Pull request 1909: 5939-rm-healthcheck
Updates #5939.
Squashed commit of the following:
commit 087309b4ef100e97339f49cf1c2e90ba2fa4293f
Merge: 360df813d c21f958ea
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Fri Jul 7 13:18:52 2023 +0300
Merge branch 'master' into 5939-rm-healthcheck
commit 360df813d995f935c591aaea9c56fe4372ca2281
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Jul 5 14:16:18 2023 +0300
all: rm docker healthcheck
parent
c21f958eaf
commit
f7dd832517
21
CHANGELOG.md
21
CHANGELOG.md
|
@ -57,11 +57,26 @@ In this release, the schema version has changed from 23 to 24.
|
||||||
To rollback this change, remove the new object `log`, set back `log_` and
|
To rollback this change, remove the new object `log`, set back `log_` and
|
||||||
`verbose` properties and change the `schema_version` back to `23`.
|
`verbose` properties and change the `schema_version` back to `23`.
|
||||||
|
|
||||||
|
### Deprecated
|
||||||
|
|
||||||
|
- Default exposure of the non-standard ports 784 and 8853 for DNS-over-QUIC in
|
||||||
|
the `Dockerfile`.
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
- Excessive RAM and CPU consumption by Safe Browsing and Parental Control
|
- Excessive RAM and CPU consumption by Safe Browsing and Parental Control
|
||||||
filters ([#5896]).
|
filters ([#5896]).
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
- The `HEALTHCHECK` section and the use of `tini` in the `ENTRYPOINT` section in
|
||||||
|
`Dockerfile` ([#5939]). They caused a lot of issues, especially with tools
|
||||||
|
like `docker-compose` and `podman`.
|
||||||
|
|
||||||
|
**NOTE:** Some Docker tools may cache `ENTRYPOINT` sections, so some users may
|
||||||
|
be required to backup their configuration, stop the container, purge the old
|
||||||
|
image, and reload it from scratch.
|
||||||
|
|
||||||
[#5896]: https://github.com/AdguardTeam/AdGuardHome/issues/5896
|
[#5896]: https://github.com/AdguardTeam/AdGuardHome/issues/5896
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
|
@ -188,9 +203,9 @@ In this release, the schema version has changed from 20 to 23.
|
||||||
|
|
||||||
### Deprecated
|
### Deprecated
|
||||||
|
|
||||||
- `HEALTHCHECK` and `ENTRYPOINT` sections in `Dockerfile` ([#5939]). They cause
|
- The `HEALTHCHECK` section and the use of `tini` in the `ENTRYPOINT` section in
|
||||||
a lot of issues, especially with tools like `docker-compose` and `podman`, and
|
`Dockerfile` ([#5939]). They cause a lot of issues, especially with tools
|
||||||
will be removed in a future release.
|
like `docker-compose` and `podman`, and will be removed in a future release.
|
||||||
- Flags `-h`, `--host`, `-p`, `--port` have been deprecated. The `-h` flag
|
- Flags `-h`, `--host`, `-p`, `--port` have been deprecated. The `-h` flag
|
||||||
will work as an alias for `--help`, instead of the deprecated `--host` in the
|
will work as an alias for `--help`, instead of the deprecated `--host` in the
|
||||||
future releases.
|
future releases.
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# A docker file for scripts/make/build-docker.sh.
|
# A docker file for scripts/make/build-docker.sh.
|
||||||
|
|
||||||
FROM alpine:3.17
|
FROM alpine:3.18
|
||||||
|
|
||||||
ARG BUILD_DATE
|
ARG BUILD_DATE
|
||||||
ARG VERSION
|
ARG VERSION
|
||||||
|
@ -25,8 +25,6 @@ RUN apk --no-cache add ca-certificates libcap tzdata && \
|
||||||
mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
|
mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
|
||||||
chown -R nobody: /opt/adguardhome
|
chown -R nobody: /opt/adguardhome
|
||||||
|
|
||||||
RUN apk --no-cache add tini
|
|
||||||
|
|
||||||
ARG DIST_DIR
|
ARG DIST_DIR
|
||||||
ARG TARGETARCH
|
ARG TARGETARCH
|
||||||
ARG TARGETOS
|
ARG TARGETOS
|
||||||
|
@ -43,43 +41,24 @@ RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
|
||||||
# 68 : UDP : DHCP (client)
|
# 68 : UDP : DHCP (client)
|
||||||
# 80 : TCP : HTTP (main)
|
# 80 : TCP : HTTP (main)
|
||||||
# 443 : TCP, UDP : HTTPS, DNS-over-HTTPS (incl. HTTP/3), DNSCrypt (main)
|
# 443 : TCP, UDP : HTTPS, DNS-over-HTTPS (incl. HTTP/3), DNSCrypt (main)
|
||||||
# 784 : UDP : DNS-over-QUIC (experimental)
|
# 784 : UDP : DNS-over-QUIC (deprecated; use 853)
|
||||||
# 853 : TCP, UDP : DNS-over-TLS, DNS-over-QUIC
|
# 853 : TCP, UDP : DNS-over-TLS, DNS-over-QUIC
|
||||||
# 3000 : TCP, UDP : HTTP(S) (alt, incl. HTTP/3)
|
# 3000 : TCP, UDP : HTTP(S) (alt, incl. HTTP/3)
|
||||||
# 3001 : TCP, UDP : HTTP(S) (beta, incl. HTTP/3)
|
|
||||||
# 5443 : TCP, UDP : DNSCrypt (alt)
|
# 5443 : TCP, UDP : DNSCrypt (alt)
|
||||||
# 6060 : TCP : HTTP (pprof)
|
# 6060 : TCP : HTTP (pprof)
|
||||||
# 8853 : UDP : DNS-over-QUIC (experimental)
|
# 8853 : UDP : DNS-over-QUIC (deprecated; use 853)
|
||||||
#
|
#
|
||||||
# TODO(a.garipov): Remove the old, non-standard 784 and 8853 ports for
|
# TODO(a.garipov): Remove the old, non-standard 784 and 8853 ports for
|
||||||
# DNS-over-QUIC in a future release.
|
# DNS-over-QUIC in a future release.
|
||||||
EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 784/udp\
|
EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 784/udp\
|
||||||
853/tcp 853/udp 3000/tcp 3000/udp 5443/tcp\
|
853/tcp 853/udp 3000/tcp 3000/udp 5443/tcp 5443/udp 6060/tcp\
|
||||||
5443/udp 6060/tcp 8853/udp
|
8853/udp
|
||||||
|
|
||||||
WORKDIR /opt/adguardhome/work
|
WORKDIR /opt/adguardhome/work
|
||||||
|
|
||||||
# Install helpers for healthcheck.
|
ENTRYPOINT ["/opt/adguardhome/AdGuardHome"]
|
||||||
COPY --chown=nobody:nogroup\
|
|
||||||
./${DIST_DIR}/docker/scripts\
|
|
||||||
/opt/adguardhome/scripts
|
|
||||||
|
|
||||||
HEALTHCHECK \
|
|
||||||
--interval=30s \
|
|
||||||
--timeout=10s \
|
|
||||||
--retries=3 \
|
|
||||||
CMD [ "/opt/adguardhome/scripts/healthcheck.sh" ]
|
|
||||||
|
|
||||||
# It seems that the healthckech script sometimes spawns zombie processes, so we
|
|
||||||
# need a way to handle them, since AdGuard Home doesn't know how to keep track
|
|
||||||
# of the processes delegated to it by the OS. Use tini as entry point because
|
|
||||||
# it needs the PID=1 to be the default parent for orphaned processes.
|
|
||||||
#
|
|
||||||
# See https://github.com/adguardTeam/adGuardHome/issues/3290.
|
|
||||||
ENTRYPOINT [ "/sbin/tini", "--" ]
|
|
||||||
|
|
||||||
CMD [ \
|
CMD [ \
|
||||||
"/opt/adguardhome/AdGuardHome", \
|
|
||||||
"--no-check-update", \
|
"--no-check-update", \
|
||||||
"-c", "/opt/adguardhome/conf/AdGuardHome.yaml", \
|
"-c", "/opt/adguardhome/conf/AdGuardHome.yaml", \
|
||||||
"-w", "/opt/adguardhome/work" \
|
"-w", "/opt/adguardhome/work" \
|
||||||
|
|
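Review bot: The `EXPOSE` instruction on the new side still declares `6060/tcp`, which the port table above it labels as the pprof HTTP port. A deployment that publishes every exposed port (for example `docker run -P`) would therefore map the profiling endpoint to the host. Whether that listener is enabled by default is not visible in this hunk, but since the instruction is already being re-wrapped and `3001` dropped, `6060/tcp` could be removed here as well. Failing that, add a comment above the instruction such as `# 6060 is a debug-only pprof listener; do not publish it on untrusted networks.` The deprecated `784/udp` and `8853/udp` entries widen the default published surface in the same way and are already tracked by the TODO.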
|
@ -1,29 +0,0 @@
|
||||||
/^[^[:space:]]/ { is_dns = /^dns:/ }
|
|
||||||
|
|
||||||
/^[[:space:]]+bind_hosts:/ { if (is_dns) prev_line = FNR }
|
|
||||||
|
|
||||||
/^[[:space:]]+- .+/ {
|
|
||||||
if (FNR - prev_line == 1) {
|
|
||||||
addrs[$2] = true
|
|
||||||
prev_line = FNR
|
|
||||||
|
|
||||||
if ($2 == "0.0.0.0" || $2 == "'::'") {
|
|
||||||
# Drop all the other addresses.
|
|
||||||
delete addrs
|
|
||||||
addrs[""] = true
|
|
||||||
prev_line = -1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/^[[:space:]]+port:/ { if (is_dns) port = $2 }
|
|
||||||
|
|
||||||
END {
|
|
||||||
for (addr in addrs) {
|
|
||||||
if (match(addr, ":")) {
|
|
||||||
print "[" addr "]:" port
|
|
||||||
} else {
|
|
||||||
print addr ":" port
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,107 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# AdGuard Home Docker healthcheck script
|
|
||||||
|
|
||||||
# Exit the script if a pipeline fails (-e), prevent accidental filename
|
|
||||||
# expansion (-f), and consider undefined variables as errors (-u).
|
|
||||||
set -e -f -u
|
|
||||||
|
|
||||||
# Function error_exit is an echo wrapper that writes to stderr and stops the
|
|
||||||
# script execution with code 1.
|
|
||||||
error_exit() {
|
|
||||||
echo "$1" 1>&2
|
|
||||||
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
agh_dir="/opt/adguardhome"
|
|
||||||
readonly agh_dir
|
|
||||||
|
|
||||||
filename="${agh_dir}/conf/AdGuardHome.yaml"
|
|
||||||
readonly filename
|
|
||||||
|
|
||||||
if ! [ -f "$filename" ]
|
|
||||||
then
|
|
||||||
wget "http://127.0.0.1:3000" -O /dev/null -q || exit 1
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
help_dir="${agh_dir}/scripts"
|
|
||||||
readonly help_dir
|
|
||||||
|
|
||||||
# Parse web host
|
|
||||||
|
|
||||||
web_url="$( awk -f "${help_dir}/web-bind.awk" "$filename" )"
|
|
||||||
readonly web_url
|
|
||||||
|
|
||||||
if [ "$web_url" = '' ]
|
|
||||||
then
|
|
||||||
error_exit "no web bindings could be retrieved from $filename"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# TODO(e.burkov): Deal with 0 port.
|
|
||||||
case "$web_url"
|
|
||||||
in
|
|
||||||
(*':0')
|
|
||||||
error_exit '0 in web port is not supported by healthcheck'
|
|
||||||
;;
|
|
||||||
(*)
|
|
||||||
# Go on.
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# Parse DNS hosts
|
|
||||||
|
|
||||||
dns_hosts="$( awk -f "${help_dir}/dns-bind.awk" "$filename" )"
|
|
||||||
readonly dns_hosts
|
|
||||||
|
|
||||||
if [ "$dns_hosts" = '' ]
|
|
||||||
then
|
|
||||||
error_exit "no DNS bindings could be retrieved from $filename"
|
|
||||||
fi
|
|
||||||
|
|
||||||
first_dns="$( echo "$dns_hosts" | head -n 1 )"
|
|
||||||
readonly first_dns
|
|
||||||
|
|
||||||
# TODO(e.burkov): Deal with 0 port.
|
|
||||||
case "$first_dns"
|
|
||||||
in
|
|
||||||
(*':0')
|
|
||||||
error_exit '0 in DNS port is not supported by healthcheck'
|
|
||||||
;;
|
|
||||||
(*)
|
|
||||||
# Go on.
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# Check
|
|
||||||
|
|
||||||
# Skip SSL certificate validation since there is no guarantee the container
|
|
||||||
# trusts the one used. It should be safe to drop the SSL validation since the
|
|
||||||
# current script intended to be used from inside the container and only checks
|
|
||||||
# the endpoint availability, ignoring the content of the response.
|
|
||||||
#
|
|
||||||
# See https://github.com/AdguardTeam/AdGuardHome/issues/5642.
|
|
||||||
wget --no-check-certificate "$web_url" -O /dev/null -q || exit 1
|
|
||||||
|
|
||||||
test_fqdn="healthcheck.adguardhome.test."
|
|
||||||
readonly test_fqdn
|
|
||||||
|
|
||||||
# The awk script currently returns only port prefixed with colon in case of
|
|
||||||
# unspecified address.
|
|
||||||
case "$first_dns"
|
|
||||||
in
|
|
||||||
(':'*)
|
|
||||||
nslookup -type=a "$test_fqdn" "127.0.0.1${first_dns}" > /dev/null ||\
|
|
||||||
nslookup -type=a "$test_fqdn" "[::1]${first_dns}" > /dev/null ||\
|
|
||||||
error_exit "nslookup failed for $host"
|
|
||||||
;;
|
|
||||||
(*)
|
|
||||||
echo "$dns_hosts" | while read -r host
|
|
||||||
do
|
|
||||||
nslookup -type=a "$test_fqdn" "$host" > /dev/null ||\
|
|
||||||
error_exit "nslookup failed for $host"
|
|
||||||
done
|
|
||||||
;;
|
|
||||||
esac
|
|
|
@ -1,5 +0,0 @@
|
||||||
# Don't consider the HTTPS hostname since the enforced HTTPS redirection should
|
|
||||||
# work if the SSL check skipped. See file docker/healthcheck.sh.
|
|
||||||
/^[^[:space:]]/ { is_http = /^http:/ }
|
|
||||||
|
|
||||||
/^[[:space:]]+address:/ { if (is_http) print "http://" $2 }
|
|
|
@ -107,18 +107,6 @@ cp "${dist_dir}/AdGuardHome_linux_arm_7/AdGuardHome/AdGuardHome"\
|
||||||
cp "${dist_dir}/AdGuardHome_linux_ppc64le/AdGuardHome/AdGuardHome"\
|
cp "${dist_dir}/AdGuardHome_linux_ppc64le/AdGuardHome/AdGuardHome"\
|
||||||
"${dist_docker}/AdGuardHome_linux_ppc64le_"
|
"${dist_docker}/AdGuardHome_linux_ppc64le_"
|
||||||
|
|
||||||
# Copy the helper scripts. See file docker/Dockerfile.
|
|
||||||
dist_docker_scripts="${dist_docker}/scripts"
|
|
||||||
readonly dist_docker_scripts
|
|
||||||
|
|
||||||
mkdir -p "$dist_docker_scripts"
|
|
||||||
cp "./docker/dns-bind.awk"\
|
|
||||||
"${dist_docker_scripts}/dns-bind.awk"
|
|
||||||
cp "./docker/web-bind.awk"\
|
|
||||||
"${dist_docker_scripts}/web-bind.awk"
|
|
||||||
cp "./docker/healthcheck.sh"\
|
|
||||||
"${dist_docker_scripts}/healthcheck.sh"
|
|
||||||
|
|
||||||
# Don't use quotes with $docker_version_tag and $docker_channel_tag, because we
|
# Don't use quotes with $docker_version_tag and $docker_channel_tag, because we
|
||||||
# want word splitting and or an empty space if tags are empty.
|
# want word splitting and or an empty space if tags are empty.
|
||||||
#
|
#
|
||||||
|
|