refactor: create a rootless image

2019-09-28 21:00:56 +02:00 · 2019-09-28 21:00:56 +02:00 · 3a6c690f46
parent 0879be2dfc
commit 3a6c690f46
12 changed files with 74 additions and 494 deletions
--- a/Dockerfile.linux.amd64
+++ b/Dockerfile.linux.amd64
@ -1,4 +1,4 @@
-FROM alpine:3.10.0
+FROM xoxys/nginx:latest

 LABEL maintainer="Robert Kaussow <mail@geeklabor.de>" \
    org.label-schema.name="Kanboard" \
@ -10,32 +10,38 @@ ARG KANBOARD_VERSION=master
 ARG KANBOARD_TARBALL=https://github.com/kanboard/kanboard/archive/${KANBOARD_VERSION}.tar.gz

 RUN apk --update add --virtual .build-deps tar curl && \
-    apk --update add nginx ca-certificates s6 ssmtp mailx php7 php7-phar php7-curl \
+    apk --update add ssmtp mailx php7 php7-phar php7-curl \
    php7-fpm php7-json php7-zlib php7-xml php7-dom php7-ctype php7-opcache php7-zip php7-iconv \
    php7-pdo php7-pdo_mysql php7-pdo_sqlite php7-pdo_pgsql php7-mbstring php7-session php7-bcmath \
    php7-gd php7-mcrypt php7-openssl php7-sockets php7-posix php7-ldap php7-simplexml && \
    rm -rf /var/www/localhost && \
    rm -f /etc/php7/php-fpm.d/www.conf && \
    mkdir -p /var/www/app && \
-    curl -SsL -o /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64-slim && \
-    chmod 755 /usr/local/bin/gomplate && \
    curl -SsL ${KANBOARD_TARBALL} | tar xz -C /var/www/app/ --strip-components=1 && \
    curl -SsL -o /etc/php7/browscap.ini https://browscap.org/stream?q=Lite_PHP_BrowsCapINI && \
+    curl -SsL -o /usr/local/bin/supercronic https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64 && \
+    chmod 755 /usr/local/bin/supercronic && \
    apk del .build-deps && \
    rm -rf /var/cache/apk/* && \
    rm -rf /tmp/* && \
+    mkdir -p /var/run/php && \
+    chown -R nginx /var/run/php && \
    mkdir -p /var/lib/php/tmp_upload && \
    mkdir -p /var/lib/php/soap_cache && \
    mkdir -p /var/lib/php/session && \
-    chown -R nginx:nginx /var/lib/php/tmp_upload && \
-    chown -R nginx:nginx /var/lib/php/soap_cache && \
-    chown -R nginx:nginx /var/lib/php/session
+    chown -R nginx /var/lib/php && \
+    chown nginx /etc/php7/php.ini && \
+    chown -R nginx /var/www/app

 ADD overlay/ /

 VOLUME /var/www/app/plugins

-EXPOSE 80
+EXPOSE 8080
+
+USER nginx
+
+STOPSIGNAL SIGTERM

 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD /usr/local/bin/healthcheck.sh
--- a/overlay/etc/crontabs/nginx
+++ b/overlay/etc/crontabs/nginx
@ -1 +1,3 @@
+SHELL=/bin/sh
 0 8 * * * cd /var/www/app && ./cli cronjob >/dev/null 2>&1
+* * * * * echo "XXXXX"
--- a/overlay/etc/nginx/nginx.conf
+++ b/overlay/etc/nginx/nginx.conf
@ -1,76 +0,0 @@
-user nginx;
-worker_processes 1;
-pid /var/run/nginx.pid;
-
-events {
-    worker_connections 1024;
-}
-
-http {
-    include       mime.types;
-    default_type  application/octet-stream;
-
-    sendfile           on;
-    tcp_nopush         on;
-    tcp_nodelay        on;
-    keepalive_timeout  65;
-    server_tokens      off;
-    access_log         off;
-    error_log          /dev/stderr;
-
-    fastcgi_buffers 16 16k;
-    fastcgi_buffer_size 32k;
-
-    server {
-        listen       80;
-        server_name  localhost;
-        index        index.php;
-        root         /var/www/app;
-        client_max_body_size 32M;
-
-        location / {
-            try_files $uri $uri/ /index.php$is_args$args;
-        }
-
-        location ~ \.php$ {
-            try_files $uri =404;
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:/var/run/php-fpm.sock;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_index index.php;
-            include fastcgi_params;
-        }
-
-        location ~ /data {
-            return 404;
-        }
-
-        location ~* ^.+\.(log|sqlite)$ {
-            return 404;
-        }
-
-        location ~ /\.ht {
-            return 404;
-        }
-
-        location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
-            log_not_found off;
-            expires 7d;
-            etag on;
-        }
-
-        gzip on;
-        gzip_comp_level 3;
-        gzip_disable "msie6";
-        gzip_vary on;
-        gzip_types
-            text/javascript
-            application/javascript
-            application/json
-            text/xml
-            application/xml
-            application/rss+xml
-            text/css
-            text/plain;
-    }
-}
--- a/overlay/etc/nginx/vhost.conf
+++ b/overlay/etc/nginx/vhost.conf
@ -0,0 +1,52 @@
+server {
+    listen       8080;
+    server_name  localhost;
+    index        index.php;
+    root         /var/www/app;
+    client_max_body_size 32M;
+
+    location / {
+        try_files $uri $uri/ /index.php$is_args$args;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include fastcgi_params;
+    }
+
+    location ~ /data {
+        return 404;
+    }
+
+    location ~* ^.+\.(log|sqlite)$ {
+        return 404;
+    }
+
+    location ~ /\.ht {
+        return 404;
+    }
+
+    location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
+        log_not_found off;
+        expires 7d;
+        etag on;
+    }
+
+    gzip on;
+    gzip_comp_level 3;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_types
+        text/javascript
+        application/javascript
+        application/json
+        text/xml
+        application/xml
+        application/rss+xml
+        text/css
+        text/plain;
+}
--- a/overlay/etc/php7/php-fpm.conf
+++ b/overlay/etc/php7/php-fpm.conf
@ -11,7 +11,7 @@ group = nginx

 listen.owner = nginx
 listen.group = nginx
-listen = /var/run/php-fpm.sock
+listen = /var/run/php/php-fpm.sock

 pm = dynamic
 pm.max_children = 20
--- a/overlay/etc/php7/php.ini
+++ b/overlay/etc/php7/php.ini
@ -1,391 +0,0 @@
-[PHP]
-user_ini.filename = ".user.ini"
-user_ini.cache_ttl = 300
-
-engine = On
-short_open_tag = Off
-
-precision = 14
-
-output_buffering = 0
-;output_handler =
-
-zlib.output_compression = Off
-;zlib.output_compression_level = -1
-;zlib.output_handler =
-
-implicit_flush = Off
-
-unserialize_callback_func =
-serialize_precision = 17
-
-open_basedir = "/var/www/app:/var/lib/php/tmp_upload:/var/lib/php/session:/var/lib/php/soap_cache"
-
-disable_functions = system, exec, shell_exec, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
-disable_classes =
-
-;highlight.string  = #DD0000
-;highlight.comment = #FF9900
-;highlight.keyword = #007700
-;highlight.default = #0000BB
-;highlight.html    = #000000
-
-;ignore_user_abort = On
-
-;realpath_cache_size = 16k
-;realpath_cache_ttl = 120
-
-zend.enable_gc = On
-;zend.multibyte = Off
-;zend.script_encoding =
-
-expose_php = Off
-
-max_execution_time = 30
-max_input_time = 60
-;max_input_nesting_level = 64
-max_input_vars = 100
-memory_limit = 50M
-
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-display_errors = Off
-display_startup_errors = Off
-log_errors = On
-log_errors_max_len = 1024
-ignore_repeated_errors = Off
-ignore_repeated_source = Off
-report_memleaks = On
-;report_zend_debug = 0
-;xmlrpc_errors = 0
-;xmlrpc_error_number = 0
-html_errors = On
-;docref_root = "/phpmanual/"
-;docref_ext = .html
-;error_prepend_string = "<span style='color: #ff0000'>"
-;error_append_string = "</span>"
-error_log = /proc/self/fd/2
-;windows.show_crt_warning
-
-;arg_separator.output = "&amp;"
-;arg_separator.input = ";&"
-
-variables_order = "GPCS"
-request_order = "GP"
-
-register_argc_argv = Off
-auto_globals_jit = On
-;enable_post_data_reading = Off
-post_max_size = 8M
-
-auto_prepend_file =
-auto_append_file =
-
-default_mimetype = "text/html"
-default_charset = "UTF-8"
-;internal_encoding =
-;input_encoding =
-;output_encoding =
-
-;include_path = ".:/php7/includes"
-
-doc_root =
-user_dir =
-
-extension_dir = "/usr/lib/php7/modules"
-;sys_temp_dir = "/tmp"
-enable_dl = Off
-
-cgi.force_redirect = 1
-;cgi.nph = 1
-;cgi.redirect_status_env =
-cgi.fix_pathinfo = 0
-cgi.discard_path = 1
-
-;fastcgi.impersonate = 1
-;fastcgi.logging = 0
-;cgi.rfc2616_headers = 0
-;cgi.check_shebang_line = 1
-
-file_uploads = Off
-upload_tmp_dir = /var/lib/php/tmp_upload
-upload_max_filesize = 2M
-max_file_uploads = 2
-
-allow_url_fopen = On
-allow_url_include = Off
-
-;from="john@doe.com"
-;user_agent="PHP"
-
-default_socket_timeout = 60
-;auto_detect_line_endings = Off
-
-[CLI Server]
-cli_server.color = On
-
-[Date]
-date.timezone = Europe/Berlin
-;date.default_latitude = 31.7667
-;date.default_longitude = 35.2333
-;date.sunrise_zenith = 90.583333
-;date.sunset_zenith = 90.583333
-
-[filter]
-;filter.default = unsafe_raw
-;filter.default_flags =
-
-[iconv]
-;iconv.input_encoding =
-;iconv.internal_encoding =
-;iconv.output_encoding =
-
-[intl]
-;intl.default_locale =
-;intl.error_level = E_WARNING
-;intl.use_exceptions = 0
-
-[sqlite3]
-;sqlite3.extension_dir =
-
-[Pcre]
-;pcre.backtrack_limit = 100000
-;pcre.recursion_limit = 100000
-;pcre.jit = 1
-
-[Pdo]
-;pdo_odbc.connection_pooling = strict
-;pdo_odbc.db2_instance_name
-
-[Pdo_mysql]
-pdo_mysql.cache_size = 2000
-pdo_mysql.default_socket =
-
-[Phar]
-;phar.readonly = On
-;phar.require_hash = On
-;phar.cache_list =
-
-[mail function]
-SMTP = localhost
-smtp_port = 25
-;sendmail_path =
-
-;mail.force_extra_parameters =
-mail.add_x_header = On
-;mail.log =
-;mail.log = syslog
-
-[SQL]
-sql.safe_mode = On
-
-[ODBC]
-;odbc.default_db = Not yet implemented
-;odbc.default_user = Not yet implemented
-;odbc.default_pw = Not yet implemented
-;odbc.default_cursortype
-odbc.allow_persistent = On
-odbc.check_persistent = On
-odbc.max_persistent = -1
-odbc.max_links = -1
-odbc.defaultlrl = 4096
-odbc.defaultbinmode = 1
-;birdstep.max_links = -1
-
-[Interbase]
-ibase.allow_persistent = 1
-ibase.max_persistent = -1
-ibase.max_links = -1
-;ibase.default_db =
-;ibase.default_user =
-;ibase.default_password =
-;ibase.default_charset =
-ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
-ibase.dateformat = "%Y-%m-%d"
-ibase.timeformat = "%H:%M:%S"
-
-[MySQLi]
-;mysqli.allow_local_infile = On
-mysqli.max_persistent = -1
-mysqli.allow_persistent = On
-mysqli.max_links = -1
-mysqli.cache_size = 2000
-mysqli.default_port = 3306
-mysqli.default_socket =
-mysqli.default_host =
-mysqli.default_user =
-mysqli.default_pw =
-mysqli.reconnect = Off
-
-[mysqlnd]
-mysqlnd.collect_statistics = On
-mysqlnd.collect_memory_statistics = Off
-;mysqlnd.debug =
-;mysqlnd.log_mask = 0
-;mysqlnd.mempool_default_size = 16000
-;mysqlnd.net_cmd_buffer_size = 2048
-;mysqlnd.net_read_buffer_size = 32768
-;mysqlnd.net_read_timeout = 31536000
-;mysqlnd.sha256_server_public_key =
-
-[OCI8]
-;oci8.privileged_connect = Off
-;oci8.max_persistent = -1
-;oci8.persistent_timeout = -1
-;oci8.ping_interval = 60
-;oci8.connection_class =
-;oci8.events = Off
-;oci8.statement_cache_size = 20
-;oci8.default_prefetch = 100
-;oci8.old_oci_close_semantics = Off
-
-[PostgreSQL]
-pgsql.allow_persistent = On
-pgsql.auto_reset_persistent = Off
-pgsql.max_persistent = -1
-pgsql.max_links = -1
-pgsql.ignore_notice = 0
-pgsql.log_notice = 0
-
-[bcmath]
-bcmath.scale = 0
-
-[browscap]
-browscap = /etc/php7/browscap.ini
-
-[Session]
-session.save_handler = files
-session.save_path = "/var/lib/php/session"
-session.use_strict_mode = 1
-session.use_cookies = 1
-session.cookie_secure = 0
-session.use_only_cookies = 1
-session.name = PHPSESSID
-session.auto_start = Off
-session.cookie_lifetime = 14400
-session.cookie_path = /
-session.cookie_domain =
-session.cookie_httponly = 1
-session.serialize_handler = php
-session.gc_probability = 1
-session.gc_divisor = 1000
-session.gc_maxlifetime = 1440
-session.referer_check =
-;session.entropy_length = 32
-;session.entropy_file = /dev/urandom
-session.cache_limiter = nocache
-session.cache_expire = 30
-session.use_trans_sid = 0
-session.hash_function = sha512
-session.hash_bits_per_character = 5
-url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
-;session.upload_progress.enabled = On
-;session.upload_progress.cleanup = On
-;session.upload_progress.prefix = "upload_progress_"
-;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
-;session.upload_progress.freq =  "1%"
-;session.upload_progress.min_freq = "1"
-;session.lazy_write = On
-
-[Assertion]
-zend.assertions = -1
-;assert.active = On
-;assert.exception = On
-;assert.warning = On
-;assert.bail = Off
-;assert.callback = 0
-;assert.quiet_eval = 0
-
-[COM]
-;com.typelib_file =
-;com.allow_dcom = true
-;com.autoregister_typelib = true
-;com.autoregister_casesensitive = false
-;com.autoregister_verbose = true
-;com.code_page=
-
-[mbstring]
-;mbstring.language = Japanese
-;mbstring.internal_encoding =
-;mbstring.http_input =
-;mbstring.http_output =
-;mbstring.encoding_translation = Off
-;mbstring.detect_order = auto
-;mbstring.substitute_character = none
-;mbstring.func_overload = 0
-;mbstring.strict_detection = On
-;mbstring.http_output_conv_mimetype =
-
-[gd]
-;gd.jpeg_ignore_warning = 0
-
-[exif]
-;exif.encode_unicode = ISO-8859-15
-;exif.decode_unicode_motorola = UCS-2BE
-;exif.decode_unicode_intel = UCS-2LE
-;exif.encode_jis =
-;exif.decode_jis_motorola = JIS
-;exif.decode_jis_intel = JIS
-
-[Tidy]
-;tidy.default_config = /usr/local/lib/php7/default.tcfg
-tidy.clean_output = Off
-
-[soap]
-soap.wsdl_cache_enabled = 1
-soap.wsdl_cache_dir = "/var/lib/php/soap_cache"
-soap.wsdl_cache_ttl = 86400
-soap.wsdl_cache_limit = 5
-
-[sysvshm]
-;sysvshm.init_mem = 10000
-
-[ldap]
-ldap.max_links = -1
-
-[mcrypt]
-;mcrypt.algorithms_dir =
-;mcrypt.modes_dir =
-
-[dba]
-;dba.default_handler =
-
-[opcache]
-;opcache.enable = 0
-;opcache.enable_cli = 0
-;opcache.memory_consumption = 64
-;opcache.interned_strings_buffer = 4
-;opcache.max_accelerated_files = 2000
-;opcache.max_wasted_percentage = 5
-;opcache.use_cwd = 1
-;opcache.validate_timestamps = 1
-;opcache.revalidate_freq = 2
-;opcache.revalidate_path = 0
-;opcache.save_comments = 1
-;opcache.fast_shutdown = 0
-;opcache.enable_file_override = 0
-;opcache.optimization_level = 0xffffffff
-;opcache.dups_fix = 0
-;opcache.blacklist_filename =
-;opcache.max_file_size = 0
-;opcache.consistency_checks = 0
-;opcache.force_restart_timeout = 180
-;opcache.error_log =
-;opcache.log_verbosity_level = 1
-;opcache.preferred_memory_model =
-;opcache.protect_memory = 0
-;opcache.restrict_api =
-;opcache.mmap_base =
-;opcache.file_cache =
-;opcache.file_cache_only = 0
-;opcache.file_cache_consistency_checks = 1
-;opcache.file_cache_fallback = 1
-;opcache.huge_code_pages = 1
-;opcache.validate_permission = 0
-;opcache.validate_root = 0
-
-[curl]
-curl.cainfo = /etc/ssl/certs/ca-certificates.crt
-
-[openssl]
-openssl.cafile = /etc/ssl/certs/ca-certificates.crt
-openssl.capath = /etc/ssl/certs
--- a/overlay/etc/services.d/.s6-svscan/crash
+++ b/overlay/etc/services.d/.s6-svscan/crash
@ -1,4 +0,0 @@
-#!/bin/sh
-set -e
-echo "Container crashed. Exiting..."
-exit 1
--- a/overlay/etc/services.d/.s6-svscan/finish
+++ b/overlay/etc/services.d/.s6-svscan/finish
@ -1,2 +0,0 @@
-#!/bin/sh
-exit 0
--- a/overlay/etc/services.d/cron/run
+++ b/overlay/etc/services.d/cron/run
@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-crond -f
--- a/overlay/etc/services.d/nginx/run
+++ b/overlay/etc/services.d/nginx/run
@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-nginx -g "daemon off;"
--- a/overlay/etc/services.d/php/run
+++ b/overlay/etc/services.d/php/run
@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-php-fpm7 -F
--- a/overlay/usr/local/bin/entrypoint.sh
+++ b/overlay/usr/local/bin/entrypoint.sh
@ -1,8 +1,7 @@
 #!/bin/sh
-/usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl
-/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl
+/usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl 1>/dev/null
+/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl 1>/dev/null

-chown -R nginx:nginx /var/www/app/data
-chown -R nginx:nginx /var/www/app/plugins
-
-exec /bin/s6-svscan /etc/services.d
+exec supercronic -split-logs /etc/crontabs/nginx 1>/dev/null &
+exec php-fpm7 -F &
+exec nginx -g "daemon off;"