Merge in upstream changes (#11)

* Update dependency psycopg to v3.1.17

* Add env var for CENSUS_REPORTING_ENABLED

See netbox-community#999

* Add Redis Sentinel config as environment vars

* Update dependency psycopg to v3.1.18

* fix segfault

* docker-entrypoint.sh: clarify default token message

When a default admin API token is found, a warning is displayed. As it is only called "token", some users might not know what token is referred to. Also the message should give a hint or link to a documentation on how to remove it.

* Update Ubuntu and Nginx Unit

* Use ARM64 self-hosted runner

* Update dependency django-auth-ldap to v4.7.0

* Avoid duplicate checks for Renovate PRs

* Fix netbox-community#1127: Added sentry-sdk to requirements

* Update dependency sentry-sdk to v1.44.0

* Removed version line from the yaml file as it is obsolete

* Update dependency sentry-sdk to v1.44.1

* Update dependency django-auth-ldap to v4.8.0

* Update dependency sentry-sdk to v1.45.0

* Prepare for Netbox 4.0

* Cancel workflow runs for in progress PRs

* Update dependency dulwich to v0.22.0

* Update dependency dulwich to v0.22.1

* Adds SECURE_* parameters introduced in 3.7.6

See netbox-community/netbox#15644

* Update github/super-linter action to v6

* Update dependency sentry-sdk to v2

* Disabled new tests

* Update dependency django-storages to v1.14.3

* Fixed regex for social-auth-core replacement

* Update dependency sentry-sdk to v2.1.1

* Preparation for 2.9.0

* Fix netbox-community#1222: Use /login/ as health check URL

* Install Sentry Django integration correctly

* Preparation for 2.9.1

* Github -> GitHub

Trying to assuage textlint

* Temporarily comment out the netbox_dns plugin addition

Looks like this is causing the upstream netbox CI tests to fail.

* Partially revert upstream CI changes

We don't have a self-hosted linux/arm64 platform to use, so reinstate
the use of QEMU.  Yes, it's slow, but slow and working always beats
broken at any speed.

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Tobias Genannt <[email protected]>
Co-authored-by: kindlich <[email protected]>
Co-authored-by: NdFeB <[email protected]>
Co-authored-by: tbotnz <[email protected]>
Co-authored-by: Florian Knodt <[email protected]>
Co-authored-by: Tobias Genannt <[email protected]>
Co-authored-by: Chandan Kumar <[email protected]>
Co-authored-by: Christian Mäder <[email protected]>
Co-authored-by: Christian Mäder <[email protected]>

.github/workflows/push.yml

@@ -11,6 +11,10 @@ on:
       - release
       - oxcert
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -25,15 +29,17 @@ jobs:
         with:
           python-version: '3.9'
       - name: Lint Code Base
-        uses: github/super-linter@v5
+        uses: github/super-linter@v6
         env:
           DEFAULT_BRANCH: develop
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SUPPRESS_POSSUM: true
           LINTER_RULES_PATH: /
           VALIDATE_ALL_CODEBASE: false
+          VALIDATE_CHECKOV: false
           VALIDATE_DOCKERFILE: false
           VALIDATE_GITLEAKS: false
+          VALIDATE_JSCPD: false
           FILTER_REGEX_EXCLUDE: (.*/)?(LICENSE|configuration/.*)
           EDITORCONFIG_FILE_NAME: .ecrc
           DOCKERFILE_HADOLINT_FILE_NAME: .hadolint.yaml
@@ -53,6 +59,8 @@ jobs:
         platform:
           - linux/amd64
           - linux/arm64
+        os:
+          - ubuntu-latest
       fail-fast: false
     env:
       GH_ACTION: enable
@@ -70,11 +78,15 @@ jobs:
       - id: buildx-setup
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - id: arm-buildx-platform
+        name: Set BUILDX_PLATFORM to ARM64
+        if: matrix.platform == 'linux/arm64'
+        run: |
+          echo "BUILDX_PLATFORM=linux/arm64" >>"${GITHUB_ENV}"
       - id: docker-build
         name: Build the image for '${{ matrix.platform }}' with '${{ matrix.build_cmd }}'
         run: ${{ matrix.build_cmd }}
         env:
-          BUILDX_PLATFORM: ${{ matrix.platform }}
           BUILDX_BUILDER_NAME: ${{ steps.buildx-setup.outputs.name }}
       - id: arm-time-limit
         name: Set Netbox container start_period higher on ARM64

Dockerfile

@@ -31,14 +31,12 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 ARG NETBOX_PATH
 COPY ${NETBOX_PATH}/requirements.txt requirements-container.txt requirements-plugins.txt /
 RUN \
-    # We compile 'psycopg' in the build process
-    sed -i -e '/psycopg/d' /requirements.txt && \
     # Gunicorn is not needed because we use Nginx Unit
     sed -i -e '/gunicorn/d' /requirements.txt && \
     # We need 'social-auth-core[all]' in the Docker image. But if we put it in our own requirements-container.txt
     # we have potential version conflicts and the build will fail.
     # That's why we just replace it in the original requirements.txt.
-    sed -i -e 's/social-auth-core\[openidconnect\]/social-auth-core\[all\]/g' /requirements.txt && \
+    sed -i -e 's/social-auth-core/social-auth-core\[all\]/g' /requirements.txt && \
     /opt/netbox/venv/bin/pip install \
       -r /requirements.txt \
       -r /requirements-container.txt \
@@ -70,13 +68,13 @@ RUN export DEBIAN_FRONTEND=noninteractive \
       tini \
     && curl --silent --output /usr/share/keyrings/nginx-keyring.gpg \
       https://unit.nginx.org/keys/nginx-keyring.gpg \
-    && echo "deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] https://packages.nginx.org/unit/ubuntu/ lunar unit" \
+    && echo "deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] https://packages.nginx.org/unit/ubuntu/ mantic unit" \
       > /etc/apt/sources.list.d/unit.list \
     && apt-get update -qq \
     && apt-get install \
       --yes -qq --no-install-recommends \
-      unit=1.31.1-1~lunar \
-      unit-python3.11=1.31.1-1~lunar \
+      unit=1.32.0-1~mantic \
+      unit-python3.11=1.32.0-1~mantic \
     && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /opt/netbox/venv /opt/netbox/venv

README.md

@@ -11,15 +11,15 @@ the oxcert branch, from where we build our netbox containers, etc. When there ar
 [![GitHub release (latest by date)](https://img.shields.io/github/v/release/netbox-community/netbox-docker)][github-release]
 [![GitHub stars](https://img.shields.io/github/stars/netbox-community/netbox-docker)][github-stargazers]
 ![GitHub closed pull requests](https://img.shields.io/github/issues-pr-closed-raw/netbox-community/netbox-docker)
-![Github release workflow](https://img.shields.io/github/actions/workflow/status/netbox-community/netbox-docker/release.yml?branch=release)
+![GitHub release workflow](https://img.shields.io/github/actions/workflow/status/netbox-community/netbox-docker/release.yml?branch=release)
 ![Docker Pulls](https://img.shields.io/docker/pulls/netboxcommunity/netbox)
 [![GitHub license](https://img.shields.io/github/license/netbox-community/netbox-docker)][netbox-docker-license]
 
 [The GitHub repository][netbox-docker-github] houses the components needed to build NetBox as a container.
 Images are built regularly using the code in that repository and are pushed to [Docker Hub][netbox-dockerhub], [Quay.io][netbox-quayio] and [GitHub Container Registry][netbox-ghcr].
 
 Do you have any questions?
-Before opening an issue on Github,
+Before opening an issue on GitHub,
 please join [our Slack][netbox-docker-slack] and ask for help in the [`#netbox-docker`][netbox-docker-slack-channel] channel.
 
 [github-stargazers]: https://github.com/netbox-community/netbox-docker/stargazers
@@ -42,7 +42,6 @@ There is a more complete [_Getting Started_ guide on our wiki][wiki-getting-star
 git clone -b release https://github.com/netbox-community/netbox-docker.git
 cd netbox-docker
 tee docker-compose.override.yml <<EOF
-version: '3.4'
 services:
   netbox:
     ports:

VERSION

@@ -1 +1 @@
-1.2.2
+1.2.3

build.sh

@@ -61,7 +61,7 @@ DOCKERFILE  The name of Dockerfile to use.
             ${_GREEN}Default:${_CLEAR} Dockerfile
 
 DOCKER_FROM The base image to use.
-            ${_GREEN}Default:${_CLEAR} 'ubuntu:23.04'
+            ${_GREEN}Default:${_CLEAR} 'ubuntu:23.10'
 
 BUILDX_PLATFORMS
             Specifies the platform(s) to build the image for.
@@ -219,7 +219,7 @@ fi
 # Determining the value for DOCKER_FROM
 ###
 if [ -z "$DOCKER_FROM" ]; then
-  DOCKER_FROM="docker.io/ubuntu:23.04"
+  DOCKER_FROM="docker.io/ubuntu:23.10"
 fi
 
 ###

configuration/configuration.py

@@ -86,6 +86,9 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
     'tasks': {
         'HOST': environ.get('REDIS_HOST', 'localhost'),
         'PORT': _environ_get_and_map('REDIS_PORT', 6379, _AS_INT),
+        'SENTINELS': [tuple(uri.split(':')) for uri in _environ_get_and_map('REDIS_SENTINELS', '', _AS_LIST) if uri != ''],
+        'SENTINEL_SERVICE': environ.get('REDIS_SENTINEL_SERVICE', 'default'),
+        'SENTINEL_TIMEOUT': _environ_get_and_map('REDIS_SENTINEL_TIMEOUT', 10, _AS_INT),
         'USERNAME': environ.get('REDIS_USERNAME', ''),
         'PASSWORD': _read_secret('redis_password', environ.get('REDIS_PASSWORD', '')),
         'DATABASE': _environ_get_and_map('REDIS_DATABASE', 0, _AS_INT),
@@ -95,6 +98,8 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
     'caching': {
         'HOST': environ.get('REDIS_CACHE_HOST', environ.get('REDIS_HOST', 'localhost')),
         'PORT': _environ_get_and_map('REDIS_CACHE_PORT', environ.get('REDIS_PORT', '6379'), _AS_INT),
+        'SENTINELS': [tuple(uri.split(':')) for uri in _environ_get_and_map('REDIS_CACHE_SENTINELS', '', _AS_LIST) if uri != ''],
+        'SENTINEL_SERVICE': environ.get('REDIS_CACHE_SENTINEL_SERVICE', environ.get('REDIS_SENTINEL_SERVICE', 'default')),
         'USERNAME': environ.get('REDIS_CACHE_USERNAME', environ.get('REDIS_USERNAME', '')),
         'PASSWORD': _read_secret('redis_cache_password', environ.get('REDIS_CACHE_PASSWORD', environ.get('REDIS_PASSWORD', ''))),
         'DATABASE': _environ_get_and_map('REDIS_CACHE_DATABASE', '1', _AS_INT),
@@ -183,6 +188,13 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
 if 'ENFORCE_GLOBAL_UNIQUE' in environ:
     ENFORCE_GLOBAL_UNIQUE = _environ_get_and_map('ENFORCE_GLOBAL_UNIQUE', None, _AS_BOOL)
 
+# By default, netbox sends census reporting data using a single HTTP request each time a worker starts.
+# This data enables the project maintainers to estimate how many NetBox deployments exist and track the adoption of new versions over time.
+# The only data reported by this function are the NetBox version, Python version, and a pseudorandom unique identifier.
+# To opt out of census reporting, set CENSUS_REPORTING_ENABLED to False.
+if 'CENSUS_REPORTING_ENABLED' in environ:
+    CENSUS_REPORTING_ENABLED = _environ_get_and_map('CENSUS_REPORTING_ENABLED', None, _AS_BOOL)
+
 # Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
 # by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
 EXEMPT_VIEW_PERMISSIONS = _environ_get_and_map('EXEMPT_VIEW_PERMISSIONS', '', _AS_LIST)
@@ -300,6 +312,23 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
 # The name to use for the session cookie.
 SESSION_COOKIE_NAME = environ.get('SESSION_COOKIE_NAME', 'sessionid')
 
+# If true, the `includeSubDomains` directive will be included in the HTTP Strict Transport Security (HSTS) header.
+# This directive instructs the browser to apply the HSTS policy to all subdomains of the current domain.
+SECURE_HSTS_INCLUDE_SUBDOMAINS = _environ_get_and_map('SECURE_HSTS_INCLUDE_SUBDOMAINS', 'False', _AS_BOOL)
+
+# If true, the `preload` directive will be included in the HTTP Strict Transport Security (HSTS) header.
+# This directive instructs the browser to preload the site in HTTPS. Browsers that use the HSTS preload list will force the
+# site to be accessed via HTTPS even if the user types HTTP in the address bar.
+SECURE_HSTS_PRELOAD = _environ_get_and_map('SECURE_HSTS_PRELOAD', 'False', _AS_BOOL)
+
+# If set to a non-zero integer value, the SecurityMiddleware sets the HTTP Strict Transport Security (HSTS) header on all
+# responses that do not already have it. This will instruct the browser that the website must be accessed via HTTPS,
+# blocking any HTTP request.
+SECURE_HSTS_SECONDS = _environ_get_and_map('SECURE_HSTS_SECONDS', 0, _AS_INT)
+
+# If true, all non-HTTPS requests will be automatically redirected to use HTTPS.
+SECURE_SSL_REDIRECT = _environ_get_and_map('SECURE_SSL_REDIRECT', 'False', _AS_BOOL)
+
 # By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
 # local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
 # database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
@@ -308,11 +337,3 @@ def _environ_get_and_map(variable_name: str, default: str | None = None, map_fn:
 # Time zone (default: UTC)
 TIME_ZONE = environ.get('TIME_ZONE', 'UTC')
 
-# Date/time formatting. See the following link for supported formats:
-# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
-DATE_FORMAT = environ.get('DATE_FORMAT', 'N j, Y')
-SHORT_DATE_FORMAT = environ.get('SHORT_DATE_FORMAT', 'Y-m-d')
-TIME_FORMAT = environ.get('TIME_FORMAT', 'g:i a')
-SHORT_TIME_FORMAT = environ.get('SHORT_TIME_FORMAT', 'H:i:s')
-DATETIME_FORMAT = environ.get('DATETIME_FORMAT', 'N j, Y g:i a')
-SHORT_DATETIME_FORMAT = environ.get('SHORT_DATETIME_FORMAT', 'Y-m-d H:i')

configuration/plugins.py

@@ -4,7 +4,7 @@
 # To learn how to build images with your required plugins
 # See https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins
 
-PLUGINS = ["netbox_dns"]
+#PLUGINS = ["netbox_dns"]
 
 # PLUGINS_CONFIG = {
 #   "netbox_bgp": {

docker-compose.override.yml.example

@@ -1,4 +1,3 @@
-version: '3.4'
 services:
   netbox:
     ports:

docker-compose.test.override.yml

@@ -1,4 +1,3 @@
-version: '3.4'
 services:
   netbox:
     ports:

docker-compose.test.yml

@@ -1,4 +1,3 @@
-version: '3.4'
 services:
   netbox: &netbox
     image: ${IMAGE-netboxcommunity/netbox:latest}

docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3.4'
 services:
   netbox: &netbox
     image: ghcr.io/oxcert/netbox:${VERSION-latest}
@@ -12,7 +11,7 @@ services:
       start_period: 60s
       timeout: 3s
       interval: 15s
-      test: "curl -f http://localhost:8080/api/ || exit 1"
+      test: "curl -f http://localhost:8080/login/ || exit 1"
     volumes:
     - ./configuration:/etc/netbox/config:z,ro
     - netbox-media-files:/opt/netbox/netbox/media:rw

docker/docker-entrypoint.sh

@@ -72,10 +72,9 @@ else
   fi
 
   ./manage.py shell --interface python <<END
-from django.contrib.auth.models import User
-from users.models import Token
+from users.models import Token, User
 if not User.objects.filter(username='${SUPERUSER_NAME}'):
-    u=User.objects.create_superuser('${SUPERUSER_NAME}', '${SUPERUSER_EMAIL}', '${SUPERUSER_PASSWORD}')
+    u = User.objects.create_superuser('${SUPERUSER_NAME}', '${SUPERUSER_EMAIL}', '${SUPERUSER_PASSWORD}')
     Token.objects.create(user=u, key='${SUPERUSER_API_TOKEN}')
 END
 
@@ -87,7 +86,7 @@ from users.models import Token
 try:
     old_default_token = Token.objects.get(key="0123456789abcdef0123456789abcdef01234567")
     if old_default_token:
-        print("⚠️ Warning: You have the old default admin token in your database. This token is widely known; please remove it.")
+        print("⚠️ Warning: You have the old default admin API token in your database. This token is widely known; please remove it. Log in as your superuser and check API Tokens in your user menu.")
 except Token.DoesNotExist:
     pass
 END

requirements-container.txt

@@ -1,5 +1,5 @@
-django-auth-ldap==4.6.0
-django-storages[azure,boto3,dropbox,google,libcloud,sftp]==1.14.2
-dulwich==0.21.7
-psycopg[c,pool]==3.1.16
-python3-saml==1.16.0
+django-auth-ldap==4.8.0
+django-storages[azure,boto3,dropbox,google,libcloud,sftp]==1.14.3
+dulwich==0.22.1
+python3-saml==1.16.0 --no-binary lxml
+sentry-sdk[django]==2.1.1

requirements-plugins.txt

@@ -1 +1 @@
-netbox-plugin-dns
+#netbox-plugin-dns