Swap out base docker container for dunglas/frankenphp, enabling us to run as non-root, addressing #271.
By default the container web address is now port 8080, so port mapping of -p 80:8080 will now be required
parent
bd62897e80
commit
bfe71edc44
@ -1,10 +1,18 @@
|
|||||||
.dockerignore
|
.dockerignore
|
||||||
.editorconfig
|
.editorconfig
|
||||||
.env.testing
|
.env.testing
|
||||||
|
.idea
|
||||||
.git*
|
.git*
|
||||||
docker/
|
docker/
|
||||||
|
node_modules/
|
||||||
|
storage/debugbar
|
||||||
|
storage/framework/cache/data
|
||||||
|
storage/framework/sessions
|
||||||
|
storage/framework/views
|
||||||
|
storage/logs
|
||||||
package.json
|
package.json
|
||||||
package-lock.json
|
package-lock.json
|
||||||
phpunit.xml
|
phpunit.xml
|
||||||
|
vendor/
|
||||||
webpack.mix.js
|
webpack.mix.js
|
||||||
yarn.lock
|
yarn.lock
|
||||||
|
@ -1,10 +1,37 @@
|
|||||||
FROM registry.dege.au/leenooks/php:8.3-fpm-ldap
|
FROM dunglas/frankenphp:latest-php8.3-alpine
|
||||||
|
|
||||||
|
# Base
|
||||||
|
RUN apk add --no-cache bash
|
||||||
|
|
||||||
|
# Additional extensions:
|
||||||
|
RUN install-php-extensions \
|
||||||
|
ldap \
|
||||||
|
memcached
|
||||||
|
|
||||||
|
RUN curl -4 https://getcomposer.org/installer|php -- --install-dir=/usr/local/bin --filename=composer
|
||||||
|
ENV COMPOSER_HOME=/var/cache/composer
|
||||||
|
|
||||||
|
ENV SITE_USER=www-data
|
||||||
|
|
||||||
|
COPY init-docker /sbin/init-docker
|
||||||
|
RUN chmod 550 /sbin/init-docker && chown ${SITE_USER}:0 /sbin/init-docker
|
||||||
|
|
||||||
COPY . /var/www/html/
|
COPY . /var/www/html/
|
||||||
|
WORKDIR /var/www/html
|
||||||
|
|
||||||
RUN mkdir -p ${COMPOSER_HOME} && \
|
RUN mkdir -p ${COMPOSER_HOME} \
|
||||||
([ -r auth.json ] && mv auth.json ${COMPOSER_HOME}) || true && \
|
&& ([ -r auth.json ] && mv auth.json ${COMPOSER_HOME}) || true \
|
||||||
touch .composer.refresh && \
|
&& touch .composer.refresh \
|
||||||
mv .env.example .env && \
|
&& mv .env.example .env \
|
||||||
FORCE_PERMS=1 NGINX_START=FALSE /sbin/init && \
|
&& FORCE_PERMS=1 /sbin/init-docker \
|
||||||
rm -rf ${COMPOSER_HOME}/* composer.lock
|
&& rm -rf ${COMPOSER_HOME}/* composer.lock
|
||||||
|
|
||||||
|
# Fix start up items
|
||||||
|
RUN sed -i -e 's/^{$CADDY_EXTRA_CONFIG}$/{$CADDY_EXTRA_CONFIG} /' /etc/caddy/Caddyfile
|
||||||
|
RUN chown ${SITE_USER} /config/caddy /data/caddy
|
||||||
|
|
||||||
|
USER ${SITE_USER}
|
||||||
|
|
||||||
|
# Control which port to open
|
||||||
|
ENV SERVER_NAME=:8080
|
||||||
|
EXPOSE 8080
|
||||||
|
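Review bot: `RUN curl -4 https://getcomposer.org/installer|php -- --install-dir=/usr/local/bin --filename=composer` executes a downloaded installer without any integrity check, and because `curl` is not given `-f` an HTTP error body would be piped into php just the same; the usual fix is `COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer`, or saving the installer to a file and comparing its SHA-384 with the published `https://composer.github.io/installer.sig` before running it. The base tag in `FROM dunglas/frankenphp:latest-php8.3-alpine` floats, so rebuilds are not reproducible; pinning it with an `@sha256:<digest>` suffix (placeholder) would fix that. The `# Fix start up items` comment above the `sed` on /etc/caddy/Caddyfile does not say why a trailing space is appended to the `{$CADDY_EXTRA_CONFIG}` line; a one-sentence why-comment there would spare the next maintainer a guess. `/sbin/init-docker` is invoked in this layer as root, before `USER ${SITE_USER}`, so its `su` calls succeed at build time; if the script is also meant to run at container start it would then be running unprivileged, which this commit does not appear to address.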
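--- a/docker/init-docker
+++ b/docker/init-docker
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+set -e
+role=${CONTAINER_ROLE:-app}
+env=${APP_ENV:-production}
+php=${PHP_DIR:-/var/www/html}
+composer=${COMPOSER_HOME:-/var/cache/composer}
+
+SITE_USER=${SITE_USER:-www-data}
+MEMCACHED_START=${MEMCACHED_START:-FALSE}
+
+# To run a local queue, running jobs from the queue "hostname"
+LOCAL_QUEUE=${LOCAL_QUEUE:-FALSE}
+# Optional additional queues to run for
+#LOCAL_QUEUES=
+
+function mp() {
+set +e
+mountpoint -q $1
+local mp=$?
+set -e
+echo ${mp}
+}
+
+function wait_for_db() {
+# Wait for DB to be active
+if [ -n "${DB_HOST}" -a -n "${DB_PORT}" ]; then
+while ! wait-for-it -h ${DB_HOST} -p ${DB_PORT} -t 5 -q; do
+echo "? Waiting for database at ${DB_HOST}:${DB_PORT}"
+sleep 1;
+done
+echo "- DB is active on ${DB_HOST}:${DB_PORT}"
+fi
+}
+
+# Run any container setup
+[ -x /sbin/init-container ] && /sbin/init-container
+
+# General Setup
+if [ -x /usr/bin/memcached -a "${MEMCACHED_START}" == "TRUE" ]; then
+echo "* Starting MEMCACHED..."
+/usr/bin/memcached -d -P /run/memcached/memcached.pid -u memcached
+fi
+
+# Laravel Specific
+if [ -r artisan -a -e ${php}/.env ]; then
+echo "* Laravel Setup..."
+mp=$(mp ${php})
+echo " - [${php}] is a mount point [${mp}]"
+
+# Only adjust perms if this is an external mountpoint
+if [ -n "${FORCE_PERMS}" -o ${mp} -eq 0 ]; then
+if [ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ]; then
+echo " - Setting Permissions..."
+# Make sure our permissions are appropraite
+find ${php} -type f -exec chmod 640 {} \;
+find ${php} -type d -exec chmod 750 {} \;
+find ${php}/public -type f -exec chmod 644 {} \;
+find ${php}/public -type d -exec chmod 755 {} \;
+chmod o+rx ${php}
+chmod a+rx ${php}/artisan
+chown -R ${SITE_USER}:www-data ${php}
+
+#if [ "${SITE_USER}" -ne "www-data" ]; then
+# echo " - Extended Permissions for ${SITE_USER}..."
+# chown -R www-data:www-data ${php}/storage ${php}/bootstrap ${php}/composer.*
+# [ -e ${php}/vendor ] && chown -R www-data:www-data ${php}/vendor
+#fi
+fi
+fi
+
+# See if we need to refresh our dependancies (only need if web dir is externally mounted)
+if [[ -r composer.json && ( -e .composer.refresh || ! -d vendor ) ]]; then
+echo " - Composer installing dependancies..."
+
+rm -f ${php}/bootstrap/cache/*.php
+if [ "${env}" != "local" ]; then
+NODEV="--no-dev"
+fi
+
+mp=$(mp ${composer})
+echo " - [${composer}] is a mount point [${mp}]"
+
+if [ -n "${FORCE_PERMS}" -o ${mp} -eq 0 ]; then
+[ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ] && chown -R ${SITE_USER}:www-data ${composer}
+[ ! -d ${php}/vendor ] && mkdir -m 750 ${php}/vendor && chown ${SITE_USER}:www-data ${php}/vendor
+[ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ] && chmod g+w ${php}
+fi
+
+su ${SITE_USER} -s /bin/sh -c "composer install --optimize-autoloader ${NODEV}" && ( test -e .composer.refresh && rm -f .composer.refresh )
+[ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ] && [ ${mp} -eq 0 ] && chmod g-w ${php}
+fi
+
+# We only check for non mount points, in case this container has the app inside
+mp=$(mp ${php})
+if [ ${mp} -eq 1 ]; then
+echo " - Caching configuration..."
+su ${SITE_USER} -s /bin/sh -c "(php artisan optimize)"
+fi
+
+if [ "${role}" = "app" ]; then
+if [ "${env}" != "local" ]; then
+if [ -z "${IGNORE_MIGRATION}" ]; then
+if [ -r .migrate ]; then
+echo " - Running migration..."
+# If DB_HOST not set, source the env file
+[ -z "${DB_HOST}" -a -r .env ] && . .env
+
+wait_for_db
+
+su ${SITE_USER} -s /bin/sh -c "php artisan migrate" && rm -f .migrate
+fi
+else
+[ -r .migrate ] && echo "! NOTE: Migration ignored due to IGNORE_MIGRATION"
+fi
+
+# If passport is installed
+if [ -d ${php}/vendor/laravel/passport ]; then
+echo " - Generating OAUTH keys ..."
+set +e
+su ${SITE_USER} -s /bin/sh -c "php artisan passport:keys"
+set -e
+fi
+fi
+
+if [ "${LOCAL_QUEUE}" = "TRUE" ]; then
+echo " - Starting local queue for [$(hostname)${LOCAL_QUEUES:+,${LOCAL_QUEUES}}] with job timeout of [${WORK_TIMEOUT:-90}], trying [${WORK_TRIES:-1}] times..."
+su ${SITE_USER} -s /bin/sh -c "
+(while true; do php ${PHP_OPTIONS} artisan queue:work --verbose --tries=${WORK_TRIES:-1} --timeout=${WORK_TIMEOUT:-90} --queue=$(hostname)${LOCAL_QUEUES:+,${LOCAL_QUEUES}} ${WORK_MEMORY:+--memory=${WORK_MEMORY}} ${WORK_ONCE:+--once}; done) &
+"
+fi
+
+set +e
+[ -x init-php.sh ] && su ${SITE_USER} -s /bin/sh "init-php.sh" &
+
+exec /usr/local/bin/docker-php-entrypoint "$@"
+
+elif [ "$role" = "queue" ]; then
+QUEUE_CMD=work
+
+if [ "${env}" == "local" ]; then
+QUEUE_CMD=listen
+fi
+
+echo " - Running the queue..."
+# We'll delay starting in case the app is caching
+sleep 15
+
+wait_for_db
+
+su ${SITE_USER} -s /bin/sh -c "
+while true; do
+php ${PHP_OPTIONS} artisan queue:${QUEUE_CMD} --verbose --tries=${WORK_TRIES:-1} --timeout=${WORK_TIMEOUT:-90} ${WORK_QUEUES:+--queue=${WORK_QUEUES}} ${WORK_MEMORY:+--memory=${WORK_MEMORY}} ${WORK_ONCE:+--once}
+done
+"
+
+elif [ "$role" = "scheduler" ]; then
+echo " - Running the scheduler..."
+# We'll delay starting in case the app is caching
+sleep 15
+
+su ${SITE_USER} -s /bin/sh -c "
+while true; do
+php ${PHP_OPTIONS} artisan schedule:work --verbose --no-interaction
+done
+"
+fi
+
+else
+echo "? NO container role \"${role}\", AND/OR no laravel install, just starting php-fpm"
+exec /usr/local/bin/docker-php-entrypoint "$@"
+fi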
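Review bot: `[ -z "${DB_HOST}" -a -r .env ] && . .env` in the migration branch executes the application's .env as shell code, so whatever that file contains — including an externally mounted one — runs with this script's privileges, and Laravel .env values are not guaranteed to be shell-safe (unquoted spaces, `#`, `${...}`); reading only the two keys that are needed, e.g. `DB_HOST=$(sed -n 's/^DB_HOST=//p' .env)` and likewise for `DB_PORT` (quoted values would still need stripping), avoids both problems. In `wait_for_db` the `!` also negates a command-not-found status, so if `wait-for-it` is missing from the image (the Dockerfile in this commit only adds `bash`) the loop prints "Waiting for database" forever; a `command -v wait-for-it >/dev/null || exit 1` before the loop would fail fast instead. Throughout the file expansions such as `mountpoint -q $1`, `find ${php} -type f ...` and `chown -R ${SITE_USER}:www-data ${php}` are unquoted and the tests use the deprecated `-a`/`-o` forms; ShellCheck flags all of these, and `[[ ... && ... ]]` with quoted expansions is the fix. The `mp` function is shadowed by a variable of the same name on the `mp=$(mp ${php})` lines, which works but reads badly; renaming one of them (`is_mountpoint`) would help.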