Docker-PHP/php/Dockerfile

# checkov:skip=CKV_DOCKER_3 user cannot be determined at this stage.
FROM marshall:build AS php-core
LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \
      org.label-schema.vcs-url="https://github.com/benzine-framework/docker" \
      org.opencontainers.image.source="https://github.com/benzine-framework/docker"
ARG PHP_PACKAGES
ARG COMPOSER_VERSION
ENV COMPOSER_ALLOW_SUPERUSER=1
COPY core/install-report.sh /usr/bin/install-report
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN echo "Acquire::Retries \"5\";" > /etc/apt/apt.conf.d/80-retries && \
    echo "Acquire::http::No-Cache=true;" > /etc/apt/apt.conf.d/80-no-cache && \
    echo "Acquire::http::Pipeline-Depth=0;" > /etc/apt/apt.conf.d/80-no-pipeline && \
    apt-get -qq update && \
    apt-get -yqq upgrade && \
    apt-get -yqq install --no-install-recommends \
        python3-software-properties \
        software-properties-common \
        && \
    echo "PHP packages to install:" && echo $PHP_PACKAGES && \
    add-apt-repository -y ppa:ondrej/php && \
    apt-get -qq update && \
    apt-get -yqq install --no-install-recommends $PHP_PACKAGES  &&\
    apt-get remove -yqq \
        software-properties-common \
        python-apt-common \
        python3-software-properties \
        python3.5 python3.5-minimal libpython3.5-minimal \
        && \
    apt-get autoremove -yqq && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/lib/dpkg/status.old /var/cache/debconf/templates.dat /var/log/dpkg.log /var/log/lastlog /var/log/apt/*.log && \
    rm -rf  /usr/bin/mariabackup \
            /usr/bin/mysql_embedded \
            /usr/bin/mysql_find_rows \
            /usr/bin/mysql_fix_extensions \
            /usr/bin/mysql_waitpid \
            /usr/bin/mysqlaccess \
            /usr/bin/mysqlanalyze \
            /usr/bin/mysqlcheck \
            /usr/bin/mysqldump \
            /usr/bin/mysqldumpslow \
            /usr/bin/mysqlimport \
            /usr/bin/mysqloptimize \
            /usr/bin/mysqlrepair \
            /usr/bin/mysqlreport \
            /usr/bin/mysqlshow \
            /usr/bin/mysqlslap \
            /usr/bin/mytop

RUN chmod +x /usr/bin/install-report && \
    /usr/bin/install-report

RUN curl https://getcomposer.org/download/$COMPOSER_VERSION/composer.phar --output /usr/local/bin/composer && \
    chmod +x /usr/local/bin/composer /usr/bin/install-report && \
    composer self-update

# Healthcheck is nonsensical for this container.
HEALTHCHECK NONE

# checkov:skip=CKV_DOCKER_3 user cannot be determined at this stage.
FROM php-core AS php-cli
LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \
      org.label-schema.vcs-url="https://github.com/benzine-framework/docker" \
      org.opencontainers.image.source="https://github.com/benzine-framework/docker"

# Install a funky cool repl.
RUN composer global require -q psy/psysh:@stable && \
    ln -s /root/.composer/vendor/psy/psysh/bin/psysh /usr/local/bin/repl && \
    /usr/local/bin/repl -v && \
    composer clear-cache

COPY cli/psysh-config.php /root/.config/psysh/config.php

RUN composer --version && \
    repl --version

# checkov:skip=CKV_DOCKER_3 user cannot be determined at this stage.
FROM php-cli AS php-nginx
LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \
      org.label-schema.vcs-url="https://github.com/benzine-framework/docker" \
      org.opencontainers.image.source="https://github.com/benzine-framework/docker"
ARG PHP_VERSION
ARG PHP_MEMORY_LIMIT=128M
ARG PHP_DATA_MAX_SIZE=1024M
ENV PHPFPM_MAX_CHILDREN=25
COPY nginx /conf
COPY self-signed-certificates /certs

# ts:skip=AC_DOCKER_0002 Mis-detecting usage of apt instead of apt-get
RUN apt-get -qq update && \
    # Install pre-dependencies to use apt-key.
    apt-get -yqq install --no-install-recommends \
        lsb-core \
        gnupg \
        && \
    # Add nginx ppa
    sh -c 'echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu $(lsb_release -sc) main" \
            > /etc/apt/sources.list.d/nginx-stable.list' && \
    # Add nginx key
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C && \
    apt-get -qq update && \
    apt-get -yqq install --no-install-recommends \
        nginx \
        php$PHP_VERSION-fpm \
        certbot \
        python3-certbot-nginx \
        && \
    apt-get remove -yqq \
        lsb-core \
        cups-common \
        && \
    apt-get autoremove -yqq && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/lib/dpkg/status.old /var/cache/debconf/templates.dat /var/log/dpkg.log /var/log/lastlog /var/log/apt/*.log && \
    # Configure FPM
    sed -i "s/cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/g" /etc/php/$PHP_VERSION/fpm/php.ini && \
    sed -i "s|memory_limit.*|memory_limit = $PHP_MEMORY_LIMIT|g" /etc/php/$PHP_VERSION/fpm/php.ini && \
    sed -i "s/upload_max_filesize.*/upload_max_filesize = $PHP_DATA_MAX_SIZE/g" /etc/php/$PHP_VERSION/fpm/php.ini && \
    sed -i "s/post_max_size.*/post_max_size = $PHP_DATA_MAX_SIZE/g" /etc/php/$PHP_VERSION/fpm/php.ini  && \
    sed -i "s/max_execution_time.*/max_execution_time = 0/g" /etc/php/$PHP_VERSION/fpm/php.ini && \
    sed -i "s/variables_order.*/variables_order = \"EGPCS\"/g" /etc/php/$PHP_VERSION/fpm/php.ini  && \
    sed -i "s/error_reporting.*/error_reporting = E_ALL \& \~E_DEPRECATED \& \~E_STRICT \& \~E_CORE_WARNING/g" /etc/php/$PHP_VERSION/fpm/php.ini && \
    # FPM logging to file
    sed -i "s|;catch_workers_output.*|catch_workers_output = yes|g" /etc/php/$PHP_VERSION/fpm/pool.d/www.conf && \
    sed -i "s|;php_flag\[display_errors\].*|php_flag\[display_errors\] = on|g" /etc/php/$PHP_VERSION/fpm/pool.d/www.conf && \
    sed -i "s|;php_admin_value\[error_log\].*|php_admin_value\[error_log\] = /var/log/fpm-php.log|g" /etc/php/$PHP_VERSION/fpm/pool.d/www.conf && \
    sed -i "s|;php_admin_flag\[log_errors\].*|php_admin_flag\[log_errors\] = on|g" /etc/php/$PHP_VERSION/fpm/pool.d/www.conf && \
    sed -i "s|;php_admin_value\[memory_limit\].*|php_admin_value\[memory_limit\] = $PHP_MEMORY_LIMIT|g" /etc/php/$PHP_VERSION/fpm/pool.d/www.conf && \
    # Symlink FPM config to CLI & PHPDBG
    rm -f /etc/php/$PHP_VERSION/cli/php.ini  && \
    ln -s /etc/php/$PHP_VERSION/fpm/php.ini /etc/php/$PHP_VERSION/cli/php.ini && \
    # Configuration step for clear_env=no
    echo "clear_env=no" >> /etc/php/$PHP_VERSION/fpm/php-fpm.conf; \
    echo "clear_env=no" >> /etc/php/$PHP_VERSION/fpm/pool.d/www.ini; \
    # Create run lock dir for php
    mkdir -p /run/php && \
    # Destroy default html root, and link /app in its place.
    rm -fr /var/www/html && \
    mkdir -p /var/www && \
    ln -s /app /var/www/html && \
    # Move nginx configuration into place
    mv /conf/NginxDefault /etc/nginx/sites-enabled/default && \
    mv /conf/NginxSSL /etc/nginx/sites-enabled/default-ssl && \
    # Generate self-signed certificates
    #mkdir /certs && \
    #openssl req -x509 -nodes -days 36500 -newkey rsa:2048 \
    #    -subj "/C=US/ST=Florida/L=Miami/O=Example Group/CN=example.org" \
    #    -keyout /certs/example.key \
    #    -out /certs/example.crt \
    #&& \
    # Create runit service directories
    mkdir -p /etc/service/nginx \
             /etc/service/php-fpm \
             /etc/service/letsencrypt \
             #/etc/service/logs-letsencrypt \
             /etc/service/logs-nginx-access \
             /etc/service/logs-nginx-error \
             /etc/service/logs-phpfpm-error && \
    # Copy our new service runits into location
    mv /conf/nginx.runit /etc/service/nginx/run && \
    mv /conf/php-fpm.runit /etc/service/php-fpm/run && \
    mv /conf/letsencrypt.runit /etc/service/letsencrypt/run && \
    #mv /conf/logs-letsencrypt.runit /etc/service/logs-letsencrypt/run && \
    #mv /conf/logs-letsencrypt.finish /etc/service/logs-letsencrypt/finish && \
    mv /conf/logs-nginx-access.runit /etc/service/logs-nginx-access/run && \
    mv /conf/logs-nginx-error.runit /etc/service/logs-nginx-error/run && \
    mv /conf/logs-phpfpm-error.runit /etc/service/logs-phpfpm-error/run && \
    mv /conf/logs-phpfpm-error.finish /etc/service/logs-phpfpm-error/finish && \
    # Make sure all our new services are using unix line endings
    dos2unix -q /etc/service/*/run /etc/service/*/finish && \
    # Make sure all our new services are executable
    chmod +x /etc/service/*/run /etc/service/*/finish && \
    # Cleanup the /conf dir
    rm -R /conf && \
    # Write the PHP version into some template locations
    sed -i "s/{{PHP}}/$PHP_VERSION/g" /etc/nginx/sites-enabled/default && \
    sed -i "s/{{PHP}}/$PHP_VERSION/g" /etc/nginx/sites-enabled/default-ssl && \
    sed -i "s/{{PHP}}/$PHP_VERSION/g" /etc/service/php-fpm/run && \
    sed -i "s/{{PHP}}/$PHP_VERSION/g" /etc/service/logs-phpfpm-error/run && \
    # Enable PHP-FPM status & PHP-FPM ping
    sed -i -e "s|;pm.status_path =.*|pm.status_path = /fpm-status|g" /etc/php/*/fpm/pool.d/www.conf && \
    sed -i -e "s|;ping.path =.*|ping.path = /fpm-ping|g" /etc/php/*/fpm/pool.d/www.conf && \
    # Using environment variables in config files works, it would seem. Neat!
    sed -i -e "s|pm.max_children = 5|pm.max_children = \${PHPFPM_MAX_CHILDREN}|g" /etc/php/*/fpm/pool.d/www.conf && \
    # Disable daemonising in nginx
    sed -i '1s;^;daemon off\;\n;' /etc/nginx/nginx.conf

# Expose ports.
EXPOSE 80/tcp
EXPOSE 443/tcp

# Make a volume for letsencrypt certs
VOLUME /etc/letsencrypt

# Create a healthcheck that makes sure our httpd is up
HEALTHCHECK --interval=30s --timeout=3s \
    CMD curl -f http://localhost/ || exit 1

# checkov:skip=CKV_DOCKER_3 user cannot be determined at this stage.
FROM php-cli AS php-apache
LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \
      org.label-schema.vcs-url="https://github.com/benzine-framework/docker" \
      org.opencontainers.image.source="https://github.com/benzine-framework/docker"
ARG PHP_VERSION
# ts:skip=AC_DOCKER_0002 Mis-detecting usage of apt instead of apt-get
RUN apt-get -qq update && \
    apt-get -yqq install --no-install-recommends \
        apache2 \
        libapache2-mod-php$PHP_VERSION \
        && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/lib/dpkg/status.old /var/cache/debconf/templates.dat /var/log/dpkg.log /var/log/lastlog /var/log/apt/*.log && \
    sed -i "s/upload_max_filesize.*/upload_max_filesize = $PHP_DATA_MAX_SIZE/g" /etc/php/$PHP_VERSION/apache2/php.ini && \
    sed -i "s/post_max_size.*/post_max_size = $PHP_DATA_MAX_SIZE/g" /etc/php/$PHP_VERSION/apache2/php.ini && \
    sed -i "s/max_execution_time.*/max_execution_time = 0/g" /etc/php/$PHP_VERSION/apache2/php.ini && \
    sed -i "s/variables_order.*/variables_order = \"EGPCS\"/g" /etc/php/$PHP_VERSION/apache2/php.ini && \
    sed -i "s/error_reporting.*/error_reporting = E_ALL \& \~E_DEPRECATED \& \~E_STRICT \& \~E_CORE_WARNING/g" /etc/php/$PHP_VERSION/apache2/php.ini && \
    cp /etc/php/$PHP_VERSION/apache2/php.ini /etc/php/$PHP_VERSION/cli/php.ini && \
    sed -i "s/ServerSignature On/ServerSignature Off/g" /etc/apache2/conf-enabled/security.conf && \
    sed -i "s/ServerTokens OS/ServerTokens Prod/g" /etc/apache2/conf-enabled/security.conf

# Expose ports.
EXPOSE 80

# Create a healthcheck that makes sure our httpd is up
HEALTHCHECK --interval=30s --timeout=3s \
    CMD curl -f http://localhost/ || exit 1

COPY apache /conf
RUN rm -fr /var/www/html && \
    ln -s /app /var/www/html && \
    mv /conf/ApacheConfig.conf /etc/apache2/sites-enabled/000-default.conf && \
    mv /conf/envvars /etc/apache2/ && \
    mv /conf/apache2.conf /etc/apache2/ && \
    mkdir -p /etc/service/apache && \
    mkdir -p /etc/service/show_logs && \
    mv /conf/apache.runit /etc/service/apache/run && \
    mv /conf/show_logs.runit /etc/service/show_logs/run && \
    chmod +x /etc/service/*/run && \
    rm -Rf /conf && \
    a2enmod rewrite