.github/workflows/push.yml

@@ -23,27 +23,23 @@ jobs:
       packages: read
       statuses: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper
           # list of changed files within `super-linter`
           fetch-depth: 0
       - name: Lint Code Base
-        uses: super-linter/super-linter@v8
+        uses: super-linter/super-linter@v7
         env:
           DEFAULT_BRANCH: develop
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SUPPRESS_POSSUM: true
           LINTER_RULES_PATH: /
           VALIDATE_ALL_CODEBASE: false
-          VALIDATE_BIOME_FORMAT: false
           VALIDATE_CHECKOV: false
           VALIDATE_DOCKERFILE: false
-          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_GITLEAKS: false
           VALIDATE_JSCPD: false
-          VALIDATE_PYTHON_PYLINT: false
-          VALIDATE_TRIVY: false
           FILTER_REGEX_EXCLUDE: (.*/)?(LICENSE|configuration/.*)
           EDITORCONFIG_FILE_NAME: .editorconfig-checker.json
           DOCKERFILE_HADOLINT_FILE_NAME: .hadolint.yaml
@@ -74,7 +70,7 @@ jobs:
     steps:
       - id: git-checkout
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - id: buildx-setup
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/release.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - id: source-checkout
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ matrix.build.branch }}
       - id: set-netbox-docker-version

Dockerfile

@@ -1,7 +1,7 @@
 ARG FROM
 FROM ${FROM} AS builder
 
-COPY --from=ghcr.io/astral-sh/uv:0.9 /uv /usr/local/bin/
+COPY --from=ghcr.io/astral-sh/uv:0.7 /uv /usr/local/bin/
 RUN export DEBIAN_FRONTEND=noninteractive \
     && apt-get update -qq \
     && apt-get upgrade \
@@ -27,7 +27,7 @@ ARG NETBOX_PATH
 COPY ${NETBOX_PATH}/requirements.txt requirements-container.txt /
 ENV VIRTUAL_ENV=/opt/netbox/venv
 RUN \
-    # Gunicorn is not needed because we use Granian
+    # Gunicorn is not needed because we use Nginx Unit
     sed -i -e '/gunicorn/d' /requirements.txt && \
     # We need 'social-auth-core[all]' in the Docker image. But if we put it in our own requirements-container.txt
     # we have potential version conflicts and the build will fail.
@@ -46,6 +46,8 @@ RUN \
 ARG FROM
 FROM ${FROM} AS main
 
+COPY docker/unit.list /etc/apt/sources.list.d/unit.list
+ADD --chmod=444 --chown=0:0 https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg
 RUN export DEBIAN_FRONTEND=noninteractive \
     && apt-get update -qq \
     && apt-get upgrade \
@@ -62,6 +64,8 @@ RUN export DEBIAN_FRONTEND=noninteractive \
       openssl \
       python3 \
       tini \
+      unit-python3.12=1.34.2-1~noble \
+      unit=1.34.2-1~noble \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy the modified 'requirements*.txt' files, to have the files actually used during installation
@@ -75,22 +79,23 @@ COPY ${NETBOX_PATH} /opt/netbox
 COPY docker/configuration.docker.py /opt/netbox/netbox/netbox/configuration.py
 COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY docker/docker-entrypoint.sh /opt/netbox/docker-entrypoint.sh
+COPY docker/housekeeping.sh /opt/netbox/housekeeping.sh
 COPY docker/launch-netbox.sh /opt/netbox/launch-netbox.sh
 COPY configuration/ /etc/netbox/config/
-COPY docker/granian.py /opt/netbox/netbox/netbox/granian.py
+COPY docker/nginx-unit.json /etc/unit/
 COPY VERSION /opt/netbox/VERSION
 
 WORKDIR /opt/netbox/netbox
 
 # Must set permissions for '/opt/netbox/netbox/media' directory
 # to g+w so that pictures can be uploaded to netbox.
-RUN useradd --home-dir /opt/netbox/ --no-create-home --no-user-group --system --shell /bin/false --uid 999 --gid 0 netbox \
-    && mkdir -p static media local \
-    && chown -R netbox:root media reports scripts \
-    && chmod -R g+w media reports scripts \
+RUN mkdir -p static /opt/unit/state/ /opt/unit/tmp/ \
+      && chown -R unit:root /opt/unit/ media reports scripts \
+      && chmod -R g+w /opt/unit/ media reports scripts \
       && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
           --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
       && DEBUG="true" SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input \
+      && mkdir /opt/netbox/netbox/local \
       && echo "build: Docker-$(cat /opt/netbox/VERSION)" > /opt/netbox/netbox/local/release.yaml
 
 ENV LANG=C.utf8 PATH=/opt/netbox/venv/bin:$PATH VIRTUAL_ENV=/opt/netbox/venv UV_NO_CACHE=1

README.md

@@ -39,9 +39,12 @@ There is a more complete [_Getting Started_ guide on our wiki][wiki-getting-star
 ```bash
 git clone -b release https://github.com/netbox-community/netbox-docker.git
 cd netbox-docker
-# Copy the example override file
-cp docker-compose.override.yml.example docker-compose.override.yml
-# Read and edit the file to your liking
+tee docker-compose.override.yml <<EOF
+services:
+  netbox:
+    ports:
+      - 8000:8080
+EOF
 docker compose pull
 docker compose up
 ```

VERSION

@@ -1 +1 @@
-3.4.2
+3.3.0

build.sh

@@ -62,7 +62,7 @@ DOCKERFILE  The name of Dockerfile to use.
 DOCKER_FROM The base image to use.
             ${_GREEN}Default:${_CLEAR} 'ubuntu:24.04'
 
-BUILDX_PLATFORM
+BUILDX_PLATFORMS
             Specifies the platform(s) to build the image for.
             ${_CYAN}Example:${_CLEAR} 'linux/amd64,linux/arm64'
             ${_GREEN}Default:${_CLEAR} 'linux/amd64'
@@ -223,7 +223,7 @@ fi
 ###
 # Variables for labelling the docker image
 ###
-BUILD_DATE="$(date -u '+%Y-%m-%dT%H:%M:%S+00:00')"
+BUILD_DATE="$(date -u '+%Y-%m-%dT%H:%M+00:00')"
 
 if [ -d ".git" ] && [ -z "${SKIP_GIT}" ]; then
   GIT_REF="$(git rev-parse HEAD)"

configuration/configuration.py

@@ -64,8 +64,7 @@ if '*' not in ALLOWED_HOSTS and 'localhost' not in ALLOWED_HOSTS:
 
 # PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
 #   https://docs.djangoproject.com/en/stable/ref/settings/#databases
-DATABASES = {
-    'default': {
+DATABASE = {
     'NAME': environ.get('DB_NAME', 'netbox'),       # Database name
     'USER': environ.get('DB_USER', ''),             # PostgreSQL username
     'PASSWORD': _read_secret('db_password', environ.get('DB_PASSWORD', '')),
@@ -78,7 +77,6 @@ DATABASES = {
                                                     # Max database connection age
     'DISABLE_SERVER_SIDE_CURSORS': _environ_get_and_map('DB_DISABLE_SERVER_SIDE_CURSORS', 'False', _AS_BOOL),
                                                     # Disable the use of server-side cursors transaction pooling
-    }
 }
 
 # Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
@@ -116,11 +114,6 @@ REDIS = {
 # https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
 SECRET_KEY = _read_secret('secret_key', environ.get('SECRET_KEY', ''))
 
-API_TOKEN_PEPPERS = {}
-if api_token_pepper := _read_secret('api_token_pepper_1', environ.get('API_TOKEN_PEPPER_1', '')):
-    API_TOKEN_PEPPERS.update({1: api_token_pepper})
-
-
 
 #########################
 #                       #

configuration/ldap/ldap_config.py

@@ -109,6 +109,3 @@ AUTH_LDAP_USER_ATTR_MAP = {
     "last_name": environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
     "email": environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
 }
-
-# Update user object with the latest values from the LDAP directory every time the user logs in.
-AUTH_LDAP_ALWAYS_UPDATE_USER = environ.get('AUTH_LDAP_ALWAYS_UPDATE_USER', 'True').lower() == 'true'

docker-compose.override.yml.example

@@ -2,6 +2,9 @@ services:
   netbox:
     ports:
       - "8000:8080"
+    # If you want the Nginx unit status page visible from the
+    # outside of the container add the following port mapping:
+    # - "8001:8081"
     # healthcheck:
       # Time for which the health check can fail after the container is started.
       # This depends mostly on the performance of your database. On the first start,
@@ -30,4 +33,3 @@ services:
 #     file: ./secrets/okta_secret.txt
 #   google_oauth2_secret:
 #     file: ./secrets/google_secret.txt
-

docker-compose.test.yml

@@ -9,7 +9,7 @@ services:
       redis-cache:
         condition: service_healthy
     env_file: env/netbox.env
-    user: "netbox:root"
+    user: "unit:root"
     volumes:
       - ./test-configuration/test_config.py:/etc/netbox/config/test_config.py:z,ro
     healthcheck:
@@ -28,9 +28,18 @@ services:
       start_period: 40s
       timeout: 3s
       interval: 15s
+  netbox-housekeeping:
+    <<: *netbox
+    command:
+      - /opt/netbox/housekeeping.sh
+    healthcheck:
+      test: ps -aux | grep -v grep | grep -q housekeeping || exit 1
+      start_period: 40s
+      timeout: 3s
+      interval: 15s
 
   postgres:
-    image: docker.io/postgres:18-alpine
+    image: docker.io/postgres:17-alpine
     env_file: env/postgres.env
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER ## $$ because of docker-compose
@@ -40,7 +49,7 @@ services:
       retries: 5
 
   redis: &redis
-    image: docker.io/valkey/valkey:9.0-alpine
+    image: docker.io/valkey/valkey:8.1-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env

docker-compose.yml

@@ -1,12 +1,12 @@
 services:
   netbox: &netbox
-    image: docker.io/netboxcommunity/netbox:${VERSION-v4.4-3.4.1}
+    image: docker.io/netboxcommunity/netbox:${VERSION-v4.3-3.3.0}
     depends_on:
       - postgres
       - redis
       - redis-cache
     env_file: env/netbox.env
-    user: "netbox:root"
+    user: "unit:root"
     healthcheck:
       test: curl -f http://localhost:8080/login/ || exit 1
       start_period: 90s
@@ -31,10 +31,22 @@ services:
       start_period: 20s
       timeout: 3s
       interval: 15s
+  netbox-housekeeping:
+    <<: *netbox
+    depends_on:
+      netbox:
+        condition: service_healthy
+    command:
+      - /opt/netbox/housekeeping.sh
+    healthcheck:
+      test: ps -aux | grep -v grep | grep -q housekeeping || exit 1
+      start_period: 20s
+      timeout: 3s
+      interval: 15s
 
   # postgres
   postgres:
-    image: docker.io/postgres:18-alpine
+    image: docker.io/postgres:17-alpine
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER
       start_period: 20s
@@ -47,7 +59,7 @@ services:
 
   # redis
   redis:
-    image: docker.io/valkey/valkey:9.0-alpine
+    image: docker.io/valkey/valkey:8.1-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env
@@ -62,7 +74,7 @@ services:
     volumes:
       - netbox-redis-data:/data
   redis-cache:
-    image: docker.io/valkey/valkey:9.0-alpine
+    image: docker.io/valkey/valkey:8.1-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env

docker/granian.py

@@ -1,13 +0,0 @@
-from granian.utils.proxies import wrap_wsgi_with_proxy_headers
-from netbox.wsgi import application
-
-application = wrap_wsgi_with_proxy_headers(
-    application,
-    trusted_hosts=[
-        "10.0.0.0/8",
-        "172.16.0.0/12",
-        "192.168.0.0/16",
-        "fc00::/7",
-        "fe80::/10",
-    ],
-)

docker/housekeeping.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+SLEEP_SECONDS=${HOUSEKEEPING_INTERVAL:=86400}
+echo "Interval set to ${SLEEP_SECONDS} seconds"
+while true; do
+  date
+  /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py housekeeping
+  sleep "${SLEEP_SECONDS}s"
+done

docker/launch-netbox.sh

@@ -1,20 +1,57 @@
 #!/bin/bash
 
-exec granian \
-  --host "::" \
-  --port "8080" \
-  --interface "wsgi" \
-  --no-ws \
-  --workers "${GRANIAN_WORKERS:-4}" \
-  --respawn-failed-workers \
-  --backpressure "${GRANIAN_BACKPRESSURE:-${GRANIAN_WORKERS:-4}}" \
-  --loop "uvloop" \
-  --log \
-  --log-level "info" \
-  --access-log \
-  --working-dir "/opt/netbox/netbox/" \
-  --static-path-route "/static" \
-  --static-path-mount "/opt/netbox/netbox/static/" \
-  --pid-file "/tmp/granian.pid" \
-  "${GRANIAN_EXTRA_ARGS[@]}" \
-  "netbox.granian:application"
+UNIT_CONFIG="${UNIT_CONFIG-/etc/unit/nginx-unit.json}"
+# Also used in "nginx-unit.json"
+UNIT_SOCKET="/opt/unit/unit.sock"
+
+load_configuration() {
+  MAX_WAIT=10
+  WAIT_COUNT=0
+  while [ ! -S $UNIT_SOCKET ]; do
+    if [ $WAIT_COUNT -ge $MAX_WAIT ]; then
+      echo "⚠️ No control socket found; configuration will not be loaded."
+      return 1
+    fi
+
+    WAIT_COUNT=$((WAIT_COUNT + 1))
+    echo "⏳ Waiting for control socket to be created... (${WAIT_COUNT}/${MAX_WAIT})"
+
+    sleep 1
+  done
+
+  # even when the control socket exists, it does not mean unit has finished initialisation
+  # this curl call will get a reply once unit is fully launched
+  curl --silent --output /dev/null --request GET --unix-socket $UNIT_SOCKET http://localhost/
+
+  echo "⚙️ Applying configuration from $UNIT_CONFIG"
+
+  RESP_CODE=$(
+    curl \
+      --silent \
+      --output /dev/null \
+      --write-out '%{http_code}' \
+      --request PUT \
+      --data-binary "@${UNIT_CONFIG}" \
+      --unix-socket $UNIT_SOCKET \
+      http://localhost/config
+  )
+  if [ "$RESP_CODE" != "200" ]; then
+    echo "⚠️ Could no load Unit configuration"
+    kill "$(cat /opt/unit/unit.pid)"
+    return 1
+  fi
+
+  echo "✅ Unit configuration loaded successfully"
+}
+
+load_configuration &
+
+exec unitd \
+  --no-daemon \
+  --control unix:$UNIT_SOCKET \
+  --pid /opt/unit/unit.pid \
+  --log /dev/stdout \
+  --statedir /opt/unit/state/ \
+  --tmpdir /opt/unit/tmp/ \
+  --user unit \
+  --group root

docker/nginx-unit.json

@@ -0,0 +1,77 @@
+{
+  "listeners": {
+    "0.0.0.0:8080": {
+      "pass": "routes/main",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      }
+    },
+    "0.0.0.0:8081": {
+      "pass": "routes/status",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      }
+    },
+    "[::]:8080": {
+      "pass": "routes/main",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["fc00::/7", "fe80::/10"]
+      }
+    },
+    "[::]:8081": {
+      "pass": "routes/status",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["fc00::/7", "fe80::/10"]
+      }
+    }
+  },
+  "routes": {
+    "main": [
+      {
+        "match": {
+          "uri": "/static/*"
+        },
+        "action": {
+          "share": "/opt/netbox/netbox${uri}"
+        }
+      },
+      {
+        "action": {
+          "pass": "applications/netbox"
+        }
+      }
+    ],
+    "status": [
+      {
+        "match": {
+          "uri": "/status/*"
+        },
+        "action": {
+          "proxy": "http://unix:/opt/unit/unit.sock"
+        }
+      }
+    ]
+  },
+  "applications": {
+    "netbox": {
+      "type": "python 3",
+      "path": "/opt/netbox/netbox/",
+      "module": "netbox.wsgi",
+      "home": "/opt/netbox/venv",
+      "processes": {
+        "max": 4,
+        "spare": 1,
+        "idle_timeout": 120
+      }
+    }
+  },
+  "access_log": "/dev/stdout"
+}

docker/unit.list

@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] http://packages.nginx.org/unit/ubuntu/ noble unit

env/netbox.env

@@ -1,4 +1,3 @@
-API_TOKEN_PEPPER_1=Qy+F=OTeGskWQ(wTMgjc+NPPlz6YwFXY=KHIIg=wpYXT&e(6u8
 CORS_ORIGIN_ALLOW_ALL=True
 DB_HOST=postgres
 DB_NAME=netbox
@@ -15,9 +14,8 @@ EMAIL_USERNAME=netbox
 # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
 EMAIL_USE_SSL=false
 EMAIL_USE_TLS=false
-GRANIAN_BACKPRESSURE=4
-GRANIAN_WORKERS=4
 GRAPHQL_ENABLED=true
+HOUSEKEEPING_INTERVAL=86400
 MEDIA_ROOT=/opt/netbox/netbox/media
 METRICS_ENABLED=false
 REDIS_CACHE_DATABASE=1

requirements-container.txt

@@ -1,7 +1,6 @@
-django-auth-ldap==5.2.0
-dulwich==0.24.10
-granian[uvloop]==2.6.0
+django-auth-ldap==5.1.0
+dulwich==0.22.8
 python3-saml==1.16.0
 --no-binary lxml
 --no-binary xmlsec
-sentry-sdk[django]==2.47.0
+sentry-sdk[django]==2.27.0

test-configuration/test_config.py

@@ -10,7 +10,3 @@ PLUGINS = [
 ALLOW_TOKEN_RETRIEVAL = True
 
 DEFAULT_PERMISSIONS = {}
-
-API_TOKEN_PEPPERS = {
-    1: 'TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE-TEST-VALUE-DO-NOT-USE',
-}