From c14a031c014aa2219aea2e73786f577300756f0b Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 11 Oct 2017 16:32:12 -0700 Subject: [PATCH] Refactor code to use a list of upstream URLs for fetching dists --- 2.2/Dockerfile | 115 ++++++++++++++++++++++------------------ 2.2/alpine/Dockerfile | 118 ++++++++++++++++++++++++------------------ 2.4/Dockerfile | 107 +++++++++++++++++++++++--------------- 2.4/alpine/Dockerfile | 110 ++++++++++++++++++++++++--------------- update.sh | 67 +++++++++++++----------- 5 files changed, 304 insertions(+), 213 deletions(-) diff --git a/2.2/Dockerfile b/2.2/Dockerfile index 2a266ef..cfb9c44 100644 --- a/2.2/Dockerfile +++ b/2.2/Dockerfile @@ -10,7 +10,7 @@ RUN mkdir -p "$HTTPD_PREFIX" \ WORKDIR $HTTPD_PREFIX # install httpd runtime dependencies -# https://httpd.apache.org/docs/2.4/install.html#requirements +# https://httpd.apache.org/docs/2.2/install.html#requirements RUN apt-get update \ && apt-get install -y --no-install-recommends \ libapr1 \ @@ -23,20 +23,23 @@ RUN apt-get update \ && rm -r /var/lib/apt/lists/* ENV HTTPD_VERSION 2.2.34 -ENV HTTPD_SHA1 829206394e238af0b800fc78d19c74ee466ecb23 +ENV HTTPD_SHA256 e53183d5dfac5740d768b4c9bea193b1099f4b06b57e5f28d7caaf9ea7498160 -# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 -ENV HTTPD_BZ2_URL https://www.apache.org/dyn/closer.cgi?action=download&filename=httpd/httpd-$HTTPD_VERSION.tar.bz2 -# not all the mirrors actually carry the .asc files :'( -ENV HTTPD_ASC_URL https://www.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +# https://httpd.apache.org/security/vulnerabilities_22.html +ENV HTTPD_PATCHES="CVE-2017-9798-patch-2.2.patch 42c610f8a8f8d4d08664db6d9857120c2c252c9b388d56f238718854e6013e46" -# if the version is outdated, we have to pull from the archive :/ -ENV HTTPD_BZ2_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2 -ENV HTTPD_ASC_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +ENV APACHE_DIST_URLS \ +# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 + https://www.apache.org/dyn/closer.cgi?action=download&filename= \ +# if the version is outdated (or we're grabbing the .asc file), we might have to pull from the dist/archive :/ + https://www-us.apache.org/dist/ \ + https://www.apache.org/dist/ \ + https://archive.apache.org/dist/ # see https://httpd.apache.org/docs/2.2/install.html#requirements -RUN set -x \ - && buildDeps=' \ +RUN set -eux; \ + \ + buildDeps=' \ bzip2 \ ca-certificates \ dpkg-dev \ @@ -45,58 +48,72 @@ RUN set -x \ libssl-dev \ make \ wget \ - ' \ - && apt-get update \ - && apt-get install -y --no-install-recommends $buildDeps \ - && rm -r /var/lib/apt/lists/* \ + '; \ + apt-get update; \ + apt-get install -y --no-install-recommends -V $buildDeps; \ + rm -r /var/lib/apt/lists/*; \ + \ + ddist() { \ + local f="$1"; shift; \ + local distFile="$1"; shift; \ + local success=; \ + local distUrl=; \ + for distUrl in $APACHE_DIST_URLS; do \ + if wget -O "$f" "$distUrl$distFile"; then \ + success=1; \ + break; \ + fi; \ + done; \ + [ -n "$success" ]; \ + }; \ + \ + ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2"; \ + echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -; \ \ - && { \ - wget -O httpd.tar.bz2 "$HTTPD_BZ2_URL" \ - || wget -O httpd.tar.bz2 "$HTTPD_BZ2_FALLBACK_URL" \ - ; } \ - && echo "$HTTPD_SHA1 *httpd.tar.bz2" | sha1sum -c - \ # see https://httpd.apache.org/download.cgi#verify - && { \ - wget -O httpd.tar.bz2.asc "$HTTPD_ASC_URL" \ - || wget -O httpd.tar.bz2.asc "$HTTPD_ASC_FALLBACK_URL" \ - ; } \ - && export GNUPGHOME="$(mktemp -d)" \ - && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B1B96F45DFBDCCF974019235193F180AB55D9977 \ - && gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2 \ - && rm -rf "$GNUPGHOME" httpd.tar.bz2.asc \ + ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B1B96F45DFBDCCF974019235193F180AB55D9977; \ + gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2; \ + rm -rf "$GNUPGHOME" httpd.tar.bz2.asc; \ + \ + mkdir -p src; \ + tar -xf httpd.tar.bz2 -C src --strip-components=1; \ + rm httpd.tar.bz2; \ + cd src; \ \ - && mkdir -p src \ - && tar -xf httpd.tar.bz2 -C src --strip-components=1 \ - && rm httpd.tar.bz2 \ - && cd src \ + patches() { \ + while [ "$#" -gt 0 ]; do \ + local patchFile="$1"; shift; \ + local patchSha256="$1"; shift; \ + ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \ + echo "$patchSha256 *$patchFile" | sha256sum -c -; \ + patch -p0 < "$patchFile"; \ + rm -f "$patchFile"; \ + done; \ + }; \ + patches $HTTPD_PATCHES; \ \ -# Apply source patches - && { \ - wget -O CVE-2017-9798-patch-2.2.patch "https://www-us.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch" \ - && echo "42c610f8a8f8d4d08664db6d9857120c2c252c9b388d56f238718854e6013e46 CVE-2017-9798-patch-2.2.patch" | sha256sum -c - \ - && patch -p0 < CVE-2017-9798-patch-2.2.patch \ - && rm CVE-2017-9798-patch-2.2.patch \ - ; } \ -# End source patch list - && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - && ./configure \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ --build="$gnuArch" \ --prefix="$HTTPD_PREFIX" \ # https://httpd.apache.org/docs/2.2/programs/configure.html # Caveat: --enable-mods-shared=all does not actually build all modules. To build all modules then, one might use: --enable-mods-shared='all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache' \ - && make -j "$(nproc)" \ - && make install \ + ; \ + make -j "$(nproc)"; \ + make install; \ \ - && cd .. \ - && rm -r src man manual \ + cd ..; \ + rm -r src man manual; \ \ - && sed -ri \ + sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \ -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \ - "$HTTPD_PREFIX/conf/httpd.conf" \ + "$HTTPD_PREFIX/conf/httpd.conf"; \ \ - && apt-get purge -y --auto-remove $buildDeps + apt-get purge -y --auto-remove $buildDeps COPY httpd-foreground /usr/local/bin/ diff --git a/2.2/alpine/Dockerfile b/2.2/alpine/Dockerfile index 75f8732..cc86b23 100644 --- a/2.2/alpine/Dockerfile +++ b/2.2/alpine/Dockerfile @@ -20,26 +20,29 @@ RUN mkdir -p "$HTTPD_PREFIX" \ WORKDIR $HTTPD_PREFIX ENV HTTPD_VERSION 2.2.34 -ENV HTTPD_SHA1 829206394e238af0b800fc78d19c74ee466ecb23 +ENV HTTPD_SHA256 e53183d5dfac5740d768b4c9bea193b1099f4b06b57e5f28d7caaf9ea7498160 -# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 -ENV HTTPD_BZ2_URL https://www.apache.org/dyn/closer.cgi?action=download&filename=httpd/httpd-$HTTPD_VERSION.tar.bz2 -# not all the mirrors actually carry the .asc files :'( -ENV HTTPD_ASC_URL https://www.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +# https://httpd.apache.org/security/vulnerabilities_22.html +ENV HTTPD_PATCHES="CVE-2017-9798-patch-2.2.patch 42c610f8a8f8d4d08664db6d9857120c2c252c9b388d56f238718854e6013e46" -# if the version is outdated, we have to pull from the archive :/ -ENV HTTPD_BZ2_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2 -ENV HTTPD_ASC_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +ENV APACHE_DIST_URLS \ +# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 + https://www.apache.org/dyn/closer.cgi?action=download&filename= \ +# if the version is outdated (or we're grabbing the .asc file), we might have to pull from the dist/archive :/ + https://www-us.apache.org/dist/ \ + https://www.apache.org/dist/ \ + https://archive.apache.org/dist/ # see https://httpd.apache.org/docs/2.2/install.html#requirements -RUN set -x \ - && runDeps=' \ +RUN set -eux; \ + \ + runDeps=' \ apr-dev \ apr-util-dev \ apr-util-ldap \ perl \ - ' \ - && apk add --no-cache --virtual .build-deps \ + '; \ + apk add --no-cache --virtual .build-deps \ $runDeps \ ca-certificates \ coreutils \ @@ -52,61 +55,78 @@ RUN set -x \ openssl-dev \ pcre-dev \ tar \ +# install GNU wget (Busybox wget in Alpine 3.4 gives us "wget: error getting response: Connection reset by peer" for some reason) + wget \ + ; \ + \ + ddist() { \ + local f="$1"; shift; \ + local distFile="$1"; shift; \ + local success=; \ + local distUrl=; \ + for distUrl in $APACHE_DIST_URLS; do \ + if wget -O "$f" "$distUrl$distFile"; then \ + success=1; \ + break; \ + fi; \ + done; \ + [ -n "$success" ]; \ + }; \ + \ + ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2"; \ + echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -; \ \ - && { \ - wget -O httpd.tar.bz2 "$HTTPD_BZ2_URL" \ - || wget -O httpd.tar.bz2 "$HTTPD_BZ2_FALLBACK_URL" \ - ; } \ - && echo "$HTTPD_SHA1 *httpd.tar.bz2" | sha1sum -c - \ # see https://httpd.apache.org/download.cgi#verify - && { \ - wget -O httpd.tar.bz2.asc "$HTTPD_ASC_URL" \ - || wget -O httpd.tar.bz2.asc "$HTTPD_ASC_FALLBACK_URL" \ - ; } \ - && export GNUPGHOME="$(mktemp -d)" \ - && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B1B96F45DFBDCCF974019235193F180AB55D9977 \ - && gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2 \ - && rm -rf "$GNUPGHOME" httpd.tar.bz2.asc \ + ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B1B96F45DFBDCCF974019235193F180AB55D9977; \ + gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2; \ + rm -rf "$GNUPGHOME" httpd.tar.bz2.asc; \ + \ + mkdir -p src; \ + tar -xf httpd.tar.bz2 -C src --strip-components=1; \ + rm httpd.tar.bz2; \ + cd src; \ \ - && mkdir -p src \ - && tar -xf httpd.tar.bz2 -C src --strip-components=1 \ - && rm httpd.tar.bz2 \ - && cd src \ + patches() { \ + while [ "$#" -gt 0 ]; do \ + local patchFile="$1"; shift; \ + local patchSha256="$1"; shift; \ + ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \ + echo "$patchSha256 *$patchFile" | sha256sum -c -; \ + patch -p0 < "$patchFile"; \ + rm -f "$patchFile"; \ + done; \ + }; \ + patches $HTTPD_PATCHES; \ \ -# Apply source patches - && { \ - wget -O CVE-2017-9798-patch-2.2.patch "https://www-us.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch" \ - && echo "42c610f8a8f8d4d08664db6d9857120c2c252c9b388d56f238718854e6013e46 CVE-2017-9798-patch-2.2.patch" | sha256sum -c - \ - && patch -p0 < CVE-2017-9798-patch-2.2.patch \ - && rm CVE-2017-9798-patch-2.2.patch \ - ; } \ -# End source patch list - && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - && ./configure \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ --build="$gnuArch" \ --prefix="$HTTPD_PREFIX" \ # https://httpd.apache.org/docs/2.2/programs/configure.html # Caveat: --enable-mods-shared=all does not actually build all modules. To build all modules then, one might use: --enable-mods-shared='all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache' \ - && make -j "$(nproc)" \ - && make install \ + ; \ + make -j "$(nproc)"; \ + make install; \ \ - && cd .. \ - && rm -r src man manual \ + cd ..; \ + rm -r src man manual; \ \ - && sed -ri \ + sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \ -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \ - "$HTTPD_PREFIX/conf/httpd.conf" \ + "$HTTPD_PREFIX/conf/httpd.conf"; \ \ - && runDeps="$runDeps $( \ + runDeps="$runDeps $( \ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ | tr ',' '\n' \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ - )" \ - && apk add --virtual .httpd-rundeps $runDeps \ - && apk del .build-deps + )"; \ + apk add --virtual .httpd-rundeps $runDeps; \ + apk del .build-deps COPY httpd-foreground /usr/local/bin/ diff --git a/2.4/Dockerfile b/2.4/Dockerfile index 169fa04..6bd2eab 100644 --- a/2.4/Dockerfile +++ b/2.4/Dockerfile @@ -45,22 +45,25 @@ RUN apt-get update \ && rm -r /var/lib/apt/lists/* ENV HTTPD_VERSION 2.4.28 -ENV HTTPD_SHA1 0b37522b808dcee72e1d56d656b0def530b820a2 +ENV HTTPD_SHA256 c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666 -# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 -ENV HTTPD_BZ2_URL https://www.apache.org/dyn/closer.cgi?action=download&filename=httpd/httpd-$HTTPD_VERSION.tar.bz2 -# not all the mirrors actually carry the .asc files :'( -ENV HTTPD_ASC_URL https://www.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +# https://httpd.apache.org/security/vulnerabilities_24.html +ENV HTTPD_PATCHES="" -# if the version is outdated, we have to pull from the archive :/ -ENV HTTPD_BZ2_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2 -ENV HTTPD_ASC_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +ENV APACHE_DIST_URLS \ +# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 + https://www.apache.org/dyn/closer.cgi?action=download&filename= \ +# if the version is outdated (or we're grabbing the .asc file), we might have to pull from the dist/archive :/ + https://www-us.apache.org/dist/ \ + https://www.apache.org/dist/ \ + https://archive.apache.org/dist/ # see https://httpd.apache.org/docs/2.4/install.html#requirements -RUN set -x \ +RUN set -eux; \ + \ # mod_http2 mod_lua mod_proxy_html mod_xml2enc # https://anonscm.debian.org/cgit/pkg-apache/apache2.git/tree/debian/control?id=adb6f181257af28ee67af15fc49d2699a0080d4c - && buildDeps=" \ + buildDeps=" \ bzip2 \ ca-certificates \ dpkg-dev \ @@ -73,50 +76,70 @@ RUN set -x \ zlib1g-dev \ make \ wget \ - " \ - && apt-get update \ - && apt-get install -y --no-install-recommends -V $buildDeps \ - && rm -r /var/lib/apt/lists/* \ + "; \ + apt-get update; \ + apt-get install -y --no-install-recommends -V $buildDeps; \ + rm -r /var/lib/apt/lists/*; \ + \ + ddist() { \ + local f="$1"; shift; \ + local distFile="$1"; shift; \ + local success=; \ + local distUrl=; \ + for distUrl in $APACHE_DIST_URLS; do \ + if wget -O "$f" "$distUrl$distFile"; then \ + success=1; \ + break; \ + fi; \ + done; \ + [ -n "$success" ]; \ + }; \ + \ + ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2"; \ + echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -; \ \ - && { \ - wget -O httpd.tar.bz2 "$HTTPD_BZ2_URL" \ - || wget -O httpd.tar.bz2 "$HTTPD_BZ2_FALLBACK_URL" \ - ; } \ - && echo "$HTTPD_SHA1 *httpd.tar.bz2" | sha1sum -c - \ # see https://httpd.apache.org/download.cgi#verify - && { \ - wget -O httpd.tar.bz2.asc "$HTTPD_ASC_URL" \ - || wget -O httpd.tar.bz2.asc "$HTTPD_ASC_FALLBACK_URL" \ - ; } \ - && export GNUPGHOME="$(mktemp -d)" \ - && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A93D62ECC3C8EA12DB220EC934EA76E6791485A8 \ - && gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2 \ - && rm -rf "$GNUPGHOME" httpd.tar.bz2.asc \ + ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A93D62ECC3C8EA12DB220EC934EA76E6791485A8; \ + gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2; \ + rm -rf "$GNUPGHOME" httpd.tar.bz2.asc; \ + \ + mkdir -p src; \ + tar -xf httpd.tar.bz2 -C src --strip-components=1; \ + rm httpd.tar.bz2; \ + cd src; \ \ - && mkdir -p src \ - && tar -xf httpd.tar.bz2 -C src --strip-components=1 \ - && rm httpd.tar.bz2 \ - && cd src \ + patches() { \ + while [ "$#" -gt 0 ]; do \ + local patchFile="$1"; shift; \ + local patchSha256="$1"; shift; \ + ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \ + echo "$patchSha256 *$patchFile" | sha256sum -c -; \ + patch -p0 < "$patchFile"; \ + rm -f "$patchFile"; \ + done; \ + }; \ + patches $HTTPD_PATCHES; \ \ -# Apply source patches -# End source patch list - && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - && ./configure \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ --build="$gnuArch" \ --prefix="$HTTPD_PREFIX" \ --enable-mods-shared=reallyall \ - && make -j "$(nproc)" \ - && make install \ + ; \ + make -j "$(nproc)"; \ + make install; \ \ - && cd .. \ - && rm -r src man manual \ + cd ..; \ + rm -r src man manual; \ \ - && sed -ri \ + sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \ -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \ - "$HTTPD_PREFIX/conf/httpd.conf" \ + "$HTTPD_PREFIX/conf/httpd.conf"; \ \ - && apt-get purge -y --auto-remove $buildDeps + apt-get purge -y --auto-remove $buildDeps COPY httpd-foreground /usr/local/bin/ diff --git a/2.4/alpine/Dockerfile b/2.4/alpine/Dockerfile index 9653d33..79a3784 100644 --- a/2.4/alpine/Dockerfile +++ b/2.4/alpine/Dockerfile @@ -16,26 +16,29 @@ RUN mkdir -p "$HTTPD_PREFIX" \ WORKDIR $HTTPD_PREFIX ENV HTTPD_VERSION 2.4.28 -ENV HTTPD_SHA1 0b37522b808dcee72e1d56d656b0def530b820a2 +ENV HTTPD_SHA256 c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666 -# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 -ENV HTTPD_BZ2_URL https://www.apache.org/dyn/closer.cgi?action=download&filename=httpd/httpd-$HTTPD_VERSION.tar.bz2 -# not all the mirrors actually carry the .asc files :'( -ENV HTTPD_ASC_URL https://www.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +# https://httpd.apache.org/security/vulnerabilities_24.html +ENV HTTPD_PATCHES="" -# if the version is outdated, we have to pull from the archive :/ -ENV HTTPD_BZ2_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2 -ENV HTTPD_ASC_FALLBACK_URL https://archive.apache.org/dist/httpd/httpd-$HTTPD_VERSION.tar.bz2.asc +ENV APACHE_DIST_URLS \ +# https://issues.apache.org/jira/browse/INFRA-8753?focusedCommentId=14735394#comment-14735394 + https://www.apache.org/dyn/closer.cgi?action=download&filename= \ +# if the version is outdated (or we're grabbing the .asc file), we might have to pull from the dist/archive :/ + https://www-us.apache.org/dist/ \ + https://www.apache.org/dist/ \ + https://archive.apache.org/dist/ # see https://httpd.apache.org/docs/2.4/install.html#requirements -RUN set -x \ - && runDeps=' \ +RUN set -eux; \ + \ + runDeps=' \ apr-dev \ apr-util-dev \ apr-util-ldap \ perl \ - ' \ - && apk add --no-cache --virtual .build-deps \ + '; \ + apk add --no-cache --virtual .build-deps \ $runDeps \ ca-certificates \ coreutils \ @@ -57,53 +60,74 @@ RUN set -x \ tar \ # mod_deflate zlib-dev \ + ; \ + \ + ddist() { \ + local f="$1"; shift; \ + local distFile="$1"; shift; \ + local success=; \ + local distUrl=; \ + for distUrl in $APACHE_DIST_URLS; do \ + if wget -O "$f" "$distUrl$distFile"; then \ + success=1; \ + break; \ + fi; \ + done; \ + [ -n "$success" ]; \ + }; \ + \ + ddist 'httpd.tar.bz2' "httpd/httpd-$HTTPD_VERSION.tar.bz2"; \ + echo "$HTTPD_SHA256 *httpd.tar.bz2" | sha256sum -c -; \ \ - && { \ - wget -O httpd.tar.bz2 "$HTTPD_BZ2_URL" \ - || wget -O httpd.tar.bz2 "$HTTPD_BZ2_FALLBACK_URL" \ - ; } \ - && echo "$HTTPD_SHA1 *httpd.tar.bz2" | sha1sum -c - \ # see https://httpd.apache.org/download.cgi#verify - && { \ - wget -O httpd.tar.bz2.asc "$HTTPD_ASC_URL" \ - || wget -O httpd.tar.bz2.asc "$HTTPD_ASC_FALLBACK_URL" \ - ; } \ - && export GNUPGHOME="$(mktemp -d)" \ - && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A93D62ECC3C8EA12DB220EC934EA76E6791485A8 \ - && gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2 \ - && rm -rf "$GNUPGHOME" httpd.tar.bz2.asc \ + ddist 'httpd.tar.bz2.asc' "httpd/httpd-$HTTPD_VERSION.tar.bz2.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A93D62ECC3C8EA12DB220EC934EA76E6791485A8; \ + gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2; \ + rm -rf "$GNUPGHOME" httpd.tar.bz2.asc; \ + \ + mkdir -p src; \ + tar -xf httpd.tar.bz2 -C src --strip-components=1; \ + rm httpd.tar.bz2; \ + cd src; \ \ - && mkdir -p src \ - && tar -xf httpd.tar.bz2 -C src --strip-components=1 \ - && rm httpd.tar.bz2 \ - && cd src \ + patches() { \ + while [ "$#" -gt 0 ]; do \ + local patchFile="$1"; shift; \ + local patchSha256="$1"; shift; \ + ddist "$patchFile" "httpd/patches/apply_to_$HTTPD_VERSION/$patchFile"; \ + echo "$patchSha256 *$patchFile" | sha256sum -c -; \ + patch -p0 < "$patchFile"; \ + rm -f "$patchFile"; \ + done; \ + }; \ + patches $HTTPD_PATCHES; \ \ -# Apply source patches -# End source patch list - && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - && ./configure \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ --build="$gnuArch" \ --prefix="$HTTPD_PREFIX" \ --enable-mods-shared=reallyall \ - && make -j "$(nproc)" \ - && make install \ + ; \ + make -j "$(nproc)"; \ + make install; \ \ - && cd .. \ - && rm -r src man manual \ + cd ..; \ + rm -r src man manual; \ \ - && sed -ri \ + sed -ri \ -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \ -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \ - "$HTTPD_PREFIX/conf/httpd.conf" \ + "$HTTPD_PREFIX/conf/httpd.conf"; \ \ - && runDeps="$runDeps $( \ + runDeps="$runDeps $( \ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ | tr ',' '\n' \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ - )" \ - && apk add --virtual .httpd-rundeps $runDeps \ - && apk del .build-deps + )"; \ + apk add --virtual .httpd-rundeps $runDeps; \ + apk del .build-deps COPY httpd-foreground /usr/local/bin/ diff --git a/update.sh b/update.sh index cb50345..a353c6f 100755 --- a/update.sh +++ b/update.sh @@ -9,40 +9,47 @@ if [ ${#versions[@]} -eq 0 ]; then fi versions=( "${versions[@]%/}" ) -nghttp2VersionDebian="$(docker run -i --rm debian:stretch-slim bash -c 'apt-get update -qq && apt-cache show "$@"' -- "libnghttp2-dev" |tac|tac| awk -F ': ' '$1 == "Version" { print $2; exit }')" -opensslVersionDebian="$(docker run -i --rm debian:jessie-backports bash -c 'apt-get update -qq && apt-cache show "$@"' -- "openssl" |tac|tac| awk -F ': ' '$1 == "Version" { print $2; exit }')" +nghttp2VersionDebian="$(docker run -i --rm debian:stretch-slim bash -c 'apt-get update -qq && apt-cache show "$@"' -- 'libnghttp2-dev' |tac|tac| awk -F ': ' '$1 == "Version" { print $2; exit }')" +opensslVersionDebian="$(docker run -i --rm debian:jessie-backports bash -c 'apt-get update -qq && apt-cache show "$@"' -- 'openssl' |tac|tac| awk -F ': ' '$1 == "Version" { print $2; exit }')" travisEnv= for version in "${versions[@]}"; do - fullVersion="$(curl -sSL --compressed "https://www-us.apache.org/dist/httpd/" | grep -E ' $patchInsert - if curl -fsIo /dev/null "$patchUrl/"; then - patchFiles="$(curl -fssL "$patchUrl/?C=M;O=A" | grep -E 'Source code patch$' | sed -r 's!.*> $patchInsert - echo " wget -O ${patch} \"$patchUrl/$patch\" \\" >> $patchInsert - echo " && echo \"${psum} ${patch}\" | sha256sum -c - \\" >> $patchInsert - echo " && patch -p0 < ${patch} \\" >>$patchInsert - echo " && rm ${patch} \\" >> $patchInsert - echo " ; } \\" >> $patchInsert - done + fullVersion="$( + wget -qO- "https://www-us.apache.org/dist/httpd/" \ + | grep -E '> $patchInsert - ( - set -x - sed -ri \ - -e 's/^(ENV HTTPD_VERSION) .*/\1 '"$fullVersion"'/' \ - -e 's/^(ENV HTTPD_SHA1) .*/\1 '"$sha1"'/' \ - -e 's/^(ENV NGHTTP2_VERSION) .*/\1 '"$nghttp2VersionDebian"'/' \ - -e 's/^(ENV OPENSSL_VERSION) .*/\1 '"$opensslVersionDebian"'/' \ - -e '/# Apply source patches/{:a;N;/# End source patch list/!ba;' -e 'r '"$patchInsert" -e 'd;};' \ - "$version/Dockerfile" "$version"/*/Dockerfile - ) - rm $patchInsert + + sed -ri \ + -e 's/^(ENV HTTPD_VERSION) .*/\1 '"$fullVersion"'/' \ + -e 's/^(ENV HTTPD_SHA256) .*/\1 '"$sha256"'/' \ + -e 's/^(ENV NGHTTP2_VERSION) .*/\1 '"$nghttp2VersionDebian"'/' \ + -e 's/^(ENV OPENSSL_VERSION) .*/\1 '"$opensslVersionDebian"'/' \ + -e 's/^(ENV HTTPD_PATCHES=").*(")$/\1'"${patches[*]}"'\2/' \ + "$version/Dockerfile" "$version"/*/Dockerfile for variant in alpine; do travisEnv='\n - VERSION='"$version VARIANT=$variant$travisEnv"