diff --git a/.github/actions/docker/action.yml b/.github/actions/docker/action.yml
index 5700975..a8ad809 100644
--- a/.github/actions/docker/action.yml
+++ b/.github/actions/docker/action.yml
@@ -32,6 +32,9 @@ runs:
 vcs_ref=$(git rev-parse --short HEAD)
 image_name=$(cd $(dirname ${{ inputs.dockerfile }}) && echo "${PWD##*/}")
 tags=bdossantos/${image_name}:latest,bdossantos/${image_name}:${version},bdossantos/${image_name}:${version}-${vcs_ref},bdossantos/${image_name}:${version%.*}
+ if [[ -f "$(dirname ${{ inputs.dockerfile }})/.rootless" ]]; then
+ tags=${tags},bdossantos/${image_name}:latest-rootless,bdossantos/${image_name}:${version}-rootless,bdossantos/${image_name}:${version%.*}-rootless
+ fi
 cache_image=bdossantos/${image_name}:buildcache
 echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
 echo "cache_image=${cache_image}" >> $GITHUB_OUTPUT
diff --git a/dockerfiles/php-lol/.rootless b/dockerfiles/php-lol/.rootless
new file mode 100644
index 0000000..e69de29
diff --git a/dockerfiles/php-lol/Dockerfile.8.1 b/dockerfiles/php-lol/Dockerfile.8.1
index 8edd347..9a95a7b 100644
--- a/dockerfiles/php-lol/Dockerfile.8.1
+++ b/dockerfiles/php-lol/Dockerfile.8.1
@@ -65,7 +65,7 @@ RUN set -eux \
 && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \
 && chmod +x /usr/local/bin/pickle \
 && mkdir -p /var/lib/php/session \
- && chown -R www-data.www-data /var/lib/php/session \
+ && chown -R 65534:65534 /var/lib/php/session \
 && pickle install amqp@2.2.0 \
 && pickle install --no-interaction apcu@5.1.28 \
 && pickle install igbinary@3.2.16 \
@@ -181,7 +181,7 @@ RUN set -eux \
 && make \
 && make install \
 && mkdir -p /var/cache/nginx \
- && chown -R www-data.www-data /var/cache/nginx \
+ && chown -R 65534:65534 /var/cache/nginx \
 && chsh -s /usr/sbin/nologin www-data \
 && apt-get purge -y $BUILD_DEPENDENCIES \
 && docker-php-source delete \
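Review bot: The rootless tag list on the added `tags=${tags},...` line drops the `${version}-${vcs_ref}` variant that the base list two lines above carries, so a consumer of the `-rootless` tags cannot pin to a commit the way a consumer of the plain tags can; append `bdossantos/${image_name}:${version}-${vcs_ref}-rootless` unless the asymmetry is intended. Both tag sets are pushed for the same build, so `latest-rootless` is an alias of `latest` rather than a separately built image, and a comment above the `if` saying so (`# .rootless marker: the same image is additionally published under -rootless tags`) would save the next reader a trip through the workflow. The new test also expands `${{ inputs.dockerfile }}` unquoted inside the shell, as the existing `cd $(dirname ...)` line already does; a path containing spaces or shell metacharacters breaks both, and the usual fix is to quote the expansion, `if [[ -f "$(dirname "${{ inputs.dockerfile }}")/.rootless" ]]; then`, or to hand the input to the script through an `env:` entry instead of template expansion. The `run:` step this belongs to starts above the hunk.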
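Review bot: The two `chown -R 65534:65534` lines only reassign `/var/lib/php/session` and `/var/cache/nginx`, but once the image starts as UID 65534 every other path nginx and php-fpm write at runtime has to be writable as well — for a source-built nginx that is wherever the configure flags (outside the hunk) put the client-body/fastcgi temp paths and the log files — and a miss there surfaces as a permission error on the first request rather than at build time. Please check those paths against the configure step and record the intent next to the chown, `# runtime-writable for the unprivileged USER 65534 (nobody) set at the end of this Dockerfile`. UID 65534 is also the catch-all `nobody` account that NFS root-squash and other services map onto, so if the container may share volumes with the host a dedicated system user created in this RUN step avoids that ownership overlap. The `chsh -s /usr/sbin/nologin www-data` line in the second hunk is now a leftover, since nothing runs as www-data any more. The same two hunks appear in Dockerfile.8.2, Dockerfile.8.3 and Dockerfile.8.4 (at -65 and -181/-179) and this note applies to all of them; each RUN block extends beyond its hunk.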
@@ -247,7 +247,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \
 WORKDIR /usr/src/app
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp
+
+USER 65534:65534
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
diff --git a/dockerfiles/php-lol/Dockerfile.8.2 b/dockerfiles/php-lol/Dockerfile.8.2
index 96a7aff..51cad9a 100644
--- a/dockerfiles/php-lol/Dockerfile.8.2
+++ b/dockerfiles/php-lol/Dockerfile.8.2
@@ -65,7 +65,7 @@ RUN set -eux \
 && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \
 && chmod +x /usr/local/bin/pickle \
 && mkdir -p /var/lib/php/session \
- && chown -R www-data.www-data /var/lib/php/session \
+ && chown -R 65534:65534 /var/lib/php/session \
 && pickle install amqp@2.2.0 \
 && pickle install --no-interaction apcu@5.1.28 \
 && pickle install igbinary@3.2.16 \
@@ -181,7 +181,7 @@ RUN set -eux \
 && make \
 && make install \
 && mkdir -p /var/cache/nginx \
- && chown -R www-data.www-data /var/cache/nginx \
+ && chown -R 65534:65534 /var/cache/nginx \
 && chsh -s /usr/sbin/nologin www-data \
 && apt-get purge -y $BUILD_DEPENDENCIES \
 && docker-php-source delete \
@@ -247,7 +247,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \
 WORKDIR /usr/src/app
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp
+
+USER 65534:65534
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
diff --git a/dockerfiles/php-lol/Dockerfile.8.3 b/dockerfiles/php-lol/Dockerfile.8.3
index 56b5e07..ebbdf5c 100644
--- a/dockerfiles/php-lol/Dockerfile.8.3
+++ b/dockerfiles/php-lol/Dockerfile.8.3
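Review bot: `USER 65534:65534` is added after `WORKDIR /usr/src/app`, and no hunk in this diff changes the ownership of `/usr/src/app`, so the application tree stays root-owned and read-only for the runtime user; that is the right default for an immutable image, but it, and the fact that `/entrypoint.sh` (outside the hunk) now runs unprivileged, deserve a comment above the USER line such as `# Drop privileges: supervisord, nginx and php-fpm all run as nobody (65534); /usr/src/app stays root-owned and read-only to them.` Anything the entrypoint used to do as root (chown, writes under /etc, binding ports below 1024) now fails, which is presumably why the listener moved to 8080; a one-line comment on `EXPOSE 8080/tcp` (`# unprivileged process: no ports below 1024; 443 is gone, terminate TLS upstream if it was ever done here`) records that `443/tcp` is no longer exposed at all. Numeric uid:gid rather than names is the better choice here, since admission checks of the runAsNonRoot kind can verify the image without resolving /etc/passwd. The identical hunk is in Dockerfile.8.2, Dockerfile.8.3 (-247) and Dockerfile.8.4 (-245).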
@@ -65,7 +65,7 @@ RUN set -eux \
 && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \
 && chmod +x /usr/local/bin/pickle \
 && mkdir -p /var/lib/php/session \
- && chown -R www-data.www-data /var/lib/php/session \
+ && chown -R 65534:65534 /var/lib/php/session \
 && pickle install amqp@2.2.0 \
 && pickle install --no-interaction apcu@5.1.28 \
 && pickle install igbinary@3.2.16 \
@@ -181,7 +181,7 @@ RUN set -eux \
 && make \
 && make install \
 && mkdir -p /var/cache/nginx \
- && chown -R www-data.www-data /var/cache/nginx \
+ && chown -R 65534:65534 /var/cache/nginx \
 && chsh -s /usr/sbin/nologin www-data \
 && apt-get purge -y $BUILD_DEPENDENCIES \
 && docker-php-source delete \
@@ -247,7 +247,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \
 WORKDIR /usr/src/app
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp
+
+USER 65534:65534
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
diff --git a/dockerfiles/php-lol/Dockerfile.8.4 b/dockerfiles/php-lol/Dockerfile.8.4
index b951728..b69df6d 100644
--- a/dockerfiles/php-lol/Dockerfile.8.4
+++ b/dockerfiles/php-lol/Dockerfile.8.4
@@ -65,7 +65,7 @@ RUN set -eux \
 && curl -L -o /usr/local/bin/pickle https://github.com/FriendsOfPHP/pickle/releases/latest/download/pickle.phar \
 && chmod +x /usr/local/bin/pickle \
 && mkdir -p /var/lib/php/session \
- && chown -R www-data.www-data /var/lib/php/session \
+ && chown -R 65534:65534 /var/lib/php/session \
 && pickle install amqp@2.2.0 \
 && pickle install --no-interaction apcu@5.1.28 \
 && pickle install igbinary@3.2.16 \
@@ -179,7 +179,7 @@ RUN set -eux \
 && make \
 && make install \
 && mkdir -p /var/cache/nginx \
- && chown -R www-data.www-data /var/cache/nginx \
+ && chown -R 65534:65534 /var/cache/nginx \
 && chsh -s /usr/sbin/nologin www-data \
 && apt-get purge -y $BUILD_DEPENDENCIES \
 && docker-php-source delete \
@@ -245,7 +245,9 @@ LABEL org.label-schema.build-date="$BUILD_DATE" \
 WORKDIR /usr/src/app
-EXPOSE 80/tcp 443/tcp
+EXPOSE 8080/tcp
+
+USER 65534:65534
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
diff --git a/dockerfiles/php-lol/app.conf b/dockerfiles/php-lol/app.conf
index 0e136dd..8de8267 100644
--- a/dockerfiles/php-lol/app.conf
+++ b/dockerfiles/php-lol/app.conf
@@ -3,7 +3,6 @@ command = /usr/local/sbin/php-fpm -F -y /usr/local/etc/php-fpm.conf
 stdout_logfile = /dev/stdout
 stdout_logfile_maxbytes = 0
 redirect_stderr = true
-user = root
 autostart = true
 autorestart = true
 priority = 5
@@ -13,7 +12,6 @@ command = /usr/sbin/nginx -g "daemon off;"
 stdout_logfile = /dev/stdout
 stdout_logfile_maxbytes = 0
 redirect_stderr = true
-user = root
 autostart = true
 autorestart = true
 priority = 10
diff --git a/dockerfiles/php-lol/nginx.conf b/dockerfiles/php-lol/nginx.conf
index ba196c4..2c66bd2 100644
--- a/dockerfiles/php-lol/nginx.conf
+++ b/dockerfiles/php-lol/nginx.conf
@@ -1,4 +1,4 @@
-user www-data www-data;
+# Run as non-root (no user directive needed)
 pid /dev/shm/nginx.pid;
@@ -76,8 +76,8 @@ http {
 open_file_cache_errors on;
 server {
- listen [::]:80 default_server;
- listen 80 default_server;
+ listen [::]:8080 default_server;
+ listen 8080 default_server;
 # PHP fpm status
 location ~ ^/(php-fpm-status|php-fpm-ping)$ {
diff --git a/dockerfiles/php-lol/supervisord.conf b/dockerfiles/php-lol/supervisord.conf
index c72ea90..cb08ece 100644
--- a/dockerfiles/php-lol/supervisord.conf
+++ b/dockerfiles/php-lol/supervisord.conf
@@ -9,7 +9,6 @@ logfile_maxbytes = 0
 loglevel = error
 nodaemon = true
 pidfile = /dev/shm/supervisord.pid
-user = root
 [supervisorctl]
 serverurl=unix:///dev/shm/supervisord.sock
diff --git a/dockerfiles/php-lol/zzz-php-fpm-tuning.conf b/dockerfiles/php-lol/zzz-php-fpm-tuning.conf
index a79eb83..a926111 100644
--- a/dockerfiles/php-lol/zzz-php-fpm-tuning.conf
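Review bot: The comment that replaces `user www-data www-data;`, `# Run as non-root (no user directive needed)`, describes an effect this file does not produce: nginx only switches uid through `user` when its master process starts as root, and the uid here is fixed by the image's `USER 65534:65534`, so the directive was removed because it could only trigger a startup warning. A wording such as `# No 'user' directive: the master is started unprivileged (USER in the Dockerfile); nginx cannot switch uid and would only warn if asked to.` says why rather than what. On the second hunk, the move from `listen 80` to `listen 8080` is what makes the unprivileged master possible, and one comment above the listen lines, `# unprivileged process: ports below 1024 are not bindable`, ties the port choice to the uid change. The `pid /dev/shm/nginx.pid` context line is fine for a non-root master; the log paths, which are outside both hunks, must also be writable by uid 65534 or nginx may refuse to start.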
+++ b/dockerfiles/php-lol/zzz-php-fpm-tuning.conf
@@ -4,6 +4,8 @@ log_level = warning
 pid = /dev/shm/php-fpm.pid
 [www]
+user = nobody
+group = nogroup
 access.log = /dev/null
 catch_workers_output = yes
 clear_env = no
diff --git a/tests/php-lol.yaml b/tests/php-lol.yaml
index b4062cc..e00657e 100644
--- a/tests/php-lol.yaml
+++ b/tests/php-lol.yaml
@@ -112,7 +112,7 @@ commandTests:
 command: 'sha256sum'
 args: ['/usr/local/etc/php-fpm.d/zzz-php-fpm-tuning.conf']
 expectedOutput:
- - 'e3772ca736903a1a4c27a715adae6c2ef35059119b527cefb30bac50af94ffef'
+ - '0d66730a9658f8c8553e73878b214a5c96084248a406660f593299f8dc8940ab'
 - name: 'php hardening config checksum'
 command: 'sha256sum'
@@ -124,7 +124,7 @@ commandTests:
 command: 'sha256sum'
 args: ['/etc/nginx/nginx.conf']
 expectedOutput:
- - '0c21ca2a7522fee98b6d5a0f28e0f6b1840d3df4d23b0b182b5c45c9d8b5ff8f'
+ - 'bc8b1c9ca19a7e588b19bf9677c29b25a9112a103bc7be786756a2f05cde76d2'
 - name: 'nginx mime.types checksum'
 command: 'sha256sum'
@@ -136,13 +136,13 @@ commandTests:
 command: 'sha256sum'
 args: ['/etc/supervisor/supervisord.conf']
 expectedOutput:
- - 'cbf3f7370b1fd9f24360c20cc9e909f3298635d456fa76d97f531af0136a390c'
+ - '7c1b6af616372d69f9beb279834b4b9bab0deb31ed454a21193b563817bf9304'
 - name: 'supervisor app.conf checksum'
 command: 'sha256sum'
 args: ['/etc/supervisor/conf.d/app.conf']
 expectedOutput:
- - 'bbdd21d87a9b30770de6b434673caf6594eb67bc4ff5c124f8c0ccb453c62d6b'
+ - 'ffaca82839725c81b62f59a5da6fc941f2643eee5e649654725e01c80b28b1b4'
 - name: 'php-fpm config test'
 command: '/usr/local/sbin/php-fpm'
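Review bot: The added `user = nobody` and `group = nogroup` pool settings are only honoured when the php-fpm master runs as root; with the image now starting as `USER 65534:65534`, php-fpm keeps the uid it was started with and, as far as I recall, logs a notice that the `user` directive is ignored. The two lines are therefore dead configuration that suggests a privilege drop which does not happen in this image; either remove them or keep them with a comment such as `; informational only: the master is already unprivileged (USER 65534 in the Dockerfile) and php-fpm ignores user/group in that case`. The values themselves are consistent with the `chown -R 65534:65534` lines in the Dockerfiles, so they would do the right thing if a rootful variant were ever rebuilt.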
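Review bot: The three hunks only refresh the sha256 expectations for the rewritten config files; nothing in the suite asserts the property this change is about, namely that the container runs as uid 65534 and serves on 8080 rather than 80. If this is a container-structure-test file, a `metadataTest` section can pin both (`user: '65534:65534'` and `exposedPorts: ['8080']`), and a `commandTests` entry running `id` with `args: ['-u']` and `expectedOutput: ['65534']` checks the effective uid inside the image. Without such a test a later edit that drops the `USER` line would pass this suite unchanged. The checksums themselves cannot be reviewed from the diff, so the behavioural assertion is the check that actually protects the rootless guarantee.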