Merge 39d2b726af into 10a57990e2

.github/workflows/push.yml

@@ -23,7 +23,7 @@ jobs:
       packages: read
       statuses: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           # Full git history is needed to get a proper
           # list of changed files within `super-linter`
@@ -42,7 +42,6 @@ jobs:
           VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_GITLEAKS: false
           VALIDATE_JSCPD: false
-          VALIDATE_PYTHON_PYLINT: false
           VALIDATE_TRIVY: false
           FILTER_REGEX_EXCLUDE: (.*/)?(LICENSE|configuration/.*)
           EDITORCONFIG_FILE_NAME: .editorconfig-checker.json
@@ -74,7 +73,7 @@ jobs:
     steps:
       - id: git-checkout
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - id: buildx-setup
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/release.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - id: source-checkout
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
         with:
           ref: ${{ matrix.build.branch }}
       - id: set-netbox-docker-version

Dockerfile

@@ -27,7 +27,7 @@ ARG NETBOX_PATH
 COPY ${NETBOX_PATH}/requirements.txt requirements-container.txt /
 ENV VIRTUAL_ENV=/opt/netbox/venv
 RUN \
-    # Gunicorn is not needed because we use Granian
+    # Gunicorn is not needed because we use Nginx Unit
     sed -i -e '/gunicorn/d' /requirements.txt && \
     # We need 'social-auth-core[all]' in the Docker image. But if we put it in our own requirements-container.txt
     # we have potential version conflicts and the build will fail.
@@ -46,6 +46,8 @@ RUN \
 ARG FROM
 FROM ${FROM} AS main
 
+COPY docker/unit.list /etc/apt/sources.list.d/unit.list
+ADD --chmod=444 --chown=0:0 https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg
 RUN export DEBIAN_FRONTEND=noninteractive \
     && apt-get update -qq \
     && apt-get upgrade \
@@ -62,6 +64,8 @@ RUN export DEBIAN_FRONTEND=noninteractive \
       openssl \
       python3 \
       tini \
+      unit-python3.12=1.34.2-1~noble \
+      unit=1.34.2-1~noble \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy the modified 'requirements*.txt' files, to have the files actually used during installation
@@ -77,21 +81,21 @@ COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
 COPY docker/docker-entrypoint.sh /opt/netbox/docker-entrypoint.sh
 COPY docker/launch-netbox.sh /opt/netbox/launch-netbox.sh
 COPY configuration/ /etc/netbox/config/
-COPY docker/granian.py /opt/netbox/netbox/netbox/granian.py
+COPY docker/nginx-unit.json /etc/unit/
 COPY VERSION /opt/netbox/VERSION
 
 WORKDIR /opt/netbox/netbox
 
 # Must set permissions for '/opt/netbox/netbox/media' directory
 # to g+w so that pictures can be uploaded to netbox.
-RUN useradd --home-dir /opt/netbox/ --no-create-home --no-user-group --system --shell /bin/false --uid 999 --gid 0 netbox \
+RUN mkdir -p static media /opt/unit/state/ /opt/unit/tmp/ \
-    && mkdir -p static media local \
+      && chown -R unit:root /opt/unit/ media reports scripts \
-    && chown -R netbox:root media reports scripts \
+      && chmod -R g+w /opt/unit/ media reports scripts \
-    && chmod -R g+w media reports scripts \
+      && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
-    && cd /opt/netbox/ && SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python -m mkdocs build \
+          --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
-        --config-file /opt/netbox/mkdocs.yml --site-dir /opt/netbox/netbox/project-static/docs/ \
+      && DEBUG="true" SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input \
-    && DEBUG="true" SECRET_KEY="dummyKeyWithMinimumLength-------------------------" /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py collectstatic --no-input \
+      && mkdir /opt/netbox/netbox/local \
-    && echo "build: Docker-$(cat /opt/netbox/VERSION)" > /opt/netbox/netbox/local/release.yaml
+      && echo "build: Docker-$(cat /opt/netbox/VERSION)" > /opt/netbox/netbox/local/release.yaml
 
 ENV LANG=C.utf8 PATH=/opt/netbox/venv/bin:$PATH VIRTUAL_ENV=/opt/netbox/venv UV_NO_CACHE=1
 ENTRYPOINT [ "/usr/bin/tini", "--" ]

VERSION

@@ -1 +1 @@
-3.4.2
+3.4.1

docker-compose.override.yml.example

@@ -2,6 +2,9 @@ services:
   netbox:
     ports:
       - "8000:8080"
+    # If you want the Nginx unit status page visible from the
+    # outside of the container add the following port mapping:
+    # - "8001:8081"
     # healthcheck:
       # Time for which the health check can fail after the container is started.
       # This depends mostly on the performance of your database. On the first start,
@@ -29,5 +32,4 @@ services:
 #   okta_openidconnect_secret:
 #     file: ./secrets/okta_secret.txt
 #   google_oauth2_secret:
-#     file: ./secrets/google_secret.txt
+#     file: ./secrets/google_secret.txt
-

docker-compose.test.yml

@@ -9,7 +9,7 @@ services:
       redis-cache:
         condition: service_healthy
     env_file: env/netbox.env
-    user: "netbox:root"
+    user: "unit:root"
     volumes:
       - ./test-configuration/test_config.py:/etc/netbox/config/test_config.py:z,ro
     healthcheck:
@@ -30,7 +30,7 @@ services:
       interval: 15s
 
   postgres:
-    image: docker.io/postgres:18-alpine
+    image: docker.io/postgres:17-alpine
     env_file: env/postgres.env
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER ## $$ because of docker-compose
@@ -40,7 +40,7 @@ services:
       retries: 5
 
   redis: &redis
-    image: docker.io/valkey/valkey:9.0-alpine
+    image: docker.io/valkey/valkey:8.1-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env

docker-compose.yml

@@ -6,7 +6,7 @@ services:
       - redis
       - redis-cache
     env_file: env/netbox.env
-    user: "netbox:root"
+    user: "unit:root"
     healthcheck:
       test: curl -f http://localhost:8080/login/ || exit 1
       start_period: 90s
@@ -34,7 +34,7 @@ services:
 
   # postgres
   postgres:
-    image: docker.io/postgres:18-alpine
+    image: docker.io/postgres:17-alpine
     healthcheck:
       test: pg_isready -q -t 2 -d $$POSTGRES_DB -U $$POSTGRES_USER
       start_period: 20s
@@ -47,7 +47,7 @@ services:
 
   # redis
   redis:
-    image: docker.io/valkey/valkey:9.0-alpine
+    image: docker.io/valkey/valkey:8.1-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env
@@ -62,7 +62,7 @@ services:
     volumes:
       - netbox-redis-data:/data
   redis-cache:
-    image: docker.io/valkey/valkey:9.0-alpine
+    image: docker.io/valkey/valkey:8.1-alpine
     command:
       - sh
       - -c # this is to evaluate the $REDIS_PASSWORD from the env

docker/granian.py

@@ -1,13 +0,0 @@
-from granian.utils.proxies import wrap_wsgi_with_proxy_headers
-from netbox.wsgi import application
-
-application = wrap_wsgi_with_proxy_headers(
-    application,
-    trusted_hosts=[
-        "10.0.0.0/8",
-        "172.16.0.0/12",
-        "192.168.0.0/16",
-        "fc00::/7",
-        "fe80::/10",
-    ],
-)

docker/launch-netbox.sh

@@ -1,20 +1,57 @@
 #!/bin/bash
 
-exec granian \
+UNIT_CONFIG="${UNIT_CONFIG-/etc/unit/nginx-unit.json}"
-  --host "::" \
+# Also used in "nginx-unit.json"
-  --port "8080" \
+UNIT_SOCKET="/opt/unit/unit.sock"
-  --interface "wsgi" \
+
-  --no-ws \
+load_configuration() {
-  --workers "${GRANIAN_WORKERS:-4}" \
+  MAX_WAIT=10
-  --respawn-failed-workers \
+  WAIT_COUNT=0
-  --backpressure "${GRANIAN_BACKPRESSURE:-${GRANIAN_WORKERS:-4}}" \
+  while [ ! -S $UNIT_SOCKET ]; do
-  --loop "uvloop" \
+    if [ $WAIT_COUNT -ge $MAX_WAIT ]; then
-  --log \
+      echo "⚠️ No control socket found; configuration will not be loaded."
-  --log-level "info" \
+      return 1
-  --access-log \
+    fi
-  --working-dir "/opt/netbox/netbox/" \
+
-  --static-path-route "/static" \
+    WAIT_COUNT=$((WAIT_COUNT + 1))
-  --static-path-mount "/opt/netbox/netbox/static/" \
+    echo "⏳ Waiting for control socket to be created... (${WAIT_COUNT}/${MAX_WAIT})"
-  --pid-file "/tmp/granian.pid" \
+
-  "${GRANIAN_EXTRA_ARGS[@]}" \
+    sleep 1
-  "netbox.granian:application"
+  done
+
+  # even when the control socket exists, it does not mean unit has finished initialisation
+  # this curl call will get a reply once unit is fully launched
+  curl --silent --output /dev/null --request GET --unix-socket $UNIT_SOCKET http://localhost/
+
+  echo "⚙️ Applying configuration from $UNIT_CONFIG"
+
+  RESP_CODE=$(
+    curl \
+      --silent \
+      --output /dev/null \
+      --write-out '%{http_code}' \
+      --request PUT \
+      --data-binary "@${UNIT_CONFIG}" \
+      --unix-socket $UNIT_SOCKET \
+      http://localhost/config
+  )
+  if [ "$RESP_CODE" != "200" ]; then
+    echo "⚠️ Could not load Unit configuration"
+    kill "$(cat /opt/unit/unit.pid)"
+    return 1
+  fi
+
+  echo "✅ Unit configuration loaded successfully"
+}
+
+load_configuration &
+
+exec unitd \
+  --no-daemon \
+  --control unix:$UNIT_SOCKET \
+  --pid /opt/unit/unit.pid \
+  --log /dev/stdout \
+  --statedir /opt/unit/state/ \
+  --tmpdir /opt/unit/tmp/ \
+  --user unit \
+  --group root

docker/nginx-unit.json

@@ -0,0 +1,82 @@
+{
+  "listeners": {
+    "0.0.0.0:8080": {
+      "pass": "routes/main",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      }
+    },
+    "0.0.0.0:8081": {
+      "pass": "routes/status",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      }
+    },
+    "[::]:8080": {
+      "pass": "routes/main",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["fc00::/7", "fe80::/10"]
+      }
+    },
+    "[::]:8081": {
+      "pass": "routes/status",
+      "forwarded": {
+        "client_ip": "X-Forwarded-For",
+        "protocol": "X-Forwarded-Proto",
+        "source": ["fc00::/7", "fe80::/10"]
+      }
+    }
+  },
+  "routes": {
+    "main": [
+      {
+        "match": {
+          "uri": "/static/*"
+        },
+        "action": {
+          "share": "/opt/netbox/netbox${uri}"
+        }
+      },
+      {
+        "action": {
+          "pass": "applications/netbox"
+        }
+      }
+    ],
+    "status": [
+      {
+        "match": {
+          "uri": "/status/*"
+        },
+        "action": {
+          "proxy": "http://unix:/opt/unit/unit.sock"
+        }
+      }
+    ]
+  },
+  "applications": {
+    "netbox": {
+      "type": "python 3",
+      "path": "/opt/netbox/netbox/",
+      "module": "netbox.wsgi",
+      "home": "/opt/netbox/venv",
+      "processes": {
+        "max": 4,
+        "spare": 1,
+        "idle_timeout": 120
+      }
+    }
+  },
+  "access_log": "/dev/stdout",
+  "settings": {
+    "http": {
+      "max_body_size": 104857600
+    }
+  }
+}

docker/unit.list

@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] http://packages.nginx.org/unit/ubuntu/ noble unit

env/netbox.env

@@ -15,8 +15,6 @@ EMAIL_USERNAME=netbox
 # EMAIL_USE_SSL and EMAIL_USE_TLS are mutually exclusive, i.e. they can't both be `true`!
 EMAIL_USE_SSL=false
 EMAIL_USE_TLS=false
-GRANIAN_BACKPRESSURE=4
-GRANIAN_WORKERS=4
 GRAPHQL_ENABLED=true
 MEDIA_ROOT=/opt/netbox/netbox/media
 METRICS_ENABLED=false

requirements-container.txt

@@ -1,7 +1,6 @@
 django-auth-ldap==5.2.0
-dulwich==0.24.10
+dulwich==0.24.7
-granian[uvloop]==2.6.0
 python3-saml==1.16.0
 --no-binary lxml
 --no-binary xmlsec
-sentry-sdk[django]==2.47.0
+sentry-sdk[django]==2.42.1