Added support for NGINX Instance Manager 2.10.1 and App Delivery Manager 4.0.0 (#99)

* Added API Connectivity Manager 1.5.0 support

* Ownership fix

* Startup script fix

* NGINX App Protect WAF updates

* Tested with NGINX Instance Manager 2.9.1

* Added docker-compose support

* Tested with NGINX Instance Manager 2.10.0 and Security Monitoring 1.4.0

* Tested with NGINX Instance Manager 2.10.0 and API Connectivity Manager 1.5.0

* Tested with API Connectivity Manager 1.6.0

* Tested with API Connectivity Manager 1.6.0

* README updated

* Added support for NGINX Instance Manager 2.10.1 and App Delivery Manager 4.0.0

Author: fabriziofiorucci

nginx-agent-docker/README.md

@@ -8,7 +8,7 @@ This repository can be used to build a docker image with NGINX Plus and NGINX In
 
 This repository has been tested with NGINX agent for:
 
-- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0
+- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1
 - API Connectivity Manager 1.4.0, 1.5.0, 1.6.0
 - NGINX App Protect WAF 4.100.1+
 

nginx-agent-docker/container/start.sh

@@ -3,6 +3,20 @@
 nginx
 sleep 2
 
+# NGINX Agent version detection, change in behaviour in v2.24.0+
+AGENT_VERSION=`nginx-agent -v|awk '{print $3}'`
+AGENT_VERSION_MAJOR=`echo $AGENT_VERSION | awk -F\. '{print $1}' | sed 's/v//'`
+AGENT_VERSION_MINOR=`echo $AGENT_VERSION | awk -F\. '{print $2}'`
+
+echo "=> NGINX Agent version $AGENT_VERSION"
+
+OLD_AGENT=false
+if ([ $AGENT_VERSION_MAJOR -le 2 ] && [ $AGENT_VERSION_MINOR -lt 24 ])
+then
+	echo "=> Pre-v2.24 NGINX Agent detected"
+	OLD_AGENT=true
+fi
+
 PARM="--server-grpcport $NIM_GRPC_PORT --server-host $NIM_HOST"
 
 if [[ ! -z "$NIM_INSTANCEGROUP" ]]; then
@@ -13,9 +27,32 @@ if [[ ! -z "$NIM_TAGS" ]]; then
    PARM="${PARM} --tags $NIM_TAGS"
 fi
 
-
 if [[ "$NAP_WAF" == "true" ]]; then
-   PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514"
+   if [ $OLD_AGENT == "true" ]
+   then
+      PARM="${PARM} --nginx-app-protect-report-interval 15s --nap-monitoring-collector-buffer-size 50000 --nap-monitoring-processor-buffer-size 50000 --nap-monitoring-syslog-ip 127.0.0.1 --nap-monitoring-syslog-port 514"
+   else
+      cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf
+
+# Enable NAP and Advanced Metrics
+extensions:
+  - advanced-metrics
+  - nginx-app-protect
+  - nap-monitoring
+
+# NGINX App Protect Monitoring config
+nap_monitoring:
+  # Buffer size for collector. Will contain log lines and parsed log lines
+  collector_buffer_size: 50000
+  # Buffer size for processor. Will contain log lines and parsed log lines
+  processor_buffer_size: 50000
+  # Syslog server IP address the collector will be listening to
+  syslog_ip: "127.0.0.1"
+  # Syslog server port the collector will be listening to
+  syslog_port: 514
+__EOT__
+   fi
+
    su - nginx -s /bin/bash -c "/opt/app_protect/bin/bd_agent &"
    su - nginx -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 471859200 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config &"
 
@@ -28,7 +65,17 @@ if [[ "$NAP_WAF" == "true" ]]; then
 fi
 
 if [[ "$NAP_WAF_PRECOMPILED_POLICIES" == "true" ]]; then
-   PARM="${PARM} --nginx-app-protect-precompiled-publication"
+   if [ $OLD_AGENT == "true" ]
+   then
+      PARM="${PARM} --nginx-app-protect-precompiled-publication"
+   else
+      cat - << __EOT__ >> /etc/nginx-agent/nginx-agent.conf
+
+# Enable NGINX App Protect WAF precompiled policies
+nginx_app_protect:
+  precompiled_publication: true
+__EOT__
+   fi
 fi
 
 if [[ "$ACM_DEVPORTAL" == "true" ]]; then

nginx-nms-docker/Dockerfile.automated

@@ -4,6 +4,7 @@ ARG BUILD_WITH_SECONDSIGHT=false
 ARG ADD_ACM
 ARG ADD_SM
 ARG ADD_PUM
+ARG ADD_ADM
 
 # Initial setup
 RUN apt-get update && \
@@ -17,7 +18,8 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
         --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	set -x \
 	&& chmod +x /deployment/startNIM.sh \
-	&& printf "deb https://pkgs.nginx.com/nms/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nms.list \
+	&& printf "deb https://pkgs.nginx.com/nms/ubuntu `lsb_release -cs` nginx-plus\n" > /etc/apt/sources.list.d/nms.list \
+	&& printf "deb https://pkgs.nginx.com/adm/ubuntu `lsb_release -cs` nginx-plus\n" >> /etc/apt/sources.list.d/nms.list \
 	&& wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
 	&& wget -O /tmp/nginx_signing.key https://cs.nginx.com/static/keys/nginx_signing.key \
 	&& apt-key add /tmp/nginx_signing.key \
@@ -33,6 +35,9 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 	# Optional WAF Policy Compiler
 	&& if [ ! -z "${ADD_PUM}" ] ; then \
 	apt-get -y install nms-nap-compiler-$ADD_PUM; fi \
+	# Optional App Delivery Manager
+	&& if [ ! -z "${ADD_ADM}" ] ; then \
+	apt-get -y install nms-app-delivery-manager; fi \
 	# Set permissions
 	&& chmod +x /etc/nms/scripts/*.sh
 

nginx-nms-docker/README.md

@@ -8,12 +8,12 @@ Docker image creation is supported for:
 
 - [NGINX Instance Manager](https://docs.nginx.com/nginx-instance-manager/) 2.4.0+
 - [NGINX Management Suite API Connectivity Manager](https://docs.nginx.com/nginx-management-suite/acm/) 1.0.0+
-- [Security Monitoring](https://docs.nginx.com/nginx-management-suite/admin-guides/installation/install-guide/#install-nms-modules) 1.0.0+
+- [Security Monitoring](https://docs.nginx.com/nginx-management-suite/security/) 1.0.0+
 - [NGINX App Protect WAF compiler](https://docs.nginx.com/nginx-management-suite/nim/how-to/app-protect/setup-waf-config-management)
+- [NGINX App Delivery Manager](https://docs.nginx.com/nginx-management-suite/adm/) 4.0.0+
 
 The image can optionally be built with [Second Sight](https://github.com/F5Networks/SecondSight) support
 
-
 ## Deployment through the official Helm chart
 
 A bash script to quickly install NGINX Management Suite through the official Helm chart is available here:
@@ -24,10 +24,11 @@ A bash script to quickly install NGINX Management Suite through the official Hel
 
 This repository has been tested with:
 
-- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0
+- NGINX Instance Manager 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1
 - NGINX Management Suite API Connectivity Manager 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0
 - Security Monitoring 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0
 - NGINX App Protect WAF compiler 3.1088.2, 4.2.0, 4.100.1, 4.218.0
+- NGINX App Delivery Manager 4.0.0
 
 ## Prerequisites
 
@@ -74,6 +75,7 @@ NGINX Management Suite Docker image builder
  -A                     - Enable API Connectivity Manager - optional
  -W                     - Enable Security Monitoring - optional
  -P [version]           - Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional
+ -D                     - Enable App Delivery Manager - optional
 
  === Examples:
 
@@ -86,7 +88,7 @@ NGINX Management Suite Docker image builder
 
  Automated build:
         ./scripts/buildNIM.sh -i -C nginx-repo.crt -K nginx-repo.key
-                -A -W -P v4.218.0 -t my.registry.tld/nginx-nms:2.9.0
+                -A -W -P v4.218.0 -D -t my.registry.tld/nginx-nms:2.9.0
 ```
 
 ### Automated build
@@ -119,6 +121,12 @@ NGINX Instance Manager, API Connectivity Manager, WAF Policy Compiler and Securi
 ./scripts/buildNIM.sh -t registry.ff.lan:31005/nginx-nim2:automated -i -C certs/nginx-repo.crt -K certs/nginx-repo.key -A -W -P v4.2.0
 ```
 
+NGINX Instance Manager, API Connectivity Manager, WAF Policy Compiler, Security Monitoring and App Delivery Manager
+
+```
+./scripts/buildNIM.sh -t registry.ff.lan:31005/nginx-nim2:automated -i -C certs/nginx-repo.crt -K certs/nginx-repo.key -A -W -P v4.2.0 -D
+```
+
 ### Manual build
 
 1. Clone this repo
@@ -251,6 +259,7 @@ and then restart nginx-agent
 
 - [Grafana dashboard for telemetry](contrib/grafana)
 - [Helm installer](contrib/helm-installer)
+- [Docker compose](contrib/docker-compose)
 
 
 # Starting NGINX Management Suite

nginx-nms-docker/buildNIM.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+
+BANNER="NGINX Management Suite Docker image builder\n\n
+This tool builds a Docker image to run NGINX Management Suite\n\n
+=== Usage:\n\n
+$0 [options]\n\n
+=== Options:\n\n
+-h\t\t\t- This help\n
+-t [target image]\t- Docker image name to be created\n
+-s\t\t\t- Enable Second Sight (https://github.com/F5Networks/SecondSight/) - optional\n\n
+Manual build:\n\n
+-n [filename]\t\t- NGINX Instance Manager .deb package filename\n
+-a [filename]\t\t- API Connectivity Manager .deb package filename - optional\n
+-w [filename]\t\t- Security Monitoring .deb package filename - optional\n
+-p [filename]\t\t- WAF policy compiler .deb package filename - optional\n\n
+Automated build:\n\n
+-i\t\t\t- Automated build - requires cert & key\n
+-C [file.crt]\t\t- Certificate file to pull packages from the official NGINX repository\n
+-K [file.key]\t\t- Key file to pull packages from the official NGINX repository\n
+-A\t\t\t- Enable API Connectivity Manager - optional\n
+-W\t\t\t- Enable Security Monitoring - optional\n
+-P [version]\t\t- Enable WAF policy compiler, version can be [v3.1088.2|v4.2.0|v4.100.1|v4.218.0] - optional\n
+-D\t\t\t- Enable App Delivery Manager - optional\n\n
+=== Examples:\n\n
+Manual build:\n
+\t$0 -n nim-files/nms-instance-manager_2.6.0-698150575~focal_amd64.deb \\\\\n
+\t\t-a nim-files/nms-api-connectivity-manager_1.2.0.668430332~focal_amd64.deb \\\\\n
+\t\t-w nim-files/nms-sm_1.0.0-697204659~focal_amd64.deb \\\\\n
+\t\t-p nim-files/nms-nap-compiler-v4.2.0.deb \\\\\n
+\t\t-t my.registry.tld/nginx-nms:2.6.0\n\n
+Automated build:\n
+\t$0 -i -C nginx-repo.crt -K nginx-repo.key\n
+\t\t-A -W -P v4.2.0 -t my.registry.tld/nginx-nms:2.6.0\n
+"
+
+# Defaults
+COUNTER=false
+
+while getopts 'hn:a:w:p:t:siC:K:AWP:D' OPTION
+do
+	case "$OPTION" in
+		h)
+			echo -e $BANNER
+			exit
+		;;
+		n)
+			DEBFILE=$OPTARG
+		;;
+		a)
+			ACM_IMAGE=$OPTARG
+		;;
+		w)
+			SM_IMAGE=$OPTARG
+		;;
+		p)
+			PUM_IMAGE=$OPTARG
+		;;
+		t)
+			IMGNAME=$OPTARG
+		;;
+		s)
+			COUNTER=true
+		;;
+		i)
+			AUTOMATED_INSTALL=true
+		;;
+		C)
+			NGINX_CERT=$OPTARG
+		;;
+		K)
+			NGINX_KEY=$OPTARG
+		;;
+		A)
+			ADD_ACM=true
+		;;
+		W)
+			ADD_SM=true
+		;;
+                P)
+                        ADD_PUM=$OPTARG
+                ;;
+		D)
+			ADD_ADM=true
+		;;
+	esac
+done
+
+if [ -z "$1" ]
+then
+	echo -e $BANNER
+	exit
+fi
+
+if [ -z "${IMGNAME}" ]
+then
+	echo "Docker image name is required"
+	exit
+fi
+
+if ([ -z "${AUTOMATED_INSTALL}" ] && [ -z "${DEBFILE}" ])
+then
+	echo "NGINX Instance Manager package is required for manual installation"
+	exit
+fi
+
+if ([ ! -z "${AUTOMATED_INSTALL}" ] && ([ -z "${NGINX_CERT}" ] || [ -z "${NGINX_KEY}" ]))
+then
+	echo "NGINX certificate and key are required for automated installation"
+        exit
+fi
+
+echo "==> Building NGINX Management Suite docker image"
+
+if [ -z "${AUTOMATED_INSTALL}" ]
+then
+        docker build --no-cache -f Dockerfile.manual --build-arg NIM_DEBFILE=$DEBFILE --build-arg BUILD_WITH_SECONDSIGHT=$COUNTER \
+                --build-arg ACM_IMAGE=$ACM_IMAGE --build-arg SM_IMAGE=$SM_IMAGE --build-arg PUM_IMAGE=$PUM_IMAGE -t $IMGNAME .
+else
+	DOCKER_BUILDKIT=1 docker build --no-cache -f Dockerfile.automated --secret id=nginx-key,src=$NGINX_KEY --secret id=nginx-crt,src=$NGINX_CERT \
+                --build-arg ADD_ACM=$ADD_ACM --build-arg ADD_SM=$ADD_SM --build-arg ADD_PUM=$ADD_PUM --build-arg ADD_ADM=$ADD_ADM \
+		--build-arg BUILD_WITH_SECONDSIGHT=$COUNTER \
+                -t $IMGNAME .
+fi
+
+docker push $IMGNAME

nginx-nms-docker/container/startNIM.sh

@@ -64,8 +64,6 @@ clickhouse:
 	;;
 esac
 
-/etc/init.d/nginx start
-
 # Start nms core - from /lib/systemd/system/nms-core.service
 /bin/bash -c '`which mkdir` -p /var/lib/nms/dqlite/'
 /bin/bash -c '`which mkdir` -p /var/lib/nms/secrets/'
@@ -114,13 +112,26 @@ su - nms -c "/usr/bin/nms-ingestion &" -s /bin/bash
 su - nms -c "/usr/bin/nms-integrations &" -s /bin/bash
 
 # Start API Connectivity Manager - from /lib/systemd/system/nms-acm.service
-sleep 5
-su - nms -c "/usr/bin/nms-acm server &" -s /bin/bash
+if [ -f /usr/bin/nms-acm ]
+then
+	sleep 5
+	su - nms -c "/usr/bin/nms-acm server &" -s /bin/bash
+fi
+
+# Start App Delivery Manager
+if [ -f /usr/bin/nms-adm ]
+then
+	/bin/bash -c '`which mkdir` -p /var/run/nms/modules/adm'
+	/bin/bash -c '`which chown` -R nms:nms /var/run/nms/modules/adm'
+	su - nms -c "/usr/bin/nms-adm server &" -s /bin/bash
+fi
 
 sleep 5
 
 chmod 666 /var/run/nms/*.sock
 
+/etc/init.d/nginx start
+
 # License activation
 if ((${#NIM_LICENSE[@]}))
 then

nginx-nms-docker/scripts/buildNIM.sh

@@ -29,7 +29,7 @@ Manual build:\n
 \t\t-t my.registry.tld/nginx-nms:2.6.0\n\n
 Automated build:\n
 \t$0 -i -C nginx-repo.crt -K nginx-repo.key\n
-\t\t-A -W -P v4.218.0 -t my.registry.tld/nginx-nms:2.9.0\n
+\t\t-A -W -P v4.218.0 -D -t my.registry.tld/nginx-nms:2.9.0\n
 "
 
 # Defaults