config/nginx-manager.yaml
# Build descriptor for the nginx-manager component of MEF_Center.
# NOTE(review): the nesting below is reconstructed from a listing that had
# lost its line breaks; confirm it against the build tool's schema.
component: nginx-manager
product: MEF_Center
systemEnv:
  - workspace
  - processor
  - version
TOP_DIR: "{{systemEnv.workspace}}/{{product}}/{{component}}"
compile:
  input:
    envVariables:
      GO111MODULE: "on"
      # NOTE(review): "*" exempts every module path from checksum-database
      # verification, and the proxy below is reached over plain HTTP. Together
      # with "mod=mod" in the build parameters (which lets the go command
      # update go.mod/go.sum during the build), newly resolved modules are
      # accepted without an authenticated integrity check. Consider an HTTPS
      # proxy, a narrower GONOSUMDB pattern, and "mod=readonly" with a
      # committed go.sum.
      GONOSUMDB: "*"
      GOPROXY: "http://mirrors.tools.huawei.com/goproxy,direct"
      CGO_ENABLED: "1"
      # Hardening for the C parts of the build: stack protector, fortified
      # libc calls, position-independent code, trap on signed overflow.
      CGO_CFLAGS: "-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -fPIC -ftrapv"
      CGO_CPPFLAGS: "-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -fPIC -ftrapv"
    files:
      exclude:
        # Start from an empty output directory.
        - remove: ["{{TOP_DIR}}/output/"]
        - makedir:
            path: "{{TOP_DIR}}/output"
      include:
        # Rewrites the "<component>:<tag>" text in the deployment manifest to
        # the build version.
        # NOTE(review): {{version}} is placed into the sed expression
        # unescaped; a value containing "/" or "&" would change the
        # substitution. Confirm the version format is constrained upstream.
        - sed:
            option: "-i"
            srcstr: "s/{{component}}:.*/{{component}}:{{version}}/"
            curfile: "{{TOP_DIR}}/build/{{component}}.yaml"
  process:
    language: go
    compilePath: "{{TOP_DIR}}/cmd"
    # pie + "-z,now" give a position-independent binary with eager symbol
    # binding; -s strips the symbol table; trimpath removes local build paths
    # from the binary.
    parameters: [['buildmode', "pie"],
                 ["mod", "mod"],
                 ['ldflags', '-X "main.BuildName={{component}}" -X "main.BuildVersion={{version}}_linux-{{systemEnv.processor}}" -s -linkmode=external -extldflags=-Wl,-z,now'],
                 ["o", "{{component}}"],
                 ['trimpath',""],]
  output:
    files:
      include:
        - commands:
            # Hands over to build.sh, which builds nginx and packages the bundle.
            - command: "cd {{TOP_DIR}}/output/ && bash -x {{TOP_DIR}}/build/build.sh"
build.sh
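#!/bin/bash
# Builds nginx from the vendored source tree, stages it together with the
# nginx-manager binary, shared libraries, deployment manifest and Dockerfile
# under output/, and zips the result.
set -e

CUR_DIR=$(dirname "$(readlink -f "$0")")
TOP_DIR=$(realpath "${CUR_DIR}"/..)
OUTPUT_NAME="nginx-manager"
DOCKER_FILE_NAME="Dockerfile"
VER_FILE="${TOP_DIR}"/service_config.ini

# Default version; overridden by line 6 of service_config.ini when present.
build_version="3.0.0"
if [ -f "$VER_FILE" ]; then
    line=$(sed -n '6p' "$VER_FILE" 2>&1)
    # keep only the text after the first ':'
    build_version=${line#*:}
fi
arch=$(arch 2>&1)

# Configure and compile nginx with the install layout used inside the image,
# then park the binary in output/ as nginx_bin.
function buildNginx() {
    cd "${TOP_DIR}/../opensource/nginx/"
    chmod 750 auto/configure
    # Logs, pid and lock files live under /home/MEFCenter/log; the request
    # body and proxy temp directories are compiled in as paths under /tmp.
    ./auto/configure \
        --prefix=/home/MEFCenter \
        --conf-path=/home/MEFCenter/conf/nginx.conf \
        --error-log-path=/home/MEFCenter/log/error.log \
        --http-log-path=/home/MEFCenter/log/access.log \
        --pid-path=/home/MEFCenter/log/nginx.pid \
        --lock-path=/home/MEFCenter/log/nginx.lock \
        --with-http_ssl_module \
        --http-client-body-temp-path=/tmp/client_body_temp \
        --http-proxy-temp-path=/tmp/proxy_temp \
        --http-fastcgi-temp-path=/tmp/fastcgi_temp \
        --http-uwsgi-temp-path=/tmp/uwsgi_temp \
        --http-scgi-temp-path=/tmp/scgi_temp
    make
    cp "${TOP_DIR}/../opensource/nginx/objs/nginx" "${TOP_DIR}/output/nginx_bin"
}

# Assemble the bundle layout under output/ and create the release zip.
function mv_file() {
    mkdir -p "${TOP_DIR}/output/nginx/dist"
    mkdir -p "${TOP_DIR}/output/nginx/conf"
    cp -R "${TOP_DIR}/../opensource/nginx/conf/mime.types" "${TOP_DIR}/output/nginx/conf/"
    cp "${TOP_DIR}/build/nginx_default.conf" "${TOP_DIR}/output/nginx/conf/"
    mv "${TOP_DIR}/output/nginx_bin" "${TOP_DIR}/output/nginx/nginx"
    cp "${TOP_DIR}/cmd/${OUTPUT_NAME}" "${TOP_DIR}/output/nginx/"
    cp -R "${TOP_DIR}/../../lib" "${TOP_DIR}/output/nginx/lib"
    # NOTE(review): libssl.so.1.1 is taken from the build host, so the TLS
    # library that ships is whatever patch level that host has installed. The
    # ubuntu:22.04 base image provides OpenSSL 3, so image updates will not
    # patch this copy. libcrypto is not copied here; presumably it comes from
    # ../../lib -- confirm.
    cp "/lib/${arch}-linux-gnu/libssl.so.1.1" "${TOP_DIR}/output/nginx/lib/"
    cp "${TOP_DIR}/build/${OUTPUT_NAME}.yaml" "${TOP_DIR}/output/${OUTPUT_NAME}-${build_version}.yaml"
    cp "${TOP_DIR}/build/${DOCKER_FILE_NAME}" "${TOP_DIR}/output/${DOCKER_FILE_NAME}"
    cd "${TOP_DIR}/output/"
    # The archive name is quoted because build_version is read from a file:
    # unquoted, whitespace or glob characters in it would split or expand the
    # argument.
    zip -ry "Ascend-mindx_edge-${OUTPUT_NAME}-${build_version}_linux-${arch}.zip" ./*
}

function main() {
    buildNginx
    mv_file
}

main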
Dockerfile
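# Runtime image for nginx-manager: creates the unprivileged MEFCenter account
# (UID 8000), copies the staged nginx/ bundle into its home directory and runs
# as that account.
# NOTE(review): the base image is referenced by tag only; pinning it by digest
# would make rebuilds reproducible.
FROM ubuntu:22.04 AS build

RUN useradd -d /home/MEFCenter -u 8000 -m -s /usr/sbin/nologin MEFCenter
WORKDIR /home/MEFCenter
COPY nginx .

# Restrict the bundle to owner/group and hand it to the service account.
# NOTE(review): /etc/profile and ~/.bashrc are read only by login or
# interactive shells. The deployment manifest on this page starts the
# container with `/bin/bash -c`, which reads neither, so the umask 027 set
# here likely does not apply to the service process -- confirm.
RUN mkdir -p /home/MEFCenter/log && \
    chmod 750 /home/MEFCenter && \
    chmod 750 -R /home/MEFCenter/* && \
    chown MEFCenter:MEFCenter -R /home/MEFCenter/* && \
    echo 'umask 027' >> /etc/profile && \
    echo 'source /etc/profile' >> /home/MEFCenter/.bashrc

# Append the bundled library directory without leaving an empty path element.
# With LD_LIBRARY_PATH unset, "${LD_LIBRARY_PATH}:/home/MEFCenter/lib" begins
# with ":", and the dynamic loader treats an empty element as the current
# working directory.
ENV LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}/home/MEFCenter/lib

# MEFCenter is used as the default user of the container
USER MEFCenter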
nginx-manager.yaml
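---
# Deployment of the nginx-manager pod, followed by the NodePort Service that
# exposes it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ascend-nginx-manager
  namespace: mindx-edge
spec:
  selector:
    matchLabels:
      app: ascend-nginx-manager
  template:
    metadata:
      labels:
        app: ascend-nginx-manager
    spec:
      nodeSelector:
        masterselector: dls-master-node
      imagePullSecrets:
        - name: image-pull-secret
      # NOTE(review): the proxy runs under the edge-manager service account.
      # If nginx-manager does not call the Kubernetes API, a dedicated account
      # with no role bindings would be the least-privilege choice -- confirm.
      serviceAccountName: ascend-edge-manager
      containers:
        - name: ascend-nginx-manager
          image: ascend-nginx-manager:v1.0
          # Enforce at admission what the image already intends: run as the
          # MEFCenter account (UID 8000 in the Dockerfile on this page) and
          # never gain privileges. The UID is given numerically because the
          # image sets USER by name, which runAsNonRoot cannot verify.
          # NOTE(review): nginx listens on 80/443 as a non-root user; this
          # relies on the container runtime permitting unprivileged binds to
          # low ports -- confirm on the target nodes.
          securityContext:
            runAsNonRoot: true
            runAsUser: 8000
            allowPrivilegeEscalation: false
          env:
            # Upstream addresses for the two proxied services.
            - name: EdgeMgrSvcDomain
              value: "ascend-edge-manager.mindx-edge.svc.cluster.local"
            - name: EdgeMgrSvcPort
              value: "8109"
            - name: SoftwareMgrSvcDomain
              value: "software-manager-service.mindx-edge.svc.cluster.local"
            - name: SoftwareMgrSvcPort
              value: "30086"
          command: ["/bin/bash", "-c", "--"]
          args: ["./nginx-manager"]
          # NOTE(review): no resource requests or limits are set for this
          # container.
          volumeMounts:
            - mountPath: "/home/MEFCenter/log/"
              name: log-vol
            - mountPath: "/home/MEFCenter/certs/"
              name: certs-vol
            - mountPath: "/home/data/"
              name: cert-manager-config
      # NOTE(review): all three volumes are hostPath mounts, writable from the
      # container. /home/data/ is a broad host directory; mount only the
      # subdirectory that is needed and add readOnly: true wherever the
      # service only reads (the certificate directory is a likely candidate --
      # confirm).
      volumes:
        - name: cert-manager-config
          hostPath:
            path: /home/data/
        - name: log-vol
          hostPath:
            path: /var/log/mindx-edge/nginx-manager/
        - name: certs-vol
          hostPath:
            path: /etc/MEF_certs/nginx-manager/
---
apiVersion: v1
kind: Service
metadata:
  name: ascend-nginx-manager
  namespace: mindx-edge
  labels:
    app: ascend-nginx-manager
spec:
  ports:
    # NOTE(review): the plain-HTTP listener is published on every node
    # (30034) next to the TLS one (30035); the port-80 server in the nginx
    # configuration proxies the manager APIs without TLS. Drop this port if
    # external clients only need HTTPS.
    - name: port80
      port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 30034
    - name: port443
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 30035
  selector:
    app: ascend-nginx-manager
  type: NodePort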
nginx_default.conf
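# nginx configuration for nginx-manager: serves the static front end from
# /home/MEFCenter/dist and reverse-proxies /edgemanager and /softwaremanager
# to the in-cluster services, over HTTP on port 80 and over mutually
# authenticated TLS on port 443.
worker_processes 1;
worker_cpu_affinity 0001;
worker_rlimit_nofile 4096;

events {
    worker_connections 4096;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
    access_log /home/MEFCenter/log/access.log main;
    error_log /home/MEFCenter/log/error.log;

    sendfile on;
    keepalive_timeout 60;
    proxy_read_timeout 2400;
    proxy_connect_timeout 60;
    proxy_send_timeout 60;
    client_header_timeout 60;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    client_body_buffer_size 16K;
    client_body_timeout 60;
    send_timeout 60;
    # Do not disclose the nginx version in headers and error pages.
    server_tokens off;
    port_in_redirect off;
    keepalive_requests 100;
    proxy_request_buffering off;

    # Shared-memory zones for rate and connection limiting.
    # NOTE(review): req_zone is defined here but no limit_req in this file
    # references it.
    limit_req_zone global zone=req_zone:1m rate=1000r/s;
    limit_req_zone $binary_remote_addr zone=event_zone:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=conn_zone:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    # Plain-HTTP listener.
    # NOTE(review): unlike the 443 server, this server applies no limit_req or
    # limit_conn, and it forwards the manager APIs upstream without TLS.
    server{
        listen 80;
        server_name localhost;
        #resolver 10.96.0.10 valid=15s;
        # A resolver is required because proxy_pass below uses variables.
        resolver kube-dns.kube-system.svc.cluster.local valid=15s;

        # Static front end; only GET (and, implicitly, HEAD) is allowed.
        location / {
            limit_except GET{
                deny all;
            }
            proxy_hide_header X-Powered-By;
            client_max_body_size 10m;
            root /home/MEFCenter/dist;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /home/MEFCenter/dist;
        }

        error_page 400 401 402 403 404 405 406 407 413 414 /4xx.html;
        location = /4xx.html {
            root /home/MEFCenter/dist;
        }

        location /edgemanager {
            default_type application/json;
            # HSTS directives are separated by ";"; without it the header
            # value is not well-formed.
            # NOTE(review): browsers ignore HSTS received over plain HTTP, and
            # the 443 server below does not send it.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Content-Type-Options nosniff always;
            # NOTE(review): 'unsafe-inline' and 'unsafe-eval' remove most of
            # the script-injection protection a CSP provides.
            add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval';object-src 'none'; " always;
            add_header X-frame-options SAMEORIGIN always;
            add_header Pragma no-cache always;
            add_header Cache-Control no-store always;
            add_header X-Download-Options noopen always;
            # NOTE(review): set normally takes a variable and a value. As
            # written these lines carry no value, so this file is presumably a
            # template that nginx-manager completes from the EdgeMgrSvc*
            # environment variables before nginx loads it -- confirm.
            set $EdgeMgrSvcDomain;
            set $EdgeMgrSvcPort;
            proxy_pass http://$EdgeMgrSvcDomain:$EdgeMgrSvcPort;
        }

        location /softwaremanager {
            default_type application/json;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Content-Type-Options nosniff always;
            add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval';object-src 'none'; " always;
            add_header X-frame-options SAMEORIGIN always;
            add_header Pragma no-cache always;
            add_header Cache-Control no-store always;
            add_header X-Download-Options noopen always;
            # Same template placeholders as /edgemanager (see the note there).
            set $SoftwareMgrSvcDomain;
            set $SoftwareMgrSvcPort;
            proxy_pass http://$SoftwareMgrSvcDomain:$SoftwareMgrSvcPort;
        }
    }

    # TLS listener.
    server{
        listen 443 ssl;
        server_name localhost;
        resolver kube-dns.kube-system.svc.cluster.local valid=15s;
        #resolver 10.96.0.10 valid=15;

        ssl_certificate /home/MEFCenter/certs/nginx-manager.crt;
        # NOTE(review): the path name suggests the private key is supplied
        # through a named pipe at startup rather than stored as a file --
        # confirm.
        ssl_certificate_key /home/MEFCenter/conf/keyPipe;
        # Pin the listener to the same protocol versions the upstream side
        # uses (proxy_ssl_protocols below) instead of relying on the nginx
        # build's default set.
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): without "always" this header is omitted from error
        # responses. plugin-types has been dropped from the CSP specification
        # and current browsers ignore it; object-src 'none' (used in the
        # port-80 policy) is the supported way to block plugins.
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; form-action 'self'; frame-ancestors 'self'; plugin-types 'none'";
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

        # Per-client request rate and connection caps, plus a per-server
        # connection cap.
        limit_req zone=event_zone burst=60 nodelay;
        limit_conn conn_zone 10;
        limit_conn perserver 100;

        location / {
            limit_except GET{
                deny all;
            }
            proxy_hide_header X-Powered-By;
            client_max_body_size 10m;
            root /home/MEFCenter/dist;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /home/MEFCenter/dist;
        }

        error_page 400 401 402 403 404 405 406 407 413 414 /4xx.html;
        location = /4xx.html {
            root /home/MEFCenter/dist;
        }

        location /edgemanager {
            # Mutual TLS to the upstream: present a client certificate and
            # verify the upstream certificate against ca.crt.
            proxy_ssl_certificate /home/MEFCenter/certs/client.crt;
            proxy_ssl_certificate_key /home/MEFCenter/conf/client_pipe_0;
            proxy_ssl_trusted_certificate /home/MEFCenter/certs/ca.crt;
            proxy_ssl_verify on;
            proxy_ssl_session_reuse on;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
            client_max_body_size 10m;
            # Template placeholders, presumably filled in by nginx-manager
            # before nginx loads the file -- confirm.
            set $EdgeMgrSvcDomain;
            set $EdgeMgrSvcPort;
            proxy_pass https://$EdgeMgrSvcDomain:$EdgeMgrSvcPort;
        }

        location /softwaremanager {
            proxy_ssl_certificate /home/MEFCenter/certs/client.crt;
            proxy_ssl_certificate_key /home/MEFCenter/conf/client_pipe_1;
            proxy_ssl_trusted_certificate /home/MEFCenter/certs/ca.crt;
            proxy_ssl_verify on;
            proxy_ssl_session_reuse on;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
            client_max_body_size 10m;
            set $SoftwareMgrSvcDomain;
            set $SoftwareMgrSvcPort;
            proxy_pass https://$SoftwareMgrSvcDomain:$SoftwareMgrSvcPort;
        }
    }
}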