mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-11-15 09:58:42 -07:00
Pull request 1909: 5939-rm-healthcheck
Updates #5939.
Squashed commit of the following:
commit 087309b4ef100e97339f49cf1c2e90ba2fa4293f
Merge: 360df813d c21f958ea
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Fri Jul 7 13:18:52 2023 +0300
Merge branch 'master' into 5939-rm-healthcheck
commit 360df813d995f935c591aaea9c56fe4372ca2281
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Jul 5 14:16:18 2023 +0300
all: rm docker healthcheck
This commit is contained in:
Ainar Garipov
parent
c21f958eaf
commit
f7dd832517
21
CHANGELOG.md
21
CHANGELOG.md
@ -57,11 +57,26 @@ In this release, the schema version has changed from 23 to 24.
|
||||
To rollback this change, remove the new object `log`, set back `log_` and
|
||||
`verbose` properties and change the `schema_version` back to `23`.
|
||||
|
||||
### Deprecated
|
||||
|
||||
- Default exposure of the non-standard ports 784 and 8853 for DNS-over-QUIC in
|
||||
the `Dockerfile`.
|
||||
|
||||
### Fixed
|
||||
|
||||
- Excessive RAM and CPU consumption by Safe Browsing and Parental Control
|
||||
filters ([#5896]).
|
||||
|
||||
### Removed
|
||||
|
||||
- The `HEALTHCHECK` section and the use of `tini` in the `ENTRYPOINT` section in
|
||||
`Dockerfile` ([#5939]). They caused a lot of issues, especially with tools
|
||||
like `docker-compose` and `podman`.
|
||||
|
||||
**NOTE:** Some Docker tools may cache `ENTRYPOINT` sections, so some users may
|
||||
be required to backup their configuration, stop the container, purge the old
|
||||
image, and reload it from scratch.
|
||||
|
||||
[#5896]: https://github.com/AdguardTeam/AdGuardHome/issues/5896
|
||||
|
||||
<!--
|
||||
@ -188,9 +203,9 @@ In this release, the schema version has changed from 20 to 23.
|
||||
|
||||
### Deprecated
|
||||
|
||||
- `HEALTHCHECK` and `ENTRYPOINT` sections in `Dockerfile` ([#5939]). They cause
|
||||
a lot of issues, especially with tools like `docker-compose` and `podman`, and
|
||||
will be removed in a future release.
|
||||
- The `HEALTHCHECK` section and the use of `tini` in the `ENTRYPOINT` section in
|
||||
`Dockerfile` ([#5939]). They cause a lot of issues, especially with tools
|
||||
like `docker-compose` and `podman`, and will be removed in a future release.
|
||||
- Flags `-h`, `--host`, `-p`, `--port` have been deprecated. The `-h` flag
|
||||
will work as an alias for `--help`, instead of the deprecated `--host` in the
|
||||
future releases.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
# A docker file for scripts/make/build-docker.sh.
|
||||
|
||||
FROM alpine:3.17
|
||||
FROM alpine:3.18
|
||||
|
||||
ARG BUILD_DATE
|
||||
ARG VERSION
|
||||
@ -25,8 +25,6 @@ RUN apk --no-cache add ca-certificates libcap tzdata && \
|
||||
mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
|
||||
chown -R nobody: /opt/adguardhome
|
||||
|
||||
RUN apk --no-cache add tini
|
||||
|
||||
ARG DIST_DIR
|
||||
ARG TARGETARCH
|
||||
ARG TARGETOS
|
||||
@ -43,43 +41,24 @@ RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
|
||||
# 68 : UDP : DHCP (client)
|
||||
# 80 : TCP : HTTP (main)
|
||||
# 443 : TCP, UDP : HTTPS, DNS-over-HTTPS (incl. HTTP/3), DNSCrypt (main)
|
||||
# 784 : UDP : DNS-over-QUIC (experimental)
|
||||
# 784 : UDP : DNS-over-QUIC (deprecated; use 853)
|
||||
# 853 : TCP, UDP : DNS-over-TLS, DNS-over-QUIC
|
||||
# 3000 : TCP, UDP : HTTP(S) (alt, incl. HTTP/3)
|
||||
# 3001 : TCP, UDP : HTTP(S) (beta, incl. HTTP/3)
|
||||
# 5443 : TCP, UDP : DNSCrypt (alt)
|
||||
# 6060 : TCP : HTTP (pprof)
|
||||
# 8853 : UDP : DNS-over-QUIC (experimental)
|
||||
# 8853 : UDP : DNS-over-QUIC (deprecated; use 853)
|
||||
#
|
||||
# TODO(a.garipov): Remove the old, non-standard 784 and 8853 ports for
|
||||
# DNS-over-QUIC in a future release.
|
||||
EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 784/udp\
|
||||
853/tcp 853/udp 3000/tcp 3000/udp 5443/tcp\
|
||||
5443/udp 6060/tcp 8853/udp
|
||||
853/tcp 853/udp 3000/tcp 3000/udp 5443/tcp 5443/udp 6060/tcp\
|
||||
8853/udp
|
||||
|
||||
WORKDIR /opt/adguardhome/work
|
||||
|
||||
# Install helpers for healthcheck.
|
||||
COPY --chown=nobody:nogroup\
|
||||
./${DIST_DIR}/docker/scripts\
|
||||
/opt/adguardhome/scripts
|
||||
|
||||
HEALTHCHECK \
|
||||
--interval=30s \
|
||||
--timeout=10s \
|
||||
--retries=3 \
|
||||
CMD [ "/opt/adguardhome/scripts/healthcheck.sh" ]
|
||||
|
||||
# It seems that the healthckech script sometimes spawns zombie processes, so we
|
||||
# need a way to handle them, since AdGuard Home doesn't know how to keep track
|
||||
# of the processes delegated to it by the OS. Use tini as entry point because
|
||||
# it needs the PID=1 to be the default parent for orphaned processes.
|
||||
#
|
||||
# See https://github.com/adguardTeam/adGuardHome/issues/3290.
|
||||
ENTRYPOINT [ "/sbin/tini", "--" ]
|
||||
ENTRYPOINT ["/opt/adguardhome/AdGuardHome"]
|
||||
|
||||
CMD [ \
|
||||
"/opt/adguardhome/AdGuardHome", \
|
||||
"--no-check-update", \
|
||||
"-c", "/opt/adguardhome/conf/AdGuardHome.yaml", \
|
||||
"-w", "/opt/adguardhome/work" \
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
/^[^[:space:]]/ { is_dns = /^dns:/ }
|
||||
|
||||
/^[[:space:]]+bind_hosts:/ { if (is_dns) prev_line = FNR }
|
||||
|
||||
/^[[:space:]]+- .+/ {
|
||||
if (FNR - prev_line == 1) {
|
||||
addrs[$2] = true
|
||||
prev_line = FNR
|
||||
|
||||
if ($2 == "0.0.0.0" || $2 == "'::'") {
|
||||
# Drop all the other addresses.
|
||||
delete addrs
|
||||
addrs[""] = true
|
||||
prev_line = -1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/^[[:space:]]+port:/ { if (is_dns) port = $2 }
|
||||
|
||||
END {
|
||||
for (addr in addrs) {
|
||||
if (match(addr, ":")) {
|
||||
print "[" addr "]:" port
|
||||
} else {
|
||||
print addr ":" port
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,107 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# AdGuard Home Docker healthcheck script
|
||||
|
||||
# Exit the script if a pipeline fails (-e), prevent accidental filename
|
||||
# expansion (-f), and consider undefined variables as errors (-u).
|
||||
set -e -f -u
|
||||
|
||||
# Function error_exit is an echo wrapper that writes to stderr and stops the
|
||||
# script execution with code 1.
|
||||
error_exit() {
|
||||
echo "$1" 1>&2
|
||||
|
||||
exit 1
|
||||
}
|
||||
|
||||
agh_dir="/opt/adguardhome"
|
||||
readonly agh_dir
|
||||
|
||||
filename="${agh_dir}/conf/AdGuardHome.yaml"
|
||||
readonly filename
|
||||
|
||||
if ! [ -f "$filename" ]
|
||||
then
|
||||
wget "http://127.0.0.1:3000" -O /dev/null -q || exit 1
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
||||
help_dir="${agh_dir}/scripts"
|
||||
readonly help_dir
|
||||
|
||||
# Parse web host
|
||||
|
||||
web_url="$( awk -f "${help_dir}/web-bind.awk" "$filename" )"
|
||||
readonly web_url
|
||||
|
||||
if [ "$web_url" = '' ]
|
||||
then
|
||||
error_exit "no web bindings could be retrieved from $filename"
|
||||
fi
|
||||
|
||||
# TODO(e.burkov): Deal with 0 port.
|
||||
case "$web_url"
|
||||
in
|
||||
(*':0')
|
||||
error_exit '0 in web port is not supported by healthcheck'
|
||||
;;
|
||||
(*)
|
||||
# Go on.
|
||||
;;
|
||||
esac
|
||||
|
||||
# Parse DNS hosts
|
||||
|
||||
dns_hosts="$( awk -f "${help_dir}/dns-bind.awk" "$filename" )"
|
||||
readonly dns_hosts
|
||||
|
||||
if [ "$dns_hosts" = '' ]
|
||||
then
|
||||
error_exit "no DNS bindings could be retrieved from $filename"
|
||||
fi
|
||||
|
||||
first_dns="$( echo "$dns_hosts" | head -n 1 )"
|
||||
readonly first_dns
|
||||
|
||||
# TODO(e.burkov): Deal with 0 port.
|
||||
case "$first_dns"
|
||||
in
|
||||
(*':0')
|
||||
error_exit '0 in DNS port is not supported by healthcheck'
|
||||
;;
|
||||
(*)
|
||||
# Go on.
|
||||
;;
|
||||
esac
|
||||
|
||||
# Check
|
||||
|
||||
# Skip SSL certificate validation since there is no guarantee the container
|
||||
# trusts the one used. It should be safe to drop the SSL validation since the
|
||||
# current script intended to be used from inside the container and only checks
|
||||
# the endpoint availability, ignoring the content of the response.
|
||||
#
|
||||
# See https://github.com/AdguardTeam/AdGuardHome/issues/5642.
|
||||
wget --no-check-certificate "$web_url" -O /dev/null -q || exit 1
|
||||
|
||||
test_fqdn="healthcheck.adguardhome.test."
|
||||
readonly test_fqdn
|
||||
|
||||
# The awk script currently returns only port prefixed with colon in case of
|
||||
# unspecified address.
|
||||
case "$first_dns"
|
||||
in
|
||||
(':'*)
|
||||
nslookup -type=a "$test_fqdn" "127.0.0.1${first_dns}" > /dev/null ||\
|
||||
nslookup -type=a "$test_fqdn" "[::1]${first_dns}" > /dev/null ||\
|
||||
error_exit "nslookup failed for $host"
|
||||
;;
|
||||
(*)
|
||||
echo "$dns_hosts" | while read -r host
|
||||
do
|
||||
nslookup -type=a "$test_fqdn" "$host" > /dev/null ||\
|
||||
error_exit "nslookup failed for $host"
|
||||
done
|
||||
;;
|
||||
esac
|
||||
@ -1,5 +0,0 @@
|
||||
# Don't consider the HTTPS hostname since the enforced HTTPS redirection should
|
||||
# work if the SSL check skipped. See file docker/healthcheck.sh.
|
||||
/^[^[:space:]]/ { is_http = /^http:/ }
|
||||
|
||||
/^[[:space:]]+address:/ { if (is_http) print "http://" $2 }
|
||||
@ -107,18 +107,6 @@ cp "${dist_dir}/AdGuardHome_linux_arm_7/AdGuardHome/AdGuardHome"\
|
||||
cp "${dist_dir}/AdGuardHome_linux_ppc64le/AdGuardHome/AdGuardHome"\
|
||||
"${dist_docker}/AdGuardHome_linux_ppc64le_"
|
||||
|
||||
# Copy the helper scripts. See file docker/Dockerfile.
|
||||
dist_docker_scripts="${dist_docker}/scripts"
|
||||
readonly dist_docker_scripts
|
||||
|
||||
mkdir -p "$dist_docker_scripts"
|
||||
cp "./docker/dns-bind.awk"\
|
||||
"${dist_docker_scripts}/dns-bind.awk"
|
||||
cp "./docker/web-bind.awk"\
|
||||
"${dist_docker_scripts}/web-bind.awk"
|
||||
cp "./docker/healthcheck.sh"\
|
||||
"${dist_docker_scripts}/healthcheck.sh"
|
||||
|
||||
# Don't use quotes with $docker_version_tag and $docker_channel_tag, because we
|
||||
# want word splitting and or an empty space if tags are empty.
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user