From dba458cad96c2d0480289e4767f962c801605ec9 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Mon, 24 Jun 2019 21:19:09 +0200
Subject: [PATCH] with alpine 3.10 we have version parity with the php image, so a smaller image with minimal dependencies is possible
---
 Dockerfile | 28 ++-------
 etc/php7/conf.d/00-docker.ini | 60 +++++++++++++++++++
 etc/php7/php-fpm.d/zz-docker.conf | 13 ++++
 etc/supervisor.d/docker.ini | 4 +-
 usr/local/etc/php-fpm.d/50-clear-env.conf | 2 -
 usr/local/etc/php-fpm.d/50-no-access-log.conf | 2 -
 usr/local/etc/php-fpm.d/50-socket.conf | 5 --
 .../etc/php/conf.d/00-best-practices.ini | 8 --
 usr/local/etc/php/conf.d/00-performance.ini | 26 --------
 usr/local/etc/php/conf.d/00-security.ini | 16 -----
 10 files changed, 81 insertions(+), 83 deletions(-)
 create mode 100644 etc/php7/conf.d/00-docker.ini
 create mode 100644 etc/php7/php-fpm.d/zz-docker.conf
 delete mode 100644 usr/local/etc/php-fpm.d/50-clear-env.conf
 delete mode 100644 usr/local/etc/php-fpm.d/50-no-access-log.conf
 delete mode 100644 usr/local/etc/php-fpm.d/50-socket.conf
 delete mode 100644 usr/local/etc/php/conf.d/00-best-practices.ini
 delete mode 100644 usr/local/etc/php/conf.d/00-performance.ini
 delete mode 100644 usr/local/etc/php/conf.d/00-security.ini
diff --git a/Dockerfile b/Dockerfile
index 634ff22..93b82ba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:7.3.6-fpm-alpine3.9
+FROM alpine:3.10.0
 MAINTAINER PrivateBin
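Review bot: `FROM alpine:3.10.0` pins a tag but not a digest, and the `apk add --no-cache supervisor nginx php7-fpm …` line added in the next hunk (@@ -6,18 +6,8 @@) installs unversioned packages. The PHP runtime in the image is therefore whatever the Alpine 3.10 repository serves on build day, where the old base tag named 7.3.6 explicitly. Either pin the base by digest, `FROM alpine:3.10.0@sha256:<DIGEST_OF_THE_REVIEWED_IMAGE>`, and version-pin the php7 packages, or add a comment such as `# php7-* versions float on purpose so rebuilds pick up Alpine security fixes` so the trade-off is a recorded decision.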
@@ -6,18 +6,8 @@ ENV RELEASE 1.2.1
 RUN \
 # Install dependencies
- apk add --no-cache nginx supervisor \
-# Install PHP extension: opcache
- && docker-php-ext-install -j$(nproc) opcache \
- && rm -f /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini \
-# Install PHP extension: gd
- && apk add --no-cache freetype libpng libjpeg-turbo freetype-dev libpng-dev libjpeg-turbo-dev \
- && docker-php-ext-configure gd \
- --with-freetype-dir=/usr/include/ \
- --with-png-dir=/usr/include/ \
- --with-jpeg-dir=/usr/include/ \
- && docker-php-ext-install -j$(nproc) gd \
- && apk del --no-cache freetype-dev libpng-dev libjpeg-turbo-dev \
+ apk add --no-cache supervisor nginx php7-fpm php7-json php7-gd php7-opcache \
+ php7-pdo_mysql php7-pdo_pgsql \
 # Remove (some of the) default nginx config
 && rm -f /etc/nginx.conf \
 && rm -f /etc/nginx/conf.d/default.conf \
@@ -30,13 +20,8 @@ RUN \
 # Create folder where the user hook into our default configs
 && mkdir -p /etc/nginx/server.d/ \
 && mkdir -p /etc/nginx/location.d/ \
-# Bring php-fpm configs into a more controallable state
- && rm /usr/local/etc/php-fpm.d/www.conf.default \
- && mv /usr/local/etc/php-fpm.d/docker.conf /usr/local/etc/php-fpm.d/00-docker.conf \
- && mv /usr/local/etc/php-fpm.d/www.conf /usr/local/etc/php-fpm.d/10-www.conf \
- && mv /usr/local/etc/php-fpm.d/zz-docker.conf /usr/local/etc/php-fpm.d/20-docker.conf \
 # Install PrivateBin
- && apk add --no-cache gnupg \
+ && apk add --no-cache gnupg curl \
 && export GNUPGHOME="$(mktemp -d)" \
 && gpg2 --list-public-keys || /bin/true \
 && curl -s https://privatebin.info/key/release.asc | gpg2 --import - \
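Review bot: The trust anchor for the release check is still downloaded at build time. The unchanged context line `curl -s https://privatebin.info/key/release.asc | gpg2 --import -`, at the end of the @@ -30,13 +20,8 @@ hunk, imports whatever key that host serves, so a signature made with a substituted key would verify just as well. Now that this step installs curl explicitly, check the imported key against a fingerprint recorded in the repository, e.g. `&& gpg2 --with-colons --fingerprint | grep -q '^fpr:.*:<EXPECTED_RELEASE_KEY_FINGERPRINT>:$' \`, or `COPY` a reviewed copy of the key instead of fetching it. The RUN instruction continues outside the hunk, so a fingerprint check further down cannot be ruled out from here.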
@@ -54,14 +39,13 @@ RUN \
 && mv vendor /srv \
 && mkdir -p /srv/data \
 && sed -i "s#define('PATH', '');#define('PATH', '/srv/');#" index.php \
- && chown -R www-data.www-data /var/www /srv/* \
+ && chown -R nobody.www-data /var/www /srv/* \
 && rm -rf "${GNUPGHOME}" /tmp/* \
- && apk del --no-cache gnupg
+ && apk del --no-cache gnupg curl
 WORKDIR /var/www
 ADD etc/ /etc/
-ADD usr/ /usr/
 # mark dirs as volumes that need to be writable, allows running the container --read-only
 VOLUME /srv/data /tmp /var/tmp /run /var/log
diff --git a/etc/php7/conf.d/00-docker.ini b/etc/php7/conf.d/00-docker.ini
new file mode 100644
index 0000000..7bb479d
--- /dev/null
+++ b/etc/php7/conf.d/00-docker.ini
@@ -0,0 +1,60 @@
+; session.use_strict_mode specifies whether the module will use strict session id mode. If this
+; mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID
+; is sent from browser, new session ID is sent to browser. Applications are protected from session
+; fixation via session adoption with strict mode. Defaults to 0 (disabled).
+session.use_strict_mode=On
+
+; Enable assert() evaluation.
+assert.active=Off
+
+; This determines whether errors should be printed to the screen as part of the output or if they
+; should be hidden from the user. Value "stderr" sends the errors to stderr instead of stdout.
+display_errors=Off
+
+; Tells whether script error messages should be logged to the server's error log or error_log.
+; You're strongly advised to use error logging in place of error displaying on production web sites.
+log_errors=On
+
+
+
+; best practices
+
+; Disable deprecated short open tags ("
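Review bot: `chown -R nobody.www-data /var/www /srv/*` in the @@ -54,14 +39,13 @@ hunk gives `nobody` ownership of the application code, not just the data directory. If the php-fpm pool runs as that user (its config is in etc/php7/php-fpm.d/zz-docker.conf, which this hunk does not show), a file-write bug in the application can alter the PHP code itself whenever the container is not started with --read-only. Only /srv/data has to be writable at runtime, so `&& chown -R root:www-data /var/www /srv/* \` followed by `&& chown nobody:www-data /srv/data \` would keep the code read-only to the worker, assuming the pool can still read the files through its group or the world bits. The RUN instruction starts above this hunk.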