wordpress-charmers team mailing list archive
-
wordpress-charmers team
-
Mailing list archive
-
Message #00901
[Merge] ~tcuthbert/charm-k8s-wordpress:master into charm-k8s-wordpress:master
Thomas Cuthbert has proposed merging ~tcuthbert/charm-k8s-wordpress:master into charm-k8s-wordpress:master.
Requested reviews:
Wordpress Charmers (wordpress-charmers)
For more details, see:
https://code.launchpad.net/~tcuthbert/charm-k8s-wordpress/+git/charm-k8s-wordpress-1/+merge/427197
--
Your team Wordpress Charmers is requested to review the proposed merge of ~tcuthbert/charm-k8s-wordpress:master into charm-k8s-wordpress:master.
diff --git a/Dockerfile b/Dockerfile
index a394f4d..325ed05 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,12 @@
ARG DIST_RELEASE
FROM ubuntu:${DIST_RELEASE} as base
+ARG USERNAME=wordpress
+ARG GROUPNAME=${USERNAME}
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+RUN groupadd --system --gid $USER_GID $GROUPNAME \
+ && useradd --system --uid $USER_UID --gid $USER_GID $USERNAME
# HTTPS_PROXY used when we RUN curl to download Wordpress itself
ARG BUILD_DATE
@@ -12,16 +19,21 @@ ARG HTTPS_PROXY
ENV APACHE_CONFDIR=/etc/apache2
ENV APACHE_ENVVARS=/etc/apache2/envvars
+ENV APACHE_RUN_USER=$USERNAME
+ENV APACHE_RUN_GROUP=$GROUPNAME
+ENV PYTHONUNBUFFERED="1"
# Avoid interactive prompts
RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
# Update all packages, remove cruft, install required packages, configure apache
-RUN apt-get update && apt-get -y dist-upgrade \
- && apt-get --purge autoremove -y \
- && apt-get install -y apache2 \
+RUN set -eux; \
+ apt-get update; apt-get -y dist-upgrade; \
+ apt-get install -y \
+ apache2 \
bzr \
curl \
+ gettext-base \
git \
libapache2-mod-php \
libgmp-dev \
@@ -35,85 +47,125 @@ RUN apt-get update && apt-get -y dist-upgrade \
php-xml \
pwgen \
python3 \
+ python3-urllib3 \
python3-yaml \
ssl-cert \
- wget \
- && sed -ri 's/^export ([^=]+)=(.*)$/: ${\1:=\2}\nexport \1/' "$APACHE_ENVVARS" \
- && . "$APACHE_ENVVARS" \
- && for dir in "$APACHE_LOCK_DIR" "$APACHE_RUN_DIR" "$APACHE_LOG_DIR"; do rm -rvf "$dir"; mkdir -p "$dir"; chown "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$dir"; chmod 777 "$dir"; done \
- && ln -sfT /dev/stderr "$APACHE_LOG_DIR/error.log" \
- && ln -sfT /dev/stdout "$APACHE_LOG_DIR/access.log" \
- && ln -sfT /dev/stdout "$APACHE_LOG_DIR/other_vhosts_access.log" \
- && chown -R --no-dereference "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$APACHE_LOG_DIR"
+ wget; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ rm -rf /var/lib/apt/lists/* /var/cache/apt/**/*||true;
+
+# Reconfigure apache so it can be run as non-root
+RUN set -eux; \
+ sed -ri 's/^export ([^=]+)=(.*)$/: ${\1:=\2}\nexport \1/' "$APACHE_ENVVARS"; \
+ . "$APACHE_ENVVARS"; \
+ sed -i \
+ -e 's/Listen 80/Listen 8000/' \
+ -e 's/Listen 443/Listen 8433/' \
+ -e 's/:80>$/:8000>/' \
+ -e 's/:443>$/:8443>/' \
+ /etc/apache2/ports.conf \
+ /etc/apache2/sites-available/000-default.conf; \
+ for dir in "$APACHE_LOCK_DIR" "$APACHE_RUN_DIR" "$APACHE_LOG_DIR"; do \
+ chmod 2770 "$dir"; \
+ chown -R "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$dir"; \
+ done; \
+ ln -sfT /dev/stdout "$APACHE_LOG_DIR/access.log"; \
+ ln -sfT /dev/stderr "$APACHE_LOG_DIR/error.log"; \
+ ln -sfT /dev/stdout "$APACHE_LOG_DIR/other_vhosts_access.log";
+
+# Test apache configuration works
+RUN set -eux; /usr/sbin/apache2ctl -S;
# Configure PHP and apache2 - mod_php requires us to use mpm_prefork
-COPY ./image-builder/files/docker-php.conf $APACHE_CONFDIR/conf-available/docker-php.conf
-COPY ./image-builder/files/docker-php-swift-proxy.conf $APACHE_CONFDIR/conf-available/docker-php-swift-proxy.conf
-RUN a2enconf docker-php \
- && a2dismod mpm_event \
- && a2enmod headers \
- && a2enmod mpm_prefork \
- && a2enmod proxy \
- && a2enmod proxy_http \
- && a2enmod rewrite \
- && a2enmod ssl
+ADD ./image-builder/files /files
+RUN set -eux; \
+ cp /files/docker-php.conf $APACHE_CONFDIR/conf-available/docker-php.conf; \
+ cp /files/docker-php-swift-proxy.conf $APACHE_CONFDIR/conf-available/docker-php-swift-proxy.conf; \
+ a2enconf docker-php; \
+ a2dismod mpm_event; \
+ a2enmod headers; \
+ a2enmod mpm_prefork; \
+ a2enmod proxy; \
+ a2enmod proxy_http; \
+ a2enmod rewrite; \
+ a2enmod ssl
FROM base as plugins
-
+ARG USERNAME=wordpress
+ARG GROUPNAME=${USERNAME}
# Download themes and plugins. This will eventually be separated into new container.
-COPY ./image-builder/src/fetcher.py /
+ADD ./image-builder/src/fetcher.py /fetcher.py
+RUN bash -c 'set -eux; mkdir -p /var/www/html/wp-content/{themes,plugins}'
WORKDIR /var/www/html/wp-content/
-RUN mkdir themes plugins && /fetcher.py
+RUN set -eux; \
+ /fetcher.py && chown "$USERNAME:$GROUPNAME" -R /var/www/html
VOLUME /var/www/html/wp-content
FROM base As install
-ARG VERSION
-
+ARG USERNAME=wordpress
+ARG GROUPNAME=${USERNAME}
+ARG VERSION=latest
+ARG WORDPRESS_URL=https://wordpress.org/wordpress-${VERSION}.tar.gz
# TODO: replace downloading the source wordpress code with copying it from the upstream wordpress container,
# which should speed builds up:
# COPY --from=wordpress-${VERSION}:fpm /usr/src/wordpress /usr/src/wordpress
# Install the main Wordpress code, this will be our only site so /var/www/html is fine
-RUN wget -O wordpress.tar.gz -t 3 -r "https://wordpress.org/wordpress-${VERSION}.tar.gz"; \
- && tar -xzf wordpress.tar.gz -C /usr/src/ \
- && rm wordpress.tar.gz \
- && chown -R www-data:www-data /usr/src/wordpress \
- && rm -rf /var/www/html \
- && mv /usr/src/wordpress /var/www/html
-
-COPY ./image-builder/files/ /files/
-# wp-info.php contains template variables which our ENTRYPOINT script will populate
-RUN install -D /files/wp-info.php /var/www/html/wp-info.php
-RUN install -D /files/wp-config.php /var/www/html/wp-config.php
-RUN chown -R www-data:www-data /var/www/html
-
-# Copy our helper scripts and their wrapper into their own directory
-RUN install /files/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-
-RUN install -t /srv/wordpress-helpers/ -D /files/_add_option.php \
- /files/_enable_plugin.php \
- /files/_get_option.php \
- /files/plugin_handler.py \
- /files/ready.sh
-
-# Make the wrapper executable
-RUN chmod 0755 /srv/wordpress-helpers/plugin_handler.py
-RUN chmod 0755 /srv/wordpress-helpers/ready.sh
-RUN chmod 0755 /usr/local/bin/docker-entrypoint.sh
+RUN set -eux; \
+ wget -O wordpress.tar.gz -t 3 -r "https://wordpress.org/wordpress-${VERSION}.tar.gz";; \
+ tar -xzf /wordpress.tar.gz --owner=$USERNAME --group="$GROUPNAME" --strip-components=1 -C /var/www/html; \
+ rm /wordpress.tar.gz
+
+RUN set -eux; \
+ install --mode="770" --owner="$USERNAME" --group="$GROUPNAME" -d /srv/wordpress-helpers; \
+ install --mode="550" --owner="$USERNAME" --group="$GROUPNAME" -t /srv/wordpress-helpers/ -D \
+ /files/_add_option.php \
+ /files/_enable_plugin.php \
+ /files/_get_option.php \
+ /files/plugin_handler.py \
+ /files/ready.sh
FROM install as wordpress
+ARG USERNAME=wordpress
+ARG GROUPNAME=${USERNAME}
ARG VERSION
LABEL maintainer="wordpress-charmers@xxxxxxxxxxxxxxxxxxx"
# Used by Launchpad OCI Recipe to tag version
LABEL org.label-schema.version=${VERSION:-5.9.3}
-# Port 80 only, TLS will terminate elsewhere
-EXPOSE 80
-
# Copy plugins from the plugin stage into the WordPress content directory.
-COPY ./image-builder/src/fetcher.py /
-COPY --chown=www-data:www-data --from=plugins /var/www/html/wp-content/plugins/ /var/www/html/wp-content/plugins/
-COPY --chown=www-data:www-data --from=plugins /var/www/html/wp-content/themes/ /var/www/html/wp-content/themes/
+COPY --chown="$USERNAME":"$GROUPNAME" --from=plugins /var/www/html/wp-content/plugins/ /var/www/html/wp-content/plugins/
+COPY --chown="$USERNAME":"$GROUPNAME" --from=plugins /var/www/html/wp-content/themes/ /var/www/html/wp-content/themes/
+
+# Copy our helper scripts and their wrapper into their own directory
+COPY --chown="$USERNAME":"$GROUPNAME" ./image-builder/files/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+COPY --chown="$USERNAME":"$GROUPNAME" ./image-builder/files/wp-config.php /var/www/html/wp-config.php
+COPY --chown="$USERNAME":"$GROUPNAME" ./image-builder/files/wp-info.php /var/www/html/wp-info.php
+
+RUN set -eux; \
+ bash -c "chmod ug=rx /usr/local/bin/docker-entrypoint.sh; chown $USERNAME:$GROUPNAME \$_"\
+ sed -i -e 's/max_execution_time = 30/max_execution_time = 300/' \
+ -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 10M/' \
+ /etc/php/7.[24]/apache2/php.ini; \
+ install --owner=$USERNAME --group=$GROUPNAME --mode=600 /dev/null /var/log/wordpress-plugin-handler.log;
+
+# Ensure remote users are unable to upload potentially malicious content into the container
+RUN set -eux; \
+ find /var/www/html \
+ -exec chown $USERNAME:$GROUPNAME {} \; \
+ -exec chmod a-rwx,ug+rX {} \; \
+ ;
+
+RUN set -eux; \
+ chmod ug+rw /var/www/html/wp-includes/functions.php /var/www/html/wp-info.php; \
+ chown -R :$GROUPNAME /etc/apache2 /var/lib/apache2; chmod -R g+rwX /etc/apache2/conf* /var/lib/apache2/conf*
+
+STOPSIGNAL SIGWINCH
+
+# Unprivileged port 8000 only, TLS will terminate elsewhere
+EXPOSE 8000
+USER ${USERNAME}:${GROUPNAME}
+WORKDIR /var/www/html
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
-CMD apachectl -D FOREGROUND
+CMD /usr/sbin/apache2ctl -D FOREGROUND
diff --git a/config.yaml b/config.yaml
index fadc47f..0b3a70f 100644
--- a/config.yaml
+++ b/config.yaml
@@ -2,7 +2,7 @@ options:
image:
type: string
description: "The docker image to install. Required."
- default: "wordpresscharmers/wordpress:v5.9.3-20.04_edge"
+ default: "wordpresscharmers/wordpress:v5.9.4-20.04"
image_user:
type: string
description: "Username to use for the configured image registry, if required"
@@ -15,8 +15,8 @@ options:
type: string
description: >
Ports to expose, space separated list in name:8000 format. Names are alphanumeric + hyphen.
- e.g. "http:80 metrics:7127"
- default: "http:80"
+ e.g. "http:8000 metrics:7127"
+ default: "http:8000"
tls_secret_name:
type: string
description: "The Kubernetes TLS secret resource name."
diff --git a/image-builder/files/_get_option.php b/image-builder/files/_get_option.php
index 4168301..fb9938d 100644
--- a/image-builder/files/_get_option.php
+++ b/image-builder/files/_get_option.php
@@ -5,6 +5,7 @@
# Example use:
# php ./_get_option.php akismet_strictness
+@include "wp-info.php";
@include "wp-config.php";
@include_once "wp-includes/option.php";
@include_once "/usr/share/php/Symfony/Component/Yaml/autoload.php";
diff --git a/image-builder/files/docker-entrypoint.sh b/image-builder/files/docker-entrypoint.sh
index 8b9630f..2938af4 100644
--- a/image-builder/files/docker-entrypoint.sh
+++ b/image-builder/files/docker-entrypoint.sh
@@ -1,34 +1,32 @@
#!/bin/bash
set -eu
+: "${APACHE_RUN_USER:=wordpress}"
+: "${APACHE_RUN_GROUP:=wordpress}"
printf "remove_filter('template_redirect', 'redirect_canonical');" >> /var/www/html/wp-includes/functions.php
-sed -i -e "s/%%%WORDPRESS_DB_HOST%%%/$WORDPRESS_DB_HOST/" /var/www/html/wp-info.php
-sed -i -e "s/%%%WORDPRESS_DB_NAME%%%/$WORDPRESS_DB_NAME/" /var/www/html/wp-info.php
-sed -i -e "s/%%%WORDPRESS_DB_USER%%%/$WORDPRESS_DB_USER/" /var/www/html/wp-info.php
-sed -i -e "s/%%%WORDPRESS_DB_PASSWORD%%%/$WORDPRESS_DB_PASSWORD/" /var/www/html/wp-info.php
-
-for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT;
-do
- sed -i -e "s/%%%${key}%%%/$(printenv ${key})/" /var/www/html/wp-info.php
-done
+envsubst "$(printf "'$%s'" $(printenv|grep -P 'WORD|_KEY|_AUTH'))" < /files/wp-info.php > /var/www/html/wp-info.php
# If we have passed in SWIFT_URL, then append swift proxy config.
[ -z "${SWIFT_URL-}" ] || a2enconf docker-php-swift-proxy
-# TODO: this will eventually be called directly by the charm.
-(
- cd /tmp
- /fetcher.py
- find /tmp -type f \( -path '/tmp/plugins/*' -o -path '/tmp/themes/*' \) -printf "%p\0/var/www/html/wp-content/%P\0" |
- xargs -rn2 -0 install -DT && rm -fr /tmp/* &&
- rm -fr /tmp/*
-)
+nohup bash -c "/srv/wordpress-helpers/plugin_handler.py &" > /dev/null
-nohup bash -c "/srv/wordpress-helpers/plugin_handler.py &"
+# Fix apache2 logging issues: https://github.com/bitnami/bitnami-docker-wordpress/blob/master/6/debian-11/rootfs/opt/bitnami/scripts/apache/setup.sh#L63
+chmod o+w "$(readlink /dev/stdout)" "$(readlink /dev/stderr)"
-# Match against either php 7.2 (bionic) or 7.4 (focal).
-sed -i 's/max_execution_time = 30/max_execution_time = 300/' /etc/php/7.[24]/apache2/php.ini
-sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 10M/' /etc/php/7.[24]/apache2/php.ini
+: "${APACHE_CONFDIR:=/etc/apache2}"
+: "${APACHE_ENVVARS:=$APACHE_CONFDIR/envvars}"
+if [ -f "$APACHE_ENVVARS" ]; then
+ . "$APACHE_ENVVARS"
+fi
+
+# Apache gets grumpy about PID files pre-existing
+: "${APACHE_RUN_DIR:=/var/run/apache2}"
+: "${APACHE_LOCK_DIR:=/var/lock/apache2}"
+for dir in "$APACHE_LOCK_DIR"/* "$APACHE_RUN_DIR"/*; do
+ echo "cleaning ${dir}..."
+ rm -rvf "${dir}"/*;
+done
exec "$@"
diff --git a/image-builder/files/docker-php.conf b/image-builder/files/docker-php.conf
index 00d1f36..eda1448 100644
--- a/image-builder/files/docker-php.conf
+++ b/image-builder/files/docker-php.conf
@@ -2,9 +2,11 @@
SetHandler application/x-httpd-php
</FilesMatch>
-<Location "/wp-admin">
- Header Set Cache-Control "max-age=0, no-store"
-</Location>
+<LocationMatch "^/?(wp-admin|wp-login)">
+ Header Unset ETag
+ Header Set Pragma "no-cache"
+ Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
+</LocationMatch>
DirectoryIndex disabled
DirectoryIndex index.php index.html
diff --git a/image-builder/files/plugin_handler.py b/image-builder/files/plugin_handler.py
index 94403ec..05c5818 100644
--- a/image-builder/files/plugin_handler.py
+++ b/image-builder/files/plugin_handler.py
@@ -89,8 +89,12 @@ def enable_swift(swift_config):
add_option("object_storage_{}".format(k), v)
-def configure_wordpress():
- url = "http://localhost";
+def configure_wordpress(hostname="localhost", http_port=8000, schema="http"):
+ url = "{schema}://{hostname}:{http_port}".format(**{
+ "schema": schema,
+ "hostname": hostname,
+ "http_port": http_port,
+ })
sleep_time = 10
total_sleep_time = 0
max_sleep_time = 600
diff --git a/image-builder/files/ready.sh b/image-builder/files/ready.sh
index a676bc2..28afbd6 100644
--- a/image-builder/files/ready.sh
+++ b/image-builder/files/ready.sh
@@ -8,7 +8,7 @@ READY=/srv/wordpress-helpers/.ready
# return a failure, replace the shell with whatever curl
# returns for checking that the website is alive.
if [ -f "$READY" ]; then
- exec /usr/bin/curl --silent http://localhost
+ exec /usr/bin/curl --silent http://localhost:8000
fi
exit 1
diff --git a/image-builder/files/wp-info.php b/image-builder/files/wp-info.php
index 5a891a2..339f5dc 100644
--- a/image-builder/files/wp-info.php
+++ b/image-builder/files/wp-info.php
@@ -33,21 +33,21 @@ else {
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST']);
}
-define('DB_NAME', '%%%WORDPRESS_DB_NAME%%%');
-define('DB_USER', '%%%WORDPRESS_DB_USER%%%');
-define('DB_HOST', '%%%WORDPRESS_DB_HOST%%%');
+define('DB_NAME', '$WORDPRESS_DB_NAME');
+define('DB_USER', '$WORDPRESS_DB_USER');
+define('DB_HOST', '$WORDPRESS_DB_HOST');
-define('DB_PASSWORD', '%%%WORDPRESS_DB_PASSWORD%%%');
+define('DB_PASSWORD', '$WORDPRESS_DB_PASSWORD');
define('WP_CACHE', true);
-define('AUTH_KEY', '%%%AUTH_KEY%%%');
-define('SECURE_AUTH_KEY', '%%%SECURE_AUTH_KEY%%%');
-define('LOGGED_IN_KEY', '%%%LOGGED_IN_KEY%%%');
-define('NONCE_KEY', '%%%NONCE_KEY%%%');
-define('AUTH_SALT', '%%%AUTH_SALT%%%');
-define('SECURE_AUTH_SALT', '%%%SECURE_AUTH_SALT%%%');
-define('LOGGED_IN_SALT', '%%%LOGGED_IN_SALT%%%');
-define('NONCE_SALT', '%%%NONCE_SALT%%%');
+define('AUTH_KEY', '$AUTH_KEY');
+define('SECURE_AUTH_KEY', '$SECURE_AUTH_KEY');
+define('LOGGED_IN_KEY', '$LOGGED_IN_KEY');
+define('NONCE_KEY', '$NONCE_KEY');
+define('AUTH_SALT', '$AUTH_SALT');
+define('SECURE_AUTH_SALT', '$SECURE_AUTH_SALT');
+define('LOGGED_IN_SALT', '$LOGGED_IN_SALT');
+define('NONCE_SALT', '$NONCE_SALT');
$table_prefix = 'wp_';
diff --git a/src/charm.py b/src/charm.py
index a7234e0..c450da9 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -252,7 +252,7 @@ class WordpressCharm(CharmBase):
"host": self.model.config["blog_hostname"],
"http": {
"paths": [
- {"path": "/", "backend": {"serviceName": self.app.name, "servicePort": 80}}
+ {"path": "/", "backend": {"serviceName": self.app.name, "servicePort": 8000}} # noqa: E501
]
},
}
@@ -281,7 +281,7 @@ class WordpressCharm(CharmBase):
"host": hostname,
"http": {
"paths": [
- {"path": "/", "backend": {"serviceName": self.app.name, "servicePort": 80}}
+ {"path": "/", "backend": {"serviceName": self.app.name, "servicePort": 8000}}
]
},
}
diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
index 89221a1..511d651 100644
--- a/tests/unit/test_charm.py
+++ b/tests/unit/test_charm.py
@@ -150,7 +150,7 @@ class TestWordpressCharm(unittest.TestCase):
'paths': [
{
'path': '/',
- 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 80},
+ 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 8000},
}
]
},
@@ -161,7 +161,7 @@ class TestWordpressCharm(unittest.TestCase):
'paths': [
{
'path': '/',
- 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 80},
+ 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 8000},
}
]
},
@@ -172,7 +172,7 @@ class TestWordpressCharm(unittest.TestCase):
'paths': [
{
'path': '/',
- 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 80},
+ 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 8000},
}
]
},
@@ -213,7 +213,7 @@ class TestWordpressCharm(unittest.TestCase):
'paths': [
{
'path': '/',
- 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 80},
+ 'backend': {'serviceName': 'wordpress-k8s', 'servicePort': 8000},
}
]
},
@@ -262,7 +262,7 @@ class TestWordpressCharm(unittest.TestCase):
},
'name': 'wordpress-k8s',
'ports': [{
- 'containerPort': 80,
+ 'containerPort': 8000,
'name': 'http',
'protocol': 'TCP',
}]}
@@ -309,7 +309,7 @@ class TestWordpressCharm(unittest.TestCase):
},
'name': 'wordpress-k8s',
'ports': [{
- 'containerPort': 80,
+ 'containerPort': 8000,
'name': 'http',
'protocol': 'TCP',
}]}
Follow ups
