From f609cb33e428ce006bca63eb476ea305c30e67e0 Mon Sep 17 00:00:00 2001
From: SDKHISSI
Date: Thu, 23 Jan 2025 17:42:48 +0100
Subject: [PATCH 1/3] switch from nonroot to www-data user
---
 docker/dockerfileGHA.prod/Dockerfile | 14 +-
 test.yml | 288 +++++++++++++++++++++++++++
 2 files changed, 293 insertions(+), 9 deletions(-)
 create mode 100755 test.yml
diff --git a/docker/dockerfileGHA.prod/Dockerfile b/docker/dockerfileGHA.prod/Dockerfile
index 80cab238..d4935c79 100755
--- a/docker/dockerfileGHA.prod/Dockerfile
+++ b/docker/dockerfileGHA.prod/Dockerfile
@@ -2,10 +2,6 @@ FROM php:8.2-apache-bookworm AS base
-# Create a non-root user and group
-RUN addgroup --system nonroot \
- && adduser --system --ingroup nonroot nonroot
-
 # Set the working directory inside the container
 WORKDIR /var/www
@@ -101,25 +97,25 @@ RUN \
 # Move Symfony CLI to a global location
 && mv /root/.symfony5/bin/symfony /usr/local/bin/symfony \
 # Change /var/www ownership
- && chown -R nonroot:nonroot /var/www
+ && chown -R www-data:www-data /var/www
 # Switch to non-root user
-USER nonroot
+USER www-data
 # Building stage
 FROM base AS building
 # Switch to non-root user
-USER nonroot
+USER www-data
 RUN mkdir -p /var/www/building \
- && chown -R nonroot:nonroot /var/www/building
+ && chown -R www-data:www-data /var/www/building
 # Set working directory
 WORKDIR /var/www/building
 # Copy application code with correct ownership
-COPY --chown=nonroot:nonroot --chmod=755 . /var/www/building
+COPY --chown=www-data:www-data --chmod=755 . /var/www/building
 # Install dependencies and perform build steps
 RUN cp .env.test .env \
diff --git a/test.yml b/test.yml
new file mode 100755
index 00000000..bc182673
--- /dev/null
+++ b/test.yml
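Review bot: In the second hunk, `chown -R www-data:www-data /var/www` and `COPY --chown=www-data:www-data --chmod=755 . /var/www/building` make the account that serves the application the owner of its entire code tree, so the runtime process can rewrite its own PHP sources; the `nonroot` layout being replaced had the same weakness, and switching users is the moment to fix it. The build steps that follow (`RUN cp .env.test .env` runs as `USER www-data`) do need a writable tree in the `building` stage, so the place to tighten is wherever the built tree is copied into the final stage: keep the sources root-owned and readable there and hand `www-data` only the directories Symfony must write to (typically `var/`) and any document/upload directory — that part of the file is outside this hunk, so please confirm. `--chmod=755` also marks every regular file executable, which Apache does not need to read them. Finally, `USER www-data` set in the `base` stage is inherited by every later stage; the stock `php:8.2-apache` configuration listens on port 80 and keeps its pid and log files under root-owned directories, so unless the final stage either reverts to root or re-points the port and those paths to `www-data`-writable locations, `apache2-foreground` is likely to fail to start — worth a comment next to `USER www-data` stating which of the two applies.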
@@ -0,0 +1,288 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: docauposte-database-service
+spec:
+ selector:
+ app: docauposte-database
+ ports:
+ - port: 3306
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: docauposte-database-pod-limits-range
+ namespace: docauposte-database-pod-limits
+spec:
+ limits:
+ - defaultRequest:
+ memory: 4000Mi
+ ephemeral-storage: 5000Mi
+ cpu: 4
+ type: Container
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: docauposte-database-pod
+ namespace: docauposte-database-pod-limits
+ labels:
+ app: docauposte-database
+spec:
+ restartPolicy: Always
+ containers:
+ - name: database
+ image: docker.io/library/mariadb:latest
+ env:
+ - name: MARIADB_ROOT_PASSWORD_FILE
+ value: run/secrets/root_password
+ - name: MARIADB_DATABASE_FILE
+ value: run/secrets/database_name
+ - name: MARIADB_USER_FILE
+ value: run/secrets/database_user
+ - name: MARIADB_PASSWORD_FILE
+ value: run/secrets/database_password
+ ports:
+ - containerPort: 3306
+ volumeMounts:
+ - mountPath: /run/secrets/root_password
+ readOnly: true
+ name: root_password
+ - mountPath: /run/secrets/database_name
+ readOnly: true
+ name: database_name
+ - mountPath: /run/secrets/database_user
+ readOnly: true
+ name: database_user
+ - mountPath: /run/secrets/database_password
+ readOnly: true
+ name: database_password
+ - mountPath: /var/lib/mysql
+ name: database-data
+ - mountPath: /etc/localtime
+ name: localtime-settings
+ readOnly: true
+ - mountPath: /etc/mysql/ssl/ca-cert.pem
+ name: ca-cert
+ readOnly: true
+ - mountPath: /etc/mysql/ssl/server-cert.pem
+ name: server-cert
+ readOnly: true
+ - mountPath: /etc/mysql/ssl/server-key.pem
+ name: server-key
+ readOnly: true
+ - mountPath: /etc/mysql/my.cnf
+ readOnly: true
+ name: mysql-config
+ resources:
+ limits:
+ memory: 4000Mi
+ ephemeral-storage: 5000Mi
+ requests:
+ cpu: 4
+ dnsPolicy: Default
+ volumes:
+ - hostPath:
+ path: ./secrets/root_password
+ type: File
+ name: root_password
+ - hostPath:
+ path: ./secrets/database_name
+ type: File
+ name: database_name
+ - hostPath:
+ path: ./secrets/database_user
+ type: File
+ name: database_user
+ - hostPath:
+ path: ./secrets/database_password
+ type: File
+ name: database_password
+ - hostPath:
+ path: ./database_data
+ type: DirectoryOrCreate
+ name: database-data
+ - hostPath:
+ path: /etc/localtime
+ name: localtime-settings
+ - hostPath:
+ path: ./secrets/ssl/ca-cert.pem
+ type: File
+ name: ca-cert
+ - hostPath:
+ path: ./secrets/ssl/server-cert.pem
+ type: File
+ name: server-cert
+ - hostPath:
+ path: ./secrets/ssl/server-key.pem
+ type: File
+ name: server-key
+ - hostPath:
+ path: ./my.cnf
+ type: File
+ name: mysql-config
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: docauposte-phpmyadmin-pod-limits-range
+ namespace: docauposte-phpmyadmin-pod-limits
+spec:
+ limits:
+ - defaultRequest:
+ memory: 1000Mi
+ ephemeral-storage: 500Mi
+ cpu: 1
+ type: Container
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: docauposte-phpmyadmin-pod
+ namespace: docauposte-phpmyadmin-pod-limits
+ labels:
+ app: docauposte-phpmyadmin
+ traefik.enable: true
+ traefik.http.routers.docauposte-phpmyadmin.rule: "Host(`sanclp0031`) && PathPrefix(`/dappma`)"
+ traefik.http.routers.docauposte-phpmyadmin.entrypoints: websecure
+ traefik.http.routers.docauposte-phpmyadmin.tls: true
+ # Remove or comment out the certresolver if using dedicated certificate files
+ traefik.http.routers.docauposte-phpmyadmin.tls.certresolver: myresolver
+ traefik.http.routers.docauposte-phpmyadmin.middlewares: strip-docauposte-phpmyadmin-prefix
+ traefik.http.services.docauposte-phpmyadmin.loadbalancer.server.port: 80
+ traefik.http.middlewares.strip-docauposte-phpmyadmin-prefix.stripPrefix.prefixes: /dappma
+spec:
+ restartPolicy: Always
+ containers:
+ - name: phpmyadmin
+ image: docker.io/phpmyadmin/phpmyadmin
+ env:
+ - name: PMA_HOST
+ value: database
+ - name: PMA_ABSOLUTE_URI
+ value: https://SANCLP0031/dappma
+ - name: PMA_SSL
+ value: "true"
+ - name: PMA_SSL_CA
+ value: /etc/phpmyadmin/ssl/ca-cert.pem
+ volumeMounts:
+ - mountPath: /etc/phpmyadmin/config.user.inc.php
+ name: phpmyadmin-config
+ readOnly: true
+ - mountPath: /etc/localtime
+ name: localtime-settings
+ readOnly: true
+ - mountPath: /etc/phpmyadmin/ssl/ca-cert.pem
+ name: ca-certificates
+ readOnly: true
+ resources:
+ limits:
+ memory: 1000Mi
+ ephemeral-storage: 500Mi
+ requests:
+ cpu: 1
+ dnsPolicy: Default
+ volumes:
+ - hostPath:
+ path: ./config.user.inc.php
+ type: File
+ name: phpmyadmin-config
+ - hostPath:
+ path: /etc/localtime
+ name: localtime-settings
+ - hostPath:
+ path: ./secrets/ssl/ca-cert.pem
+ type: Directory
+ name: ca-certificates
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: docauposte-web-pod-limits-range
+ namespace: docauposte-web-pod-limits
+spec:
+ limits:
+ - defaultRequest:
+ memory: 2000Mi
+ ephemeral-storage: 10000Mi
+ cpu: 4
+ type: Container
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: docauposte-web-pod
+ namespace: docauposte-web-pod-limits
+ labels:
+ app: docauposte-web
+ traefik.enable: true
+ traefik.http.routers.docauposte-web.rule: "Host(`sanclp0031`) && PathPrefix(`/docauposte`)"
+ traefik.http.routers.docauposte-web.entrypoints: websecure
+ traefik.http.routers.docauposte-web.tls: true
+ # Remove or comment out the certresolver if using dedicated certificate files
+ traefik.http.routers.docauposte-web.tls.certresolver: myresolver
+ traefik.http.routers.docauposte-web.middlewares: strip-docauposte-web-prefix
+ traefik.http.services.docauposte-web.loadbalancer.server.port: 80
+ traefik.http.middlewares.strip-docauposte-web-prefix.stripPrefix.prefixes: /docauposte
+spec:
+ restartPolicy: Always
+ containers:
+ - name: web
+ image: ghcr.io/kiloutyg/docauposte2:prod-latest
+ # command: ["./dev-entrypoint.sh"]
+ env:
+ - name: no_proxy
+ value: .ponet
+ - name: http_proxy
+ value: http://10.0.0.1:80
+ - name: APP_TIMEZONE
+ value: Europe/Paris
+ - name: https_proxy
+ value: http://10.0.0.1:80
+ volumeMounts:
+ - mountPath: /var/www/public/doc
+ name: web-data
+ - mountPath: /etc/localtime
+ name: localtime-settings
+ readOnly: true
+ - mountPath: /etc/ssl/certs/ca-cert.pem
+ name: ca-certificates
+ readOnly: true
+ - mountPath: /etc/ssl/certs/server-cert.pem
+ name: server-certificates
+ readOnly: true
+ - mountPath: /etc/ssl/certs/server-key.pem
+ name: server-key
+ readOnly: true
+ resources:
+ limits:
+ memory: 4000Mi
+ ephemeral-storage: 15000Mi
+ requests:
+ cpu: 4
+ dnsPolicy: Default
+ volumes:
+ - hostPath:
+ path: ./public/doc
+ type: Directory
+ name: web-data
+ - hostPath:
+ path: .env
+ type: File
+ name: dotenv
+ - hostPath:
+ path: /etc/localtime
+ name: localtime-settings
+ readOnly: true
+ - hostPath:
+ path: ./secrets/ssl/ca-cert.pem
+ type: File
+ name: ca-certificates
+ - hostPath:
+ path: ./secrets/ssl/server-cert.pem
+ type: File
+ name: server-certificates
+ - hostPath:
+ path: ./secrets/ssl/server-key.pem
+ type: File
+ name: server-key
From 169d74715196a84be405951e6b275cc897c1c9b1 Mon Sep 17 00:00:00 2001
From: SDKHISSI
Date: Thu, 23 Jan 2025 17:43:50 +0100
Subject: [PATCH 2/3] typo copying stuff from dev directory
---
 docker/dockerfileGHA.prod/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/dockerfileGHA.prod/Dockerfile b/docker/dockerfileGHA.prod/Dockerfile
index d4935c79..91491d5a 100755
--- a/docker/dockerfileGHA.prod/Dockerfile
+++ b/docker/dockerfileGHA.prod/Dockerfile
@@ -6,7 +6,7 @@ FROM php:8.2-apache-bookworm AS base
 WORKDIR /var/www
 # Copy custom php.ini configuration into the container
-COPY ./docker/dockerfileGHA.dev/php.ini /usr/local/etc/php/php.ini
+COPY ./docker/dockerfileGHA.prod/php.ini /usr/local/etc/php/php.ini
 # Configure system settings and install necessary packages and extensions
 RUN \
From eb8b19da364f24779cab64f6a0accc93d09e267e Mon Sep 17 00:00:00 2001
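Review bot: `test.yml` is added here in PATCH 1/3 and deleted again in PATCH 3/3, which also gitignores it; squashing the series would avoid leaving the file in history, although nothing in it is secret material — the MariaDB credentials are referenced as files under `/run/secrets` and the TLS keys are hostPath mounts — only an internal hostname and proxy address. If the manifest lives on outside the repository, two details are worth fixing there: the `MARIADB_*_FILE` values are written without a leading slash (`run/secrets/root_password`) while the mounts are at `/run/secrets/...`, so they resolve only if the entrypoint's working directory happens to be `/`; and the phpMyAdmin `ca-certificates` hostPath points at `./secrets/ssl/ca-cert.pem` but is declared `type: Directory`, which is rejected when the path is a regular file. `image: docker.io/library/mariadb:latest` is also unpinned, so the database version changes silently between deployments.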
From: SDKHISSI
Date: Thu, 23 Jan 2025 17:51:51 +0100
Subject: [PATCH 3/3] forgot to retire test file
---
 .gitignore | 3 +
 docker/dockerfileGHA.prod/Dockerfile | 2 +-
 test.yml | 288 ---------------------------
 3 files changed, 4 insertions(+), 289 deletions(-)
 delete mode 100755 test.yml
diff --git a/.gitignore b/.gitignore
index c435d5e5..802ae9c5 100755
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,6 @@ symfony copy.lock
 .composer
 .cache
 .php-cs-fixer.dist.php
+
+
+test.yml
\ No newline at end of file
diff --git a/docker/dockerfileGHA.prod/Dockerfile b/docker/dockerfileGHA.prod/Dockerfile
index 91491d5a..46518bf5 100755
--- a/docker/dockerfileGHA.prod/Dockerfile
+++ b/docker/dockerfileGHA.prod/Dockerfile
@@ -130,4 +130,4 @@ RUN cp .env.test .env \
 WORKDIR /var/www
-CMD [ "exec apache2-foreground" ]
\ No newline at end of file
+CMD [ "apache2-foreground" ]
\ No newline at end of file
diff --git a/test.yml b/test.yml
deleted file mode 100755
index bc182673..00000000
--- a/test.yml
+++ /dev/null
@@ -1,288 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: docauposte-database-service
-spec:
- selector:
- app: docauposte-database
- ports:
- - port: 3306
----
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: docauposte-database-pod-limits-range
- namespace: docauposte-database-pod-limits
-spec:
- limits:
- - defaultRequest:
- memory: 4000Mi
- ephemeral-storage: 5000Mi
- cpu: 4
- type: Container
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: docauposte-database-pod
- namespace: docauposte-database-pod-limits
- labels:
- app: docauposte-database
-spec:
- restartPolicy: Always
- containers:
- - name: database
- image: docker.io/library/mariadb:latest
- env:
- - name: MARIADB_ROOT_PASSWORD_FILE
- value: run/secrets/root_password
- - name: MARIADB_DATABASE_FILE
- value: run/secrets/database_name
- - name: MARIADB_USER_FILE
- value: run/secrets/database_user
- - name: MARIADB_PASSWORD_FILE
- value: run/secrets/database_password
- ports:
- - containerPort: 3306
- volumeMounts:
- - mountPath: /run/secrets/root_password
- readOnly: true
- name: root_password
- - mountPath: /run/secrets/database_name
- readOnly: true
- name: database_name
- - mountPath: /run/secrets/database_user
- readOnly: true
- name: database_user
- - mountPath: /run/secrets/database_password
- readOnly: true
- name: database_password
- - mountPath: /var/lib/mysql
- name: database-data
- - mountPath: /etc/localtime
- name: localtime-settings
- readOnly: true
- - mountPath: /etc/mysql/ssl/ca-cert.pem
- name: ca-cert
- readOnly: true
- - mountPath: /etc/mysql/ssl/server-cert.pem
- name: server-cert
- readOnly: true
- - mountPath: /etc/mysql/ssl/server-key.pem
- name: server-key
- readOnly: true
- - mountPath: /etc/mysql/my.cnf
- readOnly: true
- name: mysql-config
- resources:
- limits:
- memory: 4000Mi
- ephemeral-storage: 5000Mi
- requests:
- cpu: 4
- dnsPolicy: Default
- volumes:
- - hostPath:
- path: ./secrets/root_password
- type: File
- name: root_password
- - hostPath:
- path: ./secrets/database_name
- type: File
- name: database_name
- - hostPath:
- path: ./secrets/database_user
- type: File
- name: database_user
- - hostPath:
- path: ./secrets/database_password
- type: File
- name: database_password
- - hostPath:
- path: ./database_data
- type: DirectoryOrCreate
- name: database-data
- - hostPath:
- path: /etc/localtime
- name: localtime-settings
- - hostPath:
- path: ./secrets/ssl/ca-cert.pem
- type: File
- name: ca-cert
- - hostPath:
- path: ./secrets/ssl/server-cert.pem
- type: File
- name: server-cert
- - hostPath:
- path: ./secrets/ssl/server-key.pem
- type: File
- name: server-key
- - hostPath:
- path: ./my.cnf
- type: File
- name: mysql-config
----
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: docauposte-phpmyadmin-pod-limits-range
- namespace: docauposte-phpmyadmin-pod-limits
-spec:
- limits:
- - defaultRequest:
- memory: 1000Mi
- ephemeral-storage: 500Mi
- cpu: 1
- type: Container
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: docauposte-phpmyadmin-pod
- namespace: docauposte-phpmyadmin-pod-limits
- labels:
- app: docauposte-phpmyadmin
- traefik.enable: true
- traefik.http.routers.docauposte-phpmyadmin.rule: "Host(`sanclp0031`) && PathPrefix(`/dappma`)"
- traefik.http.routers.docauposte-phpmyadmin.entrypoints: websecure
- traefik.http.routers.docauposte-phpmyadmin.tls: true
- # Remove or comment out the certresolver if using dedicated certificate files
- traefik.http.routers.docauposte-phpmyadmin.tls.certresolver: myresolver
- traefik.http.routers.docauposte-phpmyadmin.middlewares: strip-docauposte-phpmyadmin-prefix
- traefik.http.services.docauposte-phpmyadmin.loadbalancer.server.port: 80
- traefik.http.middlewares.strip-docauposte-phpmyadmin-prefix.stripPrefix.prefixes: /dappma
-spec:
- restartPolicy: Always
- containers:
- - name: phpmyadmin
- image: docker.io/phpmyadmin/phpmyadmin
- env:
- - name: PMA_HOST
- value: database
- - name: PMA_ABSOLUTE_URI
- value: https://SANCLP0031/dappma
- - name: PMA_SSL
- value: "true"
- - name: PMA_SSL_CA
- value: /etc/phpmyadmin/ssl/ca-cert.pem
- volumeMounts:
- - mountPath: /etc/phpmyadmin/config.user.inc.php
- name: phpmyadmin-config
- readOnly: true
- - mountPath: /etc/localtime
- name: localtime-settings
- readOnly: true
- - mountPath: /etc/phpmyadmin/ssl/ca-cert.pem
- name: ca-certificates
- readOnly: true
- resources:
- limits:
- memory: 1000Mi
- ephemeral-storage: 500Mi
- requests:
- cpu: 1
- dnsPolicy: Default
- volumes:
- - hostPath:
- path: ./config.user.inc.php
- type: File
- name: phpmyadmin-config
- - hostPath:
- path: /etc/localtime
- name: localtime-settings
- - hostPath:
- path: ./secrets/ssl/ca-cert.pem
- type: Directory
- name: ca-certificates
----
-apiVersion: v1
-kind: LimitRange
-metadata:
- name: docauposte-web-pod-limits-range
- namespace: docauposte-web-pod-limits
-spec:
- limits:
- - defaultRequest:
- memory: 2000Mi
- ephemeral-storage: 10000Mi
- cpu: 4
- type: Container
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: docauposte-web-pod
- namespace: docauposte-web-pod-limits
- labels:
- app: docauposte-web
- traefik.enable: true
- traefik.http.routers.docauposte-web.rule: "Host(`sanclp0031`) && PathPrefix(`/docauposte`)"
- traefik.http.routers.docauposte-web.entrypoints: websecure
- traefik.http.routers.docauposte-web.tls: true
- # Remove or comment out the certresolver if using dedicated certificate files
- traefik.http.routers.docauposte-web.tls.certresolver: myresolver
- traefik.http.routers.docauposte-web.middlewares: strip-docauposte-web-prefix
- traefik.http.services.docauposte-web.loadbalancer.server.port: 80
- traefik.http.middlewares.strip-docauposte-web-prefix.stripPrefix.prefixes: /docauposte
-spec:
- restartPolicy: Always
- containers:
- - name: web
- image: ghcr.io/kiloutyg/docauposte2:prod-latest
- # command: ["./dev-entrypoint.sh"]
- env:
- - name: no_proxy
- value: .ponet
- - name: http_proxy
- value: http://10.0.0.1:80
- - name: APP_TIMEZONE
- value: Europe/Paris
- - name: https_proxy
- value: http://10.0.0.1:80
- volumeMounts:
- - mountPath: /var/www/public/doc
- name: web-data
- - mountPath: /etc/localtime
- name: localtime-settings
- readOnly: true
- - mountPath: /etc/ssl/certs/ca-cert.pem
- name: ca-certificates
- readOnly: true
- - mountPath: /etc/ssl/certs/server-cert.pem
- name: server-certificates
- readOnly: true
- - mountPath: /etc/ssl/certs/server-key.pem
- name: server-key
- readOnly: true
- resources:
- limits:
- memory: 4000Mi
- ephemeral-storage: 15000Mi
- requests:
- cpu: 4
- dnsPolicy: Default
- volumes:
- - hostPath:
- path: ./public/doc
- type: Directory
- name: web-data
- - hostPath:
- path: .env
- type: File
- name: dotenv
- - hostPath:
- path: /etc/localtime
- name: localtime-settings
- readOnly: true
- - hostPath:
- path: ./secrets/ssl/ca-cert.pem
- type: File
- name: ca-certificates
- - hostPath:
- path: ./secrets/ssl/server-cert.pem
- type: File
- name: server-certificates
- - hostPath:
- path: ./secrets/ssl/server-key.pem
- type: File
- name: server-key