refactor: create a rootless image
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Robert Kaussow 2019-09-28 21:00:56 +02:00
parent 0879be2dfc
commit 3a6c690f46
12 changed files with 74 additions and 494 deletions

View File

@ -1,4 +1,4 @@
FROM alpine:3.10.0
FROM xoxys/nginx:latest
LABEL maintainer="Robert Kaussow <mail@geeklabor.de>" \
org.label-schema.name="Kanboard" \
@ -10,32 +10,38 @@ ARG KANBOARD_VERSION=master
ARG KANBOARD_TARBALL=https://github.com/kanboard/kanboard/archive/${KANBOARD_VERSION}.tar.gz
RUN apk --update add --virtual .build-deps tar curl && \
apk --update add nginx ca-certificates s6 ssmtp mailx php7 php7-phar php7-curl \
apk --update add ssmtp mailx php7 php7-phar php7-curl \
php7-fpm php7-json php7-zlib php7-xml php7-dom php7-ctype php7-opcache php7-zip php7-iconv \
php7-pdo php7-pdo_mysql php7-pdo_sqlite php7-pdo_pgsql php7-mbstring php7-session php7-bcmath \
php7-gd php7-mcrypt php7-openssl php7-sockets php7-posix php7-ldap php7-simplexml && \
rm -rf /var/www/localhost && \
rm -f /etc/php7/php-fpm.d/www.conf && \
mkdir -p /var/www/app && \
curl -SsL -o /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64-slim && \
chmod 755 /usr/local/bin/gomplate && \
curl -SsL ${KANBOARD_TARBALL} | tar xz -C /var/www/app/ --strip-components=1 && \
curl -SsL -o /etc/php7/browscap.ini https://browscap.org/stream?q=Lite_PHP_BrowsCapINI && \
curl -SsL -o /usr/local/bin/supercronic https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64 && \
chmod 755 /usr/local/bin/supercronic && \
apk del .build-deps && \
rm -rf /var/cache/apk/* && \
rm -rf /tmp/* && \
mkdir -p /var/run/php && \
chown -R nginx /var/run/php && \
mkdir -p /var/lib/php/tmp_upload && \
mkdir -p /var/lib/php/soap_cache && \
mkdir -p /var/lib/php/session && \
chown -R nginx:nginx /var/lib/php/tmp_upload && \
chown -R nginx:nginx /var/lib/php/soap_cache && \
chown -R nginx:nginx /var/lib/php/session
chown -R nginx /var/lib/php && \
chown nginx /etc/php7/php.ini && \
chown -R nginx /var/www/app
ADD overlay/ /
VOLUME /var/www/app/plugins
EXPOSE 80
EXPOSE 8080
USER nginx
STOPSIGNAL SIGTERM
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD /usr/local/bin/healthcheck.sh

View File

@ -1 +1,3 @@
SHELL=/bin/sh
0 8 * * * cd /var/www/app && ./cli cronjob >/dev/null 2>&1
* * * * * echo "XXXXX"

View File

@ -1,76 +0,0 @@
user nginx;
worker_processes 1;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
server_tokens off;
access_log off;
error_log /dev/stderr;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
server {
listen 80;
server_name localhost;
index index.php;
root /var/www/app;
client_max_body_size 32M;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /data {
return 404;
}
location ~* ^.+\.(log|sqlite)$ {
return 404;
}
location ~ /\.ht {
return 404;
}
location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
log_not_found off;
expires 7d;
etag on;
}
gzip on;
gzip_comp_level 3;
gzip_disable "msie6";
gzip_vary on;
gzip_types
text/javascript
application/javascript
application/json
text/xml
application/xml
application/rss+xml
text/css
text/plain;
}
}

View File

@ -0,0 +1,52 @@
server {
listen 8080;
server_name localhost;
index index.php;
root /var/www/app;
client_max_body_size 32M;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /data {
return 404;
}
location ~* ^.+\.(log|sqlite)$ {
return 404;
}
location ~ /\.ht {
return 404;
}
location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
log_not_found off;
expires 7d;
etag on;
}
gzip on;
gzip_comp_level 3;
gzip_disable "msie6";
gzip_vary on;
gzip_types
text/javascript
application/javascript
application/json
text/xml
application/xml
application/rss+xml
text/css
text/plain;
}

View File

@ -11,7 +11,7 @@ group = nginx
listen.owner = nginx
listen.group = nginx
listen = /var/run/php-fpm.sock
listen = /var/run/php/php-fpm.sock
pm = dynamic
pm.max_children = 20

View File

@ -1,391 +0,0 @@
[PHP]
user_ini.filename = ".user.ini"
user_ini.cache_ttl = 300
engine = On
short_open_tag = Off
precision = 14
output_buffering = 0
;output_handler =
zlib.output_compression = Off
;zlib.output_compression_level = -1
;zlib.output_handler =
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
open_basedir = "/var/www/app:/var/lib/php/tmp_upload:/var/lib/php/session:/var/lib/php/soap_cache"
disable_functions = system, exec, shell_exec, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
disable_classes =
;highlight.string = #DD0000
;highlight.comment = #FF9900
;highlight.keyword = #007700
;highlight.default = #0000BB
;highlight.html = #000000
;ignore_user_abort = On
;realpath_cache_size = 16k
;realpath_cache_ttl = 120
zend.enable_gc = On
;zend.multibyte = Off
;zend.script_encoding =
expose_php = Off
max_execution_time = 30
max_input_time = 60
;max_input_nesting_level = 64
max_input_vars = 100
memory_limit = 50M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
;report_zend_debug = 0
;xmlrpc_errors = 0
;xmlrpc_error_number = 0
html_errors = On
;docref_root = "/phpmanual/"
;docref_ext = .html
;error_prepend_string = "<span style='color: #ff0000'>"
;error_append_string = "</span>"
error_log = /proc/self/fd/2
;windows.show_crt_warning
;arg_separator.output = "&amp;"
;arg_separator.input = ";&"
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
;enable_post_data_reading = Off
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
;internal_encoding =
;input_encoding =
;output_encoding =
;include_path = ".:/php7/includes"
doc_root =
user_dir =
extension_dir = "/usr/lib/php7/modules"
;sys_temp_dir = "/tmp"
enable_dl = Off
cgi.force_redirect = 1
;cgi.nph = 1
;cgi.redirect_status_env =
cgi.fix_pathinfo = 0
cgi.discard_path = 1
;fastcgi.impersonate = 1
;fastcgi.logging = 0
;cgi.rfc2616_headers = 0
;cgi.check_shebang_line = 1
file_uploads = Off
upload_tmp_dir = /var/lib/php/tmp_upload
upload_max_filesize = 2M
max_file_uploads = 2
allow_url_fopen = On
allow_url_include = Off
;from="john@doe.com"
;user_agent="PHP"
default_socket_timeout = 60
;auto_detect_line_endings = Off
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Berlin
;date.default_latitude = 31.7667
;date.default_longitude = 35.2333
;date.sunrise_zenith = 90.583333
;date.sunset_zenith = 90.583333
[filter]
;filter.default = unsafe_raw
;filter.default_flags =
[iconv]
;iconv.input_encoding =
;iconv.internal_encoding =
;iconv.output_encoding =
[intl]
;intl.default_locale =
;intl.error_level = E_WARNING
;intl.use_exceptions = 0
[sqlite3]
;sqlite3.extension_dir =
[Pcre]
;pcre.backtrack_limit = 100000
;pcre.recursion_limit = 100000
;pcre.jit = 1
[Pdo]
;pdo_odbc.connection_pooling = strict
;pdo_odbc.db2_instance_name
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket =
[Phar]
;phar.readonly = On
;phar.require_hash = On
;phar.cache_list =
[mail function]
SMTP = localhost
smtp_port = 25
;sendmail_path =
;mail.force_extra_parameters =
mail.add_x_header = On
;mail.log =
;mail.log = syslog
[SQL]
sql.safe_mode = On
[ODBC]
;odbc.default_db = Not yet implemented
;odbc.default_user = Not yet implemented
;odbc.default_pw = Not yet implemented
;odbc.default_cursortype
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
;birdstep.max_links = -1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
;ibase.default_db =
;ibase.default_user =
;ibase.default_password =
;ibase.default_charset =
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
;mysqli.allow_local_infile = On
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
;mysqlnd.debug =
;mysqlnd.log_mask = 0
;mysqlnd.mempool_default_size = 16000
;mysqlnd.net_cmd_buffer_size = 2048
;mysqlnd.net_read_buffer_size = 32768
;mysqlnd.net_read_timeout = 31536000
;mysqlnd.sha256_server_public_key =
[OCI8]
;oci8.privileged_connect = Off
;oci8.max_persistent = -1
;oci8.persistent_timeout = -1
;oci8.ping_interval = 60
;oci8.connection_class =
;oci8.events = Off
;oci8.statement_cache_size = 20
;oci8.default_prefetch = 100
;oci8.old_oci_close_semantics = Off
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
browscap = /etc/php7/browscap.ini
[Session]
session.save_handler = files
session.save_path = "/var/lib/php/session"
session.use_strict_mode = 1
session.use_cookies = 1
session.cookie_secure = 0
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = Off
session.cookie_lifetime = 14400
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
;session.entropy_length = 32
;session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 30
session.use_trans_sid = 0
session.hash_function = sha512
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
;session.upload_progress.enabled = On
;session.upload_progress.cleanup = On
;session.upload_progress.prefix = "upload_progress_"
;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
;session.upload_progress.freq = "1%"
;session.upload_progress.min_freq = "1"
;session.lazy_write = On
[Assertion]
zend.assertions = -1
;assert.active = On
;assert.exception = On
;assert.warning = On
;assert.bail = Off
;assert.callback = 0
;assert.quiet_eval = 0
[COM]
;com.typelib_file =
;com.allow_dcom = true
;com.autoregister_typelib = true
;com.autoregister_casesensitive = false
;com.autoregister_verbose = true
;com.code_page=
[mbstring]
;mbstring.language = Japanese
;mbstring.internal_encoding =
;mbstring.http_input =
;mbstring.http_output =
;mbstring.encoding_translation = Off
;mbstring.detect_order = auto
;mbstring.substitute_character = none
;mbstring.func_overload = 0
;mbstring.strict_detection = On
;mbstring.http_output_conv_mimetype =
[gd]
;gd.jpeg_ignore_warning = 0
[exif]
;exif.encode_unicode = ISO-8859-15
;exif.decode_unicode_motorola = UCS-2BE
;exif.decode_unicode_intel = UCS-2LE
;exif.encode_jis =
;exif.decode_jis_motorola = JIS
;exif.decode_jis_intel = JIS
[Tidy]
;tidy.default_config = /usr/local/lib/php7/default.tcfg
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled = 1
soap.wsdl_cache_dir = "/var/lib/php/soap_cache"
soap.wsdl_cache_ttl = 86400
soap.wsdl_cache_limit = 5
[sysvshm]
;sysvshm.init_mem = 10000
[ldap]
ldap.max_links = -1
[mcrypt]
;mcrypt.algorithms_dir =
;mcrypt.modes_dir =
[dba]
;dba.default_handler =
[opcache]
;opcache.enable = 0
;opcache.enable_cli = 0
;opcache.memory_consumption = 64
;opcache.interned_strings_buffer = 4
;opcache.max_accelerated_files = 2000
;opcache.max_wasted_percentage = 5
;opcache.use_cwd = 1
;opcache.validate_timestamps = 1
;opcache.revalidate_freq = 2
;opcache.revalidate_path = 0
;opcache.save_comments = 1
;opcache.fast_shutdown = 0
;opcache.enable_file_override = 0
;opcache.optimization_level = 0xffffffff
;opcache.dups_fix = 0
;opcache.blacklist_filename =
;opcache.max_file_size = 0
;opcache.consistency_checks = 0
;opcache.force_restart_timeout = 180
;opcache.error_log =
;opcache.log_verbosity_level = 1
;opcache.preferred_memory_model =
;opcache.protect_memory = 0
;opcache.restrict_api =
;opcache.mmap_base =
;opcache.file_cache =
;opcache.file_cache_only = 0
;opcache.file_cache_consistency_checks = 1
;opcache.file_cache_fallback = 1
;opcache.huge_code_pages = 1
;opcache.validate_permission = 0
;opcache.validate_root = 0
[curl]
curl.cainfo = /etc/ssl/certs/ca-certificates.crt
[openssl]
openssl.cafile = /etc/ssl/certs/ca-certificates.crt
openssl.capath = /etc/ssl/certs

View File

@ -1,4 +0,0 @@
#!/bin/sh
set -e
echo "Container crashed. Exiting..."
exit 1

View File

@ -1,2 +0,0 @@
#!/bin/sh
exit 0

View File

@ -1,2 +0,0 @@
#!/bin/execlineb -P
crond -f

View File

@ -1,2 +0,0 @@
#!/bin/execlineb -P
nginx -g "daemon off;"

View File

@ -1,2 +0,0 @@
#!/bin/execlineb -P
php-fpm7 -F

View File

@ -1,8 +1,7 @@
#!/bin/sh
/usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl
/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl
/usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl 1>/dev/null
/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl 1>/dev/null
chown -R nginx:nginx /var/www/app/data
chown -R nginx:nginx /var/www/app/plugins
exec /bin/s6-svscan /etc/services.d
exec supercronic -split-logs /etc/crontabs/nginx 1>/dev/null &
exec php-fpm7 -F &
exec nginx -g "daemon off;"