From 478d4f5aeb40da4db00478747972f1b6d3772d02 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 17:08:56 +0800 Subject: [PATCH 01/15] feat: upgrade apisix-runtime to OpenResty 1.29.2.4 --- build-apisix-runtime.sh | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 92f340878..4d13baa8a 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -21,10 +21,13 @@ ld_opt=${ld_opt:-"-L$zlib_prefix/lib -L$pcre_prefix/lib -L$OPENSSL_PREFIX/lib -W # dependencies for building openresty OPENSSL_VERSION=${OPENSSL_VERSION:-"3.4.1"} -OPENRESTY_VERSION="1.27.1.2" -ngx_multi_upstream_module_ver="1.3.2" +OPENRESTY_VERSION=${OPENRESTY_VERSION:-"1.29.2.4"} +ngx_multi_upstream_module_ver="openresty-1.29.2-patches" +ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit-"0081acfacb2e79b7a5aa4f1f455316dd343e145f"} mod_dubbo_ver="1.0.2" -apisix_nginx_module_ver="1.19.4" +apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} +# TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. +apisix_nginx_module_commit=${apisix_nginx_module_commit-"36c6de78d74dd0f093e9a25910875762f6f56da6"} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" @@ -52,7 +55,7 @@ install_openssl_3(){ --with-zlib-lib=$zlib_prefix/lib \ --with-zlib-include=$zlib_prefix/include make -j $(nproc) LD_LIBRARY_PATH= CC="gcc" - sudo make install + sudo make install_sw install_ssldirs if [ -f "$OPENSSL_CONF_PATH" ]; then sudo cp "$OPENSSL_CONF_PATH" "$OPENSSL_PREFIX"/ssl/openssl.cnf fi @@ -88,12 +91,24 @@ else fi if [ "$repo" == ngx_multi_upstream_module ]; then + ngx_multi_upstream_module_cloned=0 cp -r "$prev_workdir" ./ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} else - git clone --depth=1 -b $ngx_multi_upstream_module_ver \ + ngx_multi_upstream_module_cloned=1 + ngx_multi_upstream_module_clone_ref="$ngx_multi_upstream_module_ver" + if [ -n "$ngx_multi_upstream_module_commit" ]; then + ngx_multi_upstream_module_clone_ref="master" + fi + git clone --depth=1 -b $ngx_multi_upstream_module_clone_ref \ https://github.com/api7/ngx_multi_upstream_module.git \ ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} fi +if [ -n "$ngx_multi_upstream_module_commit" ] && [ "$ngx_multi_upstream_module_cloned" = 1 ]; then + git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} fetch --depth=1 \ + origin "$ngx_multi_upstream_module_commit" + git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} checkout \ + "$ngx_multi_upstream_module_commit" +fi if [ "$repo" == mod_dubbo ]; then cp -r "$prev_workdir" ./mod_dubbo-${mod_dubbo_ver} @@ -104,12 +119,24 @@ else fi if [ "$repo" == apisix-nginx-module ]; then + apisix_nginx_module_cloned=0 cp -r "$prev_workdir" ./apisix-nginx-module-${apisix_nginx_module_ver} else - git clone --depth=1 -b $apisix_nginx_module_ver \ + apisix_nginx_module_cloned=1 + apisix_nginx_module_clone_ref="$apisix_nginx_module_ver" + if [ -n "$apisix_nginx_module_commit" ]; then + apisix_nginx_module_clone_ref="main" + fi + git clone --depth=1 -b $apisix_nginx_module_clone_ref \ https://github.com/api7/apisix-nginx-module.git \ apisix-nginx-module-${apisix_nginx_module_ver} fi +if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ]; then + git -C apisix-nginx-module-${apisix_nginx_module_ver} fetch --depth=1 \ + origin "$apisix_nginx_module_commit" + git -C apisix-nginx-module-${apisix_nginx_module_ver} checkout \ + "$apisix_nginx_module_commit" +fi if [ "$repo" == wasm-nginx-module ]; then cp -r "$prev_workdir" ./wasm-nginx-module-${wasm_nginx_module_ver} From 98b4b9061d83793033585448088315b472b230d6 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 17:54:24 +0800 Subject: [PATCH 02/15] chore: pin latest ngx_multi_upstream_module patch --- build-apisix-runtime.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 4d13baa8a..de0d0e372 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -23,7 +23,7 @@ ld_opt=${ld_opt:-"-L$zlib_prefix/lib -L$pcre_prefix/lib -L$OPENSSL_PREFIX/lib -W OPENSSL_VERSION=${OPENSSL_VERSION:-"3.4.1"} OPENRESTY_VERSION=${OPENRESTY_VERSION:-"1.29.2.4"} ngx_multi_upstream_module_ver="openresty-1.29.2-patches" -ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit-"0081acfacb2e79b7a5aa4f1f455316dd343e145f"} +ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit-"125e594a1a400165fa40d21288e4eea8952bbf89"} mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. From de59596292403088f60d495f8d5e1c77cd1047c0 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 18:00:17 +0800 Subject: [PATCH 03/15] fix: enforce pinned module commits for local sources --- build-apisix-runtime.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index de0d0e372..e0b7b4d88 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -108,6 +108,12 @@ if [ -n "$ngx_multi_upstream_module_commit" ] && [ "$ngx_multi_upstream_module_c origin "$ngx_multi_upstream_module_commit" git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} checkout \ "$ngx_multi_upstream_module_commit" +elif [ -n "$ngx_multi_upstream_module_commit" ]; then + current_commit=$(git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} rev-parse HEAD) + if [ "$current_commit" != "$ngx_multi_upstream_module_commit" ]; then + echo "ERROR: ngx_multi_upstream_module HEAD ($current_commit) does not match pinned commit ($ngx_multi_upstream_module_commit)" >&2 + exit 1 + fi fi if [ "$repo" == mod_dubbo ]; then @@ -136,6 +142,12 @@ if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ] origin "$apisix_nginx_module_commit" git -C apisix-nginx-module-${apisix_nginx_module_ver} checkout \ "$apisix_nginx_module_commit" +elif [ -n "$apisix_nginx_module_commit" ]; then + current_commit=$(git -C apisix-nginx-module-${apisix_nginx_module_ver} rev-parse HEAD) + if [ "$current_commit" != "$apisix_nginx_module_commit" ]; then + echo "ERROR: apisix-nginx-module HEAD ($current_commit) does not match pinned commit ($apisix_nginx_module_commit)" >&2 + exit 1 + fi fi if [ "$repo" == wasm-nginx-module ]; then From 329483741e7cc4d8b0010155f69f0e46a7a32605 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 18:02:20 +0800 Subject: [PATCH 04/15] fix: clone pinned modules from patch branches --- build-apisix-runtime.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index e0b7b4d88..9e05122ff 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -23,11 +23,11 @@ ld_opt=${ld_opt:-"-L$zlib_prefix/lib -L$pcre_prefix/lib -L$OPENSSL_PREFIX/lib -W OPENSSL_VERSION=${OPENSSL_VERSION:-"3.4.1"} OPENRESTY_VERSION=${OPENRESTY_VERSION:-"1.29.2.4"} ngx_multi_upstream_module_ver="openresty-1.29.2-patches" -ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit-"125e594a1a400165fa40d21288e4eea8952bbf89"} +ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a400165fa40d21288e4eea8952bbf89"} mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. -apisix_nginx_module_commit=${apisix_nginx_module_commit-"36c6de78d74dd0f093e9a25910875762f6f56da6"} +apisix_nginx_module_commit=${apisix_nginx_module_commit:-"36c6de78d74dd0f093e9a25910875762f6f56da6"} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" @@ -96,9 +96,6 @@ if [ "$repo" == ngx_multi_upstream_module ]; then else ngx_multi_upstream_module_cloned=1 ngx_multi_upstream_module_clone_ref="$ngx_multi_upstream_module_ver" - if [ -n "$ngx_multi_upstream_module_commit" ]; then - ngx_multi_upstream_module_clone_ref="master" - fi git clone --depth=1 -b $ngx_multi_upstream_module_clone_ref \ https://github.com/api7/ngx_multi_upstream_module.git \ ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} @@ -130,9 +127,6 @@ if [ "$repo" == apisix-nginx-module ]; then else apisix_nginx_module_cloned=1 apisix_nginx_module_clone_ref="$apisix_nginx_module_ver" - if [ -n "$apisix_nginx_module_commit" ]; then - apisix_nginx_module_clone_ref="main" - fi git clone --depth=1 -b $apisix_nginx_module_clone_ref \ https://github.com/api7/apisix-nginx-module.git \ apisix-nginx-module-${apisix_nginx_module_ver} From a276e7a85aa1408238fa2d2151074215e1e1db4f Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 18:08:20 +0800 Subject: [PATCH 05/15] fix: report invalid local module sources --- build-apisix-runtime.sh | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 9e05122ff..aeaee053d 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -66,6 +66,23 @@ install_openssl_3(){ cd .. } +verify_module_commit() { + local module_dir=$1 + local expected_commit=$2 + local current_commit + + if ! git -C "$module_dir" rev-parse --is-inside-work-tree > /dev/null 2>&1; then + echo "ERROR: $module_dir is not a git worktree; cannot verify pinned commit ($expected_commit)" >&2 + exit 1 + fi + + current_commit=$(git -C "$module_dir" rev-parse HEAD) + if [ "$current_commit" != "$expected_commit" ]; then + echo "ERROR: $module_dir HEAD ($current_commit) does not match pinned commit ($expected_commit)" >&2 + exit 1 + fi +} + if ([ $# -gt 0 ] && [ "$1" == "latest" ]) || [ "$runtime_version" == "0.0.0" ]; then debug_args="--with-debug" @@ -106,11 +123,8 @@ if [ -n "$ngx_multi_upstream_module_commit" ] && [ "$ngx_multi_upstream_module_c git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} checkout \ "$ngx_multi_upstream_module_commit" elif [ -n "$ngx_multi_upstream_module_commit" ]; then - current_commit=$(git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} rev-parse HEAD) - if [ "$current_commit" != "$ngx_multi_upstream_module_commit" ]; then - echo "ERROR: ngx_multi_upstream_module HEAD ($current_commit) does not match pinned commit ($ngx_multi_upstream_module_commit)" >&2 - exit 1 - fi + verify_module_commit "ngx_multi_upstream_module-${ngx_multi_upstream_module_ver}" \ + "$ngx_multi_upstream_module_commit" fi if [ "$repo" == mod_dubbo ]; then @@ -137,11 +151,8 @@ if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ] git -C apisix-nginx-module-${apisix_nginx_module_ver} checkout \ "$apisix_nginx_module_commit" elif [ -n "$apisix_nginx_module_commit" ]; then - current_commit=$(git -C apisix-nginx-module-${apisix_nginx_module_ver} rev-parse HEAD) - if [ "$current_commit" != "$apisix_nginx_module_commit" ]; then - echo "ERROR: apisix-nginx-module HEAD ($current_commit) does not match pinned commit ($apisix_nginx_module_commit)" >&2 - exit 1 - fi + verify_module_commit "apisix-nginx-module-${apisix_nginx_module_ver}" \ + "$apisix_nginx_module_commit" fi if [ "$repo" == wasm-nginx-module ]; then From fca6ee31fca62996ba6fe04165af02a02671ae68 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 18:20:45 +0800 Subject: [PATCH 06/15] fix: install C++ compiler for RPM packaging --- utils/install-common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/install-common.sh b/utils/install-common.sh index 9f4a2673a..6dabb71b6 100755 --- a/utils/install-common.sh +++ b/utils/install-common.sh @@ -19,10 +19,10 @@ install_apisix_dependencies_rpm() { install_dependencies_rpm() { # install basic dependencies if [[ $IMAGE_BASE == "registry.access.redhat.com/ubi9/ubi" ]]; then - yum install -y --disablerepo=* --enablerepo=ubi-9-appstream-rpms --enablerepo=ubi-9-baseos-rpms wget tar gcc automake autoconf libtool make git which unzip sudo + yum install -y --disablerepo=* --enablerepo=ubi-9-appstream-rpms --enablerepo=ubi-9-baseos-rpms wget tar gcc gcc-c++ automake autoconf libtool make git which unzip sudo yum install -y --disablerepo=* --enablerepo=ubi-9-appstream-rpms --enablerepo=ubi-9-baseos-rpms yum-utils else - yum install -y wget tar gcc automake autoconf libtool make curl git which unzip sudo + yum install -y wget tar gcc gcc-c++ automake autoconf libtool make curl git which unzip sudo yum install -y yum-utils fi } From 24fd11996ed52ea3798902111a0439a39b8a2ccd Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 18:48:48 +0800 Subject: [PATCH 07/15] fix: pin apisix nginx module TLS FFI fix --- build-apisix-runtime.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index aeaee053d..5adc6bad7 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -27,7 +27,7 @@ ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. -apisix_nginx_module_commit=${apisix_nginx_module_commit:-"36c6de78d74dd0f093e9a25910875762f6f56da6"} +apisix_nginx_module_commit=${apisix_nginx_module_commit:-"40492bca06153914d5084cfa92190c1dd7fd404e"} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" From 64f38e5a349ae9d1f16d00aa72c8375d8fd70f84 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 19:04:49 +0800 Subject: [PATCH 08/15] fix: pin reviewed apisix nginx module patch --- build-apisix-runtime.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 5adc6bad7..d90dd260f 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -27,7 +27,7 @@ ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. -apisix_nginx_module_commit=${apisix_nginx_module_commit:-"40492bca06153914d5084cfa92190c1dd7fd404e"} +apisix_nginx_module_commit=${apisix_nginx_module_commit:-"3a4ee4d120a0a4696efca115ec5ef254a16a5201"} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" From 927703d8322217e382808eca595acc7e915a53fb Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 19:10:21 +0800 Subject: [PATCH 09/15] fix: harden apisix nginx module source verification --- build-apisix-runtime.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index d90dd260f..11c5f6dc8 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -81,6 +81,11 @@ verify_module_commit() { echo "ERROR: $module_dir HEAD ($current_commit) does not match pinned commit ($expected_commit)" >&2 exit 1 fi + + if [ -n "$(git -C "$module_dir" status --porcelain --untracked-files=all)" ]; then + echo "ERROR: $module_dir has uncommitted changes; cannot verify pinned commit ($expected_commit)" >&2 + exit 1 + fi } @@ -141,9 +146,9 @@ if [ "$repo" == apisix-nginx-module ]; then else apisix_nginx_module_cloned=1 apisix_nginx_module_clone_ref="$apisix_nginx_module_ver" - git clone --depth=1 -b $apisix_nginx_module_clone_ref \ + git clone --depth=1 -b "$apisix_nginx_module_clone_ref" -- \ https://github.com/api7/apisix-nginx-module.git \ - apisix-nginx-module-${apisix_nginx_module_ver} + "apisix-nginx-module-${apisix_nginx_module_ver}" fi if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ]; then git -C apisix-nginx-module-${apisix_nginx_module_ver} fetch --depth=1 \ From 5290f9cecd0df31d91a818779d960ac634bef50c Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 19:15:09 +0800 Subject: [PATCH 10/15] fix: pin keepalive pool sentinel fix --- build-apisix-runtime.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 11c5f6dc8..c13d49af1 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -27,7 +27,7 @@ ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. -apisix_nginx_module_commit=${apisix_nginx_module_commit:-"3a4ee4d120a0a4696efca115ec5ef254a16a5201"} +apisix_nginx_module_commit=${apisix_nginx_module_commit:-"f2d67049784fd9d035ba02cea5fcd55eee313f9d"} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" From 2612ee6f1d4f8c9c3737dd1914f1bccb767f0285 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 19:20:41 +0800 Subject: [PATCH 11/15] fix: validate OpenResty version override --- build-apisix-runtime.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index c13d49af1..530d702ac 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -22,6 +22,10 @@ ld_opt=${ld_opt:-"-L$zlib_prefix/lib -L$pcre_prefix/lib -L$OPENSSL_PREFIX/lib -W # dependencies for building openresty OPENSSL_VERSION=${OPENSSL_VERSION:-"3.4.1"} OPENRESTY_VERSION=${OPENRESTY_VERSION:-"1.29.2.4"} +if [[ ! "$OPENRESTY_VERSION" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then + echo "ERROR: invalid OPENRESTY_VERSION: $OPENRESTY_VERSION" >&2 + exit 1 +fi ngx_multi_upstream_module_ver="openresty-1.29.2-patches" ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a400165fa40d21288e4eea8952bbf89"} mod_dubbo_ver="1.0.2" @@ -101,8 +105,8 @@ cd "$workdir" || exit 1 install_openssl_3 -wget --no-check-certificate https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz -tar -zxvpf openresty-${OPENRESTY_VERSION}.tar.gz > /dev/null +wget --no-check-certificate "https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz" +tar -zxvpf "openresty-${OPENRESTY_VERSION}.tar.gz" > /dev/null if [ "$repo" == lua-resty-events ]; then cp -r "$prev_workdir" ./lua-resty-events-${lua_resty_events_ver} From 7b4d616bfa404a66bb0bbde41e131e6ce13cc089 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 20:14:44 +0800 Subject: [PATCH 12/15] fix: pin latest OpenResty patch feedback --- build-apisix-runtime.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 530d702ac..59a31573c 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -31,7 +31,7 @@ ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. -apisix_nginx_module_commit=${apisix_nginx_module_commit:-"f2d67049784fd9d035ba02cea5fcd55eee313f9d"} +apisix_nginx_module_commit=${apisix_nginx_module_commit:-"c4b38ecbb54a47223112ba5d406f1dd392d44409"} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" From acecf2cf6df577f3c5391cf77f74d9b35bb981e4 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 21 May 2026 20:35:12 +0800 Subject: [PATCH 13/15] fix: validate apisix nginx module ref --- build-apisix-runtime.sh | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 59a31573c..3fe453b9b 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -30,6 +30,10 @@ ngx_multi_upstream_module_ver="openresty-1.29.2-patches" ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a400165fa40d21288e4eea8952bbf89"} mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} +if [[ ! "$apisix_nginx_module_ver" =~ ^[A-Za-z0-9._/-]+$ ]]; then + echo "ERROR: invalid apisix_nginx_module_ver: $apisix_nginx_module_ver" >&2 + exit 1 +fi # TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. apisix_nginx_module_commit=${apisix_nginx_module_commit:-"c4b38ecbb54a47223112ba5d406f1dd392d44409"} wasm_nginx_module_ver="0.7.0" @@ -146,7 +150,7 @@ fi if [ "$repo" == apisix-nginx-module ]; then apisix_nginx_module_cloned=0 - cp -r "$prev_workdir" ./apisix-nginx-module-${apisix_nginx_module_ver} + cp -r "$prev_workdir" "./apisix-nginx-module-${apisix_nginx_module_ver}" else apisix_nginx_module_cloned=1 apisix_nginx_module_clone_ref="$apisix_nginx_module_ver" @@ -155,9 +159,9 @@ else "apisix-nginx-module-${apisix_nginx_module_ver}" fi if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ]; then - git -C apisix-nginx-module-${apisix_nginx_module_ver} fetch --depth=1 \ + git -C "apisix-nginx-module-${apisix_nginx_module_ver}" fetch --depth=1 \ origin "$apisix_nginx_module_commit" - git -C apisix-nginx-module-${apisix_nginx_module_ver} checkout \ + git -C "apisix-nginx-module-${apisix_nginx_module_ver}" checkout \ "$apisix_nginx_module_commit" elif [ -n "$apisix_nginx_module_commit" ]; then verify_module_commit "apisix-nginx-module-${apisix_nginx_module_ver}" \ @@ -184,7 +188,7 @@ cd ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} || exit 1 ./patch.sh ../openresty-${OPENRESTY_VERSION} cd .. -cd apisix-nginx-module-${apisix_nginx_module_ver}/patch || exit 1 +cd "apisix-nginx-module-${apisix_nginx_module_ver}/patch" || exit 1 ./patch.sh ../../openresty-${OPENRESTY_VERSION} cd ../.. @@ -217,9 +221,9 @@ fi $debug_args \ --add-module=../mod_dubbo-${mod_dubbo_ver} \ --add-module=../ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} \ - --add-module=../apisix-nginx-module-${apisix_nginx_module_ver} \ - --add-module=../apisix-nginx-module-${apisix_nginx_module_ver}/src/stream \ - --add-module=../apisix-nginx-module-${apisix_nginx_module_ver}/src/meta \ + --add-module="../apisix-nginx-module-${apisix_nginx_module_ver}" \ + --add-module="../apisix-nginx-module-${apisix_nginx_module_ver}/src/stream" \ + --add-module="../apisix-nginx-module-${apisix_nginx_module_ver}/src/meta" \ --add-module=../wasm-nginx-module-${wasm_nginx_module_ver} \ --add-module=../lua-var-nginx-module-${lua_var_nginx_module_ver} \ --add-module=../lua-resty-events-${lua_resty_events_ver} \ @@ -265,7 +269,7 @@ sudo install -d "$OR_PREFIX"/lualib/resty/events/compat/ sudo install -m 644 lualib/resty/events/compat/*.lua "$OR_PREFIX"/lualib/resty/events/compat/ cd .. -cd apisix-nginx-module-${apisix_nginx_module_ver} || exit 1 +cd "apisix-nginx-module-${apisix_nginx_module_ver}" || exit 1 sudo OPENRESTY_PREFIX="$OR_PREFIX" make install cd .. From 206545deeee3aecc1a2e02ab441ff4ec92ca43b9 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Fri, 22 May 2026 09:26:42 +0800 Subject: [PATCH 14/15] chore: use released OpenResty patch modules --- build-apisix-runtime.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index 3fe453b9b..e39f84945 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -26,16 +26,15 @@ if [[ ! "$OPENRESTY_VERSION" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then echo "ERROR: invalid OPENRESTY_VERSION: $OPENRESTY_VERSION" >&2 exit 1 fi -ngx_multi_upstream_module_ver="openresty-1.29.2-patches" -ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-"125e594a1a400165fa40d21288e4eea8952bbf89"} +ngx_multi_upstream_module_ver="1.3.3" +ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-""} mod_dubbo_ver="1.0.2" -apisix_nginx_module_ver=${apisix_nginx_module_ver:-"openresty-1.29.2.4-patches"} +apisix_nginx_module_ver=${apisix_nginx_module_ver:-"1.19.5"} if [[ ! "$apisix_nginx_module_ver" =~ ^[A-Za-z0-9._/-]+$ ]]; then echo "ERROR: invalid apisix_nginx_module_ver: $apisix_nginx_module_ver" >&2 exit 1 fi -# TODO: switch back to an apisix-nginx-module release tag after the 1.29.2.4 patches are released. -apisix_nginx_module_commit=${apisix_nginx_module_commit:-"c4b38ecbb54a47223112ba5d406f1dd392d44409"} +apisix_nginx_module_commit=${apisix_nginx_module_commit:-""} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" From 5188d24c1ff630af7bcbcbbeaa509bf00f986739 Mon Sep 17 00:00:00 2001 From: Jarvis Date: Fri, 22 May 2026 09:35:50 +0800 Subject: [PATCH 15/15] chore: remove temporary module commit pins --- build-apisix-runtime.sh | 53 ++--------------------------------------- 1 file changed, 2 insertions(+), 51 deletions(-) diff --git a/build-apisix-runtime.sh b/build-apisix-runtime.sh index e39f84945..f251a850c 100755 --- a/build-apisix-runtime.sh +++ b/build-apisix-runtime.sh @@ -27,14 +27,12 @@ if [[ ! "$OPENRESTY_VERSION" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then exit 1 fi ngx_multi_upstream_module_ver="1.3.3" -ngx_multi_upstream_module_commit=${ngx_multi_upstream_module_commit:-""} mod_dubbo_ver="1.0.2" apisix_nginx_module_ver=${apisix_nginx_module_ver:-"1.19.5"} if [[ ! "$apisix_nginx_module_ver" =~ ^[A-Za-z0-9._/-]+$ ]]; then echo "ERROR: invalid apisix_nginx_module_ver: $apisix_nginx_module_ver" >&2 exit 1 fi -apisix_nginx_module_commit=${apisix_nginx_module_commit:-""} wasm_nginx_module_ver="0.7.0" lua_var_nginx_module_ver="v0.5.3" lua_resty_events_ver="0.2.0" @@ -73,29 +71,6 @@ install_openssl_3(){ cd .. } -verify_module_commit() { - local module_dir=$1 - local expected_commit=$2 - local current_commit - - if ! git -C "$module_dir" rev-parse --is-inside-work-tree > /dev/null 2>&1; then - echo "ERROR: $module_dir is not a git worktree; cannot verify pinned commit ($expected_commit)" >&2 - exit 1 - fi - - current_commit=$(git -C "$module_dir" rev-parse HEAD) - if [ "$current_commit" != "$expected_commit" ]; then - echo "ERROR: $module_dir HEAD ($current_commit) does not match pinned commit ($expected_commit)" >&2 - exit 1 - fi - - if [ -n "$(git -C "$module_dir" status --porcelain --untracked-files=all)" ]; then - echo "ERROR: $module_dir has uncommitted changes; cannot verify pinned commit ($expected_commit)" >&2 - exit 1 - fi -} - - if ([ $# -gt 0 ] && [ "$1" == "latest" ]) || [ "$runtime_version" == "0.0.0" ]; then debug_args="--with-debug" fi @@ -120,24 +95,12 @@ else fi if [ "$repo" == ngx_multi_upstream_module ]; then - ngx_multi_upstream_module_cloned=0 cp -r "$prev_workdir" ./ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} else - ngx_multi_upstream_module_cloned=1 - ngx_multi_upstream_module_clone_ref="$ngx_multi_upstream_module_ver" - git clone --depth=1 -b $ngx_multi_upstream_module_clone_ref \ + git clone --depth=1 -b $ngx_multi_upstream_module_ver \ https://github.com/api7/ngx_multi_upstream_module.git \ ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} fi -if [ -n "$ngx_multi_upstream_module_commit" ] && [ "$ngx_multi_upstream_module_cloned" = 1 ]; then - git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} fetch --depth=1 \ - origin "$ngx_multi_upstream_module_commit" - git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} checkout \ - "$ngx_multi_upstream_module_commit" -elif [ -n "$ngx_multi_upstream_module_commit" ]; then - verify_module_commit "ngx_multi_upstream_module-${ngx_multi_upstream_module_ver}" \ - "$ngx_multi_upstream_module_commit" -fi if [ "$repo" == mod_dubbo ]; then cp -r "$prev_workdir" ./mod_dubbo-${mod_dubbo_ver} @@ -148,24 +111,12 @@ else fi if [ "$repo" == apisix-nginx-module ]; then - apisix_nginx_module_cloned=0 cp -r "$prev_workdir" "./apisix-nginx-module-${apisix_nginx_module_ver}" else - apisix_nginx_module_cloned=1 - apisix_nginx_module_clone_ref="$apisix_nginx_module_ver" - git clone --depth=1 -b "$apisix_nginx_module_clone_ref" -- \ + git clone --depth=1 -b "$apisix_nginx_module_ver" -- \ https://github.com/api7/apisix-nginx-module.git \ "apisix-nginx-module-${apisix_nginx_module_ver}" fi -if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ]; then - git -C "apisix-nginx-module-${apisix_nginx_module_ver}" fetch --depth=1 \ - origin "$apisix_nginx_module_commit" - git -C "apisix-nginx-module-${apisix_nginx_module_ver}" checkout \ - "$apisix_nginx_module_commit" -elif [ -n "$apisix_nginx_module_commit" ]; then - verify_module_commit "apisix-nginx-module-${apisix_nginx_module_ver}" \ - "$apisix_nginx_module_commit" -fi if [ "$repo" == wasm-nginx-module ]; then cp -r "$prev_workdir" ./wasm-nginx-module-${wasm_nginx_module_ver}