Merge branch 'hypernext'

* hypernext: add in README what the cron is doing add /nginx-status small readme update disable access_log for /php-ping and /php-status add /php-status and /php-ping add a line saying the networks lines are important below the dev stuff add KEEPALIVE_TIMEOUT env for nginx add restart:always to keeex config add command example for keeex passphrase generation add keeex example
elabftw · Apr 23, 2023 · 105d1aa · 105d1aa
2 parents 4afbf8b + 480abef
commit 105d1aa
Show file tree

Hide file tree

Showing 8 changed files with 95 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Container image version
-# Note: the version here is from Dockerfile:ELABIMG_VERSION not the tagged one
+# Note: the version here is from `ELABIMG_VERSION` present in Dockerfile, not the tagged one
+
+# 4.1.0
+
+* Add /nginx-status for metrics about nginx process. This endpoint is password protected by `STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint.
+* Add /php-status to get metrics about php-fpm process. This endpoint is password protected by `STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint.
+* Add /php-ping to check if php is alive and well. Will reply with status code 200.
+* Add `keepalive_timeout` as ENV so we can modify the nginx value in nginx.conf. Note that the default is changed from `5` to `100s`. Might help to prevent 499 errors.
+* Add keeex container example in yml file.
 
 # 4.0.5
 
@@ -8,7 +16,7 @@
 
 # 4.0.4
 
-* Use single quotes in /etc/elabftw_env to allow special characters such as ";" in values
+* Use single quotes in `/etc/elabftw_env` to allow special characters such as ";" in values
 
 Note: having a single quote (') a password will fail. The recommandation is to use long passwords with only alpha numeric characters, or have "nice" special characters, that would not cause issues in different contexts (+ and - are pretty safe).
 
@@ -24,16 +32,16 @@ Note: having a single quote (') a password will fail. The recommandation is to u
 
 * Remove s6-overlay tarballs from /tmp
 * Don't use deprecated ENV without =
-* Add BUILD_ALL ENV to skip build in dev
+* Add `BUILD_ALL` ENV to skip build in dev
 
 # 4.0.0
 
 * Add env vars directly in php, don't create config.php anymore
-* Require ELABFTW_VERSION build argument
+* Require `ELABFTW_VERSION` build argument
 
 # 3.9.0
 
-* Use a random string as BUILD_ID to use for the v query string parameter for loading assets
+* Use a random string as `BUILD_ID` to use for the v query string parameter for loading assets
 
 # 3.8.0
 

diff --git a/Dockerfile b/Dockerfile
@@ -58,10 +58,10 @@ RUN ./configure \
         --with-http_v2_module \
         --with-http_realip_module \
         --with-http_gzip_static_module \
+        --with-http_stub_status_module \
         --add-module=/build/ngx_brotli \
         --add-module=/build/headers-more-nginx-module \
         --without-http_autoindex_module \
-        --without-http_auth_basic_module \
         --without-http_browser_module \
         --without-http_empty_gif_module \
         --without-http_geo_module \
@@ -108,7 +108,7 @@ RUN abuild-keygen -n -a && abuild && find /home/builder/packages -type f -name '
 FROM alpine:3.16
 
 # this is versioning for the container image
-ENV ELABIMG_VERSION=4.0.5
+ENV ELABIMG_VERSION=4.1.0
 
 # the target elabftw version is passed with --build-arg
 # it is a mandatory ARG

diff --git a/README.md b/README.md
@@ -1,14 +1,20 @@
 # Description
 
-This Docker image is for [eLabFTW](https://www.elabftw.net). It runs nginx + php + elabftw.
+This Docker image is for [eLabFTW](https://www.elabftw.net). It runs three services:
+
+* Nginx webserver
+* PHP-FPM service
+* Cron daemon to execute recurrent tasks (sending notifications)
+
+These services are managed by s6-overlay and are all customized for running eLabFTW.
 
 # Tags and branches
 
 The `hypernext` (dev) branch is built and pushed to Docker Hub on a "push" event as well as on a daily schedule.
 
 The `master` branch is built for the `latest` tag on Docker Hub and contains the latest eLabFTW version.
 
-A tag with the latest released eLabFTW version is also pushed. Example: elabftw/elabimg:4.0.11.
+A tag with the latest released eLabFTW version is also pushed. Example: elabftw/elabimg:4.6.0.
 
 # Building this image
 

diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE
@@ -104,6 +104,14 @@ services:
         # default value: 256M
         #- MAX_PHP_MEMORY=256M
 
+        # optional: set a password to get access to /php-status, which will display various metrics about the php-fpm processes
+        # also works for /nginx-status, for metrics about nginx process
+        # if this is not set, a random password will be generated but never displayed, effectively disabling access to this endpoint
+        # the enpdoint can be accessed with the "elabftw" user, and the password you set below
+        # example value: my-cool-password
+        # default value: not set
+        #- STATUS_PASSWORD=
+
         #########################
         # ELABFTW CONFIGURATION #
         #########################
@@ -201,6 +209,12 @@ services:
         # example value: Content-Type, Authorization
         #- ALLOW_HEADERS=
 
+        # optional: modify the keepalive_timeout value
+        # nginx doc: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
+        # default: 100s
+        # example value: 120s
+        #- KEEPALIVE_TIMEOUT=100s
+
         #######################
         # REDIS CONFIGURATION #
         #######################
@@ -350,8 +364,24 @@ services:
   #  networks:
   #    - elabftw-net
 
+  # example of a keeex container (experimental!)
+  #keeex:
+  #  image: repo.keeex.me/fkeeex_daemon:latest
+  #  container_name: keeex
+  #  restart: always
+  #  environment:
+  #    - [email protected]
+  #    - FKEEEX_CONFIG_PASSWORD=
+  #    # Set a random passphrase here. You can generate one with "openssl rand -base64 32".
+  #    - FKEEEX_CONFIG_PASSPHRASE=
+  #  expose:
+  #    - 8080
+  #  networks:
+  #    - elabftw-net
+
   ###############################################################
   # EVERYTHING BELOW THIS LINE IS FOR DEVELOPMENT PURPOSES ONLY #
+  # Except for the networks lines, so don't delete them!         #
   ###############################################################
 
   # PHPMYADMIN

diff --git a/src/init/prepare.sh b/src/init/prepare.sh
@@ -35,6 +35,7 @@ getEnv() {
     unset SECRET_KEY
     max_php_memory=${MAX_PHP_MEMORY:-256M}
     max_upload_size=${MAX_UPLOAD_SIZE:-100M}
+    keepalive_timeout=${KEEPALIVE_TIMEOUT:-100s}
     php_timezone=${PHP_TIMEZONE:-Europe/Paris}
     set_real_ip=${SET_REAL_IP:-false}
     set_real_ip_from=${SET_REAL_IP_FROM:-192.168.31.48}
@@ -66,6 +67,7 @@ getEnv() {
     allow_origin=${ALLOW_ORIGIN:-}
     allow_methods=${ALLOW_METHODS:-}
     allow_headers=${ALLOW_HEADERS:-}
+    status_password=${STATUS_PASSWORD:-}
 }
 
 # Create the user that will run nginx/php/cronjobs
@@ -141,6 +143,9 @@ nginxConf() {
     # here elabftw.conf is a symbolic link to either http.conf or https.conf
     sed -i -e "s/%SERVER_NAME%/${server_name}/" /etc/nginx/conf.d/elabftw.conf
 
+    # adjust keepalive_timeout
+    sed -i -e "s/%KEEPALIVE_TIMEOUT%/${keepalive_timeout}/" /etc/nginx/nginx.conf
+
     # adjust client_max_body_size
     sed -i -e "s/%CLIENT_MAX_BODY_SIZE%/${max_upload_size}/" /etc/nginx/nginx.conf
 
@@ -202,6 +207,16 @@ nginxConf() {
         acah_header="more_set_headers 'Access-Control-Allow-Headers: ${allow_headers}';"
     fi
     sed -i -e "s/%ACAH_HEADER%/${acah_header}/" /etc/nginx/common.conf
+
+    # create a password file for /php-status endpoint
+    if [ -z "$status_password" ]; then
+        # if no password is provided, instead of harcoding a default password, we generate one
+        status_password=$(echo $RANDOM | sha1sum)
+    fi
+    # instead of installing htpasswd, use openssl that is already here
+    printf "elabftw:%s\n" "$(openssl passwd -apr1 "$status_password")" > /etc/nginx/passwords
+    chown "${elabftw_user}":"${elabftw_group}" /etc/nginx/passwords
+    chmod 400 /etc/nginx/passwords
 }
 
 # PHP-FPM CONFIG

diff --git a/src/nginx/common.conf b/src/nginx/common.conf
@@ -43,6 +43,28 @@ location /healthcheck {
     access_log off;
     return 204;
 }
+# same for php: replies with 200
+location ~ ^/php-ping$ {
+    access_log off;
+    include        /etc/nginx/fastcgi.conf;
+    fastcgi_pass   unix:/run/php-fpm.sock;
+}
+# the php-status page is protected
+location ~ ^/php-status$ {
+    access_log off;
+    auth_basic "Show Me What You Got";
+    auth_basic_user_file /etc/nginx/passwords;
+    include        /etc/nginx/fastcgi.conf;
+    fastcgi_pass   unix:/run/php-fpm.sock;
+}
+# the nginx status page, protected with same credentials as php-status
+# https://nginx.org/en/docs/http/ngx_http_stub_status_module.html
+location = /nginx-status {
+    access_log off;
+    auth_basic "Show Me What You Got";
+    auth_basic_user_file /etc/nginx/passwords;
+    stub_status;
+}
 
 location / {
     try_files $uri $uri/ =404;

diff --git a/src/nginx/nginx.conf b/src/nginx/nginx.conf
@@ -17,7 +17,7 @@ http {
     sendfile on;
     # by default nginx will not allow them, but they are valid and useful in some contexts (OIDC)
     underscores_in_headers on;
-    keepalive_timeout 5;
+    keepalive_timeout %KEEPALIVE_TIMEOUT%;
     client_max_body_size %CLIENT_MAX_BODY_SIZE%;
     client_body_buffer_size 100m;
     include conf.d/*.conf;

diff --git a/src/php/elabpool.conf b/src/php/elabpool.conf
@@ -29,6 +29,10 @@ listen.owner = %ELABFTW_USER%
 listen.group = %ELABFTW_GROUP%
 ;listen.mode = 0660
 
+pm.status_path = /php-status
+ping.path = /php-ping
+ping.response = All systems nominal, Captain.
+
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
 ;   static  - a fixed number (pm.max_children) of child processes;