feat: run container as none root

solidnerd · solidnerd · commit 6763e153a434 · 2020-04-10T17:23:18.000+02:00
BREAKING CHANGE: This will drop all root privileges inside the container. Probably Migrations are required see `docs/migrate.md` Closes #170 Signed-off-by: solidnerd <niclas@mietz.io>
diff --git a/Dockerfile b/Dockerfile
@@ -1,38 +1,81 @@
-FROM php:7.2-apache-stretch
+FROM alpine:3 as bookstack
+ENV BOOKSTACK_VERSION=0.27.5
+RUN apk add --no-cache curl tar
+RUN set -x; \
+    curl -SL -o bookstack.tar.gz https://github.com/BookStackApp/BookStack/archive/v${BOOKSTACK_VERSION}.tar.gz  \
+    && mkdir -p /bookstack \
+    && tar xvf bookstack.tar.gz -C /bookstack --strip-components=1 \
+    && rm bookstack.tar.gz
 
-ENV BOOKSTACK=BookStack \
-    BOOKSTACK_VERSION=0.27.5 \
-    BOOKSTACK_HOME="/var/www/bookstack"
-
-RUN apt-get update && apt-get install -y --no-install-recommends git zlib1g-dev libfreetype6-dev libjpeg62-turbo-dev libmcrypt-dev libpng-dev wget libldap2-dev libtidy-dev libxml2-dev fontconfig ttf-freefont wkhtmltopdf tar curl \
-   && docker-php-ext-install dom pdo pdo_mysql zip tidy  \
+FROM php:7.4-apache-buster as final
+RUN set -x; \
+    apt-get update \
+    && apt-get install -y --no-install-recommends \
+        git \
+        zlib1g-dev \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        libmcrypt-dev \
+        libpng-dev  \
+        libldap2-dev  \
+        libtidy-dev  \
+        libxml2-dev  \
+        fontconfig  \
+        fonts-freefont-ttf   \
+        wkhtmltopdf  \
+        tar \
+        curl \
+        libzip-dev \
+        unzip \
+    \
+   && docker-php-ext-install -j$(nproc) dom pdo pdo_mysql zip tidy  \
    && docker-php-ext-configure ldap \
-   && docker-php-ext-install ldap \
-   && docker-php-ext-configure gd --with-freetype-dir=usr/include/ --with-jpeg-dir=/usr/include/ \
-   && docker-php-ext-install gd \
-   && cd /var/www && curl -sS https://getcomposer.org/installer | php \
-   && mv /var/www/composer.phar /usr/local/bin/composer \
-   && wget https://github.com/BookStackApp/BookStack/archive/v${BOOKSTACK_VERSION}.tar.gz -O ${BOOKSTACK}.tar.gz \
-   && tar -xf ${BOOKSTACK}.tar.gz && mv BookStack-${BOOKSTACK_VERSION} ${BOOKSTACK_HOME} && rm ${BOOKSTACK}.tar.gz  \
-   && cd $BOOKSTACK_HOME && composer install \
-   && chown -R www-data:www-data $BOOKSTACK_HOME \
-   && apt-get -y autoremove \
-   && apt-get clean \
-   && rm -rf /var/lib/apt/lists/* /var/tmp/* /etc/apache2/sites-enabled/000-*.conf
+   && docker-php-ext-install -j$(nproc) ldap \
+   && docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ \
+   && docker-php-ext-install -j$(nproc) gd 
+
+RUN a2enmod rewrite remoteip; \
+    { \
+    echo RemoteIPHeader X-Real-IP ; \
+    echo RemoteIPTrustedProxy 10.0.0.0/8 ; \
+    echo RemoteIPTrustedProxy 172.16.0.0/12 ; \
+    echo RemoteIPTrustedProxy 192.168.0.0/16 ; \
+    } > /etc/apache2/conf-available/remoteip.conf; \
+    a2enconf remoteip
+
+RUN set -ex; \
+    sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf; \
+    sed -i "s/VirtualHost *:80/VirtualHost *:8080/" /etc/apache2/sites-available/*.conf 
+
+COPY bookstack.conf /etc/apache2/sites-available/000-default.conf
+
+COPY --from=bookstack --chown=33:33 /bookstack/ /var/www/bookstack/
+
+RUN set -x; \
+    cd /var/www/bookstack \
+    && curl -sS https://getcomposer.org/installer | php \
+    && /var/www/bookstack/composer.phar global -v require hirak/prestissimo \
+    && /var/www/bookstack/composer.phar install -v -d /var/www/bookstack/ \
+    && /var/www/bookstack/composer.phar global -v remove hirak/prestissimo \
+    && rm -rf /var/www/bookstack/composer.phar /root/.composer \
+    && chown -R www-data:www-data /var/www/bookstack
 
 COPY php.ini /usr/local/etc/php/php.ini
-COPY bookstack.conf /etc/apache2/sites-enabled/bookstack.conf
-RUN a2enmod rewrite
+COPY docker-entrypoint.sh /bin/docker-entrypoint.sh
+
+WORKDIR /var/www/bookstack
 
-COPY docker-entrypoint.sh /
+# www-data
+USER 33
 
-WORKDIR $BOOKSTACK_HOME
+VOLUME ["/var/www/bookstack/public/uploads","/var/www/bookstack/storage/uploads"]
 
-EXPOSE 80
+ENV RUN_APACHE_USER=www-data \
+    RUN_APACHE_GROUP=www-data
 
-VOLUME ["$BOOKSTACK_HOME/public/uploads","$BOOKSTACK_HOME/storage/uploads"]
+EXPOSE 8080
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/bin/docker-entrypoint.sh"]
 
 ARG BUILD_DATE
 ARG VCS_REF
diff --git a/bookstack.conf b/bookstack.conf
@@ -1,10 +1,23 @@
-<VirtualHost *:80>
-    ServerName bookstack.dev
-    DocumentRoot "/var/www/bookstack/public/"
+<VirtualHost *:8080>
+        # The ServerName directive sets the request scheme, hostname and port that
+        # the server uses to identify itself. This is used when creating
+        # redirection URLs. In the context of virtual hosts, the ServerName
+        # specifies what hostname must appear in the request's Host: header to
+        # match this virtual host. For the default virtual host (this file) this
+        # value is not decisive as it is used as a last resort host regardless.
+        # However, you must set it for any further virtual host explicitly.
+        ServerName bookstack
 
-    <Directory "/var/www/bookstack/">
-        Options FollowSymLinks MultiViews
-        AllowOverride All
-        Require all granted
-    </Directory>
+        DocumentRoot /var/www/bookstack/public
+
+        <Directory "/var/www/bookstack/">
+            Options FollowSymLinks MultiViews
+            AllowOverride All
+            Require all granted
+        </Directory>
+        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+        # error, crit, alert, emerg.
+        # It is also possible to configure the loglevel for particular
+        # modules, e.g.
+        LogLevel info
 </VirtualHost>
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -23,7 +23,7 @@ services:
     - uploads:/var/www/bookstack/public/uploads
     - storage-uploads:/var/www/bookstack/storage/uploads
     ports:
-    - "8080:80"
+    - "8080:8080"
 
 volumes:
  mysql-data:
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -7,9 +7,9 @@ echoerr() { echo "$@" 1>&2; }
 IFS=":" read -r DB_HOST_NAME DB_PORT <<< "$DB_HOST"
 DB_PORT=${DB_PORT:-3306}
 
-if [ ! -f "$BOOKSTACK_HOME/.env" ]; then
+if [ ! -f ".env" ]; then
   if [[ "${DB_HOST}" ]]; then
-  cat > "$BOOKSTACK_HOME/.env" <<EOF
+  cat > ".env" <<EOF
       # Environment
       APP_ENV=production
       APP_DEBUG=${APP_DEBUG:-false}
@@ -79,7 +79,6 @@ if [ ! -f "$BOOKSTACK_HOME/.env" ]; then
       MAIL_ENCRYPTION=${MAIL_ENCRYPTION:-null}
       # URL used for social login redirects, NO TRAILING SLASH
 EOF
-sed -ie "s/single/errorlog/g" app/Config/app.php
     else
         echo >&2 'error: missing DB_HOST environment variable'
         exit 1
@@ -103,19 +102,14 @@ else
   echoerr "wait-for-db: timeout out after 15 seconds waiting for ${DB_HOST_NAME}:${DB_PORT}"
 fi
 
-composer install
-
-php artisan key:generate
+echo "Generating Key..."
+php artisan key:generate --show
 
+echo "Starting Migration..."
 php artisan migrate --force
 
-
-echo "Setting folder permissions for uploads"
-chown -R www-data:www-data public/uploads && chmod -R 775 public/uploads
-chown -R www-data:www-data storage/uploads && chmod -R 775 storage/uploads
-
+echo "Clearing caches..."
 php artisan cache:clear
-
 php artisan view:clear
 
 exec apache2-foreground
