summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)AuthorFilesLines
2024-09-17pkg/docker: Update dockerfiles for 1.33.0Andrew Clayton17-51/+229
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-17tools/unitctl: change reload to restartAva Hahn3-4/+4
Signed-off-by: Ava Hahn <a.hahn@f5.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-17tools/unitctl: adjust readme for socket addressesGabor Javorszky2-2/+3
CONTROL_SOCKET_ADDRESS is singular, adds note that the flag can be specified multiple times, and adjusts code to print CONTROL_SOCKET_ADDRESS as singular. Signed-off-by: Gabor Javorszky <g.javorszky@f5.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-17tools/unitctl: add export subcommand to readmeGabor Javorszky1-0/+1
Signed-off-by: Gabor Javorszky <g.javorszky@f5.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-17tools/unitctl: rename UNIT -> UnitGabor Javorszky8-15/+15
The correct capitalisation of the name of the software is Unit, not all caps. Signed-off-by: Gabor Javorszky <g.javorszky@f5.com> [ A bunch more s/UNIT/Unit/ - Andrew ] Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-16docs: add SECURITY.mdGabor Javorszky1-0/+21
All new NGINX projects are created from the template repository which has a SECURITY.md file in it. This adopts the file. NOTE; We wrap the file around the 76-78 character mark for consistency and readability. Link: <https://github.com/nginxinc/template-repository> Closes: https://github.com/nginx/unit/issues/1408 Signed-off-by: Gabor Javorszky <g.javorszky@f5.com> [ Tweaked commit message - Andrew ] Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-16docs: remove security.txt fileGabor Javorszky1-30/+0
This comes after internal conversation with the NGINX security council. Signed-off-by: Gabor Javorszky <g.javorszky@f5.com>
2024-09-16tools/unitctl: rename app -> apps, fix readmeGabor Javorszky3-4/+5
Signed-off-by: Gabor Javorszky <g.javorszky@f5.com>
2024-09-16tools/unitctl: whitespace fixesGabor Javorszky1-5/+17
Signed-off-by: Gabor Javorszky <g.javorszky@f5.com>
2024-09-16unitctl: Don't track unit-openapi/.openapi-generator/Andrew Clayton3-156/+1
The two files under unit-openapi/.openapi-generator/, FILES and VERSIONS are auto-generated. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-13python: Don't decrement a reference to a borrowed objectAndrew Clayton1-0/+1
On some Python 3.11 systems, 3.11.9 & 3.11.10, we were seeing a crash triggered by Py_Finalize() in nxt_python_atexit() when running one of our pytests, namely test/test_python_factory.py::test_python_factory_invalid_callable_value 2024/09/12 15:07:29 [alert] 5452#5452 factory "wsgi_invalid_callable" in module "wsgi" can not be called to fetch callable Fatal Python error: none_dealloc: deallocating None: bug likely caused by a refcount error in a C extension Python runtime state: finalizing (tstate=0x00007f560b88a718) Current thread 0x00007f560bde7ad0 (most recent call first): <no Python frame> 2024/09/12 15:07:29 [alert] 5451#5451 app process 5452 exited on signal 6 (core dumped) This was due to obj = PyDict_GetItemString(PyModule_GetDict(module), callable); in nxt_python_set_target() which returns a *borrowed* reference, then due to the test meaning this is a `None` object we `goto fail` and call Py_DECREF(obj); which then causes `Py_Finalize()` to blow up. The simple fix is to just increment its reference count before the `goto fail`. Note: This problem only showed up under (the various versions of Python we test on); 3.11.9 & 3.11.10. It doesn't show up under; 3.6, 3.7, 3.9, 3.10, 3.12 Cc: Konstantin Pavlov <thresh@nginx.com> Closes: https://github.com/nginx/unit/issues/1413 Fixes: a9aa9e76d ("python: Support application factories") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-10http: Fix router process crash whilst using proxyZhidao HONG2-3/+9
When the client closes the connection before the upstream, the proxy's error handler was calling cleanup operation like peer close and request close twice, this fix ensures the cleanup is performed only once, improving proxy stability. Closes: https://github.com/nginx/unit/issues/828
2024-09-10tests: Suppress cargo-component outputAndrew Clayton1-1/+4
Suppress the output from cargo-component when we first run it to check if it's available, otherwise you may see the following $ pytest test/test_wasm-wasi-component.py which: no go in (/home/andrew/.local/bin:/home/andrew/bin:/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin) error: no such command: `component` View all installed commands with `cargo --list` Find a package to install `component` with `cargo search cargo-component Note: This didn't stop the tests from working, just an aesthetic issue. Closes: https://github.com/nginx/unit/issues/1410 Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-10tests: Fix routing tests in the no njs caseAndrew Clayton1-4/+19
Don't try and run the tests that require njs if it isn't enabled. Closes: https://github.com/nginx/unit/issues/1411 Fixes: 43c4bfdcd ("tests: "if" option in http route match") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-10ci: Trigger ci.yml for changes under pkg/contribAndrew Clayton1-0/+2
This will catch changes to the likes of wasmtime and njs. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-09ci: Fix wasmtime paths in ci.ymlAndrew Clayton1-1/+1
With commit 9998918db ("Packages: bump wasmtime to 24.0.0 and wasi-sysroot to 24.0.") the paths to the wasmtime C API include and lib directories changed which broke the wasm ci tests. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-09Packages: bump wasmtime to 24.0.0 and wasi-sysroot to 24.0.Konstantin Pavlov8-21/+41
Wasm module is now not built for Amazon Linux 2, Debian 11 and Ubuntu 2.0.04, since it requires cmake version newer than what's available on those OSes. wasm-wasi-component is not affected.
2024-09-09ci: Fix tags on ad hoc unitctl releasesDan Callahan1-4/+2
- Adds `unitctl/` prefix to tags generated by manual workflow runs. Previously, only release titles (but not tags) were prefixed. - Omits superfluous `name` field; falls back to `tag` when absent. - Removes unnecessary conditional from `prelease` field. This results in the following tagging / releasing behavior: 1. Running manually creates a pre-release and tags it `unitctl/VERSION` 2. Pushing a tag formatted like `x.y.z` creates a normal release Refines: 3501a50ffb93756e145295021ff9313ac77f1ba9
2024-09-07java: Update third-party componentsSergey A. Osokin3-17/+17
[ Tweaked subject - Andrew ] Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-04wasm-wc: Enable environment inheritanceRobbie McKinstry1-0/+1
While the C based wasm language module inherits the process environment the Rust based wasm-wasi-component language module did not. One upshot of this is that with wasm-wasi-component you don't get access to any environment variables specified in the Unit configuration. wasm-wasi-component was based on wasmtime 17.0.0. This capability wasn't added to the wasmtime-crate until version 20.0.0. Now that wasm-wasi-component has been updated to a newer wasmtime-crate we can enable this functionality. Closes: https://github.com/nginx/unit/issues/1312 [ Commit message - Andrew ] Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-09-04wasm-wc: bump wasmtime to v24Ava Hahn3-299/+334
Signed-off-by: Ava Hahn <a.hahn@f5.com>
2024-08-28ci: Enable the wasm-wasi-component testsAndrew Clayton1-9/+14
We now have tests for this module via commit cad6aed52 ("Tests: initial "wasm-wasi-component" test"). We need to install cargo-component for this test target. Also the only way I found I could get this test to run was by running as non-root. The issue I was seeing was that despite cargo being installed into /home/runner/.cargo/bin *and* that being in the path, it kept claiming it couldn't find cargo. E.g. $ sudo -E echo $PATH Showed /home/runner/.cargo/bin in there. $ sudo -E /home/runner/.cargo/bin/cargo -V Worked. $ sudo -E cargo -V cargo command not found. (Also other oddities, despite claiming to be using bash, it couldn't find shell builtins like 'hash' and 'export', perhaps some Ubuntu weirdness...) However, no problem, there is *no* need for it run as root anyway so result! Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-28test/wasm-wc: Rename test_wasm_component.pyAndrew Clayton1-0/+0
Rename this to 'test_wasm-wasi-component.py' to match the language module name and the name as used in the CI. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-28test/wasm-wc: Target wasm32-wasip1Andrew Clayton1-1/+1
Changes are afoot... wasm32-wasi has been renamed wasm32-wasip1, there is also a wasm32-wasip2 (seems not yet fully realised) and wasm32-wasi is being kept clear for an eventual WASI 1.0 release. cargo-component targets wasm32-wasip1 by default and adapts the module to the preview2 version of WASI supported by the component model. This means that the component is now found under target/wasm32-wasip1/... Link: <https://doc.rust-lang.org/nightly/rustc/platform-support/wasm32-wasip1.html> Link: <https://github.com/bytecodealliance/cargo-component/blob/main/README.md#wasi-support> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-28tests: Fix `/status' endpoint to cater for listsAndrew Clayton1-1/+1
We can now get list objects from the /status endpoint in the case of having different versions of the same language module. That led to this error > return d1 - d2 E TypeError: unsupported operand type(s) for -: 'list' and 'list' We already cover a similar case for when we have simple strings so add this to that. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-28Added .gitignore for pkg/contrib/tarballsKonstantin Pavlov1-0/+2
This directory is needed for contribs to function.
2024-08-28Remove .hgignore filesAndrew Clayton2-9/+0
Probably not needed now... Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-28Remove .hgtagsAndrew Clayton1-43/+0
This is no longer needed since GitHub is our primary repository now. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-26Docker: leave artifacts when build targets succeedKonstantin Pavlov1-0/+2
2024-08-26Docker: introduce "slim" python imagesKonstantin Pavlov1-6/+14
Closes: https://github.com/nginx/unit/issues/1352
2024-08-26Docker: update Rust versionKonstantin Pavlov1-1/+1
2024-08-26Docker: bump Go versionsKonstantin Pavlov1-1/+1
2024-08-26socket: Prevent buffer under-read in nxt_inet_addr()Arjun1-0/+5
This was found via ASan. Given a listener address like ":" (or any address where the first character is a colon) we can end up under-reading the addr->start buffer here if (nxt_slow_path(*(buf + length - 1) == '.')) { due to length (essentially the position of the ":" in the string) being 0. Seeing as any address that starts with a ":" is invalid Unit config wise, we should simply reject the address if length == 0 in nxt_sockaddr_inet_parse(). Link: <https://clang.llvm.org/docs/AddressSanitizer.html> Signed-off-by: Arjun <pkillarjun@protonmail.com> [ Commit message - Andrew ] Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-26fuzzing: fixed harness bugArjun1-0/+10
False positive bug in harness due to improper use of the internal API. Fixes: a93d878 ("fuzzing: add fuzzing targets") Signed-off-by: Arjun <pkillarjun@protonmail.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-21docs/openapi: Add new config optionsAndrew Clayton1-0/+152
Add entries for the new 'backlog' and 'listen_threads' config options introduced in commits 57c88fd40 ("router: Make the number of router threads configurable") and 76489fb7e ("conf, router: Make the listen(2) backlog configurable"). Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-21docs/openapi: Fix brokennessAndrew Clayton1-43/+62
- Missing end quotes - Wrong indentation - Missing langMod parameter definition - Wrong type specification Fixes: ae4795aa1 ("docs/openapi: Add entries for the new /status/modules endpoint") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-20Tests: initial "wasm-wasi-component" testAndrei Zeliankou9-1/+283
2024-08-20ci/unitctl: Update pathsAndrew Clayton1-0/+1
unitctl makes use of 'docs/unit-openapi.yaml' so be sure to run these checks if that file changes. Fixes: 6d0880c99 ("Add unitctl build and release CI") Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-20tests: "if" option in http route matchZhidao HONG1-0/+57
2024-08-20http: Add "if" option to the "match" objectZhidao HONG2-4/+46
This feature allows users to specify conditions to check if one route is matched. It is used the same way as the "if" option in the access log. Example: { "match": { "if": "`${headers['User-Agent'].split('/')[0] == 'curl'}`" }, "action": { "return": 204 } }
2024-08-20http: Get rid of nxt_http_request_access_log()Zhidao HONG1-22/+5
2024-08-20http: Refactor out nxt_tstr_cond_t from the access log moduleZhidao HONG6-45/+80
This nxt_tstr_cond_t will be reused for the feature of adding "if" option to the "match" object. The two "if" options have the same usage.
2024-08-20var: Remove unused functions and structure fieldsZhidao HONG3-60/+0
2024-08-20http: Refactor access log writeZhidao HONG1-25/+11
2024-08-20http: Refactor static actionZhidao HONG1-28/+22
2024-08-20http: Refactor route pass queryZhidao HONG1-26/+15
2024-08-20http: Refactor return actionZhidao HONG1-28/+13
2024-08-20var: Restrict nxt_tstr_query() to only support synchronous operationZhidao HONG5-16/+15
Initially, variable query was designed to accomodate both synchronous and asynchronous operations. However, upon consideration of actual requirements, we recognized that asynchronous support was not needed. The refactoring ensures that the success or failure of the variable query operation is now directly indicated by its return value. This change streamlines the function's usage and enhances code clarity, as it facilitates immediate error handling without the need for asynchronous callbacks or additional error checking functions. Note the patch only works for Unit native variables but not njs variables.
2024-08-20conf, router: Make the listen(2) backlog configurableAndrew Clayton2-9/+50
@oopsoop2 on GitHub reported a performance issue related to the default listen(2) backlog size of 511 on nginx. They found that increasing it helped, nginx has a config option to configure this. They would like to be able to do the same on Unit (which also defaults to 511 on some systems). This seems reasonable. NOTE: On Linux before commit 97c15fa38 ("socket: Use a default listen backlog of -1 on Linux") we defaulted to 511. Since that commit we default to the Kernels default, which before 5.4 is 128 and after is 4096. This adds a new per-listener 'backlog' config option, e.g { "listeners": { "[::1]:8080": { "pass": "routes", "backlog": 1024 }, } ... } This doesn't effect the control socket. Closes: https://github.com/nginx/unit/issues/1384 Reported-by: <https://github.com/oopsoop2> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2024-08-19socket: Use a default listen backlog of -1 on LinuxAndrew Clayton1-4/+4
On FreeBSD, OpenBSD & macOS we use a default listen(2) backlog of -1 which means use the OS's default value. On Linux (and others) we used a hard coded value of 511, presumably due to this comment /* Linux, Solaris, and NetBSD treat negative value as 0. */ On Linux (at least since 2.4), this is wrong, Linux treats -1 (and so on) as use the OS's default (net.core.somaxconn). See this code in net/socket.c::__sys_listen() if ((unsigned int)backlog > somaxconn) backlog = somaxconn; On Linux prior to 5.4 somaxconn defaulted to 128, since 5.4 it defaults to 4096. We've had complaints that a listen backlog of 511 is too small. This would help in those cases. Unless they are on an old Kernel, in which case it's worse, but then the plan is to also make this configurable. This would effect RHEL 8, which is based on 4.10, however they seem to set somaxconn to 2048, so that's fine. Another advantage of using -1 is that we will automatically keep up to date with the kernels default value. Before this change $ ss -tunxlp | grep unit Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str LISTEN 0 511 /opt/unit/control.unit.sock.tmp 4302333 * 0 users:(("unitd",pid=18290,fd=6),("unitd",pid=18289,fd=6),("unitd",pid=18287,fd=6)) tcp LISTEN 0 511 127.0.0.1:8080 0.0.0.0:* users:(("unitd",pid=18290,fd=12)) tcp LISTEN 0 511 [::1]:8080 [::]:* users:(("unitd",pid=18290,fd=11)) After $ ss -tunxlp | grep unit Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process u_str LISTEN 0 4096 /opt/unit/control.unit.sock.tmp 5408464 * 0 users:(("unitd",pid=132442,fd=6),("unitd",pid=132441,fd=6),("unitd",pid=132439,fd=6)) tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("unitd",pid=132442,fd=12)) tcp LISTEN 0 4096 [::1]:8080 [::]:* users:(("unitd",pid=132442,fd=11)) Link: <https://github.com/nginx/unit/issues/1384> Link: <https://lore.kernel.org/netdev/20191030163620.140387-1-edumazet@google.com/> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>