diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f548e260..089f7bef 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -99,13 +99,16 @@ jobs: - name: Spin up services run: docker-compose -f docker-compose.yml up -d - name: Wait - run: sleep 60 + run: sleep 70 - name: Check status run: docker ps -a - name: Test - run: curl http://localhost:8080/ -L --fail -s | grep 'Sign in' -q + run: curl http://localhost:8080/ -L --fail -vvv | grep 'Sign in' -q - name: Test Email run: docker-compose exec -T humhub php /var/www/localhost/htdocs/protected/yii test/email 'test@example.com' | grep 'Message successfully sent!' -q + - name: Collect logs + if: ${{ always() }} + run: docker-compose -f docker-compose.prod.yml logs test_prod: needs: build_variants runs-on: ubuntu-latest @@ -140,13 +143,16 @@ jobs: - name: Spin up services run: docker-compose -f docker-compose.prod.yml up -d - name: Wait - run: sleep 60 + run: sleep 70 - name: Check status run: docker ps -a - name: Test - run: curl http://localhost:8080/ -L --fail -s | grep 'Sign in' -q + run: curl http://localhost:8080/ -L --fail -vvv | grep 'Sign in' -q - name: Test Email run: docker-compose exec -T humhub php /var/www/localhost/htdocs/protected/yii test/email 'test@example.com' | grep 'Message successfully sent!' -q + - name: Collect logs + if: ${{ always() }} + run: docker-compose -f docker-compose.prod.yml logs push_ghcr: needs: ["test_aio", "test_prod"] runs-on: ubuntu-latest diff --git a/Dockerfile b/Dockerfile index 27ac3557..c4470a6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -59,7 +59,7 @@ ARG RUNTIME_DEPS="\ php7-xmlwriter \ php7-zip \ sqlite \ - supervisor \ + multirun \ tzdata \ " 
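Review bot: The new `Collect logs` step in the first hunk runs `docker-compose -f docker-compose.prod.yml logs`, but this job brought its services up with `-f docker-compose.yml` a few lines earlier, so on a failure it prints the logs of a project that was never started (or nothing) rather than the one under test; it should read `run: docker-compose -f docker-compose.yml logs`. Because the step is guarded by `if: ${{ always() }}`, the complete container output lands in the public job log, so anything sensitive in the compose environment should be kept out or redacted before this step. The job header is outside the hunk, so the job is identified here only by the `docker-compose.yml` line it contains.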
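Review bot: In the test_prod hunk `sleep 70` is a fixed wait that is already being raised for flakiness; polling the endpoint is faster and more robust, e.g. drop the `Wait` step and make the `Test` step `run: curl --retry 30 --retry-delay 3 --retry-all-errors -fsSL http://localhost:8080/ | grep -q 'Sign in'` (`--retry-all-errors` needs curl ≥ 7.71, which ubuntu-latest provides). Changing `-s` to `-vvv` also writes every redirect's request and response headers, including any `Set-Cookie`, into the job log; `-sS` keeps error reporting without that dump, and a verbose re-run can live in a separate step under `if: failure()`.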
@@ -112,7 +112,8 @@ RUN apk add --no-cache --update $RUNTIME_DEPS && \ apk add --no-cache --virtual temp_pkgs gettext && \ cp /usr/bin/envsubst /usr/local/bin/envsubst && \ apk del temp_pkgs && \ - rm -rf /var/cache/apk/* + rm -rf /var/cache/apk/* && \ + chmod +x /usr/bin/multirun ENV PHP_POST_MAX_SIZE=16M ENV PHP_UPLOAD_MAX_FILESIZE=10M @@ -120,9 +121,6 @@ ENV PHP_MAX_EXECUTION_TIME=60 ENV PHP_MEMORY_LIMIT=1G ENV PHP_TIMEZONE=UTC -RUN touch /var/run/supervisor.sock && \ - chmod 777 /var/run/supervisor.sock - # 100=nginx 101=nginx (group) COPY --from=builder --chown=100:101 /usr/src/humhub /var/www/localhost/htdocs/ COPY --chown=100:101 humhub/ /var/www/localhost/htdocs/ @@ -132,10 +130,23 @@ RUN mkdir -p /usr/src/humhub/protected/config/ && \ rm -f var/www/localhost/htdocs/protected/config/common.php /usr/src/humhub/protected/config/common.php && \ echo "v${HUMHUB_VERSION}" > /usr/src/humhub/.version +# Non-root directories +RUN mkdir -p /var/www/localhost/htdocs/protected/runtime/logs && \ + mkdir -p /var/www/localhost/htdocs/uploads /var/www/localhost/htdocs/assets /var/www/localhost/htdocs/protected/modules /var/www/localhost/htdocs/themes /var/www/localhost/htdocs/protected/config && \ + mkdir -p /run/nginx /run/php-fpm && \ + touch /var/www/localhost/htdocs/protected/runtime/logs/app.log && \ + chown 100:101 -R /var/www/localhost/htdocs/protected/runtime/logs /run/nginx /run/php-fpm \ + /var/www/localhost/htdocs/uploads /var/www/localhost/htdocs/assets \ + /var/www/localhost/htdocs/protected/modules /var/www/localhost/htdocs/themes \ + /var/www/localhost/htdocs/protected/config + + COPY base/ / COPY docker-entrypoint.sh /docker-entrypoint.sh RUN chmod 600 /etc/crontabs/nginx && \ + chown 100:101 /etc/crontabs/nginx && \ + rm /etc/crontabs/root && \ chmod +x /docker-entrypoint.sh VOLUME /var/www/localhost/htdocs/uploads 
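Review bot: `chmod +x /usr/bin/multirun` appended to the apk `RUN` is a no-op when `multirun` comes from the Alpine package listed in `RUNTIME_DEPS`, because apk installs the binary executable; its only possible effect is to fail the build if the file is absent. Either drop it or say why it exists, e.g. `# multirun (apk) replaces supervisord; chmod kept only as a guard that the binary is present — TODO confirm still needed`. The `rm -rf /var/cache/apk/*` retained above it is likewise redundant with `--no-cache`.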
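Review bot: The `chown 100:101 -R` block fixes ownership only for paths baked into the image, yet the same directories are declared as volumes (`VOLUME /var/www/localhost/htdocs/uploads` here, config and modules outside the hunk) and the entrypoint no longer repairs them at start-up, so a host bind mount or an older root-owned volume now makes php-fpm fail to write instead of being fixed; this deserves a comment above the block, e.g. `# Ownership is fixed at build time only: bind-mounted volumes must already be owned by 100:101.` The README motivates the change with OpenShift, where the container runs as an arbitrary uid with gid 0, so ownership by 100:101 grants nothing there; the usual complement is `chgrp -R 0 <dirs> && chmod -R g=u <dirs>` next to the chown. The `RUN mkdir -p /usr/src/humhub/...` command this hunk patches begins outside the hunk.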
@@ -143,12 +154,16 @@ VOLUME /var/www/localhost/htdocs/protected/config VOLUME /var/www/localhost/htdocs/protected/modules ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["supervisord", "-n", "-c", "/etc/supervisord.conf"] + +#+----------- +# HumHub PHP +#+----------- FROM base as humhub_phponly LABEL variant="phponly" +USER root RUN apk add --no-cache fcgi COPY phponly/ / @@ -159,7 +174,13 @@ RUN chmod +x /usr/local/bin/php-fpm-healthcheck \ && adduser --uid 100 -g 101 -S nginx EXPOSE 9000 +USER nginx +CMD ["multirun", "/usr/sbin/php-fpm7 --fpm-config /etc/php-fpm.d/pool.conf -O -F", "tail -f /var/www/localhost/htdocs/protected/runtime/logs/app.log", "crond -f -L /proc/self/fd/2"] + +#+------------- +# HumHub NGINX +#+------------- FROM docker.io/library/nginx:1.23.3-alpine as humhub_nginx LABEL variant="nginx" @@ -168,16 +189,29 @@ ENV NGINX_CLIENT_MAX_BODY_SIZE=10m \ NGINX_KEEPALIVE_TIMEOUT=65 \ NGINX_UPSTREAM=humhub:9000 +USER root COPY nginx/ / COPY --from=builder --chown=nginx:nginx /usr/src/humhub/ /var/www/localhost/htdocs/ +RUN mkdir -p /var/cache/nginx /run/nginx && \ + chown nginx:nginx -R /etc/nginx /var/cache/nginx /run/nginx + +USER nginx +#+------------------ +# HumHub All-in-one +#+------------------ FROM base as humhub_allinone LABEL variant="allinone" +USER root RUN apk add --no-cache nginx && \ - chown -R nginx:nginx /var/lib/nginx/ + mkdir -p /etc/nginx && \ + chown -R nginx:nginx /var/lib/nginx/ /etc/nginx COPY nginx/ / +RUN chown nginx:nginx -R /etc/nginx EXPOSE 80 +USER nginx +CMD ["/usr/bin/multirun", "/usr/sbin/php-fpm7 --fpm-config /etc/php-fpm.d/pool.conf -O -F", "tail -f /var/www/localhost/htdocs/protected/runtime/logs/app.log", "crond -f -L /proc/self/fd/2", "/usr/sbin/nginx -g 'daemon off;'"] diff --git a/README.md b/README.md index ea8e1f39..37db9069 100644 --- a/README.md +++ b/README.md 
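Review bot: The phponly `CMD` now starts `crond -f -L /proc/self/fd/2` as the unprivileged `nginx` user; BusyBox crond switches identity per crontab (initgroups/setgid/setuid), which has historically failed without root (`can't set groups`), and neither CI job exercises cron, so please confirm in the built image that the `/etc/crontabs/nginx` jobs really run rather than crond exiting and multirun tearing the container down, ideally with a `Test Cron` step or at least a comment on the `CMD`. With php-fpm no longer a root master, any `user`/`group` directives in `/etc/php-fpm.d/pool.conf` (not in this diff) are ignored with a start-up warning and can be removed there. The restart behaviour relies on multirun exiting when any child exits and the orchestrator restarting the container; multirun itself is not shown here, so check the packaged version behaves that way.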
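Review bot: The allinone stage switches to `USER nginx` but keeps `EXPOSE 80` and runs `/usr/sbin/nginx -g 'daemon off;'`; the `listen` port in `nginx/etc/nginx/nginx.conf` is not in this diff, and if it is still 80 a non-root master can only bind it where the runtime sets `net.ipv4.ip_unprivileged_port_start=0` (Docker 20.10+ does, which is why CI passes; plain Kubernetes/OpenShift, the stated target, does not by default). Either move the listen to an unprivileged port (`EXPOSE 8080`, the nginx-unprivileged convention) or document the required pod sysctl next to `EXPOSE 80`. Separately, `chown nginx:nginx -R /etc/nginx` in both the nginx and allinone stages makes the whole server configuration writable by the runtime uid, and in allinone that uid is shared with php-fpm, so a compromised PHP worker could rewrite `nginx.conf` and HUP the master; restrict the chown to the file(s) that `60-nginx-config.sh` renders and leave the rest root-owned.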
@@ -6,6 +6,8 @@ > :warning: **Image Removal**: We have purged all registries from End-Of-Life images (1.4,1.5,1.6,1.7,1.8). These images were not maintained anymore and contained major security flaws. To protect the public we removed them. If you really want to use these images, you have to build them from source. +> :warning: **Default privileges change:** This container is no longer starting as root and then dropping the privileges. Supervisord (running previously as root) was changed to lighter alternative "multirun" that runs as "nginx" user directly. This change opens possibility to easily run on OpenShift and Kubernetes. + [HumHub](https://github.com/humhub/humhub) is a feature rich and highly flexible OpenSource Social Network Kit written in PHP. This container provides a quick, flexible and lightweight way to set up a proof-of-concept for detailed evaluation. Using this in production is possible, but please note that there is currently no official support available for this kind of setup. diff --git a/base/etc/php-fpm.d/listen.conf b/base/etc/php-fpm.d/listen.conf index fccb72ee..f812f5f0 100644 --- a/base/etc/php-fpm.d/listen.conf +++ b/base/etc/php-fpm.d/listen.conf @@ -1,3 +1,3 @@ -listen = /run/php-fpm.sock +listen = /run/nginx/php-fpm.sock listen.owner = nginx listen.group = nginx diff --git a/base/etc/supervisord.conf b/base/etc/supervisord.conf deleted file mode 100644 index 25b3ede1..00000000 --- a/base/etc/supervisord.conf +++ /dev/null @@ -1,17 +0,0 @@ -[supervisord] -user=root -nodaemon=true -loglevel=warn -pidfile=/var/run/supervisord.pid -logfile=/proc/self/fd/2 -stdout_logfile=/proc/self/fd/2 -stdout_logfile_maxbytes=0 - -[rpcinterface:supervisor] -supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - -[supervisorctl] -serverurl=unix:///var/run/supervisor.sock - -[include] -files=/etc/supervisord.conf.d/*.conf 
diff --git a/base/etc/supervisord.conf.d/cron.conf b/base/etc/supervisord.conf.d/cron.conf deleted file mode 100644 index 2f01ec34..00000000 --- a/base/etc/supervisord.conf.d/cron.conf +++ /dev/null @@ -1,5 +0,0 @@ -[program:cron] -command=crond -f -L /proc/self/fd/2 -user=root -autostart=true -autorestart=true diff --git a/base/etc/supervisord.conf.d/humhub-log.conf b/base/etc/supervisord.conf.d/humhub-log.conf deleted file mode 100644 index 8bf6a87e..00000000 --- a/base/etc/supervisord.conf.d/humhub-log.conf +++ /dev/null @@ -1,7 +0,0 @@ -[program:humhub-log] -command=tail -f /var/www/localhost/htdocs/protected/runtime/logs/app.log -autostart = true -stdout_logfile=/proc/self/fd/2 -stdout_logfile_maxbytes=0 -stderr_logfile=/proc/self/fd/2 -stderr_logfile_maxbytes=0 diff --git a/base/etc/supervisord.conf.d/php-fpm.conf b/base/etc/supervisord.conf.d/php-fpm.conf deleted file mode 100644 index 8788a729..00000000 --- a/base/etc/supervisord.conf.d/php-fpm.conf +++ /dev/null @@ -1,8 +0,0 @@ -[program:php-fpm] -command=/usr/sbin/php-fpm7 --fpm-config /etc/php-fpm.d/pool.conf -O -F -user=root -autostart = true -stdout_logfile=/proc/self/fd/2 -stdout_logfile_maxbytes=0 -stderr_logfile=/proc/self/fd/2 -stderr_logfile_maxbytes=0 diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 0e0ffc2d..7eae256d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -128,12 +128,6 @@ else mkdir -p /var/www/localhost/htdocs/protected/runtime/logs/ touch /var/www/localhost/htdocs/protected/runtime/logs/app.log - echo >&3 "$0: Setting permissions..." - chown -R nginx:nginx /var/www/localhost/htdocs/uploads - chown -R nginx:nginx /var/www/localhost/htdocs/protected/modules - chown -R nginx:nginx /var/www/localhost/htdocs/protected/config - chown -R nginx:nginx /var/www/localhost/htdocs/protected/runtime - wait_for_db echo >&3 "$0: Creating database..." 
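Review bot: Dropping the `chown -R nginx:nginx` calls is unavoidable now that the entrypoint runs unprivileged, but nothing replaces what they guaranteed: when `uploads`, `protected/config`, `protected/modules` or `protected/runtime` are bind-mounted root-owned, the script either stops with a terse permission error from `touch` or, if `set -e` is not in effect (the script header is outside this hunk), runs on into the `php yii` steps and fails there with an unclear cause. Check writability right after the `touch` and fail with an actionable message; the enclosing `else` branch starts and ends outside this hunk.
```shell
    mkdir -p /var/www/localhost/htdocs/protected/runtime/logs/
    touch /var/www/localhost/htdocs/protected/runtime/logs/app.log

    # Ownership can no longer be repaired here (not root): refuse to continue on unwritable mounts.
    for dir in uploads protected/config protected/modules protected/runtime; do
        if [ ! -w "/var/www/localhost/htdocs/${dir}" ]; then
            echo >&2 "$0: /var/www/localhost/htdocs/${dir} is not writable by uid $(id -u); chown it to 100:101 on the host"
            exit 1
        fi
    done

    # … unchanged: wait_for_db and database creation …
```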
@@ -191,9 +185,6 @@ else php yii 'settings/set' 'base' 'mailer.encryption' "${HUMHUB_MAILER_ENCRYPTION}" php yii 'settings/set' 'base' 'mailer.allowSelfSignedCerts' "${HUMHUB_MAILER_ALLOW_SELF_SIGNED_CERTS}" fi - - chown -R nginx:nginx /var/www/localhost/htdocs/protected/runtime - chown nginx:nginx /var/www/localhost/htdocs/protected/config/dynamic.php fi fi diff --git a/nginx/docker-entrypoint.d/60-nginx-config.sh b/nginx/docker-entrypoint.d/60-nginx-config.sh index 70c9677c..7f3eee65 100755 --- a/nginx/docker-entrypoint.d/60-nginx-config.sh +++ b/nginx/docker-entrypoint.d/60-nginx-config.sh @@ -2,7 +2,7 @@ set -e -export NGINX_UPSTREAM="${NGINX_UPSTREAM:-unix:/run/php-fpm.sock}" +export NGINX_UPSTREAM="${NGINX_UPSTREAM:-unix:/run/nginx/php-fpm.sock}" export NGINX_CLIENT_MAX_BODY_SIZE="${NGINX_CLIENT_MAX_BODY_SIZE:-10m}" export NGINX_KEEPALIVE_TIMEOUT="${NGINX_KEEPALIVE_TIMEOUT:-65}" diff --git a/nginx/etc/nginx/nginx.conf b/nginx/etc/nginx/nginx.conf index f2f2b684..b0fb7790 100644 --- a/nginx/etc/nginx/nginx.conf +++ b/nginx/etc/nginx/nginx.conf @@ -5,7 +5,7 @@ worker_processes 1; error_log /dev/stderr notice; #error_log logs/error.log info; -pid /run/nginx.pid; +pid /run/nginx/nginx.pid; events { diff --git a/nginx/etc/supervisord.conf.d/nginx.conf b/nginx/etc/supervisord.conf.d/nginx.conf deleted file mode 100644 index 75b9c7d8..00000000 --- a/nginx/etc/supervisord.conf.d/nginx.conf +++ /dev/null @@ -1,8 +0,0 @@ -[program:nginx] -command=/usr/sbin/nginx -g 'daemon off;' -user=root -autostart = true -stdout_logfile=/proc/self/fd/2 -stdout_logfile_maxbytes=0 -stderr_logfile=/proc/self/fd/2 -stderr_logfile_maxbytes=0