From a1d92a013ecc8aff86002cf4002f0f33af851735 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Mon, 23 Sep 2019 07:19:50 +0200
Subject: [PATCH] switching from supervisord to s6-overlay, less dependencies and lets us run as non-root

---
 Dockerfile | 54 +++++++++++++++++++------------
 etc/nginx/nginx.conf | 3 --
 etc/php7/conf.d/00-docker.ini | 2 --
 etc/php7/php-fpm.d/zz-docker.conf | 13 ++++----
 etc/services.d/nginx/run | 2 ++
 etc/services.d/php-fpm7/run | 2 ++
 etc/supervisor.d/docker.ini | 23 -------------
 7 files changed, 44 insertions(+), 55 deletions(-)
 create mode 100644 etc/services.d/nginx/run
 create mode 100644 etc/services.d/php-fpm7/run
 delete mode 100644 etc/supervisor.d/docker.ini

diff --git a/Dockerfile b/Dockerfile
index 9c90c9b..a25a442 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,33 +2,30 @@ FROM alpine:3.10
 MAINTAINER PrivateBin
 
-ENV RELEASE 1.3
+ENV RELEASE 1.3
+ENV PBURL https://github.com/PrivateBin/PrivateBin/
+ENV S6RELEASE v1.22.1.0
+ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/
+ENV S6_READ_ONLY_ROOT 1
 
 RUN \
 # Install dependencies
-    apk add --no-cache supervisor tzdata nginx php7-fpm \
-        php7-json php7-gd php7-opcache php7-pdo_mysql php7-pdo_pgsql \
+    apk add --no-cache tzdata nginx php7-fpm php7-json php7-gd \
+        php7-opcache php7-pdo_mysql php7-pdo_pgsql \
 # Remove (some of the) default nginx config
-    && rm -f /etc/nginx.conf \
-    && rm -f /etc/nginx/conf.d/default.conf \
+    && rm -f /etc/nginx.conf /etc/nginx/conf.d/default.conf /etc/php7/php-fpm.d/www.conf \
     && rm -rf /etc/nginx/sites-* \
-    && rm -rf /var/log/nginx \
 # Ensure nginx logs, even if the config has errors, are written to stderr
-    && rm /var/lib/nginx/logs \
-    && mkdir -p /var/lib/nginx/logs \
-    && ln -s /dev/stderr /var/lib/nginx/logs/error.log \
-# Create folder where the user hook into our default configs
-    && mkdir -p /etc/nginx/server.d/ \
-    && mkdir -p /etc/nginx/location.d/ \
+    && ln -s /dev/stderr /var/log/nginx/error.log \
 # Install PrivateBin
-    && apk add --no-cache gnupg curl \
+    && apk add --no-cache gnupg curl libcap \
     && export GNUPGHOME="$(mktemp -d)" \
     && gpg2 --list-public-keys || /bin/true \
     && curl -s https://privatebin.info/key/release.asc | gpg2 --import - \
     && rm -rf /var/www/* \
     && cd /tmp \
-    && curl -Ls https://github.com/PrivateBin/PrivateBin/releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc > PrivateBin-${RELEASE}.tar.gz.asc \
-    && curl -Ls https://github.com/PrivateBin/PrivateBin/archive/${RELEASE}.tar.gz > PrivateBin-${RELEASE}.tar.gz \
+    && curl -Ls ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc > PrivateBin-${RELEASE}.tar.gz.asc \
+    && curl -Ls ${PBURL}archive/${RELEASE}.tar.gz > PrivateBin-${RELEASE}.tar.gz \
     && gpg2 --verify PrivateBin-${RELEASE}.tar.gz.asc \
     && cd /var/www \
     && tar -xzf /tmp/PrivateBin-${RELEASE}.tar.gz --strip 1 \
@@ -39,17 +36,32 @@ RUN \
     && mv vendor /srv \
     && mkdir -p /srv/data \
     && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \
-    && chown -R nobody.www-data /var/www /srv/* \
+# Install s6 overlay for service management
+    && curl -s https://keybase.io/justcontainers/key.asc | gpg2 --import - \
+    && cd /tmp \
+    && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-amd64.tar.gz.sig > s6-overlay-amd64.tar.gz.sig \
+    && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-amd64.tar.gz > s6-overlay-amd64.tar.gz \
+    && gpg2 --verify s6-overlay-amd64.tar.gz.sig \
+    && tar -xzf s6-overlay-amd64.tar.gz -C / \
+# Support running s6 under a non-root user
+    && mkdir -p /etc/services.d/nginx/supervise /etc/services.d/php-fpm7/supervise \
+    && mkfifo /etc/services.d/nginx/supervise/control \
+    && mkfifo /etc/services.d/php-fpm7/supervise/control \
+    && mkfifo /etc/s6/services/s6-fdholderd/supervise/control \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && chown -R nginx.www-data /var/www /srv/* /etc/services.d /etc/s6 /run \
+# Clean up
     && rm -rf "${GNUPGHOME}" /tmp/* \
-    && apk del --no-cache gnupg curl
+    && apk del gnupg curl libcap
 
-WORKDIR /var/www
+COPY etc/ /etc/
 
-ADD etc/ /etc/
+WORKDIR /var/www
+USER nginx:www-data
 
 # mark dirs as volumes that need to be writable, allows running the container --read-only
-VOLUME /srv/data /tmp /var/tmp /run /var/log
+VOLUME /srv/data /tmp /var/tmp/nginx /run /var/log
 
 EXPOSE 80
-ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]
+ENTRYPOINT ["/init"]
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index b46d5fd..4553a26 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
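Review bot: `gpg2 --verify PrivateBin-${RELEASE}.tar.gz.asc` only proves the tarball was signed by some key in the throwaway keyring, and that keyring is filled by `curl -s https://privatebin.info/key/release.asc | gpg2 --import -` at build time, so whoever controls that URL (or the TLS path to it) decides which key is trusted. Pin the expected key instead of trusting the download: check the fingerprint right after the import, e.g. `&& gpg2 --list-keys --with-colons | grep -q "^fpr:.*:${PBKEYFPR}:$" \` with `PBKEYFPR` set to the project's published release-key fingerprint, or ship `release.asc` in the build context and import it from there. This matters doubly because the same keyring later receives the s6-overlay key in the next hunk, so without pinning either key satisfies either `--verify`. The `curl -s` downloads also lack `-f`, so an HTTP error page is silently written to disk and only caught later by the signature check; `curl -fsSL` fails fast with a clear error. The `RUN` instruction continues in the following hunk.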
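Review bot: `chown -R nginx.www-data /var/www /srv/* /etc/services.d /etc/s6 /run` gives the runtime user — which `USER nginx:www-data` later makes the uid of both nginx and php-fpm — ownership of the service definition trees, so a code-execution bug in PHP can replace `/etc/services.d/php-fpm7/run` (or anything under `/etc/s6`) and s6 will execute the replacement on the next restart; the root-owned files that `COPY etc/ /etc/` later drops in do not help because the directories themselves are writable by that uid. The preceding `mkdir`/`mkfifo` lines show that what s6 needs writable for non-root operation is the `supervise` directories, so scope the chown to those: `&& chown -R nginx.www-data /var/www /srv/* /run \` and `&& chown -R nginx.www-data /etc/services.d/*/supervise /etc/s6/services/s6-fdholderd/supervise \`; if s6-overlay v1.22 turns out to need other paths writable, widen to those specific paths rather than the whole tree. Running with `--read-only`, which the `VOLUME` comment alludes to, mitigates this but the image does not enforce it. Also worth a comment next to `setcap`: the file capability only works if `CAP_NET_BIND_SERVICE` stays in the container's bounding set, so `--cap-drop=ALL` will make nginx fail to bind port 80.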
@@ -1,6 +1,3 @@
-# Run as a unique, less privileged user for security reasons.
-user nginx www-data;
-
 # Sets the worker threads to the number of CPU cores available in the system for best performance.
 # Should be > the number of CPU cores.
 # Maximum number of connections = worker_processes * worker_connections
diff --git a/etc/php7/conf.d/00-docker.ini b/etc/php7/conf.d/00-docker.ini
index 7bb479d..7d82970 100644
--- a/etc/php7/conf.d/00-docker.ini
+++ b/etc/php7/conf.d/00-docker.ini
@@ -32,8 +32,6 @@ error_reporting=-1
 ; performance
-zend_extension=opcache.so
-
 ; we want fast cli scripts too
 opcache.enable_cli=On
diff --git a/etc/php7/php-fpm.d/zz-docker.conf b/etc/php7/php-fpm.d/zz-docker.conf
index 6238381..2817ad1 100644
--- a/etc/php7/php-fpm.d/zz-docker.conf
+++ b/etc/php7/php-fpm.d/zz-docker.conf
@@ -1,13 +1,14 @@
 [global]
-pid = ../run/php-fpm7.pid
+pid = /run/php-fpm7.pid
 daemonize = no
+error_log = /dev/stderr
 
 [www]
 listen = /run/php-fpm.sock
-listen.owner = nobody
-listen.group = www-data
-listen.mode = 0660
-
 access.log = /dev/null
-
 clear_env = On
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
diff --git a/etc/services.d/nginx/run b/etc/services.d/nginx/run
new file mode 100644
index 0000000..3d184d6
--- /dev/null
+++ b/etc/services.d/nginx/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+/usr/sbin/nginx
diff --git a/etc/services.d/php-fpm7/run b/etc/services.d/php-fpm7/run
new file mode 100644
index 0000000..395b320
--- /dev/null
+++ b/etc/services.d/php-fpm7/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+/usr/sbin/php-fpm7
diff --git a/etc/supervisor.d/docker.ini b/etc/supervisor.d/docker.ini
deleted file mode 100644
index 0189d59..0000000
--- a/etc/supervisor.d/docker.ini
+++ /dev/null
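Review bot: The `[www]` pool now leaves the socket ownership to php-fpm's defaults: with `listen.owner`, `listen.group` and `listen.mode` gone, `/run/php-fpm.sock` is created by the uid php-fpm itself runs as, with php-fpm's documented default mode of 0660. That works here only because the Dockerfile in this patch runs both php-fpm and nginx as `nginx:www-data` (and deletes the stock `www.conf` that used to set the pool user), so the socket permission is no longer a privilege boundary between the two daemons. Record that assumption so the next maintainer does not re-add `listen.owner = nobody`, which php-fpm would most likely be unable to apply when not running as root: `; no listen.owner/group/mode: php-fpm and nginx run as the same unprivileged user (see USER in the Dockerfile)`. The new `pm.*` sizing is hard-coded at five children; if that is meant to be tuned per deployment, a comment saying how (or an env override) would help.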
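Review bot: The diffstat records `etc/services.d/nginx/run` (and `etc/services.d/php-fpm7/run`) as `create mode 100644`, i.e. not executable, and `COPY etc/ /etc/` preserves that mode; s6 executes `run` directly, so unless the s6-overlay init stage makes service scripts executable at boot (I cannot confirm that for v1.22.1.0 from this patch) the service will fail to spawn. Either commit the files with the executable bit (`git update-index --chmod=+x etc/services.d/*/run`) or add `RUN chmod +x /etc/services.d/*/run` after the `COPY` in the Dockerfile. Because `COPY` runs after the `chown -R` in the Dockerfile these files also end up root-owned; that is fine for execution by the nginx user but deserves a one-line comment so nobody "fixes" it by chowning them back.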
@@ -1,23 +0,0 @@
-[supervisord]
-nodaemon=true
-pidfile=/run/supervisord.pid
-
-[program:php-fpm]
-command=/usr/sbin/php-fpm7
-autostart=true
-autorestart=true
-priority=10
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-
-[program:nginx]
-command=/usr/sbin/nginx
-autostart=true
-autorestart=true
-priority=20
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0