now with generated secret, and can bind mount in the params and vcl

fedora-varnish/Dockerfile

@@ -1,9 +1,9 @@
 FROM fedora
 
-RUN yum install -y --setopt=override_install_langs=en --setopt=tsflags=nodocs varnish /usr/lib/rpm/redhat/redhat-hardened-cc1 && rm -rf /var/cache/yum
+RUN yum install -y --setopt=override_install_langs=en --setopt=tsflags=nodocs varnish redhat-rpm-config && rm -rf /var/cache/yum
-ADD run.sh /srv/run.sh
+ADD . /srv/
 
-VOLUME ["/etc/varnish","/var/lib/varnish"]
+VOLUME ["/var/lib/varnish"]
 
 EXPOSE 6081 6082
 CMD ["/srv/run.sh"]

fedora-varnish/default.vcl

@@ -0,0 +1,124 @@
+# This is a basic VCL configuration file for varnish.  See the vcl(7)
+# man page for details on VCL syntax and semantics.
+# 
+# Default backend definition.  Set this to point to your content
+# server.
+# 
+backend default {
+  .host = "127.0.0.1";
+  .port = "80";
+}
+# 
+# Below is a commented-out copy of the default VCL logic.  If you
+# redefine any of these subroutines, the built-in logic will be
+# appended to your code.
+# sub vcl_recv {
+#     if (req.restarts == 0) {
+# 	if (req.http.x-forwarded-for) {
+# 	    set req.http.X-Forwarded-For =
+# 		req.http.X-Forwarded-For + ", " + client.ip;
+# 	} else {
+# 	    set req.http.X-Forwarded-For = client.ip;
+# 	}
+#     }
+#     if (req.request != "GET" &&
+#       req.request != "HEAD" &&
+#       req.request != "PUT" &&
+#       req.request != "POST" &&
+#       req.request != "TRACE" &&
+#       req.request != "OPTIONS" &&
+#       req.request != "DELETE") {
+#         /* Non-RFC2616 or CONNECT which is weird. */
+#         return (pipe);
+#     }
+#     if (req.request != "GET" && req.request != "HEAD") {
+#         /* We only deal with GET and HEAD by default */
+#         return (pass);
+#     }
+#     if (req.http.Authorization || req.http.Cookie) {
+#         /* Not cacheable by default */
+#         return (pass);
+#     }
+#     return (lookup);
+# }
+# 
+# sub vcl_pipe {
+#     # Note that only the first request to the backend will have
+#     # X-Forwarded-For set.  If you use X-Forwarded-For and want to
+#     # have it set for all requests, make sure to have:
+#     # set bereq.http.connection = "close";
+#     # here.  It is not set by default as it might break some broken web
+#     # applications, like IIS with NTLM authentication.
+#     return (pipe);
+# }
+# 
+# sub vcl_pass {
+#     return (pass);
+# }
+# 
+# sub vcl_hash {
+#     hash_data(req.url);
+#     if (req.http.host) {
+#         hash_data(req.http.host);
+#     } else {
+#         hash_data(server.ip);
+#     }
+#     return (hash);
+# }
+# 
+# sub vcl_hit {
+#     return (deliver);
+# }
+# 
+# sub vcl_miss {
+#     return (fetch);
+# }
+# 
+# sub vcl_fetch {
+#     if (beresp.ttl <= 0s ||
+#         beresp.http.Set-Cookie ||
+#         beresp.http.Vary == "*") {
+# 		/*
+# 		 * Mark as "Hit-For-Pass" for the next 2 minutes
+# 		 */
+# 		set beresp.ttl = 120 s;
+# 		return (hit_for_pass);
+#     }
+#     return (deliver);
+# }
+# 
+# sub vcl_deliver {
+#     return (deliver);
+# }
+# 
+# sub vcl_error {
+#     set obj.http.Content-Type = "text/html; charset=utf-8";
+#     set obj.http.Retry-After = "5";
+#     synthetic {"
+# <?xml version="1.0" encoding="utf-8"?>
+# <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+#  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+# <html>
+#   <head>
+#     <title>"} + obj.status + " " + obj.response + {"</title>
+#   </head>
+#   <body>
+#     <h1>Error "} + obj.status + " " + obj.response + {"</h1>
+#     <p>"} + obj.response + {"</p>
+#     <h3>Guru Meditation:</h3>
+#     <p>XID: "} + req.xid + {"</p>
+#     <hr>
+#     <p>Varnish cache server</p>
+#   </body>
+# </html>
+# "};
+#     return (deliver);
+# }
+# 
+# sub vcl_init {
+# 	return (ok);
+# }
+# 
+# sub vcl_fini {
+# 	return (ok);
+# }

fedora-varnish/run.sh

@@ -2,7 +2,13 @@
 
 set -e
 
-source /etc/varnish/varnish.params
+source /srv/varnish.params
+
+if [ ! -f ${VARNISH_SECRET_FILE} ] ; then
+	mkdir -p $(dirname ${VARNISH_SECRET_FILE})
+	uuidgen > ${VARNISH_SECRET_FILE}
+	echo "Generataed a new ${VARNISH_SECRET_FILE}"
+fi
 
 /usr/sbin/varnishd \
 	-F \

fedora-varnish/varnish.params

@@ -0,0 +1,39 @@
+# Varnish environment configuration description. This was derived from
+# the old style sysconfig/defaults settings
+
+# Set this to 1 to make systemd reload try to switch vcl without restart.
+RELOAD_VCL=1
+
+# Main configuration file. You probably want to change it.
+VARNISH_VCL_CONF=/srv/default.vcl
+
+# Default address and port to bind to. Blank address means all IPv4
+# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
+# quad, or an IPv6 address in brackets.
+# VARNISH_LISTEN_ADDRESS=192.168.1.5
+VARNISH_LISTEN_PORT=6081
+
+# Admin interface listen address and port
+VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
+VARNISH_ADMIN_LISTEN_PORT=6082
+
+# Shared secret file for admin interface
+VARNISH_SECRET_FILE=/srv/secret
+
+# The minimum and maximum number of worker threads to start
+VARNISH_MIN_THREADS=5
+VARNISH_MAX_THREADS=1000
+
+# Idle timeout for worker threads
+VARNISH_THREAD_TIMEOUT=120
+
+# Backend storage specification, see Storage Types in the varnishd(5)
+# man page for details.
+VARNISH_STORAGE="file,/var/lib/varnish/varnish_storage.bin,1G"
+
+# Default TTL used when the backend does not specify one
+VARNISH_TTL=120
+
+# User and group for the varnishd worker processes
+VARNISH_USER=varnish
+VARNISH_GROUP=varnish