Merge pull request #101 from jdeathe/centos-6-develop

Release changes for 1.7.1

Author: jdeathe

.gitignore

@@ -1 +1,2 @@
-packages
+packages
+dist

Dockerfile

@@ -4,7 +4,7 @@
 # CentOS-6, Apache 2.2, PHP 5.3, PHP Memcached 1.0, PHP APC 3.1.
 # 
 # =============================================================================
-FROM jdeathe/centos-ssh-apache-php:centos-6-1.7.1
+FROM jdeathe/centos-ssh-apache-php:centos-6-1.7.2
 
 MAINTAINER James Deathe <james.deathe@gmail.com>
 
@@ -39,14 +39,14 @@ ENV APACHE_MPM="worker"
 # -----------------------------------------------------------------------------
 # Set image metadata
 # -----------------------------------------------------------------------------
-ARG RELEASE_VERSION="1.7.0"
+ARG RELEASE_VERSION="1.7.1"
 LABEL \
 	install="docker run \
 --rm \
 --privileged \
 --volume /:/media/root \
 jdeathe/centos-ssh-apache-php-fcgi:centos-6-${RELEASE_VERSION} \
-/sbin/scmi install \
+/usr/sbin/scmi install \
 --chroot=/media/root \
 --name=\${NAME} \
 --tag=centos-6-${RELEASE_VERSION}" \
@@ -55,7 +55,7 @@ jdeathe/centos-ssh-apache-php-fcgi:centos-6-${RELEASE_VERSION} \
 --privileged \
 --volume /:/media/root \
 jdeathe/centos-ssh-apache-php-fcgi:centos-6-${RELEASE_VERSION} \
-/sbin/scmi uninstall \
+/usr/sbin/scmi uninstall \
 --chroot=/media/root \
 --name=\${NAME} \
 --tag=centos-6-${RELEASE_VERSION}" \

Makefile

@@ -99,21 +99,21 @@ create: prerequisites require-docker-container-not
 		fi
 
 dist: prerequisites require-docker-release-tag require-package-path | pull
-	$(eval $@_package_path := $(realpath \
-		$(PACKAGE_PATH) \
+	$(eval $@_dist_path := $(realpath \
+		$(DIST_PATH) \
 	))
-	@ if [[ -s $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
+	@ if [[ -s $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
 			echo "$(PREFIX_STEP) Saving package"; \
-			echo "$(PREFIX_SUB_STEP) Package path: $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
+			echo "$(PREFIX_SUB_STEP) Package path: $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
 			echo "$(PREFIX_SUB_STEP_POSITIVE) Package already exists"; \
 		else \
 			echo "$(PREFIX_STEP) Saving package"; \
 			$(docker) save \
 				$(DOCKER_USER)/$(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG) | \
 				$(xz) -9 > \
-					$($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz; \
+					$($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz; \
 				if [[ $${?} -eq 0 ]]; then \
-					echo "$(PREFIX_SUB_STEP) Package path: $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
+					echo "$(PREFIX_SUB_STEP) Package path: $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
 					echo "$(PREFIX_SUB_STEP_POSITIVE) Package saved"; \
 				else \
 					echo "$(PREFIX_SUB_STEP_NEGATIVE) Package save error"; \
@@ -122,16 +122,16 @@ dist: prerequisites require-docker-release-tag require-package-path | pull
 		fi
 
 distclean: prerequisites require-docker-release-tag require-package-path | clean
-	$(eval $@_package_path := $(realpath \
-		$(PACKAGE_PATH) \
+	$(eval $@_dist_path := $(realpath \
+		$(DIST_PATH) \
 	))
-	@ if [[ -e $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
+	@ if [[ -e $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
 			echo "$(PREFIX_STEP) Deleting package"; \
-			echo "$(PREFIX_SUB_STEP) Package path: $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
-			find $($@_package_path) \
+			echo "$(PREFIX_SUB_STEP) Package path: $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
+			find $($@_dist_path) \
 				-name $(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz \
 				-delete; \
-			if [[ ! -e $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
+			if [[ ! -e $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
 				echo "$(PREFIX_SUB_STEP_POSITIVE) Package cleanup complete"; \
 			else \
 				echo "$(PREFIX_SUB_STEP_NEGATIVE) Package cleanup failed"; \
@@ -159,17 +159,17 @@ logs-delayed: prerequisites
 	@ $(MAKE) logs
 
 load: prerequisites require-docker-release-tag require-package-path
-	$(eval $@_package_path := $(realpath \
-		$(PACKAGE_PATH) \
+	$(eval $@_dist_path := $(realpath \
+		$(DIST_PATH) \
 	))
 	@ echo "$(PREFIX_STEP) Loading image from package"; \
-		echo "$(PREFIX_SUB_STEP) Package path: $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
-		if [[ ! -s $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
+		echo "$(PREFIX_SUB_STEP) Package path: $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz"; \
+		if [[ ! -s $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz ]]; then \
 			echo "$(PREFIX_STEP_NEGATIVE) Package not found"; \
 			echo "$(PREFIX_SUB_STEP_NEGATIVE) To create a package try: DOCKER_IMAGE_TAG=\"$(DOCKER_IMAGE_TAG)\" make dist"; \
 			exit 1; \
 		else \
-			$(xz) -dc $($@_package_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz | \
+			$(xz) -dc $($@_dist_path)/$(DOCKER_IMAGE_NAME).$(DOCKER_IMAGE_TAG).tar.xz | \
 				$(docker) load; \
 			echo "$(PREFIX_SUB_STEP) $$( if [[ -n $$($(docker) images -q $(DOCKER_USER)/$(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)) ]]; then echo $$($(docker) images -q $(DOCKER_USER)/$(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)); else echo $$($(docker) images -q docker.io/$(DOCKER_USER)/$(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)); fi; )"; \
 			echo "$(PREFIX_SUB_STEP_POSITIVE) Image loaded"; \
@@ -271,15 +271,15 @@ require-docker-release-tag:
 		fi
 
 require-package-path:
-	@ if [[ -n $(PACKAGE_PATH) ]] && [[ ! -d $(PACKAGE_PATH) ]]; then \
+	@ if [[ -n $(DIST_PATH) ]] && [[ ! -d $(DIST_PATH) ]]; then \
 			echo "$(PREFIX_STEP) Creating package directory"; \
-			mkdir -p $(PACKAGE_PATH); \
+			mkdir -p $(DIST_PATH); \
 		fi; \
 		if [[ ! $${?} -eq 0 ]]; then \
-			echo "$(PREFIX_STEP_NEGATIVE) Failed to make package path: $(PACKAGE_PATH)"; \
+			echo "$(PREFIX_STEP_NEGATIVE) Failed to make package path: $(DIST_PATH)"; \
 			exit 1; \
-		elif [[ -z $(PACKAGE_PATH) ]]; then \
-			echo "$(PREFIX_STEP_NEGATIVE) Undefined PACKAGE_PATH"; \
+		elif [[ -z $(DIST_PATH) ]]; then \
+			echo "$(PREFIX_STEP_NEGATIVE) Undefined DIST_PATH"; \
 			exit 1; \
 		fi
 

README.md

@@ -72,7 +72,7 @@ $ docker exec -it apache-php.pool-1.1.1 apachectl -h
 
 ### Running
 
-To run the a docker container from this image you can use the standard docker commands. Alternatively, you can use the embedded (Service Container Manager Interface) [scmi](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-6/usr/sbin/scmi) that is included in the image since `centos-6-1.7.0` or, if you have a checkout of the [source repository](https://github.com/jdeathe/centos-ssh-apache-php-fcgi), and have make installed the Makefile provides targets to build, install, start, stop etc. where environment variables can be used to configure the container options and set custom docker run parameters.
+To run the a docker container from this image you can use the standard docker commands. Alternatively, you can use the embedded (Service Container Manager Interface) [scmi](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-6/usr/sbin/scmi) that is included in the image since `centos-6-1.7.1` or, if you have a checkout of the [source repository](https://github.com/jdeathe/centos-ssh-apache-php-fcgi), and have make installed the Makefile provides targets to build, install, start, stop etc. where environment variables can be used to configure the container options and set custom docker run parameters.
 
 #### SCMI Installation Examples
 
@@ -85,10 +85,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0 \
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1 \
   /sbin/scmi install \
     --chroot=/media/root \
-    --tag=centos-6-1.7.0 \
+    --tag=centos-6-1.7.1 \
     --name=apache-php.pool-1.1.1
 ```
 
@@ -101,10 +101,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0 \
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1 \
   /sbin/scmi uninstall \
     --chroot=/media/root \
-    --tag=centos-6-1.7.0 \
+    --tag=centos-6-1.7.1 \
     --name=apache-php.pool-1.1.1
 ```
 
@@ -117,10 +117,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0 \
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1 \
   /sbin/scmi install \
     --chroot=/media/root \
-    --tag=centos-6-1.7.0 \
+    --tag=centos-6-1.7.1 \
     --name=apache-php.pool-1.1.1 \
     --manager=systemd \
     --register \
@@ -134,15 +134,15 @@ If your docker host has systemd, fleetd (and optionally etcd) installed then `sc
 
 ##### SCMI Image Information
 
-Since release `centos-6-1.7.0` the install template has been added to the image metadata. Using docker inspect you can access `scmi` to simplify install/uninstall tasks.
+Since release `centos-6-1.7.1` the install template has been added to the image metadata. Using docker inspect you can access `scmi` to simplify install/uninstall tasks.
 
 To see detailed information about the image run `scmi` with the `--info` option. To see all available `scmi` options run with the `--help` option.
 
 ```
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.install}}" \
-    jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0
+    jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1
   ) --info"
 ```
 
@@ -152,7 +152,7 @@ To perform an installation using the docker name `apache-php.pool-1.2.1` simply
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.install}}" \
-    jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0
+    jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1
   ) --name=apache-php.pool-1.2.1"
 ```
 
@@ -162,7 +162,7 @@ To uninstall use the *same command* that was used to install but with the `unins
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.uninstall}}" \
-    jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0
+    jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1
   ) --name=apache-php.pool-1.2.1"
 ```
 
@@ -175,7 +175,7 @@ To see detailed information about the image run `scmi` with the `--info` option.
 ```
 $ sudo -E atomic install \
   -n apache-php.pool-1.3.1 \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0 \
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1 \
   --info
 ```
 
@@ -184,14 +184,14 @@ To perform an installation using the docker name `apache-php.pool-1.3.1` simply
 ```
 $ sudo -E atomic install \
   -n apache-php.pool-1.3.1 \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1
 ```
 
 Alternatively, you could use the `scmi` options `--name` or `-n` for naming the container.
 
 ```
 $ sudo -E atomic install \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0 \
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1 \
   --name apache-php.pool-1.3.1
 ```
 
@@ -200,7 +200,7 @@ To uninstall use the *same command* that was used to install but with the `unins
 ```
 $ sudo -E atomic uninstall \
   -n apache-php.pool-1.3.1 \
-  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.0
+  jdeathe/centos-ssh-apache-php-fcgi:centos-6-1.7.1
 ```
 
 #### Environment Variables
@@ -338,6 +338,58 @@ The public directory is relative to the `APACHE_CONTENT_ROOT` and together they
 ...
 ```
 
+##### APACHE_SSL_CERTIFICATE
+
+The `APACHE_SSL_CERTIFICATE` environment variable is used to define a PEM, (and optionally base64), encoded certificate bundle. Base64 encoding of the PEM file contents is recommended. To make a compatible certificate bundle use the `cat` command to combine the certificate files together.
+
+```
+$ cat /usr/share/private/server-key.pem \
+    /usr/share/certs/server-certificate.pem \
+    /usr/share/certs/intermediate-certificate.pem \
+  > /usr/share/certs/server-bundle.pem
+```
+
+*Note:* The `base64` command on Mac OSX will encode a file without line breaks by default but if using the command on Linux you need to include use the `-w` option to prevent wrapping lines at 80 characters. i.e. `base64 -w 0 -i {certificate-path}`.
+
+```
+...
+  --env "APACHE_SSL_CERTIFICATE=$(
+    base64 -i "/usr/share/certs/server-bundle.pem"
+  )" \
+...
+```
+
+##### APACHE_SSL_CIPHER_SUITE
+
+Use the `APACHE_SSL_CIPHER_SUITE` environment variable to define an appropriate Cipher Suite. The default "intermediate" selection should be suitable for most use-cases where support for a wide range browsers is necessary. 
+
+References:
+- [OpenSSL ciphers documentation](https://www.openssl.org/docs/manmaster/apps/ciphers.html).
+- [Mozilla Security/Server Side TLS guidance](https://wiki.mozilla.org/Security/Server_Side_TLS).
+
+*Note:* The value show is using space separated values to allow for readablity in the documentation; this is valid syntax however using the colon separator is the recommended form.
+
+```
+...
+  --env "APACHE_SSL_CIPHER_SUITE=ECDHE-ECDSA-AES256-GCM-SHA384 \
+ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 \
+ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 \
+ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 \
+ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 \
+ECDHE-RSA-AES128-SHA256" \
+...
+```
+
+##### APACHE_SSL_PROTOCOL
+
+Use the `APACHE_SSL_PROTOCOL` environment variable to define the supported protocols. The default protocols are suitable for most "intermediate" use-cases however you might want to restrict the TLS version support for example.
+
+```
+...
+  --env "APACHE_SSL_PROTOCOL=All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" \
+...
+```
+
 ##### APACHE_SYSTEM_USER
 
 Use the `APACHE_SYSTEM_USER` environment variable to define a custom service username.

default.mk

@@ -24,7 +24,7 @@ define DOCKER_CONTAINER_PARAMETERS
 endef
 
 DOCKER_PUBLISH := $(shell \
-	if [[ $(DOCKER_PORT_MAP_TCP_80) != NULL ]]; then printf -- '--publish %s%s:80\n' $(DOCKER_PORT_MAP_TCP_80); fi; \
-	if [[ $(DOCKER_PORT_MAP_TCP_443) != NULL ]] && [[ $(APACHE_MOD_SSL_ENABLED) == true ]]; then printf -- '--publish %s%s:443\n' $(DOCKER_PORT_MAP_TCP_443); fi; \
-	if [[ $(DOCKER_PORT_MAP_TCP_8443) != NULL ]]; then printf -- '--publish %s%s:8443\n' $(DOCKER_PORT_MAP_TCP_8443); fi; \
+	if [[ $(DOCKER_PORT_MAP_TCP_80) != NULL ]]; then printf -- '--publish %s:80\n' $(DOCKER_PORT_MAP_TCP_80); fi; \
+	if [[ $(DOCKER_PORT_MAP_TCP_443) != NULL ]] && [[ $(APACHE_MOD_SSL_ENABLED) == true ]]; then printf -- '--publish %s:443\n' $(DOCKER_PORT_MAP_TCP_443); fi; \
+	if [[ $(DOCKER_PORT_MAP_TCP_8443) != NULL ]]; then printf -- '--publish %s:8443\n' $(DOCKER_PORT_MAP_TCP_8443); fi; \
 )

etc/systemd/system/centos-ssh-apache-php-fcgi@.service

@@ -52,7 +52,7 @@ Environment="DOCKER_USER=jdeathe"
 Environment="DOCKER_CONTAINER_PARAMETERS_APPEND="
 Environment="DOCKER_IMAGE_PACKAGE_PATH=/var/opt/scmi/packages"
 Environment="DOCKER_IMAGE_NAME=centos-ssh-apache-php-fcgi"
-Environment="DOCKER_IMAGE_TAG=centos-6-1.7.0"
+Environment="DOCKER_IMAGE_TAG=centos-6-1.7.1"
 Environment="DOCKER_PORT_MAP_TCP_80=8080"
 Environment="DOCKER_PORT_MAP_TCP_443=9443"
 Environment="DOCKER_PORT_MAP_TCP_8443=NULL"