bullseye

dfabcaad · nanahira · 8c9e91e5 · dfabcaad · dfabcaad · dfabcaad
Commit dfabcaad authored Aug 15, 2021 by nanahira
Showing with 220 additions and 0 deletions

.gitlab-ci.yml .gitlab-ci.yml +64 -0

Dockerfile Dockerfile +99 -0

docker-entrypoint.sh docker-entrypoint.sh +17 -0

haproxy.cfg haproxy.cfg +23 -0

haproxy.patch haproxy.patch +17 -0

No files found.
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+stages:
+  - build
+  - combine
+  - deploy
+variables:
+  GIT_DEPTH: "1"
+  CONTAINER_TEST_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+  CONTAINER_TEST_ARM_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-arm
+  CONTAINER_TEST_X86_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-x86
+  CONTAINER_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:latest
+before_script:
+  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+build-x86:
+  stage: build
+  tags: 
+    - docker
+  script:
+    - docker build --pull -t $CONTAINER_TEST_X86_IMAGE .
+    - docker push $CONTAINER_TEST_X86_IMAGE
+build-arm:
+  stage: build
+  tags: 
+    - docker-arm
+  script:
+    - docker build --pull -t $CONTAINER_TEST_ARM_IMAGE .
+    - docker push $CONTAINER_TEST_ARM_IMAGE
+combine:
+  stage: combine
+  tags:
+    - docker
+  script:
+    - docker pull $CONTAINER_TEST_X86_IMAGE
+    - docker pull $CONTAINER_TEST_ARM_IMAGE
+    - docker manifest create $CONTAINER_TEST_IMAGE --amend $CONTAINER_TEST_X86_IMAGE --amend $CONTAINER_TEST_ARM_IMAGE
+    - docker manifest push $CONTAINER_TEST_IMAGE
+deploy_latest:
+  stage: deploy
+  tags: 
+    - docker
+  script:
+    - docker pull $CONTAINER_TEST_IMAGE
+    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_RELEASE_IMAGE
+    - docker push $CONTAINER_RELEASE_IMAGE
+  only:
+    - master
+deploy_tag:
+  stage: deploy
+  tags: 
+    - docker
+  variables:
+    CONTAINER_TAG_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
+  script:
+    - docker pull $CONTAINER_TEST_IMAGE
+    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_TAG_IMAGE
+    - docker push $CONTAINER_TAG_IMAGE
+  only:
+    - tags
--- a/Dockerfile
+++ b/Dockerfile
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+FROM debian:bullseye-slim
+# roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
+RUN set -eux; \
+	groupadd --gid 99 --system haproxy; \
+	useradd \
+		--gid haproxy \
+		--home-dir /var/lib/haproxy \
+		--no-create-home \
+		--system \
+		--uid 99 \
+		haproxy
+ENV HAPROXY_VERSION 2.4.2
+ENV HAPROXY_URL https://www.haproxy.org/download/2.4/src/haproxy-2.4.2.tar.gz
+ENV HAPROXY_SHA256 edf9788f7f3411498e3d7b21777036b4dc14183e95c8e2ce7577baa0ea4ea2aa
+COPY haproxy.patch /tmp/
+# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
+RUN set -eux; \
+	\
+	savedAptMark="$(apt-mark showmanual)"; \
+	apt-get update && apt-get install -y --no-install-recommends \
+		ca-certificates \
+		gcc \
+		libc6-dev \
+		liblua5.3-dev \
+		libpcre2-dev \
+		libssl-dev \
+		make \
+		wget \
+		patch \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	wget -O haproxy.tar.gz "$HAPROXY_URL"; \
+	echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \
+	mkdir -p /usr/src/haproxy; \
+	tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1; \
+	rm haproxy.tar.gz; \
+	\
+	makeOpts=' \
+		TARGET=linux-glibc \
+		USE_GETADDRINFO=1 \
+		USE_LUA=1 LUA_INC=/usr/include/lua5.3 \
+		USE_OPENSSL=1 \
+		USE_PCRE2=1 USE_PCRE2_JIT=1 \
+		USE_PROMEX=1 \
+		\
+		EXTRA_OBJS=" \
+		" \
+	'; \
+# https://salsa.debian.org/haproxy-team/haproxy/-/commit/53988af3d006ebcbf2c941e34121859fd6379c70
+	dpkgArch="$(dpkg --print-architecture)"; \
+	case "$dpkgArch" in \
+		armel) makeOpts="$makeOpts ADDLIB=-latomic" ;; \
+	esac; \
+	\
+	nproc="$(nproc)"; \
+	patch -p1 -d /usr/src/haproxy < /tmp/haproxy.patch; \
+	eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \
+	eval "make -C /usr/src/haproxy install-bin $makeOpts"; \
+	\
+	mkdir -p /usr/local/etc/haproxy; \
+	cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \
+	rm -rf /usr/src/haproxy /tmp/haproxy.patch; \
+	\
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
+	find /usr/local -type f -executable -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+# smoke test
+	haproxy -v
+# https://www.haproxy.org/download/1.8/doc/management.txt
+# "4. Stopping and restarting HAProxy"
+# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
+# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
+STOPSIGNAL SIGUSR1
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+USER haproxy
+CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
+#!/bin/sh
+set -e
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- haproxy "$@"
+fi
+if [ "$1" = 'haproxy' ]; then
+	shift # "haproxy"
+	# if the user wants "haproxy", let's add a couple useful flags
+	#   -W  -- "master-worker mode" (similar to the old "haproxy-systemd-wrapper"; allows for reload via "SIGUSR2")
+	#   -db -- disables background mode
+	set -- haproxy -W -db "$@"
+fi
+exec "$@"
--- a/haproxy.cfg
+++ b/haproxy.cfg
+global
+    maxconn     100000
+    user        root
+defaults
+    mode                    tcp
+    log                     global
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          30m
+    timeout server          30m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 100000
+listen railgun
+    bind *:5000 transparent tfo
+    option transparent
+    server main *
+    source * # usesrc client
+    tcp-request content reject if LOCALHOST
--- a/haproxy.patch
+++ b/haproxy.patch
+diff -Naru original/src/proto_tcp.c patched/src/proto_tcp.c
+--- original/src/proto_tcp.c	2021-08-12 00:11:48.749316754 +0800
+++ patched/src/proto_tcp.c	2021-08-12 00:11:34.481568580 +0800
+@@ -502,6 +502,13 @@
+ 	if (global.tune.server_rcvbuf)
+                 setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &global.tune.server_rcvbuf, sizeof(global.tune.server_rcvbuf));
+#ifdef SO_MARK
+	int mark = getenv("HAPROXY_TCP_OUTBOUND_MARK") ? atoi(getenv("HAPROXY_TCP_OUTBOUND_MARK")) : 0;
+	if(mark)
+                setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark));
+#endif
+
+
+ 	addr = (conn->flags & CO_FL_SOCKS4) ? &srv->socks4_addr : conn->dst;
+ 	if (connect(fd, (const struct sockaddr *)addr, get_addr_len(addr)) == -1) {
+ 		if (errno == EINPROGRESS || errno == EALREADY) {