summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)AuthorFilesLines
2023-04-06Docker: drop apt-get clean usage.Konstantin Pavlov1-1/+1
It's automatic in the Debian and Ubuntu containers: https://github.com/debuerreotype/debuerreotype/blob/5cf7949ecf1cec1afece267688bda64cd34a6817/scripts/debuerreotype-minimizing-config#L85-L109
2023-04-06Docker: explicitely set uid/gid to 999 for unit user.Konstantin Pavlov1-2/+2
This allows us to be consistent through possible updates of default settings used in distributions. Previous behaviour was uid/gid were chosen automatically based on what uids/gids are already taken on the system.
2023-04-06Packages: use groupadd/useradd on Debian-based operating systems.Konstantin Pavlov2-10/+8
addgroup/adduser will no longer be installed by default in the "minbase". Also, moving to lower-level utilities saves us one runtime dependency.
2023-04-06Docker: added OCI image-spec labels.Konstantin Pavlov1-1/+7
2023-04-06Docker: specified explicit variants of images to use.Konstantin Pavlov1-8/+17
This allows us to decide when to move to a newer underlying distribution version with our pace instead of relying on Docker Hub cadence.
2023-04-06Docker: dropped a leftover from a multi-stage build.Konstantin Pavlov1-1/+1
2023-04-10Docker: check out packaging tags.Konstantin Pavlov2-2/+5
This will ensure we're checking out source code that is close to what we have in binary packages. While at it, remove the checkout directory when it's no longer needed.
2023-03-28Docker: fixed git references.Konstantin Pavlov1-2/+2
2023-03-28Regenerated Dockerfiles.Konstantin Pavlov8-135/+99
2023-02-13Docker: bumped language versions.Konstantin Pavlov1-3/+3
2023-02-13Docker: limited the waiting time for control socket creation.Konstantin Pavlov1-2/+9
While at it, fixed a typo.
2023-02-13Docker: made dockerfiles use a single stage build process.Konstantin Pavlov2-35/+22
2023-02-13Docker: added a target to generate Docker library definition.Konstantin Pavlov1-1/+18
2023-02-13Docker: cleanup unused targets.Konstantin Pavlov1-20/+2
2023-02-28Added tag 1.29.1-1 for changeset e7b7f2bb04e8.Konstantin Pavlov1-0/+1
2023-02-28contrib: fixed njs make rule.1.29.1-1Konstantin Pavlov1-1/+1
2023-02-28Merged with the 1.29 branch.Konstantin Pavlov41-119/+679
2023-02-28Generated Dockerfiles for Unit 1.29.1.1.29.1Andrei Zeliankou8-8/+8
2023-02-28Added version 1.29.1 CHANGES.Andrei Zeliankou2-2/+23
2023-02-28Changes moved to the correct section.Andrei Zeliankou1-7/+7
2023-02-28Added missing fixes in changes.xml.Andrei Zeliankou1-0/+39
2023-02-27contrib: updated njs to 0.7.10.Konstantin Pavlov3-3/+3
2023-02-23Set a safer umask(2) when running as a daemon.Andrew Clayton1-3/+3
When running as a daemon. unit currently sets umask(0), i.e no umask. This is resulting in various directories being created with a mode of 0777, e.g rwxrwxrwx this is currently affecting cgroup and rootfs directories, which are being created with a mode of 0777, and when running as a daemon as there is no umask to restrict the permissions. This also affects the language modules (the umask is inherited over fork(2)) whereby unless something explicitly sets a umask, files and directories will be created with full permissions, 0666 (rw-rw-rw-)/ 0777 (rwxrwxrwx) respectively. This could be an unwitting security issue. My original idea was to just remove the umask(0) call and thus inherit the umask from the executing shell/program. However there was some concern about just inheriting whatever umask was in effect. Alex suggested that rather than simply removing the umask(0) call we change it to a value of 022 (which is a common default), which will result in directories and files with permissions at most of 0755 (rwxr-xr-x) & 0644 (rw-r--r--). If applications need some other umask set, they can (as they always have been able to) set their own umask(2). Suggested-by: Alejandro Colomar <alx.manpages@gmail.com> Reviewed-by: Liam Crilly <liam@nginx.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2023-02-22Isolation: rootfs: Set the sticky bit on the tmp directory.Andrew Clayton1-1/+1
When using the 'rootfs' isolation option, by default a tmpfs filesystem is mounted on tmp/. Currently this is mounted with a mode of 0777, i.e drwxrwxrwx. 3 root root 60 Feb 22 11:56 tmp however this should really have the sticky bit[0] set (as is per-normal for such directories) to prevent users from having free reign on the files contained within. What we really want is it mounted with a mode of 01777, i.e drwxrwxrwt. 3 root root 60 Feb 22 11:57 tmp [0]: To quote inode(7) "The sticky bit (S_ISVTX) on a directory means that a file in that directory can be renamed or deleted only by the owner of the file, by the owner of the directory, and by a privileged process." Reviewed-by: Liam Crilly <liam@nginx.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2023-02-21Tests: added Python tests with encoding.Andrei Zeliankou3-0/+98
2022-12-15Added tag 1.29.0-1 for changeset 2927b72847d4.Konstantin Pavlov1-0/+1
2022-12-15Docs: added changelog for Python 3.11.1.29.0-1Konstantin Pavlov2-2/+16
While at it, fixed changelogs generation for Python 3.10 as well.
2022-12-15Merged with the default branch.Konstantin Pavlov175-1373/+6357
2022-12-15Unit 1.29.0 release.Andrei Zeliankou1-0/+1
2022-12-15Generated Dockerfiles for Unit 1.29.0.1.29.0Andrei Zeliankou8-8/+8
2022-12-15Added version 1.29.0 CHANGES.Andrei Zeliankou2-2/+42
2022-12-15Reordered changes for 1.29.0 by significance (subjective).Andrei Zeliankou1-17/+23
2022-12-14Tools: Updated built-in 'setup-unit' help, README.md command lines.Artem Konev2-70/+69
2022-12-14Packages: Used a more common name for pkg-config.Konstantin Pavlov1-1/+1
pkg-config package is named differently on supported rpm-based systems: - Amazon Linux 2 has pkgconfig - Fedora has pkgconf-pkg-config - RHEL 7 has pkgconfig - RHEL 8 and 9 have pkgconfig-pkg-config What they share in common is they all provide 'pkgconfig', which we can use in the spec file so we don't have to specify it per-OS.
2022-12-14Tests: added tests for "path" option in isolation/cgroup.Andrei Zeliankou1-0/+123
2022-12-07Packages: added njs support.Konstantin Pavlov5-8/+30
2022-12-01Remove the nxt_getpid() alias.Andrew Clayton2-4/+1
Since the previous commit, nxt_getpid() is only ever aliased to getpid(2). nxt_getpid() was only used once in the code, while there are multiple direct uses of getpid(2) $ grep -r "getpid()" src/ src/nxt_unit.c: nxt_unit_pid = getpid(); src/nxt_process.c: nxt_pid = nxt_getpid(); src/nxt_process.c: nxt_pid = getpid(); src/nxt_lib.c: nxt_pid = getpid(); src/nxt_process.h:#define nxt_getpid() \ src/nxt_process.h:#define nxt_getpid() \ src/nxt_process.h: getpid() Just remove it and convert the _single_ instance of nxt_getpid() to getpid(2). Reviewed-by: Alejandro Colomar <alx@nginx.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2022-11-29Added contribs and njs.Konstantin Pavlov6-0/+168
2022-12-14Tools: Added subcommands to setup-unit.Alejandro Colomar1-211/+1400
This script combines the old setup-unit (as the repo-config command), with new functionality, to provide an easy welcome website for first-time users, and also some more commands that are useful for administrating a running unitd(8) instance. Suggested-by: Liam Crilly <liam@nginx.com> Cc: Konstantin Pavlov <thresh@nginx.com> Cc: Artem Konev <a.konev@f5.com> Cc: Timo Start <t.stark@nginx.com> Cc: Andrew Clayton <a.clayton@nginx.com> Signed-off-by: Alejandro Colomar <alx@nginx.com>
2022-12-14Tools: Added unitc.Liam Crilly2-0/+310
2022-12-14Python: Added "prefix" to configuration.OutOfFocus417-23/+472
This patch gives users the option to set a `"prefix"` attribute for Python applications, either at the top level or for specific `"target"`s. If the attribute is present, the value of `"prefix"` must be a string beginning with `"/"`. If the value of the `"prefix"` attribute is longer than 1 character and ends in `"/"`, the trailing `"/"` is stripped. The purpose of the `"prefix"` attribute is to set the `SCRIPT_NAME` context value for WSGI applications and the `root_path` context value for ASGI applications, allowing applications to properly route requests regardless of the path that the server uses to expose the application. The context value is only set if the request's URL path begins with the value of the `"prefix"` attribute. In all other cases, the `SCRIPT_NAME` or `root_path` values are not set. In addition, for WSGI applications, the value of `"prefix"` will be stripped from the beginning of the request's URL path before it is sent to the application. Reviewed-by: Andrei Zeliankou <zelenkov@nginx.com> Reviewed-by: Artem Konev <artem.konev@nginx.com> Signed-off-by: Alejandro Colomar <alx@nginx.com>
2022-12-14Removed dead code.OutOfFocus41-1/+0
Signed-off-by: Alejandro Colomar <alx@nginx.com>
2022-12-14Java: upgrading third-party components.Sergey A. Osokin4-24/+27
2022-12-13Docker: limited the waiting time for control socket removal.Konstantin Pavlov1-1/+15
Fixes https://github.com/nginx/unit/issues/728 Refs https://github.com/nginx/unit/issues/718
2022-12-13Regenerated Dockerfiles.Konstantin Pavlov2-4/+4
2022-12-07Docker: bumped language versions.Konstantin Pavlov1-2/+2
2022-12-13Tests: added tests for the large header buffer settings.Andrei Zeliankou1-0/+60
Added tests for the "large_header_buffer_size" and "large_header_buffers" configuration options.
2022-12-13Configuration: made large_header_buffers a valid setting.Andrew Clayton1-0/+3
This is an extension to the previous commit, which made large_header_buffer_size a valid configuration setting. This commit makes a related value, large_header_buffers, a valid configuration setting. While large_header_buffer_size effectively limits the maximum size of any single header (although unit will try to pack multiple headers into a buffer if they wholly fit). large_header_buffers limits how many of these 'large' buffers are available. It makes sense to also allow this to be user set. large_header_buffers is already set by the configuration system in nxt_router.c it just isn't set as a valid config option in nxt_conf_validation.c With this change users can set this option in their config if required by the following "settings": { "http": { "large_header_buffers": 8 } }, It retains its default value of 4 if this is not set. NOTE: This is being released as undocumented and subject to change as it exposes internal workings of unit. Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2022-12-13Configuration: made large_header_buffer_size a valid setting.Andrew Clayton1-0/+3
@JanMikes and @tagur87 on GitHub both reported issues with long URLs that were exceeding the 8192 byte large_header_buffer_size setting, which resulted in a HTTP 431 error (Request Header Fields Too Large). This can be resolved in the code by updating the following line in src/nxt_router.c::nxt_router_conf_create() skcf->large_header_buffer_size = 8192; However, requiring users to modify unit and install custom versions is less than ideal. We could increase the value, but to what? This commit takes the option of allowing the user to set this option in their config by making large_header_buffer_size a valid configuration setting. large_header_buffer_size is already set by the configuration system in nxt_router.c it just isn't set as a valid config option in nxt_conf_validation.c With this change users can set this option in their config if required by the following "settings": { "http": { "large_header_buffer_size": 16384 } }, It retains its default value of 8192 bytes if this is not set. With this commit, without the above setting or too low a value, with a long URL you get a 431 error. With the above setting set to a large enough value, the request is successful. NOTE: This setting really determines the maximum size of any single header _value_. Also, unit will try and place multiple values into a buffer _if_ they fully fit. NOTE: This is being released as undocumented and subject to change as it exposes internal workings of unit. Closes: <https://github.com/nginx/unit/issues/521> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
2022-12-12Tests: stop execution if can't unmount any filesystem.Andrei Zeliankou2-2/+15