From 4ce1f4e8e406be13a6ad2bae929c206b0b9fddea Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Thu, 23 Mar 2023 18:11:26 +0100 Subject: [PATCH 01/10] add keeex example --- src/docker-compose.yml-EXAMPLE | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index 051819d..89bfe53 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE @@ -350,6 +350,20 @@ services: # networks: # - elabftw-net + # example of a keeex container (experimental!) + #keeex: + # image: repo.keeex.me/fkeeex_daemon:latest + # container_name: keeex + # environment: + # - FKEEEX_CONFIG_USER=user@example.org + # - FKEEEX_CONFIG_PASSWORD= + # # Set a random passphrase here + # - FKEEEX_CONFIG_PASSPHRASE= + # expose: + # - 8080 + # networks: + # - elabftw-net + ############################################################### # EVERYTHING BELOW THIS LINE IS FOR DEVELOPMENT PURPOSES ONLY # ############################################################### From 2d4c1f102c65924f74ec8e871b0b03b9b3f61ce2 Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Fri, 24 Mar 2023 19:27:22 +0100 Subject: [PATCH 02/10] add command example for keeex passphrase generation --- src/docker-compose.yml-EXAMPLE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index 89bfe53..f4c1c41 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE @@ -357,7 +357,7 @@ services: # environment: # - FKEEEX_CONFIG_USER=user@example.org # - FKEEEX_CONFIG_PASSWORD= - # # Set a random passphrase here + # # Set a random passphrase here. You can generate one with "openssl rand -base64 32". # - FKEEEX_CONFIG_PASSPHRASE= # expose: # - 8080 From 60f8138494b30bb79c68a526996628447ac5d6a5 Mon Sep 17 00:00:00 2001 
From: Nicolas CARPi Date: Mon, 10 Apr 2023 17:01:19 +0200 Subject: [PATCH 03/10] add restart:always to keeex config --- src/docker-compose.yml-EXAMPLE | 1 + 1 file changed, 1 insertion(+) diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index f4c1c41..95ea3cc 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE @@ -354,6 +354,7 @@ services: #keeex: # image: repo.keeex.me/fkeeex_daemon:latest # container_name: keeex + # restart: always # environment: # - FKEEEX_CONFIG_USER=user@example.org # - FKEEEX_CONFIG_PASSWORD= From b94c3b3756f1d63d467699b908a7c11bbdf9993f Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Mon, 10 Apr 2023 17:13:34 +0200 Subject: [PATCH 04/10] add KEEPALIVE_TIMEOUT env for nginx --- CHANGELOG.md | 13 +++++++++---- Dockerfile | 2 +- src/docker-compose.yml-EXAMPLE | 6 ++++++ src/init/prepare.sh | 4 ++++ src/nginx/nginx.conf | 2 +- 5 files changed, 21 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf44a08..1357532 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Container image version # Note: the version here is from Dockerfile:ELABIMG_VERSION not the tagged one +# 4.1.0 + +* Add `keepalive_timeout` as ENV so we can modify the nginx value in nginx.conf. Note that the default is changed from `5` to `100s`. Might help to prevent 499 errors. +* Add keeex container example in yml file. + # 4.0.5 * nginx config: Allow underscores in headers. See elabftw/elabftw#4059. @@ -8,7 +13,7 @@ # 4.0.4 -* Use single quotes in /etc/elabftw_env to allow special characters such as ";" in values +* Use single quotes in `/etc/elabftw_env` to allow special characters such as ";" in values Note: having a single quote (') a password will fail. The recommandation is to use long passwords with only alpha numeric characters, or have "nice" special characters, that would not cause issues in different contexts (+ and - are pretty safe). 
@@ -24,16 +29,16 @@ Note: having a single quote (') a password will fail. The recommandation is to u * Remove s6-overlay tarballs from /tmp * Don't use deprecated ENV without = -* Add BUILD_ALL ENV to skip build in dev +* Add `BUILD_ALL` ENV to skip build in dev # 4.0.0 * Add env vars directly in php, don't create config.php anymore -* Require ELABFTW_VERSION build argument +* Require `ELABFTW_VERSION` build argument # 3.9.0 -* Use a random string as BUILD_ID to use for the v query string parameter for loading assets +* Use a random string as `BUILD_ID` to use for the v query string parameter for loading assets # 3.8.0 diff --git a/Dockerfile b/Dockerfile index 6ade6e4..1fbeef0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -108,7 +108,7 @@ RUN abuild-keygen -n -a && abuild && find /home/builder/packages -type f -name ' FROM alpine:3.16 # this is versioning for the container image -ENV ELABIMG_VERSION=4.0.5 +ENV ELABIMG_VERSION=4.1.0 # the target elabftw version is passed with --build-arg # it is a mandatory ARG diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index 95ea3cc..fe2115c 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE @@ -201,6 +201,12 @@ services: # example value: Content-Type, Authorization #- ALLOW_HEADERS= + # optional: modify the keepalive_timeout value + # nginx doc: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout + # default: 100s + # example value: 120s + #- KEEPALIVE_TIMEOUT=100s + ####################### # REDIS CONFIGURATION # ####################### diff --git a/src/init/prepare.sh b/src/init/prepare.sh index 2ea7e1b..c2bb76a 100755 --- a/src/init/prepare.sh +++ b/src/init/prepare.sh 
@@ -35,6 +35,7 @@ getEnv() { unset SECRET_KEY max_php_memory=${MAX_PHP_MEMORY:-256M} max_upload_size=${MAX_UPLOAD_SIZE:-100M} + keepalive_timeout=${KEEPALIVE_TIMEOUT:-100s} php_timezone=${PHP_TIMEZONE:-Europe/Paris} set_real_ip=${SET_REAL_IP:-false} set_real_ip_from=${SET_REAL_IP_FROM:-192.168.31.48} @@ -141,6 +142,9 @@ nginxConf() { # here elabftw.conf is a symbolic link to either http.conf or https.conf sed -i -e "s/%SERVER_NAME%/${server_name}/" /etc/nginx/conf.d/elabftw.conf + # adjust keepalive_timeout + sed -i -e "s/%KEEPALIVE_TIMEOUT%/${keepalive_timeout}/" /etc/nginx/nginx.conf + # adjust client_max_body_size sed -i -e "s/%CLIENT_MAX_BODY_SIZE%/${max_upload_size}/" /etc/nginx/nginx.conf diff --git a/src/nginx/nginx.conf b/src/nginx/nginx.conf index e4855e6..221766d 100644 --- a/src/nginx/nginx.conf +++ b/src/nginx/nginx.conf @@ -17,7 +17,7 @@ http { sendfile on; # by default nginx will not allow them, but they are valid and useful in some contexts (OIDC) underscores_in_headers on; - keepalive_timeout 5; + keepalive_timeout %KEEPALIVE_TIMEOUT%; client_max_body_size %CLIENT_MAX_BODY_SIZE%; client_body_buffer_size 100m; include conf.d/*.conf; From 0b32ae773470e492876a896c40f3026bd6e06c48 Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Thu, 13 Apr 2023 23:49:40 +0200 Subject: [PATCH 05/10] add a line saying the networks lines are important below the dev stuff in docker-compose.yml-EXAMPLE --- src/docker-compose.yml-EXAMPLE | 1 + 1 file changed, 1 insertion(+) diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index fe2115c..2be611a 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE @@ -373,6 +373,7 @@ services: ############################################################### # EVERYTHING BELOW THIS LINE IS FOR DEVELOPMENT PURPOSES ONLY # + # Except for the networks lines, so don't delete them! # ############################################################### # PHPMYADMIN 
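Review bot: The new sed line in nginxConf() substitutes `${keepalive_timeout}` into nginx.conf without validating it: a value containing `/` breaks the sed expression, and one containing `;` or a newline would be spliced into nginx.conf as extra directives, so the container either fails to start or runs a config the operator did not intend. The value comes from the deployment's own environment, so this is a robustness issue rather than a trust-boundary one, but a cheap check next to the new default in getEnv() fails early with a clear message, e.g. `case "$keepalive_timeout" in *[!0-9a-zA-Z]*) echo "KEEPALIVE_TIMEOUT must be a number with an optional nginx time unit" >&2; exit 1;; esac`. The existing `%CLIENT_MAX_BODY_SIZE%` substitution two lines below has the same shape and is not touched by this commit. Both getEnv() and nginxConf() start and end outside their hunks.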
From d55e3aba94d8818d4163a1af3329059e81fc13ff Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Sat, 15 Apr 2023 00:15:54 +0200 Subject: [PATCH 06/10] add /php-status and /php-ping the /php-status endpoint is password protected with PHP_STATUS_PASSWORD, which is set to a random string if the env value is empty --- CHANGELOG.md | 4 +++- Dockerfile | 1 - src/docker-compose.yml-EXAMPLE | 7 +++++++ src/init/prepare.sh | 11 +++++++++++ src/nginx/common.conf | 13 +++++++++++++ src/php/elabpool.conf | 4 ++++ 6 files changed, 38 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1357532..743499e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,10 @@ # Container image version -# Note: the version here is from Dockerfile:ELABIMG_VERSION not the tagged one +# Note: the version here is from `ELABIMG_VERSION` present in Dockerfile, not the tagged one # 4.1.0 +* Add /php-status to get metrics about php-fpm process. This endpoint is password protected by `PHP_STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint. +* Add /php-ping to check if php is alive and well. Will reply with status code 200. * Add `keepalive_timeout` as ENV so we can modify the nginx value in nginx.conf. Note that the default is changed from `5` to `100s`. Might help to prevent 499 errors. * Add keeex container example in yml file. diff --git a/Dockerfile b/Dockerfile index 1fbeef0..e345e16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -61,7 +61,6 @@ RUN ./configure \ --add-module=/build/ngx_brotli \ --add-module=/build/headers-more-nginx-module \ --without-http_autoindex_module \ - --without-http_auth_basic_module \ --without-http_browser_module \ --without-http_empty_gif_module \ --without-http_geo_module \ diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index 2be611a..c9ecdd4 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE 
@@ -104,6 +104,13 @@ services: # default value: 256M #- MAX_PHP_MEMORY=256M + # optional: set a password to get access to /php-status, which will display various metrics about the php-fpm processes + # if this is not set, a random password will be generated but never displayed, effectively disabling access to this endpoint + # the enpdoint can be accessed with the "elabftw" user, and the password you set below + # example value: my-cool-password + # default value: not set + #- PHP_STATUS_PASSWORD= + ######################### # ELABFTW CONFIGURATION # ######################### diff --git a/src/init/prepare.sh b/src/init/prepare.sh index c2bb76a..8704d6a 100755 --- a/src/init/prepare.sh +++ b/src/init/prepare.sh @@ -67,6 +67,7 @@ getEnv() { allow_origin=${ALLOW_ORIGIN:-} allow_methods=${ALLOW_METHODS:-} allow_headers=${ALLOW_HEADERS:-} + php_status_password=${PHP_STATUS_PASSWORD:-} } # Create the user that will run nginx/php/cronjobs @@ -206,6 +207,16 @@ nginxConf() { acah_header="more_set_headers 'Access-Control-Allow-Headers: ${allow_headers}';" fi sed -i -e "s/%ACAH_HEADER%/${acah_header}/" /etc/nginx/common.conf + + # create a password file for /php-status endpoint + if [ -z "$php_status_password" ]; then + # if no password is provided, instead of harcoding a default password, we generate one + php_status_password=$(echo $RANDOM | sha1sum) + fi + # instead of installing htpasswd, use openssl that is already here + printf "elabftw:%s\n" "$(openssl passwd -apr1 "$php_status_password")" > /etc/nginx/passwords + chown "${elabftw_user}":"${elabftw_group}" /etc/nginx/passwords + chmod 400 /etc/nginx/passwords } # PHP-FPM CONFIG diff --git a/src/nginx/common.conf b/src/nginx/common.conf index 3d87aba..f17533f 100644 --- a/src/nginx/common.conf +++ b/src/nginx/common.conf 
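Review bot: The new comment block misspells "endpoint" on the line `# the enpdoint can be accessed with the "elabftw" user, and the password you set below`; the same line is carried forward as context in the patch 09 hunk that renames the variable, so it is worth fixing here. I would also make the first line say what the credential is used for, e.g. `# optional: HTTP basic auth password (user "elabftw") for /php-status, which shows php-fpm process metrics`.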
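Review bot: The fallback in the new nginxConf() lines, `php_status_password=$(echo $RANDOM | sha1sum)`, is derived from `$RANDOM`, which takes at most 32768 distinct values (the ` -` suffix sha1sum appends adds nothing), so the accompanying comment's claim that an unset `PHP_STATUS_PASSWORD` "effectively disables access" does not hold: the basic-auth credential is small enough to be guessed. The script's shebang is not visible here; if it runs under a shell that does not define `$RANDOM`, the value collapses to the fixed hash of an empty line. openssl is already used on the very next line, so `php_status_password=$(openssl rand -base64 32)` gives an unguessable value at no extra cost; the same generator survives unchanged in the rename hunk of patch 09. nginxConf() starts outside the hunk.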
@@ -43,6 +43,19 @@ location /healthcheck { access_log off; return 204; } +# same for php: replies with 200 +location ~ ^/php-ping$ { + include /etc/nginx/fastcgi.conf; + fastcgi_pass unix:/run/php-fpm.sock; +} +# the php-status page is protected +location ~ ^/php-status$ { + auth_basic "Show Me What You Got"; + auth_basic_user_file /etc/nginx/passwords; + include /etc/nginx/fastcgi.conf; + fastcgi_pass unix:/run/php-fpm.sock; +} + location / { try_files $uri $uri/ =404; diff --git a/src/php/elabpool.conf b/src/php/elabpool.conf index a8fa9f9..265bd92 100644 --- a/src/php/elabpool.conf +++ b/src/php/elabpool.conf @@ -29,6 +29,10 @@ listen.owner = %ELABFTW_USER% listen.group = %ELABFTW_GROUP% ;listen.mode = 0660 +pm.status_path = /php-status +ping.path = /php-ping +ping.response = All systems nominal, Captain. + ; Choose how the process manager will control the number of child processes. ; Possible Values: ; static - a fixed number (pm.max_children) of child processes; From 478f0b9834440b03b72607a96c9057289f23f1ca Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Sat, 15 Apr 2023 00:30:50 +0200 Subject: [PATCH 07/10] disable access_log for /php-ping and /php-status --- src/nginx/common.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/nginx/common.conf b/src/nginx/common.conf index f17533f..2a68a65 100644 --- a/src/nginx/common.conf +++ b/src/nginx/common.conf @@ -45,11 +45,13 @@ location /healthcheck { } # same for php: replies with 200 location ~ ^/php-ping$ { + access_log off; include /etc/nginx/fastcgi.conf; fastcgi_pass unix:/run/php-fpm.sock; } # the php-status page is protected location ~ ^/php-status$ { + access_log off; auth_basic "Show Me What You Got"; auth_basic_user_file /etc/nginx/passwords; include /etc/nginx/fastcgi.conf; From 4bd561ec145aa99afd654981f1914543bc13c631 Mon Sep 17 00:00:00 2001 
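Review bot: Both new blocks use regex locations for fixed paths (`location ~ ^/php-ping$`, `location ~ ^/php-status$`); `location = /php-ping` and `location = /php-status` state the intent directly, end the location search immediately, and cannot interact with other `~` blocks in this file whose order is not visible in the hunk. Separately, /php-status is gated by HTTP basic auth, and the prepare.sh hunks in this series show that elabftw.conf may point at an http.conf variant; in that case the credential travels in the clear, which deserves a comment above the block, e.g. `# basic auth: credentials are only protected when served over TLS`.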
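Review bot: The `access_log off;` added to the /php-status block removes the only per-request record of who reached a credential-gated diagnostic endpoint; nginx's auth module may report mismatches in the error log, but successful reads of the status page would leave no trace at all. Silencing the unauthenticated /php-ping probe is reasonable, so I would keep `access_log off;` there and drop it from /php-status only; the same consideration applies to the /nginx-status block that patch 09 adds with the same directive.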
From: Nicolas CARPi Date: Mon, 17 Apr 2023 13:48:19 +0200 Subject: [PATCH 08/10] small readme update --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9c865a8..6a0e08b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,12 @@ # Description -This Docker image is for [eLabFTW](https://www.elabftw.net). It runs nginx + php + elabftw. +This Docker image is for [eLabFTW](https://www.elabftw.net). It runs three services: + +* Nginx webserver +* PHP-FPM service +* Cron daemon to execute recurrent tasks + +These services are managed by s6-overlay and are all customized for running eLabFTW. # Tags and branches @@ -8,7 +14,7 @@ The `hypernext` (dev) branch is built and pushed to Docker Hub on a "push" event The `master` branch is built for the `latest` tag on Docker Hub and contains the latest eLabFTW version. -A tag with the latest released eLabFTW version is also pushed. Example: elabftw/elabimg:4.0.11. +A tag with the latest released eLabFTW version is also pushed. Example: elabftw/elabimg:4.6.0. # Building this image From 9df083112f1a59f5e764228953638dba425d8002 Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Tue, 18 Apr 2023 12:20:42 +0200 Subject: [PATCH 09/10] add /nginx-status --- CHANGELOG.md | 3 ++- Dockerfile | 1 + src/docker-compose.yml-EXAMPLE | 3 ++- src/init/prepare.sh | 8 ++++---- src/nginx/common.conf | 9 ++++++++- 5 files changed, 17 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 743499e..bac4dd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,7 +3,8 @@ # 4.1.0 -* Add /php-status to get metrics about php-fpm process. This endpoint is password protected by `PHP_STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint. +* Add /nginx-status for metrics about nginx process. This endpoint is password protected by `STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint. +* Add /php-status to get metrics about php-fpm process. This endpoint is password protected by `STATUS_PASSWORD`. If this variable is not set, a random password is generated, effectively disabling access to this endpoint. * Add /php-ping to check if php is alive and well. Will reply with status code 200. * Add `keepalive_timeout` as ENV so we can modify the nginx value in nginx.conf. Note that the default is changed from `5` to `100s`. Might help to prevent 499 errors. * Add keeex container example in yml file. diff --git a/Dockerfile b/Dockerfile index e345e16..796be87 100644 --- a/Dockerfile +++ b/Dockerfile @@ -58,6 +58,7 @@ RUN ./configure \ --with-http_v2_module \ --with-http_realip_module \ --with-http_gzip_static_module \ + --with-http_stub_status_module \ --add-module=/build/ngx_brotli \ --add-module=/build/headers-more-nginx-module \ --without-http_autoindex_module \ diff --git a/src/docker-compose.yml-EXAMPLE b/src/docker-compose.yml-EXAMPLE index c9ecdd4..be1f02d 100644 --- a/src/docker-compose.yml-EXAMPLE +++ b/src/docker-compose.yml-EXAMPLE 
@@ -105,11 +105,12 @@ services: #- MAX_PHP_MEMORY=256M # optional: set a password to get access to /php-status, which will display various metrics about the php-fpm processes + # also works for /nginx-status, for metrics about nginx process # if this is not set, a random password will be generated but never displayed, effectively disabling access to this endpoint # the enpdoint can be accessed with the "elabftw" user, and the password you set below # example value: my-cool-password # default value: not set - #- PHP_STATUS_PASSWORD= + #- STATUS_PASSWORD= ######################### # ELABFTW CONFIGURATION # diff --git a/src/init/prepare.sh b/src/init/prepare.sh index 8704d6a..abcb325 100755 --- a/src/init/prepare.sh +++ b/src/init/prepare.sh @@ -67,7 +67,7 @@ getEnv() { allow_origin=${ALLOW_ORIGIN:-} allow_methods=${ALLOW_METHODS:-} allow_headers=${ALLOW_HEADERS:-} - php_status_password=${PHP_STATUS_PASSWORD:-} + status_password=${STATUS_PASSWORD:-} } # Create the user that will run nginx/php/cronjobs @@ -209,12 +209,12 @@ nginxConf() { sed -i -e "s/%ACAH_HEADER%/${acah_header}/" /etc/nginx/common.conf # create a password file for /php-status endpoint - if [ -z "$php_status_password" ]; then + if [ -z "$status_password" ]; then # if no password is provided, instead of harcoding a default password, we generate one - php_status_password=$(echo $RANDOM | sha1sum) + status_password=$(echo $RANDOM | sha1sum) fi # instead of installing htpasswd, use openssl that is already here - printf "elabftw:%s\n" "$(openssl passwd -apr1 "$php_status_password")" > /etc/nginx/passwords + printf "elabftw:%s\n" "$(openssl passwd -apr1 "$status_password")" > /etc/nginx/passwords chown "${elabftw_user}":"${elabftw_group}" /etc/nginx/passwords chmod 400 /etc/nginx/passwords } diff --git a/src/nginx/common.conf b/src/nginx/common.conf index 2a68a65..4a937ea 100644 --- a/src/nginx/common.conf +++ b/src/nginx/common.conf 
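Review bot: The context line `# create a password file for /php-status endpoint` is now inaccurate, since the renamed `status_password` also protects /nginx-status (see the common.conf hunk in this patch); I would update it to `# create the basic-auth password file shared by /php-status and /nginx-status`. The `$RANDOM`-based fallback on the following lines is carried over unchanged from patch 06, where its weakness is noted. nginxConf() starts and ends outside the hunk.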
@@ -57,7 +57,14 @@ location ~ ^/php-status$ { include /etc/nginx/fastcgi.conf; fastcgi_pass unix:/run/php-fpm.sock; } - +# the nginx status page, protected with same credentials as php-status +# https://nginx.org/en/docs/http/ngx_http_stub_status_module.html +location = /nginx-status { + access_log off; + auth_basic "Show Me What You Got"; + auth_basic_user_file /etc/nginx/passwords; + stub_status; +} location / { try_files $uri $uri/ =404; From 480abef580001f297510955e5ac917e5100c060b Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Fri, 21 Apr 2023 16:03:11 +0200 Subject: [PATCH 10/10] add in README what the cron is doing --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6a0e08b..a981e9d 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This Docker image is for [eLabFTW](https://www.elabftw.net). It runs three servi * Nginx webserver * PHP-FPM service -* Cron daemon to execute recurrent tasks +* Cron daemon to execute recurrent tasks (sending notifications) These services are managed by s6-overlay and are all customized for running eLabFTW.