NGINX Plus + Agent - Dockerfile and start script updates (#139)

* Added API Connectivity Manager 1.5.0 support

* Ownership fix

* Startup script fix

* NGINX App Protect WAF updates

* Tested with NGINX Instance Manager 2.9.1

* Added docker-compose support

* Tested with NGINX Instance Manager 2.10.0 and Security Monitoring 1.4.0

* Tested with NGINX Instance Manager 2.10.0 and API Connectivity Manager 1.5.0

* Tested with API Connectivity Manager 1.6.0

* Tested with API Connectivity Manager 1.6.0

* README updated

* Added support for NGINX Instance Manager 2.10.1 and App Delivery Manager 4.0.0

* Fixed NGINX App Protect detection bug for NGINX Instance Manager 2.10.0+

* Fixed agent syslog receiver bug

* README updated

* Tested with NGINX Instance Manager 2.11.0 and Security Monitoring 1.5.0

* Tested with NGINX Instance Manager 2.11.0

* Tested with NGINX API Connectivity Manager 1.7.0

* Tested with NGINX Instance Manager 2.12.0 and Security Monitoring 1.6.0

* Tested with API Connectivity Manager 1.8.0

* Tested with API Connectivity Manager 1.8.0

* Tested with NGINX Instance Manager 2.12.0

* Dockerfile updated

* Support for NGINX Instance Manager 2.13

* Tested with NGINX Instance Manager 2.13

* Tested with NIM 2.14.0 and SM 1.7.0

* Tested with NIM 2.14.0 and SM 1.7.0

* Tested with NGINX Instance Manager 2.14.0

* Tested with NGINX Instance Manager 2.14.0

* Tested with NGINX App Protect compiler v4.583.0

* Start script updated

* Advanced metrics support added

* Advanced metrics support added

* Removed Application Delivery Manger, tested with NGINX Instance Manager 2.15.0

* Removed devportal, tested with NGINX Instance Manager 2.15.0

* Removed API Connectivity Manager

* Dockerfile and container start updated

* Dockerfile and container start updated

* README updated

* Tested with NGINX Instance Manager 2.15.1

* NGINX Agent updates

* Manifest fix

* NGINX Agent updates

---------

Signed-off-by: 65397 <[email protected]>

Author: fabriziofiorucci

nginx-agent-docker/Dockerfile

@@ -22,27 +22,24 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 	&& wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \
 	&& apt-get -y update \
 	&& apt-get -y install nginx-plus nginx-plus-module-njs nginx-plus-module-prometheus \
-
 # Optional NGINX App Protect WAF
 	&& if [ "$NAP_WAF" = "true" ] ; then \
 	wget -qO - https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor > /usr/share/keyrings/app-protect-security-updates.gpg \
 	&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/debian `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect.list \
 	&& printf "deb [signed-by=/usr/share/keyrings/app-protect-security-updates.gpg] https://pkgs.nginx.com/app-protect-security-updates/debian `lsb_release -cs` nginx-plus\n" >> /etc/apt/sources.list.d/nginx-app-protect.list \
 	&& apt-get -y update \
 	&& apt-get -y install app-protect app-protect-attack-signatures; fi \
-
 # Forward request logs to Docker log collector
 	&& ln -sf /dev/stdout /var/log/nginx/access.log \
 	&& ln -sf /dev/stderr /var/log/nginx/error.log \
-
+# User and group
 	&& groupadd -g 1001 nginx-agent \
 	&& usermod root -G nginx-agent \
 	&& usermod nginx -G nginx-agent \
-
 # NGINX Instance Manager agent installation
 	&& if [ `curl -o /dev/null -sk -w "%{http_code}\n" $NMS_URL/install/nginx-agent` = 200 ] ; then \
-	bash -c 'curl -k $NMS_URL/install/nginx-agent | sh' && echo "NGINX Agent installed"; else \
-	bash -c 'export DATAPLANE_KEY="placeholder" && curl -k $NMS_URL/nginx-agent/install | sh || :' && echo "NGINX Agent installed"; fi
+	bash -c 'export DATA_PLANE_KEY="placeholder" && curl -k $NMS_URL/install/nginx-agent | sh' && echo "NGINX Agent installed"; else \
+	bash -c 'export DATA_PLANE_KEY="placeholder" && curl -k $NMS_URL/nginx-agent/install | sh || :' && echo "NGINX Agent installed"; fi
 
 # Startup script
 COPY ./container/start.sh /deployment/

nginx-agent-docker/README.md

@@ -6,17 +6,19 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In
 
 ## Tested releases
 
-This repository has been tested with NGINX agent for:
+This repository has been tested with: NGINX agent for:
 
-- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.15.0
+- NGINX Agent 2.14+
+- NGINX Instance Manager 2.15+
 - NGINX App Protect WAF 4.100.1+
+- NGINX One Cloud Console
 
 ## Prerequisites
 
 - Linux host running Docker to build the image
 - NGINX Plus license
-- One of 
-  - [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/)         
+- One of
+  - [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/)
   - [NGINX One Cloud Console](https://docs.nginx.com/nginx-one/)
 - Openshift/Kubernetes cluster
 

nginx-agent-docker/container/start.sh

@@ -10,14 +10,12 @@ AGENT_VERSION_MINOR=`echo $AGENT_VERSION | awk -F\. '{print $2}'`
 
 echo "=> NGINX Agent version $AGENT_VERSION"
 
-OLD_AGENT=false
-if ([ $AGENT_VERSION_MAJOR -le 2 ] && [ $AGENT_VERSION_MINOR -lt 24 ])
-then
-	echo "=> Pre-v2.24 NGINX Agent detected"
-	OLD_AGENT=true
-fi
+PARM=""
 
-PARM="--server-grpcport $NIM_GRPC_PORT --server-host $NIM_HOST"
+yq -i '
+  .server.host=strenv(NIM_HOST) |
+  .server.grpcPort=strenv(NIM_GRPC_PORT)
+  ' /etc/nginx-agent/nginx-agent.conf
 
 if [[ ! -z "$NIM_INSTANCEGROUP" ]]; then
    PARM="${PARM} --instance-group $NIM_INSTANCEGROUP"
@@ -34,9 +32,7 @@ if [[ ! -z "$NIM_TOKEN" ]]; then
 fi
 
 if [[ "$NIM_ADVANCED_METRICS" == "true" ]]; then
-   if [ $OLD_AGENT == "false" ]
-   then
-      yq -i '
+	yq -i '
 	.advanced_metrics.socket_path="/var/run/nginx-agent/advanced-metrics.sock" |
 	.advanced_metrics.aggregation_period="1s" |
 	.advanced_metrics.publishing_period="3s" |
@@ -46,44 +42,33 @@ if [[ "$NIM_ADVANCED_METRICS" == "true" ]]; then
 	.advanced_metrics.table_sizes_limits.priority_table_threshold= 1000 |
 	.extensions += ["advanced-metrics"]
 	' /etc/nginx-agent/nginx-agent.conf
-   fi
 fi
 
 if [[ "$NAP_WAF" == "true" ]]; then
-   if [ $OLD_AGENT == "true" ]
-   then
-      PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514"
-   else
-      export FQDN=127.0.0.1
+  export FQDN=127.0.0.1
 
-      yq -i '
-	.nap_monitoring.collector_buffer_size=50000 |
-	.nap_monitoring.processor_buffer_size=50000 |
-	.nap_monitoring.syslog_ip=strenv(FQDN) |
-	.nap_monitoring.syslog_port=514 |
-	.extensions += ["nginx-app-protect","nap-monitoring"]
-	' /etc/nginx-agent/nginx-agent.conf
-   fi
+  yq -i '
+    .nap_monitoring.collector_buffer_size=50000 |
+    .nap_monitoring.processor_buffer_size=50000 |
+    .nap_monitoring.syslog_ip=strenv(FQDN) |
+    .nap_monitoring.syslog_port=514 |
+    .extensions += ["nginx-app-protect","nap-monitoring"]
+    ' /etc/nginx-agent/nginx-agent.conf
 
-   su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &"
-   su - nginx -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &"
+  su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &"
+  su - nginx -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &"
 
-   while ([ ! -e /opt/app_protect/pipe/app_protect_plugin_socket ] || [ ! -e /opt/app_protect/pipe/ts_agent_pipe ])
-   do
-     sleep 1
-   done
+  while ([ ! -e /opt/app_protect/pipe/app_protect_plugin_socket ] || [ ! -e /opt/app_protect/pipe/ts_agent_pipe ])
+  do
+    sleep 1
+  done
 
-   chown nginx:nginx /opt/app_protect/pipe/*
+  chown nginx:nginx /opt/app_protect/pipe/*
 
 if [[ "$NAP_WAF_PRECOMPILED_POLICIES" == "true" ]]; then
-   if [ $OLD_AGENT == "true" ]
-   then
-      PARM="${PARM} --nginx-app-protect-precompiled-publication"
-   else
-      yq -i '
-	.nginx_app_protect.precompiled_publication=true
-	' /etc/nginx-agent/nginx-agent.conf
-   fi
+  yq -i '
+    .nginx_app_protect.precompiled_publication=true
+    ' /etc/nginx-agent/nginx-agent.conf
 fi
 
 fi

nginx-agent-docker/manifests/1.nginx-with-agent.yaml

@@ -24,7 +24,7 @@ spec:
           containerPort: 80
         env:
           - name: NIM_HOST
-            # Default value to use if NGINX Instance Manager is installed using https://github.com/nginxinc/NGINX-Demos/tree/master/nginx-nms-docker or https://github.com/fabriziofiorucci/NGINX-NMS-Docker
+            # NGINX Instance Manager hostname or IP address
             value: "nginx-nim2.nginx-nim2"
           - name: NIM_GRPC_PORT
             value: "443"
@@ -35,16 +35,16 @@ spec:
           - name: NIM_TAGS
             value: "preprod,devops"
 
+          # Optional to enable advanced metrics collection - set to "true" to enable
+          - name: NIM_ADVANCED_METRICS
+            value: "true"
+
           # Optional if NGINX App Protect WAF is available in the docker image - set to "true" to enable
           #- name: NAP_WAF
           #  value: "true"
           #- name: NAP_WAF_PRECOMPILED_POLICIES
           #  value: "true"
 
-          # Optional if API Connectivity Manager Developer Portal is available in the docker image - set to "true" to enable
-          #- name: ACM_DEVPORTAL
-          #  value: "true"
-
 ---
 apiVersion: v1
 kind: Service
@@ -60,7 +60,7 @@ spec:
   - name: api
     port: 8080
   selector:
-    app: nginx
+    app: nginx-nim
   type: ClusterIP
 
 ---
@@ -86,6 +86,6 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: nginx
+                name: nginx-nim
                 port:
                   number: 80