Ingress-nginx: Allow run time updating of GeoIP databases

Created on 15 Feb 2018  路  9Comments  路  Source: kubernetes/ingress-nginx

Hey,
At the moment, the following GeoIP databases are downloaded as part of the nginx base image build:

  - geoip_country       /etc/nginx/GeoIP.dat;
  - geoip_city          /etc/nginx/GeoLiteCity.dat;
  - geoip_org           /etc/nginx/GeoIPASNum.dat;

These databases get updated (GeoIPASNum more than others), and I think it'd be nice to find a way to update this outside the update cycle of ingress-nginx

I'm unsure however, the best way to do this so didn't want to implement a PR without talking it through first. I see the following options:

  1. Add --update-geo-ip, which downloads these files every time the container boots, or if they're over some arbitrary age.
  2. Have a separate side car which keeps these files up to date, but that would some how have to trigger an nginx -s reload

I'm totally open to ideas?

picture Stono

Most helpful comment

@Stono ok, then I can add another notify listener for the geoip directory and trigger a reload like here https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/nginx.go#L170

picture aledbf on 16 Feb 2018
👍3

All 9 comments

@Stono what we can do is to change the path of the files to a directory like /etc/nginx/geoip and then you can use a custom deployment with an additional container that updates the file and an emptyDir volume mounted in /etc/nginx/geoip

aledbf picture aledbf on 16 Feb 2018
👍1

@aledbf that makes sense, but then how would that side car trigger an nginx -s reload when the db changes?

Stono picture Stono on 16 Feb 2018

that makes sense, but then how would that side car trigger an nginx -s reload when the db changes?

I was thinking to just wait until the next event that triggers an update in the controller

aledbf picture aledbf on 16 Feb 2018

@Stono or run nginx -s reload using kubectl exec from the side car

aledbf picture aledbf on 16 Feb 2018

hmm then i'd have to give the sidecar RBAC access to exec pods on kubectl which feels a bit wrong ;'(

Stono picture Stono on 16 Feb 2018

@Stono ok, then I can add another notify listener for the geoip directory and trigger a reload like here https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/nginx.go#L170

aledbf picture aledbf on 16 Feb 2018
👍3

Ahh great idea @aledbf - leave it with me and I'll (try) to do a PR!

Stono picture Stono on 16 Feb 2018

OK @aledbf - gave it my best shot! See the attached PR

Stono picture Stono on 16 Feb 2018

can this help, the feature is already provided by geoip2 module, can we exploit that.

http {

    geoip2 /etc/GeoLite2-Country.mmdb {
        **auto_reload 5m;**
        $geoip2_metadata_country_build metadata build_epoch;
        $geoip2_data_country_code default=US source=$http_x_forwarded_for country iso_code;
        $geoip2_data_country_name source=$http_x_forwarded_for country names en;
    }
Niteesh picture Niteesh on 9 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

oilbeater picture oilbeater  路  3Comments
boazj picture boazj  路  3Comments
c-mccutcheon picture c-mccutcheon  路  3Comments
sophaskins picture sophaskins  路  3Comments
geek876 picture geek876  路  3Comments