diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 52ff888..5ee89ae 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,30 +15,30 @@ jobs:
 build:
 strategy:
 matrix:
- version: ["6.0", "7.2", "7.3"]
+ version: ["6.0", "7.3", "7.4"]
 include:
 - version: "6.0"
- tag: "6.0.11-1"
- - version: "7.2"
- tag: "7.2.1-1"
+ tag: "6.0.12"
 - version: "7.3"
- tag: "7.3.0-1"
+ tag: "7.3.1"
+ - version: "7.4"
+ tag: "7.4.2"
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 # https://github.com/docker/setup-qemu-action
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v3
 # https://github.com/docker/setup-buildx-action
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v3
- - name: Login to github docker registry
- uses: docker/login-action@v2
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.idea/misc.xml b/.idea/misc.xml
index dc9ea49..9de2865 100644
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -1,4 +1,7 @@ + +
\ No newline at end of file
diff --git a/6.0/Dockerfile b/6.0/Dockerfile
index 62aae55..308f83a 100644
--- a/6.0/Dockerfile
+++ b/6.0/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 LABEL org.opencontainers.image.source = "https://github.com/emgag/docker-varnish"
 #
@@ -19,7 +19,7 @@ RUN apt-get update \
 libpcre3-dev \
 libtool \
 pkg-config \
- python \
+ python-is-python3 \
 python3 \
 python3-docutils \
 python3-sphinx \
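Review bot: The four `uses:` lines on the new side of the .github/workflows/build.yml hunk (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`) reference mutable major-version tags, and the job logs in to ghcr.io, so whatever those tags resolve to at run time executes in a job that holds registry credentials. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, fixes the build input and makes every action update a reviewable change. The `with:` block of the login step continues past the end of the hunk, so the credential it passes and any `permissions:` setting are not visible here; it is worth confirming the token is limited to what the push needs (for a GHCR push, typically `packages: write` and `contents: read`).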
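Review bot: `FROM debian:bookworm-slim` in the first 6.0/Dockerfile hunk (and the same new line in the 7.3 and 7.4 Dockerfiles later in this commit) names the base image by a mutable tag, so two builds of the same commit can start from different layers, while the Varnish source below carries a fixed `VARNISH_SHA256SUM`. Pinning the base by digest, `FROM debian:bookworm-slim@sha256:<digest>`, gives the base image the same fixed-input property and turns base updates into explicit commits. Separately, the unchanged `LABEL org.opencontainers.image.source = "…"` context line has spaces around `=`; Docker appears to read that as the legacy `LABEL key value` form, which would make the stored value begin with `= `, so `LABEL org.opencontainers.image.source="https://github.com/emgag/docker-varnish"` is the safer spelling.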
@@ -30,8 +30,8 @@ RUN apt-get update \
 #
 # install varnish
 #
-ENV VARNISH_VERSION=6.0.11
-ENV VARNISH_SHA256SUM=515900dbeb47ffd30eb39065cae033167983ecf9bd03a9435a273607e1d128db
+ENV VARNISH_VERSION=6.0.12
+ENV VARNISH_SHA256SUM=387cebd3abb34373065ac0e26e6f2bda2140c410a8b5203e115f5a672b2bd6a5
 RUN mkdir -p /usr/local/src && \
 cd /usr/local/src && \
@@ -47,11 +47,11 @@ RUN mkdir -p /usr/local/src && \
 #
 # install stock varnish module library
 #
-ENV VARNISHMODULES_BRANCH=6.0
-ENV VARNISHMODULES_COMMIT=059497cbddd7faeff529c1b9038715e5ba6891ee
+ENV VARNISHMODULES_BRANCH=6.0-lts
+ENV VARNISHMODULES_COMMIT=d472c29300ffa1ea5d0916125d449ba43a64f1bd
 RUN cd /usr/local/src/ && \
- git clone -b ${VARNISHMODULES_BRANCH} https://github.com/nigoroll/varnish-modules.git && \
+ git clone -b ${VARNISHMODULES_BRANCH} https://github.com/varnish/varnish-modules.git && \
 cd varnish-modules && \
 git reset --hard ${VARNISHMODULES_COMMIT} && \
 ./bootstrap && \
diff --git a/7.3/Dockerfile b/7.3/Dockerfile
index 95bb3dc..a4fd443 100644
--- a/7.3/Dockerfile
+++ b/7.3/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:experimental
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 LABEL org.opencontainers.image.source = "https://github.com/emgag/docker-varnish"
 #
@@ -35,8 +35,8 @@ RUN apt-get update \
 #
 # install varnish
 #
-ENV VARNISH_VERSION=7.3.0
-ENV VARNISH_SHA256SUM=e2dbbb0ec270a90647c386866e6e226993aed46e48de751a72bb819737f14ae7
+ENV VARNISH_VERSION=7.3.1
+ENV VARNISH_SHA256SUM=a3dec46e6a8a4f472bb33da99be5068279d6924c475cce8ce7e03615ec0b972b
 ENV VARNISHSRC=/usr/local/src/varnish-${VARNISH_VERSION}
 RUN mkdir -p /usr/local/src && \
diff --git a/7.2/Dockerfile b/7.4/Dockerfile
similarity index 91%
rename from 7.2/Dockerfile
rename to 7.4/Dockerfile
index d04fd2b..808de69 100644
--- a/7.2/Dockerfile
+++ b/7.4/Dockerfile
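Review bot: The `git clone` line in the 6.0/Dockerfile hunk at `@@ -47,11 +47,11 @@` now fetches varnish-modules from `varnish/varnish-modules` instead of `nigoroll/varnish-modules`, and neither a comment in the file nor the CHANGELOG entry added by this commit records that change of upstream. `git reset --hard ${VARNISHMODULES_COMMIT}` still pins the source to one commit, but someone auditing the build inputs cannot tell from the file why the origin moved or that the pinned commit is expected on `6.0-lts` in the new repository. I would add a comment above the two ENV lines, for example `# upstream: github.com/varnish/varnish-modules, branch 6.0-lts; commit pinned below`, and mention the switch in the changelog. The RUN instruction continues past the end of the hunk.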
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:experimental
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 LABEL org.opencontainers.image.source = "https://github.com/emgag/docker-varnish"
 #
@@ -35,8 +35,9 @@ RUN apt-get update \
 #
 # install varnish
 #
-ENV VARNISH_VERSION=7.2.1
-ENV VARNISH_SHA256SUM=4d937d1720a8ec19c533f972d9303a1c9889b7bfca7437893ae5c27cf204a940
+ENV VARNISH_VERSION=7.4.2
+ENV VARNISH_SHA256SUM=6d3d03c67514e6bb4e8584e40a381f51e708607d39337a63dc4ae42061d9a46f
+ENV VARNISHSRC=/usr/local/src/varnish-${VARNISH_VERSION}
 RUN mkdir -p /usr/local/src && \
 cd /usr/local/src && \
@@ -52,8 +53,8 @@ RUN mkdir -p /usr/local/src && \
 #
 # install stock varnish module library
 #
-ENV VARNISHMODULES_VERSION=0.21.0
-ENV VARNISHMODULES_SHA256SUM=d2c69323c6d4ee9ee6023c9a93739ff3828dca1017eb86030511cdb5be3cd70b
+ENV VARNISHMODULES_VERSION=0.23.0
+ENV VARNISHMODULES_SHA256SUM=dadefece55282f11865d221415afe1e2cdd2a1f479bc13a8f5c0832580e0ae76
 RUN cd /usr/local/src/ && \
 curl -sfLO https://github.com/varnish/varnish-modules/archive/${VARNISHMODULES_VERSION}.tar.gz && \
@@ -72,7 +73,7 @@ RUN cd /usr/local/src/ && \
 # install libvmod-dynamic
 #
 ENV LIBVMOD_DYNAMIC_BRANCH=master
-ENV LIBVMOD_DYNAMIC_COMMIT=025e9918f6cba33135e16e0fb0d86b4c34b6dd5a
+ENV LIBVMOD_DYNAMIC_COMMIT=32c331e79dba857b0309ba0d527ba17bf64ff2c7
 RUN cd /usr/local/src/ && \
 git clone -b ${LIBVMOD_DYNAMIC_BRANCH} https://github.com/nigoroll/libvmod-dynamic.git && \
diff --git a/7.2/init.sh b/7.4/init.sh
similarity index 100%
rename from 7.2/init.sh
rename to 7.4/init.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42750e2..a71391f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 2023-12-28
+
+* Add [7.4](https://varnish-cache.org/releases/rel7.4.0.html#rel7-4-0) release.
+* Update to 6.0.12, 7.3.1 and 7.4.2 to address [VSV00013 Varnish HTTP/2 Rapid Reset Attack](https://varnish-cache.org/security/VSV00013.html#vsv00013).
+* Switch base images to debian:bookworm-slim.
+* EOL'd version 7.2.
+
 ## 2023-08-18
 * Update [vmod-digest](https://github.com/varnish/libvmod-digest) to address [VSV00012 Base64 decoding vulnerability in vmod-digest](https://varnish-cache.org/security/VSV00012.html), updated images are 7.3.0-1, 7.2.1-1 and 6.0.11-1.
diff --git a/README.md b/README.md
index 34b8696..13320da 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 **WARNING:** Dockerhub images are no longer maintained. Please use ghcr.io!
-[Varnish](http://varnish-cache.org/) container image used within EMGAG environments. Originally based on [newsdev/docker-varnish](https://github.com/newsdev) (not available anymore), but updated to recent varnish versions (6.0, 7.1 and 7.2), shipped with some additional [vmods](http://varnish-cache.org/vmods/#vmods), better support for custom configuration and built for multiple architectures.
+[Varnish](http://varnish-cache.org/) container image used within EMGAG environments. Originally based on [newsdev/docker-varnish](https://github.com/newsdev) (not available anymore), but updated to recent varnish versions (6.0, 7.3 and 7.4), shipped with some additional [vmods](http://varnish-cache.org/vmods/#vmods), better support for custom configuration and built for multiple architectures.
 Shipped VMODs:
 * [libvmod-digest](https://github.com/varnish/libvmod-digest): HMAC, hash and base64 functions
@@ -20,22 +20,19 @@ Shipped VMODs:
 ## Supported tags and respective `Dockerfile` links
-* [`7.3.0-1` (*7.3.0-1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.3/Dockerfile), based on debian:bullseye-slim.
+* [`7.4.2` (*7.4.2/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.4/Dockerfile), based on debian:bookworm-slim.
 * linux/amd64
- * linux/arm64 (see notes)
-* [`7.2.1-1` (*7.2.1-1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.2/Dockerfile), based on debian:bullseye-slim.
+ * linux/arm64
+* [`7.3.1` (*7.3.1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/7.3/Dockerfile), based on debian:bookworm-slim.
 * linux/amd64
- * linux/arm64 (see notes)
-* [`6.0.11-1` (*6.0.11-1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/6.0/Dockerfile), based on debian:bullseye-slim.
+ * linux/arm64
+* [`6.0.12` (*6.0.11-1/Dockerfile*)](https://github.com/emgag/docker-varnish/blob/master/6.0/Dockerfile), based on debian:bookworm-slim.
 * linux/amd64
- * linux/arm64 (see notes)
+ * linux/arm64
 **Notes:**
-* While the container images are built for Linux amd64 and arm64, **only amd64 is tested and used in production**, the others may or may not work.
 * This repository does **not contain shorthand tags** (e.g. latest, 6, 6.1, etc.), just fully qualified versions corresponding to shipped varnish version and occasionally an additional package version (e.g. 6.0.3-1) if something in the image changed within a varnish release. This is because it might happen that a specific vmod stopped being supported for whatever reason and removing it will break future releases, which is outside of our control (e.g. old releases contained libvmod-geoip, which isn't supported anymore).
-* **Only 7.3, 7.2 and 6.0** are [versions supported by varnish](https://varnish-cache.org/releases/index.html), maintained in this repo and available for download from github container registry and dockerhub.
-* The most recent of the **unsupported** legacy versions, 4.1.11, 5.0.0. 5.1.3 and 5.2.1 are available from dockerhub as well.
-* For docs and code for versions 4.x and 5.x see [branch 4.1](https://github.com/emgag/docker-varnish/tree/4.1).
+* **Only 7.4, 7.3 and 6.0** are [versions supported by varnish](https://varnish-cache.org/releases/index.html), maintained in this repo.
 ## Varnish
@@ -46,7 +43,7 @@ From [varnish-cache.org](https://varnish-cache.org/intro/index.html): _Varnish C
 By default, varnish reads `/etc/varnish/default.vcl` on startup. Either copy your VCL file in your Dockerfile
 ```
-FROM ghcr.io/emgag/varnish:7.3.0-1
+FROM ghcr.io/emgag/varnish:7.4.2
 COPY default.vcl /etc/varnish/default.vcl
 ```
@@ -56,7 +53,7 @@ or mount a volume containing the varnish configuration to `/etc/varnish`, e.g wi
 version: '3'
 services:
 varnish:
- image: ghcr.io/emgag/varnish:7.3.0-1
+ image: ghcr.io/emgag/varnish:7.4.2
 volumes:
 - ./varnish:/etc/varnish
 ports:
diff --git a/test/7.2.vcl b/test/7.4.vcl
similarity index 100%
rename from test/7.2.vcl
rename to test/7.4.vcl