Merge pull request #71 from infosiftr/protected-mode-redux

Redo "protected-mode" enablement in a way that preserves "save on SIGTERM"

Author: yosifkit

3.2/32bit/Dockerfile

@@ -27,18 +27,40 @@ ENV REDIS_DOWNLOAD_SHA1 92d6d93ef2efc91e595c8bf578bf72baff397507
 RUN apt-get update && apt-get install -y libc6-i386 --no-install-recommends && rm -rf /var/lib/apt/lists/*
 
 # for redis-sentinel see: http://redis.io/topics/sentinel
-RUN buildDeps='gcc gcc-multilib libc6-dev-i386 make' \
-	&& set -x \
-	&& apt-get update && apt-get install -y $buildDeps --no-install-recommends \
+RUN set -ex \
+	\
+	&& buildDeps=' \
+		gcc \
+		gcc-multilib \
+		libc6-dev-i386 \
+		make \
+	' \
+	&& apt-get update \
+	&& apt-get install -y $buildDeps --no-install-recommends \
 	&& rm -rf /var/lib/apt/lists/* \
+	\
 	&& wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL" \
 	&& echo "$REDIS_DOWNLOAD_SHA1 *redis.tar.gz" | sha1sum -c - \
 	&& mkdir -p /usr/src/redis \
 	&& tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1 \
 	&& rm redis.tar.gz \
+	\
+# Disable Redis protected mode [1] as it is unnecessary in context
+# of Docker. Ports are not automatically exposed when running inside
+# Docker, but rather explicitely by specifying -p / -P.
+# [1] https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
+	&& grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 1$' /usr/src/redis/src/server.h \
+	&& sed -ri 's!^(#define CONFIG_DEFAULT_PROTECTED_MODE) 1$!\1 0!' /usr/src/redis/src/server.h \
+	&& grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 0$' /usr/src/redis/src/server.h \
+# for future reference, we modify this directly in the source instead of just supplying a default configuration flag because apparently "if you specify any argument to redis-server, [it assumes] you are going to specify everything"
+# see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
+# (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
+	\
 	&& make -C /usr/src/redis 32bit \
 	&& make -C /usr/src/redis install \
+	\
 	&& rm -r /usr/src/redis \
+	\
 	&& apt-get purge -y --auto-remove $buildDeps
 
 RUN mkdir /data && chown redis:redis /data

3.2/32bit/docker-entrypoint.sh

@@ -13,32 +13,4 @@ if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 	exec gosu redis "$0" "$@"
 fi
 
-if [ "$1" = 'redis-server' ]; then
-	# Disable Redis protected mode [1] as it is unnecessary in context
-	# of Docker. Ports are not automatically exposed when running inside
-	# Docker, but rather explicitely by specifying -p / -P.
-	# [1] https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
-	doProtectedMode=1
-	configFile=
-	if [ -f "$2" ]; then
-		configFile="$2"
-		if grep -q '^protected-mode' "$configFile"; then
-			# if a config file is supplied and explicitly specifies "protected-mode", let it win
-			doProtectedMode=
-		fi
-	fi
-	if [ "$doProtectedMode" ]; then
-		shift # "redis-server"
-		if [ "$configFile" ]; then
-			shift
-		fi
-		set -- --protected-mode no "$@"
-		if [ "$configFile" ]; then
-			set -- "$configFile" "$@"
-		fi
-		set -- redis-server "$@" # redis-server [config file] --protected-mode no [other options]
-		# if this is supplied again, the "latest" wins, so "--protected-mode no --protected-mode yes" will result in an enabled status
-	fi
-fi
-
 exec "$@"

3.2/Dockerfile

@@ -25,18 +25,39 @@ ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-3.2.3.tar.gz
 ENV REDIS_DOWNLOAD_SHA1 92d6d93ef2efc91e595c8bf578bf72baff397507
 
 # for redis-sentinel see: http://redis.io/topics/sentinel
-RUN buildDeps='gcc libc6-dev make' \
-	&& set -x \
-	&& apt-get update && apt-get install -y $buildDeps --no-install-recommends \
+RUN set -ex \
+	\
+	&& buildDeps=' \
+		gcc \
+		libc6-dev \
+		make \
+	' \
+	&& apt-get update \
+	&& apt-get install -y $buildDeps --no-install-recommends \
 	&& rm -rf /var/lib/apt/lists/* \
+	\
 	&& wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL" \
 	&& echo "$REDIS_DOWNLOAD_SHA1 *redis.tar.gz" | sha1sum -c - \
 	&& mkdir -p /usr/src/redis \
 	&& tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1 \
 	&& rm redis.tar.gz \
+	\
+# Disable Redis protected mode [1] as it is unnecessary in context
+# of Docker. Ports are not automatically exposed when running inside
+# Docker, but rather explicitely by specifying -p / -P.
+# [1] https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
+	&& grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 1$' /usr/src/redis/src/server.h \
+	&& sed -ri 's!^(#define CONFIG_DEFAULT_PROTECTED_MODE) 1$!\1 0!' /usr/src/redis/src/server.h \
+	&& grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 0$' /usr/src/redis/src/server.h \
+# for future reference, we modify this directly in the source instead of just supplying a default configuration flag because apparently "if you specify any argument to redis-server, [it assumes] you are going to specify everything"
+# see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
+# (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
+	\
 	&& make -C /usr/src/redis \
 	&& make -C /usr/src/redis install \
+	\
 	&& rm -r /usr/src/redis \
+	\
 	&& apt-get purge -y --auto-remove $buildDeps
 
 RUN mkdir /data && chown redis:redis /data

3.2/alpine/Dockerfile

@@ -11,21 +11,37 @@ ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-3.2.3.tar.gz
 ENV REDIS_DOWNLOAD_SHA1 92d6d93ef2efc91e595c8bf578bf72baff397507
 
 # for redis-sentinel see: http://redis.io/topics/sentinel
-RUN set -x \
+RUN set -ex \
+	\
 	&& apk add --no-cache --virtual .build-deps \
 		gcc \
 		linux-headers \
 		make \
 		musl-dev \
 		tar \
+	\
 	&& wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL" \
 	&& echo "$REDIS_DOWNLOAD_SHA1 *redis.tar.gz" | sha1sum -c - \
 	&& mkdir -p /usr/src/redis \
 	&& tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1 \
 	&& rm redis.tar.gz \
+	\
+# Disable Redis protected mode [1] as it is unnecessary in context
+# of Docker. Ports are not automatically exposed when running inside
+# Docker, but rather explicitely by specifying -p / -P.
+# [1] https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
+	&& grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 1$' /usr/src/redis/src/server.h \
+	&& sed -ri 's!^(#define CONFIG_DEFAULT_PROTECTED_MODE) 1$!\1 0!' /usr/src/redis/src/server.h \
+	&& grep -q '^#define CONFIG_DEFAULT_PROTECTED_MODE 0$' /usr/src/redis/src/server.h \
+# for future reference, we modify this directly in the source instead of just supplying a default configuration flag because apparently "if you specify any argument to redis-server, [it assumes] you are going to specify everything"
+# see also https://github.com/docker-library/redis/issues/4#issuecomment-50780840
+# (more exactly, this makes sure the default behavior of "save on SIGTERM" stays functional by default)
+	\
 	&& make -C /usr/src/redis \
 	&& make -C /usr/src/redis install \
+	\
 	&& rm -r /usr/src/redis \
+	\
 	&& apk del .build-deps
 
 RUN mkdir /data && chown redis:redis /data

3.2/alpine/docker-entrypoint.sh

@@ -13,32 +13,4 @@ if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 	exec su-exec redis "$0" "$@"
 fi
 
-if [ "$1" = 'redis-server' ]; then
-	# Disable Redis protected mode [1] as it is unnecessary in context
-	# of Docker. Ports are not automatically exposed when running inside
-	# Docker, but rather explicitely by specifying -p / -P.
-	# [1] https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
-	doProtectedMode=1
-	configFile=
-	if [ -f "$2" ]; then
-		configFile="$2"
-		if grep -q '^protected-mode' "$configFile"; then
-			# if a config file is supplied and explicitly specifies "protected-mode", let it win
-			doProtectedMode=
-		fi
-	fi
-	if [ "$doProtectedMode" ]; then
-		shift # "redis-server"
-		if [ "$configFile" ]; then
-			shift
-		fi
-		set -- --protected-mode no "$@"
-		if [ "$configFile" ]; then
-			set -- "$configFile" "$@"
-		fi
-		set -- redis-server "$@" # redis-server [config file] --protected-mode no [other options]
-		# if this is supplied again, the "latest" wins, so "--protected-mode no --protected-mode yes" will result in an enabled status
-	fi
-fi
-
 exec "$@"

3.2/docker-entrypoint.sh

@@ -13,32 +13,4 @@ if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 	exec gosu redis "$0" "$@"
 fi
 
-if [ "$1" = 'redis-server' ]; then
-	# Disable Redis protected mode [1] as it is unnecessary in context
-	# of Docker. Ports are not automatically exposed when running inside
-	# Docker, but rather explicitely by specifying -p / -P.
-	# [1] https://github.com/antirez/redis/commit/edd4d555df57dc84265fdfb4ef59a4678832f6da
-	doProtectedMode=1
-	configFile=
-	if [ -f "$2" ]; then
-		configFile="$2"
-		if grep -q '^protected-mode' "$configFile"; then
-			# if a config file is supplied and explicitly specifies "protected-mode", let it win
-			doProtectedMode=
-		fi
-	fi
-	if [ "$doProtectedMode" ]; then
-		shift # "redis-server"
-		if [ "$configFile" ]; then
-			shift
-		fi
-		set -- --protected-mode no "$@"
-		if [ "$configFile" ]; then
-			set -- "$configFile" "$@"
-		fi
-		set -- redis-server "$@" # redis-server [config file] --protected-mode no [other options]
-		# if this is supplied again, the "latest" wins, so "--protected-mode no --protected-mode yes" will result in an enabled status
-	fi
-fi
-
 exec "$@"