1
- FROM jdeathe/centos-ssh-apache-php :1.13 .0
1
+ FROM jdeathe/centos-ssh:1.11 .0
2
2
3
- ARG RELEASE_VERSION="1.13.0"
3
+ # Use the form ([{fqdn}-]{package-name}|[{fqdn}-]{provider-name})
4
+ ARG PACKAGE_NAME="app"
5
+ ARG PACKAGE_PATH="/opt/${PACKAGE_NAME}"
6
+ ARG PACKAGE_RELEASE_VERSION="0.13.0"
7
+ ARG RELEASE_VERSION="1.13.1"
4
8
5
9
# ------------------------------------------------------------------------------
6
10
# Base install of required packages
7
11
# ------------------------------------------------------------------------------
8
- RUN yum -y erase \
9
- php-5.3.3-49.el6 \
10
- && yum -y install \
12
+ RUN yum -y install \
11
13
--setopt=tsflags=nodocs \
12
14
--disableplugin=fastestmirror \
15
+ elinks-0.12-0.21.pre5.el6_3 \
13
16
fcgi-2.4.0-12.el6 \
17
+ httpd-2.2.15-69.el6.centos \
14
18
mod_fcgid-2.3.9-1.el6 \
19
+ mod_ssl-2.2.15-69.el6.centos \
20
+ php-cli-5.3.3-49.el6 \
21
+ php-common-5.3.3-49.el6 \
22
+ php-zts-5.3.3-49.el6 \
23
+ php-pecl-apc-3.1.9-2.el6 \
24
+ php-pecl-memcached-1.0.0-1.el6 \
25
+ php-pecl-redis-2.2.8-1.el6 \
15
26
&& yum versionlock add \
27
+ elinks \
16
28
fcgi \
29
+ httpd \
17
30
mod_fcgid \
31
+ mod_ssl \
32
+ php* \
18
33
&& rm -rf /var/cache/yum/* \
19
34
&& yum clean all
20
35
@@ -25,33 +40,217 @@ ADD src /
25
40
26
41
# ------------------------------------------------------------------------------
27
42
# Provisioning
43
+ # - Add default system users
44
+ # - Limit threads for the application user
45
+ # - Disable Apache directory indexes and welcome page
46
+ # - Disable Apache language based content negotiation
47
+ # - Custom Apache configuration
48
+ # - Disable all Apache modules and enable the minimum
28
49
# - Disable Apache default fcgid configuration; replaced with 00-fcgid.conf
50
+ # - Disable the default SSL Virtual Host
51
+ # - Disable SSL
52
+ # - Add default PHP configuration overrides to 00-php.ini drop-in.
53
+ # - APC configuration
29
54
# - Replace placeholders with values in systemd service unit template
30
55
# - Set permissions
31
56
# ------------------------------------------------------------------------------
32
- RUN truncate -s 0 \
57
+ RUN useradd -r -M -d /var/www/app -s /sbin/nologin app \
58
+ && useradd -r -M -d /var/www/app -s /sbin/nologin -G apache,app app-www \
59
+ && usermod -a -G app-www app \
60
+ && usermod -a -G app-www,app apache \
61
+ && usermod -L app \
62
+ && usermod -L app-www \
63
+ && { printf -- \
64
+ '\n @apache\t soft\t nproc\t %s\n @apache\t hard\t nproc\t %s\n ' \
65
+ '85' \
66
+ '170' ; \
67
+ } >> /etc/security/limits.conf \
68
+ && cp -pf \
69
+ /etc/httpd/conf/httpd.conf \
70
+ /etc/httpd/conf/httpd.conf.default \
71
+ && sed -i \
72
+ -e 's~^KeepAlive .*$~KeepAlive On~g' \
73
+ -e 's~^MaxKeepAliveRequests .*$~MaxKeepAliveRequests 200~g' \
74
+ -e 's~^KeepAliveTimeout .*$~KeepAliveTimeout 2~g' \
75
+ -e 's~^ServerSignature On$~ServerSignature Off~g' \
76
+ -e 's~^ServerTokens OS$~ServerTokens Prod~g' \
77
+ -e 's~^NameVirtualHost \( .*\) $~#NameVirtualHost \1 ~g' \
78
+ -e 's~^User .*$~User ${APACHE_RUN_USER}~g' \
79
+ -e 's~^Group .*$~Group ${APACHE_RUN_GROUP}~g' \
80
+ -e 's~^DocumentRoot \( .*\) $~#DocumentRoot \1 ~g' \
81
+ -e 's~^IndexOptions \( .*\) $~#IndexOptions \1 ~g' \
82
+ -e 's~^IndexIgnore \( .*\) $~#IndexIgnore \1 ~g' \
83
+ -e 's~^AddIconByEncoding \( .*\) $~#AddIconByEncoding \1 ~g' \
84
+ -e 's~^AddIconByType \( .*\) $~#AddIconByType \1 ~g' \
85
+ -e 's~^AddIcon \( .*\) $~#AddIcon \1 ~g' \
86
+ -e 's~^DefaultIcon \( .*\) $~#DefaultIcon \1 ~g' \
87
+ -e 's~^ReadmeName \( .*\) $~#ReadmeName \1 ~g' \
88
+ -e 's~^HeaderName \( .*\) $~#HeaderName \1 ~g' \
89
+ -e 's~^LanguagePriority \( .*\) $~#LanguagePriority \1 ~g' \
90
+ -e 's~^ForceLanguagePriority \( .*\) $~#ForceLanguagePriority \1 ~g' \
91
+ -e 's~^AddLanguage \( .*\) $~#AddLanguage \1 ~g' \
92
+ -e '/#<Location \/ server-status>/,/#<\/ Location>/ s~^#~~' \
93
+ -e '/<Location \/ server-status>/,/<\/ Location>/ s~Allow from .example.com~Allow from localhost 127.0.0.1~' \
94
+ /etc/httpd/conf/httpd.conf \
95
+ && { printf -- \
96
+ '\n %s\n %s\n %s\n %s\\\n %s%s\\\n %s\n %s\n %s\n %s\n %s\n %s\n %s\n %s\n ' \
97
+ '#' \
98
+ '# Custom configuration' \
99
+ '#' \
100
+ 'LogFormat ' \
101
+ ' "%{X-Forwarded-For}i %l %u %t \" %r\" %>s %b' \
102
+ ' \" %{Referer}i\" \" %{User-Agent}i\" " ' \
103
+ ' forwarded_for_combined' \
104
+ 'Listen 8443' \
105
+ 'Options -Indexes' \
106
+ 'ServerSignature Off' \
107
+ 'ServerTokens Prod' \
108
+ 'TraceEnable Off' \
109
+ 'UseCanonicalName On' \
110
+ 'UseCanonicalPhysicalPort On' ; \
111
+ } >> /etc/httpd/conf/httpd.conf \
112
+ && sed -i \
113
+ -e 's~^\( LoadModule .*\) $~#\1 ~g' \
114
+ -e 's~^#\( LoadModule mime_module .*\) $~\1 ~' \
115
+ -e 's~^#\( LoadModule log_config_module .*\) $~\1 ~' \
116
+ -e 's~^#\( LoadModule setenvif_module .*\) $~\1 ~' \
117
+ -e 's~^#\( LoadModule status_module .*\) $~\1 ~' \
118
+ -e 's~^#\( LoadModule authz_host_module .*\) $~\1 ~' \
119
+ -e 's~^#\( LoadModule dir_module .*\) $~\1 ~' \
120
+ -e 's~^#\( LoadModule alias_module .*\) $~\1 ~' \
121
+ -e 's~^#\( LoadModule expires_module .*\) $~\1 ~' \
122
+ -e 's~^#\( LoadModule deflate_module .*\) $~\1 ~' \
123
+ -e 's~^#\( LoadModule headers_module .*\) $~\1 ~' \
124
+ -e 's~^#\( LoadModule alias_module .*\) $~\1 ~' \
125
+ -e 's~^#\( LoadModule version_module .*\) $~\1\n #LoadModule reqtimeout_module modules/mod_reqtimeout.so~g' \
126
+ /etc/httpd/conf/httpd.conf \
127
+ && truncate -s 0 \
33
128
/etc/httpd/conf.d/fcgid.conf \
34
129
&& chmod 444 \
35
130
/etc/httpd/conf.d/fcgid.conf \
131
+ && sed -i \
132
+ -e '/<VirtualHost _default_:443>/,/<\/ VirtualHost>/ s~^~#~' \
133
+ /etc/httpd/conf.d/ssl.conf \
134
+ && cat \
135
+ /etc/httpd/conf.d/ssl.conf \
136
+ > /etc/httpd/conf.d/ssl.conf.off \
137
+ && truncate -s 0 \
138
+ /etc/httpd/conf.d/ssl.conf \
139
+ && chmod 644 \
140
+ /etc/httpd/conf.d/ssl.conf \
141
+ && sed \
142
+ -e 's~^; .*$~~' \
143
+ -e 's~^;*$~~' \
144
+ -e '/^$/d' \
145
+ -e 's~^\[ ~\n\[ ~g' \
146
+ /etc/php.ini \
147
+ > /etc/php.d/00-php.ini.default \
148
+ && sed \
149
+ -e 's~^; .*$~~' \
150
+ -e 's~^;*$~~' \
151
+ -e '/^$/d' \
152
+ -e 's~^\[ ~\n\[ ~g' \
153
+ /etc/php.d/apc.ini \
154
+ > /etc/php.d/apc.ini.default \
155
+ && sed -r \
156
+ -e 's~^;?(cgi.fix_pathinfo( )?=).*$~\1\2 1~g' \
157
+ -e 's~^;?(date.timezone( )?=).*$~\1\2 "${PHP_OPTIONS_DATE_TIMEZONE:-UTC}"~g' \
158
+ -e 's~^;?(expose_php( )?=).*$~\1\2 Off~g' \
159
+ -e 's~^;?(realpath_cache_size( )?=).*$~\1\2 4096k~' \
160
+ -e 's~^;?(realpath_cache_ttl( )?=).*$~\1\2 600~' \
161
+ -e 's~^;?(session.cookie_httponly( )?=).*$~\1\2 1~' \
162
+ -e 's~^;?(session.name( )?=).*$~\1\2 "${PHP_OPTIONS_SESSION_NAME:-PHPSESSID}"~' \
163
+ -e 's~^;?(session.save_handler( )?=).*$~\1\2 "${PHP_OPTIONS_SESSION_SAVE_HANDLER:-files}"~' \
164
+ -e 's~^;?(session.save_path( )?=).*$~\1\2 "${PHP_OPTIONS_SESSION_SAVE_PATH:-/var/lib/php/session}"~' \
165
+ -e 's~^;?(session.sid_bits_per_character( )?=).*$~\1\2 5~' \
166
+ -e 's~^;?(session.sid_length( )?=).*$~\1\2 64~' \
167
+ -e 's~^;?(session.use_strict_mode( )?=).*$~\1\2 1~' \
168
+ -e 's~^;?(user_ini.filename( )?=).*$~\1 ~g' \
169
+ /etc/php.d/00-php.ini.default \
170
+ > /etc/php.d/00-php.ini \
171
+ && sed \
172
+ -e 's~^\( apc.stat=\) .*$~\1 0~g' \
173
+ -e 's~^\( apc.shm_size=\) .*$~\1 128M~g' \
174
+ -e 's~^\( apc.enable_cli=\) .*$~\1 1~g' \
175
+ -e 's~^\( apc.file_update_protection=\) .*$~\1 0~g' \
176
+ /etc/php.d/apc.ini.default \
177
+ > /etc/php.d/apc.ini \
178
+ && sed -i \
179
+ -e "s~'ADMIN_PASSWORD','password'~'ADMIN_PASSWORD','apc!123'~g" \
180
+ -e "s~'DATE_FORMAT', 'Y/m/d H:i:s'~'DATE_FORMAT', 'Y-m-d H:i:s'~g" \
181
+ -e "s~php_uname('n');~gethostname();~g" \
182
+ /usr/share/php-pecl-apc/apc.php \
36
183
&& sed -i \
37
184
-e "s~{{RELEASE_VERSION}}~${RELEASE_VERSION}~g" \
38
- /etc/systemd/system/centos-ssh-apache-php-fcgi@.service
185
+ /etc/systemd/system/centos-ssh-apache-php-fcgi@.service \
186
+ && chmod 644 \
187
+ /etc/supervisord.d/{20-httpd-bootstrap,70-httpd-wrapper}.conf \
188
+ && chmod 700 \
189
+ /usr/{bin/healthcheck,sbin/httpd-{bootstrap,wrapper}}
39
190
40
191
# ------------------------------------------------------------------------------
41
192
# Package installation
42
193
# ------------------------------------------------------------------------------
43
- RUN sed -i \
194
+ RUN mkdir -p -m 750 ${PACKAGE_PATH} \
195
+ && curl -Ls \
196
+ https://github.com/jdeathe/php-hello-world/archive/${PACKAGE_RELEASE_VERSION}.tar.gz \
197
+ | tar -xzpf - \
198
+ --strip-components=1 \
199
+ --exclude="*.gitkeep" \
200
+ -C ${PACKAGE_PATH} \
201
+ && sed -i \
44
202
-e 's~^description =.*$~description = "This CentOS / Apache / PHP-CGI (FastCGI) service is running in a container."~' \
45
203
${PACKAGE_PATH}/etc/views/index.ini \
46
- && rm -f \
47
- ${PACKAGE_PATH}/bin/php-wrapper \
48
- ${PACKAGE_PATH}/etc/httpd/conf.d/50-fcgid.conf
204
+ && mv \
205
+ ${PACKAGE_PATH}/public \
206
+ ${PACKAGE_PATH}/public_html \
207
+ && $(\
208
+ if [[ -f /usr/share/php-pecl-apc/apc.php ]]; then \
209
+ cp \
210
+ /usr/share/php-pecl-apc/apc.php \
211
+ ${PACKAGE_PATH}/public_html/_apc.php; \
212
+ fi \
213
+ ) \
214
+ && chown -R app:app-www ${PACKAGE_PATH} \
215
+ && find ${PACKAGE_PATH} -type d -exec chmod 750 {} + \
216
+ && find ${PACKAGE_PATH}/var -type d -exec chmod 770 {} + \
217
+ && find ${PACKAGE_PATH} -type f -exec chmod 640 {} +
218
+
219
+ EXPOSE 80 443 8443
49
220
50
221
# ------------------------------------------------------------------------------
51
222
# Set default environment variables used to configure the service container
52
223
# ------------------------------------------------------------------------------
53
224
ENV \
54
- APACHE_MPM="worker"
225
+ APACHE_CONTENT_ROOT="/var/www/${PACKAGE_NAME}" \
226
+ APACHE_CUSTOM_LOG_FORMAT="combined" \
227
+ APACHE_CUSTOM_LOG_LOCATION="var/log/apache_access_log" \
228
+ APACHE_ERROR_LOG_LOCATION="var/log/apache_error_log" \
229
+ APACHE_ERROR_LOG_LEVEL="warn" \
230
+ APACHE_EXTENDED_STATUS_ENABLED="false" \
231
+ APACHE_HEADER_X_SERVICE_UID="{{HOSTNAME}}" \
232
+ APACHE_LOAD_MODULES="" \
233
+ APACHE_MOD_SSL_ENABLED="false" \
234
+ APACHE_MPM="worker" \
235
+ APACHE_OPERATING_MODE="production" \
236
+ APACHE_PUBLIC_DIRECTORY="public_html" \
237
+ APACHE_RUN_GROUP="app-www" \
238
+ APACHE_RUN_USER="app-www" \
239
+ APACHE_SERVER_ALIAS="" \
240
+ APACHE_SERVER_NAME="" \
241
+ APACHE_SSL_CERTIFICATE="" \
242
+ APACHE_SSL_CIPHER_SUITE="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
243
+ APACHE_SSL_PROTOCOL="All -SSLv2 -SSLv3" \
244
+ APACHE_SYSTEM_USER="app" \
245
+ ENABLE_HTTPD_BOOTSTRAP="true" \
246
+ ENABLE_HTTPD_WRAPPER="true" \
247
+ ENABLE_SSHD_BOOTSTRAP="false" \
248
+ ENABLE_SSHD_WRAPPER="false" \
249
+ PACKAGE_PATH="${PACKAGE_PATH}" \
250
+ PHP_OPTIONS_DATE_TIMEZONE="UTC" \
251
+ PHP_OPTIONS_SESSION_NAME="PHPSESSID" \
252
+ PHP_OPTIONS_SESSION_SAVE_HANDLER="files" \
253
+ PHP_OPTIONS_SESSION_SAVE_PATH="var/session"
55
254
56
255
# ------------------------------------------------------------------------------
57
256
# Set image metadata
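Review bot: The provisioning `sed` on `/usr/share/php-pecl-apc/apc.php` hard-codes one admin password into the image (`'ADMIN_PASSWORD','apc!123'`), and the package-installation step then copies that file to `${PACKAGE_PATH}/public_html/_apc.php`. Every container built from this image therefore carries the same published credential on a page that presumably sits in the served document root; the virtual host configuration is not visible here. I would leave `_apc.php` out of `public_html` by default and have the bootstrap script set the password at container start from a per-deployment secret, rather than writing it into an image layer. Separately, `curl -Ls … | tar -xzpf -` unpacks the `${PACKAGE_RELEASE_VERSION}` archive with no integrity check, so a changed archive behind the same tag would go unnoticed. Downloading to a file with `curl -fLsS -o`, then running `sha256sum -c` against a pinned digest (placeholder `<expected-sha256>`) before `tar`, would close that gap.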