sclorg / httpd-container

Apache HTTP container images based on Red Hat Software Collections and intended for OpenShift and general usage. Users can choose between Red Hat Enterprise Linux, Fedora, and CentOS based images.
http://softwarecollections.org
Apache License 2.0

Support c10s in httpd-container #224

Closed phracek closed 1 month ago

phracek commented 1 month ago

This pull request adds support for C10S and it is separated into multiple commits.

phracek commented 1 month ago

Diff between Dockerfile.fedora and Dockerfile.c10s:

$ diff -u 2.4/Dockerfile.fedora 2.4/Dockerfile.c10s
--- 2.4/Dockerfile.fedora   2024-08-07 09:58:46
+++ 2.4/Dockerfile.c10s 2024-08-07 10:29:17
@@ -1,12 +1,12 @@
-FROM quay.io/fedora/s2i-core:40
+FROM quay.io/sclorg/s2i-core-c10s:c10s

 # Apache HTTP Server image.
 #
 # Volumes:
 #  * /var/www - Datastore for httpd
-#  * /var/log/httpd - Storage for logs when $HTTPD_LOG_TO_VOLUME is set
+#  * /var/log/httpd24 - Storage for logs when $HTTPD_LOG_TO_VOLUME is set
 # Environment:
-#  * $HTTPD_LOG_TO_VOLUME (optional) - When set, httpd will log into /var/log/httpd
+#  * $HTTPD_LOG_TO_VOLUME (optional) - When set, httpd will log into /var/log/httpd24

 ENV HTTPD_VERSION=2.4 \
     HTTPD_SHORT_VERSION=24 \
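
Review bot: the new `FROM quay.io/sclorg/s2i-core-c10s:c10s` line uses a tag that names only the stream, not a particular build, so the base layer can change underneath this Dockerfile without any change showing up in review. Consider pinning the base image by digest (or a dated tag) so rebuilds are reproducible and a base-image update is an explicit, reviewable change. Please also confirm that `/var/log/httpd24`, now named in both comment lines, is the directory the image's scripts actually use for `$HTTPD_LOG_TO_VOLUME` on this variant.
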
@@ -22,25 +22,25 @@

 LABEL summary="$SUMMARY" \
       description="$DESCRIPTION" \
-      io.k8s.description="$SUMMARY" \
+      io.k8s.description="$DESCRIPTION" \
       io.k8s.display-name="Apache httpd $HTTPD_VERSION" \
       io.openshift.expose-services="8080:http,8443:https" \
-      io.openshift.tags="builder,$NAME,$NAME24" \
-      com.redhat.component="$NAME" \
-      name="fedora/$NAME-$HTTPD_SHORT_VERSION" \
-      version="$HTTPD_VERSION" \
-      usage="s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ quya.io/fedora/$NAME-$HTTPD_SHORT_VERSION sample-server" \
+      io.openshift.tags="builder,$NAME,$NAME-$HTTPD_SHORT_VERSION" \
+      name="sclorg/$NAME-$HTTPD_SHORT_VERSION-c10s" \
+      version="1" \
+      com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#rhel" \
+      com.redhat.component="httpd-24-container" \
+      usage="s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ quay.io/sclorg/$NAME-$HTTPD_SHORT_VERSION-c10s sample-server" \
       maintainer="SoftwareCollections.org <sclorg@redhat.com>"

 EXPOSE 8080
 EXPOSE 8443

-RUN dnf install -y yum-utils gettext hostname && \
-    INSTALL_PKGS="nss_wrapper bind-utils httpd mod_ssl mod_ldap mod_session mod_security sscg" && \
+RUN INSTALL_PKGS="gettext hostname nss_wrapper bind-utils httpd mod_ssl mod_ldap mod_session sscg" && \
     dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS && \
     httpd -v | grep -qe "Apache/$HTTPD_VERSION" && echo "Found VERSION $HTTPD_VERSION" && \
-    dnf clean all
+    dnf -y clean all --enablerepo='*'

 ENV HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
     HTTPD_APP_ROOT=${APP_ROOT} \
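
Review bot: in the rewritten `INSTALL_PKGS` line, `mod_security` disappears along with `yum-utils` and nothing is added in its place, so this variant ships without the web application firewall module that the Fedora image installs. A configuration that relies on that module will not work on this image, which is a security-relevant difference between variants that share the same Dockerfile layout. Please state the removal in the README for this variant and consider a test that asserts the expected module set. Separately, the `version` label changes from `$HTTPD_VERSION` to the literal `"1"`; a short comment explaining what that label now tracks would help.
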
@@ -57,7 +57,6 @@
 COPY 2.4/s2i/bin/ $STI_SCRIPTS_PATH
 COPY 2.4/root /

-# Generate SSL certs and reset permissions of filesystem to default values
 # Reset permissions of filesystem to default values
 RUN /usr/libexec/httpd-prepare && rpm-file-permissions

Diff between C9S and C10S:

$ diff -u 2.4/Dockerfile.c9s 2.4/Dockerfile.c10s
--- 2.4/Dockerfile.c9s  2024-04-22 12:11:03
+++ 2.4/Dockerfile.c10s 2024-08-07 10:29:17
@@ -1,4 +1,4 @@
-FROM quay.io/sclorg/s2i-core-c9s:c9s
+FROM quay.io/sclorg/s2i-core-c10s:c10s

 # Apache HTTP Server image.
 #
@@ -8,7 +8,10 @@
 # Environment:
 #  * $HTTPD_LOG_TO_VOLUME (optional) - When set, httpd will log into /var/log/httpd24

-ENV HTTPD_VERSION=2.4
+ENV HTTPD_VERSION=2.4 \
+    HTTPD_SHORT_VERSION=24 \
+    NAME=httpd \
+    ARCH=x86_64

 ENV SUMMARY="Platform for running Apache httpd $HTTPD_VERSION or building httpd-based application" \
     DESCRIPTION="Apache httpd $HTTPD_VERSION available as container, is a powerful, efficient, \
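
Review bot: the added `ARCH=x86_64` in the `ENV` block is hard-coded, and none of the visible lines in this diff reads `$ARCH`. If the value feeds a label or a script elsewhere, a build on another architecture would carry the wrong value; if it is unused, it is better dropped. Either derive it at build time or leave it out.
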
@@ -22,22 +25,22 @@
       io.k8s.description="$DESCRIPTION" \
       io.k8s.display-name="Apache httpd $HTTPD_VERSION" \
       io.openshift.expose-services="8080:http,8443:https" \
-      io.openshift.tags="builder,httpd,httpd-24" \
-      name="sclorg/httpd-24-c9s" \
+      io.openshift.tags="builder,$NAME,$NAME-$HTTPD_SHORT_VERSION" \
+      name="sclorg/$NAME-$HTTPD_SHORT_VERSION-c10s" \
       version="1" \
       com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#rhel" \
       com.redhat.component="httpd-24-container" \
-      usage="s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ quay.io/sclorg/httpd-24-c9s sample-server" \
+      usage="s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ quay.io/sclorg/$NAME-$HTTPD_SHORT_VERSION-c10s sample-server" \
       maintainer="SoftwareCollections.org <sclorg@redhat.com>"

 EXPOSE 8080
 EXPOSE 8443

-RUN INSTALL_PKGS="gettext hostname nss_wrapper bind-utils httpd mod_ssl mod_ldap mod_session mod_security mod_auth_mellon sscg" && \
-    yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
+RUN INSTALL_PKGS="gettext hostname nss_wrapper bind-utils httpd mod_ssl mod_ldap mod_session sscg" && \
+    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS && \
     httpd -v | grep -qe "Apache/$HTTPD_VERSION" && echo "Found VERSION $HTTPD_VERSION" && \
-    yum -y clean all --enablerepo='*'
+    dnf -y clean all --enablerepo='*'

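Review bot: relative to c9s, the new `INSTALL_PKGS` line drops `mod_auth_mellon` as well as `mod_security`, and no other authentication module is added in its place. `mod_auth_mellon` is the SAML authentication module, so a deployment that moves from the c9s image and protects content with it needs a documented migration path rather than discovering the gap at startup. Please record the removal in the README or release notes, and if a replacement module is intended, either add it to `INSTALL_PKGS` in this change or say that users must layer it themselves.
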
Diff between C10S and RHEL9:

$ diff -u 2.4/Dockerfile.rhel9 2.4/Dockerfile.c10s
--- 2.4/Dockerfile.rhel9    2024-08-07 09:58:46
+++ 2.4/Dockerfile.c10s 2024-08-07 10:29:17
@@ -1,4 +1,4 @@
-FROM ubi9/s2i-core:1
+FROM quay.io/sclorg/s2i-core-c10s:c10s

 # Apache HTTP Server image.
 #
@@ -10,7 +10,8 @@

 ENV HTTPD_VERSION=2.4 \
     HTTPD_SHORT_VERSION=24 \
-    NAME
+    NAME=httpd \
+    ARCH=x86_64

 ENV SUMMARY="Platform for running Apache httpd $HTTPD_VERSION or building httpd-based application" \
     DESCRIPTION="Apache httpd $HTTPD_VERSION available as container, is a powerful, efficient, \
@@ -25,21 +26,21 @@
       io.k8s.display-name="Apache httpd $HTTPD_VERSION" \
       io.openshift.expose-services="8080:http,8443:https" \
       io.openshift.tags="builder,$NAME,$NAME-$HTTPD_SHORT_VERSION" \
-      name="rhel9/$NAME-$HTTPD_SHORT_VERSION" \
+      name="sclorg/$NAME-$HTTPD_SHORT_VERSION-c10s" \
       version="1" \
-      com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI" \
-      com.redhat.component="$NAME-$HTTPD_SHORT_VERSION-container" \
-      usage="s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ rhel9/$NAME-$HTTPD_SHORT_VERSION sample-server" \
+      com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#rhel" \
+      com.redhat.component="httpd-24-container" \
+      usage="s2i build https://github.com/sclorg/httpd-container.git --context-dir=examples/sample-test-app/ quay.io/sclorg/$NAME-$HTTPD_SHORT_VERSION-c10s sample-server" \
       maintainer="SoftwareCollections.org <sclorg@redhat.com>"

 EXPOSE 8080
 EXPOSE 8443

-RUN INSTALL_PKGS="gettext hostname nss_wrapper bind-utils httpd mod_ssl mod_ldap mod_session mod_security mod_auth_mellon sscg" && \
-    yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
+RUN INSTALL_PKGS="gettext hostname nss_wrapper bind-utils httpd mod_ssl mod_ldap mod_session sscg" && \
+    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS && \
     httpd -v | grep -qe "Apache/$HTTPD_VERSION" && echo "Found VERSION $HTTPD_VERSION" && \
-    yum -y clean all --enablerepo='*'
+    dnf -y clean all --enablerepo='*'

 ENV HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
     HTTPD_APP_ROOT=${APP_ROOT} \
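
Review bot: in the `LABEL` block, `com.redhat.component` goes from `"$NAME-$HTTPD_SHORT_VERSION-container"` to the literal `"httpd-24-container"`, while `name` and `usage` in the same hunk are built from `$NAME` and `$HTTPD_SHORT_VERSION`. The two forms expand to the same string today but will drift if either variable changes; keeping the variable form here would be consistent. The `com.redhat.license_terms` anchor also changes from `#UBI` to `#rhel`; please confirm that is the intended license reference for this image.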

phracek commented 1 month ago

[test]

phracek commented 1 month ago

[test-openshift-pytest][test-openshift]

phracek commented 1 month ago

ALL TESTS PASSED

phracek commented 1 month ago

There seem to be some package differences between Fedora/c10s and ubi9/c10s (mod_security, mod_auth_mellon) that I'd suggest merging -- using the ubi9 package set might be the best match IMO.

@uhliarik what do you think?

@hhorak I had a conversation with Tomas Halman and the packages have been removed. The solution is to move from SAML to OAuth (mod_auth_openidc).

uhliarik commented 1 month ago

Removing mod_security and mod_auth_mellon is totally fine for el10, since these components are not shipped there.

phracek commented 1 month ago

mod_auth_mellon is present in Fedora builds. https://koji.fedoraproject.org/koji/packageinfo?packageID=17461

And mod_auth_mellon is present in RHEL9 here: https://brewweb.engineering.redhat.com/brew/packageinfo?packageID=46765