From 3a6c690f469753bf42bd9b015d830bf6f91d9aa2 Mon Sep 17 00:00:00 2001
From: Robert Kaussow 
Date: Sat, 28 Sep 2019 21:00:56 +0200
Subject: [PATCH] refactor: create a rootless image

---
Dockerfile.linux.amd64 | 22 +-
overlay/etc/crontabs/nginx | 2 +
overlay/etc/nginx/nginx.conf | 76 -----
overlay/etc/nginx/vhost.conf | 52 +++
overlay/etc/php7/php-fpm.conf | 2 +-
overlay/etc/php7/php.ini | 391 -----------------------
overlay/etc/services.d/.s6-svscan/crash | 4 -
overlay/etc/services.d/.s6-svscan/finish | 2 -
overlay/etc/services.d/cron/run | 2 -
overlay/etc/services.d/nginx/run | 2 -
overlay/etc/services.d/php/run | 2 -
overlay/usr/local/bin/entrypoint.sh | 11 +-
12 files changed, 74 insertions(+), 494 deletions(-)
delete mode 100644 overlay/etc/nginx/nginx.conf
create mode 100644 overlay/etc/nginx/vhost.conf
delete mode 100644 overlay/etc/php7/php.ini
delete mode 100755 overlay/etc/services.d/.s6-svscan/crash
delete mode 100755 overlay/etc/services.d/.s6-svscan/finish
delete mode 100755 overlay/etc/services.d/cron/run
delete mode 100755 overlay/etc/services.d/nginx/run
delete mode 100755 overlay/etc/services.d/php/run

diff --git a/Dockerfile.linux.amd64 b/Dockerfile.linux.amd64
index 34e677d..3cea0c6 100644
--- a/Dockerfile.linux.amd64
+++ b/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
-FROM alpine:3.10.0
+FROM xoxys/nginx:latest
 LABEL maintainer="Robert Kaussow " \
 org.label-schema.name="Kanboard" \
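Review bot: The base image is now a floating tag, `FROM xoxys/nginx:latest`, replacing the pinned `alpine:3.10.0`, so every rebuild silently picks up whatever that third-party image currently contains, and the rootless setup in the rest of the patch (the `nginx` user, the `/usr/local/bin/gomplate` binary the entrypoint still calls but this Dockerfile no longer downloads) depends entirely on it. Pin it to an explicit tag and preferably a digest, e.g. `FROM xoxys/nginx:<tag>@sha256:<digest>`, and bump it deliberately; if a floating build is wanted for CI, expose it as an `ARG` with a pinned default rather than hardcoding `:latest`. The hunk header says four old lines but only three are visible here, so the fourth context line may have been lost in extraction.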
@@ -10,32 +10,38 @@ ARG KANBOARD_VERSION=master
 ARG KANBOARD_TARBALL=https://github.com/kanboard/kanboard/archive/${KANBOARD_VERSION}.tar.gz

 RUN apk --update add --virtual .build-deps tar curl && \
- apk --update add nginx ca-certificates s6 ssmtp mailx php7 php7-phar php7-curl \
+ apk --update add ssmtp mailx php7 php7-phar php7-curl \
 php7-fpm php7-json php7-zlib php7-xml php7-dom php7-ctype php7-opcache php7-zip php7-iconv \
 php7-pdo php7-pdo_mysql php7-pdo_sqlite php7-pdo_pgsql php7-mbstring php7-session php7-bcmath \
 php7-gd php7-mcrypt php7-openssl php7-sockets php7-posix php7-ldap php7-simplexml && \
 rm -rf /var/www/localhost && \
 rm -f /etc/php7/php-fpm.d/www.conf && \
 mkdir -p /var/www/app && \
- curl -SsL -o /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64-slim && \
- chmod 755 /usr/local/bin/gomplate && \
 curl -SsL ${KANBOARD_TARBALL} | tar xz -C /var/www/app/ --strip-components=1 && \
 curl -SsL -o /etc/php7/browscap.ini https://browscap.org/stream?q=Lite_PHP_BrowsCapINI && \
+ curl -SsL -o /usr/local/bin/supercronic https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64 && \
+ chmod 755 /usr/local/bin/supercronic && \
 apk del .build-deps && \
 rm -rf /var/cache/apk/* && \
 rm -rf /tmp/* && \
+ mkdir -p /var/run/php && \
+ chown -R nginx /var/run/php && \
 mkdir -p /var/lib/php/tmp_upload && \
 mkdir -p /var/lib/php/soap_cache && \
 mkdir -p /var/lib/php/session && \
- chown -R nginx:nginx /var/lib/php/tmp_upload && \
- chown -R nginx:nginx /var/lib/php/soap_cache && \
- chown -R nginx:nginx /var/lib/php/session
+ chown -R nginx /var/lib/php && \
+ chown nginx /etc/php7/php.ini && \
+ chown -R nginx /var/www/app

 ADD overlay/ /

 VOLUME /var/www/app/plugins

-EXPOSE 80
+EXPOSE 8080
+
+USER nginx
+
+STOPSIGNAL SIGTERM

 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD /usr/local/bin/healthcheck.sh
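Review bot: The new `curl -SsL -o /usr/local/bin/supercronic …` line installs a binary fetched from a GitHub release with no integrity check, and because `-f` is not passed an HTTP error body would be written to that path and then made executable by the following `chmod 755` instead of failing the build. Declare the expected hash as an `ARG` next to `KANBOARD_VERSION` and verify before the chmod, e.g. `echo "${SUPERCRONIC_SHA256}  /usr/local/bin/supercronic" | sha256sum -c - && \`, and add `-f` to the curl calls (the kanboard tarball and browscap fetches have the same gap, though they are unchanged context here). Separately, `chown -R nginx /var/www/app` and `chown nginx /etc/php7/php.ini` give the runtime user write access to the whole application tree and to the PHP configuration, where the old image chowned only the `/var/lib/php` subdirectories; php-fpm appears to run under that same user (php-fpm.conf sets `group = nginx`), so a compromised PHP worker could rewrite application code or lift whatever restrictions php.ini carries. If the ownership is needed only because the entrypoint renders php.ini and config.php with gomplate as that user at startup, restrict the chown to those two files plus `data/` and `plugins/` and keep the rest of the tree root-owned.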
diff --git a/overlay/etc/crontabs/nginx b/overlay/etc/crontabs/nginx
index 9cc07ad..c0e2f93 100644
--- a/overlay/etc/crontabs/nginx
+++ b/overlay/etc/crontabs/nginx
@@ -1 +1,3 @@
+SHELL=/bin/sh
 0 8 * * * cd /var/www/app && ./cli cronjob >/dev/null 2>&1
+* * * * * echo "XXXXX"
diff --git a/overlay/etc/nginx/nginx.conf b/overlay/etc/nginx/nginx.conf
deleted file mode 100644
index 4b24902..0000000
--- a/overlay/etc/nginx/nginx.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-user nginx;
-worker_processes 1;
-pid /var/run/nginx.pid;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- server_tokens off;
- access_log off;
- error_log /dev/stderr;
-
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
-
- server {
- listen 80;
- server_name localhost;
- index index.php;
- root /var/www/app;
- client_max_body_size 32M;
-
- location / {
- try_files $uri $uri/ /index.php$is_args$args;
- }
-
- location ~ \.php$ {
- try_files $uri =404;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/var/run/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_index index.php;
- include fastcgi_params;
- }
-
- location ~ /data {
- return 404;
- }
-
- location ~* ^.+\.(log|sqlite)$ {
- return 404;
- }
-
- location ~ /\.ht {
- return 404;
- }
-
- location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
- log_not_found off;
- expires 7d;
- etag on;
- }
-
- gzip on;
- gzip_comp_level 3;
- gzip_disable "msie6";
- gzip_vary on;
- gzip_types
- text/javascript
- application/javascript
- application/json
- text/xml
- application/xml
- application/rss+xml
- text/css
- text/plain;
- }
-}
diff --git a/overlay/etc/nginx/vhost.conf b/overlay/etc/nginx/vhost.conf
new file mode 100644
index 0000000..0dbd10d
--- /dev/null
+++ b/overlay/etc/nginx/vhost.conf
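Review bot: The added `* * * * * echo "XXXXX"` entry looks like a leftover debugging job rather than something the image needs: it forks a shell every minute for the container's lifetime and, because the entrypoint sends supercronic's stdout to /dev/null, produces nothing observable. Drop that line and keep only `SHELL=/bin/sh` plus the existing `0 8 * * * cd /var/www/app && ./cli cronjob >/dev/null 2>&1`. On the unchanged job, the `>/dev/null 2>&1` redirection now hides the output of `./cli cronjob` from supercronic's per-job log capture entirely, so cron failures will never appear in the container logs; removing the redirection would be a worthwhile follow-up.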
@@ -0,0 +1,52 @@
+server {
+ listen 8080;
+ server_name localhost;
+ index index.php;
+ root /var/www/app;
+ client_max_body_size 32M;
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ location ~ /data {
+ return 404;
+ }
+
+ location ~* ^.+\.(log|sqlite)$ {
+ return 404;
+ }
+
+ location ~ /\.ht {
+ return 404;
+ }
+
+ location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
+ log_not_found off;
+ expires 7d;
+ etag on;
+ }
+
+ gzip on;
+ gzip_comp_level 3;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_types
+ text/javascript
+ application/javascript
+ application/json
+ text/xml
+ application/xml
+ application/rss+xml
+ text/css
+ text/plain;
+}
diff --git a/overlay/etc/php7/php-fpm.conf b/overlay/etc/php7/php-fpm.conf
index 31caf98..c5f6603 100644
--- a/overlay/etc/php7/php-fpm.conf
+++ b/overlay/etc/php7/php-fpm.conf
@@ -11,7 +11,7 @@ group = nginx
 listen.owner = nginx
 listen.group = nginx
-listen = /var/run/php-fpm.sock
+listen = /var/run/php/php-fpm.sock
 pm = dynamic
 pm.max_children = 20
diff --git a/overlay/etc/php7/php.ini b/overlay/etc/php7/php.ini
deleted file mode 100644
index 8721644..0000000
--- a/overlay/etc/php7/php.ini
+++ /dev/null
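Review bot: In the new vhost.conf the deny rules `location ~ /data`, `location ~* ^.+\.(log|sqlite)$` and `location ~ /\.ht` are regex locations placed after `location ~ \.php$`, and nginx uses the first matching regex location in file order, so a request such as `/data/anything.php` is handled by the PHP block and passed to php-fpm (subject only to `try_files $uri =404`) instead of returning 404. The ordering is carried over from the deleted nginx.conf, but since this is a new file it is the moment to fix it: move the three deny blocks above the PHP location, or make the data rule a prefix location that takes precedence over regexes, `location ^~ /data { return 404; }`. Whether a `.php` file can actually end up under `data/` depends on Kanboard's upload handling, which this patch does not show, so treat the reordering as defence in depth rather than a known hole.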
@@ -1,391 +0,0 @@ -[PHP] -user_ini.filename = ".user.ini" -user_ini.cache_ttl = 300 - -engine = On -short_open_tag = Off - -precision = 14 - -output_buffering = 0 -;output_handler = - -zlib.output_compression = Off -;zlib.output_compression_level = -1 -;zlib.output_handler = - -implicit_flush = Off - -unserialize_callback_func = -serialize_precision = 17 - -open_basedir = "/var/www/app:/var/lib/php/tmp_upload:/var/lib/php/session:/var/lib/php/soap_cache" - -disable_functions = system, exec, shell_exec, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, move_uploaded_file, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo -disable_classes = - -;highlight.string = #DD0000 -;highlight.comment = #FF9900 -;highlight.keyword = #007700 -;highlight.default = #0000BB -;highlight.html = #000000 - -;ignore_user_abort = On - -;realpath_cache_size = 16k -;realpath_cache_ttl = 120 - -zend.enable_gc = On -;zend.multibyte = Off -;zend.script_encoding = - -expose_php = Off - -max_execution_time = 30 -max_input_time = 60 -;max_input_nesting_level = 64 -max_input_vars = 100 -memory_limit = 50M - -error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT -display_errors = Off -display_startup_errors = Off -log_errors = On -log_errors_max_len = 1024 -ignore_repeated_errors = Off -ignore_repeated_source = Off -report_memleaks = On -;report_zend_debug = 0 -;xmlrpc_errors = 0 -;xmlrpc_error_number = 0 -html_errors = On -;docref_root = "/phpmanual/" -;docref_ext = .html -;error_prepend_string = "" -;error_append_string = "" -error_log = /proc/self/fd/2 -;windows.show_crt_warning - -;arg_separator.output = "&" -;arg_separator.input = ";&" - -variables_order = "GPCS" -request_order = "GP" - -register_argc_argv = Off -auto_globals_jit = On -;enable_post_data_reading = Off -post_max_size = 8M - -auto_prepend_file = -auto_append_file = - -default_mimetype = "text/html" -default_charset = "UTF-8" -;internal_encoding = -;input_encoding = 
-;output_encoding = - -;include_path = ".:/php7/includes" - -doc_root = -user_dir = - -extension_dir = "/usr/lib/php7/modules" -;sys_temp_dir = "/tmp" -enable_dl = Off - -cgi.force_redirect = 1 -;cgi.nph = 1 -;cgi.redirect_status_env = -cgi.fix_pathinfo = 0 -cgi.discard_path = 1 - -;fastcgi.impersonate = 1 -;fastcgi.logging = 0 -;cgi.rfc2616_headers = 0 -;cgi.check_shebang_line = 1 - -file_uploads = Off -upload_tmp_dir = /var/lib/php/tmp_upload -upload_max_filesize = 2M -max_file_uploads = 2 - -allow_url_fopen = On -allow_url_include = Off - -;from="john@doe.com" -;user_agent="PHP" - -default_socket_timeout = 60 -;auto_detect_line_endings = Off - -[CLI Server] -cli_server.color = On - -[Date] -date.timezone = Europe/Berlin -;date.default_latitude = 31.7667 -;date.default_longitude = 35.2333 -;date.sunrise_zenith = 90.583333 -;date.sunset_zenith = 90.583333 - -[filter] -;filter.default = unsafe_raw -;filter.default_flags = - -[iconv] -;iconv.input_encoding = -;iconv.internal_encoding = -;iconv.output_encoding = - -[intl] -;intl.default_locale = -;intl.error_level = E_WARNING -;intl.use_exceptions = 0 - -[sqlite3] -;sqlite3.extension_dir = - -[Pcre] -;pcre.backtrack_limit = 100000 -;pcre.recursion_limit = 100000 -;pcre.jit = 1 - -[Pdo] -;pdo_odbc.connection_pooling = strict -;pdo_odbc.db2_instance_name - -[Pdo_mysql] -pdo_mysql.cache_size = 2000 -pdo_mysql.default_socket = - -[Phar] -;phar.readonly = On -;phar.require_hash = On -;phar.cache_list = - -[mail function] -SMTP = localhost -smtp_port = 25 -;sendmail_path = - -;mail.force_extra_parameters = -mail.add_x_header = On -;mail.log = -;mail.log = syslog - -[SQL] -sql.safe_mode = On - -[ODBC] -;odbc.default_db = Not yet implemented -;odbc.default_user = Not yet implemented -;odbc.default_pw = Not yet implemented -;odbc.default_cursortype -odbc.allow_persistent = On -odbc.check_persistent = On -odbc.max_persistent = -1 -odbc.max_links = -1 -odbc.defaultlrl = 4096 -odbc.defaultbinmode = 1 -;birdstep.max_links = -1 - 
-[Interbase] -ibase.allow_persistent = 1 -ibase.max_persistent = -1 -ibase.max_links = -1 -;ibase.default_db = -;ibase.default_user = -;ibase.default_password = -;ibase.default_charset = -ibase.timestampformat = "%Y-%m-%d %H:%M:%S" -ibase.dateformat = "%Y-%m-%d" -ibase.timeformat = "%H:%M:%S" - -[MySQLi] -;mysqli.allow_local_infile = On -mysqli.max_persistent = -1 -mysqli.allow_persistent = On -mysqli.max_links = -1 -mysqli.cache_size = 2000 -mysqli.default_port = 3306 -mysqli.default_socket = -mysqli.default_host = -mysqli.default_user = -mysqli.default_pw = -mysqli.reconnect = Off - -[mysqlnd] -mysqlnd.collect_statistics = On -mysqlnd.collect_memory_statistics = Off -;mysqlnd.debug = -;mysqlnd.log_mask = 0 -;mysqlnd.mempool_default_size = 16000 -;mysqlnd.net_cmd_buffer_size = 2048 -;mysqlnd.net_read_buffer_size = 32768 -;mysqlnd.net_read_timeout = 31536000 -;mysqlnd.sha256_server_public_key = - -[OCI8] -;oci8.privileged_connect = Off -;oci8.max_persistent = -1 -;oci8.persistent_timeout = -1 -;oci8.ping_interval = 60 -;oci8.connection_class = -;oci8.events = Off -;oci8.statement_cache_size = 20 -;oci8.default_prefetch = 100 -;oci8.old_oci_close_semantics = Off - -[PostgreSQL] -pgsql.allow_persistent = On -pgsql.auto_reset_persistent = Off -pgsql.max_persistent = -1 -pgsql.max_links = -1 -pgsql.ignore_notice = 0 -pgsql.log_notice = 0 - -[bcmath] -bcmath.scale = 0 - -[browscap] -browscap = /etc/php7/browscap.ini - -[Session] -session.save_handler = files -session.save_path = "/var/lib/php/session" -session.use_strict_mode = 1 -session.use_cookies = 1 -session.cookie_secure = 0 -session.use_only_cookies = 1 -session.name = PHPSESSID -session.auto_start = Off -session.cookie_lifetime = 14400 -session.cookie_path = / -session.cookie_domain = -session.cookie_httponly = 1 -session.serialize_handler = php -session.gc_probability = 1 -session.gc_divisor = 1000 -session.gc_maxlifetime = 1440 -session.referer_check = -;session.entropy_length = 32 -;session.entropy_file = 
/dev/urandom -session.cache_limiter = nocache -session.cache_expire = 30 -session.use_trans_sid = 0 -session.hash_function = sha512 -session.hash_bits_per_character = 5 -url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" -;session.upload_progress.enabled = On -;session.upload_progress.cleanup = On -;session.upload_progress.prefix = "upload_progress_" -;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" -;session.upload_progress.freq = "1%" -;session.upload_progress.min_freq = "1" -;session.lazy_write = On - -[Assertion] -zend.assertions = -1 -;assert.active = On -;assert.exception = On -;assert.warning = On -;assert.bail = Off -;assert.callback = 0 -;assert.quiet_eval = 0 - -[COM] -;com.typelib_file = -;com.allow_dcom = true -;com.autoregister_typelib = true -;com.autoregister_casesensitive = false -;com.autoregister_verbose = true -;com.code_page= - -[mbstring] -;mbstring.language = Japanese -;mbstring.internal_encoding = -;mbstring.http_input = -;mbstring.http_output = -;mbstring.encoding_translation = Off -;mbstring.detect_order = auto -;mbstring.substitute_character = none -;mbstring.func_overload = 0 -;mbstring.strict_detection = On -;mbstring.http_output_conv_mimetype = - -[gd] -;gd.jpeg_ignore_warning = 0 - -[exif] -;exif.encode_unicode = ISO-8859-15 -;exif.decode_unicode_motorola = UCS-2BE -;exif.decode_unicode_intel = UCS-2LE -;exif.encode_jis = -;exif.decode_jis_motorola = JIS -;exif.decode_jis_intel = JIS - -[Tidy] -;tidy.default_config = /usr/local/lib/php7/default.tcfg -tidy.clean_output = Off - -[soap] -soap.wsdl_cache_enabled = 1 -soap.wsdl_cache_dir = "/var/lib/php/soap_cache" -soap.wsdl_cache_ttl = 86400 -soap.wsdl_cache_limit = 5 - -[sysvshm] -;sysvshm.init_mem = 10000 - -[ldap] -ldap.max_links = -1 - -[mcrypt] -;mcrypt.algorithms_dir = -;mcrypt.modes_dir = - -[dba] -;dba.default_handler = - -[opcache] -;opcache.enable = 0 -;opcache.enable_cli = 0 -;opcache.memory_consumption = 64 -;opcache.interned_strings_buffer 
= 4 -;opcache.max_accelerated_files = 2000 -;opcache.max_wasted_percentage = 5 -;opcache.use_cwd = 1 -;opcache.validate_timestamps = 1 -;opcache.revalidate_freq = 2 -;opcache.revalidate_path = 0 -;opcache.save_comments = 1 -;opcache.fast_shutdown = 0 -;opcache.enable_file_override = 0 -;opcache.optimization_level = 0xffffffff -;opcache.dups_fix = 0 -;opcache.blacklist_filename = -;opcache.max_file_size = 0 -;opcache.consistency_checks = 0 -;opcache.force_restart_timeout = 180 -;opcache.error_log = -;opcache.log_verbosity_level = 1 -;opcache.preferred_memory_model = -;opcache.protect_memory = 0 -;opcache.restrict_api = -;opcache.mmap_base = -;opcache.file_cache = -;opcache.file_cache_only = 0 -;opcache.file_cache_consistency_checks = 1 -;opcache.file_cache_fallback = 1 -;opcache.huge_code_pages = 1 -;opcache.validate_permission = 0 -;opcache.validate_root = 0 - -[curl] -curl.cainfo = /etc/ssl/certs/ca-certificates.crt - -[openssl] -openssl.cafile = /etc/ssl/certs/ca-certificates.crt -openssl.capath = /etc/ssl/certs diff --git a/overlay/etc/services.d/.s6-svscan/crash b/overlay/etc/services.d/.s6-svscan/crash deleted file mode 100755 index 3c3a189..0000000 --- a/overlay/etc/services.d/.s6-svscan/crash +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -set -e -echo "Container crashed. Exiting..." -exit 1 diff --git a/overlay/etc/services.d/.s6-svscan/finish b/overlay/etc/services.d/.s6-svscan/finish deleted file mode 100755 index 039e4d0..0000000 --- a/overlay/etc/services.d/.s6-svscan/finish +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -exit 0 diff --git a/overlay/etc/services.d/cron/run b/overlay/etc/services.d/cron/run deleted file mode 100755 index 2cc28e5..0000000 --- a/overlay/etc/services.d/cron/run +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/execlineb -P -crond -f diff --git a/overlay/etc/services.d/nginx/run b/overlay/etc/services.d/nginx/run deleted file mode 100755 index 7bb9132..0000000 --- a/overlay/etc/services.d/nginx/run +++ /dev/null 
@@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-nginx -g "daemon off;"
diff --git a/overlay/etc/services.d/php/run b/overlay/etc/services.d/php/run
deleted file mode 100755
index 21dd010..0000000
--- a/overlay/etc/services.d/php/run
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/execlineb -P
-php-fpm7 -F
diff --git a/overlay/usr/local/bin/entrypoint.sh b/overlay/usr/local/bin/entrypoint.sh
index 0439899..cb37f51 100755
--- a/overlay/usr/local/bin/entrypoint.sh
+++ b/overlay/usr/local/bin/entrypoint.sh
@@ -1,8 +1,7 @@
 #!/bin/sh
-/usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl
-/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl
+/usr/local/bin/gomplate -V -o /etc/php7/php.ini -f /etc/templates/php.ini.tmpl 1>/dev/null
+/usr/local/bin/gomplate -V -o /var/www/app/config.php -f /etc/templates/config.php.tmpl 1>/dev/null

-chown -R nginx:nginx /var/www/app/data
-chown -R nginx:nginx /var/www/app/plugins
-
-exec /bin/s6-svscan /etc/services.d
+exec supercronic -split-logs /etc/crontabs/nginx 1>/dev/null &
+exec php-fpm7 -F &
+exec nginx -g "daemon off;"
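Review bot: Nothing supervises php-fpm or supercronic once the new entrypoint backgrounds them with `exec supercronic … &` / `exec php-fpm7 -F &` and then hands PID 1 to `exec nginx`: if php-fpm dies the container keeps running and every request 502s, a `docker stop` (STOPSIGNAL SIGTERM) reaches only nginx because the shell has exec'ed away, and the `exec` before each `&` does nothing since each command already runs in its own subshell. The script also has no `set -e`, so a failing gomplate render — the added `1>/dev/null` only hides stdout — still starts all three services against a stale or missing php.ini/config.php. Unless the `xoxys/nginx` base ships an init that the image inherits (not visible in this patch), the removed s6 setup or an equivalent supervisor is the right tool; at minimum fail fast on rendering errors and forward the stop signal to all children, as sketched below (plain `wait` still will not exit when a single child dies). Dropping the old `chown -R nginx:nginx /var/www/app/data` / `plugins` lines is correct for a non-root entrypoint, but it means a root-owned volume mounted at `/var/www/app/plugins` is now unwritable, which deserves a note in the image documentation.
```shell
#!/bin/sh
set -eu

# … unchanged: gomplate rendering of /etc/php7/php.ini and /var/www/app/config.php …

supercronic -split-logs /etc/crontabs/nginx 1>/dev/null &
pids=$!
php-fpm7 -F &
pids="$pids $!"
nginx -g "daemon off;" &
pids="$pids $!"

# PID 1 ignores signals without a handler; forward the container's stop
# signal to all three services instead of letting only nginx see it
trap 'kill -TERM $pids' TERM INT
wait
```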