Merge pull request #120 from simplerisk/simplerisk-minimal-updates

Preparing for release + bug fix

Author: jsokol

simplerisk-minimal/Dockerfile

@@ -1,5 +1,5 @@
 # Dockerfile generated by script
-ARG php_version=8.3
+ARG php_version=8.4
 
 FROM alpine/curl:8.12.1 AS downloader
 
@@ -18,26 +18,27 @@ WORKDIR /var/www
 
 SHELL [ "/bin/bash", "-o", "pipefail", "-c" ]
 
-# Creating keyring env and installing apt dependencies
-RUN mkdir -p /etc/apt/keyrings && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends gnupg2 wget lsb-release && \
-    wget -qO - https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 | gpg --dearmor -o /etc/apt/keyrings/mysql.gpg && \
-    # FIXME: use $(lsb_release -cs) when trixie becomes available on MySQL repos
-    echo "deb [signed-by=/etc/apt/keyrings/mysql.gpg] http://repo.mysql.com/apt/debian/ bookworm mysql-8.0" | tee /etc/apt/sources.list.d/mysql.list && \
-    apt-get update && \
-    apt-get -y install --no-install-recommends libldap2-dev \
-                                               libicu-dev \
-                                               libcap2-bin \
-                                               libcurl4-gnutls-dev \
-                                               libpng-dev \
-                                               libzip-dev \
-                                               supervisor \
-                                               cron \
-                                               ca-certificates \
-                                               mysql-community-client && \
-    apt-get -y remove gnupg2 wget lsb-release && \
+#  Install required packages, including MySQL client from Debian repos
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        libldap2-dev \
+        libicu-dev \
+        libcap2-bin \
+        libcurl4-gnutls-dev \
+        libpng-dev \
+        libzip-dev \
+        supervisor \
+        cron \
+        ca-certificates \
+        rsyslog \
+        logrotate \
+        curl \
+        # This will install mariadb-client
+        default-mysql-client && \
+    apt-get -y autoremove && \
+    apt-get -y purge && \
     rm -rf /var/lib/apt/lists/*
+
 # Configure all PHP extensions
 RUN docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu && \
     docker-php-ext-install ldap \
@@ -47,13 +48,17 @@ RUN docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu && \
                            zip \
                            gd \
                            intl
+
 # Setting up setcap for port mapping without root and removing packages
 RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/apache2 && \
     chmod gu+s /usr/sbin/cron && \
     apt-get -y remove libcap2-bin && \
     apt-get -y autoremove && \
     apt-get -y purge
 
+RUN echo "0 0 * * * root /usr/sbin/logrotate /etc/logrotate.d/simplerisk.conf > /dev/null 2>&1" >> /etc/cron.d/logrotate-cron && \
+    chmod 0644 /etc/cron.d/logrotate-cron
+
 # Copying all files
 COPY common/ /
 COPY --from=downloader /var/www/simplerisk /var/www/simplerisk
@@ -88,12 +93,15 @@ RUN echo 'upload_max_filesize = 5M' >> /usr/local/etc/php/conf.d/docker-php-uplo
 # Cleanup /var/www/, creating Simplerisk user on www-data group and setting up ownerships
 RUN rm -rf /var/www/html && \
 	useradd -G www-data simplerisk && \
-	chown -R simplerisk:www-data /var/www/simplerisk /etc/apache2 /var/run/ /var/log/apache2 && \
-	chmod -R 770 /var/www/simplerisk /etc/apache2 /var/run/ /var/log/apache2 && \
-	chmod 755 /entrypoint.sh /etc/apache2/foreground.sh
+	mkdir -p /var/log/simplerisk && \
+	mkdir -p /var/log/supervisor && \
+	mkdir -p /var/run/supervisor && \
+	chmod -R 700 /etc/apache2 /var/log/simplerisk /var/run/ /var/www/simplerisk  && \
+	chmod 755 /entrypoint.sh /etc/apache2/foreground.sh && \
+	chown -R simplerisk:www-data /etc/apache2 /var/log/apache2 /var/log/simplerisk /var/log/supervisor /var/run/ /var/www/simplerisk
 
 # Data to save
-VOLUME [ "/var/log/apache2", "/etc/apache2/ssl", "/var/www/simplerisk" ]
+VOLUME [ "/var/log", "/etc/apache2/ssl", "/var/www/simplerisk" ]
 
 # Using simplerisk user from here
 USER simplerisk
@@ -109,4 +117,4 @@ HEALTHCHECK --interval=1m \
 	CMD curl --fail http://localhost || exit 1
 
 # Start Apache 
-CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
+CMD ["/usr/bin/supervisord", "-n", "-c", "/etc/supervisor/supervisord.conf"]

simplerisk-minimal/common/entrypoint.sh

@@ -108,7 +108,7 @@ delete_db(){
 	print_log "db_deletion: prepare" "Performing database deletion"
 
 	# Needed to separate the GRANT statement from the rest because it was providing a syntax error
-	exec_cmd "mysql -u $DB_SETUP_USER -p$DB_SETUP_PASS -h$SIMPLERISK_DB_HOSTNAME -P$SIMPLERISK_DB_PORT <<EOSQL
+	exec_cmd "mysql --skip-ssl -u $DB_SETUP_USER -p$DB_SETUP_PASS -h$SIMPLERISK_DB_HOSTNAME -P$SIMPLERISK_DB_PORT <<EOSQL
 	SET sql_mode = 'ANSI_QUOTES';
 	DROP DATABASE \"${SIMPLERISK_DB_DATABASE}\";
 	USE mysql;
@@ -138,15 +138,15 @@ db_setup(){
 
 	print_log "initial_setup:info" "Applying changes to MySQL database... (MySQL error will be printed to console as guidance)"
 	# Using sql_mode = ANSI_QUOTES to avoid using backticks
-	exec_cmd "mysql -u $DB_SETUP_USER -p$DB_SETUP_PASS -h$SIMPLERISK_DB_HOSTNAME -P$SIMPLERISK_DB_PORT <<EOSQL
+	exec_cmd "mysql --skip-ssl -u $DB_SETUP_USER -p$DB_SETUP_PASS -h$SIMPLERISK_DB_HOSTNAME -P$SIMPLERISK_DB_PORT <<EOSQL
 	SET sql_mode = 'ANSI_QUOTES';
 	CREATE DATABASE \"${SIMPLERISK_DB_DATABASE}\";
 	USE \"${SIMPLERISK_DB_DATABASE}\";
 	\. ${SCHEMA_FILE}
 	CREATE USER \"${SIMPLERISK_DB_USERNAME}\"@\"%\" IDENTIFIED BY \"${SIMPLERISK_DB_PASSWORD}\";
 EOSQL" "Was not able to apply settings on database. Check error above. Exiting."
 	# Needed to separate the GRANT statement from the rest because it was providing a syntax error
-	exec_cmd "mysql -u $DB_SETUP_USER -p$DB_SETUP_PASS -h$SIMPLERISK_DB_HOSTNAME -P$SIMPLERISK_DB_PORT <<EOSQL
+	exec_cmd "mysql --skip-ssl -u $DB_SETUP_USER -p$DB_SETUP_PASS -h$SIMPLERISK_DB_HOSTNAME -P$SIMPLERISK_DB_PORT <<EOSQL
 	SET sql_mode = 'ANSI_QUOTES';
 	GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER ON \"${SIMPLERISK_DB_DATABASE}\".* TO \"${SIMPLERISK_DB_USERNAME}\"@\"%\";
 EOSQL" "Was not able to apply settings on database. Check error above. Exiting."
@@ -194,7 +194,6 @@ _main() {
 	# shellcheck disable=SC2015
 	[[ "${DB_SETUP:-}" = automatic* ]] && db_setup || true
 	unset_variables
-	service cron start
 	exec "$@"
 }
 

simplerisk-minimal/common/etc/logrotate.d/simplerisk.conf

@@ -0,0 +1,16 @@
+/var/log/simplerisk/simplerisk.log {
+    daily
+    rotate 30
+    compress
+    missingok
+    notifempty
+    create 0640 www-data www-data
+    dateext
+    dateformat -%Y%m%d
+    sharedscripts
+    postrotate
+        # Optional: reload service if needed
+        # For example, if SimpleRisk had a daemon that needed to reopen the log:
+        # systemctl reload simplerisk.service >/dev/null 2>&1 || true
+    endscript
+}

simplerisk-minimal/common/etc/rsyslog.d/60-simplerisk.conf

@@ -0,0 +1,3 @@
+# /etc/rsyslog.d/60-simplerisk.conf
+# Dedicated log for SimpleRisk (LOCAL0)
+local0.*    /var/log/simplerisk/simplerisk.log

simplerisk-minimal/common/etc/supervisor/supervisord.conf

@@ -0,0 +1,41 @@
+[unix_http_server]
+file=/tmp/supervisor.sock                   ; (the path to the socket file)
+chmod=0700
+
+[supervisord]
+childlogdir=/var/log/supervisor
+logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
+logfile_maxbytes=50MB                       ; (max main logfile bytes b4 rotation;default 50MB)
+logfile_backups=10                          ; (num of main logfile rotation backups;default 10)
+loglevel=info                               ; (log level;default info; others: debug,warn,trace)
+pidfile=/var/run/supervisor/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+nodaemon=true                               ; (start in foreground if true;default false)
+minfds=1024                                 ; (min. avail startup file descriptors;default 1024)
+minprocs=200                                ; (min. avail process descriptors;default 200)
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
+
+[program:apache2]
+command=/usr/sbin/apache2ctl -D FOREGROUND
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
+autorestart=true
+
+[program:rsyslog]
+command=/usr/sbin/rsyslogd -n
+autorestart=true
+priority=10
+
+[program:cron]
+command=/usr/sbin/cron -f
+autostart=true
+autorestart=true
+priority=30
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

simplerisk-minimal/generate_dockerfile.sh

@@ -2,7 +2,6 @@
 
 set -euo pipefail
 
-readonly MYSQL_KEY_URL='https://repo.mysql.com/RPM-GPG-KEY-mysql-2023'
 SCRIPT_LOCATION="$(dirname "$(readlink -f "$0")")"
 readonly SCRIPT_LOCATION
 
@@ -14,7 +13,7 @@ fi
 
 cat << EOF > "${SCRIPT_LOCATION}/Dockerfile"
 # Dockerfile generated by script
-ARG php_version=8.3
+ARG php_version=8.4
 
 EOF
 
@@ -41,26 +40,27 @@ WORKDIR /var/www
 
 SHELL [ "/bin/bash", "-o", "pipefail", "-c" ]
 
-# Creating keyring env and installing apt dependencies
-RUN mkdir -p /etc/apt/keyrings && \\
-    apt-get update && \\
-    apt-get install -y --no-install-recommends gnupg2 wget lsb-release && \\
-    wget -qO - $MYSQL_KEY_URL | gpg --dearmor -o /etc/apt/keyrings/mysql.gpg && \\
-    # FIXME: use \$(lsb_release -cs) when trixie becomes available on MySQL repos
-    echo "deb [signed-by=/etc/apt/keyrings/mysql.gpg] http://repo.mysql.com/apt/debian/ bookworm mysql-8.0" | tee /etc/apt/sources.list.d/mysql.list && \\
-    apt-get update && \\
-    apt-get -y install --no-install-recommends libldap2-dev \\
-                                               libicu-dev \\
-                                               libcap2-bin \\
-                                               libcurl4-gnutls-dev \\
-                                               libpng-dev \\
-                                               libzip-dev \\
-                                               supervisor \\
-                                               cron \\
-                                               ca-certificates \\
-                                               mysql-community-client && \\
-    apt-get -y remove gnupg2 wget lsb-release && \\
+#  Install required packages, including MySQL client from Debian repos
+RUN apt-get update && \\
+    apt-get install -y --no-install-recommends \\
+        libldap2-dev \\
+        libicu-dev \\
+        libcap2-bin \\
+        libcurl4-gnutls-dev \\
+        libpng-dev \\
+        libzip-dev \\
+        supervisor \\
+        cron \\
+        ca-certificates \\
+        rsyslog \\
+        logrotate \\
+        curl \\
+        # This will install mariadb-client
+        default-mysql-client && \\
+    apt-get -y autoremove && \\
+    apt-get -y purge && \\
     rm -rf /var/lib/apt/lists/*
+
 # Configure all PHP extensions
 RUN docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu && \\
     docker-php-ext-install ldap \\
@@ -70,13 +70,17 @@ RUN docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu && \\
                            zip \\
                            gd \\
                            intl
+
 # Setting up setcap for port mapping without root and removing packages
 RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/apache2 && \\
     chmod gu+s /usr/sbin/cron && \\
     apt-get -y remove libcap2-bin && \\
     apt-get -y autoremove && \\
     apt-get -y purge
 
+RUN echo "0 0 * * * root /usr/sbin/logrotate /etc/logrotate.d/simplerisk.conf > /dev/null 2>&1" >> /etc/cron.d/logrotate-cron && \\
+    chmod 0644 /etc/cron.d/logrotate-cron
+
 # Copying all files
 COPY common/ /
 EOF
@@ -121,12 +125,15 @@ RUN echo 'upload_max_filesize = 5M' >> /usr/local/etc/php/conf.d/docker-php-uplo
 # Cleanup /var/www/, creating Simplerisk user on www-data group and setting up ownerships
 RUN rm -rf /var/www/html && \\
 	useradd -G www-data simplerisk && \\
-	chown -R simplerisk:www-data /var/www/simplerisk /etc/apache2 /var/run/ /var/log/apache2 && \\
-	chmod -R 770 /var/www/simplerisk /etc/apache2 /var/run/ /var/log/apache2 && \\
-	chmod 755 /entrypoint.sh /etc/apache2/foreground.sh
+	mkdir -p /var/log/simplerisk && \\
+	mkdir -p /var/log/supervisor && \\
+	mkdir -p /var/run/supervisor && \\
+	chmod -R 700 /etc/apache2 /var/log/simplerisk /var/run/ /var/www/simplerisk  && \\
+	chmod 755 /entrypoint.sh /etc/apache2/foreground.sh && \\
+	chown -R simplerisk:www-data /etc/apache2 /var/log/apache2 /var/log/simplerisk /var/log/supervisor /var/run/ /var/www/simplerisk
 
 # Data to save
-VOLUME [ "/var/log/apache2", "/etc/apache2/ssl", "/var/www/simplerisk" ]
+VOLUME [ "/var/log", "/etc/apache2/ssl", "/var/www/simplerisk" ]
 
 # Using simplerisk user from here
 USER simplerisk
@@ -142,5 +149,5 @@ HEALTHCHECK --interval=1m \\
 	CMD curl --fail http://localhost || exit 1
 
 # Start Apache 
-CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
+CMD ["/usr/bin/supervisord", "-n", "-c", "/etc/supervisor/supervisord.conf"]
 EOF