Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fpm-alpine image and Docker secrets support #9313

Closed
Mateus-Romera opened this issue Mar 17, 2021 · 1 comment
Closed

fpm-alpine image and Docker secrets support #9313

Mateus-Romera opened this issue Mar 17, 2021 · 1 comment

Comments

@Mateus-Romera
Copy link
Contributor

Hello everyone,
Snipe-IT is great software, thank you all for your hard work!

I tried to create a production-ready php-fpm-alpine image following the best practices of wordpress and php-fpm official docker images. (does not make it perfect. Feel free to point anything wrong!)

Could this be useful for a PR?

I added easy-to-use support for development, but it’s worth saying that I haven’t tested this image extensively for this purpose. I also added support for docker secrets for some variables APP_KEY, DB_HOST, DB_PORT, DB_DATABASE, DB_USERNAME, DB_PASSWORD, MAIL_HOST, MAIL_PORT, MAIL_USERNAME and MAIL_PASSWORD, as I am going to deploy snipe-it in a docker swarm environment and the image is already using the scripts.
Also, there are some custom ARGs that can facilitate general use and image maintenance.

I read the contribution guidelines and realized that I need an open issue to be referenced in commits message.
Please bear with me because I have never contributed to any open source project yet.

What do you think? Should I proceed with this?

Below is the v5.1.3-fpm-alpine image:

ARG ENVIRONMENT=production
ARG SNIPEIT_RELEASE=5.1.3
ARG PHP_VERSION=7.4.16
ARG PHP_ALPINE_VERSION=3.13
ARG COMPOSER_VERSION=2.0.11

# Cannot use arguments with 'COPY --from' workaround
# https://github.com/moby/moby/issues/34482#issuecomment-454716952
FROM composer:${COMPOSER_VERSION} as composer

# Final stage
FROM php:${PHP_VERSION}-fpm-alpine${PHP_ALPINE_VERSION} AS source
LABEL maintainer="Mateus Villar <[email protected]>"

ARG PACKAGES="\
		mysql-client \
"
ARG DEV_PACKAGES="\
		git \
"
ARG ENVIRONMENT
ENV ENVIRONMENT ${ENVIRONMENT}
ARG SNIPEIT_RELEASE
ENV SNIPEIT_RELEASE ${SNIPEIT_RELEASE}

# Cribbed from wordpress-fpm-alpine image
# set recommended PHP.ini settings
# see https://secure.php.net/manual/en/opcache.installation.php
RUN set -eux; \
	docker-php-ext-enable opcache; \
	{ \
		echo 'opcache.memory_consumption=128'; \
		echo 'opcache.interned_strings_buffer=8'; \
		echo 'opcache.max_accelerated_files=4000'; \
		echo 'opcache.revalidate_freq=2'; \
		echo 'opcache.fast_shutdown=1'; \
	} > /usr/local/etc/php/conf.d/opcache-recommended.ini
# https://wordpress.org/support/article/editing-wp-config-php/#configure-error-logging
RUN { \
# https://www.php.net/manual/en/errorfunc.constants.php
# https://github.com/docker-library/wordpress/issues/420#issuecomment-517839670
		echo 'error_reporting = E_ERROR | E_WARNING | E_PARSE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_RECOVERABLE_ERROR'; \
		echo 'display_errors = Off'; \
		echo 'display_startup_errors = Off'; \
		echo 'log_errors = On'; \
		echo 'error_log = /dev/stderr'; \
		echo 'log_errors_max_len = 1024'; \
		echo 'ignore_repeated_errors = On'; \
		echo 'ignore_repeated_source = Off'; \
		echo 'html_errors = Off'; \
	} > /usr/local/etc/php/conf.d/error-logging.ini

# Install php extensions inside docker containers easily
# https://github.com/mlocati/docker-php-extension-installer
COPY --from=mlocati/php-extension-installer:1.2.19 /usr/bin/install-php-extensions /usr/local/bin/
RUN set -eux; \
    install-php-extensions \
        bcmath \
        gd \
        ldap \
        mysqli \
        pdo_mysql \
        zip; \
    rm -f /usr/local/bin/install-php-extensions; \
# Install prerequisites packages
    apk add --no-cache \
        ${PACKAGES};

COPY --from=composer /usr/bin/composer /usr/local/bin
ARG COMPOSER_ALLOW_SUPERUSER=1
RUN set -eux; \
# Download and extract snipeit tarball
	curl -o snipeit.tar.gz -fL "https://github.com/snipe/snipe-it/archive/v$SNIPEIT_RELEASE.tar.gz"; \
	tar -xzf snipeit.tar.gz --strip-components=1 -C /var/www/html/; \
	rm snipeit.tar.gz; \
# Install composer php dependencies
    if [ "$ENVIRONMENT" = "production" ]; then \
        echo "production enviroment detected!"; \
        composer update \
            --no-cache \
            --no-dev \
            --optimize-autoloader \
            --working-dir=/var/www/html; \
    else \
        echo "development enviroment detected!"; \
        apk add --no-cache \
            ${DEV_PACKAGES}; \
        composer update \
            --no-cache \
			--prefer-source \
            --optimize-autoloader \
            --working-dir=/var/www/html; \
    fi; \
	rm -f /usr/local/bin/composer; \
	chown -R www-data:www-data /var/www/html; \
# Directory configuration
	rm -rf \
		"/var/www/html/storage/private_uploads" \
		"/var/www/html/public/uploads" \
		"/var/www/html/storage/app/backups"; \
	mkdir -p \
		"/var/lib/snipeit/data/private_uploads" \
		"/var/lib/snipeit/data/uploads" \
		"/var/lib/snipeit/dumps" \
		"/var/lib/snipeit/keys"; \
	# maybe rm -rf above is not needed when using ln -fs
	ln -fs \
		"/var/lib/snipeit/data/private_uploads" "/var/www/html/storage/private_uploads" \
	&& ln -fs \	
		"/var/lib/snipeit/data/uploads" "/var/www/html/public/uploads" \
	&& ln -fs \	
		"/var/lib/snipeit/dumps" "/var/www/html/storage/app/backups" \
	&& ln -fs \	
		"/var/lib/snipeit/keys/oauth-private.key" "/var/www/html/storage/oauth-private.key"; \
    chown -R www-data:www-data "/var/lib/snipeit"

# Docker config files
COPY --chown=www-data:www-data docker/env-docker.php /var/www/html/config/
COPY --chown=www-data:www-data docker/app-docker.php /var/www/html/config/app.php
COPY --chown=www-data:www-data docker/database-docker.php /var/www/html/config/database.php
COPY --chown=www-data:www-data docker/mail-docker.php /var/www/html/config/mail.php
COPY --chown=www-data:www-data docker/docker.env /var/www/html/.env

VOLUME [ "/var/lib/snipeit" ]

COPY --chmod=655 docker/docker-entrypoint.sh /usr/local/bin/docker-snipeit-entrypoint
ENTRYPOINT [ "/usr/local/bin/docker-snipeit-entrypoint" ]
CMD [ "/usr/local/bin/docker-php-entrypoint", "php-fpm" ]

Below is a docker-compose.yml file using docker secrets. Bear in mind that I used the fpm-alpine image above as base to build my nginx + snipeit-fpm-alpine image:

version: "3.9"

secrets:
  snipeit-app-key:
    file: ./docker/snipeit-fpm_nginx/secrets/fake-snipeit-app-key
  mysql-root-pw:
    file: ./docker/mariadb/secrets/fake-mysql-root-pw
  mysql-db-name:
    file: ./docker/mariadb/secrets/fake-mysql-db-name
  mysql-db-user-name:
    file: ./docker/mariadb/secrets/fake-mysql-db-user-name
  mysql-db-user-pw:
    file: ./docker/mariadb/secrets/fake-mysql-db-user-pw

services:
  snipeit:
    build:
      context: .
      dockerfile: ./docker/snipeit-fpm_nginx/snipeit-fpm_nginx.dockerfile
    image: snipeit-fpm_nginx
    secrets:
      - snipeit-app-key
      - mysql-root-pw
      - mysql-db-name
      - mysql-db-user-name
      - mysql-db-user-pw
    env_file: .env
    environment:
      # SnipeIT settings
      APP_URL: localhost:${DEV_SNIPEIT_PORT}
      APP_KEY_FILE: /run/secrets/snipeit-app-key
      # Database settings
      DB_HOST: mariadb
      DB_PORT: 3306
      DB_DATABASE_FILE: /run/secrets/mysql-db-name
      DB_USERNAME_FILE: /run/secrets/mysql-db-user-name
      DB_PASSWORD_FILE: /run/secrets/mysql-db-user-pw
      # Mail settings
      # MAIL_HOST: 
      # MAIL_PORT: 587
      # MAIL_USERNAME: 
      # MAIL_PASSWORD: 
      # Session settings
      SECURE_COOKIES: "false"
      # Nginx settings
      NGINX_HOST: localhost
      NGINX_PORT: 8080
      NGINX_UPSTREAM_CONNECTION_TYPE: 'sock'
      NGINX_UPSTREAM: unix:/var/run/php-fpm.sock
      NGINX_UPSTREAM_PORT: ''
    ports:
      - "${DEV_SNIPEIT_PORT}:8080"
    volumes:
      # h5bp configs overwrite
      - "./docker/snipeit-fpm_nginx/nginx/h5bp-overwrite/nginx.conf:/etc/nginx/nginx.conf:ro"
      # Nginx default no-ssl config template
      - "./docker/snipeit-fpm_nginx/nginx/templates/no-ssl.conf.template:/etc/nginx/templates/default.conf.template:ro"
    security_opt:
      - no-new-privileges
    depends_on:
      - mariadb
    container_name: snipeit_snipeit-fpm_nginx
    restart: unless-stopped

  mariadb:
    build:
      context: .
      dockerfile: ./docker/mariadb/mariadb.dockerfile
    image: snipeit_mariadb
    secrets:
      - mysql-root-pw
      - mysql-db-name
      - mysql-db-user-name
      - mysql-db-user-pw
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql-root-pw
      MYSQL_DATABASE_FILE: /run/secrets/mysql-db-name
      MYSQL_USER_FILE: /run/secrets/mysql-db-user-name
      MYSQL_PASSWORD_FILE: /run/secrets/mysql-db-user-pw
    security_opt:
      - no-new-privileges
    container_name: snipeit_mariadb
    restart: unless-stopped
@welcome
Copy link

welcome bot commented Mar 17, 2021

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

snipe pushed a commit that referenced this issue Apr 21, 2021
…rt (#9331)

* Add docker secret support

* Add docker secret support to selected environment variables below:

- APP_KEY_FILE        -> APP_KEY;

- DB_HOST_FILE        -> DB_HOST;
- DB_PORT_FILE        -> DB_PORT;
- DB_DATABASE_FILE    -> DB_DATABASE;
- DB_USERNAME_FILE    -> DB_USERNAME;
- DB_PASSWORD_FILE    -> DB_PASSWORD;

- REDIS_HOST_FILE     -> REDIS_HOST;
- REDIS_PASSWORD_FILE -> REDIS_PASSWORD;
- REDIS_PORT_FILE     -> REDIS_PORT;

- MAIL_HOST_FILE      -> MAIL_HOST;
- MAIL_PORT_FILE      -> MAIL_PORT;
- MAIL_USERNAME_FILE  -> MAIL_USERNAME;
- MAIL_PASSWORD_FILE  -> MAIL_PASSWORD;

* Add env file for docker secrets

* Added #9313: add new fpm-image using docker secrets

* Fix broken symlinks

* Add docker secrets support using shell script

* Remove old docker config php files
This was referenced Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant