Making a snap package: nginx crashes when confined, needs capname="chown"

seanlano

I'm trying to make a snap package for a custom build of nginx. The idea is that I can run the snap and it will start an nginx server that serves HTML content included in the snap.

So far I have a working snapcraft.yaml that builds nginx fine, and a hook script, hooks/install, that creates a default configuration for nginx.

Here is my snapcraft.yaml:

name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.

grade: devel
confinement: strict

apps:
  nginx:
    command: bin/nginx
    plugs: [network, network-bind]

parts:
  nginx:
    plugin: autotools
    source: https://github.com/nginx/nginx.git
    source-type: git
    source-tag: release-1.13.6
    prepare: |
        wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
        mkdir zlib
        tar xvf zlib.tar.gz --strip-components 1 -C zlib/
        wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
        mkdir pcre
        tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
        auto/configure --prefix=/var/snap/nginx-custom/current --conf-path=/var/snap/nginx-custom/current/nginx.conf --pid-path=/var/snap/nginx-custom/current/nginx.pid --sbin-path=$SNAP_DATA/nginx --with-zlib=zlib/ --with-pcre=pcre/ --error-log-path=/var/snap/nginx-custom/common/logs/error.log --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
        make
    install: |
        mkdir -p $SNAPCRAFT_PART_INSTALL/bin
        cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
        - libc6
        - libgd3
        - libgeoip1
        - libpcre3
        - libssl1.0.0
        - libxml2
        - libxslt1.1
        - zlib1g

And here is my hooks/install file:

#!/bin/sh -e

# Create a default config file. A quoted heredoc ('EOF') writes the text
# literally, so nginx variables such as $remote_addr and the double quotes in
# the log_format line are neither expanded nor cut short by the shell, as they
# would be inside echo "...".
cat > "$SNAP_DATA/nginx.conf" <<'EOF'
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

}
EOF

# Create the MIME type map that nginx.conf includes, again written literally
cat > "$SNAP_DATA/mime.types" <<'EOF'

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}
EOF

# Log files live in $SNAP_COMMON (shared across revisions); -p keeps the hook
# idempotent and the quotes protect against paths containing spaces
mkdir -p "$SNAP_COMMON/logs"
touch "$SNAP_COMMON/logs/nginx.log"
touch "$SNAP_COMMON/logs/error.log"

# Document root: nginx.conf's "root html;" resolves relative to the prefix,
# which the build points at $SNAP_DATA
mkdir -p "$SNAP_DATA/html"
cat > "$SNAP_DATA/html/index.html" <<'EOF'
<!DOCTYPE html>
<html>
<body>

<h1>Hello World</h1>

<p>This is Sean. With nginx. In a snap.</p>

</body>
</html>
EOF

(Sorry it's quite long; obviously once this works properly I'm going to tidy it up instead of just echoing it to a file.)

Anyway, I can run snapcraft prime and then sudo snap try --devmode prime/. I start the server with sudo nginx-custom.nginx, and then I can go to http://localhost/index.html and get my hello world page.

However, I can see the following warnings in /var/log/syslog:

Nov  2 09:52:58 sean kernel: [211015.893585] audit: type=1400 audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0  capname="chown"
Nov  2 09:52:58 sean kernel: [211015.893933] audit: type=1400 audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6  capname="setgid"

And if I try to run it without the --devmode flag, nginx crashes with:

Bad system call (core dumped) 

and in syslog:

Nov  2 10:02:36 sean kernel: [211593.967970] audit: type=1326 audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 compat=0 ip=0x7f19db75b2c7 code=0x0

It seems nginx is trying to call chown and setgid but is being blocked.

I found an older example nginx snapcraft file, but it uses what I think is an older syntax that no longer works. Other than that, the snapcraft documentation doesn't seem to have anything about this kind of permission.

Is there a way to allow an app in a strictly confined snap to call chown and setgid, or, failing that, a way to run nginx so that it doesn't need them?
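The three syslog lines in the question carry all the information needed to name the blocked operations, but only as numbers. The following is an added Python example for this thread (it is not part of the original post, of nginx or of snapd) that decodes them: the AppArmor records (type=1400) give the capability number, and the seccomp record (type=1326) gives the syscall number, which only has meaning together with the arch field. The lookup tables are small subsets of the kernel's own capability, audit-arch and x86_64 syscall tables; the SAMPLE lines are copied from the question.

```python
"""Decode the AppArmor (type=1400) and seccomp (type=1326) audit records a
confined snap leaves in /var/log/syslog.

Added example for this thread: not part of the original post, of nginx or of
snapd. The SAMPLE lines are the three quoted in the question; the lookup tables
are small subsets of the kernel's capability.h, audit.h and x86_64 syscall table.
"""
import re

# capability= field -> name (subset of include/uapi/linux/capability.h)
CAPABILITIES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
    21: "CAP_SYS_ADMIN",
}

# arch= field (hex) -> AUDIT_ARCH_* name; syscall numbers depend on it
AUDIT_ARCH = {0xC000003E: "x86_64", 0xC00000B7: "aarch64", 0x40000003: "i386"}

# x86_64 numbers of the ownership/identity syscalls a server uses to drop privileges
SYSCALLS_X86_64 = {
    90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 94: "lchown",
    105: "setuid", 106: "setgid", 113: "setreuid", 114: "setregid",
    116: "setgroups",
}

# top 16 bits of the code= field -> seccomp action that was applied
SECCOMP_ACTION = {
    0x00000000: "SECCOMP_RET_KILL_THREAD", 0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00030000: "SECCOMP_RET_TRAP", 0x00050000: "SECCOMP_RET_ERRNO",
    0x7FFC0000: "SECCOMP_RET_LOG", 0x7FFF0000: "SECCOMP_RET_ALLOW",
}

SIGSYS = 31  # the signal behind "Bad system call"

# Constructed input: the syslog lines quoted in the question.
SAMPLE = [
    "Nov  2 09:52:58 sean kernel: [211015.893585] audit: type=1400 "
    'audit(1509576778.917:105841): apparmor="ALLOWED" operation="capable" '
    'profile="snap.nginx-custom.nginx" pid=30856 comm="nginx" capability=0  capname="chown"',
    "Nov  2 09:52:58 sean kernel: [211015.893933] audit: type=1400 "
    'audit(1509576778.917:105842): apparmor="ALLOWED" operation="capable" '
    'profile="snap.nginx-custom.nginx" pid=30870 comm="nginx" capability=6  capname="setgid"',
    "Nov  2 10:02:36 sean kernel: [211593.967970] audit: type=1326 "
    "audit(1509577356.986:105851): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31156 "
    'comm="nginx" exe="/snap/nginx-custom/x1/bin/nginx" sig=31 arch=c000003e syscall=92 '
    "compat=0 ip=0x7f19db75b2c7 code=0x0",
]


def parse_audit(line):
    """Split one audit record into its key=value fields (quotes stripped)."""
    body = line.split("audit:", 1)[-1]  # drop the syslog prefix if present
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}


def explain(line):
    """Translate one record into names a human can act on."""
    f = parse_audit(line)
    if f.get("type") == "1400":  # AppArmor
        cap = int(f["capability"])
        return {
            "source": "apparmor",
            # ALLOWED means complain mode (devmode); a strict snap logs DENIED
            "mode": f["apparmor"],
            "profile": f["profile"],
            "comm": f["comm"],
            "capability": CAPABILITIES.get(cap, f"cap#{cap}"),
        }
    if f.get("type") == "1326":  # seccomp
        arch = int(f["arch"], 16)
        nr = int(f["syscall"])
        table = SYSCALLS_X86_64 if arch == 0xC000003E else {}
        sig = int(f.get("sig", "0"))
        action = int(f.get("code", "0"), 16) & 0xFFFF0000
        return {
            "source": "seccomp",
            "comm": f["comm"],
            "exe": f["exe"],
            "arch": AUDIT_ARCH.get(arch, hex(arch)),
            "syscall": table.get(nr, f"syscall#{nr}"),
            "signal": "SIGSYS" if sig == SIGSYS else f"sig#{sig}",
            "action": SECCOMP_ACTION.get(action, hex(action)),
        }
    return {"source": "other", "type": f.get("type")}


def summarize(lines):
    """Collect the capabilities and syscalls the confined app was seen using."""
    caps, calls = set(), set()
    for rec in map(explain, lines):
        if rec["source"] == "apparmor":
            caps.add(rec["capability"])
        elif rec["source"] == "seccomp":
            calls.add(rec["syscall"])
    return {"capabilities": sorted(caps), "syscalls": sorted(calls)}


if __name__ == "__main__":
    for line in SAMPLE:
        print(explain(line))
    print(summarize(SAMPLE))
```

Run on the three lines above, the decoder reports CAP_CHOWN used by pid 30856 and CAP_SETGID by a second nginx process (pid 30870), both logged as ALLOWED only because devmode puts the profile in complain mode, and then, without devmode, syscall 92 on x86_64, which is chown, answered with SECCOMP_RET_KILL_THREAD and SIGSYS, which is exactly the "Bad system call (core dumped)" shown. This is the privilege-dropping sequence nginx performs when started as root via sudo (chown its log files to the configured user, setgid in the workers), so the records point at the master and worker start-up rather than at request handling.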

seanlano

I got this working by forking nginx and commenting out the various syscalls that were causing the confinement violations. Note: I haven't tested this extensively, but it does seem to work for the purposes I've been using it for. You can see the changes I made here.


snapcraft.yaml

name: nginx-custom
version: 0.0.1
summary: small, powerful, scalable web/proxy server
description: Nginx ("engine X") is a high-performance web and reverse proxy server created by Igor Sysoev. It can be used both as a standalone web server and as a proxy to reduce the load on back-end HTTP or mail servers.

grade: devel
confinement: strict

apps:
  nginx:
    command: bin/nginx
    daemon: forking
    stop-command: bin/nginx -s stop
    stop-timeout: 10s
    plugs: [network, network-bind]

parts:
  nginx:
    plugin: autotools
    source: https://github.com/seanlano/nginx.git
    source-type: git
    source-tag: release-1.13.6_snap-fix
    prepare: |
        wget https://sourceforge.net/projects/libpng/files/zlib/1.2.11/zlib-1.2.11.tar.gz/download -O zlib.tar.gz
        mkdir zlib
        tar xvf zlib.tar.gz --strip-components 1 -C zlib/
        wget https://ftp.pcre.org/pub/pcre/pcre-8.41.tar.bz2 -O pcre.tar.bz2
        mkdir pcre
        tar xvf pcre.tar.bz2 --strip-components 1 -C pcre/
    build: |
        auto/configure --prefix=/var/snap/nginx-custom/current --conf-path=/var/snap/nginx-custom/current/nginx.conf --pid-path=/var/snap/nginx-custom/current/nginx.pid --with-zlib=zlib/ --with-pcre=pcre/ --error-log-path=/var/snap/nginx-custom/common/logs/error.log --http-log-path=/var/snap/nginx-custom/common/logs/nginx.log
        make
    install: |
        mkdir -p $SNAPCRAFT_PART_INSTALL/bin
        cp objs/nginx $SNAPCRAFT_PART_INSTALL/bin/nginx
    build-packages:
        - libc6
        - libgd3
        - libgeoip1
        - libssl1.0.0
        - libxml2
        - libxslt1.1

You will need to make an appropriate nginx.conf file that references the correct paths inside the confined environment.
