wordpress-charmers team mailing list archive
Message #00803
Re: [Merge] ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening
replies inline.
Diff comments:
> diff --git a/Dockerfile b/Dockerfile
> index a338c56..9ad0b6b 100644
> --- a/Dockerfile
> +++ b/Dockerfile
> @@ -35,66 +46,63 @@ RUN apt-get update && apt-get -y dist-upgrade \
> php-xml \
> pwgen \
> python3 \
> + python3-urllib3 \
> python3-yaml \
> ssl-cert \
> - wget \
> - && sed -ri 's/^export ([^=]+)=(.*)$/: ${\1:=\2}\nexport \1/' "$APACHE_ENVVARS" \
> - && . "$APACHE_ENVVARS" \
> - && for dir in "$APACHE_LOCK_DIR" "$APACHE_RUN_DIR" "$APACHE_LOG_DIR"; do rm -rvf "$dir"; mkdir -p "$dir"; chown "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$dir"; chmod 777 "$dir"; done \
> - && ln -sfT /dev/stderr "$APACHE_LOG_DIR/error.log" \
> - && ln -sfT /dev/stdout "$APACHE_LOG_DIR/access.log" \
> - && ln -sfT /dev/stdout "$APACHE_LOG_DIR/other_vhosts_access.log" \
> - && chown -R --no-dereference "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$APACHE_LOG_DIR"
> + wget; \
> + sed -ri 's/^export ([^=]+)=(.*)$/: ${\1:=\2}\nexport \1/' "$APACHE_ENVVARS"; \
> + . "$APACHE_ENVVARS"; \
> + for dir in "$APACHE_LOCK_DIR" "$APACHE_RUN_DIR" "$APACHE_LOG_DIR"; do rm -rvf "$dir"; mkdir -p "$dir"; chown "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$dir"; chmod 777 "$dir"; done; \
> + ln -sfT /dev/stderr "$APACHE_LOG_DIR/error.log"; \
> + ln -sfT /dev/stdout "$APACHE_LOG_DIR/access.log"; \
> + ln -sfT /dev/stdout "$APACHE_LOG_DIR/other_vhosts_access.log"; \
> + chown -R --no-dereference "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$APACHE_LOG_DIR"
>
> # Configure PHP and apache2 - mod_php requires us to use mpm_prefork
> -COPY ./image-builder/files/docker-php.conf $APACHE_CONFDIR/conf-available/docker-php.conf
> -COPY ./image-builder/files/docker-php-swift-proxy.conf $APACHE_CONFDIR/conf-available/docker-php-swift-proxy.conf
> -RUN a2enconf docker-php \
> - && a2dismod mpm_event \
> - && a2enmod headers \
> - && a2enmod mpm_prefork \
> - && a2enmod proxy \
> - && a2enmod proxy_http \
> - && a2enmod rewrite \
> - && a2enmod ssl
> +ADD ./image-builder/files /files
> +RUN set -eux; \
> + cp /files/docker-php.conf $APACHE_CONFDIR/conf-available/docker-php.conf; \
> + cp /files/docker-php-swift-proxy.conf $APACHE_CONFDIR/conf-available/docker-php-swift-proxy.conf; \
> + a2enconf docker-php; \
> + a2dismod mpm_event; \
> + a2enmod headers; \
> + a2enmod mpm_prefork; \
> + a2enmod proxy; \
> + a2enmod proxy_http; \
> + a2enmod rewrite; \
> + a2enmod ssl
>
>
> FROM base as plugins
>
> # Download themes and plugins. This will eventually be separated into new container.
> -COPY ./image-builder/src/fetcher.py /
> +ADD ./image-builder/src/fetcher.py /fetcher.py
> +RUN bash -c 'set -eux; mkdir -p /var/www/html/wp-content/{themes,plugins}'
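Review bot: replacing the `&&` chain with `;` in the apt/apache RUN drops failure propagation unless that RUN begins with `set -e`; the hunk header still shows it starting `RUN apt-get update && apt-get -y dist-upgrade \`, whereas the apache-config RUN below correctly gets `RUN set -eux; \`, so either prefix this one the same way or keep `&&` so that a failing `sed`, `ln -sfT` or `chown` aborts the build. On the same lines, `chmod 777 "$dir"` is kept for the lock, run and log directories even though the preceding `chown "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$dir"` already hands them to the Apache user, so `chmod 0755` would suit a hardening branch unless the container is meant to run as an arbitrary uid. Lastly, `ADD ./image-builder/files /files` (and `ADD ./image-builder/src/fetcher.py /fetcher.py`) should be `COPY`, since `ADD` additionally unpacks archives and fetches URLs, and because it sits in the `base` stage the whole `/files` tree is inherited by every later stage, including the final image.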
I used bash -c here for the brace expansion as regular RUN calls sh
> WORKDIR /var/www/html/wp-content/
> -RUN mkdir themes plugins && /fetcher.py
> +RUN set -xeu; \
WORKDIR actually creates the directory structure you specify so fetching (which would make files owned by root) then chowning after makes sense.
> + /fetcher.py && chown nobody:nogroup -R /var/www/html
> VOLUME /var/www/html/wp-content
>
> FROM base As install
> ARG VERSION
> -
> +ARG WORDPRESS_URL=https://wordpress.org/wordpress-${VERSION}.tar.gz
> # TODO: replace downloading the source wordpress code with copying it from the upstream wordpress container,
> # which should speed builds up:
> # COPY --from=wordpress-${VERSION}:fpm /usr/src/wordpress /usr/src/wordpress
> # Install the main Wordpress code, this will be our only site so /var/www/html is fine
> -RUN wget -O wordpress.tar.gz -t 3 -r "https://wordpress.org/wordpress-${VERSION}.tar.gz" \
> - && tar -xzf wordpress.tar.gz -C /usr/src/ \
> - && rm wordpress.tar.gz \
> - && chown -R www-data:www-data /usr/src/wordpress \
> - && rm -rf /var/www/html \
> - && mv /usr/src/wordpress /var/www/html
> -
> -COPY ./image-builder/files/ /files/
> -# wp-info.php contains template variables which our ENTRYPOINT script will populate
> -RUN install -D /files/wp-info.php /var/www/html/wp-info.php
> -RUN install -D /files/wp-config.php /var/www/html/wp-config.php
> -RUN chown -R www-data:www-data /var/www/html
> -
> -# Copy our helper scripts and their wrapper into their own directory
> -RUN install /files/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
> -
> -RUN install -t /srv/wordpress-helpers/ -D /files/_add_option.php \
> - /files/_enable_plugin.php \
> - /files/_get_option.php \
> - /files/plugin_handler.py \
> - /files/ready.sh
> +RUN set -xeu; \
> + wget -O wordpress.tar.gz -t 3 -r "https://wordpress.org/wordpress-${VERSION}.tar.gz"; \
> + tar -xzf /wordpress.tar.gz --owner=nobody --group=wordpress --strip-components=1 -C /var/www/html; \
> + rm /wordpress.tar.gz
> +
> +RUN set -eux; \
> + install --owner wordpress --group wordpress -d /srv/wordpress-helpers; \
> + install --owner wordpress --group wordpress /files/wp-config.php /var/www/html/wp-config.php; \
> + install --owner wordpress --group wordpress -t /srv/wordpress-helpers/ -D /files/_add_option.php \
> + /files/_enable_plugin.php \
> + /files/_get_option.php \
> + /files/plugin_handler.py \
> + /files/ready.sh
>
> # Make the wrapper executable
> RUN chmod 0755 /srv/wordpress-helpers/plugin_handler.py
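Review bot: the download and extract paths in the install stage disagree: `wget -O wordpress.tar.gz` writes relative to the current WORKDIR, but `tar -xzf /wordpress.tar.gz` and `rm /wordpress.tar.gz` read from `/`, which only works if that stage's WORKDIR happens to be `/`; use one absolute path such as `/tmp/wordpress.tar.gz` in all three (and note that `-r` is wget's recursive flag, not a retry count, which `-t 3` already sets). File ownership is now three different things across the hunk: `chown nobody:nogroup -R /var/www/html` for the fetched plugins, `--owner=nobody --group=wordpress` for the extracted core, and `--owner wordpress --group wordpress` for wp-config.php and the helpers. If the intent is a read-only core with only wp-config.php and the helpers owned by the service user, say so in a comment, and verify that the base image's tar honours `--owner`/`--group` on extraction (as root it otherwise restores the uid/gid stored in the tarball), since the explicit `chown -R www-data:www-data` that used to guarantee ownership was removed. Finally, the removed `install -D /files/wp-info.php ...` and `install /files/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh` have no replacement in this hunk even though the deleted comment says the ENTRYPOINT populates wp-info.php's template variables; confirm they are installed elsewhere or intentionally dropped.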
--
https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/414162
Your team Wordpress Charmers is requested to review the proposed merge of ~tcuthbert/charm-k8s-wordpress:container-hardening into charm-k8s-wordpress:container-hardening.