feat: run container as none root

BREAKING CHANGE: This will drop all root privileges inside the container. Probably Migrations are required see `docs/migrate.md` Closes #170 Signed-off-by: solidnerd <niclas@mietz.io>
2020-04-10 12:50:00 +02:00 · 2020-04-10 12:50:00 +02:00 · 6763e153a4
commit 6763e153a4
parent 72e91d8e5a
4 changed files with 97 additions and 47 deletions
--- a/95
+++ b/95
@ -1,38 +1,81 @@
-FROM php:7.2-apache-stretch
+FROM alpine:3 as bookstack
+ENV BOOKSTACK_VERSION=0.27.5
+RUN apk add --no-cache curl tar
+RUN set -x; \
+    curl -SL -o bookstack.tar.gz https://github.com/BookStackApp/BookStack/archive/v${BOOKSTACK_VERSION}.tar.gz  \
+    && mkdir -p /bookstack \
+    && tar xvf bookstack.tar.gz -C /bookstack --strip-components=1 \
+    && rm bookstack.tar.gz

-ENV BOOKSTACK=BookStack \
-    BOOKSTACK_VERSION=0.27.5 \
-    BOOKSTACK_HOME="/var/www/bookstack"
-
-RUN apt-get update && apt-get install -y --no-install-recommends git zlib1g-dev libfreetype6-dev libjpeg62-turbo-dev libmcrypt-dev libpng-dev wget libldap2-dev libtidy-dev libxml2-dev fontconfig ttf-freefont wkhtmltopdf tar curl \
-   && docker-php-ext-install dom pdo pdo_mysql zip tidy  \
+FROM php:7.4-apache-buster as final
+RUN set -x; \
+    apt-get update \
+    && apt-get install -y --no-install-recommends \
+        git \
+        zlib1g-dev \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        libmcrypt-dev \
+        libpng-dev  \
+        libldap2-dev  \
+        libtidy-dev  \
+        libxml2-dev  \
+        fontconfig  \
+        fonts-freefont-ttf   \
+        wkhtmltopdf  \
+        tar \
+        curl \
+        libzip-dev \
+        unzip \
+    \
+   && docker-php-ext-install -j$(nproc) dom pdo pdo_mysql zip tidy  \
   && docker-php-ext-configure ldap \
-   && docker-php-ext-install ldap \
-   && docker-php-ext-configure gd --with-freetype-dir=usr/include/ --with-jpeg-dir=/usr/include/ \
-   && docker-php-ext-install gd \
-   && cd /var/www && curl -sS https://getcomposer.org/installer | php \
-   && mv /var/www/composer.phar /usr/local/bin/composer \
-   && wget https://github.com/BookStackApp/BookStack/archive/v${BOOKSTACK_VERSION}.tar.gz -O ${BOOKSTACK}.tar.gz \
-   && tar -xf ${BOOKSTACK}.tar.gz && mv BookStack-${BOOKSTACK_VERSION} ${BOOKSTACK_HOME} && rm ${BOOKSTACK}.tar.gz  \
-   && cd $BOOKSTACK_HOME && composer install \
-   && chown -R www-data:www-data $BOOKSTACK_HOME \
-   && apt-get -y autoremove \
-   && apt-get clean \
-   && rm -rf /var/lib/apt/lists/* /var/tmp/* /etc/apache2/sites-enabled/000-*.conf
+   && docker-php-ext-install -j$(nproc) ldap \
+   && docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \
+   && docker-php-ext-install -j$(nproc) gd 
+
+RUN a2enmod rewrite remoteip; \
+    { \
+    echo RemoteIPHeader X-Real-IP ; \
+    echo RemoteIPTrustedProxy 10.0.0.0/8 ; \
+    echo RemoteIPTrustedProxy 172.16.0.0/12 ; \
+    echo RemoteIPTrustedProxy 192.168.0.0/16 ; \
+    } > /etc/apache2/conf-available/remoteip.conf; \
+    a2enconf remoteip
+
+RUN set -ex; \
+    sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf; \
+    sed -i "s/VirtualHost *:80/VirtualHost *:8080/" /etc/apache2/sites-available/*.conf 
+
+COPY bookstack.conf /etc/apache2/sites-available/000-default.conf
+
+COPY --from=bookstack --chown=33:33 /bookstack/ /var/www/bookstack/
+
+RUN set -x; \
+    cd /var/www/bookstack \
+    && curl -sS https://getcomposer.org/installer | php \
+    && /var/www/bookstack/composer.phar global -v require hirak/prestissimo \
+    && /var/www/bookstack/composer.phar install -v -d /var/www/bookstack/ \
+    && /var/www/bookstack/composer.phar global -v remove hirak/prestissimo \
+    && rm -rf /var/www/bookstack/composer.phar /root/.composer \
+    && chown -R www-data:www-data /var/www/bookstack

 COPY php.ini /usr/local/etc/php/php.ini
-COPY bookstack.conf /etc/apache2/sites-enabled/bookstack.conf
-RUN a2enmod rewrite
+COPY docker-entrypoint.sh /bin/docker-entrypoint.sh

-COPY docker-entrypoint.sh /
+WORKDIR /var/www/bookstack

-WORKDIR $BOOKSTACK_HOME
+# www-data
+USER 33

-EXPOSE 80
+VOLUME ["/var/www/bookstack/public/uploads","/var/www/bookstack/storage/uploads"]

-VOLUME ["$BOOKSTACK_HOME/public/uploads","$BOOKSTACK_HOME/storage/uploads"]
+ENV RUN_APACHE_USER=www-data \
+    RUN_APACHE_GROUP=www-data

-ENTRYPOINT ["/docker-entrypoint.sh"]
+EXPOSE 8080
+
+ENTRYPOINT ["/bin/docker-entrypoint.sh"]

 ARG BUILD_DATE
 ARG VCS_REF
--- a/bookstack.conf
+++ b/bookstack.conf
@ -1,10 +1,23 @@
-<VirtualHost *:80>
-    ServerName bookstack.dev
-    DocumentRoot "/var/www/bookstack/public/"
+<VirtualHost *:8080>
+        # The ServerName directive sets the request scheme, hostname and port that
+        # the server uses to identify itself. This is used when creating
+        # redirection URLs. In the context of virtual hosts, the ServerName
+        # specifies what hostname must appear in the request's Host: header to
+        # match this virtual host. For the default virtual host (this file) this
+        # value is not decisive as it is used as a last resort host regardless.
+        # However, you must set it for any further virtual host explicitly.
+        ServerName bookstack

-    <Directory "/var/www/bookstack/">
-        Options FollowSymLinks MultiViews
-        AllowOverride All
-        Require all granted
-    </Directory>
+        DocumentRoot /var/www/bookstack/public
+
+        <Directory "/var/www/bookstack/">
+            Options FollowSymLinks MultiViews
+            AllowOverride All
+            Require all granted
+        </Directory>
+        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+        # error, crit, alert, emerg.
+        # It is also possible to configure the loglevel for particular
+        # modules, e.g.
+        LogLevel info
 </VirtualHost>
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -23,7 +23,7 @@ services:
    - uploads:/var/www/bookstack/public/uploads
    - storage-uploads:/var/www/bookstack/storage/uploads
    ports:
-    - "8080:80"
+    - "8080:8080"

 volumes:
 mysql-data:
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -7,9 +7,9 @@ echoerr() { echo "$@" 1>&2; }
 IFS=":" read -r DB_HOST_NAME DB_PORT <<< "$DB_HOST"
 DB_PORT=${DB_PORT:-3306}

-if [ ! -f "$BOOKSTACK_HOME/.env" ]; then
+if [ ! -f ".env" ]; then
  if [[ "${DB_HOST}" ]]; then
-  cat > "$BOOKSTACK_HOME/.env" <<EOF
+  cat > ".env" <<EOF
      # Environment
      APP_ENV=production
      APP_DEBUG=${APP_DEBUG:-false}
@ -79,7 +79,6 @@ if [ ! -f "$BOOKSTACK_HOME/.env" ]; then
      MAIL_ENCRYPTION=${MAIL_ENCRYPTION:-null}
      # URL used for social login redirects, NO TRAILING SLASH
 EOF
-sed -ie "s/single/errorlog/g" app/Config/app.php
    else
        echo >&2 'error: missing DB_HOST environment variable'
        exit 1
@ -103,19 +102,14 @@ else
  echoerr "wait-for-db: timeout out after 15 seconds waiting for ${DB_HOST_NAME}:${DB_PORT}"
 fi

-composer install
-
-php artisan key:generate
+echo "Generating Key..."
+php artisan key:generate --show

+echo "Starting Migration..."
 php artisan migrate --force

-
-echo "Setting folder permissions for uploads"
-chown -R www-data:www-data public/uploads && chmod -R 775 public/uploads
-chown -R www-data:www-data storage/uploads && chmod -R 775 storage/uploads
-
+echo "Clearing caches..."
 php artisan cache:clear
-
 php artisan view:clear

 exec apache2-foreground