diff --git a/docker-compose.yml b/docker-compose.yml
index 98a7ca4..27e0656 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,14 @@
-version: "3.5"
 services:
 flashpaper:
 image: ghcr.io/andrewpaglusch/flashpaper:v2
 container_name: flashpaper
 restart: always
+ read_only: true
+ tmpfs:
+ - /opt/flashpaper:noexec
+ - /var/log:noexec
+ security_opt:
+ - no-new-privileges:true
 volumes:
 - './data:/var/www/html/data'
 ports:
@@ -30,4 +35,9 @@ services:
 PRUNE_ENABLED: "true"
 PRUNE_MIN_DAYS: 365
 PRUNE_MAX_DAYS: 730
-
+ healthcheck:
+ test: curl --fail http://localhost:80 || exit 1
+ interval: 10s
+ timeout: 5s
+ retries: 3
+ start_period: 10s
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 12be030..bb93be9 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -8,6 +8,7 @@ COPY . /var/www/html
 RUN chmod -R 775 /var/www/html && \
 chown -R nginx:nginx /var/www/html
+COPY docker/php.ini /etc/php83/conf.d/99_flashpaper.ini
 COPY docker/php-fpm.conf /etc/php83/php-fpm.conf
 COPY docker/nginx.conf /etc/nginx/nginx.conf
 COPY docker/entrypoint.sh /entrypoint.sh
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index df90fdd..ad02bfc 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,10 +1,26 @@
 #!/usr/bin/env ash
+# This function will handle graceful shutdown of the container
+function StopContainer {
+ echo Gracefully stopping FlashPaper container
+ nginx -s stop
+
+ exit 0
+}
+
+# # Define handlers for system traps:
+# # - TERM or SIGTEM for a clean exit
+trap StopContainer SIGTERM
+
+# Change owner of flashpaper tmpfs directory, mounted from docker
+mkdir /opt/flashpaper
+chown nginx: /opt/flashpaper
+
 # Start php-fpm and nginx
 chown -R nginx: /var/www/html/data/
 touch /var/www/html/data/index.php
 php-fpm83
-nginx -c /etc/nginx/nginx.conf
+nginx -c /etc/nginx/nginx.conf -e stderr
 # Ready to serve?
 for i in 1 2 3; do
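Review bot: The two new `tmpfs` entries only set `noexec`; a hardened mount should also carry `nosuid,nodev` and a size cap so a runaway temp file or log cannot grow into host memory, e.g. `- /opt/flashpaper:noexec,nosuid,nodev,size=64m` and `- /var/log:noexec,nosuid,nodev,size=64m` (the sizes are placeholders to tune). `read_only: true` still leaves the `./data` bind mount writable, which the application needs, so that part is consistent. With `no-new-privileges` in place the natural next step is `cap_drop: [ALL]` plus a minimal `cap_add` list; which capabilities the entrypoint's `chown` and the servers' privilege drop actually need is not visible on this page and should be verified before tightening.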
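Review bot: The healthcheck depends on `curl` being present in the image, and the Dockerfile hunk on this page does not show it being installed; if it is absent the container is permanently unhealthy. Because the string form runs through `sh -c`, the `|| exit 1` is redundant (curl's non-zero exit already fails the check), and the exec form avoids the shell entirely: `test: ["CMD", "curl", "--fail", "--silent", "http://localhost:80/"]`. Note that `restart: always` does not react to an unhealthy status, so this check only surfaces state to `docker ps` and to dependents using `condition: service_healthy`.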
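Review bot: The new `COPY docker/php.ini` line is fine on its own, but the `COPY . /var/www/html` shown as hunk-header context also places `docker/php.ini` (and the rest of `docker/`) under the web root, where nginx serves it as a static file unless a `.dockerignore` excludes `docker/`; that file is not visible on this page. Either narrow the earlier copy to the application files or add `docker/` to `.dockerignore` so build-time configuration is not exposed over HTTP.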
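Review bot: `mkdir /opt/flashpaper` fails with "File exists" whenever the compose tmpfs is mounted there (the mount point already exists), and since the script does not use `set -e` the error is only printed; `mkdir -p /opt/flashpaper` states the intent. `StopContainer` stops nginx but leaves the daemonized `php-fpm83` to be SIGKILLed at the end of the grace period, and `nginx -s stop` without `-c /etc/nginx/nginx.conf` relies on the compiled-in default config path to locate the relocated pid file, so both the config path and a php-fpm signal belong in the handler. The comment typo `SIGTEM` should read `SIGTERM`, and `function StopContainer {` is a bash-ism that the portable `StopContainer() {` form replaces without depending on ash's compatibility mode. A `trap StopContainer SIGTERM SIGINT` would also cover an interactive Ctrl-C.
```shell
# Gracefully stop both services; the trap then exits the script
StopContainer() {
  echo "Gracefully stopping FlashPaper container"
  nginx -c /etc/nginx/nginx.conf -s stop
  # php-fpm has no pid file configured on this page; QUIT is its graceful stop
  killall -QUIT php-fpm83
  exit 0
}
# … unchanged: trap, tmpfs directory setup (use mkdir -p), service start …
```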
@@ -18,5 +34,6 @@ for i in 1 2 3; do
 echo "FlashPaper is not ready."
 done
-echo "Access logging is disabled for production use. Tailing error logs..."
-tail -f /var/log/nginx/error.log /var/log/php83/error.log
\ No newline at end of file
+# Prevents 'entrypoint.sh' script from terminating,
+# so it can receive the SIGTERM(15) trap and run the 'StopContainer' function
+tail -f /dev/null & wait ${!}
\ No newline at end of file
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 41744eb..8782ff8 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -1,5 +1,16 @@
+pid /opt/flashpaper/nginx.pid;
+
 events {}
 http {
+
+ client_body_temp_path /opt/flashpaper/client_temp 1 2;
+
+ fastcgi_temp_path /opt/flashpaper/fastcgi;
+ proxy_temp_path /opt/flashpaper/proxy;
+
+ scgi_temp_path /opt/flashpaper/scgi;
+ uwsgi_temp_path /opt/flashpaper/uwsgi;
+
 server {
 listen 80;
@@ -14,7 +25,7 @@ http {
 location ~ \.php$ {
 try_files $uri =404;
- fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ fastcgi_pass unix:/opt/flashpaper/php-fpm.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 include fastcgi_params;
@@ -22,4 +33,3 @@ http {
 }
 }
 }
-
diff --git a/docker/php-fpm.conf b/docker/php-fpm.conf
index 3001724..bd60ffa 100644
--- a/docker/php-fpm.conf
+++ b/docker/php-fpm.conf
@@ -1,7 +1,9 @@
+error_log = /dev/stderr
+
 [www]
 user = nginx
 group = nginx
-listen = /var/run/php-fpm/php-fpm.sock
+listen = /opt/flashpaper/php-fpm.sock
 listen.owner = nginx
 listen.group = nginx
diff --git a/docker/php.ini b/docker/php.ini
new file mode 100644
index 0000000..16d47a9
--- /dev/null
+++ b/docker/php.ini
@@ -0,0 +1,7 @@
+; This file will be copied to the container at build time to
+; /etc/php83/conf.d/99_flashpaper.ini, this allows any setting
+; defined in this file to override settings from other php initialization files
+[PHP]
+
+; Redirect PHP error logs to stderr, to support a read-only container
+error_log = stderr
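Review bot: With `tail -f /dev/null & wait ${!}` as the foreground process, a crashed nginx or php-fpm no longer ends the container, so `restart: always` never fires and only the healthcheck notices; the removed `tail -f` on the log files had the same weakness, so this is not new, but the rewrite is the moment to fix it. Running nginx in the foreground (`daemon off;` in nginx.conf, then `nginx -c /etc/nginx/nginx.conf -e stderr & wait $!`) keeps the SIGTERM trap working while tying the container's lifetime to the server. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.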
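Review bot: The new `pid /opt/flashpaper/nginx.pid;` places the root master's pid file in a directory the entrypoint `chown`s to the nginx user, so a compromised worker could rewrite the pid file and redirect a later `nginx -s stop` (run as root) at a different process; the temp paths need a worker-writable directory, the pid file does not. Keep the pid file in a root-owned location, e.g. a subdirectory such as `pid /opt/flashpaper/run/nginx.pid;` that is created but not chowned, and point only the `*_temp_path` directives at the nginx-owned subtree. Consider also `error_log stderr;` in this file rather than relying on the `-e stderr` command-line flag, so invocations without the flag (such as the `-s stop` path) log consistently.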
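Review bot: `error_log = /dev/stderr` sits correctly in the global section ahead of `[www]`, but nothing here gives the entrypoint a way to find the php-fpm master for a graceful stop; adding `pid = /opt/flashpaper/php-fpm.pid` beside it lets the shutdown handler run `kill -QUIT "$(cat /opt/flashpaper/php-fpm.pid)"` instead of leaving php-fpm to the container's SIGKILL. The relocated socket lives in a directory handed to the nginx user; if `listen.mode` is not set elsewhere in this file (not visible in the hunk), the default 0660 together with `listen.owner`/`listen.group = nginx` already restricts it to that user, which is the right scope for a local socket.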
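Review bot: To my knowledge PHP's `error_log` ini directive treats only the literal `syslog` specially, so `error_log = stderr` is a relative file name: each logged error first tries to create a file called `stderr` in the worker's working directory, fails on the read-only filesystem, and only then falls back to the SAPI logger, which reaches stderr solely because php-fpm.conf sets `error_log = /dev/stderr`. Make the intent explicit and avoid the failed open with `error_log = /dev/stderr` (or `/proc/self/fd/2`). The file also does not set `log_errors`, so it relies on the build's default; stating `log_errors = On` next to the path would document that assumption.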