From a2332047665e50434ce15e93badf069827f10655 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 10 Sep 2019 20:23:34 -0300
Subject: [PATCH 1/4] redis

---
 Dockerfile | 15 +++++++++++++++
 monit.conf | 4 ++++
 2 files changed, 19 insertions(+)
 create mode 100644 monit.conf

diff --git a/Dockerfile b/Dockerfile
index 59c5898..3669a88 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,17 @@
 FROM sutty/monit:latest
 MAINTAINER "f "
+
+RUN apk add --no-cache redis su-exec
+
+COPY ./monit.conf /etc/monit.d/redis.conf
+
+RUN sed -re "/^bind /d" -i /etc/redis.conf
+RUN sed -re "/^protected-mode /d" -i /etc/redis.conf
+RUN sed -re "/^logfile /d" -i /etc/redis.conf
+RUN sed -re "s/^# (syslog-enabled).*/\1 yes/" -i /etc/redis.conf
+RUN sed -re "s/^(appendonly).*/\1 yes/" -i /etc/redis.conf
+RUN echo "pidfile /run/redis/redis.pid" >> /etc/redis.conf
+RUN echo "daemonize yes" >> /etc/redis.conf
+
+EXPOSE 6379
+VOLUME "/var/lib/redis"
diff --git a/monit.conf b/monit.conf
new file mode 100644
index 0000000..8779722
--- /dev/null
+++ b/monit.conf
@@ -0,0 +1,4 @@
+check process redis with pidfile /run/redis/redis.pid
+ start program = "/sbin/su-exec redis /usr/bin/redis-server /etc/redis.conf"
+ stop program = "/usr/bin/redis-cli shutdown"
+ if failed port 6379 protocol redis 3 times within 5 cycles then restart

From f3620e7c490e3aaea6a6d1e538eca271f3b4ff73 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 17 Sep 2019 21:58:31 -0300
Subject: [PATCH 2/4] disable protected mode

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 3669a88..3dadfa0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ RUN sed -re "s/^# (syslog-enabled).*/\1 yes/" -i /etc/redis.conf
 RUN sed -re "s/^(appendonly).*/\1 yes/" -i /etc/redis.conf
 RUN echo "pidfile /run/redis/redis.pid" >> /etc/redis.conf
 RUN echo "daemonize yes" >> /etc/redis.conf
+RUN echo "protected-mode no" >> /etc/redis.conf
 
 EXPOSE 6379
 VOLUME "/var/lib/redis"
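Review bot: The two `sed` deletions of `bind` and `protected-mode` in the [PATCH 1/4] Dockerfile hunk leave both settings to whatever the packaged Redis defaults to, while `EXPOSE 6379` advertises the port and nothing in the hunk sets `requirepass`. With no `bind` line Redis normally listens on every interface, so the only remaining guard is the built-in protected-mode default, and `apk add --no-cache redis` is unpinned, so that default is not fixed by this file. I would state the intent explicitly instead of deleting the line, e.g. `RUN echo "protected-mode yes" >> /etc/redis.conf`, with a comment naming which peers are expected to connect.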
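Review bot: Appending `protected-mode no` in [PATCH 2/4] removes the last access control on this Redis: the `bind` line was already deleted, port 6379 is exposed, and no `requirepass` or ACL is configured in the visible Dockerfile lines, so any host that can reach the container's port can read and write the dataset and issue administrative commands. If other containers need access, keep protected mode off only together with authentication supplied at runtime (not baked into an image layer), or restrict `bind` to the specific interface. A comment such as `# protected-mode off: reachable only from <network>, auth via <mechanism>` should record the assumption being relied on. The hunk shows only the tail of the Dockerfile.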
From 4c5861f9b8391ca615a2d8e5e9d6e2a217716e0d Mon Sep 17 00:00:00 2001
From: f
Date: Mon, 11 May 2020 12:09:13 -0300
Subject: [PATCH 3/4] eviction policy and maxmemory we're low on resources so 50MB is the most we can give it
---
 Dockerfile | 4 +++-
 monit.conf | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3dadfa0..ca7e8a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM sutty/monit:latest
 MAINTAINER "f "
 
-RUN apk add --no-cache redis su-exec
+RUN apk add --no-cache redis
 
 COPY ./monit.conf /etc/monit.d/redis.conf
 
@@ -13,6 +13,8 @@ RUN sed -re "s/^(appendonly).*/\1 yes/" -i /etc/redis.conf
 RUN echo "pidfile /run/redis/redis.pid" >> /etc/redis.conf
 RUN echo "daemonize yes" >> /etc/redis.conf
 RUN echo "protected-mode no" >> /etc/redis.conf
+RUN echo "maxmemory-policy allkeys-lfu" >> /etc/redis.conf
+RUN echo "maxmemory 50mb" >> /etc/redis.conf
 
 EXPOSE 6379
 VOLUME "/var/lib/redis"
diff --git a/monit.conf b/monit.conf
index 8779722..a2a8fd1 100644
--- a/monit.conf
+++ b/monit.conf
@@ -1,4 +1,4 @@
 check process redis with pidfile /run/redis/redis.pid
- start program = "/sbin/su-exec redis /usr/bin/redis-server /etc/redis.conf"
+ start program = "/usr/bin/redis-server /etc/redis.conf" as uid "redis" and gid "redis"
  stop program = "/usr/bin/redis-cli shutdown"
  if failed port 6379 protocol redis 3 times within 5 cycles then restart

From cdedfc1ab1e9f55880a9944d0ba3e96d37e4de7a Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 17 Nov 2020 14:58:36 -0300
Subject: [PATCH 4/4] rspamd

---
 Dockerfile | 47 ++++++++++++++++++++++++++++++++++++++++++++---
 local.conf | 1 +
 local_addrs.sh | 8 ++++++++
 rspamd.conf | 8 ++++++++
 4 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 local.conf
 create mode 100755 local_addrs.sh
 create mode 100644 rspamd.conf

diff --git a/Dockerfile b/Dockerfile
index ca7e8a8..bcf6055 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,8 +13,49 @@ RUN sed -re "s/^(appendonly).*/\1 yes/" -i /etc/redis.conf
 RUN echo "pidfile /run/redis/redis.pid" >> /etc/redis.conf
 RUN echo "daemonize yes" >> /etc/redis.conf
 RUN echo "protected-mode no" >> /etc/redis.conf
-RUN echo "maxmemory-policy allkeys-lfu" >> /etc/redis.conf
 RUN echo "maxmemory 50mb" >> /etc/redis.conf
+RUN echo "maxmemory-policy volatile-ttl" >> /etc/redis.conf
+RUN echo "bind 127.0.0.1 ::1" >> /etc/redis.conf
+RUN sed -re "s/^(dir).*/\1 \/var\/lib\/rspamd-redis/" -i /etc/redis.conf
 
-EXPOSE 6379
-VOLUME "/var/lib/redis"
+RUN apk add --no-cache rspamd rspamd-client rspamd-proxy rspamd-controller
+RUN install -dm 755 /etc/rspamd/local.d
+RUN install -dm 750 -o rspamd -g rspamd /var/lib/rspamd
+RUN install -dm 750 -o redis -g redis /var/lib/rspamd-redis
+
+# TODO: Deprecate OpenDKIM
+RUN echo "enabled = false;" >> /etc/rspamd/local.d/dkim_signing.conf
+
+# Redis
+RUN echo "write_servers = \"localhost\";" >> /etc/rspamd/local.d/redis.conf
+RUN echo "read_servers = \"localhost\";" >> /etc/rspamd/local.d/redis.conf
+
+# Workers
+RUN echo "bind_socket = \"*:11332\";" >> /etc/rspamd/local.d/worker-proxy.inc
+RUN echo "bind_socket = \"*:11333\";" >> /etc/rspamd/local.d/worker-normal.inc
+RUN echo "bind_socket = \"*:11334\";" >> /etc/rspamd/local.d/worker-controller.inc
+# We don't really care about the password...
+RUN echo "password = \"`rspamadm pw -p '12345678'`\";" >> /etc/rspamd/local.d/worker-controller.inc
+
+# Options
+# Rspamd doesn't seem to write a pid file and upstream not really
+# helpful about it: https://github.com/rspamd/rspamd/issues/3096
+# RUN echo "pid_file = \"/tmp/rspamd.pid\";" >> /etc/rspamd/local.d/options.inc
+RUN echo "local_addrs = \"/etc/rspamd/local.d/maps.d/local_addrs\";" >> /etc/rspamd/local.d/options.inc
+
+# Logging
+RUN echo "type = \"syslog\";" >> /etc/rspamd/local.d/logging.inc
+RUN echo "facility = \"daemon\";" >> /etc/rspamd/local.d/logging.inc
+
+# Learn spam
+RUN echo "servers = \"localhost\";" >> /etc/rspamd/local.d/classifier-bayes.conf
+RUN echo "autolearn = [-5,5];" >> /etc/rspamd/local.d/classifier-bayes.conf
+
+COPY ./local_addrs.sh /usr/local/bin/local_addrs
+COPY ./rspamd.conf /etc/monit.d/rspamd.conf
+
+EXPOSE 11332
+EXPOSE 11333
+EXPOSE 11334
+VOLUME "/var/lib/rspamd-redis"
+VOLUME "/var/lib/rspamd"
diff --git a/local.conf b/local.conf
new file mode 100644
index 0000000..aac8fc1
--- /dev/null
+++ b/local.conf
@@ -0,0 +1 @@
+bind_socket = "*:11333";
diff --git a/local_addrs.sh b/local_addrs.sh
new file mode 100755
index 0000000..2aec2d7
--- /dev/null
+++ b/local_addrs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+local_addrs="/etc/rspamd/local.d/maps.d/local_addrs"
+
+test -f "${local_addrs}" && exit
+
+ip -4 route | cut -d " " -f 1 | grep -v default >> "${local_addrs}"
+ip -6 route | cut -d " " -f 1 | grep -v default >> "${local_addrs}"
diff --git a/rspamd.conf b/rspamd.conf
new file mode 100644
index 0000000..24cfa50
--- /dev/null
+++ b/rspamd.conf
@@ -0,0 +1,8 @@
+check process rspamd with matching "rspamd: main"
+ start program = "/usr/sbin/rspamd" as uid "rspamd" and gid "rspamd"
+ stop program = "/usr/bin/killall rspamd"
+
+check program local_addrs
+ with path "/usr/local/bin/local_addrs"
+ every 1 cycle
+ if status = 0 then unmonitor
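Review bot: The controller worker in the [PATCH 4/4] Dockerfile hunk is bound to `*:11334`, exposed, and protected by the fixed password `12345678` whose hash is generated at build time, so every image built from this file accepts the same known credential on all interfaces. As far as I know rspamd also uses `password` for privileged controller commands when no `enable_password` is set, so this likely grants learning and configuration actions rather than read-only statistics. Either keep the controller on loopback with `RUN echo "bind_socket = \"localhost:11334\";" >> /etc/rspamd/local.d/worker-controller.inc` and drop `EXPOSE 11334`, or write the hash into `worker-controller.inc` at container start from a runtime secret. The comment `# We don't really care about the password...` should then say which network boundary is being relied on.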
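Review bot: In `local_addrs.sh` the map is built from every non-default entry in the routing table, so each network the container happens to be attached to is declared local to rspamd, which as far as I know relaxes some checks for senders listed in `local_addrs`; with the workers bound to `*` that extends trust to whatever shares those networks. An explicit, reviewed list of prefixes would be safer than deriving it at runtime. Separately, the Dockerfile hunk creates only `/etc/rspamd/local.d`, so unless the package ships `maps.d` the `>>` redirections fail and the map is never written; `mkdir -p "$(dirname "${local_addrs}")"` before the first `ip` call would cover that.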