Merge 1815408e73 into 07fcb205b4

* Switch server to Granian

Because the development of Nginx Unit has been stopped, switch the server
to Granian which still allows to serve the Python application and the
static files from one server.

* Addressed review comments

* Update docker/launch-netbox.sh

Co-authored-by: Christian Mäder <cimnine@users.noreply.github.com>

* Update docker/launch-netbox.sh

Co-authored-by: Christian Mäder <cimnine@users.noreply.github.com>

---------

Co-authored-by: Christian Mäder <cimnine@users.noreply.github.com>

.github/workflows/push.yml

@@ -42,6 +42,7 @@ jobs:
           VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_GITLEAKS: false
           VALIDATE_JSCPD: false
+          VALIDATE_PYTHON_PYLINT: false
           VALIDATE_TRIVY: false
           FILTER_REGEX_EXCLUDE: (.*/)?(LICENSE|configuration/.*)
           EDITORCONFIG_FILE_NAME: .editorconfig-checker.json

Dockerfile

@@ -27,7 +27,7 @@ ARG NETBOX_PATH
 COPY ${NETBOX_PATH}/requirements.txt requirements-container.txt /
 ENV VIRTUAL_ENV=/opt/netbox/venv
 RUN \
-    # Gunicorn is not needed because we use Nginx Unit
+    # Gunicorn is not needed because we use Granian
     sed -i -e '/gunicorn/d' /requirements.txt && \
     # We need 'social-auth-core[all]' in the Docker image. But if we put it in our own requirements-container.txt
     # we have potential version conflicts and the build will fail.
@@ -46,8 +46,6 @@ RUN \
 ARG FROM
 FROM ${FROM} AS main
 
-COPY docker/unit.list /etc/apt/sources.list.d/unit.list
-ADD --chmod=444 --chown=0:0 https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg
 RUN export DEBIAN_FRONTEND=noninteractive \
     && apt-get update -qq \
     && apt-get upgrade \
@@ -64,8 +62,6 @@ RUN export DEBIAN_FRONTEND=noninteractive \
       openssl \
       python3 \
       tini \
-      unit-python3.12=1.34.2-1~noble \
-      unit=1.34.2-1~noble \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy the modified 'requirements*.txt' files, to have the files actually used during installation
@@ -81,21 +77,21 @@ COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY docker/docker-entrypoint.sh /opt/netbox/docker-entrypoint.sh
 COPY docker/launch-netbox.sh /opt/netbox/launch-netbox.sh
 COPY configuration/ /etc/netbox/config/
-COPY docker/nginx-unit.json /etc/unit/
+COPY docker/granian.py /opt/netbox/netbox/netbox/granian.py
 COPY VERSION /opt/netbox/VERSION
 
 WORKDIR /opt/netbox/netbox
 
 # Must set permissions for '/opt/netbox/netbox/media' directory
 # to g+w so that pictures can be uploaded to netbox.
-RUN mkdir -p static media /opt/unit/state/ /opt/unit/tmp/ \
-      && chown -R unit:root /opt/unit/ media reports scripts \
-      && chmod -R g+w /opt/unit/ media reports scripts \
-      && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
-          --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
-      && DEBUG="true" SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input \
-      && mkdir /opt/netbox/netbox/local \
-      && echo "build: Docker-$(cat /opt/netbox/VERSION)" > /opt/netbox/netbox/local/release.yaml
+RUN useradd --home-dir /opt/netbox/ --no-create-home --no-user-group --system --shell /bin/false --uid 999 --gid 0 netbox \
+    && mkdir -p static media local \
+    && chown -R netbox:root media reports scripts \
+    && chmod -R g+w media reports scripts \
+    && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
+        --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
+    && DEBUG="true" SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input \
+    && echo "build: Docker-$(cat /opt/netbox/VERSION)" > /opt/netbox/netbox/local/release.yaml
 
 ENV LANG=C.utf8 PATH=/opt/netbox/venv/bin:$PATH VIRTUAL_ENV=/opt/netbox/venv UV_NO_CACHE=1
 ENTRYPOINT [ "/usr/bin/tini", "--" ]

VERSION

@@ -1 +1 @@
-3.4.1
+3.4.2

build.sh

@@ -104,6 +104,9 @@ GH_ACTION   If defined, special 'echo' statements are enabled that set the
 
 CHECK_ONLY  Only checks if the build is needed and sets the GH Action output.
             ${_GREEN}Default:${_CLEAR} undefined
+            
+NO_CACHE    Disables Docker Build Cache.
+            ${_GREEN}Default:${_CLEAR} undefined
 
 ${_BOLD}Examples:${_CLEAR}
 
@@ -409,7 +412,9 @@ fi
 if [ -n "${NO_PROXY}" ]; then
   DOCKER_BUILD_ARGS+=(--build-arg "no_proxy=${NO_PROXY}")
 fi
-
+if [ -n "${NO_CACHE}" ]; then
+  DOCKER_BUILD_ARGS+=(--no-cache)
+fi
 DOCKER_BUILD_ARGS+=(--platform "${BUILDX_PLATFORM-linux/amd64}")
 if [ "${2}" == "--push" ]; then
   # output type=docker does not work with pushing

docker-compose.override.yml.example

@@ -2,9 +2,6 @@ services:
   netbox:
     ports:
       - "8000:8080"
-    # If you want the Nginx unit status page visible from the
-    # outside of the container add the following port mapping:
-    # - "8001:8081"
     # healthcheck:
       # Time for which the health check can fail after the container is started.
       # This depends mostly on the performance of your database. On the first start,
@@ -19,4 +16,3 @@ services:
       # SUPERUSER_EMAIL: ""
       # SUPERUSER_NAME: ""
       # SUPERUSER_PASSWORD: ""
-

docker-compose.test.yml

@@ -9,7 +9,7 @@ services:
       redis-cache:
         condition: service_healthy
     env_file: env/netbox.env
-    user: "unit:root"
+    user: "netbox:root"
     volumes:
       - ./test-configuration/test_config.py:/etc/netbox/config/test_config.py:z,ro
     healthcheck:
@@ -30,7 +30,7 @@ services:
       interval: 15s
 
   postgres:
-    image: docker.io/postgres:17-alpine
+    image: docker.io/postgres:18-alpine
     env_file: env/postgres.env
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER ## $$ because of docker-compose
@@ -40,7 +40,7 @@ services:
       retries: 5
 
   redis: &redis
-    image: docker.io/valkey/valkey:8.1-alpine
+    image: docker.io/valkey/valkey:9.0-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env

docker-compose.yml

@@ -6,7 +6,7 @@ services:
       - redis
       - redis-cache
     env_file: env/netbox.env
-    user: "unit:root"
+    user: "netbox:root"
     healthcheck:
       test: curl -f http://localhost:8080/login/ || exit 1
       start_period: 90s
@@ -34,7 +34,7 @@ services:
 
   # postgres
   postgres:
-    image: docker.io/postgres:17-alpine
+    image: docker.io/postgres:18-alpine
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER
       start_period: 20s
@@ -47,7 +47,7 @@ services:
 
   # redis
   redis:
-    image: docker.io/valkey/valkey:8.1-alpine
+    image: docker.io/valkey/valkey:9.0-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env
@@ -62,7 +62,7 @@ services:
     volumes:
       - netbox-redis-data:/data
   redis-cache:
-    image: docker.io/valkey/valkey:8.1-alpine
+    image: docker.io/valkey/valkey:9.0-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env

docker/granian.py

@@ -0,0 +1,13 @@
+from granian.utils.proxies import wrap_wsgi_with_proxy_headers
+from netbox.wsgi import application
+
+application = wrap_wsgi_with_proxy_headers(
+    application,
+    trusted_hosts=[
+        "10.0.0.0/8",
+        "172.16.0.0/12",
+        "192.168.0.0/16",
+        "fc00::/7",
+        "fe80::/10",
+    ],
+)

docker/launch-netbox.sh

@@ -1,57 +1,20 @@
 #!/bin/bash
 
-UNIT_CONFIG="${UNIT_CONFIG-/etc/unit/nginx-unit.json}"
-# Also used in "nginx-unit.json"
-UNIT_SOCKET="/opt/unit/unit.sock"
-
-load_configuration() {
-  MAX_WAIT=10
-  WAIT_COUNT=0
-  while [ ! -S $UNIT_SOCKET ]; do
-    if [ $WAIT_COUNT -ge $MAX_WAIT ]; then
-      echo "⚠️ No control socket found; configuration will not be loaded."
-      return 1
-    fi
-
-    WAIT_COUNT=$((WAIT_COUNT + 1))
-    echo "⏳ Waiting for control socket to be created... (${WAIT_COUNT}/${MAX_WAIT})"
-
-    sleep 1
-  done
-
-  # even when the control socket exists, it does not mean unit has finished initialisation
-  # this curl call will get a reply once unit is fully launched
-  curl --silent --output /dev/null --request GET --unix-socket $UNIT_SOCKET http://localhost/
-
-  echo "⚙️ Applying configuration from $UNIT_CONFIG"
-
-  RESP_CODE=$(
-    curl \
-      --silent \
-      --output /dev/null \
-      --write-out '%{http_code}' \
-      --request PUT \
-      --data-binary "@${UNIT_CONFIG}" \
-      --unix-socket $UNIT_SOCKET \
-      http://localhost/config
-  )
-  if [ "$RESP_CODE" != "200" ]; then
-    echo "⚠️ Could not load Unit configuration"
-    kill "$(cat /opt/unit/unit.pid)"
-    return 1
-  fi
-
-  echo "✅ Unit configuration loaded successfully"
-}
-
-load_configuration &
-
-exec unitd \
-  --no-daemon \
-  --control unix:$UNIT_SOCKET \
-  --pid /opt/unit/unit.pid \
-  --log /dev/stdout \
-  --statedir /opt/unit/state/ \
-  --tmpdir /opt/unit/tmp/ \
-  --user unit \
-  --group root
+exec granian \
+  --host "::" \
+  --port "8080" \
+  --interface "wsgi" \
+  --no-ws \
+  --workers "${GRANIAN_WORKERS:-4}" \
+  --respawn-failed-workers \
+  --backpressure "${GRANIAN_BACKPRESSURE:-${GRANIAN_WORKERS:-4}}" \
+  --loop "uvloop" \
+  --log \
+  --log-level "info" \
+  --access-log \
+  --working-dir "/opt/netbox/netbox/" \
+  --static-path-route "/static" \
+  --static-path-mount "/opt/netbox/netbox/static/" \
+  --pid-file "/tmp/granian.pid" \
+  "${GRANIAN_EXTRA_ARGS[@]}" \
+  "netbox.granian:application"

docker/nginx-unit.json

@@ -1,82 +0,0 @@
-{
-  "listeners": {
-    "0.0.0.0:8080": {
-      "pass": "routes/main",
-      "forwarded": {
-        "client_ip": "X-Forwarded-For",
-        "protocol": "X-Forwarded-Proto",
-        "source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-      }
-    },
-    "0.0.0.0:8081": {
-      "pass": "routes/status",
-      "forwarded": {
-        "client_ip": "X-Forwarded-For",
-        "protocol": "X-Forwarded-Proto",
-        "source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-      }
-    },
-    "[::]:8080": {
-      "pass": "routes/main",
-      "forwarded": {
-        "client_ip": "X-Forwarded-For",
-        "protocol": "X-Forwarded-Proto",
-        "source": ["fc00::/7", "fe80::/10"]
-      }
-    },
-    "[::]:8081": {
-      "pass": "routes/status",
-      "forwarded": {
-        "client_ip": "X-Forwarded-For",
-        "protocol": "X-Forwarded-Proto",
-        "source": ["fc00::/7", "fe80::/10"]
-      }
-    }
-  },
-  "routes": {
-    "main": [
-      {
-        "match": {
-          "uri": "/static/*"
-        },
-        "action": {
-          "share": "/opt/netbox/netbox${uri}"
-        }
-      },
-      {
-        "action": {
-          "pass": "applications/netbox"
-        }
-      }
-    ],
-    "status": [
-      {
-        "match": {
-          "uri": "/status/*"
-        },
-        "action": {
-          "proxy": "http://unix:/opt/unit/unit.sock"
-        }
-      }
-    ]
-  },
-  "applications": {
-    "netbox": {
-      "type": "python 3",
-      "path": "/opt/netbox/netbox/",
-      "module": "netbox.wsgi",
-      "home": "/opt/netbox/venv",
-      "processes": {
-        "max": 4,
-        "spare": 1,
-        "idle_timeout": 120
-      }
-    }
-  },
-  "access_log": "/dev/stdout",
-  "settings": {
-    "http": {
-      "max_body_size": 104857600
-    }
-  }
-}

docker/unit.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] http://packages.nginx.org/unit/ubuntu/ noble unit

env/netbox.env

@@ -15,6 +15,8 @@ EMAIL_USERNAME=netbox
 # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
 EMAIL_USE_SSL=false
 EMAIL_USE_TLS=false
+GRANIAN_BACKPRESSURE=4
+GRANIAN_WORKERS=4
 GRAPHQL_ENABLED=true
 MEDIA_ROOT=/opt/netbox/netbox/media
 METRICS_ENABLED=false

requirements-container.txt

@@ -1,6 +1,7 @@
 django-auth-ldap==5.2.0
-dulwich==0.24.6
+dulwich==0.24.10
+granian[uvloop]==2.5.7
 python3-saml==1.16.0
 --no-binary lxml
 --no-binary xmlsec
-sentry-sdk[django]==2.42.1
+sentry-sdk[django]==2.44.0