Update Alpine to 3.7, openssl -> libressl, update packages #60
Comments
@tianon what do you think about it?
I would also like to see a HAProxy version compiled against LibreSSL. The LibreSSL maintainers (OpenBSD guys) do a great job when it comes to security. To create a working Dockerfile the HAProxy patch from Alpine is needed first. Then the Dockerfile can look like this (also with pcre2 instead of older pcre1):

```dockerfile
# vim:set ft=dockerfile:
FROM alpine:3.8

ENV HAPROXY_MAJOR 1.8
ENV HAPROXY_VERSION 1.8.13
ENV HAPROXY_SHA256 2bf5dafbb5f1530c0e67ab63666565de948591f8e0ee2a1d3c84c45e738220f1

COPY libressl-2.7.patch /usr/src/libressl-2.7.patch

# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
RUN set -x \
	\
	&& apk add --no-cache --virtual .build-deps \
		gcc \
		libc-dev \
		libressl-dev \
		linux-headers \
		lua5.3-dev \
		make \
		pcre2-dev \
		readline-dev \
		tar \
		zlib-dev \
	\
# install HAProxy
	&& wget -O haproxy.tar.gz "https://www.haproxy.org/download/${HAPROXY_MAJOR}/src/haproxy-${HAPROXY_VERSION}.tar.gz" \
	&& echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c \
	&& mkdir -p /usr/src/haproxy \
	&& tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1 \
	&& rm haproxy.tar.gz \
	\
	&& ( cd /usr/src/haproxy ; patch -p1 < /usr/src/libressl-2.7.patch ) \
	&& makeOpts=' \
		TARGET=linux2628 \
		USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 \
		USE_OPENSSL=1 \
		USE_PCRE2_JIT=1 USE_STATIC_PCRE2=1 PCREDIR= \
		USE_ZLIB=1 \
	' \
	&& make -C /usr/src/haproxy -j "$(getconf _NPROCESSORS_ONLN)" all $makeOpts \
	&& make -C /usr/src/haproxy install-bin $makeOpts \
	\
	&& mkdir -p /usr/local/etc/haproxy \
	&& cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors \
	&& rm -rf /usr/src/haproxy \
	\
	&& runDeps="$( \
		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
			| tr ',' '\n' \
			| sort -u \
			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
	)" \
	&& apk add --virtual .haproxy-rundeps $runDeps \
	&& apk del .build-deps

# https://www.haproxy.org/download/1.8/doc/management.txt
# "4. Stopping and restarting HAProxy"
# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
STOPSIGNAL SIGUSR1

COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]
```
Thanks for the bump, @aisbergg (and the example So, I'm going to close this issue, and here's my rationale: (trying to mirror the three suggestions in the OP)
Hello!
I have 3 suggestions for how we can improve this image.
Here:
https://github.com/docker-library/haproxy/blob/master/1.8/alpine/Dockerfile#L1
replace
FROM alpine:3.6
with
FROM alpine:3.7
We can update packages before installing HAProxy. They will not break anything because they are from the same release (3.6 or 3.7); usually it's just bugfixes to software.
Before
https://github.com/docker-library/haproxy/blob/master/1.8/alpine/Dockerfile#L14
add
Also we can replace openssl with libressl
https://github.com/docker-library/haproxy/blob/master/1.8/alpine/Dockerfile#L20-L21
replace
with