From be11f9b1b2a47aeb7eefebafb81e4adde3f93ebd Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Mon, 24 May 2021 15:05:05 +0200 Subject: [PATCH 01/67] pass in GoogleCloudStorage required environment variables --- etc/php8/php-fpm.d/zz-docker.conf | 6 ++++++ etc/s6/services/php-fpm8/run | 1 + 2 files changed, 7 insertions(+) diff --git a/etc/php8/php-fpm.d/zz-docker.conf b/etc/php8/php-fpm.d/zz-docker.conf index a280b73..9e6df63 100644 --- a/etc/php8/php-fpm.d/zz-docker.conf +++ b/etc/php8/php-fpm.d/zz-docker.conf @@ -11,3 +11,9 @@ pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 + +env[PRIVATEBIN_GCS_BUCKET] = $PRIVATEBIN_GCS_BUCKET +env[GOOGLE_APPLICATION_CREDENTIALS] = $GOOGLE_APPLICATION_CREDENTIALS +env[GOOGLE_CLOUD_PROJECT] = $GOOGLE_CLOUD_PROJECT +env[GCLOUD_PROJECT] = $GCLOUD_PROJECT +env[CONFIG_PATH] = $CONFIG_PATH diff --git a/etc/s6/services/php-fpm8/run b/etc/s6/services/php-fpm8/run index 44715e9..113c517 100755 --- a/etc/s6/services/php-fpm8/run +++ b/etc/s6/services/php-fpm8/run @@ -1,2 +1,3 @@ #!/usr/bin/execlineb -P +with-contenv /usr/sbin/php-fpm8 From bcb52002aa4c4ef323ce2fefb6d1a9f0491321c5 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Fri, 4 Jun 2021 22:12:52 +0200 Subject: [PATCH 02/67] do not start nginx until /var/run/php-fpm.sock is available --- etc/s6/services/nginx/run | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/s6/services/nginx/run b/etc/s6/services/nginx/run index 3d184d6..8d56d8f 100755 --- a/etc/s6/services/nginx/run +++ b/etc/s6/services/nginx/run @@ -1,2 +1,3 @@ #!/usr/bin/execlineb -P +if { test -S /var/run/php-fpm.sock } /usr/sbin/nginx From aab06e6a369a95f8d2eb783e21b14e0af6b5ca77 Mon Sep 17 00:00:00 2001 
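Review bot: The new `env[...]` lines in zz-docker.conf re-export GOOGLE_APPLICATION_CREDENTIALS and the project/bucket variables into every php-fpm worker, but nothing says why this is needed, and GOOGLE_APPLICATION_CREDENTIALS is a path to a service-account key that every worker will then be able to read. I would put a comment above the block, in the file's `;` style: `; php-fpm drops the container environment by default (clear_env); pass through only what the GCS storage backend needs` and, for the credentials line, `; path to a service-account key file — mount it read-only, never bake it into the image`. What php-fpm substitutes for `$GOOGLE_APPLICATION_CREDENTIALS` when the variable is absent from the container environment (an empty string, as far as I know) is version dependent, so it is worth confirming that a Filesystem-only deployment still starts without warnings.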
From: rugk Date: Fri, 4 Jun 2021 23:36:36 +0200 Subject: [PATCH 03/67] Add snyk container scanning CI Another GitHub action that looked useful. I've had to login with my GitHub account at https://app.snyk.io to get a free API token (saved as a secret in this repo) though. --- .github/workflows/snyk-container-analysis.yml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/snyk-container-analysis.yml diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml new file mode 100644 index 0000000..00b45cf --- /dev/null +++ b/.github/workflows/snyk-container-analysis.yml 
@@ -0,0 +1,43 @@ +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '23 7 * * 5' + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build a Docker image + run: docker build -t privatebin/nginx-fpm-alpine . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@master + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: privatebin/nginx-fpm-alpine + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif From 136f2ce32ef07f6646980411b5bff13dc4a4fe91 Mon Sep 17 00:00:00 2001 
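Review bot: `uses: snyk/actions/docker@master` pins a third-party action that receives `SNYK_TOKEN` to a mutable branch, so any push to that branch changes the code that runs with the secret; pin it to a full commit SHA with the version in a trailing comment, `uses: snyk/actions/docker@<full-commit-sha>  # <release tag>` (the same applies to `aquasecurity/trivy-action@master` in patch 04). The workflow also declares no `permissions:` block although the upload step only needs `security-events: write` plus `contents: read`; adding that keeps the job's GITHUB_TOKEN at least privilege. With the `pull_request` trigger the Snyk step will fail on fork PRs, where secrets are not provided, and `continue-on-error: true` hides that failure rather than skipping the step.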
From: rugk Date: Sat, 5 Jun 2021 00:44:39 +0200 Subject: [PATCH 04/67] Add Trivy analysis MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Oh I'm sorry, but here is another analysis tool :sweat_smile: The cool thing here it says it only needs 10s at most. So let's test that for real… https://github.com/aquasecurity/trivy#features --- trivy-analysis.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 trivy-analysis.yml diff --git a/trivy-analysis.yml b/trivy-analysis.yml new file mode 100644 index 0000000..bd237bc --- /dev/null +++ b/trivy-analysis.yml @@ -0,0 +1,36 @@ +name: build + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '20 13 * * 3' + +jobs: + build: + name: Build + runs-on: "ubuntu-18.04" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Build an image from Dockerfile + run: | + docker build -t privatebin/nginx-fpm-alpine:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'privatebin/nginx-fpm-alpine:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' From 379c73aef9054526c6da4c557de6b43adda60477 Mon Sep 17 00:00:00 2001 From: rugk Date: Sat, 5 Jun 2021 00:50:05 +0200 Subject: [PATCH 05/67] better naming --- trivy-analysis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/trivy-analysis.yml b/trivy-analysis.yml index bd237bc..65c1496 100644 --- a/trivy-analysis.yml +++ b/trivy-analysis.yml @@ -1,5 +1,4 @@ name: build - on: push: branches: [ master ] 
@@ -11,7 +10,7 @@ on: jobs: build: - name: Build + name: Trivy analysis runs-on: "ubuntu-18.04" steps: - name: Checkout code From 8539ee0e6e88a4e89cc587cb817ecaffe8ed164e Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 5 Jun 2021 07:43:21 +0200 Subject: [PATCH 06/67] wait for up to 10 seconds on the php-fpm socket to come up, before starting nginx --- etc/s6/services/nginx/run | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/etc/s6/services/nginx/run b/etc/s6/services/nginx/run index 8d56d8f..04f7412 100755 --- a/etc/s6/services/nginx/run +++ b/etc/s6/services/nginx/run @@ -1,3 +1,9 @@ #!/usr/bin/execlineb -P -if { test -S /var/run/php-fpm.sock } -/usr/sbin/nginx +forx -o 127 timer { 0 1 2 3 4 5 6 7 8 9 } + ifelse { + test -S /var/run/php-fpm.sock + } { + /usr/sbin/nginx + } + foreground { sleep 1 } + exit 127 From 742b03ba2f65691bf13214bf09ac6ff3dc0e1bdc Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 6 Jun 2021 09:31:07 +0200 Subject: [PATCH 07/67] update reference to php8 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a0671c8..e48955f 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ Note: The `Filesystem` data storage is supported out of the box. The image inclu ### Adjusting nginx or php-fpm settings -You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php7/conf.d/` and `/etc/nginx/conf.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB. +You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php8/conf.d/` and `/etc/nginx/conf.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB. ### Timezone settings From ff4b815893247c00399c059467cc070cbd4e55ca Mon Sep 17 00:00:00 2001 
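Review bot: The rewritten nginx run script uses exit code 127 as a "socket not ready" sentinel for `forx -o 127`, which nothing in the file explains, and a reader is likely to mistake 127 for the shell's command-not-found code. I'd add a comment after the shebang: `# retry for up to 10s: an iteration exits 127 while /var/run/php-fpm.sock is missing, and forx -o 127 keeps looping only on that code` (that is how I read `-o okcodes`; confirm against the installed execline version). Once the socket appears the iteration execs into nginx, so nginx's own exit code ends the loop, which is also worth one line.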
From: El RIDO Date: Sun, 6 Jun 2021 10:41:52 +0200 Subject: [PATCH 08/67] install google/cloud-storage library and dependencies #41 --- Dockerfile | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index e7d6a02..459635b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,8 +8,9 @@ ENV S6_READ_ONLY_ROOT 1 RUN \ # Install dependencies - apk add --no-cache gnupg nginx php8-fpm php8-json php8-gd \ - php8-opcache php8-pdo_mysql php8-pdo_pgsql s6-overlay tzdata \ + apk add --no-cache gnupg nginx php8 php8-curl php8-fpm php8-json php8-gd \ + php8-mbstring php8-opcache php8-pdo_mysql php8-pdo_pgsql php8-phar \ + s6-overlay tzdata \ && apk upgrade --no-cache \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ @@ -25,9 +26,17 @@ RUN \ && wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ && wget -q ${PBURL}archive/${RELEASE}.tar.gz \ && gpg2 --verify ${RELEASE}.tar.gz.asc \ + && wget -qO composer-setup.php https://getcomposer.org/installer \ + && ln -s $(which php8) /usr/local/bin/php \ + && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \ && cd /var/www \ && tar -xzf /tmp/${RELEASE}.tar.gz --strip 1 \ - && rm *.md cfg/conf.sample.php \ + && wget -q $(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)${RELEASE}/composer.json \ + && wget -q $(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)${RELEASE}/composer.lock \ + && composer remove --dev --no-update phpunit/phpunit \ + && composer require --no-update google/cloud-storage \ + && composer update --no-dev --optimize-autoloader \ + && rm *.md cfg/conf.sample.php composer.* /usr/local/bin/* \ && mv cfg lib tpl vendor /srv \ && mkdir -p /srv/data \ && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \ 
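Review bot: The composer installer is fetched with `wget -qO composer-setup.php https://getcomposer.org/installer` and executed by `php composer-setup.php` with no integrity check, while the PrivateBin tarball a few lines above is GPG-verified; the installer's published SHA-384 should be checked first, e.g. `&& wget -qO installer.sig https://composer.github.io/installer.sig \` followed by `&& php -r "exit(hash_file('sha384', 'composer-setup.php') === trim(file_get_contents('installer.sig')) ? 0 : 1);" \`. composer.json and composer.lock are then re-downloaded from raw.githubusercontent.com even though the verified source archive unpacked into /var/www presumably already contains them — if it does, the separate unverified copies should go. Finally, `composer update --no-dev` with no package argument upgrades every dependency past the release's lock file, so the image ships a dependency set the release never tested; `composer update --no-dev --optimize-autoloader --with-dependencies google/cloud-storage` keeps the rest pinned.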
@@ -40,7 +49,7 @@ RUN \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del gnupg + && apk del gnupg php8 php8-curl php8-mbstring php8-phar COPY etc/ /etc/ From 63ad058a513f31e77ef6397976fc0c4f9d07bbbc Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 6 Jun 2021 11:14:30 +0200 Subject: [PATCH 09/67] move github build into script for easier maintenance --- .dockerignore | 2 ++ .github/workflows/build-images.yml | 40 +++--------------------------- buildx.sh | 32 ++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 37 deletions(-) create mode 100755 buildx.sh diff --git a/.dockerignore b/.dockerignore index 3eabb63..8140350 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,6 +3,8 @@ README.md # Git .git/ +.github/ +buildx.sh # OSX .DS_Store diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index 1267ab4..27b432a 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml 
@@ -15,50 +15,16 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 - - name: Prepare - id: prepare - run: | - IMAGE=privatebin/nginx-fpm-alpine - QEMU_PLATFORMS=linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le - VERSION=${GITHUB_REF##*/} - [ "${{ github.event_name }}" = "schedule" ] && VERSION=nightly - echo ::set-output name=buildx_args::--tag ${IMAGE}:latest \ - --tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \ - --platform linux/amd64,linux/386,${QEMU_PLATFORMS} . - echo ::set-output name=buildx_edge_args::--tag ${IMAGE}:edge \ - --platform linux/amd64,linux/386,${QEMU_PLATFORMS} -f Dockerfile-edge . - echo ::set-output name=qemu_platforms::${QEMU_PLATFORMS} - name: Set up QEMU uses: docker/setup-qemu-action@v1 with: - platforms: ${{ steps.prepare.outputs.qemu_platforms }} + platforms: linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: install: true - - name: Docker Build (latest) - run: | - docker build --no-cache --pull --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args }} - - name: Docker Build (edge) - run: | - sed 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile-edge - docker build --no-cache --pull --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_edge_args }} - - name: Docker Login - if: success() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule') + - name: Docker Build env: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - run: | - printenv DOCKER_PASSWORD | docker login --username "${DOCKER_USERNAME}" --password-stdin - - name: Docker Push (latest) - if: success() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule') - run: | - docker build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }} - - name: Docker Push (edge) - if: 
success() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule') - run: | - docker build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_edge_args }} - - name: Cleanup - if: always() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule') - run: | - rm -f ${HOME}/.docker/config.json + run: ./buildx.sh ${{ github.event_name }} diff --git a/buildx.sh b/buildx.sh new file mode 100755 index 0000000..e49e694 --- /dev/null +++ b/buildx.sh @@ -0,0 +1,32 @@ +#!/bin/bash + +# exit immediately on non-zero return code, including during a pipe stage or on +# accessing an uninitialized variable and print commands before executing them +set -euxo pipefail + +IMAGE=privatebin/nginx-fpm-alpine +QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le +VERSION=${GITHUB_REF##*/} +EVENT=$1 +[ "${EVENT}" = "schedule" ] && VERSION=nightly + +BUILDX_ARGS=--tag ${IMAGE}:latest \ +--tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \ +--platform ${QEMU_PLATFORMS} . +BUILDX_EDGE_ARGS=--tag ${IMAGE}:edge \ +--platform ${QEMU_PLATFORMS} -f Dockerfile-edge . + +# build images +docker build --no-cache --pull --output "type=image,push=false" ${BUILDX_ARGS} +sed 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile-edge +docker build --no-cache --pull --output "type=image,push=false" ${BUILDX_EDGE_ARGS} + +# push cached images +if [ "${EVENT}" != "pull_request"] && ([ "${GITHUB_REF}" != "refs/heads/master" ] || [ "${EVENT}" = "schedule"]) +then + printenv DOCKER_PASSWORD | docker login --username "${DOCKER_USERNAME}" --password-stdin + docker build --output "type=image,push=true" ${BUILDX_ARGS} + docker build --output "type=image,push=true" ${BUILDX_EDGE_ARGS} + rm -f ${HOME}/.docker/config.json +fi + From 2cc183223e36abb49a99de689db4516aa8a2b2ab Mon Sep 17 00:00:00 2001 
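Review bot: The `DOCKER_USERNAME`/`DOCKER_PASSWORD` secrets are now attached as `env:` to the single "Docker Build" step on every event, whereas before they were only injected into the `if:`-gated login step; the gate has moved into buildx.sh, so as I understand it a same-repo pull_request build and every subprocess of the build script now see the registry credentials for no benefit. I would keep an `if:` condition mirroring the script's push gate on the step, or split the script into build and push entry points and attach the secrets only to the push step.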
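Review bot: With `set -e`, the `rm -f ${HOME}/.docker/config.json` at the end of the push block only runs when both `docker build --output "type=image,push=true"` calls succeed, so a failed push leaves the credentials written by `docker login` on the runner; the "Cleanup" step this replaces used `if: always()` for exactly that case. Register the cleanup right after the login instead: `trap 'rm -f "${HOME}/.docker/config.json"' EXIT`. The rewritten `main` in patch 26 carries the same unguarded `rm -f "$HOME/.docker/config.json"` at the end of the function.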
From: El RIDO Date: Sun, 6 Jun 2021 11:21:14 +0200 Subject: [PATCH 10/67] trying to workaround github action redaction mechanism --- .github/workflows/build-images.yml | 1 + buildx.sh | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index 27b432a..a39ae00 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml @@ -25,6 +25,7 @@ jobs: install: true - name: Docker Build env: + IMAGE: privatebin/nginx-fpm-alpine DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} run: ./buildx.sh ${{ github.event_name }} diff --git a/buildx.sh b/buildx.sh index e49e694..7c48be3 100755 --- a/buildx.sh +++ b/buildx.sh @@ -4,7 +4,6 @@ # accessing an uninitialized variable and print commands before executing them set -euxo pipefail -IMAGE=privatebin/nginx-fpm-alpine QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le VERSION=${GITHUB_REF##*/} EVENT=$1 From 9b0301e2ee7a1dc8f708d429848c3bce5e7dd18c Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 6 Jun 2021 11:22:44 +0200 Subject: [PATCH 11/67] Revert "trying to workaround github action redaction mechanism" This reverts commit 2cc183223e36abb49a99de689db4516aa8a2b2ab. --- .github/workflows/build-images.yml | 1 - buildx.sh | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index a39ae00..27b432a 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml @@ -25,7 +25,6 @@ jobs: install: true - name: Docker Build env: - IMAGE: privatebin/nginx-fpm-alpine DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} run: ./buildx.sh ${{ github.event_name }} diff --git a/buildx.sh b/buildx.sh index 7c48be3..e49e694 100755 --- a/buildx.sh +++ b/buildx.sh 
@@ -4,6 +4,7 @@ # accessing an uninitialized variable and print commands before executing them set -euxo pipefail +IMAGE=privatebin/nginx-fpm-alpine QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le VERSION=${GITHUB_REF##*/} EVENT=$1 From de2c135fef5adbf51f337d17b2afbc85e9d8c22b Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 6 Jun 2021 11:27:16 +0200 Subject: [PATCH 12/67] proper quoting --- buildx.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/buildx.sh b/buildx.sh index e49e694..8823068 100755 --- a/buildx.sh +++ b/buildx.sh @@ -10,11 +10,11 @@ VERSION=${GITHUB_REF##*/} EVENT=$1 [ "${EVENT}" = "schedule" ] && VERSION=nightly -BUILDX_ARGS=--tag ${IMAGE}:latest \ +BUILDX_ARGS="--tag ${IMAGE}:latest \ --tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \ ---platform ${QEMU_PLATFORMS} . -BUILDX_EDGE_ARGS=--tag ${IMAGE}:edge \ ---platform ${QEMU_PLATFORMS} -f Dockerfile-edge . +--platform ${QEMU_PLATFORMS} ." +BUILDX_EDGE_ARGS="--tag ${IMAGE}:edge \ +--platform ${QEMU_PLATFORMS} -f Dockerfile-edge ." # build images docker build --no-cache --pull --output "type=image,push=false" ${BUILDX_ARGS} From 5742021b207fc3181f794ebe160b82f3a5c92831 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 6 Jun 2021 11:31:26 +0200 Subject: [PATCH 13/67] correct spacing of conditional --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index 8823068..782a8dc 100755 --- a/buildx.sh +++ b/buildx.sh 
@@ -22,7 +22,7 @@ sed 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile-edge docker build --no-cache --pull --output "type=image,push=false" ${BUILDX_EDGE_ARGS} # push cached images -if [ "${EVENT}" != "pull_request"] && ([ "${GITHUB_REF}" != "refs/heads/master" ] || [ "${EVENT}" = "schedule"]) +if [ "${EVENT}" != "pull_request" ] && ([ "${GITHUB_REF}" != "refs/heads/master" ] || [ "${EVENT}" = "schedule" ]) then printenv DOCKER_PASSWORD | docker login --username "${DOCKER_USERNAME}" --password-stdin docker build --output "type=image,push=true" ${BUILDX_ARGS} From 41f31bb6e7849cd8221664bf0ece12a376156b16 Mon Sep 17 00:00:00 2001 From: rugk Date: Sun, 6 Jun 2021 17:27:33 +0200 Subject: [PATCH 14/67] Rename trivy-analysis.yml to .github/workflows/trivy-analysis.yml --- trivy-analysis.yml => .github/workflows/trivy-analysis.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename trivy-analysis.yml => .github/workflows/trivy-analysis.yml (100%) diff --git a/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml similarity index 100% rename from trivy-analysis.yml rename to .github/workflows/trivy-analysis.yml From 2a7793e43dd35984c71626af982095d1f88ec983 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 19 Jun 2021 05:59:14 +0200 Subject: [PATCH 15/67] upgrade to alpine 3.14 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 459635b..09918cc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.13 +FROM alpine:3.14 MAINTAINER PrivateBin From 1ae3716721c93d3a91d3e982f9cb6231453a95ad Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 19 Jun 2021 06:18:55 +0200 Subject: [PATCH 16/67] remove (temporarily) ppc64le build to allow the other architecture's images to be produced #48 --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index 782a8dc..2b52ffb 100755 --- a/buildx.sh +++ b/buildx.sh 
@@ -5,7 +5,7 @@ set -euxo pipefail IMAGE=privatebin/nginx-fpm-alpine -QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le +QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64 VERSION=${GITHUB_REF##*/} EVENT=$1 [ "${EVENT}" = "schedule" ] && VERSION=nightly From edc857a9f3e78fd9e47d53ef2248cacd1ea2cb80 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 26 Jun 2021 06:46:17 +0200 Subject: [PATCH 17/67] ignore false positive in ZAP report #29 --- .github/rules.tsv | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/rules.tsv b/.github/rules.tsv index d47ab03..3f0e1d4 100644 --- a/.github/rules.tsv +++ b/.github/rules.tsv @@ -26,3 +26,4 @@ 10053 IGNORE (Apache Range Header DoS (CVE-2011-3192)) # again we return 200 to some strange URL 90034 IGNORE (Cloud Metadata Potentially Exposed) +40035 IGNORE (Hidden File Found) From 7d3ae98198160eb85d064dd2124c298f0416e8d2 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 26 Jun 2021 06:49:45 +0200 Subject: [PATCH 18/67] Revert temporarily removed ppc64le build, fixes #48" This reverts commit 1ae3716721c93d3a91d3e982f9cb6231453a95ad. --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index 2b52ffb..782a8dc 100755 --- a/buildx.sh +++ b/buildx.sh @@ -5,7 +5,7 @@ set -euxo pipefail IMAGE=privatebin/nginx-fpm-alpine -QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64 +QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le VERSION=${GITHUB_REF##*/} EVENT=$1 [ "${EVENT}" = "schedule" ] && VERSION=nightly From 827f2c3ef608adcc6848c639f1ba3e159b721508 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Tue, 6 Jul 2021 06:26:18 +0200 Subject: [PATCH 19/67] set default CONFIG_PATH, fixes #50 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 09918cc..8710108 100644 --- a/Dockerfile +++ b/Dockerfile 
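Review bot: The new `40035 IGNORE (Hidden File Found)` line in .github/rules.tsv silences a ZAP rule repo-wide without recording why, while the neighbouring `# again we return 200 to some strange URL` comment does; a later reader cannot tell whether a genuinely exposed dotfile would still be noticed. Assuming the commit's "false positive" refers to the same answer-200-for-unknown-paths behaviour, I'd add a comment line above it in the file's style: `# PrivateBin answers 200 for unknown paths, so ZAP's hidden-file probes are false positives (#29)`.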
@@ -5,6 +5,7 @@ MAINTAINER PrivateBin ENV RELEASE 1.3.5 ENV PBURL https://github.com/PrivateBin/PrivateBin/ ENV S6_READ_ONLY_ROOT 1 +ENV CONFIG_PATH /srv/cfg RUN \ # Install dependencies From e99aff19077e54b75c5ebc898737bfa9f21478d4 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Tue, 6 Jul 2021 19:11:10 +0200 Subject: [PATCH 20/67] build nightly from the scheduled branch --- Dockerfile | 15 +++++++++++---- buildx.sh | 12 ++++++++---- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8710108..7d1f56a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,9 @@ FROM alpine:3.14 +ARG RELEASE=1.3.5 MAINTAINER PrivateBin -ENV RELEASE 1.3.5 +ENV RELEASE ${RELEASE} ENV PBURL https://github.com/PrivateBin/PrivateBin/ ENV S6_READ_ONLY_ROOT 1 ENV CONFIG_PATH /srv/cfg @@ -24,9 +25,15 @@ RUN \ && wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \ && rm -rf /var/www/* \ && cd /tmp \ - && wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ - && wget -q ${PBURL}archive/${RELEASE}.tar.gz \ - && gpg2 --verify ${RELEASE}.tar.gz.asc \ + && if expr "${RELEASE}" : '[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}$' >/dev/null ; then \ + echo "getting release ${RELEASE}"; \ + wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ + && wget -q ${PBURL}archive/${RELEASE}.tar.gz \ + && gpg2 --verify ${RELEASE}.tar.gz.asc ; \ + else \ + echo "getting tarball for ${RELEASE}"; \ + wget -qO ${RELEASE}.tar.gz ${PBURL}tarball/${RELEASE}; \ + fi \ && wget -qO composer-setup.php https://getcomposer.org/installer \ && ln -s $(which php8) /usr/local/bin/php \ && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \ diff --git a/buildx.sh b/buildx.sh index 782a8dc..31ed225 100755 --- a/buildx.sh +++ b/buildx.sh 
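Review bot: The new `else` branch fetches `${PBURL}tarball/${RELEASE}` with no signature check, so a nightly or branch build silently drops the GPG verification that the release branch keeps, and nothing in the Dockerfile says so. I'd add `# NOTE: non-release refs are fetched unsigned; only trust nightly/edge images from a trusted builder` above the `else`, and have that branch log or label the commit the ref resolved to, so an unsigned image is at least traceable. `RELEASE` is now a build ARG interpolated unquoted into several shell commands; it comes from the build invocation rather than user input, but quoting it costs nothing.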
@@ -8,12 +8,17 @@ IMAGE=privatebin/nginx-fpm-alpine QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le VERSION=${GITHUB_REF##*/} EVENT=$1 -[ "${EVENT}" = "schedule" ] && VERSION=nightly +if [ "${EVENT}" = "schedule" ]; then + VERSION=nightly + RELEASE_ARG="--build-arg RELEASE=$VERSION" +else + RELEASE_ARG="" +fi -BUILDX_ARGS="--tag ${IMAGE}:latest \ +BUILDX_ARGS="${RELEASE_ARG} --tag ${IMAGE}:latest \ --tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \ --platform ${QEMU_PLATFORMS} ." -BUILDX_EDGE_ARGS="--tag ${IMAGE}:edge \ +BUILDX_EDGE_ARGS="${RELEASE_ARG} --tag ${IMAGE}:edge \ --platform ${QEMU_PLATFORMS} -f Dockerfile-edge ." # build images @@ -29,4 +34,3 @@ then docker build --output "type=image,push=true" ${BUILDX_EDGE_ARGS} rm -f ${HOME}/.docker/config.json fi - From d51ef912a8bdae51e579c80ab3b1e9277cfced11 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Tue, 6 Jul 2021 21:17:55 +0200 Subject: [PATCH 21/67] use git archive instead of curl to get the tarball --- Dockerfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7d1f56a..a8eb621 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ RUN \ # Install dependencies apk add --no-cache gnupg nginx php8 php8-curl php8-fpm php8-json php8-gd \ php8-mbstring php8-opcache php8-pdo_mysql php8-pdo_pgsql php8-phar \ - s6-overlay tzdata \ + s6-overlay tzdata git \ && apk upgrade --no-cache \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ 
@@ -32,7 +32,8 @@ RUN \ && gpg2 --verify ${RELEASE}.tar.gz.asc ; \ else \ echo "getting tarball for ${RELEASE}"; \ - wget -qO ${RELEASE}.tar.gz ${PBURL}tarball/${RELEASE}; \ + git clone ${PBURL%%/}.git -b ${RELEASE}; \ + (cd $(basename ${PBURL}) && git archive --prefix ${RELEASE}/ --format tgz ${RELEASE} > /tmp/${RELEASE}.tar.gz); \ fi \ && wget -qO composer-setup.php https://getcomposer.org/installer \ && ln -s $(which php8) /usr/local/bin/php \ @@ -57,7 +58,7 @@ RUN \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del gnupg php8 php8-curl php8-mbstring php8-phar + && apk del gnupg php8 php8-curl php8-mbstring php8-phar git COPY etc/ /etc/ From acbd5d016023260e5e50b6040f815b64367066b3 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Tue, 6 Jul 2021 21:21:19 +0200 Subject: [PATCH 22/67] set the RELEASE to the git ref first, before naming the tag --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index 31ed225..9624df6 100755 --- a/buildx.sh +++ b/buildx.sh @@ -9,8 +9,8 @@ QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux VERSION=${GITHUB_REF##*/} EVENT=$1 if [ "${EVENT}" = "schedule" ]; then - VERSION=nightly RELEASE_ARG="--build-arg RELEASE=$VERSION" + VERSION=nightly else RELEASE_ARG="" fi From 725a0006291cec9c4ffb2df51b1959de98d31e8f Mon Sep 17 00:00:00 2001 From: rugk Date: Tue, 6 Jul 2021 22:25:25 +0200 Subject: [PATCH 23/67] Disable Sync for PRs --- .github/workflows/snyk-container-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml index 00b45cf..5a743a9 100644 --- a/.github/workflows/snyk-container-analysis.yml +++ b/.github/workflows/snyk-container-analysis.yml 
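Review bot: `git clone ${PBURL%%/}.git -b ${RELEASE}` followed by `git archive` still yields an unverified tree for non-release refs, and now also pulls the full repository history into the build layer; `git clone --depth 1 ${PBURL%%/}.git -b ${RELEASE}` keeps the clone small, and recording `git rev-parse HEAD` in the build log (or as an image label) gives the unsigned nightly a traceable commit. A one-line comment on the `else` branch stating that this path is unsigned would make the trust difference between release and nightly images visible to anyone reading the Dockerfile.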
@@ -13,7 +13,7 @@ on: branches: [ master ] pull_request: # The branches below must be a subset of the branches above - branches: [ master ] + #branches: [ master ] schedule: - cron: '23 7 * * 5' From 57343384590e93a229eb33bb48defea121071736 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 7 Jul 2021 08:24:29 +0200 Subject: [PATCH 24/67] remove section completly instead of just commenting part of it - git history will preserve it all if we want to go back #53 --- .github/workflows/snyk-container-analysis.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml index 5a743a9..8acbf58 100644 --- a/.github/workflows/snyk-container-analysis.yml +++ b/.github/workflows/snyk-container-analysis.yml @@ -11,9 +11,6 @@ name: Snyk Container on: push: branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - #branches: [ master ] schedule: - cron: '23 7 * * 5' From 28a2d30e9b6ef0038c0a1ee13e015e331342b859 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Wed, 7 Jul 2021 09:11:26 +0200 Subject: [PATCH 25/67] revert buildx.sh to keep nightly and edge build on signed releases --- buildx.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/buildx.sh b/buildx.sh index 9624df6..782a8dc 100755 --- a/buildx.sh +++ b/buildx.sh 
@@ -8,17 +8,12 @@ IMAGE=privatebin/nginx-fpm-alpine QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le VERSION=${GITHUB_REF##*/} EVENT=$1 -if [ "${EVENT}" = "schedule" ]; then - RELEASE_ARG="--build-arg RELEASE=$VERSION" - VERSION=nightly -else - RELEASE_ARG="" -fi +[ "${EVENT}" = "schedule" ] && VERSION=nightly -BUILDX_ARGS="${RELEASE_ARG} --tag ${IMAGE}:latest \ +BUILDX_ARGS="--tag ${IMAGE}:latest \ --tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \ --platform ${QEMU_PLATFORMS} ." -BUILDX_EDGE_ARGS="${RELEASE_ARG} --tag ${IMAGE}:edge \ +BUILDX_EDGE_ARGS="--tag ${IMAGE}:edge \ --platform ${QEMU_PLATFORMS} -f Dockerfile-edge ." # build images @@ -34,3 +29,4 @@ then docker build --output "type=image,push=true" ${BUILDX_EDGE_ARGS} rm -f ${HOME}/.docker/config.json fi + From 0a39c4075b7f52f3c436bd6d275069d08a75c426 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Sun, 11 Jul 2021 19:40:47 +0200 Subject: [PATCH 26/67] create separate images for fs, pdo and gcs - modified buildx.sh to build privatebin/fs, privatebin/pdo, privatebin/gcs and privatebin/nginx-fpm-alpine - default build of privatebin/nginx-fpm-alpine contains everything --- .gitignore | 1 + Dockerfile | 13 +++++---- buildx.sh | 81 ++++++++++++++++++++++++++++++++++++++++-------------- 3 files changed, 69 insertions(+), 26 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..34cdb35 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +Dockerfile.edge diff --git a/Dockerfile b/Dockerfile index 8710108..c10e1ff 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,16 +2,19 @@ FROM alpine:3.14 MAINTAINER PrivateBin -ENV RELEASE 1.3.5 -ENV PBURL https://github.com/PrivateBin/PrivateBin/ +ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql" +ARG COMPOSER_PACKAGES="google/cloud-storage" + +ENV RELEASE 1.3.5 +ENV PBURL https://github.com/PrivateBin/PrivateBin/ ENV S6_READ_ONLY_ROOT 1 ENV CONFIG_PATH /srv/cfg RUN \ # Install dependencies apk add --no-cache gnupg nginx php8 php8-curl php8-fpm php8-json php8-gd \ - php8-mbstring php8-opcache php8-pdo_mysql php8-pdo_pgsql php8-phar \ - s6-overlay tzdata \ + php8-mbstring php8-opcache php8-phar \ + s6-overlay tzdata php8-openssl $ALPINE_PACKAGES \ && apk upgrade --no-cache \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ @@ -35,7 +38,7 @@ RUN \ && wget -q $(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)${RELEASE}/composer.json \ && wget -q $(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)${RELEASE}/composer.lock \ && composer remove --dev --no-update phpunit/phpunit \ - && composer require --no-update google/cloud-storage \ + && ([ -z "$COMPOSER_PACKAGES"] || composer require --no-update $COMPOSER_PACKAGES) \ && composer update --no-dev --optimize-autoloader \ && rm *.md cfg/conf.sample.php composer.* /usr/local/bin/* \ && mv cfg lib tpl vendor /srv \ diff --git a/buildx.sh b/buildx.sh index 782a8dc..3a10302 100755 --- a/buildx.sh +++ b/buildx.sh 
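Review bot: `([ -z "$COMPOSER_PACKAGES"] || composer require ...)` is missing the space before `]`, so `[` receives `google/cloud-storage]` as its operand and fails with a "missing ]" error, and the build only proceeds because `||` then runs `composer require` regardless; with an empty COMPOSER_PACKAGES the test degenerates to `[ -z ]`, which is true by a different accident. The line should read `&& ([ -z "$COMPOSER_PACKAGES" ] || composer require --no-update $COMPOSER_PACKAGES) \`. Both ARG values are intentionally word-split (`$ALPINE_PACKAGES` in the first hunk, `$COMPOSER_PACKAGES` here); a short comment on the `ARG` lines saying they hold space-separated package lists would stop someone "fixing" the quoting later.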
@@ -4,29 +4,68 @@ # accessing an uninitialized variable and print commands before executing them set -euxo pipefail -IMAGE=privatebin/nginx-fpm-alpine -QEMU_PLATFORMS=linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le -VERSION=${GITHUB_REF##*/} EVENT=$1 -[ "${EVENT}" = "schedule" ] && VERSION=nightly +VERSION=${GITHUB_REF##*/} -BUILDX_ARGS="--tag ${IMAGE}:latest \ ---tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \ ---platform ${QEMU_PLATFORMS} ." -BUILDX_EDGE_ARGS="--tag ${IMAGE}:edge \ ---platform ${QEMU_PLATFORMS} -f Dockerfile-edge ." -# build images -docker build --no-cache --pull --output "type=image,push=false" ${BUILDX_ARGS} -sed 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile-edge -docker build --no-cache --pull --output "type=image,push=false" ${BUILDX_EDGE_ARGS} +build_image() { + local push build_args + push=$1; shift 1; + build_args="$@" -# push cached images -if [ "${EVENT}" != "pull_request" ] && ([ "${GITHUB_REF}" != "refs/heads/master" ] || [ "${EVENT}" = "schedule" ]) -then - printenv DOCKER_PASSWORD | docker login --username "${DOCKER_USERNAME}" --password-stdin - docker build --output "type=image,push=true" ${BUILDX_ARGS} - docker build --output "type=image,push=true" ${BUILDX_EDGE_ARGS} - rm -f ${HOME}/.docker/config.json -fi + docker buildx build \ + --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ + --output type=image,push=$push \ + --pull \ + --no-cache \ + --progress plain \ + $build_args \ + . +} +image_build_arguments() { + cat< Dockerfile.edge + + image_build_arguments | while read image build_args ; do + build_image $push -f Dockerfile.edge --tag $image:edge "$build_args" + done + + rm -f Dockerfile.edge + + rm -f "$HOME/.docker/config.json" +} + +main From 09912939fe8c3434075a78eb2fdd000afb86e518 Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Tue, 13 Jul 2021 21:05:43 +0200 Subject: [PATCH 27/67] be more OCI compliant, avoid unnecessary work --- Dockerfile | 53 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index c10e1ff..82a1ae3 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,21 +1,30 @@ FROM alpine:3.14 -MAINTAINER PrivateBin +ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql php8-openssl" +ARG COMPOSER_PACKAGES=google/cloud-storage +ARG PBURL=https://github.com/PrivateBin/PrivateBin/ +ARG RELEASE=1.3.5 -ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql" -ARG COMPOSER_PACKAGES="google/cloud-storage" +ENV CONFIG_PATH=/srv/cfg S6_READ_ONLY_ROOT=1 -ENV RELEASE 1.3.5 -ENV PBURL https://github.com/PrivateBin/PrivateBin/ -ENV S6_READ_ONLY_ROOT 1 -ENV CONFIG_PATH /srv/cfg +LABEL org.opencontainers.image.authors=support@privatebin.org \ + org.opencontainers.image.vendor=PrivateBin \ + org.opencontainers.image.documentation=https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/README.md \ + org.opencontainers.image.source=https://github.com/PrivateBin/docker-nginx-fpm-alpine \ + org.opencontainers.image.licenses=zlib-acknowledgement \ + org.opencontainers.image.version=${RELEASE} RUN \ +# Prepare composer dependencies + ALPINE_COMPOSER_PACKAGES="" ;\ + if [ -n "${COMPOSER_PACKAGES}" ] ; then \ + ALPINE_COMPOSER_PACKAGES="php8 php8-curl php8-mbstring php8-phar" ;\ + RAWURL="$(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)" ;\ + fi \ # Install dependencies - apk add --no-cache gnupg nginx php8 php8-curl php8-fpm php8-json php8-gd \ - php8-mbstring php8-opcache php8-phar \ - s6-overlay tzdata php8-openssl $ALPINE_PACKAGES \ && apk upgrade --no-cache \ + && apk add --no-cache gnupg nginx php8-fpm php8-json php8-gd php8-opcache \ + s6-overlay tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ && rm -rf /etc/nginx/sites-* \ 
@@ -27,19 +36,23 @@ RUN \ && wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \ && rm -rf /var/www/* \ && cd /tmp \ - && wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ + && wget -qO $RELEASE.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ && wget -q ${PBURL}archive/${RELEASE}.tar.gz \ && gpg2 --verify ${RELEASE}.tar.gz.asc \ - && wget -qO composer-setup.php https://getcomposer.org/installer \ - && ln -s $(which php8) /usr/local/bin/php \ - && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \ + && if [ -n "${COMPOSER_PACKAGES}" ] ; then \ + wget -qO composer-installer.php https://getcomposer.org/installer \ + && ln -s $(which php8) /usr/local/bin/php \ + && php composer-installer.php --install-dir=/usr/local/bin --filename=composer ;\ + fi \ && cd /var/www \ && tar -xzf /tmp/${RELEASE}.tar.gz --strip 1 \ - && wget -q $(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)${RELEASE}/composer.json \ - && wget -q $(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)${RELEASE}/composer.lock \ - && composer remove --dev --no-update phpunit/phpunit \ - && ([ -z "$COMPOSER_PACKAGES"] || composer require --no-update $COMPOSER_PACKAGES) \ - && composer update --no-dev --optimize-autoloader \ + && if [ -n "${COMPOSER_PACKAGES}" ] ; then \ + wget -q ${RAWURL}${RELEASE}/composer.json \ + && wget -q ${RAWURL}${RELEASE}/composer.lock \ + && composer remove --dev --no-update phpunit/phpunit \ + && composer require --no-update ${COMPOSER_PACKAGES} \ + && composer update --no-dev --optimize-autoloader ;\ + fi \ && rm *.md cfg/conf.sample.php composer.* /usr/local/bin/* \ && mv cfg lib tpl vendor /srv \ && mkdir -p /srv/data \ 
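Review bot: The composer installer fetched by `wget -qO composer-installer.php https://getcomposer.org/installer` is executed without any integrity check, while the PrivateBin tarball a few lines above is GPG-verified; the published installer signature (a SHA-384 of the installer served at `https://composer.github.io/installer.sig`) can be checked before `php composer-installer.php ...` runs, e.g. `&& wget -qO composer-installer.sig https://composer.github.io/installer.sig \` followed by `&& php -r "exit(hash_file('sha384', 'composer-installer.php') === trim(file_get_contents('composer-installer.sig')) ? 0 : 1);" \`. The `composer.json`/`composer.lock` downloaded via `${RAWURL}` likewise sit outside the signed tarball, so their integrity rests on TLS to raw.githubusercontent.com alone. `composer update --no-dev --optimize-autoloader` then re-resolves every dependency instead of honouring that lock, so two builds of the same `RELEASE` can ship different vendor trees; restricting the update to the added packages (`composer update --no-dev --optimize-autoloader ${COMPOSER_PACKAGES}`) keeps the upstream-locked versions for everything else, assuming the build argument holds bare package names. The `RUN` instruction starts and ends outside the hunk.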
@@ -53,7 +66,7 @@ RUN \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del gnupg php8 php8-curl php8-mbstring php8-phar + && apk del gnupg ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ From c2ff69021dd08aefa2bbfb4efd1dff93e944a94a Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 14 Jul 2021 20:24:07 +0200 Subject: [PATCH 28/67] take shellcheck to town --- buildx.sh | 78 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 37 deletions(-) diff --git a/buildx.sh b/buildx.sh index 3a10302..68687da 100755 --- a/buildx.sh +++ b/buildx.sh @@ -5,67 +5,71 @@ set -euxo pipefail EVENT=$1 -VERSION=${GITHUB_REF##*/} - build_image() { - local push build_args - push=$1; shift 1; - build_args="$@" + local PUSH + PUSH=$1 + shift 1 - docker buildx build \ - --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ - --output type=image,push=$push \ - --pull \ - --no-cache \ - --progress plain \ - $build_args \ - . + docker buildx build \ + --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ + --output type=image,push="$PUSH" \ + --pull \ + --no-cache \ + --progress plain \ + $@ \ + . +} + +docker_login() { + printenv DOCKER_PASSWORD | docker login \ + --username "$DOCKER_USERNAME" \ + --password-stdin } image_build_arguments() { cat< Dockerfile.edge - image_build_arguments | while read image build_args ; do - build_image $push -f Dockerfile.edge --tag $image:edge "$build_args" + image_build_arguments | while read -r IMAGE BUILD_ARGS + do + build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" $BUILD_ARGS + build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" $BUILD_ARGS done - rm -f Dockerfile.edge - - rm -f "$HOME/.docker/config.json" + rm -f Dockerfile.edge "$HOME/.docker/config.json" } -main +[ "$(basename "$0")" = 'buildx.sh' ] && main From 11917f03b70cea4595a91d3036370e943ef3f00e Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Wed, 14 Jul 2021 21:04:27 +0200 Subject: [PATCH 29/67] document image variants and tags, fixes #40 --- README.fs.md | 7 +++++++ README.gcs.md | 7 +++++++ README.md | 27 ++++++++++++++++++++++----- README.pdo.md | 7 +++++++ 4 files changed, 43 insertions(+), 5 deletions(-) create mode 100644 README.fs.md create mode 100644 README.gcs.md create mode 100644 README.pdo.md diff --git a/README.fs.md b/README.fs.md new file mode 100644 index 0000000..f88dbcf --- /dev/null +++ b/README.fs.md @@ -0,0 +1,7 @@ +# PrivateBin on Nginx, php-fpm & Alpine with file based storage backend + +**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). + +## Image variants + +This is an image optimized for the file based storage backend. Please see the [generic image](https://hub.docker.com/r/privatebin/nginx-fpm-alpine) for details on how to use this image, other images variants and the different tags. \ No newline at end of file diff --git a/README.gcs.md b/README.gcs.md new file mode 100644 index 0000000..204c912 --- /dev/null +++ b/README.gcs.md @@ -0,0 +1,7 @@ +# PrivateBin on Nginx, php-fpm & Alpine with Google Cloud Storage backend + +**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). + +## Image variants + +This is an image optimized for the Google Cloud Storage backend. Please see the [generic image](https://hub.docker.com/r/privatebin/nginx-fpm-alpine) for details on how to use this image, other images variants and the different tags. \ No newline at end of file 
diff --git a/README.md b/README.md
index e48955f..489219a 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,26 @@ -# PrivateBin on nginx, php-fpm & alpine +# PrivateBin on Nginx, php-fpm & Alpine **PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). -This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed PrivateBin instance in a secure default configuration. The images are based on the docker hub alpine image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded to docker logs. +This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed PrivateBin instance in a secure default configuration. The images are based on the docker hub Alpine image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded to docker logs. + +## Image variants + +This is the all-in-one image that can be used with any storage backend supported by PrivateBin: File based storage, database or Google Cloud Storage. 
We also offer dedicated images for each backend: +- [Image for file based storage](https://hub.docker.com/r/privatebin/fs) +- [Image for PostgreSQL, MariaDB & MySQL](https://hub.docker.com/r/privatebin/pdo) +- [Image for Google Cloud Storage](https://hub.docker.com/r/privatebin/gcs) + +## Image tags + +All images contain a release version of PrivateBin and are offered with the following tags: +- `latest` is an alias of the latest pushed image, usually the same as `nightly`, but excluding `edge` +- `nightly` is the latest released PrivateBin version on an upgraded Alpine release image, including the latest changes from the docker image repository +- `edge` is the latest released PrivateBin version on an upgraded Alpine edge image +- `1.3.5` contains PrivateBin version 1.3.5 on the latest tagged release of the docker image repository - gets updated when important security fixes are released for Alpine or upon new Alpine releases +- `1.3.5-...` are provided for selecting specific, immutable images + +If you update your images automatically via pulls, the `nightly` or `latest` are recommended. If you prefer to have control and reproducability or use a form of orchestration, the numeric tags are probably preferable. The `edge` tag offers a preview of software in future Alpine releases and as an early warning system to detect image build issues in these. ## Running the image 
@@ -14,14 +32,14 @@ docker run -d --restart="always" --read-only -p 8080:8080 -v $PWD/privatebin-dat The parameters in detail: -- `-v $PWD/privatebin-data:/srv/data` - replace `$PWD/privatebin-data` with the path to the folder on your system, where the pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop and restart the image or when you replace it. May be skipped if you just want to test the image. +- `-v $PWD/privatebin-data:/srv/data` - replace `$PWD/privatebin-data` with the path to the folder on your system, where the pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop and restart the image or when you replace it. May be skipped if you just want to test the image or use database or Google Cloud Storage backend. - `-p 8080:8080` - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments. - `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly, since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp, /var/run & /srv/data may be written into. - `-d` - launches the container in the background. You can use `docker ps` and `docker logs` to check if the container is alive and well. - `--restart="always"` - restart the container if it crashes, mainly useful for production setups > Note that the volume mounted must be owned by UID 65534 / GID 82. If you run the container in a docker instance with "userns-remap" you need to add your subuid/subgid range to these numbers. -> +> > Note, too, that this image exposes the same service on port 80, for backwards compatibility with older versions of the image. 
To use port 80 with the current image, you either need to have a filesystem with extended attribute support so the nginx binary can be granted the capability to bind to ports below 1024 as non-root user or you need to start the image with user id 0 (root) using the parameter `-u 0`. ### Custom configuration @@ -129,4 +147,3 @@ Nginx is required to serve static files and caches them, too. Requests to the in The Nginx setup supports only HTTP, so make sure that you run a reverse proxy in front of this for HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip text content. During the build of the image the PrivateBin release archive and the s6 overlay binaries are downloaded from Github. All the downloaded Alpine packages, s6 overlay binaries and the PrivateBin archive are validated using cryptographic signatures to ensure they have not been tempered with, before deploying them in the image. - diff --git a/README.pdo.md b/README.pdo.md new file mode 100644 index 0000000..469e4b8 --- /dev/null +++ b/README.pdo.md @@ -0,0 +1,7 @@ +# PrivateBin on Nginx, php-fpm & Alpine with PostgreSQL, MariaDB & MySQL backend + +**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). + +## Image variants + +This is an image optimized for PostgreSQL, MariaDB & MySQL storage backends. Please see the [generic image](https://hub.docker.com/r/privatebin/nginx-fpm-alpine) for details on how to use this image, other images variants and the different tags. \ No newline at end of file From ade60b7e1c838bf4f79a141063065fcf015c74c1 Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Wed, 14 Jul 2021 21:12:09 +0200 Subject: [PATCH 30/67] fix non-composer build --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 82a1ae3..71824a0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,9 +51,10 @@ RUN \ && wget -q ${RAWURL}${RELEASE}/composer.lock \ && composer remove --dev --no-update phpunit/phpunit \ && composer require --no-update ${COMPOSER_PACKAGES} \ - && composer update --no-dev --optimize-autoloader ;\ + && composer update --no-dev --optimize-autoloader \ + rm composer.* /usr/local/bin/* ;\ fi \ - && rm *.md cfg/conf.sample.php composer.* /usr/local/bin/* \ + && rm *.md cfg/conf.sample.php \ && mv cfg lib tpl vendor /srv \ && mkdir -p /srv/data \ && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \ From d372a1792f21299cc31eb27c73a64a6539716322 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 14 Jul 2021 21:21:12 +0200 Subject: [PATCH 31/67] fix build arguments --- buildx.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/buildx.sh b/buildx.sh index 68687da..a8ff4a8 100755 --- a/buildx.sh +++ b/buildx.sh @@ -30,7 +30,7 @@ docker_login() { image_build_arguments() { cat< Date: Wed, 14 Jul 2021 21:29:37 +0200 Subject: [PATCH 32/67] prevent premature argument expansion --- Dockerfile | 1 + buildx.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 71824a0..cf78a60 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ LABEL org.opencontainers.image.authors=support@privatebin.org \ RUN \ # Prepare composer dependencies + ALPINE_PACKAGES="$(echo ${ALPINE_PACKAGES} | sed 's/,/ /g')" ALPINE_COMPOSER_PACKAGES="" ;\ if [ -n "${COMPOSER_PACKAGES}" ] ; then \ ALPINE_COMPOSER_PACKAGES="php8 php8-curl php8-mbstring php8-phar" ;\ diff --git a/buildx.sh b/buildx.sh index a8ff4a8..d26e20a 100755 --- a/buildx.sh +++ b/buildx.sh 
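Review bot: In the PATCH 30/67 hunk, `&& composer update --no-dev --optimize-autoloader \` is followed by `rm composer.* /usr/local/bin/* ;\` with no `&&` between them, so the line continuation joins the two into one command: `rm`, the expanded `composer.*` names and the contents of `/usr/local/bin` become positional arguments of `composer update`, and the `rm` never executes, leaving the composer binary and the `php` symlink in the final image. The line should read `&& rm composer.* /usr/local/bin/* ;\`. The PATCH 32/67 Dockerfile hunk further down this line has a similar slip (`ALPINE_PACKAGES="$(...)"` without a terminating `;\`), which PATCH 33/67 on this page already corrects. The `RUN` instruction starts and ends outside both hunks.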
@@ -30,7 +30,7 @@ docker_login() { image_build_arguments() { cat< Date: Wed, 14 Jul 2021 21:32:17 +0200 Subject: [PATCH 33/67] stick to one convention --- Dockerfile | 2 +- buildx.sh | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index cf78a60..4c267cd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ LABEL org.opencontainers.image.authors=support@privatebin.org \ RUN \ # Prepare composer dependencies - ALPINE_PACKAGES="$(echo ${ALPINE_PACKAGES} | sed 's/,/ /g')" + ALPINE_PACKAGES="$(echo ${ALPINE_PACKAGES} | sed 's/,/ /g')" ;\ ALPINE_COMPOSER_PACKAGES="" ;\ if [ -n "${COMPOSER_PACKAGES}" ] ; then \ ALPINE_COMPOSER_PACKAGES="php8 php8-curl php8-mbstring php8-phar" ;\ diff --git a/buildx.sh b/buildx.sh index d26e20a..a0e597e 100755 --- a/buildx.sh +++ b/buildx.sh @@ -46,15 +46,13 @@ is_image_push_required() { main() { local PUSH TAG IMAGE BUILD_ARGS - if [ "$EVENT" = schedule ] - then + if [ "$EVENT" = schedule ] ; then TAG=nightly else TAG=${GITHUB_REF##*/} fi - if is_image_push_required - then + if is_image_push_required ; then PUSH=true docker_login else @@ -63,8 +61,7 @@ main() { sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge - image_build_arguments | while read -r IMAGE BUILD_ARGS - do + image_build_arguments | while read -r IMAGE BUILD_ARGS ; do build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" "$BUILD_ARGS" build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" done From f9ccd67ff6d0c311886f3b9fc55bbe3208a353db Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 14 Jul 2021 21:50:09 +0200 Subject: [PATCH 34/67] readd short-tag --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index a0e597e..03cb62d 100755 --- a/buildx.sh +++ b/buildx.sh 
@@ -62,7 +62,7 @@ main() { sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge image_build_arguments | while read -r IMAGE BUILD_ARGS ; do - build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" "$BUILD_ARGS" + build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" done From 2a42122e6efb49a677aab9d13f9084e34aa4c505 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Sat, 17 Jul 2021 20:57:55 +0200 Subject: [PATCH 35/67] alternatively build from git repository branch - by default, the dockerfile builds a released version of privatebin indicated by RELEASE - if RELEASE is not a semantic version, it is assumed to be a branch name and privatebin will be build from head. --- Dockerfile | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4786f27..80f88a6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ FROM alpine:3.14 -ARG RELEASE=1.3.5 ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql php8-openssl" ARG COMPOSER_PACKAGES=google/cloud-storage @@ -25,7 +24,7 @@ RUN \ fi \ # Install dependencies && apk upgrade --no-cache \ - && apk add --no-cache gnupg nginx php8-fpm php8-json php8-gd php8-opcache \ + && apk add --no-cache gnupg git nginx php8-fpm php8-json php8-gd php8-opcache \ s6-overlay tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ 
@@ -38,9 +37,16 @@ RUN \ && wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \ && rm -rf /var/www/* \ && cd /tmp \ - && wget -qO $RELEASE.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ - && wget -q ${PBURL}archive/${RELEASE}.tar.gz \ - && gpg2 --verify ${RELEASE}.tar.gz.asc \ + && if expr "${RELEASE}" : '[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}$' >/dev/null ; then \ + echo "getting release ${RELEASE}"; \ + wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \ + && wget -q ${PBURL}archive/${RELEASE}.tar.gz \ + && gpg2 --verify ${RELEASE}.tar.gz.asc ; \ + else \ + echo "getting tarball for ${RELEASE}"; \ + git clone ${PBURL%%/}.git -b ${RELEASE}; \ + (cd $(basename ${PBURL}) && git archive --prefix ${RELEASE}/ --format tgz ${RELEASE} > /tmp/${RELEASE}.tar.gz); \ + fi \ && if [ -n "${COMPOSER_PACKAGES}" ] ; then \ wget -qO composer-installer.php https://getcomposer.org/installer \ && ln -s $(which php8) /usr/local/bin/php \ @@ -69,7 +75,7 @@ RUN \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del gnupg ${ALPINE_COMPOSER_PACKAGES} + && apk del gnupg git ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ From 0591d10e1671556064a59772d9be249ad62b06d9 Mon Sep 17 00:00:00 2001 From: Gabriel Suarez Date: Wed, 4 Aug 2021 17:37:26 +0100 Subject: [PATCH 36/67] Fix reference to port on liveness and readiness probes --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 489219a..73e56b1 100644 --- a/README.md +++ b/README.md @@ -117,11 +117,11 @@ spec: livenessProbe: httpGet: path: / - port: http + port: 8080 readinessProbe: httpGet: path: / - port: http + port: 8080 volumeMounts: - mountPath: /srv/data name: privatebin-data From 861a91f0b6854756ff4a72f27797e1ef6eacfa43 Mon Sep 17 00:00:00 2001 
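Review bot: The `else` branch added to the `RUN` instruction builds from an arbitrary branch via `git clone ${PBURL%%/}.git -b ${RELEASE}` with no signature check or commit pinning, so any `RELEASE` that does not match `x.y.z` (including a mistyped tag) silently takes the unverified path instead of failing. The two commands in that branch are joined with `;`, so a failed clone or archive is only noticed later when `tar -xzf` cannot find the tarball; chaining them with `&&` gives a clear failure at the point it happens. Recording what was actually built, e.g. writing the output of `git rev-parse HEAD` into a file under `/srv` before the clone is discarded, makes such branch images attributable after the fact. The `RUN` instruction starts and ends outside the hunk.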
From: El RIDO Date: Mon, 9 Aug 2021 21:12:16 +0200 Subject: [PATCH 37/67] switch from s6-overlay to s6-rc, fixes #57 --- Dockerfile | 15 +++++++++------ etc/s6-linux-init/skel/rc.init | 6 ++++++ etc/s6/services/default/contents | 2 ++ etc/s6/services/default/type | 1 + etc/s6/services/nginx/dependencies | 1 + etc/s6/services/nginx/run | 2 +- etc/s6/services/nginx/type | 1 + etc/s6/services/php-fpm8/run | 3 +-- etc/s6/services/php-fpm8/type | 1 + 9 files changed, 23 insertions(+), 9 deletions(-) create mode 100755 etc/s6-linux-init/skel/rc.init create mode 100644 etc/s6/services/default/contents create mode 100644 etc/s6/services/default/type create mode 100644 etc/s6/services/nginx/dependencies create mode 100644 etc/s6/services/nginx/type create mode 100644 etc/s6/services/php-fpm8/type diff --git a/Dockerfile b/Dockerfile index 80f88a6..f4ab39d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ ARG COMPOSER_PACKAGES=google/cloud-storage ARG PBURL=https://github.com/PrivateBin/PrivateBin/ ARG RELEASE=1.3.5 -ENV CONFIG_PATH=/srv/cfg S6_READ_ONLY_ROOT=1 +ENV CONFIG_PATH=/srv/cfg LABEL org.opencontainers.image.authors=support@privatebin.org \ org.opencontainers.image.vendor=PrivateBin \ @@ -25,7 +25,7 @@ RUN \ # Install dependencies && apk upgrade --no-cache \ && apk add --no-cache gnupg git nginx php8-fpm php8-json php8-gd php8-opcache \ - s6-overlay tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ + s6-linux-init s6-rc tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ && rm -rf /etc/nginx/sites-* \ 
@@ -67,18 +67,21 @@ RUN \ && mkdir -p /srv/data \ && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \ # Support running s6 under a non-root user - && mkdir -p /etc/s6/services/nginx/supervise /etc/s6/services/php-fpm8/supervise \ + && mkdir -p /etc/s6/services/nginx/supervise /etc/s6/services/php-fpm8/supervise /etc/s6-rc \ && mkfifo \ /etc/s6/services/nginx/supervise/control \ /etc/s6/services/php-fpm8/supervise/control \ && chown -R 65534:82 /etc/s6 /run /srv/* /var/lib/nginx /var/www \ - && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ + && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp /usr/bin/s6-linux-init* \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del gnupg git ${ALPINE_COMPOSER_PACKAGES} + && apk del --no-cache gnupg git ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ +RUN s6-rc-compile /etc/s6-rc/compiled /etc/s6/services \ + && s6-linux-init-maker -C -N -B /etc/s6-linux-init/current + WORKDIR /var/www # user nobody, group www-data USER 65534:82 @@ -88,4 +91,4 @@ VOLUME /run /srv/data /tmp /var/lib/nginx/tmp EXPOSE 8080 -ENTRYPOINT ["/init"] +ENTRYPOINT ["/etc/s6-linux-init/current/bin/init"] diff --git a/etc/s6-linux-init/skel/rc.init b/etc/s6-linux-init/skel/rc.init new file mode 100755 index 0000000..44a44da --- /dev/null +++ b/etc/s6-linux-init/skel/rc.init @@ -0,0 +1,6 @@ +#!/bin/sh -e +rl="$1" +shift + +s6-rc-init /run/service +s6-rc -v2 -u change default diff --git a/etc/s6/services/default/contents b/etc/s6/services/default/contents new file mode 100644 index 0000000..8126d15 --- /dev/null +++ b/etc/s6/services/default/contents @@ -0,0 +1,2 @@ +nginx +php-fpm8 diff --git a/etc/s6/services/default/type b/etc/s6/services/default/type new file mode 100644 index 0000000..757b422 --- /dev/null +++ b/etc/s6/services/default/type @@ -0,0 +1 @@ +bundle diff --git a/etc/s6/services/nginx/dependencies b/etc/s6/services/nginx/dependencies new file mode 100644 index 0000000..ea810df --- /dev/null 
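Review bot: `chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp /usr/bin/s6-linux-init*` now makes the init binaries world-writable, so when the root filesystem is not mounted read-only any code running as the unprivileged service user (php-fpm included) can replace the program executed as the container's `ENTRYPOINT` on the next start; image scanners flag world-writable executables for exactly this reason. If the glob was added for the execute bit, `o+rx` is sufficient, and if `s6-linux-init` genuinely needs write access there, a comment on that line saying why would document the trade-off. The `RUN` instruction starts outside the hunk.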
+++ b/etc/s6/services/nginx/dependencies @@ -0,0 +1 @@ +php-fpm8 diff --git a/etc/s6/services/nginx/run b/etc/s6/services/nginx/run index 04f7412..167c417 100755 --- a/etc/s6/services/nginx/run +++ b/etc/s6/services/nginx/run @@ -1,4 +1,4 @@ -#!/usr/bin/execlineb -P +#!/bin/execlineb -P forx -o 127 timer { 0 1 2 3 4 5 6 7 8 9 } ifelse { test -S /var/run/php-fpm.sock diff --git a/etc/s6/services/nginx/type b/etc/s6/services/nginx/type new file mode 100644 index 0000000..5883cff --- /dev/null +++ b/etc/s6/services/nginx/type @@ -0,0 +1 @@ +longrun diff --git a/etc/s6/services/php-fpm8/run b/etc/s6/services/php-fpm8/run index 113c517..95289f6 100755 --- a/etc/s6/services/php-fpm8/run +++ b/etc/s6/services/php-fpm8/run @@ -1,3 +1,2 @@ -#!/usr/bin/execlineb -P -with-contenv +#!/bin/execlineb -P /usr/sbin/php-fpm8 diff --git a/etc/s6/services/php-fpm8/type b/etc/s6/services/php-fpm8/type new file mode 100644 index 0000000..5883cff --- /dev/null +++ b/etc/s6/services/php-fpm8/type @@ -0,0 +1 @@ +longrun From 48ef77a7aa2e6e1197b43f3c280038e3b67e74e8 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 11 Aug 2021 20:26:32 +0200 Subject: [PATCH 38/67] fix s6-rc database permissions, required for running with read-write root fs, fixes #59 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index f4ab39d..60049ad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -80,6 +80,7 @@ RUN \ COPY etc/ /etc/ RUN s6-rc-compile /etc/s6-rc/compiled /etc/s6/services \ + && chown -R 65534:82 /etc/s6-rc/compiled \ && s6-linux-init-maker -C -N -B /etc/s6-linux-init/current WORKDIR /var/www From 9e7cc388b770a5a7f6e508bbec5048630508f7be Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 14 Aug 2021 10:42:42 +0200 Subject: [PATCH 39/67] remove obsolete note reg. port 80 --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 73e56b1..9cd3dc1 100644 --- a/README.md +++ b/README.md 
@@ -39,8 +39,6 @@ The parameters in detail: - `--restart="always"` - restart the container if it crashes, mainly useful for production setups > Note that the volume mounted must be owned by UID 65534 / GID 82. If you run the container in a docker instance with "userns-remap" you need to add your subuid/subgid range to these numbers. -> -> Note, too, that this image exposes the same service on port 80, for backwards compatibility with older versions of the image. To use port 80 with the current image, you either need to have a filesystem with extended attribute support so the nginx binary can be granted the capability to bind to ports below 1024 as non-root user or you need to start the image with user id 0 (root) using the parameter `-u 0`. ### Custom configuration From fcfa332495521f20299d0770039a4ed1412d69ea Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 19 Aug 2021 10:15:52 +0200 Subject: [PATCH 40/67] preserve environment for PHP, adresses regression reported in #62 --- Dockerfile | 2 +- etc/s6/services/php-fpm8/run | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 60049ad..b12b859 100644 --- a/Dockerfile +++ b/Dockerfile @@ -81,7 +81,7 @@ COPY etc/ /etc/ RUN s6-rc-compile /etc/s6-rc/compiled /etc/s6/services \ && chown -R 65534:82 /etc/s6-rc/compiled \ - && s6-linux-init-maker -C -N -B /etc/s6-linux-init/current + && s6-linux-init-maker -C -N -B -s /run/env /etc/s6-linux-init/current WORKDIR /var/www # user nobody, group www-data diff --git a/etc/s6/services/php-fpm8/run b/etc/s6/services/php-fpm8/run index 95289f6..d6761d4 100755 --- a/etc/s6/services/php-fpm8/run +++ b/etc/s6/services/php-fpm8/run @@ -1,2 +1,3 @@ #!/bin/execlineb -P +s6-envdir /run/env /usr/sbin/php-fpm8 From 390d7cb50f6ba70e8c381e105c213ebfdd2fa7b7 Mon Sep 17 00:00:00 2001 
From: rugk Date: Wed, 25 Aug 2021 23:10:39 +0200 Subject: [PATCH 41/67] =?UTF-8?q?Let's=20properly=20name=20things=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Of course this is less of a build and more of a build for analysis with Trivy… --- .github/workflows/trivy-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml index 65c1496..f1bf369 100644 --- a/.github/workflows/trivy-analysis.yml +++ b/.github/workflows/trivy-analysis.yml @@ -1,4 +1,4 @@ -name: build +name: trivy-analysis on: push: branches: [ master ] From c851b020836ec3c86b83eb049b1cc125b65becce Mon Sep 17 00:00:00 2001 From: rugk Date: Wed, 1 Sep 2021 01:25:09 +0200 Subject: [PATCH 42/67] Enable Dependabot for Docker and GitHub Actions AFAIK (and this was new to me) Dependabot is not active by default. This enables it for all dependencies here (Github Actions and Docker), so it scans and suggests updates. --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..1cb3000 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +version: 2 +updates: + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "daily" + # Maintain dependencies for GitHub Actions + # src: https://github.com/marketplace/actions/build-and-push-docker-images#keep-up-to-date-with-github-dependabot + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" From 1f998aab8a0802a4884a564b0073d779d835644d Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Tue, 7 Sep 2021 07:16:02 +0200 Subject: [PATCH 43/67] remove s6-linux-init & s6-rc from stack --- Dockerfile | 18 ++++++++---------- etc/init.d/rc.local | 3 +++ etc/s6-linux-init/skel/rc.init | 6 ------ etc/s6/services/default/contents | 2 -- etc/s6/services/default/type | 1 - etc/s6/services/nginx/dependencies | 1 - etc/s6/services/nginx/type | 1 - etc/s6/services/php-fpm8/run | 1 - etc/s6/services/php-fpm8/type | 1 - 9 files changed, 11 insertions(+), 23 deletions(-) create mode 100755 etc/init.d/rc.local delete mode 100755 etc/s6-linux-init/skel/rc.init delete mode 100644 etc/s6/services/default/contents delete mode 100644 etc/s6/services/default/type delete mode 100644 etc/s6/services/nginx/dependencies delete mode 100644 etc/s6/services/nginx/type delete mode 100644 etc/s6/services/php-fpm8/type diff --git a/Dockerfile b/Dockerfile index b12b859..d58094b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,8 @@ ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql php8-openssl" ARG COMPOSER_PACKAGES=google/cloud-storage ARG PBURL=https://github.com/PrivateBin/PrivateBin/ ARG RELEASE=1.3.5 +ARG UID=65534 +ARG GID=82 ENV CONFIG_PATH=/srv/cfg @@ -25,7 +27,7 @@ RUN \ # Install dependencies && apk upgrade --no-cache \ && apk add --no-cache gnupg git nginx php8-fpm php8-json php8-gd php8-opcache \ - s6-linux-init s6-rc tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ + s6 tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ && rm -rf /etc/nginx/sites-* \ 
@@ -67,29 +69,25 @@ RUN \ && mkdir -p /srv/data \ && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \ # Support running s6 under a non-root user - && mkdir -p /etc/s6/services/nginx/supervise /etc/s6/services/php-fpm8/supervise /etc/s6-rc \ + && mkdir -p /etc/s6/services/nginx/supervise /etc/s6/services/php-fpm8/supervise \ && mkfifo \ /etc/s6/services/nginx/supervise/control \ /etc/s6/services/php-fpm8/supervise/control \ - && chown -R 65534:82 /etc/s6 /run /srv/* /var/lib/nginx /var/www \ - && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp /usr/bin/s6-linux-init* \ + && chown -R ${UID}:${GID} /etc/s6 /run /srv/* /var/lib/nginx /var/www \ + && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ && apk del --no-cache gnupg git ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ -RUN s6-rc-compile /etc/s6-rc/compiled /etc/s6/services \ - && chown -R 65534:82 /etc/s6-rc/compiled \ - && s6-linux-init-maker -C -N -B -s /run/env /etc/s6-linux-init/current - WORKDIR /var/www # user nobody, group www-data -USER 65534:82 +USER ${UID}:${GID} # mark dirs as volumes that need to be writable, allows running the container --read-only VOLUME /run /srv/data /tmp /var/lib/nginx/tmp EXPOSE 8080 -ENTRYPOINT ["/etc/s6-linux-init/current/bin/init"] +ENTRYPOINT ["/etc/init.d/rc.local"] diff --git a/etc/init.d/rc.local b/etc/init.d/rc.local new file mode 100755 index 0000000..b9a94ce --- /dev/null +++ b/etc/init.d/rc.local @@ -0,0 +1,3 @@ +#!/bin/execlineb -P +foreground { cp -r /etc/s6/services /run } +/bin/s6-svscan /run/services \ No newline at end of file diff --git a/etc/s6-linux-init/skel/rc.init b/etc/s6-linux-init/skel/rc.init deleted file mode 100755 index 44a44da..0000000 --- a/etc/s6-linux-init/skel/rc.init +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -e -rl="$1" -shift - -s6-rc-init /run/service -s6-rc -v2 -u change default 
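Review bot: The comment `# user nobody, group www-data` above `USER ${UID}:${GID}` is now stale, because the ids are build arguments and an override such as `--build-arg UID=0` changes which account nginx and php-fpm run as without any hint in the Dockerfile. Rephrase it to state the defaults and the override, e.g. `# defaults: user nobody (65534), group www-data (82); override with --build-arg UID=... GID=...`, and consider the same wording next to `ARG UID=65534` / `ARG GID=82` in the earlier hunk. The kept `chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp` makes those directories world-writable although ownership is now set to the configurable ids one line above; if the bits stay for runtimes that assign an arbitrary uid, a comment saying so would stop a later reader from treating them as leftover. The RUN instruction starts before this hunk.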
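Review bot: `foreground { cp -r /etc/s6/services /run }` discards the exit status of the copy, so when `/run` is not writable or the copy stops part-way, `/bin/s6-svscan /run/services` still starts against a missing or incomplete service tree and the failure only surfaces later as a supervisor with nothing to run. Unless tolerating a failed copy is intended, `if { cp -r /etc/s6/services /run }` aborts with the copy's exit code and makes the container exit where the problem is. The file is also written without a trailing newline (`\ No newline at end of file`).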
diff --git a/etc/s6/services/default/contents b/etc/s6/services/default/contents deleted file mode 100644 index 8126d15..0000000 --- a/etc/s6/services/default/contents +++ /dev/null @@ -1,2 +0,0 @@ -nginx -php-fpm8 diff --git a/etc/s6/services/default/type b/etc/s6/services/default/type deleted file mode 100644 index 757b422..0000000 --- a/etc/s6/services/default/type +++ /dev/null @@ -1 +0,0 @@ -bundle diff --git a/etc/s6/services/nginx/dependencies b/etc/s6/services/nginx/dependencies deleted file mode 100644 index ea810df..0000000 --- a/etc/s6/services/nginx/dependencies +++ /dev/null @@ -1 +0,0 @@ -php-fpm8 diff --git a/etc/s6/services/nginx/type b/etc/s6/services/nginx/type deleted file mode 100644 index 5883cff..0000000 --- a/etc/s6/services/nginx/type +++ /dev/null @@ -1 +0,0 @@ -longrun diff --git a/etc/s6/services/php-fpm8/run b/etc/s6/services/php-fpm8/run index d6761d4..95289f6 100755 --- a/etc/s6/services/php-fpm8/run +++ b/etc/s6/services/php-fpm8/run @@ -1,3 +1,2 @@ #!/bin/execlineb -P -s6-envdir /run/env /usr/sbin/php-fpm8 diff --git a/etc/s6/services/php-fpm8/type b/etc/s6/services/php-fpm8/type deleted file mode 100644 index 5883cff..0000000 --- a/etc/s6/services/php-fpm8/type +++ /dev/null @@ -1 +0,0 @@ -longrun From 6ea584c3911506663b83a42e841d8c933275f471 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Sep 2021 05:15:31 +0000 Subject: [PATCH 44/67] Bump zaproxy/action-full-scan from 0.2.0 to 0.3.0 Bumps [zaproxy/action-full-scan](https://github.com/zaproxy/action-full-scan) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/zaproxy/action-full-scan/releases) - [Changelog](https://github.com/zaproxy/action-full-scan/blob/master/CHANGELOG.md) - [Commits](https://github.com/zaproxy/action-full-scan/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: zaproxy/action-full-scan dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/owasp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml index 99afa3a..d0ebc4d 100644 --- a/.github/workflows/owasp.yml +++ b/.github/workflows/owasp.yml @@ -35,7 +35,7 @@ jobs: # Run OWASP scan - name: OWASP ZAP Full Scan - uses: zaproxy/action-full-scan@v0.2.0 + uses: zaproxy/action-full-scan@v0.3.0 with: # GitHub Token to create issues in the repository #token: # optional, default is ${{ github.token }} From b737f81c4f5da850ce46e05850bef37ffd4e9a55 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 15 Sep 2021 19:18:20 +0200 Subject: [PATCH 45/67] work around corner case with deletion of temporary files using busybox rm --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d58094b..e57e3ac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN \ # Ensure nginx logs, even if the config has errors, are written to stderr && ln -s /dev/stderr /var/log/nginx/error.log \ # Install PrivateBin - && export GNUPGHOME="$(mktemp -d)" \ + && export GNUPGHOME="$(mktemp -d -p /tmp)" \ && gpg2 --list-public-keys || /bin/true \ && wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \ && rm -rf /var/www/* \ @@ -76,7 +76,7 @@ RUN \ && chown -R ${UID}:${GID} /etc/s6 /run /srv/* /var/lib/nginx /var/www \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up - && rm -rf "${GNUPGHOME}" /tmp/* \ + && rm -rf /tmp/* \ && apk del --no-cache gnupg git ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ From 85a24618b098112c9d58aa97fdd036cb5b52d450 Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Sun, 26 Sep 2021 10:28:06 +0200 Subject: [PATCH 46/67] ssl_client will become obsolete when busybox gets migrated to openssl 3, for now we need to still add it explicitly for current alpine edge, while this is being worked on --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e57e3ac..395cb91 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,7 +27,7 @@ RUN \ # Install dependencies && apk upgrade --no-cache \ && apk add --no-cache gnupg git nginx php8-fpm php8-json php8-gd php8-opcache \ - s6 tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ + s6 ssl_client tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ && rm -rf /etc/nginx/sites-* \ @@ -77,7 +77,7 @@ RUN \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up && rm -rf /tmp/* \ - && apk del --no-cache gnupg git ${ALPINE_COMPOSER_PACKAGES} + && apk del --no-cache gnupg git ssl_client ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ From 58ece9ae1a3dff76d5eb788d1b6a10cb1663dc87 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 29 Sep 2021 05:43:58 +0200 Subject: [PATCH 47/67] ensure gpg-agent is dead, before deleting the $GNUPGHOME --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 395cb91..2770a75 100644 --- a/Dockerfile +++ b/Dockerfile @@ -76,6 +76,7 @@ RUN \ && chown -R ${UID}:${GID} /etc/s6 /run /srv/* /var/lib/nginx /var/www \ && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \ # Clean up + && gpgconf --kill gpg-agent \ && rm -rf /tmp/* \ && apk del --no-cache gnupg git ssl_client ${ALPINE_COMPOSER_PACKAGES} From 0309527d8861ab219b50332cad7b293bcb35e4a2 Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Wed, 29 Sep 2021 06:02:14 +0200 Subject: [PATCH 48/67] run the edge builds in a separate loop --- buildx.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/buildx.sh b/buildx.sh index 03cb62d..78007de 100755 --- a/buildx.sh +++ b/buildx.sh @@ -59,10 +59,14 @@ main() { PUSH=false fi - sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge - image_build_arguments | while read -r IMAGE BUILD_ARGS ; do build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" + done + + # run the edge builds in a separate loop, to avoid issues in them from + # preventing the stable image builds and pushes to conclude + sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge + image_build_arguments | while read -r IMAGE BUILD_ARGS ; do build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" done From 76234b4a1e64dbd079f1e52fb07eb9c6f6c38c0f Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 29 Sep 2021 19:41:07 +0200 Subject: [PATCH 49/67] split stable & edge builds, for parallelization & avoiding failures in one to prevent the other images to build --- .github/workflows/build-images.yml | 7 ++++++- buildx.sh | 18 ++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index 27b432a..4fef474 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml @@ -12,6 +12,11 @@ on: jobs: buildx: runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + image: [stable, edge] + name: Build images based on ${{ matrix.image }} Alpine release steps: - name: Checkout uses: actions/checkout@v2 @@ -27,4 +32,4 @@ jobs: env: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - run: ./buildx.sh ${{ github.event_name }} + run: ./buildx.sh ${{ github.event_name }} ${{ matrix.image }} 
diff --git a/buildx.sh b/buildx.sh index 78007de..5f722e5 100755 --- a/buildx.sh +++ b/buildx.sh @@ -5,6 +5,8 @@ set -euxo pipefail EVENT=$1 +EDGE=false +[ "$2" = edge ] && EDGE=true build_image() { local PUSH @@ -59,15 +61,15 @@ main() { PUSH=false fi + if [ "$EDGE" = true ] ; then + sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge + fi image_build_arguments | while read -r IMAGE BUILD_ARGS ; do - build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" - done - - # run the edge builds in a separate loop, to avoid issues in them from - # preventing the stable image builds and pushes to conclude - sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge - image_build_arguments | while read -r IMAGE BUILD_ARGS ; do - build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" + if [ "$EDGE" = false ] ; then + build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" + else + build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" + fi done rm -f Dockerfile.edge "$HOME/.docker/config.json" From c841e76c7e4c87d0fbde88ee7b75cd645d12666f Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 29 Sep 2021 20:03:42 +0200 Subject: [PATCH 50/67] fully unwind & parallelize loop --- .github/workflows/build-images.yml | 9 ++++--- buildx.sh | 42 ++++++++++++++++-------------- 2 files changed, 28 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index 4fef474..f944a21 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml @@ -1,4 +1,4 @@ -name: Deploy multi-architecture Docker images for privatebin with buildx +name: Build & Deploy container image on: schedule: 
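Review bot: `[ "$2" = edge ] && EDGE=true` dereferences `$2` unconditionally while `set -euxo pipefail` is in effect (hunk header context), so any invocation that omits the second argument, which is how every caller ran the script before this commit, now aborts with an unbound-variable error instead of defaulting to a stable build. Use a default expansion, `[ "${2:-}" = edge ] && EDGE=true`; the same applies to `IMAGE=$2` and `[ "$3" = edge ]` in the next commit's buildx.sh hunk. The second hunk of this file (`if [ "$EDGE" = true ]`) is fine as written because `EDGE` is always initialised first.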
@@ -15,8 +15,9 @@ jobs: strategy: fail-fast: false matrix: - image: [stable, edge] - name: Build images based on ${{ matrix.image }} Alpine release + base-image: [stable, edge] + destination-image: [nginx-fpm-alpine, fs, pdo, gcs] + name: ${{ matrix.destination-image }} image / ${{ matrix.base-image }} release steps: - name: Checkout uses: actions/checkout@v2 @@ -32,4 +33,4 @@ jobs: env: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - run: ./buildx.sh ${{ github.event_name }} ${{ matrix.image }} + run: ./buildx.sh ${{ github.event_name }} ${{ matrix.destination-image }} ${{ matrix.base-image }} diff --git a/buildx.sh b/buildx.sh index 5f722e5..6da2ae1 100755 --- a/buildx.sh +++ b/buildx.sh @@ -5,8 +5,9 @@ set -euxo pipefail EVENT=$1 +IMAGE=$2 EDGE=false -[ "$2" = edge ] && EDGE=true +[ "$3" = edge ] && EDGE=true build_image() { local PUSH @@ -29,15 +30,6 @@ docker_login() { --password-stdin } -image_build_arguments() { - cat< Dockerfile.edge + build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" fi - image_build_arguments | while read -r IMAGE BUILD_ARGS ; do - if [ "$EDGE" = false ] ; then - build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" - else - build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" - fi - done rm -f Dockerfile.edge "$HOME/.docker/config.json" } From 93fe705e7d0f355d878a25f528b4e2b9f2857cda Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 30 Sep 2021 05:11:53 +0200 Subject: [PATCH 51/67] invert edge logic, for consistency --- buildx.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/buildx.sh b/buildx.sh index 6da2ae1..e2a6b0c 100755 --- a/buildx.sh +++ b/buildx.sh 
@@ -69,11 +69,11 @@ main() { esac IMAGE="privatebin/$IMAGE" - if [ "$EDGE" = false ] ; then - build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" - else + if [ "$EDGE" = true ] ; then sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" + else + build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" fi rm -f Dockerfile.edge "$HOME/.docker/config.json" From 90b0271bf23e2ba8aa05f9210e4438a15376e97f Mon Sep 17 00:00:00 2001 From: Sylvain Rabot Date: Fri, 8 Oct 2021 13:38:44 +0200 Subject: [PATCH 52/67] Add Cache-Control header with no-transform directive This should avoid that proxies like Cloudflare and others break SRI. Signed-off-by: Sylvain Rabot --- etc/nginx/http.d/site.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/nginx/http.d/site.conf b/etc/nginx/http.d/site.conf index e02e172..e05fe16 100644 --- a/etc/nginx/http.d/site.conf +++ b/etc/nginx/http.d/site.conf @@ -18,6 +18,14 @@ server { try_files $uri $uri/ /index.php$is_args$args; } + location ~ \.js$ { + # no-transform tells Cloudflare and others to not change the content of + # the file and thus breaking SRI. + # https://developers.cloudflare.com/cache/about/cache-control#other + add header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; + try_files $uri $uri/ =404; + } + location ~ \.php$ { include /etc/nginx/location.d/*.conf; fastcgi_pass unix:/run/php-fpm.sock; From df4436b7980b839f7ef04f153519128a19c93c3a Mon Sep 17 00:00:00 2001 From: rugk Date: Sat, 9 Oct 2021 17:24:10 +0200 Subject: [PATCH 53/67] Fix syntax error in nginx config This prevented the startup of the nginx server and thus the container. Fixes https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/75 --- etc/nginx/http.d/site.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
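Review bot: `add_header` directives are inherited from the enclosing level only when the current level defines none, so the single `add_header Cache-Control ...` inside the new `location ~ \.js$` block means responses for `.js` files lose every server-level header this file sets elsewhere (the Cross-Origin-*-Policy, Referrer-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection lines visible as context in the later site.conf hunks). Either repeat those directives in this location or set the Cache-Control header at the level where the others are defined. `add header` also has to be spelled `add_header`, otherwise nginx rejects the configuration at startup. The server block starts before this hunk.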
diff --git a/etc/nginx/http.d/site.conf b/etc/nginx/http.d/site.conf index e05fe16..27d0fe1 100644 --- a/etc/nginx/http.d/site.conf +++ b/etc/nginx/http.d/site.conf @@ -22,7 +22,7 @@ server { # no-transform tells Cloudflare and others to not change the content of # the file and thus breaking SRI. # https://developers.cloudflare.com/cache/about/cache-control#other - add header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; + add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; try_files $uri $uri/ =404; } From 25abb55cd0cb6602b354ae9f4ebd47e4350cc9df Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 13 Oct 2021 19:55:02 +0200 Subject: [PATCH 54/67] move Cache-Control header to server block, making js location unnecessary --- etc/nginx/http.d/site.conf | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/etc/nginx/http.d/site.conf b/etc/nginx/http.d/site.conf index 27d0fe1..5892175 100644 --- a/etc/nginx/http.d/site.conf +++ b/etc/nginx/http.d/site.conf @@ -5,6 +5,10 @@ server { root /var/www; index index.php index.html index.htm; + # no-transform tells Cloudflare and others to not change the content of + # the file and thus breaking SRI. + # https://developers.cloudflare.com/cache/about/cache-control#other + add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; add_header Cross-Origin-Embedder-Policy require-corp; add_header Cross-Origin-Resource-Policy same-origin; add_header Cross-Origin-Opener-Policy same-origin; 
@@ -18,14 +22,6 @@ server { try_files $uri $uri/ /index.php$is_args$args; } - location ~ \.js$ { - # no-transform tells Cloudflare and others to not change the content of - # the file and thus breaking SRI. - # https://developers.cloudflare.com/cache/about/cache-control#other - add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; - try_files $uri $uri/ =404; - } - location ~ \.php$ { include /etc/nginx/location.d/*.conf; fastcgi_pass unix:/run/php-fpm.sock; @@ -33,6 +29,7 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; + fastcgi_hide_header Cache-Control; fastcgi_hide_header Cross-Origin-Embedder-Policy; fastcgi_hide_header Cross-Origin-Resource-Policy; fastcgi_hide_header Cross-Origin-Opener-Policy; From 4afa86cb3e3e8898453b60754f99012264f25222 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 19:27:04 +0200 Subject: [PATCH 55/67] move headers to static location block, makes fastcgi_hide_header unnecessary --- etc/nginx/http.d/site.conf | 36 +++++++++++++++--------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/etc/nginx/http.d/site.conf b/etc/nginx/http.d/site.conf index 5892175..d419a98 100644 --- a/etc/nginx/http.d/site.conf +++ b/etc/nginx/http.d/site.conf 
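Review bot: `fastcgi_hide_header Cache-Control;` drops whatever Cache-Control the PHP application sends and, together with the server-level `add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform"` from the first hunk of this commit, marks every response proxied from `/index.php` as publicly cacheable for an hour, including the dynamic HTML and JSON the application generates. If the goal was only to carry `no-transform` through to proxies, this is broader than needed: a shared cache or CDN may now hand one client's dynamic response to another, or keep serving a paste after it was deleted. Keep the `public, max-age=3600` part for static files only, or leave the upstream Cache-Control visible and let the application decide, and add a comment stating which responses the directive is meant to cover. The server block starts before this hunk.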
@@ -5,19 +5,22 @@ server { root /var/www; index index.php index.html index.htm; - # no-transform tells Cloudflare and others to not change the content of - # the file and thus breaking SRI. - # https://developers.cloudflare.com/cache/about/cache-control#other - add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; - add_header Cross-Origin-Embedder-Policy require-corp; - add_header Cross-Origin-Resource-Policy same-origin; - add_header Cross-Origin-Opener-Policy same-origin; - add_header Referrer-Policy no-referrer; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options deny; - add_header X-XSS-Protection "1; mode=block"; - location / { + # no-transform tells Cloudflare and others to not change the content of + # the file and thus breaking SRI. + # https://developers.cloudflare.com/cache/about/cache-control#other + add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform"; + add_header Cross-Origin-Embedder-Policy require-corp; + add_header Cross-Origin-Opener-Policy same-origin; + add_header Cross-Origin-Resource-Policy same-origin; + # opt-out of Google FloC + # https://developer.chrome.com/blog/floc/#how-can-websites-opt-out-of-the-floc-computation + add_header Permissions-Policy interest-cohort=(); + add_header Referrer-Policy no-referrer; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options deny; + add_header X-XSS-Protection "1; mode=block"; + include /etc/nginx/location.d/*.conf; try_files $uri $uri/ /index.php$is_args$args; } 
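Review bot: With the `add_header` block moved into `location /` and the server-level copies removed, `location ~ \.php$` inherits no `add_header` at all, so responses produced by `/index.php` (which `try_files ... /index.php$is_args$args` reaches through an internal redirect) no longer carry any of these headers from nginx, including the new `Permissions-Policy interest-cohort=()`; the `fastcgi_hide_header` lines removed in the next hunk suggest the application sends its own set, but that is now the only source. A comment above the block should say so explicitly, e.g. `# static files only: PHP responses get their headers from the application (index.php)`, so a header added here later is not assumed to cover dynamic responses. If `Permissions-Policy` is not among the headers the application sends, it needs to be added on that side rather than here. The server block starts before this hunk.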
@@ -29,15 +32,6 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; - fastcgi_hide_header Cache-Control; - fastcgi_hide_header Cross-Origin-Embedder-Policy; - fastcgi_hide_header Cross-Origin-Resource-Policy; - fastcgi_hide_header Cross-Origin-Opener-Policy; - fastcgi_hide_header Referrer-Policy; - fastcgi_hide_header X-Content-Type-Options; - fastcgi_hide_header X-Frame-Options; - fastcgi_hide_header X-XSS-Protection; - # Prevent exposing nginx + version to $_SERVER fastcgi_param SERVER_SOFTWARE ""; } From 0fa6605d918ab11e8e385510780571eb78d82b79 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 20:44:53 +0200 Subject: [PATCH 56/67] add a smoketest of the amd64 image, before pushing all archs --- buildx.sh | 48 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/buildx.sh b/buildx.sh index e2a6b0c..d9fd415 100755 --- a/buildx.sh +++ b/buildx.sh @@ -10,17 +10,22 @@ EDGE=false [ "$3" = edge ] && EDGE=true build_image() { - local PUSH - PUSH=$1 - shift 1 - docker buildx build \ --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ - --output type=image,push="$PUSH" \ + --progress plain \ + --output type=image \ --pull \ --no-cache \ + "$@" \ + . +} + +push_image() { + docker buildx build \ + --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ --progress plain \ - $@ \ + --push \ + "$@" \ . } @@ -38,7 +43,7 @@ is_image_push_required() { } main() { - local PUSH TAG BUILD_ARGS + local TAG BUILD_ARGS if [ "$EVENT" = schedule ] ; then TAG=nightly @@ -46,13 +51,6 @@ main() { TAG=${GITHUB_REF##*/} fi - if is_image_push_required ; then - PUSH=true - docker_login - else - PUSH=false - fi - case "$IMAGE" in fs) BUILD_ARGS="--build-arg ALPINE_PACKAGES= --build-arg COMPOSER_PACKAGES=" 
@@ -71,9 +69,27 @@ main() { if [ "$EDGE" = true ] ; then sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge - build_image $PUSH -f Dockerfile.edge --tag "$IMAGE:edge" "$BUILD_ARGS" + BUILD_ARGS="-f Dockerfile.edge --tag $IMAGE:edge $BUILD_ARGS" + IMAGE="$IMAGE:edge" else - build_image $PUSH --tag "$IMAGE:latest" --tag "$IMAGE:$TAG" --tag "${IMAGE}:${TAG%%-*}" "$BUILD_ARGS" + BUILD_ARGS="--tag $IMAGE:latest --tag $IMAGE:$TAG --tag ${IMAGE}:${TAG%%-*} $BUILD_ARGS" + IMAGE="$IMAGE:latest" + fi + build_image "$BUILD_ARGS" + + docker run -d --rm -p 127.0.0.1:8080:8080 --read-only --name smoketest "$IMAGE" + sleep 5 # give the services time to start up and the log to collect any errors that might occur + test "$(docker inspect --format="{{.State.Running}}" smoketest)" = true + curl --silent --show-error -o /dev/null http://127.0.0.1:8080/ + if docker logs smoketest 2>&1 | grep -E "warn|emerg|fatal|panic" + then + exit 1 + fi + docker stop smoketest + + if is_image_push_required ; then + docker_login + push_image "$BUILD_ARGS" fi rm -f Dockerfile.edge "$HOME/.docker/config.json" From 10af547866694023fa8067dad36999da6c9a8048 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 20:56:14 +0200 Subject: [PATCH 57/67] need these arguments to get split --- buildx.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/buildx.sh b/buildx.sh index d9fd415..84877b4 100755 --- a/buildx.sh +++ b/buildx.sh @@ -16,7 +16,7 @@ build_image() { --output type=image \ --pull \ --no-cache \ - "$@" \ + $@ \ . } @@ -25,7 +25,7 @@ push_image() { --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ --progress plain \ --push \ - "$@" \ + $@ \ . } From 561165c05512ebf6e0e3a37f80a18d4e26f1ebc0 Mon Sep 17 00:00:00 2001 
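Review bot: `curl --silent --show-error -o /dev/null http://127.0.0.1:8080/` exits 0 for any HTTP status, including a 502 while php-fpm is still starting, so the request only proves that nginx answered; `curl --silent --show-error --fail -o /dev/null http://127.0.0.1:8080/` makes a non-2xx status fail the smoke test. Cleanup is also only reached on success: when `test` or `curl` fails under `set -e`, or the `exit 1` branch fires, `docker stop smoketest` is skipped and the container keeps running in the job. Registering `trap 'docker stop smoketest >/dev/null 2>&1 || true' EXIT` right after the `docker run` line covers both paths. main() starts before this hunk.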
From: El RIDO Date: Thu, 14 Oct 2021 21:05:30 +0200 Subject: [PATCH 58/67] buildx build doesn't store image in local docker image cache, so we need to build it traditionally for the smoketest --- buildx.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/buildx.sh b/buildx.sh index 84877b4..715e0c8 100755 --- a/buildx.sh +++ b/buildx.sh @@ -10,10 +10,8 @@ EDGE=false [ "$3" = edge ] && EDGE=true build_image() { - docker buildx build \ - --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ - --progress plain \ - --output type=image \ + # shellcheck disable=SC2068 + docker build \ --pull \ --no-cache \ $@ \ @@ -21,9 +19,12 @@ build_image() { } push_image() { + # shellcheck disable=SC2068 docker buildx build \ --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ --progress plain \ + --pull \ + --no-cache \ --push \ $@ \ . From 64d5ae244b608f010765c752034ebfc3b8946026 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 21:13:11 +0200 Subject: [PATCH 59/67] still doesn't use the local image --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index 715e0c8..9aa0735 100755 --- a/buildx.sh +++ b/buildx.sh @@ -73,7 +73,7 @@ main() { BUILD_ARGS="-f Dockerfile.edge --tag $IMAGE:edge $BUILD_ARGS" IMAGE="$IMAGE:edge" else - BUILD_ARGS="--tag $IMAGE:latest --tag $IMAGE:$TAG --tag ${IMAGE}:${TAG%%-*} $BUILD_ARGS" + BUILD_ARGS="--tag $IMAGE:$TAG --tag ${IMAGE}:${TAG%%-*} --tag $IMAGE:latest $BUILD_ARGS" IMAGE="$IMAGE:latest" fi build_image "$BUILD_ARGS" From d9772d452cd27aa41cd4bb413902ecd2b73d3c37 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 21:15:56 +0200 Subject: [PATCH 60/67] still doesn't use the local image --- buildx.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/buildx.sh b/buildx.sh index 9aa0735..019d2c1 100755 --- a/buildx.sh +++ b/buildx.sh 
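Review bot: After this change the image that is smoke-tested and the image that is pushed are two independent builds: `build_image` runs `docker build --pull --no-cache` for the local amd64 test, and `push_image` then runs a fresh `docker buildx build --pull --no-cache --push`, so the package versions resolved by `apk upgrade`/`apk add` in the Dockerfile can differ between what was verified and what is published (the later commit that re-adds `--pull --no-cache` to push_image keeps this gap). If a single-build pipeline is not practical here, a comment should make the limitation visible, e.g. `# NOTE: the multi-arch push is a separate rebuild; the smoke test validates a distinct amd64 build of the same Dockerfile`. Logging the digest of the tested image would at least make the two artefacts distinguishable afterwards. Both functions are complete in this hunk pair; main() is outside them.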
@@ -13,7 +13,6 @@ build_image() { # shellcheck disable=SC2068 docker build \ --pull \ - --no-cache \ $@ \ . } @@ -73,7 +72,7 @@ main() { BUILD_ARGS="-f Dockerfile.edge --tag $IMAGE:edge $BUILD_ARGS" IMAGE="$IMAGE:edge" else - BUILD_ARGS="--tag $IMAGE:$TAG --tag ${IMAGE}:${TAG%%-*} --tag $IMAGE:latest $BUILD_ARGS" + BUILD_ARGS="--tag $IMAGE:latest --tag $IMAGE:$TAG --tag ${IMAGE}:${TAG%%-*} $BUILD_ARGS" IMAGE="$IMAGE:latest" fi build_image "$BUILD_ARGS" From eaa44f6aeed442fa86a87ea54e7b8bb55e9f7b12 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 21:26:14 +0200 Subject: [PATCH 61/67] still doesn't use the local image --- buildx.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/buildx.sh b/buildx.sh index 019d2c1..bc8fddf 100755 --- a/buildx.sh +++ b/buildx.sh @@ -13,8 +13,10 @@ build_image() { # shellcheck disable=SC2068 docker build \ --pull \ + --no-cache \ $@ \ . + docker images } push_image() { From a9c18233c8a37d63a16ede53d715369d30f55c97 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 21:30:50 +0200 Subject: [PATCH 62/67] still doesn't use the local image --- buildx.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/buildx.sh b/buildx.sh index bc8fddf..8520c50 100755 --- a/buildx.sh +++ b/buildx.sh @@ -12,20 +12,18 @@ EDGE=false build_image() { # shellcheck disable=SC2068 docker build \ + --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ --pull \ --no-cache \ + --load \ $@ \ . - docker images } push_image() { # shellcheck disable=SC2068 docker buildx build \ --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ - --progress plain \ - --pull \ - --no-cache \ --push \ $@ \ . From 541efff0cf2089b606bedfbf3665302285d45969 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 14 Oct 2021 21:32:23 +0200 Subject: [PATCH 63/67] still doesn't use the local image --- buildx.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/buildx.sh b/buildx.sh index 8520c50..42398a3 100755 --- a/buildx.sh +++ b/buildx.sh @@ -12,7 +12,6 @@ EDGE=false build_image() { # shellcheck disable=SC2068 docker build \ - --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ --pull \ --no-cache \ --load \ @@ -24,6 +23,8 @@ push_image() { # shellcheck disable=SC2068 docker buildx build \ --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \ + --pull \ + --no-cache \ --push \ $@ \ . From bd0b6ae841ec18eaabe0d5972c5183fb5449fc46 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 10 Nov 2021 07:14:26 +0100 Subject: [PATCH 64/67] replace init container with fsGroup security context in example k8s deployment --- README.md | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 9cd3dc1..1ad9661 100644 --- a/README.md +++ b/README.md @@ -85,17 +85,10 @@ spec: labels: app: privatebin spec: - initContainers: - - name: privatebin-volume-permissions - image: privatebin/chown:1.33.0-musl-1.2.2-r0 - args: ['65534:82', '/mnt'] - securityContext: - runAsUser: 0 - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /mnt - name: privatebin-data - readOnly: False + securityContext: + runAsUser: 65534 + runAsGroup: 82 + fsGroup: 82 containers: - name: privatebin image: privatebin/nginx-fpm-alpine:1.3.5 @@ -107,8 +100,6 @@ spec: - name: PHP_TZ value: Antarctica/South_Pole securityContext: - runAsUser: 65534 - runAsGroup: 82 readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false From d045e0da99210dfc23492bdc88bdf5a00da91872 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Nov 2021 05:18:41 +0000 Subject: [PATCH 65/67] Bump alpine from 3.14 to 3.15.0 Bumps alpine from 3.14 to 3.15.0. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2770a75..a39f36a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.14 +FROM alpine:3.15.0 ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql php8-openssl" ARG COMPOSER_PACKAGES=google/cloud-storage From 6e7cf3c019052128d9c9c1eec2dc43ce7490199f Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 13 Feb 2022 09:51:26 +0100 Subject: [PATCH 66/67] Revert "ssl_client will become obsolete when busybox gets migrated to openssl 3, for now we need to still add it explicitly for current alpine edge, while this is being worked on" This has since occurred and we no longer need this workaround for alpine edge. This reverts commit 85a24618b098112c9d58aa97fdd036cb5b52d450. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a39f36a..5df5d94 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,7 +27,7 @@ RUN \ # Install dependencies && apk upgrade --no-cache \ && apk add --no-cache gnupg git nginx php8-fpm php8-json php8-gd php8-opcache \ - s6 ssl_client tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ + s6 tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \ && rm -rf /etc/nginx/sites-* \ 
@@ -78,7 +78,7 @@ RUN \ # Clean up && gpgconf --kill gpg-agent \ && rm -rf /tmp/* \ - && apk del --no-cache gnupg git ssl_client ${ALPINE_COMPOSER_PACKAGES} + && apk del --no-cache gnupg git ${ALPINE_COMPOSER_PACKAGES} COPY etc/ /etc/ From 4eb4fc201ed79694e47803e8545d345dc5872340 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 13 Feb 2022 09:53:42 +0100 Subject: [PATCH 67/67] make smoke test more robust php-fpm logs ERROR in uppercase, which wasn't detected by the previous grep --- buildx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildx.sh b/buildx.sh index 42398a3..b5bcb1a 100755 --- a/buildx.sh +++ b/buildx.sh @@ -82,7 +82,7 @@ main() { sleep 5 # give the services time to start up and the log to collect any errors that might occur test "$(docker inspect --format="{{.State.Running}}" smoketest)" = true curl --silent --show-error -o /dev/null http://127.0.0.1:8080/ - if docker logs smoketest 2>&1 | grep -E "warn|emerg|fatal|panic" + if docker logs smoketest 2>&1 | grep -i -E "warn|emerg|fatal|panic|error" then exit 1 fi
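Review bot: `grep -i -E "warn|emerg|fatal|panic|error"` matches the substring `error` anywhere in a line, case-insensitively, so an informational line that merely mentions a path such as `error.log` or a setting such as `error_log` would fail the smoke test too; the same widening applies to `warn` inside other words. If the two services log in their usual formats (nginx `[warn]`/`[error]` in brackets, php-fpm `WARNING:`/`ERROR:` followed by a colon), anchoring on the level token is more precise, e.g. `grep -E "\[(warn|error|crit|alert|emerg)\]|(WARNING|ERROR|ALERT):|fatal|panic"`. A comment naming the two log formats being matched would keep the pattern maintainable. main() starts before this hunk.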