静态编译nginx
2021-06-21 本文已影响0人
止境_af83
背景
为了便于离线安装nginx,不依赖任何第三方库
难点
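官方的nginx在用glibc构建时依赖 Name Service Switch(NSS):getpwnam、getgrnam、gethostbyname、getaddrinfo、initgroups 等函数都要经过NSS。NSS允许系统管理员重新配置系统,改用外部源来获取通常从 /etc/passwd、/etc/shadow、/etc/hosts、/etc/group、/etc/resolv.conf 等查询的内容。由于glibc在运行时才动态加载NSS模块,调用了这些函数的程序不能编译成完全静态的可执行文件。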
解决方法
去掉NSS功能。缺点是不能以root权限运行(以root启动时会直接报错退出);另外从下面的补丁可以看到,配置中的主机名也不再解析,只能写IP地址。
需要打补丁:
diff --git a/src/core/nginx.c b/src/core/nginx.c
index 3213527..f61aed7 100644
--- a/src/core/nginx.c
+++ b/src/core/nginx.c
@@ -1030,29 +1030,10 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
#if !(NGX_WIN32)
if (ccf->user == (uid_t) NGX_CONF_UNSET_UINT && geteuid() == 0) {
- struct group *grp;
- struct passwd *pwd;
-
- ngx_set_errno(0);
- pwd = getpwnam(NGX_USER);
- if (pwd == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "getpwnam(\"" NGX_USER "\") failed");
- return NGX_CONF_ERROR;
- }
-
- ccf->username = NGX_USER;
- ccf->user = pwd->pw_uid;
-
- ngx_set_errno(0);
- grp = getgrnam(NGX_GROUP);
- if (grp == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "getgrnam(\"" NGX_GROUP "\") failed");
- return NGX_CONF_ERROR;
- }
-
- ccf->group = grp->gr_gid;
+ ngx_set_errno(ENOSYS);
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "getpwnam(\"" NGX_USER "\") disabled for static build");
+ return NGX_CONF_ERROR;
}
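Review bot: The added `return NGX_CONF_ERROR;` in the `geteuid() == 0` branch, together with the unconditional error in ngx_set_user, is now the only thing that keeps a root-started master from reaching the worker's privilege drop, and nothing in the code says so. That matters because this patch deletes the `initgroups()` call in src/os/unix/ngx_process_cycle.c, so the drop no longer resets supplementary groups. I would add a comment above the new lines such as `/* static build: no NSS lookups; refuse to start as root because workers can no longer call initgroups() */`. As defence in depth, the deleted call could be replaced by `if (setgroups(0, NULL) == -1) { ... exit(2); }`, which needs no NSS lookup, so that a later change relaxing this check does not leave workers holding root's supplementary groups. ngx_core_module_init_conf continues outside the hunk.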
@@ -1122,9 +1103,6 @@ ngx_set_user(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
ngx_core_conf_t *ccf = conf;
- char *group;
- struct passwd *pwd;
- struct group *grp;
ngx_str_t *value;
if (ccf->user != (uid_t) NGX_CONF_UNSET_UINT) {
@@ -1143,29 +1121,10 @@ ngx_set_user(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
ccf->username = (char *) value[1].data;
- ngx_set_errno(0);
- pwd = getpwnam((const char *) value[1].data);
- if (pwd == NULL) {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
- "getpwnam(\"%s\") failed", value[1].data);
- return NGX_CONF_ERROR;
- }
-
- ccf->user = pwd->pw_uid;
-
- group = (char *) ((cf->args->nelts == 2) ? value[1].data : value[2].data);
-
- ngx_set_errno(0);
- grp = getgrnam(group);
- if (grp == NULL) {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
- "getgrnam(\"%s\") failed", group);
- return NGX_CONF_ERROR;
- }
-
- ccf->group = grp->gr_gid;
-
- return NGX_CONF_OK;
+ ngx_set_errno(ENOSYS);
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
+ "getpwnam(\"%s\") disabled for static build", value[1].data);
+ return NGX_CONF_ERROR;
#endif
}
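Review bot: The new error text `getpwnam(\"%s\") disabled for static build` names a libc call rather than the directive the operator wrote, and it is also what gets reported for the group lookup that was removed alongside it; the message added in ngx_core_module_init_conf has the same problem. Something like `"the \"user\" directive is not supported in this static build, start nginx as an unprivileged user"` tells the operator what to change. The assignment `ccf->username = (char *) value[1].data;` just above is now a dead store, since the function always returns NGX_CONF_ERROR from this point, and could be dropped. The start of ngx_set_user is outside the hunk, so whether a non-root run still returns earlier cannot be confirmed from here.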
diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
index 96a04fd..4ab2f7f 100644
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -1111,95 +1111,9 @@
}
-#if (NGX_HAVE_GETADDRINFO && NGX_HAVE_INET6)
-
-ngx_int_t
-ngx_inet_resolve_host(ngx_pool_t *pool, ngx_url_t *u)
-{
- u_char *host;
- ngx_uint_t n;
- struct addrinfo hints, *res, *rp;
-
- host = ngx_alloc(u->host.len + 1, pool->log);
- if (host == NULL) {
- return NGX_ERROR;
- }
-
- (void) ngx_cpystrn(host, u->host.data, u->host.len + 1);
-
- ngx_memzero(&hints, sizeof(struct addrinfo));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
-#ifdef AI_ADDRCONFIG
- hints.ai_flags = AI_ADDRCONFIG;
-#endif
-
- if (getaddrinfo((char *) host, NULL, &hints, &res) != 0) {
- u->err = "host not found";
- ngx_free(host);
- return NGX_ERROR;
- }
-
- ngx_free(host);
-
- for (n = 0, rp = res; rp != NULL; rp = rp->ai_next) {
-
- switch (rp->ai_family) {
-
- case AF_INET:
- case AF_INET6:
- break;
-
- default:
- continue;
- }
-
- n++;
- }
-
- if (n == 0) {
- u->err = "host not found";
- goto failed;
- }
-
- /* MP: ngx_shared_palloc() */
-
- for (rp = res; rp != NULL; rp = rp->ai_next) {
-
- switch (rp->ai_family) {
-
- case AF_INET:
- case AF_INET6:
- break;
-
- default:
- continue;
- }
-
- if (ngx_inet_add_addr(pool, u, rp->ai_addr, rp->ai_addrlen, n)
- != NGX_OK)
- {
- goto failed;
- }
- }
-
- freeaddrinfo(res);
- return NGX_OK;
-
-failed:
-
- freeaddrinfo(res);
- return NGX_ERROR;
-}
-
-#else /* !NGX_HAVE_GETADDRINFO || !NGX_HAVE_INET6 */
-
ngx_int_t
ngx_inet_resolve_host(ngx_pool_t *pool, ngx_url_t *u)
{
- u_char *host;
- ngx_uint_t i, n;
- struct hostent *h;
struct sockaddr_in sin;
/* AF_INET only */
@@ -1210,37 +1124,8 @@
sin.sin_addr.s_addr = ngx_inet_addr(u->host.data, u->host.len);
if (sin.sin_addr.s_addr == INADDR_NONE) {
- host = ngx_alloc(u->host.len + 1, pool->log);
- if (host == NULL) {
- return NGX_ERROR;
- }
-
- (void) ngx_cpystrn(host, u->host.data, u->host.len + 1);
-
- h = gethostbyname((char *) host);
-
- ngx_free(host);
-
- if (h == NULL || h->h_addr_list[0] == NULL) {
- u->err = "host not found";
- return NGX_ERROR;
- }
-
- for (n = 0; h->h_addr_list[n] != NULL; n++) { /* void */ }
-
- /* MP: ngx_shared_palloc() */
-
- for (i = 0; i < n; i++) {
- sin.sin_addr.s_addr = *(in_addr_t *) (h->h_addr_list[i]);
-
- if (ngx_inet_add_addr(pool, u, (struct sockaddr *) &sin,
- sizeof(struct sockaddr_in), n)
- != NGX_OK)
- {
- return NGX_ERROR;
- }
- }
-
+ u->err = "gethostbyname disabled for static build";
+ return NGX_ERROR;
} else {
/* MP: ngx_shared_palloc() */
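Review bot: With the lookup removed, every host that `ngx_inet_addr()` cannot parse as an IPv4 literal is rejected, so a name such as `localhost` passed to ngx_inet_resolve_host now fails even though it needs no DNS, and the message `gethostbyname disabled for static build` does not tell the operator that. I would word it as `u->err = "host names are not resolved in this static build, use an IP address";` and add a comment above it noting that both /etc/hosts and DNS lookups are bypassed on this path. The function begins before this hunk and its else branch continues past it.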
@@ -1256,8 +1141,6 @@
return NGX_OK;
}
-#endif /* NGX_HAVE_GETADDRINFO && NGX_HAVE_INET6 */
-
static ngx_int_t
ngx_inet_add_addr(ngx_pool_t *pool, ngx_url_t *u, struct sockaddr *sockaddr,
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 5817a2c..8262993 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -833,12 +833,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
exit(2);
}
- if (initgroups(ccf->username, ccf->group) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "initgroups(%s, %d) failed",
- ccf->username, ccf->group);
- }
-
#if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
if (ccf->transparent && ccf->user) {
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
参考: https://github.com/ericpruitt/static-glibc-nginx
依赖musl库
musl 从头开始设计用于静态链接,功能和效率跟glibc一样,宗旨:“一次编写到处运行”