -- NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.7.0 +- NGINX API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.7.0, 1.8.0 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0 - NGINX App Delivery Manager 4.0.0 From 02f0260682989b4fa8830033f4f4c6fda833d702 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 27 Jul 2023 23:53:13 +0200 Subject: [PATCH 21/23] Tested with API Connectivity Manager 1.8.0 --- nginx-nms-docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nginx-nms-docker/README.md b/nginx-nms-docker/README.md index c8e7cc0d..96d0f683 100644 --- a/nginx-nms-docker/README.md +++ b/nginx-nms-docker/README.md @@ -7,7 +7,7 @@ This repository helps deploying NGINX Management Suite on containerized clusters Docker image creation is supported for: - [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/) 2.4.0+ -- [NGINX Management Suite API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/) 1.0.0+ +- [NGINX API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/) 1.0.0+ - [Security Monitoring](https://docs.nginx.com/nginx-management-suite/security/) 1.0.0+ - [NGINX App Protect WAF compiler](https://docs.nginx.com/nginx-management-suite/nim/how-to/app-protect/setup-waf-config-management) - [NGINX App Delivery Manager](https://docs.nginx.com/nginx-management-suite/adm/) 4.0.0+ From 5aa71006d0101e71d81a802dd49f49146872bcd5 Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 3 Aug 2023 17:09:32 +0200 Subject: [PATCH 22/23] Tested with NGINX Instance Manager 2.12.0 --- nginx-agent-docker/Dockerfile | 19 ++++++++++--------- nginx-agent-docker/README.md | 4 ++-- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/nginx-agent-docker/Dockerfile b/nginx-agent-docker/Dockerfile index 2f70621e..fe25521a 100644 --- a/nginx-agent-docker/Dockerfile +++ b/nginx-agent-docker/Dockerfile 
@@ -4,19 +4,17 @@ ARG NMS_URL ARG DEVPORTAL=false ARG NAP_WAF=false +# Startup script +COPY ./container/start.sh /deployment/ + # Initial packages setup RUN apt-get -y update \ && apt-get -y install apt-transport-https lsb-release ca-certificates wget gnupg2 curl debian-archive-keyring \ -# NGINX Instance Manager agent setup && mkdir -p /deployment /etc/ssl/nginx \ -# Agent installation - && bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "Agent installed from NMS" + && addgroup --system --gid 20983 nginx \ + && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 20983 nginx -# Startup script -COPY ./container/start.sh /deployment/ - -# Download certificate and key from the customer portal (https://account.f5.com) -# and copy to the build context +# Use certificate and key from kubernetes secret RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ set -x \ @@ -53,7 +51,10 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && groupadd -g 1001 nginx-agent \ && usermod root -G nginx-agent \ - && usermod nginx -G nginx-agent + && usermod nginx -G nginx-agent \ + +# NGINX Instance Manager agent installation + && bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "Agent installed from NMS" EXPOSE 80 STOPSIGNAL SIGTERM diff --git a/nginx-agent-docker/README.md b/nginx-agent-docker/README.md index 9e7ce7b4..15764f14 100644 --- a/nginx-agent-docker/README.md +++ b/nginx-agent-docker/README.md 
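Review bot: The new comment `# Use certificate and key from kubernetes secret` does not match the `RUN --mount=type=secret,id=nginx-crt,...` line under it, which reads BuildKit build secrets supplied at image build time rather than anything from a cluster. I would word it as `# Certificate and key are passed as BuildKit build secrets (ids nginx-crt and nginx-key)`. The added `addgroup`/`adduser` lines pin uid and gid 20983 without saying why; a short comment on what depends on that id would help. The second `RUN` continues outside the hunk.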
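Review bot: The installer line moved to the end of the `RUN` in the second Dockerfile hunk keeps `curl -k $NMS_URL/install/nginx-agent | sh`, which turns off certificate verification for a script that is then executed during the build (presumably as root), so the image contents depend on whoever answers at `$NMS_URL`. Verifying against the NMS CA closes that, e.g. `&& bash -c 'set -o pipefail; curl -fsS --cacert <NMS_CA_FILE> "$NMS_URL/install/nginx-agent" | sh'`, where `<NMS_CA_FILE>` is a placeholder for a CA bundle provided to the build. `-f` and `pipefail` also make a failed download fail the layer instead of reaching the `echo "Agent installed from NMS"`. The blank line added before `# NGINX Instance Manager agent installation` sits inside the backslash continuation, which Docker reports as an empty continuation line. The `RUN` instruction starts outside this hunk.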
@@ -8,8 +8,8 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In This repository has been tested with NGINX agent for: -- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0 -- API Connectivity Manager 1.4.0, 1.5.0, 1.6.0 +- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.12.0 +- API Connectivity Manager 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0 - NGINX App Protect WAF 4.100.1+ ## Prerequisites From 1eb9acc8ed15731d9283541c3f7228a432340a3a Mon Sep 17 00:00:00 2001 From: Fabrizio Fiorucci Date: Thu, 3 Aug 2023 23:40:51 +0200 Subject: [PATCH 23/23] Dockerfile updated --- nginx-agent-docker/Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nginx-agent-docker/Dockerfile b/nginx-agent-docker/Dockerfile index fe25521a..92de345e 100644 --- a/nginx-agent-docker/Dockerfile +++ b/nginx-agent-docker/Dockerfile @@ -4,9 +4,6 @@ ARG NMS_URL ARG DEVPORTAL=false ARG NAP_WAF=false -# Startup script -COPY ./container/start.sh /deployment/ - # Initial packages setup RUN apt-get -y update \ && apt-get -y install apt-transport-https lsb-release ca-certificates wget gnupg2 curl debian-archive-keyring \ @@ -18,8 +15,6 @@ RUN apt-get -y update \ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ set -x \ -# Startup script - && chmod +x /deployment/start.sh && touch /.dockerenv \ # Install prerequisite packages: && wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \ && printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ 
@@ -56,6 +51,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 # NGINX Instance Manager agent installation && bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "Agent installed from NMS" +# Startup script +COPY ./container/start.sh /deployment/ +RUN chmod +x /deployment/start.sh && touch /.dockerenv + + EXPOSE 80 STOPSIGNAL SIGTERM