fix: Support for Agent v2 (#42)

Author: fabriziofiorucci

nginx/docker-image-builder/Dockerfile.oss

@@ -2,6 +2,7 @@ FROM nginx:stable-bullseye-perl@sha256:fc78d87401fdbadf36c638febdad36ae17dd51d7b
 
 ARG NMS_URL
 ARG NGINX_AGENT=false
+ARG NGINX_AGENT_VERSION=2
 
 # Initial packages setup
 RUN apt-get -y update \
@@ -22,7 +23,7 @@ RUN apt-get -y update \
         && curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \
         && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/debian/ `lsb_release -cs` agent" > /etc/apt/sources.list.d/nginx-agent.list \
         && apt-get -y update \
-        && apt-get -y install nginx-agent; fi
+        && apt-get -y install nginx-agent=`apt-cache madison nginx-agent | grep "| $NGINX_AGENT_VERSION\." | awk '{print $3}' | head -n1`; fi
 
 # Startup script
 COPY ./container/start.sh /deployment/

nginx/docker-image-builder/Dockerfile.plus

@@ -2,6 +2,7 @@ FROM debian:bullseye-slim@sha256:779034981fec838da124ff6ab9211499ba5d4e769dabdfd
 
 ARG NAP_WAF=false
 ARG NGINX_AGENT=false
+ARG NGINX_AGENT_VERSION=2
 
 # Initial packages setup
 RUN apt-get -y update \
@@ -37,7 +38,7 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
 	curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \
 	&& echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/debian/ `lsb_release -cs` agent" > /etc/apt/sources.list.d/nginx-agent.list \
 	&& apt-get -y update \
-	&& apt-get -y install nginx-agent; fi
+        && apt-get -y install nginx-agent=`apt-cache madison nginx-agent | grep "| $NGINX_AGENT_VERSION\." | awk '{print $3}' | head -n1`; fi
 
 # Startup script
 COPY ./container/start.sh /deployment/

nginx/docker-image-builder/Dockerfile.plus.unprivileged

@@ -2,6 +2,7 @@ FROM debian:bullseye-slim@sha256:779034981fec838da124ff6ab9211499ba5d4e769dabdfd
 
 ARG NAP_WAF=false
 ARG NGINX_AGENT=false
+ARG NGINX_AGENT_VERSION=2
 
 ARG UID=101
 ARG GID=101
@@ -12,6 +13,8 @@ RUN apt-get -y update \
 	&& mkdir -p /deployment /etc/ssl/nginx /etc/nms \
 	&& addgroup --system --gid $GID nginx \
 	&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid $UID nginx \
+        && addgroup --system --gid 1001 nginx-agent \
+        && usermod nginx -G nginx-agent \
 	&& wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq \
 	&& chmod +x /usr/bin/yq
 
@@ -44,7 +47,7 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644
         curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg \
         && echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://packages.nginx.org/nginx-agent/debian/ `lsb_release -cs` agent" > /etc/apt/sources.list.d/nginx-agent.list \
         && apt-get -y update \
-        && apt-get -y install nginx-agent \
+        && apt-get -y install nginx-agent=`apt-cache madison nginx-agent | grep "| $NGINX_AGENT_VERSION\." | awk '{print $3}' | head -n1` \
 # implement changes required to run NGINX Agent as an unprivileged user
         && chown -R $UID:0 /etc/nginx-agent \
         && chmod -R g+w /etc/nginx-agent \
@@ -68,7 +71,9 @@ RUN rm /etc/nginx/conf.d/default.conf \
     && chown -R $UID:0 /usr/lib/nginx/modules \
     && chmod -R g+w /usr/lib/nginx/modules \
     && chown -R $UID:0 /etc/nms \
-    && chmod -R g+w /etc/nms
+    && chmod -R g+w /etc/nms \
+    && chown -R $UID:0 /run \
+    && chmod -R g+w /run
 
 # Startup script
 COPY ./container/start.sh /deployment/

nginx/docker-image-builder/README.md

@@ -51,21 +51,21 @@ NGINX Docker Image builder
  -w                     - Add NGINX App Protect WAF (requires NGINX Plus)
  -O                     - Use NGINX Open Source instead of NGINX Plus
  -u                     - Build unprivileged image (only for NGINX Plus)
- -a                     - Add NGINX Agent
+ -a [2|3]               - Add NGINX Agent v2 or v3
 
  === Examples:
 
  NGINX Plus and NGINX Agent image:
- ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-agent-root -a
+ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-agent-root -a 2
 
  NGINX Plus, NGINX App Protect WAF and NGINX Agent image:
- ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-root -w -a
+ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-root -w -a 2
 
  NGINX Plus, NGINX App Protect WAF and NGINX Agent unprivileged image:
- ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -a
+ ./scripts/build.sh -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -a 2
 
  NGINX Opensource and NGINX Agent image:
- ./scripts/build.sh -O -t registry.ff.lan:31005/nginx-docker:oss-root -a
+ ./scripts/build.sh -O -t registry.ff.lan:31005/nginx-docker:oss-root -a 2
 ```
 
 1. Clone this repository

nginx/docker-image-builder/container/start.sh

@@ -14,14 +14,6 @@ nginx
 sleep 2
 
 if [[ "$NGINX_AGENT_ENABLED" == "true" ]]; then
-
-  # NGINX Agent version detection, change in behaviour in v2.24.0+
-  AGENT_VERSION=`nginx-agent -v|awk '{print $3}'`
-  AGENT_VERSION_MAJOR=`echo $AGENT_VERSION | awk -F\. '{print $1}' | sed 's/v//'`
-  AGENT_VERSION_MINOR=`echo $AGENT_VERSION | awk -F\. '{print $2}'`
-
-  echo "=> NGINX Agent version $AGENT_VERSION"
-
   PARM=""
 
   yq -i '

nginx/docker-image-builder/scripts/build.sh

@@ -14,21 +14,21 @@ $0 [options]\n\n
 -w\t\t\t- Add NGINX App Protect WAF (requires NGINX Plus)\n
 -O\t\t\t- Use NGINX Open Source instead of NGINX Plus\n
 -u\t\t\t- Build unprivileged image (only for NGINX Plus)\n
--a\t\t\t- Add NGINX Agent\n\n
+-a [2|3]\t\t- Add NGINX Agent v2 or v3\n\n
 === Examples:\n\n
 NGINX Plus and NGINX Agent image:\n
-  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-agent-root -a\n\n
+  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-agent-root -a 2\n\n
 
 NGINX Plus, NGINX App Protect WAF and NGINX Agent image:\n
-  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-root -w -a\n\n
+  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-root -w -a 2\n\n
 
 NGINX Plus, NGINX App Protect WAF and NGINX Agent unprivileged image:\n
-  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -a\n\n
+  $0 -C nginx-repo.crt -K nginx-repo.key -t registry.ff.lan:31005/nginx-docker:plus-nap-agent-nonroot -w -u -a 2\n\n
 
 NGINX Opensource and NGINX Agent image:\n
-  $0 -O -t registry.ff.lan:31005/nginx-docker:oss-root -a\n"
+  $0 -O -t registry.ff.lan:31005/nginx-docker:oss-root -a 2\n"
 
-while getopts 'ht:C:K:awOu' OPTION
+while getopts 'ht:C:K:a:wOu' OPTION
 do
 	case "$OPTION" in
 		h)
@@ -46,6 +46,7 @@ do
 		;;
 		a)
 			NGINX_AGENT=true
+			NGINX_AGENT_VERSION=$OPTARG
 		;;
 		w)
 			NAP_WAF=true
@@ -71,6 +72,12 @@ then
         exit
 fi
 
+if [ -z "${NGINX_AGENT_VERSION}" ]
+then
+        echo "NGINX Agent version is required"
+        exit
+fi
+
 if ([ -z "${NGINX_OSS}" ] && ([ -z "${NGINX_CERT}" ] || [ -z "${NGINX_KEY}" ]) )
 then
         echo "NGINX certificate and key are required for automated installation"
@@ -81,7 +88,13 @@ echo "=> Target docker image is $IMAGENAME"
 
 if [ "${NGINX_AGENT}" ]
 then
-	echo "=> Building with NGINX Agent"
+	if [ "${NGINX_AGENT_VERSION}" -eq "2" ] || [ "${NGINX_AGENT_VERSION}" -eq "3" ]
+	then
+		echo "=> Building with NGINX Agent v${NGINX_AGENT_VERSION}"
+	else
+		echo "NGINX Agent version must be either '2' or '3'"
+		exit
+	fi
 fi
 
 if ([ ! -z "${NAP_WAF}" ] && [ -z "${NGINX_OSS}" ])
@@ -104,12 +117,14 @@ then
 	DOCKER_BUILDKIT=1 docker build --no-cache -f $DOCKERFILE_NAME \
 		--secret id=nginx-key,src=$NGINX_KEY --secret id=nginx-crt,src=$NGINX_CERT \
 		--build-arg NAP_WAF=$NAP_WAF --build-arg NGINX_AGENT=$NGINX_AGENT \
+		--build-arg NGINX_AGENT_VERSION=$NGINX_AGENT_VERSION \
 		$OPT_PLATFORM \
 		-t $IMAGENAME .
 else
 	echo "=> Building with NGINX Open Source"
 	DOCKER_BUILDKIT=1 docker build --no-cache -f Dockerfile.oss \
 		--build-arg NGINX_AGENT=$NGINX_AGENT \
+		--build-arg NGINX_AGENT_VERSION=$NGINX_AGENT_VERSION \
 		-t $IMAGENAME .
 fi