From 611ac8ef61821f88d8e3a37e4ace1654b8fcfc9e Mon Sep 17 00:00:00 2001 From: Andrey Arapov Date: Sun, 17 May 2020 12:44:39 +0200 Subject: [PATCH] refactor, cleanup and strip off the nginx --- .drone.sh | 39 ---- .drone.yml | 28 --- DRONE.md | 42 ---- Dockerfile | 50 ++--- Jenkinsfile | 64 ------ LICENSE | 2 +- Makefile | 20 -- README.md | 93 +++++--- docker-compose.yml | 13 -- k8s/deployment.yaml | 26 --- k8s/ingress.yml | 22 -- k8s/service.yaml | 11 - k8s/storage.yaml | 12 - nginx.conf | 25 --- php-fpm.conf | 533 +------------------------------------------- rainloop.conf | 12 +- start | 8 + 17 files changed, 92 insertions(+), 908 deletions(-) delete mode 100755 .drone.sh delete mode 100644 .drone.yml delete mode 100644 DRONE.md delete mode 100644 Jenkinsfile delete mode 100644 Makefile delete mode 100644 docker-compose.yml delete mode 100644 k8s/deployment.yaml delete mode 100644 k8s/ingress.yml delete mode 100644 k8s/service.yaml delete mode 100644 k8s/storage.yaml delete mode 100644 nginx.conf create mode 100644 start diff --git a/.drone.sh b/.drone.sh deleted file mode 100755 index 575651b..0000000 --- a/.drone.sh +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/sh - -set -e -# set -x - -# echo "--------------------------" -# echo "--- export ---" -# export -# echo "--- env ---" -# env -# echo "--- set ---" -# set -# echo "--------------------------" - -# only execute this script as part of the pipeline. -[ -z "$CI" ] && ( echo "I am not running in Drone CI"; exit 2; ) - -# only execute the script when the client key and certificate exist. -[ -z "$KUB_KEY" ] && ( echo "I need kub_key secret"; exit 3; ) -[ -z "$KUB_CRT" ] && ( echo "I need kub_crt secret"; exit 4; ) - -# only execute the script when the CA certificate is present. -[ -z "$KUB_CA" ] && ( echo "I need kub_ca"; exit 5; ) - -# write the client key and the certificate -echo -n "$KUB_KEY" > /root/kub.key -chmod 600 /root/kub.key -echo -n "$KUB_CRT" > /root/kub.crt - -# write the Kubernetes CA -echo -n "$KUB_CA" > /root/ca.crt - -# check whether the certificate is signed by the CA -# TODO: (install openssl ? ) openssl verify -CAfile /root/ca.crt /root/kub.crt && ( echo "kub_crt is not signed by kub_ca"; exit 6; ) - -# Configure the cluster and the context -kubectl config set-credentials arno --client-certificate=/root/kub.crt --client-key=/root/kub.key -kubectl config set-cluster kubernetes --server=https://k8s.nixaid.com:6443 --certificate-authority=/root/ca.crt -kubectl config set-context kub-context --cluster=kubernetes --namespace=arno --user=arno diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index ee7f4f1..0000000 --- a/.drone.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -pipeline: - publish: - # image: plugins/docker:17.10 - image: docker.nixaid.com:5010/plugins/docker:17.12 - # privileged: true -- rather pass DRONE_ESCALATE=docker.nixaid.com:5010/plugins/docker:17.12 to a Drone server - registry: docker.nixaid.com:5010 - repo: docker.nixaid.com:5010/andrey01/rainloop - # repo: andrey01/rainloop - tag: - - 1.11.3 - - latest - dockerfile: Dockerfile - secrets: [ docker_username, docker_password ] - when: - event: [ push, tag ] - - kubectl: - image: docker.nixaid.com:5010/andrey01/kubectl:1.9.1 - pull: true # always pull the image - secrets: [ kub_key, kub_crt, kub_ca ] - commands: - - "sh .drone.sh" - - "kubectl --context=kub-context version" - - "kubectl --context=kub-context get pods" - - "kubectl --context=kub-context replace --force -f k8s/" - - "sleep 3" - - "kubectl --context=kub-context get pods" - # XXX - kubectl --context=kub-context patch deployment testapp1 -p '{"spec":{"template":{"spec":{"containers":[{"name":"testapp1","image":"andrey01/testapp1:latest"}]}}}}' diff --git a/DRONE.md b/DRONE.md deleted file mode 100644 index 73b79bc..0000000 --- a/DRONE.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Drone CI - -- Registry cannot be removed if it has https:// in its name #2341 - -https://github.com/drone/drone/issues/2341 - -https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943 - -## Limitations - -- Drone DIND would always reuse cached docker images which could lead to the image leak across the private repos; - -- Drone runs plugins/drone in privileged mode despite the repo does not have Trusted: true nor privileged: true [ref](https://github.com/drone-plugins/drone-docker/issues/170) - -- Registry cannot be removed if it has https:// in its name #2341 - https://github.com/drone/drone/issues/2341 - https://discourse.drone.io/t/unable-to-delete-registry-from-repository/943 - -- Builds history cannot be removed (could lead to info leaks) - -## Troubleshooting - -- Set the Registry creds in your Drone repo - -``` -Error response from daemon: Get https://docker.nixaid.com:5010/v2/plugins/docker/manifests/17.12: no basic auth credentials -``` - -- Make sure plugins/drone is running in a privileged mode, by passing DRONE_ESCALATE=custom-docker-registry.com:5010/plugins/docker to the Drone server installation. - -- https://discourse.drone.io/t/plugins-docker-cannot-pull-when-image-repo-set-to-the-same-custom-docker-registry/1748 -- https://github.com/drone-plugins/drone-docker/issues/170 - -``` -environment: - DOCKER_LAUNCH_DEBUG: 'true' -``` - -``` -+ /usr/local/bin/dockerd -g /var/lib/docker -time="2018-02-11T21:13:26Z" level=fatal msg="Error authenticating: exit status 1" -``` diff --git a/Dockerfile b/Dockerfile index ed01319..21d3c39 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,17 +1,17 @@ # http://product_installation_URL/?admin # Default login is "admin", password is "12345". -FROM alpine:3.7 +FROM alpine:3.11 MAINTAINER Andrey Arapov # Install the dependencies RUN apk update && \ - apk add tzdata wget unzip gnupg1 nginx php7-fpm \ + apk add tzdata wget unzip gnupg1 php7-fpm \ php7-curl php7-json php7-dom php7-zlib php7-iconv php7-openssl \ php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql -# Create the application user so that PHP-FPM can run -ENV USER rainloop -ENV UID 7008 +# Create the application user under which PHP-FPM will run +ENV USER user +ENV UID 1000 ENV HOME /home/$USER ENV DATA /opt/rainloop RUN adduser -D -u $UID -h $HOME -s /bin/true $USER && \ 
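Review bot: `ENV UID 1000` replaces the dedicated uid 7008 with the uid that Linux distributions commonly assign to the first interactive account, and containers share the host's uid space unless user-namespace remapping is enabled. The README in this patch bind-mounts host directories under /srv/data/rainloop into the container, so whichever host account holds uid 1000 ends up owning, and able to read, the webmail configuration and data that PHP-FPM writes. Keeping an unallocated uid, `ENV UID 7008`, or taking the value from a build argument preserves the separation the old value gave. Separately, the header comment still records the default `admin` / `12345` login, while this patch deletes the README section telling operators to set the admin password first; a one-line reminder in the README would help.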
@@ -19,44 +19,24 @@ RUN adduser -D -u $UID -h $HOME -s /bin/true $USER && \ touch /var/log/php-fpm.log && \ chown -Rh $USER:$USER $DATA /var/log/php-fpm.log -# Prepare the environment so that nginx can run as non-root -RUN mkdir -p /var/log/rainloop /var/lib/nginx/tmp && \ - ( cd /var/lib/nginx/tmp && \ - for i in client_body proxy fastcgi uwsgi scgi; do mkdir $i; done ) && \ - ( cd /var/log/nginx && \ - touch error.log access.log ) && \ - touch /var/run/nginx.pid && \ - chown -Rh nginx:nginx /var/log/nginx /var/lib/nginx /var/run/nginx.pid /var/log/rainloop /var/tmp/nginx - -# Obtain the latest version of the RainLoop Webmail Community edition, +# Obtain RainLoop Webmail Community edition, # verify its integrity using GnuPG and then decompress it USER $USER -ENV RLFILE rainloop-1.11.3.zip -ENV RLFILESIG rainloop-1.11.3.zip.asc +ENV RLFILE rainloop-1.14.0.zip +ENV RLFILESIG rainloop-1.14.0.zip.asc ENV FINGERPRINT "3B797ECE694F3B7B70F311A4ED7C49D987DA4591" WORKDIR $DATA -RUN wget --progress=bar:force:noscroll -O $RLFILE https://github.com/RainLoop/rainloop-webmail/releases/download/v1.11.3/$RLFILE && \ - wget --progress=bar:force:noscroll -O $RLFILESIG https://github.com/RainLoop/rainloop-webmail/releases/download/v1.11.3/$RLFILESIG && \ +RUN wget --progress=bar:force:noscroll -O $RLFILE https://github.com/RainLoop/rainloop-webmail/releases/download/v1.14.0/$RLFILE && \ + wget --progress=bar:force:noscroll -O $RLFILESIG https://github.com/RainLoop/rainloop-webmail/releases/download/v1.14.0/$RLFILESIG && \ export GNUPGHOME="$(mktemp -d)" && \ - gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$FINGERPRINT" && \ + gpg --keyserver keyserver.ubuntu.com --recv-keys "$FINGERPRINT" && \ gpg --batch --verify $RLFILESIG $RLFILE && \ unzip $RLFILE && \ rm -rf "$GNUPGHOME" $RLFILE -# Copy the nginx configs and then launch the PHP-FPM and Nginx -USER root -COPY rainloop.conf /etc/nginx/conf.d/rainloop.conf -COPY nginx.conf /etc/nginx/nginx.conf +# Copy the php-fpm & 
nginx configs COPY php-fpm.conf /etc/php7/php-fpm.conf +COPY rainloop.conf /etc/nginx/conf.d/rainloop.conf -# Set correct permissions and ownership -RUN find $DATA -xdev -type d -exec chmod u=rwx,g=rx,o= '{}' \; && \ - find $DATA -xdev -type f -exec chmod u=rw,g=r,o= '{}' \; && \ - chown -Rh $USER:nginx /opt/rainloop /var/lib/nginx/tmp && \ - chgrp -Rh nginx /etc/nginx - -CMD /bin/sh -c "su -s /bin/sh $USER -c php-fpm7 && \ - su -s /bin/sh nginx -c nginx" - -VOLUME [ "/opt/rainloop/data", "/var/log/rainloop" ] -EXPOSE 80/tcp +USER $USER +CMD php-fpm7 -F diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 556acf3..0000000 --- a/Jenkinsfile +++ /dev/null 
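Review bot: The `find … chmod u=rwx,g=rx,o=` pass is dropped and nothing replaces it, so after `unzip $RLFILE` the tree under `$DATA` keeps whatever modes the archive and umask produce, which normally leaves it world-readable. With nginx moved to a separate container that reads the same volume, static files do need to stay readable, but the `data` directory does not; that is where the README's restore step places `application.ini` and the per-domain configs. Assuming the archive ships that directory, appending `&& chmod o= data` to the unzip `RUN` (it executes as `$USER`, who owns the files) keeps other uids out of it. Whether rainloop.conf also denies `/data` over HTTP is not visible in this hunk.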
@@ -1,64 +0,0 @@ -// https://jenkins.io/doc/book/pipeline/ -// Inspired by Lachlan Evenson https://github.com/lachie83/croc-hunter/blob/master/Jenkinsfile - -//Lets define a unique label for this build. -def label = "buildpod.${env.JOB_NAME}.${env.BUILD_NUMBER}".replace('-', '_').replace('/', '_') - -podTemplate(label: label, containers: [ - containerTemplate(name: 'jnlp', image: 'jenkins/jnlp-slave:alpine', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '200m', resourceRequestMemory: '256Mi', resourceLimitMemory: '256Mi'), - containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), - containerTemplate(name: 'make', image: 'andrey01/make:0.2', command: 'cat', ttyEnabled: true), - ], - volumes:[ - hostPathVolume(mountPath: '/var/run/docker.sock', hostPath: '/var/run/docker.sock'), - ],) -{ - - node (label) { - - stage ('Checkout repo') { - checkout scm - } - - sh 'git rev-parse HEAD > git_commit_id.txt' - try { - env.GIT_COMMIT_ID = readFile('git_commit_id.txt').trim() - env.GIT_SHA = env.GIT_COMMIT_ID.substring(0, 7) - } catch (e) { - error "${e}" - } - println "env.GIT_COMMIT_ID ==> ${env.GIT_COMMIT_ID}" - - container('make') { - stage ('Build') { - sh "VERSION=${env.GIT_SHA} make" - } - - stage ('Test') { - sh "VERSION=${env.GIT_SHA} make check" - } - - if (env.BRANCH_NAME == 'master') { - // perform docker login to Docker Hub as the docker-pipeline-plugin doesn't work with the next auth json format - // withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: config.container_repo.jenkins_creds_id, - // sh "docker login -e ${config.container_repo.dockeremail} -u ${env.USERNAME} -p ${env.PASSWORD}" - withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'my-dockerhub-creds', - usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { - sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD}" - } - - stage ('Deploy') 
{ - sh "VERSION=${env.GIT_SHA} make publish" - } - - sh 'docker logout' - - } else { - println "Current branch ${env.BRANCH_NAME}" - } - - } // node - - } // PodTemplate - -} diff --git a/LICENSE b/LICENSE index 11239ec..9258b90 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2016, Andrey Arapov +Copyright (c) 2020, Andrey Arapov Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above diff --git a/Makefile b/Makefile deleted file mode 100644 index e3b40a2..0000000 --- a/Makefile +++ /dev/null @@ -1,20 +0,0 @@ -NS ?= andrey01 -NAME ?= rainloop -VERSION ?= 1.11.3 - -default: build - -build: - docker build --pull -t $(NS)/$(NAME):$(VERSION) -f Dockerfile . - -publish: - docker push $(NS)/$(NAME):$(VERSION) - -check: - docker run --rm -i $(NS)/$(NAME):$(VERSION) sh -c "set -x; exit 0" - -console: - docker run --rm -ti --entrypoint sh $(NS)/$(NAME):$(VERSION) - -clean: - docker rmi $(NS)/$(NAME):$(VERSION) diff --git a/README.md b/README.md index 3b952e0..5568db5 100644 --- a/README.md +++ b/README.md 
@@ -1,56 +1,77 @@ -# RainLoop webmail client +# Rainloop in docker -[RainLoop](http://www.rainloop.net/) is a Simple, modern & fast web-based email client. +## docker-compose.yml example +This will automatically populate the data under the /srv/data/rainloop/html and /srv/data/rainloop/nginx directories. -## Run the container +Make sure to create these directories first. -There are two ways of running the container, it could be either using the -Docker Compose or a classic docker command. - -**Docker Compose way** -``` -docker-compose up webmail ``` +version: '3.3' + +services: + rainloop-fpm: + image: yourrepo/rainloop:1.14.0 + restart: always + networks: + - backend + volumes: + - rainloop_html:/opt/rainloop + - rainloop_nginx:/etc/nginx/conf.d + + rainloop-nginx: + image: nginx:mainline-alpine + restart: always + networks: + - backend + volumes: + - rainloop_html:/opt/rainloop + - rainloop_nginx:/etc/nginx/conf.d + depends_on: + - rainloop-fpm + # add whatever lables/directives you need to expose your nginx container + +volumes: + rainloop_html: + driver: local + driver_opts: + type: none + device: /srv/data/rainloop/html + o: bind + + rainloop_nginx: + driver: local + driver_opts: + type: none + device: /srv/data/rainloop/nginx + o: bind -**Classic way** -``` -docker run -d --name webmail -p 80:8080/tcp -v rainloop_data:/opt/rainloop/data andrey01/rainloop ``` -## Accessing the container +## updating the Rainloop -First, access the RainLoop admin page in order to set the admin password, your -domains and configure the rest. +1. Backup the data -The default user is **admin** and a password is **12345** - -**RainLoop admin page** ``` -http://hostip/?admin +cp -pr /srv/data/rainloop /srv/data/rainloop-1.13.0-bkp ``` -## Stopping the container - -**Docker Compose way** -``` -docker-compose stop webmail -``` +2. 
Update and reset the containers -**Classic way** ``` -docker stop webmail +docker-compose stop rainloop-fpm rainloop-nginx +docker-compose rm -f rainloop-fpm rainloop-nginx +docker volume rm srv_rainloop_html srv_rainloop_nginx +rm -rf -- /srv/data/rainloop/nginx/* /srv/data/rainloop/html/* +docker pull yourrepo/rainloop:1.14.0 +docker-compose up -d ``` -## Building the image - -If you wish, you can build the image by yourself. +3. Restore the backup ``` -docker build -t andrey01/rainloop . +cd /srv/data +cp -pvi rainloop-1.13.0-bkp/html/data/_data_/_default_/configs/application.ini rainloop/html/data/_data_/_default_/configs/ +cp -pvi rainloop-1.13.0-bkp/html/data/_data_/_default_/domains/yourdomain.com.ini rainloop/html/data/_data_/_default_/domains/ +chown --reference rainloop/html/data/_data_ rainloop/html/data/_data_/_default_/configs/application.ini rainloop/html/data/_data_/_default_/domains/yourdomain.com.ini ``` - -## Additional notes - -The persistent data will be kept in the `rainloop_data` Docker's volume. -So before you delete it, keep in mind that you may want to [back it up](https://docs.docker.com/engine/userguide/containers/dockervolumes/#backup-restore-or-migrate-data-volumes) at the first. diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 70cdaae..0000000 --- a/docker-compose.yml +++ /dev/null @@ -1,13 +0,0 @@ -version: '2' - -volumes: - rainloop_data: {} - -services: - webmail: - image: andrey01/rainloop - network_mode: bridge - ports: - - "80:8080/tcp" - volumes: - - rainloop_data:/opt/rainloop/data diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml deleted file mode 100644 index a4d753d..0000000 --- a/k8s/deployment.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -kind: Deployment -apiVersion: extensions/v1beta1 -metadata: - name: rainloop -spec: - replicas: 1 - template: - metadata: - labels: - app: rainloop - spec: - imagePullSecrets: - - name: regsecret - containers: - - name: rainloop - # command: ["sleep", "3600"] - image: docker.nixaid.com:5010/andrey01/rainloop:1.11.3 - imagePullPolicy: Always - volumeMounts: - - mountPath: /opt/rainloop/data - name: rainloop - # rainloop also mounts /var/log/rainloop to a docker volume - volumes: - - name: rainloop - persistentVolumeClaim: - claimName: rainloop diff --git a/k8s/ingress.yml b/k8s/ingress.yml deleted file mode 100644 index dfa0872..0000000 --- a/k8s/ingress.yml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: rainloop - annotations: - ingress.kubernetes.io/rewrite-target: / - kubernetes.io/ingress.class: "nginx" - kubernetes.io/tls-acme: "true" - ingress.kubernetes.io/proxy-body-size: 2g -spec: - rules: - - host: "webmail.nixaid.com" - http: - paths: - - backend: - serviceName: rainloop - servicePort: 80 - path: / - tls: - - hosts: - - webmail.nixaid.com - secretName: webmail-nixaid-com-tls diff --git a/k8s/service.yaml b/k8s/service.yaml deleted file mode 100644 index 83731c3..0000000 --- a/k8s/service.yaml +++ /dev/null @@ -1,11 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: rainloop -spec: - selector: - app: rainloop - ports: - - protocol: TCP - port: 80 - targetPort: 8080 diff --git a/k8s/storage.yaml b/k8s/storage.yaml deleted file mode 100644 index 2380a75..0000000 --- a/k8s/storage.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: rainloop -spec: - storageClassName: cinder - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - volumeName: rainloop diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index d07b5a8..0000000 --- a/nginx.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -daemon off; -error_log stderr info; -user nginx; -worker_processes 1; -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; - - sendfile on; - keepalive_timeout 65; - gzip on; - server_tokens off; - include conf.d/rainloop.conf; -} diff --git a/php-fpm.conf b/php-fpm.conf index 74ffc6a..f498fe0 100644 --- a/php-fpm.conf +++ b/php-fpm.conf 
@@ -1,542 +1,15 @@ -;;;;;;;;;;;;;;;;;;;;; -; FPM Configuration ; -;;;;;;;;;;;;;;;;;;;;; - -; All relative paths in this configuration file are relative to PHP's install -; prefix (/usr). This prefix can be dynamically changed by using the -; '-p' argument from the command line. - -; Include one or more files. If glob(3) exists, it is used to include a bunch of -; files from a glob(3) pattern. This directive can be used everywhere in the -; file. -; Relative path can also be used. They will be prefixed by: -; - the global prefix if it's been set (-p argument) -; - /usr otherwise -;include=etc/fpm.d/*.conf - -;;;;;;;;;;;;;;;;;; -; Global Options ; -;;;;;;;;;;;;;;;;;; - [global] -; Pid file -; Note: the default prefix is /var -; Default Value: none -;pid = run/php-fpm.pid - -; Error log file -; If it's set to "syslog", log is sent to syslogd instead of being written -; in a local file. -; Note: the default prefix is /var -; Default Value: log/php-fpm.log error_log = /var/log/php-fpm.log -; syslog_facility is used to specify what type of program is logging the -; message. This lets syslogd specify that messages from different facilities -; will be handled differently. -; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) -; Default Value: daemon -;syslog.facility = daemon - -; syslog_ident is prepended to every message. If you have multiple FPM -; instances running on the same server, you can change the default value -; which must suit common needs. -; Default Value: php-fpm -;syslog.ident = php-fpm - -; Log level -; Possible Values: alert, error, warning, notice, debug -; Default Value: notice -;log_level = notice - -; If this number of child processes exit with SIGSEGV or SIGBUS within the time -; interval set by emergency_restart_interval then FPM will restart. A value -; of '0' means 'Off'. 
-; Default Value: 0 -;emergency_restart_threshold = 0 - -; Interval of time used by emergency_restart_interval to determine when -; a graceful restart will be initiated. This can be useful to work around -; accidental corruptions in an accelerator's shared memory. -; Available Units: s(econds), m(inutes), h(ours), or d(ays) -; Default Unit: seconds -; Default Value: 0 -;emergency_restart_interval = 0 - -; Time limit for child processes to wait for a reaction on signals from master. -; Available units: s(econds), m(inutes), h(ours), or d(ays) -; Default Unit: seconds -; Default Value: 0 -;process_control_timeout = 0 - -; The maximum number of processes FPM will fork. This has been design to control -; the global number of processes when using dynamic PM within a lot of pools. -; Use it with caution. -; Note: A value of 0 indicates no limit -; Default Value: 0 -; process.max = 128 - -; Specify the nice(2) priority to apply to the master process (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool process will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; process.priority = -19 - -; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. -; Default Value: yes -;daemonize = yes - -; Set open file descriptor rlimit for the master process. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit for the master process. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Specify the event mechanism FPM will use. 
The following is available: -; - select (any POSIX os) -; - poll (any POSIX os) -; - epoll (linux >= 2.5.44) -; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) -; - /dev/poll (Solaris >= 7) -; - port (Solaris >= 10) -; Default Value: not set (auto detection) -;events.mechanism = epoll - -; When FPM is build with systemd integration, specify the interval, -; in second, between health report notification to systemd. -; Set to 0 to disable. -; Available Units: s(econds), m(inutes), h(ours) -; Default Unit: seconds -; Default value: 10 -;systemd_interval = 10 - -;;;;;;;;;;;;;;;;;;;; -; Pool Definitions ; -;;;;;;;;;;;;;;;;;;;; - -; Multiple pools of child processes may be started with different listening -; ports and different management options. The name of the pool will be -; used in logs and stats. There is no limitation on the number of pools which -; FPM can handle. Your system will tell you anyway :) - -; Start a new pool named 'www'. -; the variable $pool can we used in any directive and will be replaced by the -; pool name ('www' here) [www] - -; Per pool prefix -; It only applies on the following directives: -; - 'access.log' -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or /usr) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = nobody -group = nobody - -; The address on which to accept FastCGI requests. 
-; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all IPv4 addresses on a -; specific port; -; '[::]:port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = 127.0.0.1:9000 - -; Set listen(2) backlog. -; Default Value: 65535 (-1 on FreeBSD and OpenBSD) -;listen.backlog = 65535 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0660 -;listen.owner = nobody -;listen.group = nobody -;listen.mode = 0660 -; When POSIX Access Control Lists are supported you can set them using -; these options, value is a comma separated list of user/group names. -; When set, listen.owner and listen.group are ignored -;listen.acl_users = -;listen.acl_groups = - -; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. 
-; Default Value: any -;listen.allowed_clients = 127.0.0.1 - -; Specify the nice(2) priority to apply to the pool processes (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool processes will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; process.priority = -19 - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. +user = user +group = user +listen = 0.0.0.0:9000 pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. 
-; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. pm.max_children = 5 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' pm.max_spare_servers = 3 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
It shows the following informations: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. 
-; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. 
-; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: /usr/share/php/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/$pool.access.log - -; The access log format. 
-; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: output header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' 
character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -;slowlog = log/$pool.log.slow - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. 
However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. -; Note: relative path can be used. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Clear environment in FPM workers -; Prevents arbitrary environment variables from reaching FPM worker processes -; by clearing the environment in workers before env vars specified in this -; pool configuration are added. -; Setting to "no" will make all environment variables available to PHP code -; via getenv(), $_ENV and $_SERVER. -; Default Value: yes -;clear_env = no - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. 
-; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Note: path INI options can be relative and will be expanded with the prefix -; (pool, global or /usr) - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -;php_admin_value[error_log] = /var/log/fpm-php.www.log -;php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 32M - php_admin_value[upload_max_filesize] = 80M php_admin_value[post_max_size] = 90M php_admin_value[output_buffering] = 0 -;php_admin_value[upload_tmp_dir] = /tmp diff --git a/rainloop.conf b/rainloop.conf index 1ccc8a6..9c915b5 100644 --- a/rainloop.conf +++ b/rainloop.conf @@ -1,9 +1,9 @@ server { - listen 8080 default_server; + listen 80 default_server; server_name _; - access_log /var/log/rainloop/access.log; - error_log /var/log/rainloop/error.log; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; large_client_header_buffers 4 32k; client_max_body_size 200M; @@ -26,12 +26,16 @@ server { try_files $uri $uri/ /index.php?$query_string; } + # since I am running in Docker + resolver 127.0.0.11 ipv6=off; + set $rainloop rainloop-fpm:9000; + location ~ \.php$ { fastcgi_index index.php; fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_keep_conn on; include fastcgi_params; - fastcgi_pass 127.0.0.1:9000; + fastcgi_pass $rainloop; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } diff --git a/start b/start new file mode 100644 index 0000000..9ece7fd 
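Review bot: `fastcgi_pass $rainloop;` in the second rainloop.conf hunk now sends every PHP request, webmail logins included, as plaintext FastCGI to whatever address the Docker embedded DNS returns for `rainloop-fpm`, and nothing in this file limits who else can reach that backend. The FPM pool's listen settings are outside this hunk, so it is worth confirming that port 9000 is never published and that only this proxy shares a network with the FPM container, since FastCGI has no authentication of its own. The comment `# since I am running in Docker` would say more as `# Docker embedded DNS (user-defined networks only); the variable in fastcgi_pass makes nginx resolve the name at request time`. Adding `valid=10s` to the `resolver` line would bound how long a stale container address stays cached.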
--- /dev/null
+++ b/start
@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+
+# Set correct permissions and ownership
+find $DATA -xdev -type d -exec chmod u=rwx,g=rx,o= '{}' \;
+find $DATA -xdev -type f -exec chmod u=rw,g=r,o= '{}' \;
+chown -Rh $USER:nginx /opt/rainloop /var/lib/nginx/tmp
+chgrp -Rh nginx /etc/nginx
+
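Review bot: `$DATA` and `$USER` are expanded unquoted and unchecked, so if `DATA` is empty or unset both `find` commands fall back to the current directory and rewrite the permissions of whatever tree the container happens to start in, and an empty `USER` typically leaves the `chown` changing only the group. Adding `set -eu` after the shebang and writing `find "${DATA:?}" -xdev ...` and `chown -Rh "${USER:?}:nginx" ...` makes the script stop with an error instead of continuing on the wrong paths. The file is also created with mode 100644, so it only runs if the Dockerfile, which is outside this hunk, invokes it through `sh` or sets the execute bit.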