Implementing read-only

docker-compose.yml

@@ -1,9 +1,14 @@
-version: "3.5"
 services:
   flashpaper:
     image: ghcr.io/andrewpaglusch/flashpaper:v2
     container_name: flashpaper
     restart: always
+    read_only: true
+    tmpfs:
+      - /opt/flashpaper:noexec
+      - /var/log:noexec
+    security_opt:
+      - no-new-privileges:true
     volumes:
       - './data:/var/www/html/data'
     ports:
@@ -30,4 +35,9 @@ services:
       PRUNE_ENABLED: "true"
       PRUNE_MIN_DAYS: 365
       PRUNE_MAX_DAYS: 730
-
+    healthcheck:
+      test: curl --fail http://localhost:80 || exit 1
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 10s

docker/Dockerfile

@@ -8,6 +8,7 @@ COPY . /var/www/html
 RUN chmod -R 775 /var/www/html && \
     chown -R nginx:nginx /var/www/html
 
+COPY docker/php.ini /etc/php83/conf.d/99_flashpaper.ini
 COPY docker/php-fpm.conf /etc/php83/php-fpm.conf
 COPY docker/nginx.conf /etc/nginx/nginx.conf
 COPY docker/entrypoint.sh /entrypoint.sh

docker/entrypoint.sh

@@ -1,10 +1,26 @@
 #!/usr/bin/env ash
 
+# This function will handle graceful shutdown of the container
+function StopContainer {
+  echo Gracefully stopping FlashPaper container
+  nginx -s stop
+
+  exit 0
+}
+
+# # Define handlers for system traps:
+# # - TERM or SIGTEM for a clean exit
+trap StopContainer SIGTERM
+
+# Change owner of flashpaper tmpfs directory, mounted from docker
+mkdir /opt/flashpaper
+chown nginx: /opt/flashpaper
+
 # Start php-fpm and nginx
 chown -R nginx: /var/www/html/data/
 touch /var/www/html/data/index.php
 php-fpm83
-nginx -c /etc/nginx/nginx.conf
+nginx -c /etc/nginx/nginx.conf -e stderr
 
 # Ready to serve?
 for i in 1 2 3; do
@@ -18,5 +34,6 @@ for i in 1 2 3; do
   echo "FlashPaper is not ready."
 done
 
-echo "Access logging is disabled for production use. Tailing error logs..."
-tail -f /var/log/nginx/error.log /var/log/php83/error.log
+# Prevents 'entrypoint.sh' script from terminating,
+# so it can receive the SIGTERM(15) trap and run the 'StopContainer' function
+tail -f /dev/null & wait ${!}

docker/nginx.conf

@@ -1,5 +1,16 @@
+pid /opt/flashpaper/nginx.pid;
+
 events {}
 http {
+
+  client_body_temp_path /opt/flashpaper/client_temp 1 2;
+
+  fastcgi_temp_path /opt/flashpaper/fastcgi;
+  proxy_temp_path /opt/flashpaper/proxy;
+
+  scgi_temp_path /opt/flashpaper/scgi;
+  uwsgi_temp_path /opt/flashpaper/uwsgi;
+
   server {
       listen 80;
 
@@ -14,12 +25,11 @@ http {
 
       location ~ \.php$ {
         try_files $uri =404;
-        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+        fastcgi_pass unix:/opt/flashpaper/php-fpm.sock;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
         fastcgi_param REQUEST_SCHEME $http_x_forwarded_proto if_not_empty;
       }
   }
 }
-

docker/php-fpm.conf

@@ -1,7 +1,9 @@
+error_log = /dev/stderr
+
 [www]
 user = nginx
 group = nginx
-listen = /var/run/php-fpm/php-fpm.sock
+listen = /opt/flashpaper/php-fpm.sock
 listen.owner = nginx
 listen.group = nginx
 

docker/php.ini

@@ -0,0 +1,7 @@
+; This file will be copied to the container at build time to
+; /etc/php83/conf.d/99_flashpaper.ini, this allows any setting
+; defined in this file to override settings from other php initialization files
+[PHP]
+
+; Redirect PHP error logs to stderr, to support a read-only container
+error_log = stderr