From 9b8aa78539f565275cd35bf456e413659ff9c42f Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Fri, 4 Oct 2019 07:38:32 +0200
Subject: [PATCH 01/15] build architecture detection for choosing the correct s6 overlay #3

---
 Dockerfile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 02895c7..aad0d4e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,10 +39,15 @@ RUN \
 # Install s6 overlay for service management
 && curl -s https://keybase.io/justcontainers/key.asc | gpg2 --import - \
 && cd /tmp \
- && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-amd64.tar.gz.sig > s6-overlay-amd64.tar.gz.sig \
- && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-amd64.tar.gz > s6-overlay-amd64.tar.gz \
- && gpg2 --verify s6-overlay-amd64.tar.gz.sig \
- && tar -xzf s6-overlay-amd64.tar.gz -C / \
+ && S6ARCH=$(uname -m) \
+ && case ${S6ARCH} in \
 x86_64) S6ARCH=amd64;; \
 armv7l) S6ARCH=armhf;; \
 esac \
+ && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz.sig > s6-overlay-${S6ARCH}.tar.gz.sig \
+ && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz > s6-overlay-${S6ARCH}.tar.gz \
+ && gpg2 --verify s6-overlay-${S6ARCH}.tar.gz.sig \
+ && tar -xzf s6-overlay-${S6ARCH}.tar.gz -C / \
 # Support running s6 under a non-root user
 && mkdir -p /etc/services.d/nginx/supervise /etc/services.d/php-fpm7/supervise \
 && mkfifo /etc/services.d/nginx/supervise/control \
From 0160b8e0515f36b030ec1d014485f5ea2e3e1936 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 26 Oct 2019 18:06:38 +0200
Subject: [PATCH 02/15] bounce alpine image

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index aad0d4e..a3e7ee2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.10
+FROM alpine:3.10.3
 MAINTAINER PrivateBin
From 0c1a2e565cccbd459c768a942fd5ea9ecb2dbf84 Mon Sep 17 00:00:00 2001
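Review bot: The `case ${S6ARCH} in` added here has no default branch, so on any machine other than x86_64 or armv7l the raw `uname -m` value (`aarch64`, `i686`, `armv6l`, …) is interpolated into the download URL whether or not an upstream asset of that name exists, and because `curl -Ls` is used without `-f` a 404 body is saved as the tarball and the build only dies later at `gpg2 --verify` with a misleading error. Add `*) echo "unsupported architecture: ${S6ARCH}" >&2; exit 1;; \` before `esac` and pass `-f` to both curl calls so the failure is reported where it happens. `uname -m` reflects the build host's kernel (or the emulated one), which presumably matches the image target; BuildKit's `TARGETARCH` build-arg would make that explicit. The enclosing `RUN` starts before this hunk.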
From: El RIDO
Date: Sat, 7 Dec 2019 09:20:39 +0100
Subject: [PATCH 03/15] changing default port to 8080, keeping port 80 for backwards compatibility. updating documentation. ensure the image can be run as root user and services drop privileges, fixes #11

---
 Dockerfile | 2 +-
 README.md | 15 +++++++++------
 etc/nginx/nginx.conf | 3 +++
 etc/nginx/sites-available/site.conf | 1 +
 etc/php7/php-fpm.d/zz-docker.conf | 4 ++++
 5 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a3e7ee2..b303643 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,6 +67,6 @@ USER nobody:www-data
 # mark dirs as volumes that need to be writable, allows running the container --read-only
 VOLUME /srv/data /tmp /var/tmp/nginx /run /var/log
-EXPOSE 80
+EXPOSE 80 8080
 ENTRYPOINT ["/init"]
diff --git a/README.md b/README.md
index 30678e9..797658f 100644
--- a/README.md
+++ b/README.md
@@ -9,25 +9,27 @@ This repository contains the Dockerfile and resources needed to create a docker
 Assuming you have docker successfully installed and internet access, you can fetch and run the image from the docker hub like this:
 ```bash
-docker run -d --restart="always" --read-only -p 8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine
+docker run -d --restart="always" --read-only -p 8080:8080 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine
 ```
 The parameters in detail:
 - `-v privatebin-data:/srv/data` - replace `privatebin-data` with the path to the folder on your system, where the pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop and restart the image or when you replace it. May be skipped if you just want to test the image.
-- `-p 8080:80` - The Nginx webserver inside the container listens on port 80, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it for production environments.
+- `-p 8080:8080` - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it for production environments.
 - `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly, since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp, /var/run & /srv/data may be written into.
 - `-d` - launches the container in the background. You can use `docker ps` and `docker logs` to check if the container is alive and well.
 - `--restart="always"` - restart the container if it crashes, mainly useful for production setups
 > Note that the volume mounted must be owned by UID 65534 / GID 82. If you run the container in a docker instance with "userns-remap" you need to add your subuid/subgid range to these numbers.
+>
+> Note, too, that this image exposes the same service on port 80, for backwards compatibility with older versions of the image. To use port 80 with the current image, you either need to have a filesystem with extended attribute support so the nginx binary can be granted the capability to bind to ports below 1024 as non-root user or you need to start the image with user id 0 (root) using the parameter `-u 0`.
 ### Custom configuration
 In case you want to use a customized [conf.php](https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php) file, for example one that has file uploads enabled or that uses a different template, add the file as a second volume:
 ```bash
-docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine
+docker run -d --restart="always" --read-only -p 8080:8080 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine
 ```
 Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL, PostgreSQL and SQLite, required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter.
@@ -57,8 +59,9 @@ docker build -t privatebin/nginx-fpm-alpine .
 The two processes, Nginx and php-fpm, are started by supervisord, which will also try to restart the services in case they crash.
-Nginx is required to serve static files and caches them, too. Requests to the index.php (which is the only PHP file exposed in the document root at /var/www) are passed on to php-fpm via fastCGI to port 9000. All other PHP files and the data are stored in /srv.
+Nginx is required to serve static files and caches them, too. Requests to the index.php (which is the only PHP file exposed in the document root at /var/www) are passed on to php-fpm via a socket at /run/php-fpm.sock. All other PHP files and the data are stored under /srv.
-The Nginx setup supports only HTTP, so make sure that you run another webserver as reverse proxy in front of this for HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip text content.
+The Nginx setup supports only HTTP, so make sure that you run a reverse proxy in front of this for HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip text content.
+
+During the build of the image the PrivateBin release archive and the s6 overlay binaries are downloaded from Github. All the downloaded Alpine packages, s6 overlay binaries and the PrivateBin archive are validated using cryptographic signatures to ensure they have not been tempered with, before deploying them in the image.
-During the build of the image, the opcache & GD PHP modules are compiled from source and the PrivateBin release archive is downloaded from Github. All the downloaded Alpine packages and the PrivateBin archive are validated using cryptographic signatures to ensure the have not been tempered with, before deploying them in the image.
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 279f76d..e465ee3 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -1,3 +1,6 @@
+# Run as a unique, less privileged user for security reasons.
+user nobody www-data;
+
 # Sets the worker threads to the number of CPU cores available in the system for best performance.
 # Should be > the number of CPU cores.
 # Maximum number of connections = worker_processes * worker_connections
diff --git a/etc/nginx/sites-available/site.conf b/etc/nginx/sites-available/site.conf
index d17ec18..e25789c 100644
--- a/etc/nginx/sites-available/site.conf
+++ b/etc/nginx/sites-available/site.conf
@@ -1,5 +1,6 @@
 server {
 listen 80 default_server;
+ listen 8080 default_server;
 root /var/www;
 index index.php index.html index.htm;
diff --git a/etc/php7/php-fpm.d/zz-docker.conf b/etc/php7/php-fpm.d/zz-docker.conf
index 2817ad1..c0f3ca9 100644
--- a/etc/php7/php-fpm.d/zz-docker.conf
+++ b/etc/php7/php-fpm.d/zz-docker.conf
@@ -4,7 +4,11 @@ daemonize = no
 error_log = /dev/stderr
 [www]
+user = nobody
+group = www-data
 listen = /run/php-fpm.sock
+listen.owner = nobody
+listen.group = www-data
 access.log = /dev/null
 clear_env = On
 pm = dynamic
From 2510616c8d408d0a50e86abb92ec8fcacfd44959 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 7 Dec 2019 09:23:15 +0100
Subject: [PATCH 04/15] improved wording of documentation

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 797658f..395bcbb 100644
--- a/README.md
+++ b/README.md
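Review bot: `user nobody www-data;` only takes effect when the nginx master process starts as root; with the image's default `USER nobody:www-data` nginx ignores the directive and logs a warning at every start, and the same holds for the `user = nobody` / `group = www-data` pair added to zz-docker.conf, which php-fpm likewise ignores with a notice when it is not running as root. The comment above the directive should say so, e.g. `# Only effective when the container is started as uid 0 (e.g. docker run -u 0); ignored with a warning when nginx already runs as nobody.` That keeps operators from reading the startup warning as a misconfiguration.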
@@ -15,7 +15,7 @@ docker run -d --restart="always" --read-only -p 8080:8080 -v privatebin-data:/sr
 The parameters in detail:
 - `-v privatebin-data:/srv/data` - replace `privatebin-data` with the path to the folder on your system, where the pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop and restart the image or when you replace it. May be skipped if you just want to test the image.
-- `-p 8080:8080` - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it for production environments.
+- `-p 8080:8080` - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments.
 - `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly, since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp, /var/run & /srv/data may be written into.
 - `-d` - launches the container in the background. You can use `docker ps` and `docker logs` to check if the container is alive and well.
 - `--restart="always"` - restart the container if it crashes, mainly useful for production setups
@@ -57,9 +57,9 @@ docker build -t privatebin/nginx-fpm-alpine .
 ### Behind the scenes
-The two processes, Nginx and php-fpm, are started by supervisord, which will also try to restart the services in case they crash.
+The two processes, Nginx and php-fpm, are started by s6 overlay.
-Nginx is required to serve static files and caches them, too. Requests to the index.php (which is the only PHP file exposed in the document root at /var/www) are passed on to php-fpm via a socket at /run/php-fpm.sock. All other PHP files and the data are stored under /srv.
+Nginx is required to serve static files and caches them, too. Requests to the index.php (which is the only PHP file exposed in the document root at /var/www) are passed to php-fpm via a socket at /run/php-fpm.sock. All other PHP files and the data are stored under /srv.
 The Nginx setup supports only HTTP, so make sure that you run a reverse proxy in front of this for HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip text content.
From 5b6a042eb93134b7ff38481d3c3f2f8aa057075e Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 21 Dec 2019 07:38:01 +0100
Subject: [PATCH 05/15] update alpine

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b303643..9ef3b4e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.10.3
+FROM alpine:3.11
 MAINTAINER PrivateBin
From fd564b47e1824a5f068ab940265759cec0031df5 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 21 Dec 2019 14:21:24 +0100
Subject: [PATCH 06/15] avoiding curl by using busybox' wget, deduplication of commands

---
 Dockerfile | 35 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9ef3b4e..3c15b9b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,54 +10,51 @@ ENV S6_READ_ONLY_ROOT 1
 RUN \
 # Install dependencies
- apk add --no-cache tzdata nginx php7-fpm php7-json php7-gd \
- php7-opcache php7-pdo_mysql php7-pdo_pgsql \
+ apk add --no-cache gnupg libcap nginx php7-fpm php7-json php7-gd \
+ php7-opcache php7-pdo_mysql php7-pdo_pgsql tzdata \
 # Remove (some of the) default nginx config
 && rm -f /etc/nginx.conf /etc/nginx/conf.d/default.conf /etc/php7/php-fpm.d/www.conf \
 && rm -rf /etc/nginx/sites-* \
 # Ensure nginx logs, even if the config has errors, are written to stderr
 && ln -s /dev/stderr /var/log/nginx/error.log \
 # Install PrivateBin
- && apk add --no-cache gnupg curl libcap \
 && export GNUPGHOME="$(mktemp -d)" \
 && gpg2 --list-public-keys || /bin/true \
- && curl -s https://privatebin.info/key/release.asc | gpg2 --import - \
+ && wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \
 && rm -rf /var/www/* \
 && cd /tmp \
- && curl -Ls ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc > PrivateBin-${RELEASE}.tar.gz.asc \
- && curl -Ls ${PBURL}archive/${RELEASE}.tar.gz > PrivateBin-${RELEASE}.tar.gz \
- && gpg2 --verify PrivateBin-${RELEASE}.tar.gz.asc \
+ && wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \
+ && wget -q ${PBURL}archive/${RELEASE}.tar.gz \
+ && gpg2 --verify ${RELEASE}.tar.gz.asc \
 && cd /var/www \
- && tar -xzf /tmp/PrivateBin-${RELEASE}.tar.gz --strip 1 \
+ && tar -xzf /tmp/${RELEASE}.tar.gz --strip 1 \
 && rm *.md cfg/conf.sample.php \
- && mv cfg /srv \
- && mv lib /srv \
- && mv tpl /srv \
- && mv vendor /srv \
+ && mv cfg lib tpl vendor /srv \
 && mkdir -p /srv/data \
 && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \
 # Install s6 overlay for service management
- && curl -s https://keybase.io/justcontainers/key.asc | gpg2 --import - \
+ && wget -qO - https://keybase.io/justcontainers/key.asc | gpg2 --import - \
 && cd /tmp \
 && S6ARCH=$(uname -m) \
 && case ${S6ARCH} in \
x86_64) S6ARCH=amd64;; \
 armv7l) S6ARCH=armhf;; \
 esac \
- && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz.sig > s6-overlay-${S6ARCH}.tar.gz.sig \
- && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz > s6-overlay-${S6ARCH}.tar.gz \
+ && wget -q ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz.sig \
+ && wget -q ${S6URL}${S6RELEASE}/s6-overlay-${S6ARCH}.tar.gz \
 && gpg2 --verify s6-overlay-${S6ARCH}.tar.gz.sig \
 && tar -xzf s6-overlay-${S6ARCH}.tar.gz -C / \
 # Support running s6 under a non-root user
 && mkdir -p /etc/services.d/nginx/supervise /etc/services.d/php-fpm7/supervise \
- && mkfifo /etc/services.d/nginx/supervise/control \
- && mkfifo /etc/services.d/php-fpm7/supervise/control \
- && mkfifo /etc/s6/services/s6-fdholderd/supervise/control \
+ && mkfifo \
 /etc/services.d/nginx/supervise/control \
 /etc/services.d/php-fpm7/supervise/control \
 /etc/s6/services/s6-fdholderd/supervise/control \
 && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 && chown -R nobody.www-data /var/lib/nginx /var/tmp/nginx /var/www /srv/* /etc/services.d /etc/s6 /run \
 # Clean up
 && rm -rf "${GNUPGHOME}" /tmp/* \
- && apk del gnupg curl libcap
+ && apk del gnupg libcap
 COPY etc/ /etc/
From 79b2d68bf7c87ce842a2aeebad243c5789573c1c Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 21 Dec 2019 15:06:56 +0100
Subject: [PATCH 07/15] updating paths for Alpine 3.11

---
 Dockerfile | 4 ++--
 etc/nginx/nginx.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3c15b9b..881db9f 100644
--- a/Dockerfile
+++ b/Dockerfile
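Review bot: The new `wget -qO - … | gpg2 --import -` lines run as `/bin/sh` pipelines without pipefail, so a failed download of the PrivateBin or keybase key is not itself an error in the `&&` chain; the build presumably stops only because `gpg2 --import` rejects empty input, which is an implicit dependency worth making explicit, e.g. `&& wget -qO /tmp/release.asc https://privatebin.info/key/release.asc && gpg2 --import /tmp/release.asc \` and the same shape for the keybase key. Note also that both vendors' keys land in the one `GNUPGHOME`, so each `gpg2 --verify` accepts a signature from either key; separate keyrings (or `--keyring` per vendor) would tighten that, though it pre-dates this change. The `RUN` instruction this hunk rewrites starts at its first context line and ends at `apk del gnupg libcap`.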
@@ -51,7 +51,7 @@ RUN \
 /etc/services.d/php-fpm7/supervise/control \
 /etc/s6/services/s6-fdholderd/supervise/control \
 && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
- && chown -R nobody.www-data /var/lib/nginx /var/tmp/nginx /var/www /srv/* /etc/services.d /etc/s6 /run \
+ && chown -R nobody.www-data /etc/services.d /etc/s6 /run /srv/* /var/lib/nginx /var/www \
 # Clean up
 && rm -rf "${GNUPGHOME}" /tmp/* \
 && apk del gnupg libcap
@@ -62,7 +62,7 @@ WORKDIR /var/www
 USER nobody:www-data
 # mark dirs as volumes that need to be writable, allows running the container --read-only
-VOLUME /srv/data /tmp /var/tmp/nginx /run /var/log
+VOLUME /run /srv/data /tmp /var/lib/nginx/tmp
 EXPOSE 80 8080
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index e465ee3..8cb7dbc 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -22,7 +22,7 @@ events {
 error_log /dev/stderr warn;
 # The file storing the process ID of the main process
-pid /var/run/nginx.pid;
+pid /run/nginx.pid;
 # The process is managed in the docker-env
 daemon off;
From c0e969be7dd0ee417e6dace220e60f40889e7404 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 11 Jan 2020 12:07:47 +0100
Subject: [PATCH 08/15] new release 1.3.2

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 881db9f..7ac370f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:3.11
 MAINTAINER PrivateBin
-ENV RELEASE 1.3.1
+ENV RELEASE 1.3.2
 ENV PBURL https://github.com/PrivateBin/PrivateBin/
 ENV S6RELEASE v1.22.1.0
 ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/
From f0aa6e51d458a51721876b2f83d5e2399fc6ae08 Mon Sep 17 00:00:00 2001
From: mattclegg
Date: Thu, 9 Jan 2020 10:48:36 +0100
Subject: [PATCH 09/15] [BUGFIX] add nobody to www-data group to allow correct ownerships

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 7ac370f..b04c0ae 100644
--- a/Dockerfile
+++ b/Dockerfile
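Review bot: The rewritten `chown -R nobody.www-data …` keeps the `user.group` separator; `nobody:www-data` is the POSIX form and is unambiguous for user names containing a dot, so `&& chown -R nobody:www-data /etc/services.d /etc/s6 /run /srv/* /var/lib/nginx /var/www \`. The second hunk also drops `/var/log` and `/var/tmp/nginx` from `VOLUME`, so under `--read-only` any remaining write to those paths now fails; the error log is symlinked to stderr earlier in this RUN, but the access-log location is not visible here, so please confirm nothing still writes under `/var/log`. The `RUN` containing the first hunk starts earlier in the file.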
@@ -51,6 +51,7 @@ RUN \
 /etc/services.d/php-fpm7/supervise/control \
 /etc/s6/services/s6-fdholderd/supervise/control \
 && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+ && adduser nobody www-data \
 && chown -R nobody.www-data /etc/services.d /etc/s6 /run /srv/* /var/lib/nginx /var/www \
 # Clean up
 && rm -rf "${GNUPGHOME}" /tmp/* \
From 36fc8ff1348ab980c25fb808bf51a6395ecc2bdb Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 18 Jan 2020 06:40:18 +0100
Subject: [PATCH 10/15] provide a working example of a k8s deployment, fixes #8

---
 README.md | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/README.md b/README.md
index 395bcbb..7b3f292 100644
--- a/README.md
+++ b/README.md
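Review bot: `adduser nobody www-data` relies on the two-argument busybox form `adduser USER GROUP`, which adds an existing user to a group rather than creating an account; that is easy to misread, so a comment would help: `# busybox: add the existing user nobody to group www-data (no new account is created)`. Placing it before the `chown -R nobody.www-data` line is correct, since the ownership only becomes usable once nobody is in that group. The enclosing `RUN` starts before this hunk.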
@@ -47,6 +47,61 @@ The image supports the use of the following two environment variables to adjust
 Note: The application internally handles expiration of pastes based on a UNIX timestamp that is calculated based on the timezone set during its creation. Changing the PHP_TZ will affect this and leads to earlier (if the timezone is increased) or later (if it is decreased) expiration then expected.
+### Kubernetes deployment
+
+Below is an example deployment for Kubernetes.
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: privatebin-deployment
+ labels:
+ app: privatebin
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ run: privatebin
+ template:
+ metadata:
+ labels:
+ app: privatebin
+ spec:
+ initContainers:
+ - name: privatebin-volume-permissions
+ image: busybox
+ command: ['chown', '65534:82', '/mnt']
+ securityContext:
+ runAsUser: 0
+ readOnlyRootFilesystem: True
+ volumeMounts:
+ - mountPath: /mnt
+ name: privatebin-data
+ readOnly: False
+ containers:
+ - name: privatebin
+ image: privatebin/nginx-fpm-alpine:1.3.2
+ ports:
+ - containerPort: 8080
+ env:
+ - name: TZ
+ value: Antarctica/South_Pole
+ - name: PHP_TZ
+ value: Antarctica/South_Pole
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 82
+ readOnlyRootFilesystem: True
+ volumeMounts:
+ - mountPath: /srv/data
+ name: privatebin-data
+ readOnly: False
+```
+
+Note that the volume `privatebin-data` has to be a shared, persisted volume across all nodes, i.e. on an NFS share. It is required even when using a database, as some data is always stored in files (server salt, traffic limiters IP hashes, purge limiter time stamp).
+
 ## Rolling your own image
 To reproduce the image, run:
From f8edfbd00954454c431db375bdbb156903ef7ed8 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 16 Feb 2020 11:54:05 +0100
Subject: [PATCH 11/15] new release 1.3.3

---
 Dockerfile | 2 +-
 README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b04c0ae..fbe01c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:3.11
 MAINTAINER PrivateBin
-ENV RELEASE 1.3.2
+ENV RELEASE 1.3.3
 ENV PBURL https://github.com/PrivateBin/PrivateBin/
 ENV S6RELEASE v1.22.1.0
 ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/
diff --git a/README.md b/README.md
index 7b3f292..286fc7b 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ spec:
 readOnly: False
 containers:
 - name: privatebin
- image: privatebin/nginx-fpm-alpine:1.3.2
+ image: privatebin/nginx-fpm-alpine:1.3.3
 ports:
 - containerPort: 8080
 env:
From 770958fc7c872d94abe1bd414d814b63e0febc1e Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 22 Mar 2020 07:21:58 +0100
Subject: [PATCH 12/15] new release 1.3.4

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index fbe01c9..07662ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:3.11
 MAINTAINER PrivateBin
-ENV RELEASE 1.3.3
+ENV RELEASE 1.3.4
 ENV PBURL https://github.com/PrivateBin/PrivateBin/
 ENV S6RELEASE v1.22.1.0
 ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/
From c11b91da26e7d90f0d8b3e960c8e35d489a6cb2f Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Wed, 22 Apr 2020 20:01:16 +0200
Subject: [PATCH 13/15] update to openssl 1.1.1g

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 07662ca..80cccc3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ RUN \
 # Install dependencies
 apk add --no-cache gnupg libcap nginx php7-fpm php7-json php7-gd \
 php7-opcache php7-pdo_mysql php7-pdo_pgsql tzdata \
+ && apk upgrade --no-cache \
 # Remove (some of the) default nginx config
 && rm -f /etc/nginx.conf /etc/nginx/conf.d/default.conf /etc/php7/php-fpm.d/www.conf \
 && rm -rf /etc/nginx/sites-* \
From d83d136f458b32de985773b3cbbc9e079541da9c Mon Sep 17 00:00:00 2001
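Review bot: `apk upgrade --no-cache` inside this `RUN` only picks up the fixed openssl when the layer is actually rebuilt; Docker's layer cache reuses the old layer as long as the instruction text and the locally cached `alpine:3.11` image are unchanged, so a routine cached `docker build` keeps shipping the old library, and the image is no longer reproducible from the Dockerfile alone because the result depends on the day it was built. Prefer bumping `FROM alpine:3.11` to the point release that carries openssl 1.1.1g (e.g. `FROM alpine:3.11.<patch>`), or at least build with `--pull --no-cache`, and record the intent with `# pull in security updates published since the base image was tagged \` above the line. The enclosing `RUN` starts before this hunk.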
From: El RIDO
Date: Tue, 28 Apr 2020 07:10:27 +0200
Subject: [PATCH 14/15] remove backwards compatibility with port 80 to drop setcap use, closes #15

---
 Dockerfile | 7 +++----
 etc/nginx/sites-available/site.conf | 1 -
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 80cccc3..d93095d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ ENV S6_READ_ONLY_ROOT 1
 RUN \
 # Install dependencies
- apk add --no-cache gnupg libcap nginx php7-fpm php7-json php7-gd \
+ apk add --no-cache gnupg nginx php7-fpm php7-json php7-gd \
 php7-opcache php7-pdo_mysql php7-pdo_pgsql tzdata \
 && apk upgrade --no-cache \
 # Remove (some of the) default nginx config
@@ -51,12 +51,11 @@ RUN \
 /etc/services.d/nginx/supervise/control \
 /etc/services.d/php-fpm7/supervise/control \
 /etc/s6/services/s6-fdholderd/supervise/control \
- && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 && adduser nobody www-data \
 && chown -R nobody.www-data /etc/services.d /etc/s6 /run /srv/* /var/lib/nginx /var/www \
 # Clean up
 && rm -rf "${GNUPGHOME}" /tmp/* \
- && apk del gnupg libcap
+ && apk del gnupg
 COPY etc/ /etc/
@@ -66,6 +65,6 @@ USER nobody:www-data
 # mark dirs as volumes that need to be writable, allows running the container --read-only
 VOLUME /run /srv/data /tmp /var/lib/nginx/tmp
-EXPOSE 80 8080
+EXPOSE 8080
 ENTRYPOINT ["/init"]
diff --git a/etc/nginx/sites-available/site.conf b/etc/nginx/sites-available/site.conf
index e25789c..ece77a3 100644
--- a/etc/nginx/sites-available/site.conf
+++ b/etc/nginx/sites-available/site.conf
@@ -1,5 +1,4 @@
 server {
- listen 80 default_server;
 listen 8080 default_server;
 root /var/www;
From 9582113c422c9a5c75621067824ab589dc3f3c72 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Tue, 28 Apr 2020 07:13:40 +0200
Subject: [PATCH 15/15] enable ipv6 listening

---
 etc/nginx/sites-available/site.conf | 1 +
 1 file changed, 1 insertion(+)
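Review bot: Dropping `listen 80` and the `setcap` on `/usr/sbin/nginx` is the right move for a non-root image, but the README is not updated in this commit: the paragraph added in PATCH 03 still tells users the image exposes the same service on port 80 and documents the `-u 0` and extended-attribute workarounds that no longer apply, which will send operators chasing a capability that is gone. Remove that note and keep only the 8080 instructions, and record the reason next to the Dockerfile change with `# 8080 is unprivileged: no capability is needed to bind as nobody` above `EXPOSE 8080`. The `RUN` touched by the first two hunks starts before them.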
diff --git a/etc/nginx/sites-available/site.conf b/etc/nginx/sites-available/site.conf
index ece77a3..4b8a7af 100644
--- a/etc/nginx/sites-available/site.conf
+++ b/etc/nginx/sites-available/site.conf
@@ -1,5 +1,6 @@
 server {
 listen 8080 default_server;
+ listen [::]:8080 default_server;
 root /var/www;
 index index.php index.html index.htm;
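Review bot: `listen [::]:8080 default_server;` makes nginx require an AF_INET6 socket at startup, and nginx treats a failed `socket()`/`bind()` as fatal; on a host or runtime where IPv6 is absent from the container's network namespace the image would stop starting where it previously ran on IPv4-only setups, so this is worth confirming against the runtimes you target and mentioning in the README. The two directives do not conflict because nginx binds `[::]` with `ipv6only=on` by default, so the existing `listen 8080` line needs no change; a comment such as `# dual-stack: IPv4 above, IPv6 here (ipv6only=on is the nginx default)` would make that intent explicit.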