Merge branch 'release/v1.26.1-1'

CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.26.1-1] - 2024-06-14
+### Changed
+- Write app.conf into volume instead of the container file system (#90)
+   - this should make nginx more robust against container re-creations
+- replace deprecated `http2` option against the current directive 
+- Update nginx to 1.26.1 (#88)
+- Update base image to Alpine 3.19.1
+
+### Security
+- Fixed medium CVEs:
+    - CVE-2023-42366
+    - CVE-2024-4603
+- Fixed low CVE: CVE-2024-2511
+
 ## [v1.23.2-10] - 2024-01-29
 ### Changed
 - Update `ces-confd` to `0.9.0` (#84)
@@ -42,11 +56,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [v1.23.2-3] - 2023-02-17
 ### Changed
 - Update warp-menu to v1.7.2 (#70)
-  
+
 ## [v1.23.2-2] - 2023-02-02
 ### Changed
 - Update warp-menu to v1.7.1 (#68)
-  - This will fix the bug where the warp menu was visible in print view
+   - This will fix the bug where the warp menu was visible in print view
 
 ## [v1.23.2-1] - 2023-01-23
 ### Changed

Dockerfile

@@ -3,8 +3,8 @@ LABEL maintainer="[email protected]"
 
 # dockerfile is based on https://github.com/dockerfile/nginx and https://github.com/bellycard/docker-loadbalancer
 
-ENV NGINX_VERSION=1.23.2 \
-    NGINX_TAR_SHA256="a80cc272d3d72aaee70aa8b517b4862a635c0256790434dbfc4d618a999b0b46" \
+ENV NGINX_VERSION=1.26.1 \
+    NGINX_TAR_SHA256="f9187468ff2eb159260bfd53867c25ff8e334726237acf227b9e870e53d3e36b" \
     CES_CONFD_VERSION=0.9.0 \
     CES_CONFD_TAR_SHA256="8507f40824562b8d2c1f32afb43ce1aad576a82febd2f97bd2cf31b0753a8cbd" \
     WARP_MENU_VERSION=1.7.3 \
@@ -58,10 +58,10 @@ RUN wget --progress=bar:force:noscroll -O /tmp/theme.zip https://github.com/clou
     && unzip /tmp/theme.zip -d /tmp/theme \
     && cp -r /tmp/theme/ces-theme-${CES_THEME_VERSION}/dist/errors /build/var/www/html
 
-FROM registry.cloudogu.com/official/base:3.17.3-2
+FROM registry.cloudogu.com/official/base:3.19.1-2
 LABEL maintainer="[email protected]" \
       NAME="official/nginx" \
-      VERSION="1.23.2-10"
+      VERSION="1.26.1-1"
 
 ENV CES_MAINTENANCE_MODE=false
 
@@ -85,11 +85,10 @@ COPY --from=builder /build /
 RUN ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log
 
-# Volumes are used to avoid writing to containers writable layer https://docs.docker.com/storage/
 # Compared to the bind mounted volumes we declare in the dogu.json,
 # the volumes declared here are not mounted to the dogu if the container is destroyed/recreated,
 # e.g. after a dogu upgrade
-VOLUME ["/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]
+VOLUME ["/var/nginx/conf.d/", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]
 
 # Define working directory.
 WORKDIR /etc/nginx

Jenkinsfile

@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/dogu-build-lib@v2.0.0', 'github.com/cloudogu/ces-build-lib@1.64.1']) _
+@Library(['github.com/cloudogu/dogu-build-lib@v2.3.1', 'github.com/cloudogu/ces-build-lib@2.2.1']) _
 import com.cloudogu.ces.dogubuildlib.*
 import com.cloudogu.ces.cesbuildlib.*
 
@@ -33,7 +33,8 @@ node('vagrant') {
         }
 
         stage('Lint') {
-            lintDockerfile()
+            Dockerfile dockerfile = new Dockerfile(this)
+            dockerfile.lint()
         }
 
         stage('Check Markdown Links') {
@@ -48,7 +49,7 @@ node('vagrant') {
         try {
 
             stage('Provision') {
-                ecoSystem.provision("/dogu");
+                ecoSystem.provision("/dogu")
             }
 
             stage('Setup') {
@@ -104,7 +105,7 @@ node('vagrant') {
                 }
             }
             if (gitflow.isReleaseBranch()) {
-                String releaseVersion = git.getSimpleBranchName();
+                String releaseVersion = git.getSimpleBranchName()
 
                 stage('Finish Release') {
                     gitflow.finishRelease(releaseVersion)

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/nginx",
-  "Version": "1.23.2-10",
+  "Version": "1.26.1-1",
   "DisplayName": "Nginx",
   "Description": "Nginx WebServer.",
   "Logo": "https://cloudogu.com/images/dogus/nginx.png",
@@ -87,6 +87,13 @@
       "Owner": "1000",
       "Group": "1000",
       "NeedsBackup": true
+    },
+    {
+      "Name": "appconf",
+      "Path": "/var/nginx/conf.d/",
+      "Owner": "0",
+      "Group": "0",
+      "NeedsBackup": true
     }
   ],
   "ExposedPorts": [

resources/etc/ces-confd/config.yaml.tpl

@@ -22,7 +22,7 @@ warp:
 service:
   source:
     path: /services
-  target: /etc/nginx/conf.d/app.conf
+  target: {{ .Env.Get "APPCONF_VOL_DIR" }}/app.conf
   template: /etc/ces-confd/templates/app.conf.tpl
   maintenance-mode: /config/_global/maintenance
   tag: webapp

resources/etc/nginx/include.d/ssl.conf.tpl

@@ -1,4 +1,5 @@
-listen 443 ssl http2;
+listen 443 ssl;
+http2 on;
 server_name {{ .GlobalConfig.Get "fqdn" }};
 
 ssl_certificate /etc/ssl/server.crt;

resources/etc/nginx/nginx.conf.tpl

@@ -54,4 +54,5 @@ http {
 
 	# include app configuration
   include /etc/nginx/conf.d/*.conf;
+  include {{ .Env.Get "APPCONF_VOL_DIR" }}/*.conf;
 }

resources/startup.sh

@@ -15,6 +15,8 @@ echo "                   V///   '°°°°      (/////)      °°°°'   ////  "
 echo "                    V/////(////////\. '°°°' ./////////(///(/'   "
 echo "                       'V/(/////////////////////////////V'      "
 
+export APPCONF_VOL_DIR=/var/nginx/conf.d
+
 function export_log_level() {
     ETCD_LOG_LEVEL="$(doguctl config logging/root --default "WARN")"
     echo "Found etcd log level: ${ETCD_LOG_LEVEL}"

spec/goss/goss.yaml

@@ -1,5 +1,5 @@
 file:
-  /etc/nginx/conf.d/app.conf:
+  /var/nginx/conf.d/app.conf:
     exists: true
     owner: root
     group: root