entrypoint: Monitor config dir for changes

We see a lot of crudges and hacks to notify nginx or the nginx container
informing it it needs to restart. While there certainly cases that
require manual control, for the most, this could be easily automated.

With inotify, we can recursively monitor /etc/nginx (or any directory
per config) for changes (currently, not monitoring for for access time
changes, e.g. reads or `touch` (not creating new files) events). On an event,
we sleep first for (configurable) seconds, the default is 10, so that
multiple updates don't cause multiple restarts. E.g. copying 10
certificates into /etc/nginx/certs, won't trigger 10 reloads.

The monitor will run indefinably, but to ensure there is 'some' way to
exit it, is to remove the pid file (configurable location) and
triggering a `/etc/nginx` change (`touch '/etc/nginx/exit'` for example
to create a file. It's not perfect, but probably will never be used
anyway.

The current configuration won't change existing behavior, it needs to be
explicitly enabled.

Signed-off-by: Olliver Schinagl <[email protected]>

Author: oliv3r

Dockerfile-alpine-slim.template

@@ -101,6 +101,8 @@ RUN set -x \
     && ln -sf /dev/stderr /var/log/nginx/error.log \
 # Ensure we can run our entrypoint
     && apk add --no-cache dumb-init \
+# Add support for manually monitoring files to trigger server reloads
+    && apk add --no-cache inotify-tools \
 # create a docker-entrypoint.d directory
     && mkdir /docker-entrypoint.d
 

Dockerfile-alpine.template

@@ -77,4 +77,6 @@ RUN set -x \
 # Bring in curl and ca-certificates to make registering on DNS SD easier
     && apk add --no-cache curl ca-certificates \
 # Ensure we can run our entrypoint
-    && apk add --no-cache dumb-init
+    && apk add --no-cache dumb-init \
+# Add support for manually monitoring files to trigger server reloads
+    && apk add --no-cache inotify-tools

Dockerfile-debian.template

@@ -83,6 +83,7 @@ RUN set -x \
                         gettext-base \
                         curl \
                         dumb-init \
+                        inotify-tools \
     && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
     \
 # if we have leftovers from building, let's purge them (including extra, unnecessary build deps)

entrypoint/99-monitor-config-changes.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+# vim:sw=2:ts=2:sts=2:et
+
+set -eu
+if [ -n "${DEBUG_TRACE_SH:-}" ] && \
+   [ "${DEBUG_TRACE_SH:-}" != "${DEBUG_TRACE_SH#*"$(basename "${0}")"*}" ] || \
+   [ "${DEBUG_TRACE_SH:-}" = 'all' ]; then
+  set -x
+fi
+
+LC_ALL=C
+
+if [ -e "${NGINX_ENTRYPOINT_MONITOR_PID:=/run/nginx_monitor.pid}" ] ||
+   [ -z "${NGINX_ENTRYPOINT_MONITOR_CONFIG+monitor}" ] || \
+   ! command -v inotifywait; then
+  exit 0
+fi
+
+echo "Monitoring for changes in '${NGINX_ENTRYPOINT_MONITOR_CONFIG:=/etc/nginx}'"
+while true; do
+  inotifywait \
+    --recursive \
+    --event 'create' \
+    --event 'delete' \
+    --event 'modify' \
+    --event 'move' \
+    "${NGINX_ENTRYPOINT_MONITOR_CONFIG}"
+
+  sleep "${NGINX_ENTRYPOINT_MONITOR_DELAY:-10s}"
+
+  if [ ! -e "${NGINX_ENTRYPOINT_MONITOR_PID}" ]; then
+    logger -s -t 'nginx' -p 'local0.3' 'Monitor failure or exit requested'
+    break
+  fi
+
+  if nginx -t; then
+    nginx -s
+  else
+    logger -s -t 'nginx' -p 'local0.3' 'Refusing to reload config, config error'
+  fi
+done &
+echo "${!}" > "${NGINX_ENTRYPOINT_MONITOR_PID}"
+
+exit 0