From 22805f20a8f614817a952bd91ddc272896aed9e0 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 12 Jun 2019 01:39:40 +0200 Subject: [PATCH 1/9] making image source explicit --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cf6970c..634ff22 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM php:fpm-alpine +FROM php:7.3.6-fpm-alpine3.9 MAINTAINER PrivateBin From dba458cad96c2d0480289e4767f962c801605ec9 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Mon, 24 Jun 2019 21:19:09 +0200 Subject: [PATCH 2/9] with alpine 3.10 we have version parity with the php image, so a smaller image with minimal dependencies is possible --- Dockerfile | 28 ++------- etc/php7/conf.d/00-docker.ini | 60 +++++++++++++++++++ etc/php7/php-fpm.d/zz-docker.conf | 13 ++++ etc/supervisor.d/docker.ini | 4 +- usr/local/etc/php-fpm.d/50-clear-env.conf | 2 - usr/local/etc/php-fpm.d/50-no-access-log.conf | 2 - usr/local/etc/php-fpm.d/50-socket.conf | 5 -- .../etc/php/conf.d/00-best-practices.ini | 8 --- usr/local/etc/php/conf.d/00-performance.ini | 26 -------- usr/local/etc/php/conf.d/00-security.ini | 16 ----- 10 files changed, 81 insertions(+), 83 deletions(-) create mode 100644 etc/php7/conf.d/00-docker.ini create mode 100644 etc/php7/php-fpm.d/zz-docker.conf delete mode 100644 usr/local/etc/php-fpm.d/50-clear-env.conf delete mode 100644 usr/local/etc/php-fpm.d/50-no-access-log.conf delete mode 100644 usr/local/etc/php-fpm.d/50-socket.conf delete mode 100644 usr/local/etc/php/conf.d/00-best-practices.ini delete mode 100644 usr/local/etc/php/conf.d/00-performance.ini delete mode 100644 usr/local/etc/php/conf.d/00-security.ini diff --git a/Dockerfile b/Dockerfile index 634ff22..93b82ba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM php:7.3.6-fpm-alpine3.9 +FROM alpine:3.10.0 MAINTAINER PrivateBin 
@@ -6,18 +6,8 @@ ENV RELEASE 1.2.1 RUN \ # Install dependencies - apk add --no-cache nginx supervisor \ -# Install PHP extension: opcache - && docker-php-ext-install -j$(nproc) opcache \ - && rm -f /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini \ -# Install PHP extension: gd - && apk add --no-cache freetype libpng libjpeg-turbo freetype-dev libpng-dev libjpeg-turbo-dev \ - && docker-php-ext-configure gd \ - --with-freetype-dir=/usr/include/ \ - --with-png-dir=/usr/include/ \ - --with-jpeg-dir=/usr/include/ \ - && docker-php-ext-install -j$(nproc) gd \ - && apk del --no-cache freetype-dev libpng-dev libjpeg-turbo-dev \ + apk add --no-cache supervisor nginx php7-fpm php7-json php7-gd php7-opcache \ + php7-pdo_mysql php7-pdo_pgsql \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf \ && rm -f /etc/nginx/conf.d/default.conf \ @@ -30,13 +20,8 @@ RUN \ # Create folder where the user hook into our default configs && mkdir -p /etc/nginx/server.d/ \ && mkdir -p /etc/nginx/location.d/ \ -# Bring php-fpm configs into a more controallable state - && rm /usr/local/etc/php-fpm.d/www.conf.default \ - && mv /usr/local/etc/php-fpm.d/docker.conf /usr/local/etc/php-fpm.d/00-docker.conf \ - && mv /usr/local/etc/php-fpm.d/www.conf /usr/local/etc/php-fpm.d/10-www.conf \ - && mv /usr/local/etc/php-fpm.d/zz-docker.conf /usr/local/etc/php-fpm.d/20-docker.conf \ # Install PrivateBin - && apk add --no-cache gnupg \ + && apk add --no-cache gnupg curl \ && export GNUPGHOME="$(mktemp -d)" \ && gpg2 --list-public-keys || /bin/true \ && curl -s https://privatebin.info/key/release.asc | gpg2 --import - \ 
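Review bot: The packages in the new `apk add --no-cache supervisor nginx php7-fpm php7-json php7-gd php7-opcache php7-pdo_mysql php7-pdo_pgsql` line are unpinned, so the PHP and nginx versions baked into the image are whatever the Alpine 3.10 index serves on the day of the build, even though the base is now pinned to `alpine:3.10.0`; the `apk add --no-cache gnupg curl` line in the next hunk has the same gap. Pinning each package in the `php7-fpm=<version>-r<n>` form, or at least recording the resolved versions in the build, keeps rebuilds reproducible and makes it possible to tell which PHP patch level a given image carries. The README already advertises SQLite for the `Database` backend, but only `php7-pdo_mysql` and `php7-pdo_pgsql` are listed here — if Alpine's `php7` core package does not bundle the sqlite PDO driver, `php7-pdo_sqlite` needs adding (verify against the package contents). The RUN instruction this hunk changes continues beyond the hunk.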
@@ -54,14 +39,13 @@ RUN \ && mv vendor /srv \ && mkdir -p /srv/data \ && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \ - && chown -R www-data.www-data /var/www /srv/* \ + && chown -R nobody.www-data /var/www /srv/* \ && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del --no-cache gnupg + && apk del --no-cache gnupg curl WORKDIR /var/www ADD etc/ /etc/ -ADD usr/ /usr/ # mark dirs as volumes that need to be writable, allows running the container --read-only VOLUME /srv/data /tmp /var/tmp /run /var/log diff --git a/etc/php7/conf.d/00-docker.ini b/etc/php7/conf.d/00-docker.ini new file mode 100644 index 0000000..7bb479d --- /dev/null +++ b/etc/php7/conf.d/00-docker.ini @@ -0,0 +1,60 @@ +; session.use_strict_mode specifies whether the module will use strict session id mode. If this +; mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID +; is sent from browser, new session ID is sent to browser. Applications are protected from session +; fixation via session adoption with strict mode. Defaults to 0 (disabled). +session.use_strict_mode=On + +; Enable assert() evaluation. +assert.active=Off + +; This determines whether errors should be printed to the screen as part of the output or if they +; should be hidden from the user. Value "stderr" sends the errors to stderr instead of stdout. +display_errors=Off + +; Tells whether script error messages should be logged to the server's error log or error_log. +; You're strongly advised to use error logging in place of error displaying on production web sites. +log_errors=On + + + +; best practices + +; Disable deprecated short open tags (" Date: Mon, 24 Jun 2019 22:26:00 +0200 Subject: [PATCH 3/9] clarify permissions required for data volume --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 610c8c7..e06e0be 100644 --- a/README.md +++ b/README.md 
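Review bot: The new `chown -R nobody.www-data /var/www /srv/*` makes the whole application tree, not just the data directory, writable by the user php-fpm runs as; the code under `/var/www` and the `/srv` library, template and vendor trees only need to be readable, so a narrower `chown -R nobody.www-data /srv/data` (plus any other path PrivateBin genuinely writes to — confirm against its file layout) keeps the runtime user from being able to alter its own code. Running with `--read-only`, as the VOLUME comment suggests, limits this, but the image should not depend on operators passing that flag. The RUN instruction this hunk ends is started outside the hunk.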
@@ -20,6 +20,8 @@ The parameters in detail: - `-d` - launches the container in the background. You can use `docker ps` and `docker logs` to check if the container is alive and well. - `--restart="always"` - restart the container if it crashes, mainly useful for production setups +> Note that the volume mounted must be owned by UID 65534 / GID 82. If you run the container in a docker instance with "userns-remap" you need to add your subuid/subgid range to these numbers. + ### Custom configuration In case you want to use a customized [conf.php](https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php) file, for example one that has file uploads enabled or that uses a different template, add the file as a second volume: From ad8a4c184adaeecc76d76abc63c31ab8c667978f Mon Sep 17 00:00:00 2001 From: El RIDO Date: Tue, 9 Jul 2019 19:09:46 +0200 Subject: [PATCH 4/9] new release 1.3 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 93b82ba..7cd9ec6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine:3.10.0 MAINTAINER PrivateBin -ENV RELEASE 1.2.1 +ENV RELEASE 1.3 RUN \ # Install dependencies From a4a3f175a42b36fa37b448ad3a6a108c0481caac Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 24 Aug 2019 08:25:41 +0200 Subject: [PATCH 5/9] ensure latest alpine 3.10 is used, add tzdata to support timezone in nginx logs --- Dockerfile | 6 +++--- README.md | 9 +++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7cd9ec6..9c90c9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.10.0 +FROM alpine:3.10 MAINTAINER PrivateBin 
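Review bot: Replacing `FROM alpine:3.10.0` with the floating `alpine:3.10` lets the base layer change silently between builds of the same commit; the intent stated in the commit message (always the latest 3.10 patch release) is better expressed by pinning a digest, `FROM alpine:3.10@sha256:<digest of the current 3.10 image>`, and bumping it deliberately, so a rebuild is reproducible and a base-image change shows up in the diff. With the floating tag, two builds can ship different musl or apk-tools versions with no record of it.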
@@ -6,8 +6,8 @@ ENV RELEASE 1.3 RUN \ # Install dependencies - apk add --no-cache supervisor nginx php7-fpm php7-json php7-gd php7-opcache \ - php7-pdo_mysql php7-pdo_pgsql \ + apk add --no-cache supervisor tzdata nginx php7-fpm \ + php7-json php7-gd php7-opcache php7-pdo_mysql php7-pdo_pgsql \ # Remove (some of the) default nginx config && rm -f /etc/nginx.conf \ && rm -f /etc/nginx/conf.d/default.conf \ diff --git a/README.md b/README.md index e06e0be..23590f3 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,15 @@ docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/con Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL and SQLite, required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter. +### Timezone settings + +The image supports the use of the following two environment variables to adjust the timezone. This is most useful to ensure the logs show the correct local time. + +- `TZ` +- `PHP_TZ` + +Note: The application internally handles expiration of pastes based on a UNIX timestamp that is calculated based on the timezone set during its creation. Changing the PHP_TZ will affect this and leads to earlier (if the timezone is increased) or later (if it is decreased) expiration then expected. + ## Rolling your own image To reproduce the image, run: From a1d92a013ecc8aff86002cf4002f0f33af851735 Mon Sep 17 00:00:00 2001 
From: El RIDO Date: Mon, 23 Sep 2019 07:19:50 +0200 Subject: [PATCH 6/9] switching from supervisord to s6-overlay, less dependencies and lets us run as non-root --- Dockerfile | 54 +++++++++++++++++++------------ etc/nginx/nginx.conf | 3 -- etc/php7/conf.d/00-docker.ini | 2 -- etc/php7/php-fpm.d/zz-docker.conf | 13 ++++---- etc/services.d/nginx/run | 2 ++ etc/services.d/php-fpm7/run | 2 ++ etc/supervisor.d/docker.ini | 23 ------------- 7 files changed, 44 insertions(+), 55 deletions(-) create mode 100644 etc/services.d/nginx/run create mode 100644 etc/services.d/php-fpm7/run delete mode 100644 etc/supervisor.d/docker.ini diff --git a/Dockerfile b/Dockerfile index 9c90c9b..a25a442 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,33 +2,30 @@ FROM alpine:3.10 MAINTAINER PrivateBin -ENV RELEASE 1.3 +ENV RELEASE 1.3 +ENV PBURL https://github.com/PrivateBin/PrivateBin/ +ENV S6RELEASE v1.22.1.0 +ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/ +ENV S6_READ_ONLY_ROOT 1 RUN \ # Install dependencies - apk add --no-cache supervisor tzdata nginx php7-fpm \ - php7-json php7-gd php7-opcache php7-pdo_mysql php7-pdo_pgsql \ + apk add --no-cache tzdata nginx php7-fpm php7-json php7-gd \ + php7-opcache php7-pdo_mysql php7-pdo_pgsql \ # Remove (some of the) default nginx config - && rm -f /etc/nginx.conf \ - && rm -f /etc/nginx/conf.d/default.conf \ + && rm -f /etc/nginx.conf /etc/nginx/conf.d/default.conf /etc/php7/php-fpm.d/www.conf \ && rm -rf /etc/nginx/sites-* \ - && rm -rf /var/log/nginx \ # Ensure nginx logs, even if the config has errors, are written to stderr - && rm /var/lib/nginx/logs \ - && mkdir -p /var/lib/nginx/logs \ - && ln -s /dev/stderr /var/lib/nginx/logs/error.log \ -# Create folder where the user hook into our default configs - && mkdir -p /etc/nginx/server.d/ \ - && mkdir -p /etc/nginx/location.d/ \ + && ln -s /dev/stderr /var/log/nginx/error.log \ # Install PrivateBin - && apk add --no-cache gnupg curl \ + && apk add --no-cache gnupg curl libcap \ && export GNUPGHOME="$(mktemp -d)" \ && gpg2 --list-public-keys || /bin/true \ && curl -s https://privatebin.info/key/release.asc | gpg2 --import - \ && rm -rf /var/www/* \ && cd /tmp \ - && curl -Ls https://github.com/PrivateBin/PrivateBin/releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc > PrivateBin-${RELEASE}.tar.gz.asc \ - && curl -Ls https://github.com/PrivateBin/PrivateBin/archive/${RELEASE}.tar.gz > PrivateBin-${RELEASE}.tar.gz \ + && curl -Ls ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc > PrivateBin-${RELEASE}.tar.gz.asc \ + && curl -Ls ${PBURL}archive/${RELEASE}.tar.gz > PrivateBin-${RELEASE}.tar.gz \ && gpg2 --verify PrivateBin-${RELEASE}.tar.gz.asc \ && cd 
/var/www \ && tar -xzf /tmp/PrivateBin-${RELEASE}.tar.gz --strip 1 \ @@ -39,17 +36,32 @@ RUN \ && mv vendor /srv \ && mkdir -p /srv/data \ && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \ - && chown -R nobody.www-data /var/www /srv/* \ +# Install s6 overlay for service management + && curl -s https://keybase.io/justcontainers/key.asc | gpg2 --import - \ + && cd /tmp \ + && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-amd64.tar.gz.sig > s6-overlay-amd64.tar.gz.sig \ + && curl -Ls ${S6URL}${S6RELEASE}/s6-overlay-amd64.tar.gz > s6-overlay-amd64.tar.gz \ + && gpg2 --verify s6-overlay-amd64.tar.gz.sig \ + && tar -xzf s6-overlay-amd64.tar.gz -C / \ +# Support running s6 under a non-root user + && mkdir -p /etc/services.d/nginx/supervise /etc/services.d/php-fpm7/supervise \ + && mkfifo /etc/services.d/nginx/supervise/control \ + && mkfifo /etc/services.d/php-fpm7/supervise/control \ + && mkfifo /etc/s6/services/s6-fdholderd/supervise/control \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && chown -R nginx.www-data /var/www /srv/* /etc/services.d /etc/s6 /run \ +# Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ - && apk del --no-cache gnupg curl + && apk del gnupg curl libcap -WORKDIR /var/www +COPY etc/ /etc/ -ADD etc/ /etc/ +WORKDIR /var/www +USER nginx:www-data # mark dirs as volumes that need to be writable, allows running the container --read-only -VOLUME /srv/data /tmp /var/tmp /run /var/log +VOLUME /srv/data /tmp /var/tmp/nginx /run /var/log EXPOSE 80 -ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"] +ENTRYPOINT ["/init"] diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index b46d5fd..4553a26 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf 
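Review bot: The new `ENV PBURL`, `ENV S6RELEASE` and `ENV S6URL` lines are consumed only by the RUN instruction below, yet as ENV they persist into every running container's environment and `docker inspect` output, whereas `ENV S6_READ_ONLY_ROOT 1` genuinely is a runtime setting read by s6. Declaring the build-only ones as `ARG PBURL=https://github.com/PrivateBin/PrivateBin/`, `ARG S6RELEASE=v1.22.1.0`, `ARG S6URL=https://github.com/just-containers/s6-overlay/releases/download/` keeps them out of the runtime env and lets a rebuild override them with `--build-arg`. The new lines also use the legacy space-separated `ENV key value` form; `ENV key=value` is the form Docker documents going forward. The RUN instruction this hunk modifies continues past the hunk.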
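Review bot: The signature check on the new `gpg2 --verify s6-overlay-amd64.tar.gz.sig` line only proves the archive was signed by some key in `$GNUPGHOME`, and that key was fetched moments earlier by `curl -s https://keybase.io/justcontainers/key.asc | gpg2 --import -` without pinning its fingerprint, so whatever that URL serves at build time is trusted; the same keyring also holds the PrivateBin release key imported in the previous hunk, so either key would satisfy either verify. Checking the fingerprint after import, e.g. `&& gpg2 --with-colons --fingerprint | grep -q ':<S6_KEY_FINGERPRINT>:' \` with the expected value committed to the repository (or COPYing the key file into the build context instead of downloading it), ties the download to a known key, and the existing PrivateBin key import would benefit from the same check. Separately, `chown -R nginx.www-data ... /etc/services.d /etc/s6` gives the service user write access to the service definitions themselves; if s6 only needs the `supervise/` directories and fifos created just above to be writable, limiting the chown to those paths is the least-privilege option — confirm against s6-overlay's requirements. The archive name is also hard-wired to `s6-overlay-amd64`, so the image cannot be built for other architectures without editing the Dockerfile.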
@@ -1,6 +1,3 @@ -# Run as a unique, less privileged user for security reasons. -user nginx www-data; - # Sets the worker threads to the number of CPU cores available in the system for best performance. # Should be > the number of CPU cores. # Maximum number of connections = worker_processes * worker_connections diff --git a/etc/php7/conf.d/00-docker.ini b/etc/php7/conf.d/00-docker.ini index 7bb479d..7d82970 100644 --- a/etc/php7/conf.d/00-docker.ini +++ b/etc/php7/conf.d/00-docker.ini @@ -32,8 +32,6 @@ error_reporting=-1 ; performance -zend_extension=opcache.so - ; we want fast cli scripts too opcache.enable_cli=On diff --git a/etc/php7/php-fpm.d/zz-docker.conf b/etc/php7/php-fpm.d/zz-docker.conf index 6238381..2817ad1 100644 --- a/etc/php7/php-fpm.d/zz-docker.conf +++ b/etc/php7/php-fpm.d/zz-docker.conf @@ -1,13 +1,14 @@ [global] -pid = ../run/php-fpm7.pid +pid = /run/php-fpm7.pid daemonize = no +error_log = /dev/stderr [www] listen = /run/php-fpm.sock -listen.owner = nobody -listen.group = www-data -listen.mode = 0660 - access.log = /dev/null - clear_env = On +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 diff --git a/etc/services.d/nginx/run b/etc/services.d/nginx/run new file mode 100644 index 0000000..3d184d6 --- /dev/null +++ b/etc/services.d/nginx/run @@ -0,0 +1,2 @@ +#!/usr/bin/execlineb -P +/usr/sbin/nginx diff --git a/etc/services.d/php-fpm7/run b/etc/services.d/php-fpm7/run new file mode 100644 index 0000000..395b320 --- /dev/null +++ b/etc/services.d/php-fpm7/run @@ -0,0 +1,2 @@ +#!/usr/bin/execlineb -P +/usr/sbin/php-fpm7 diff --git a/etc/supervisor.d/docker.ini b/etc/supervisor.d/docker.ini deleted file mode 100644 index 0189d59..0000000 --- a/etc/supervisor.d/docker.ini +++ /dev/null 
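Review bot: Dropping `listen.owner`, `listen.group` and `listen.mode` for `/run/php-fpm.sock` in `etc/php7/php-fpm.d/zz-docker.conf` means the socket's ownership and mode now come from php-fpm's defaults, which works only because nginx and php-fpm run as the same user after this commit; that dependency is not stated anywhere in the file. A comment above the `listen =` line, such as `; socket ownership/mode left at php-fpm defaults: nginx and php-fpm run as the same user (see USER in the Dockerfile)`, would keep a later change to either service's user from silently breaking the nginx-to-fpm connection. `pm.max_children = 5` is a hard concurrency cap with no rationale recorded; a one-line comment on why that number was chosen would help whoever tunes it later.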
@@ -1,23 +0,0 @@ -[supervisord] -nodaemon=true -pidfile=/run/supervisord.pid - -[program:php-fpm] -command=/usr/sbin/php-fpm7 -autostart=true -autorestart=true -priority=10 -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 - -[program:nginx] -command=/usr/sbin/nginx -autostart=true -autorestart=true -priority=20 -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 From 09eff060ab75b4eabbce329b0390a47f40a479ff Mon Sep 17 00:00:00 2001 From: El RIDO Date: Mon, 23 Sep 2019 07:29:26 +0200 Subject: [PATCH 7/9] new release 1.3.1, correcting docs to work in a release agnostic way and add reference to included PostgreSQL module --- Dockerfile | 2 +- README.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index a25a442..0c7afbe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine:3.10 MAINTAINER PrivateBin -ENV RELEASE 1.3 +ENV RELEASE 1.3.1 ENV PBURL https://github.com/PrivateBin/PrivateBin/ ENV S6RELEASE v1.22.1.0 ENV S6URL https://github.com/just-containers/s6-overlay/releases/download/ diff --git a/README.md b/README.md index 23590f3..53f5479 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ This repository contains the Dockerfile and resources needed to create a docker Assuming you have docker successfully installed and internet access, you can fetch and run the image from the docker hub like this: ```bash -docker run -d --restart="always" --read-only -p 8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.2.1 +docker run -d --restart="always" --read-only -p 8080:80 -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine ``` The parameters in detail: 
@@ -27,10 +27,10 @@ The parameters in detail: In case you want to use a customized [conf.php](https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php) file, for example one that has file uploads enabled or that uses a different template, add the file as a second volume: ```bash -docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine:1.2.1 +docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/conf.php:ro -v privatebin-data:/srv/data privatebin/nginx-fpm-alpine ``` -Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL and SQLite, required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter. +Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL, PostgreSQL and SQLite, required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter. ### Timezone settings From d393fc5c89e225560e6bf0df23a227b8fc842f3f Mon Sep 17 00:00:00 2001 From: El RIDO Date: Mon, 23 Sep 2019 07:42:14 +0200 Subject: [PATCH 8/9] increasing file upload support to 10 MiB, the new default in PrivateBin 1.3.1 and documenting how this can be increased further, fixes #7 --- README.md | 6 +++++- etc/nginx/nginx.conf | 4 ++-- etc/php7/conf.d/00-docker.ini | 6 ++++++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 53f5479..30678e9 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ **PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). -This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed PrivateBin instance in a secure default configuration. The images are based on the docker hub php:fpm-alpine image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded to docker logs. +This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed PrivateBin instance in a secure default configuration. The images are based on the docker hub alpine image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded to docker logs. ## Running the image 
@@ -32,6 +32,10 @@ docker run -d --restart="always" --read-only -p 8080:80 -v conf.php:/srv/cfg/con Note: The `Filesystem` data storage is supported out of the box. The image includes PDO modules for MySQL, PostgreSQL and SQLite, required for the `Database` one, but you still need to keep the /srv/data persisted for the server salt and the traffic limiter. +### Adjusting nginx or php-fpm settings + +You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php7/conf.d/` and `/etc/nginx/conf.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB. + ### Timezone settings The image supports the use of the following two environment variables to adjust the timezone. This is most useful to ensure the logs show the correct local time. diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 4553a26..279f76d 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf @@ -63,8 +63,8 @@ http { # since TCP frames are filled up before being sent out. tcp_nopush on; - # Allow up to 3 MiB payload, privatebin defaults to 2 MiB. - client_max_body_size 3M; + # Allow up to 15 MiB payload, privatebin defaults to 10 MiB. + client_max_body_size 15M; # Load even moar configs include /etc/nginx/conf.d/*.conf; diff --git a/etc/php7/conf.d/00-docker.ini b/etc/php7/conf.d/00-docker.ini index 7d82970..dc0c7c7 100644 --- a/etc/php7/conf.d/00-docker.ini +++ b/etc/php7/conf.d/00-docker.ini @@ -17,6 +17,12 @@ log_errors=On +; increase size limits +upload_max_filesize=15M +post_max_size=15M + + + ; best practices ; Disable deprecated short open tags (" Date: Mon, 23 Sep 2019 07:52:34 +0200 Subject: [PATCH 9/9] reverting user to nobody, to avoid having to change permissions of existing data directories --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0c7afbe..02895c7 100644 --- a/Dockerfile 
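Review bot: `client_max_body_size 15M;` in `etc/nginx/nginx.conf` and its comment say PrivateBin defaults to 10 MiB, but nothing records why nginx allows 5 MiB more, and the matching `upload_max_filesize=15M` / `post_max_size=15M` added to `etc/php7/conf.d/00-docker.ini` in this commit must stay in step with it. A comment like `# 15 MiB leaves headroom over PrivateBin's 10 MiB default for the encrypted/encoded payload — keep in sync with upload_max_filesize/post_max_size in etc/php7/conf.d/00-docker.ini` (the headroom reason is inferred and should be confirmed) would make the coupling visible to whoever raises either limit, which the README hunk explicitly invites users to do.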
+++ b/Dockerfile @@ -49,7 +49,7 @@ RUN \ && mkfifo /etc/services.d/php-fpm7/supervise/control \ && mkfifo /etc/s6/services/s6-fdholderd/supervise/control \ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ - && chown -R nginx.www-data /var/www /srv/* /etc/services.d /etc/s6 /run \ + && chown -R nobody.www-data /var/lib/nginx /var/tmp/nginx /var/www /srv/* /etc/services.d /etc/s6 /run \ # Clean up && rm -rf "${GNUPGHOME}" /tmp/* \ && apk del gnupg curl libcap @@ -57,7 +57,7 @@ RUN \ COPY etc/ /etc/ WORKDIR /var/www -USER nginx:www-data +USER nobody:www-data # mark dirs as volumes that need to be writable, allows running the container --read-only VOLUME /srv/data /tmp /var/tmp/nginx /run /var/log
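Review bot: The switch back to `chown -R nobody.www-data ...` and, in the next hunk, `USER nobody:www-data` is motivated only in the commit message; `nobody` is a shared, well-known account rather than one dedicated to this image, so the reason for choosing it belongs next to the `USER` line, e.g. `# nobody (UID 65534) / www-data (GID 82) kept for compatibility with existing data volumes; see README`. On Alpine those are the numbers the README note from patch 3 already tells operators to use for the data volume, so the two stay consistent — worth confirming against the image's /etc/passwd and /etc/group. The widened chown list now also covers `/var/lib/nginx` and `/var/tmp/nginx`, which nginx needs for its temp paths once it runs unprivileged; a short comment naming that purpose would explain why those two paths joined the list.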