Update Dockerfile

upgrade to PHP 8.4 packages

.github/workflows/owasp.yml

@@ -35,7 +35,7 @@ jobs:
 
       # Run OWASP scan
       - name: OWASP ZAP Full Scan
-        uses: zaproxy/action-full-scan@v0.10.0
+        uses: zaproxy/action-full-scan@v0.12.0
         with:
           # GitHub Token to create issues in the repository
           #token: # optional, default is ${{ github.token }}

Dockerfile

@@ -1,9 +1,9 @@
-FROM alpine:3.19.1
+FROM alpine:3.21
 
-ARG ALPINE_PACKAGES="php83-iconv php83-pdo_mysql php83-pdo_pgsql php83-openssl php83-simplexml"
+ARG ALPINE_PACKAGES="php84-iconv php84-pdo_mysql php84-pdo_pgsql php84-openssl php84-simplexml"
 ARG COMPOSER_PACKAGES="aws/aws-sdk-php google/cloud-storage"
 ARG PBURL=https://github.com/PrivateBin/PrivateBin/
-ARG RELEASE=1.7.3
+ARG RELEASE=1.7.6
 ARG UID=65534
 ARG GID=82
 
@@ -24,6 +24,7 @@ RUN \
     ALPINE_PACKAGES="$(echo ${ALPINE_PACKAGES} | sed 's/,/ /g')" ;\
     ALPINE_COMPOSER_PACKAGES="" ;\
     if [ -n "${COMPOSER_PACKAGES}" ] ; then \
+        # we need these PHP 8.3 packages until composer gets updated to depend on PHP 8.4
         ALPINE_COMPOSER_PACKAGES="composer" ;\
         if [ -n "${ALPINE_PACKAGES##*php83-curl*}" ] ; then \
             ALPINE_COMPOSER_PACKAGES="php83-curl ${ALPINE_COMPOSER_PACKAGES}" ;\
@@ -31,18 +32,18 @@ RUN \
         if [ -n "${ALPINE_PACKAGES##*php83-mbstring*}" ] ; then \
             ALPINE_COMPOSER_PACKAGES="php83-mbstring ${ALPINE_COMPOSER_PACKAGES}" ;\
         fi ;\
-        if [ -z "${ALPINE_PACKAGES##*php83-simplexml*}" ] ; then \
-            ALPINE_COMPOSER_PACKAGES="php82-simplexml ${ALPINE_COMPOSER_PACKAGES}" ;\
+        if [ -z "${ALPINE_PACKAGES##*php84-simplexml*}" ] ; then \
+            ALPINE_COMPOSER_PACKAGES="php83-simplexml ${ALPINE_COMPOSER_PACKAGES}" ;\
         fi ;\
     fi \
 # Install dependencies
     && apk upgrade --no-cache \
-    && apk add --no-cache gnupg git nginx php83 php83-ctype php83-fpm php83-gd \
-        php83-opcache s6 tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \
+    && apk add --no-cache gnupg git nginx php84 php84-ctype php84-fpm php84-gd \
+        php84-opcache s6 tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \
 # Stabilize php config location
-    && mv /etc/php83 /etc/php \
-    && ln -s /etc/php /etc/php83 \
-    && ln -s $(which php83) /usr/local/bin/php \
+    && mv /etc/php84 /etc/php \
+    && ln -s /etc/php /etc/php84 \
+    && ln -s $(which php84) /usr/local/bin/php \
 # Remove (some of the) default nginx & php config
     && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php/php-fpm.d/www.conf \
     && rm -rf /etc/nginx/sites-* \
@@ -78,10 +79,10 @@ RUN \
     && mkdir -p /srv/data \
     && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \
 # Support running s6 under a non-root user
-    && mkdir -p /etc/s6/services/nginx/supervise /etc/s6/services/php-fpm83/supervise \
+    && mkdir -p /etc/s6/services/nginx/supervise /etc/s6/services/php-fpm84/supervise \
     && mkfifo \
         /etc/s6/services/nginx/supervise/control \
-        /etc/s6/services/php-fpm83/supervise/control \
+        /etc/s6/services/php-fpm84/supervise/control \
     && chown -R ${UID}:${GID} /etc/s6 /run /srv/* /var/lib/nginx /var/www \
     && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \
 # Clean up
@@ -96,7 +97,7 @@ WORKDIR /var/www
 USER ${UID}:${GID}
 
 # mark dirs as volumes that need to be writable, allows running the container --read-only
-VOLUME /run /srv/data /tmp /var/lib/nginx/tmp
+VOLUME /run /srv/data /srv/img /tmp /var/lib/nginx/tmp
 
 EXPOSE 8080
 

README.md

@@ -58,11 +58,46 @@ $ docker run -d --restart="always" --read-only -p 8080:8080 -v $PWD/conf.php:/sr
 
 Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL and PostgreSQL, required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter when using a release before 1.4.0.
 
-### Adjusting nginx or php-fpm settings
+#### Environment variables
 
-You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php/conf.d/` and `/etc/nginx/http.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB.
+The following variables do get passed down to the PHP application to support various scenarios. This allows changing some settings via the environment instead of a configuration file. Most of these relate to the storage backends:
 
-### Timezone settings
+##### Amazon Web Services variables used by the S3 backend
+
+- `AWS_ACCESS_KEY_ID`
+- `AWS_CONTAINER_AUTHORIZATION_TOKEN`
+- `AWS_CONTAINER_CREDENTIALS_FULL_URI`
+- `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`
+- `AWS_DEFAULT_REGION`
+- `AWS_PROFILE`
+- `AWS_ROLE_ARN`
+- `AWS_ROLE_SESSION_NAME`
+- `AWS_SECRET_ACCESS_KEY`
+- `AWS_SESSION_TOKEN`
+- `AWS_STS_REGIONAL_ENDPOINTS`
+- `AWS_WEB_IDENTITY_TOKEN_FILE`
+- `AWS_SHARED_CREDENTIALS_FILE`
+
+##### Google Cloud variables used by the GCS backend
+- `GCLOUD_PROJECT`
+- `GOOGLE_APPLICATION_CREDENTIALS`
+- `GOOGLE_CLOUD_PROJECT`
+- `PRIVATEBIN_GCS_BUCKET`
+
+##### Custom backend settings
+
+The following variables are not used by default, but can be [enabled in your custom configuration file](https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/196#issuecomment-2163331528), to keep sensitive information out of it:
+
+- `STORAGE_HOST`
+- `STORAGE_LOGIN`
+- `STORAGE_PASSWORD`
+- `STORAGE_CONTAINER`
+
+##### Configuration folder
+
+- `CONFIG_PATH`
+
+##### Timezone settings
 
 The image supports the use of the following two environment variables to adjust the timezone. This is most useful to ensure the logs show the correct local time.
 
@@ -71,6 +106,10 @@ The image supports the use of the following two environment variables to adjust
 
 Note: The application internally handles expiration of pastes based on a UNIX timestamp that is calculated based on the timezone set during its creation. Changing the PHP_TZ will affect this and leads to earlier (if the timezone is increased) or later (if it is decreased) expiration then expected.
 
+### Adjusting nginx or php-fpm settings
+
+You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php/conf.d/` and `/etc/nginx/http.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB.
+
 ### Kubernetes deployment
 
 Below is an example deployment for Kubernetes.
@@ -164,7 +203,7 @@ Options:
   -p, --purge       purge all expired pastes
   -s, --statistics  reads all stored pastes and comments and reports statistics
 
-docker exec -t privatebin migrate --help
+$ docker exec -t privatebin migrate --help
 migrate - Copy data between PrivateBin backends
 
 Usage:
@@ -182,9 +221,9 @@ Options:
   -h, --help       displays this help message
   -n               dry run, do not copy data
   -v               be verbose
-  <srcconfdir>     use storage backend configration from conf.php found in
+  <srcconfdir>     use storage backend configuration from conf.php found in
                    this directory as source
-  <dstconfdir>     optionally, use storage backend configration from conf.php
+  <dstconfdir>     optionally, use storage backend configuration from conf.php
                    found in this directory as destination; defaults to:
                    /srv/bin/../cfg/conf.php
 ```

buildx.sh

@@ -52,13 +52,13 @@ main() {
             BUILD_ARGS="--build-arg ALPINE_PACKAGES= --build-arg COMPOSER_PACKAGES="
             ;;
         gcs)
-            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php83-openssl --build-arg COMPOSER_PACKAGES=google/cloud-storage"
+            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php84-openssl --build-arg COMPOSER_PACKAGES=google/cloud-storage"
             ;;
         pdo)
-            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php83-pdo_mysql,php83-pdo_pgsql --build-arg COMPOSER_PACKAGES="
+            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php84-pdo_mysql,php84-pdo_pgsql --build-arg COMPOSER_PACKAGES="
             ;;
         s3)
-            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php83-curl,php83-mbstring,php83-openssl,php83-simplexml --build-arg COMPOSER_PACKAGES=aws/aws-sdk-php"
+            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php84-curl,php84-mbstring,php84-openssl,php84-simplexml --build-arg COMPOSER_PACKAGES=aws/aws-sdk-php"
             ;;
         *)
             BUILD_ARGS=""

etc/init.d/rc.local

@@ -1,3 +1,3 @@
 #!/bin/execlineb -P
 foreground { cp -r /etc/s6/services /run }
-/bin/s6-svscan /run/services
+s6-svscan /run/services

etc/php/php-fpm.d/zz-docker.conf

@@ -35,3 +35,9 @@ env[GCLOUD_PROJECT] = $GCLOUD_PROJECT
 env[GOOGLE_APPLICATION_CREDENTIALS] = $GOOGLE_APPLICATION_CREDENTIALS
 env[GOOGLE_CLOUD_PROJECT] = $GOOGLE_CLOUD_PROJECT
 env[PRIVATEBIN_GCS_BUCKET] = $PRIVATEBIN_GCS_BUCKET
+
+; allow using custom backend settings
+env[STORAGE_HOST] = $STORAGE_HOST
+env[STORAGE_LOGIN] = $STORAGE_LOGIN
+env[STORAGE_PASSWORD] = $STORAGE_PASSWORD
+env[STORAGE_CONTAINER] = $STORAGE_CONTAINER

etc/s6/services/php-fpm84/run

@@ -1,2 +1,2 @@
 #!/bin/execlineb -P
-/usr/sbin/php-fpm83
+/usr/sbin/php-fpm84