From 07716fe8b0cc0e30d5ad84c7ef3e186dbb644fda Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Thu, 29 Jul 2021 17:44:30 -0400 Subject: [PATCH 01/57] Initial commit (WIP) --- .dockerignore | 17 +++++ Dockerfile | 167 +++++++++++++++++++++++++++++++++++++++++++ docker/entrypoint.sh | 28 ++++++++ docker/nginx.conf | 38 ++++++++++ 4 files changed, 250 insertions(+) create mode 100644 .dockerignore create mode 100644 Dockerfile create mode 100644 docker/entrypoint.sh create mode 100644 docker/nginx.conf diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 00000000..22f96ea7 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,17 @@ +.git +.github +tests +.dockerignore +.editorconfig +.env.example +.env.testing +.env.travis +.gitattributes +.gitignore +.styleci.yml +.travis.yml +changelog.md +Dockerfile +LICENSE +phpunit.xml +README.md diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..1bd99e06 --- /dev/null +++ b/Dockerfile 
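Review bot: `.env` itself is not in this ignore list, only `.env.example`, `.env.testing` and `.env.travis`, so a developer's local `.env` (a real APP_KEY, mail and database credentials) would be swept into the build context by the Dockerfile's `COPY . .` and end up in a published image layer. Add `.env` to the list, and while here `node_modules`, `vendor` and `storage/logs` if they exist in local checkouts, to keep the context small and free of local state. Builds straight from the git URL are not affected, but local builds are a normal workflow for this kind of project.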
@@ -0,0 +1,167 @@
+ARG DEBIAN_VERSION=buster-slim
+ARG COMPOSER_VERSION=2.1
+
+FROM composer:${COMPOSER_VERSION} AS composer
+
+FROM debian:${DEBIAN_VERSION}
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install PHP and PHP system dependencies
+RUN apt-get update && \
+ apt-get install -y \
+ php7.3 \
+ php7.3-sqlite3 php7.3-mysql \
+ php-xml && \
+ apt-get clean && \
+ rm -rf /var/cache/* /var/lib/apt/lists/*
+
+# Composer
+RUN apt-get update && \
+ apt-get install -y unzip composer && \
+ apt-get clean && \
+ rm -rf /var/cache/* /var/lib/apt/lists/* /usr/bin/composer
+# Use composer 2 instead of composer 1
+COPY --from=composer --chown=www-data /usr/bin/composer /usr/bin/composer
+
+# PHP FPM
+RUN apt-get update && \
+ apt-get install -y php7.3-fpm && \
+ apt-get clean && \
+ rm -rf /var/cache/* /var/lib/apt/lists/*
+# Sudo to start PHP-FPM without root
+RUN apt-get update && \
+ apt-get install -y sudo && \
+ apt-get clean && \
+ rm -rf /var/cache/* /var/lib/apt/lists/*
+RUN echo "www-data ALL = NOPASSWD: /usr/sbin/service php7.3-fpm start, /usr/sbin/service php7.3-fpm status, /usr/sbin/service php7.3-fpm stop" > /etc/sudoers.d/www-data && \
+ chmod 0440 /etc/sudoers.d/www-data
+# Pre-create directories with the correct permissions
+RUN mkdir /run/php && \
+ chown www-data /run/php && \
+ chmod 700 /run/php
+
+# NGINX
+EXPOSE 8000/tcp
+RUN apt-get update && \
+ apt-get install -y nginx && \
+ apt-get clean && \
+ rm -rf /var/cache/* /var/lib/apt/lists/* \
+ /etc/nginx/nginx.conf && \
+ chown -R www-data /var/log/nginx /var/lib/nginx/
+RUN touch /run/nginx.pid && \
+ chown -R www-data /run/nginx.pid
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+ ln -sf /dev/stderr /var/log/nginx/error.log
+COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf
+
+# Create end user directory
+RUN mkdir -p /2fauth && \
+ chown -R www-data /2fauth && \
+ chmod 700 /2fauth
+
+# Create /srv internal directory
+WORKDIR /srv
+RUN chown -R www-data /srv && \
+ chmod 700 /srv
+
+# Fix ownership for /var/www
+RUN chown -R www-data /var/www && \
+ chmod 700 /var/www
+
+# Run without root
+USER www-data
+
+# Dependencies
+COPY --chown=www-data artisan composer.json composer.lock ./
+# Disable xdebug
+RUN phpdismod xdebug
+COPY --chown=www-data database ./database
+RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader && \
+ rm -rf /var/www/.composer
+
+# Copy the rest of the code
+COPY --chown=www-data . .
+RUN composer dump-autoload --no-scripts --no-dev --optimize
+
+# Nginx
+EXPOSE 8000/tcp
+COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+ ln -sf /dev/stderr /var/log/nginx/error.log
+
+# Entrypoint
+# ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
+ENTRYPOINT [ "/bin/bash" ]
+COPY --chown=www-data docker/entrypoint.sh /usr/local/bin/entrypoint.sh
+
+ENV \
+ # You can change the name of the app
+ APP_NAME=2FAuth \
+ # You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
+ # Never set it to "testing".
+ APP_ENV=local \
+ # Set to true if you want to see debug information in error screens.
+ APP_DEBUG=false \
+ # This should be your email address
+ SITE_OWNER=mail@example.com \
+ # The encryption key for our database and sessions. Keep this very secure.
+ # If you generate a new one all existing data must be considered LOST.
+ # Change it to a string of exactly 32 chars or use command `php artisan key:generate` to generate it
+ APP_KEY=SomeRandomStringOf32CharsExactly \
+ # This variable must match your installation's external address but keep in mind that
+ # it's only used on the command line as a fallback value.
+ APP_URL=http://localhost \
+ # Turn this to true if you want your app to react like a demo.
+ # The Demo mode reset the app content every hours and set a generic demo user.
+ IS_DEMO_APP=false \
+ # The log channel defines where your log entries go to.
+ # 'daily' is the default logging mode giving you 5 daily rotated log files in /storage/logs/.
+ # Several other options exist. You can use 'single' for one big fat error log (not recommended).
+ # Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
+ LOG_CHANNEL=daily \
+ # Log level. You can set this from least severe to most severe:
+ # debug, info, notice, warning, error, critical, alert, emergency
+ # If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+ # nothing will get logged, ever.
+ APP_LOG_LEVEL=notice \
+ # Database config & credentials
+ # DB_CONNECTION can be mysql
+ DB_CONNECTION=sqlite \
+ DB_DATABASE="/srv/database/.sqlite" \
+ # if you want to use MySQL:
+ DB_HOST=127.0.0.1 \
+ DB_PORT=3306 \
+ DB_USERNAME=homestead \
+ DB_PASSWORD=secret \
+ # If you're looking for performance improvements, you could install memcached.
+ CACHE_DRIVER=file \
+ SESSION_DRIVER=file \
+ # Mail settings
+ # Refer your email provider documentation to configure your mail settings
+ # Set a value for every available setting to avoid issue
+ MAIL_DRIVER=log \
+ MAIL_HOST=smtp.mailtrap.io \
+ MAIL_PORT=2525 \
+ MAIL_FROM=changeme@example.com \
+ MAIL_USERNAME=null \
+ MAIL_PASSWORD=null \
+ MAIL_ENCRYPTION=null \
+ MAIL_FROM_NAME=null \
+ MAIL_FROM_ADDRESS=null \
+ # Leave the following configuration vars as is.
+ # Unless you like to tinker and know what you're doing.
+ BROADCAST_DRIVER=log \
+ QUEUE_DRIVER=sync \
+ SESSION_LIFETIME=12 \
+ REDIS_HOST=127.0.0.1 \
+ REDIS_PASSWORD=null \
+ REDIS_PORT=6379 \
+ PUSHER_APP_ID= \
+ PUSHER_APP_KEY= \
+ PUSHER_APP_SECRET= \
+ PUSHER_APP_CLUSTER=mt1 \
+ MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}" \
+ MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}" \
+ MIX_ENV=local
+
+
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100644
index 00000000..5197e0a3
--- /dev/null
+++ b/docker/entrypoint.sh
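Review bot: `APP_KEY=SomeRandomStringOf32CharsExactly` and `DB_PASSWORD=secret` are baked into the image as defaults, so anyone who runs it without overriding `APP_KEY` has their sessions and, per the comment right above it, their database encrypted under a key that is public in this repository and readable from the image layers. Drop the default (`APP_KEY=`) and have the entrypoint refuse to start when it is empty (or generate one once into `/2fauth`), and do the same for the database password. Separately, `COPY --chown=www-data . .` together with `chown -R www-data /srv` / `chmod 700 /srv` make the PHP worker the owner of its own code, so any code-execution bug in the application can rewrite PHP files and persist across requests; once `composer` has run, the code tree should be root-owned and read-only, with www-data writing only to `storage`, `bootstrap/cache` and `/2fauth`. `ENV DEBIAN_FRONTEND=noninteractive` should also be scoped to the `RUN` lines rather than exported into the runtime environment.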
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# TODO fail on any error
+
+if [ "${DB_CONNECTION}" = "sqlite" ]; then
+ if [ ! -f /2fauth/.sqlite ]; then
+ touch /2fauth/.sqlite
+ fi
+ rm -f /srv/database/.sqlite
+ ln -sF /2fauth/.sqlite /srv/database/.sqlite
+fi
+
+sudo service php7.3-fpm start
+sudo service php7.3-fpm status
+
+if [ -f /2fauth/installed ]; then
+ php artisan migrate
+ php artisan config:clear
+else
+ php artisan migrate:refresh
+ php artisan passport:install
+ php artisan storage:link
+ php artisan config:cache
+ echo "" > /2fauth/installed
+fi
+
+nginx
+sudo service php7.3-fpm stop
diff --git a/docker/nginx.conf b/docker/nginx.conf
new file mode 100644
index 00000000..f2d9bfbe
--- /dev/null
+++ b/docker/nginx.conf
@@ -0,0 +1,38 @@
+daemon off;
+# user www-data www-data;
+events {}
+http {
+ include mime.types;
+
+ server {
+ listen 8000;
+ server_name 2fAuth;
+ root /srv/public;
+
+ # add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-Content-Type-Options "nosniff";
+
+ index index.php;
+
+ charset utf-8;
+
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ location = /favicon.ico { access_log off; log_not_found off; }
+ location = /robots.txt { access_log off; log_not_found off; }
+
+ error_page 404 /index.php;
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+ location ~ /\.(?!well-known).* {
+ deny all;
+ }
+ }
+}
From 8f6c9e2433882c40ab2cbb75fd34d99e80586e91 Mon Sep 17 00:00:00 2001
From: "Quentin McGaw (desktop)"
Date: Thu, 29 Jul 2021 17:51:16 -0400
Subject: [PATCH 02/57] Change entrypoint to actual entrypoint script
---
Dockerfile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1bd99e06..09d77579 100644
--- a/Dockerfile
+++ b/Dockerfile
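Review bot: `php artisan migrate:refresh` drops and recreates every table, and the only thing standing between it and an existing `/2fauth/.sqlite` is the `/2fauth/installed` marker file, so a container started against an existing database whose marker is absent (first run on a pre-existing volume, a restored backup, a deleted file) silently wipes all stored 2FA accounts, and `passport:install` regenerates the OAuth keys on top. Derive the "installed" state from the database rather than a marker (e.g. the exit status of `php artisan migrate:status`, or the presence of the `migrations` table) and run plain `php artisan migrate --force` on both branches. `touch /2fauth/.sqlite` also creates the secrets database with the default umask; follow it with `chmod 600 /2fauth/.sqlite` so it is not group/world-readable on the host bind mount.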
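Review bot: The `location ~ \.php$` block hands `$realpath_root$fastcgi_script_name` to php-fpm without a `try_files $uri =404;` guard, so a request such as `/storage/avatar.png/x.php` is forwarded and only php-fpm's `security.limit_extensions` (Debian's default is `.php`) and the `cgi.fix_pathinfo` setting stand between it and executing an uploaded file; add `try_files $uri =404;` as the first line of that block for defence in depth. The `X-Frame-Options` and `X-Content-Type-Options` headers are left commented out; for a login/2FA UI clickjacking protection should be on unless the application middleware already sets it, e.g. `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header X-Content-Type-Options "nosniff" always;`. `server_tokens off;` in the `http` block is also cheap to add.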
@@ -90,8 +90,7 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ ln -sf /dev/stderr /var/log/nginx/error.log # Entrypoint -# ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] -ENTRYPOINT [ "/bin/bash" ] +ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] COPY --chown=www-data docker/entrypoint.sh /usr/local/bin/entrypoint.sh ENV \ From 1da1fa0fed0e010d3e957dd66a9662d98263cb29 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Thu, 29 Jul 2021 17:52:11 -0400 Subject: [PATCH 03/57] Entrypoint fails on any error --- docker/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 5197e0a3..a1777bdf 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -# TODO fail on any error +set -e if [ "${DB_CONNECTION}" = "sqlite" ]; then if [ ! -f /2fauth/.sqlite ]; then From bfc7ca9bbe661e4e9a02916c956ed5b3c08948dc Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Thu, 29 Jul 2021 17:52:34 -0400 Subject: [PATCH 04/57] Entrypoint cleanup routine --- docker/entrypoint.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index a1777bdf..e719677f 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,5 +1,11 @@ #!/bin/bash +cleanup() { + set +e + echo "Stopping php7.3-fpm service..." + sudo service php7.3-fpm stop +} +trap cleanup 0 set -e if [ "${DB_CONNECTION}" = "sqlite" ]; then @@ -25,4 +31,4 @@ else fi nginx -sudo service php7.3-fpm stop + From 94222e505d7652ec23583a7a396fa4bdf9d0a3a8 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Thu, 29 Jul 2021 17:52:51 -0400 Subject: [PATCH 05/57] Add log about Nginx listening --- docker/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index e719677f..1d1f31b8 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
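Review bot: `trap cleanup 0` only fires on a normal script exit, and `nginx` (which runs with `daemon off`) is started as a foreground child of bash rather than `exec`'d, so bash remains PID 1: the SIGTERM from `docker stop` is delivered to PID 1, which ignores signals it has no handler for, the container is SIGKILLed after the grace period, and the cleanup never runs. Trap TERM and INT as well, run nginx in the background and `wait` on it, and stop nginx from the cleanup too; the `nginx` line this depends on is in the second hunk of the same patch.

```bash
cleanup() {
    set +e
    trap - TERM INT EXIT
    echo "Stopping Nginx and php7.3-fpm service..."
    nginx -s quit
    sudo service php7.3-fpm stop
}
trap cleanup TERM INT EXIT
# … unchanged: sqlite setup, php-fpm start, artisan commands …
nginx &
wait $!
```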
@@ -30,5 +30,5 @@ else echo "" > /2fauth/installed fi +echo "Nginx listening on :8000" nginx - From dcc3c2310d479874907b7838da8edec7deb3c23a Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Thu, 29 Jul 2021 17:59:11 -0400 Subject: [PATCH 06/57] Minor changes --- Dockerfile | 2 +- docker/nginx.conf | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 09d77579..f75ca176 100644 --- a/Dockerfile +++ b/Dockerfile @@ -49,7 +49,7 @@ RUN apt-get update && \ /etc/nginx/nginx.conf && \ chown -R www-data /var/log/nginx /var/lib/nginx/ RUN touch /run/nginx.pid && \ - chown -R www-data /run/nginx.pid + chown www-data /run/nginx.pid RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ ln -sf /dev/stderr /var/log/nginx/error.log COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf diff --git a/docker/nginx.conf b/docker/nginx.conf index f2d9bfbe..fe0eac9b 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -1,5 +1,4 @@ daemon off; -# user www-data www-data; events {} http { include mime.types; From 22d7013406792c4d692d50243d15219154ca1367 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Thu, 29 Jul 2021 18:26:58 -0400 Subject: [PATCH 07/57] Fix ownership for php-fpm logs --- Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index f75ca176..eac774bb 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -35,10 +35,12 @@ RUN apt-get update && \ rm -rf /var/cache/* /var/lib/apt/lists/* RUN echo "www-data ALL = NOPASSWD: /usr/sbin/service php7.3-fpm start, /usr/sbin/service php7.3-fpm status, /usr/sbin/service php7.3-fpm stop" > /etc/sudoers.d/www-data && \ chmod 0440 /etc/sudoers.d/www-data -# Pre-create directories with the correct permissions +# Pre-create files with the correct permissions RUN mkdir /run/php && \ - chown www-data /run/php && \ - chmod 700 /run/php + touch /var/log/php7.3-fpm.log && \ + chown www-data /run/php /var/log/php7.3-fpm.log && \ + chmod 700 /run/php /var/log/php7.3-fpm.log && \ + ln -sf /dev/stdout /var/log/php7.3-fpm.log # NGINX EXPOSE 8000/tcp From 1e1244a52f670eda712ec531c18797c1b3d37000 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Sat, 31 Jul 2021 13:24:57 -0400 Subject: [PATCH 08/57] Remove Nginx duplicate setup block --- Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index eac774bb..f4d521b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -85,12 +85,6 @@ RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader && \ COPY --chown=www-data . . RUN composer dump-autoload --no-scripts --no-dev --optimize -# Nginx -EXPOSE 8000/tcp -COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log - # Entrypoint ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] COPY --chown=www-data docker/entrypoint.sh /usr/local/bin/entrypoint.sh From f5f16f3ee753b183fef4064851d813992315fbf1 Mon Sep 17 00:00:00 2001 
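Review bot: `ln -sf /dev/stdout /var/log/php7.3-fpm.log` most likely does not reach the container log: php-fpm is started as a daemon through `sudo service`, and `/dev/stdout` resolves to the writer's own fd 1, which for a daemonised php-fpm is presumably `/dev/null` rather than the entrypoint's stdout. Point php-fpm at PID 1's stream instead (`error_log = /proc/1/fd/1` in php-fpm.conf), or run it in the foreground with `daemonize = no` under a supervisor. The `touch`/`chown`/`chmod 700` on the log file are also moot, since the same `RUN` then replaces the file with the symlink.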
From: "Quentin McGaw (desktop)" Date: Sat, 31 Jul 2021 13:30:37 -0400 Subject: [PATCH 09/57] Rework Dockerfile: - Fix: install php7.3-gd extension - Do not install composer 1 and only 2 - Install php7.3-mbstring extension - Group apt installs together for better caching --- Dockerfile | 54 ++++++++++++++++++++++++------------------------------ 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4d521b8..fcd65309 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -6,33 +6,33 @@ FROM composer:${COMPOSER_VERSION} AS composer FROM debian:${DEBIAN_VERSION} ENV DEBIAN_FRONTEND=noninteractive -# Install PHP and PHP system dependencies -RUN apt-get update && \ - apt-get install -y \ - php7.3 \ - php7.3-sqlite3 php7.3-mysql \ - php-xml && \ - apt-get clean && \ - rm -rf /var/cache/* /var/lib/apt/lists/* - -# Composer -RUN apt-get update && \ - apt-get install -y unzip composer && \ - apt-get clean && \ - rm -rf /var/cache/* /var/lib/apt/lists/* /usr/bin/composer -# Use composer 2 instead of composer 1 +# Composer 2 COPY --from=composer --chown=www-data /usr/bin/composer /usr/bin/composer -# PHP FPM +# Install PHP and PHP system dependencies RUN apt-get update && \ - apt-get install -y php7.3-fpm && \ + apt-get install -y --no-install-recommends \ + # PHP + php7.3 \ + # PHP SQL drivers + php7.3-sqlite3 php7.3-mysql \ + # PHP extensions + php-xml php7.3-gd php7.3-mbstring \ + # Unzip for composer + unzip \ + # PHP FPM and sudo to run PHP-FPM without root + php7.3-fpm sudo \ + # Nginx to serve HTTP and communicate with PHP-FPM + nginx \ + && \ + # Clean up apt-get clean && \ - rm -rf /var/cache/* /var/lib/apt/lists/* -# Sudo to start PHP-FPM without root -RUN apt-get update && \ - apt-get install -y sudo && \ - apt-get clean && \ - rm -rf /var/cache/* /var/lib/apt/lists/* + rm -rf /var/cache/* /var/lib/apt/lists/* /etc/nginx/nginx.conf && \ + # Fix ownership to www-data + chown -R www-data /var/log/nginx /var/lib/nginx/ + +# PHP FPM configuration +# Allow to run it with sudo from user www-data RUN echo "www-data ALL = NOPASSWD: /usr/sbin/service php7.3-fpm start, /usr/sbin/service php7.3-fpm status, /usr/sbin/service php7.3-fpm stop" > /etc/sudoers.d/www-data && \ chmod 0440 /etc/sudoers.d/www-data # Pre-create files with the correct permissions 
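Review bot: Every input of this stage is pulled by a mutable reference — `debian:buster-slim`, `composer:2.1`, and the apt packages with no version pins — so two builds of the same commit can yield different images, which matters for an image that will hold users' 2FA seeds. Pin the base and the composer stage by digest (`FROM debian:${DEBIAN_VERSION}@sha256:…`, `FROM composer:${COMPOSER_VERSION}@sha256:…`); apt version pins are impractical on Debian, so at least log `dpkg -l` in CI so a build can be reproduced later. `COPY --from=composer --chown=www-data /usr/bin/composer` also has no reason to make the web user the owner of a binary that only needs to be executable; a root-owned 0755 file is enough.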
@@ -42,14 +42,8 @@ RUN mkdir /run/php && \ chmod 700 /run/php /var/log/php7.3-fpm.log && \ ln -sf /dev/stdout /var/log/php7.3-fpm.log -# NGINX +# Nginx configuration EXPOSE 8000/tcp -RUN apt-get update && \ - apt-get install -y nginx && \ - apt-get clean && \ - rm -rf /var/cache/* /var/lib/apt/lists/* \ - /etc/nginx/nginx.conf && \ - chown -R www-data /var/log/nginx /var/lib/nginx/ RUN touch /run/nginx.pid && \ chown www-data /run/nginx.pid RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ From c89aa757bede93ae3f420e045851399ed7d34843 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 09:04:31 -0400 Subject: [PATCH 10/57] Add docker-compose.yml --- docker/docker-compose.yml | 78 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 docker/docker-compose.yml diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml new file mode 100644 index 00000000..17edb7a7 --- /dev/null +++ b/docker/docker-compose.yml 
@@ -0,0 +1,78 @@ +version: "3" +services: + 2fauth: + image: qmcgaw/2fauth + container_name: 2fauth + volumes: + - ./2fauth:/2fauth + ports: + - 8000:8000/tcp + environment: + # You can change the name of the app + - APP_NAME=2FAuth + # You can leave this on "local". If you change it to production most console commands will ask for extra confirmation. + # Never set it to "testing". + - APP_ENV=local + # Set to true if you want to see debug information in error screens. + - APP_DEBUG=false + # This should be your email address + - SITE_OWNER=mail@example.com + # The encryption key for our database and sessions. Keep this very secure. + # If you generate a new one all existing data must be considered LOST. + # Change it to a string of exactly 32 chars or use command `php artisan key:generate` to generate it + - APP_KEY=SomeRandomStringOf32CharsExactly + # This variable must match your installation's external address but keep in mind that + # it's only used on the command line as a fallback value. + - APP_URL=http://localhost + # Turn this to true if you want your app to react like a demo. + # The Demo mode reset the app content every hours and set a generic demo user. + - IS_DEMO_APP=false + # The log channel defines where your log entries go to. + # 'daily' is the default logging mode giving you 5 daily rotated log files in /storage/logs/. + # Several other options exist. You can use 'single' for one big fat error log (not recommended). + # Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself. + - LOG_CHANNEL=daily + # Log level. You can set this from least severe to most severe: + # debug, info, notice, warning, error, critical, alert, emergency + # If you set it to debug your logs will grow large, and fast. If you set it to emergency probably + # nothing will get logged, ever. 
+ - APP_LOG_LEVEL=notice + # Database config & credentials + # DB_CONNECTION can be mysql + - DB_CONNECTION=sqlite + - DB_DATABASE="/srv/database/.sqlite" + # if you want to use MySQL: + - DB_HOST=mysql + - DB_PORT=3306 + - DB_USERNAME=homestead + - DB_PASSWORD=secret + # If you're looking for performance improvements, you could install memcached. + - CACHE_DRIVER=file + - SESSION_DRIVER=file + # Mail settings + # Refer your email provider documentation to configure your mail settings + # Set a value for every available setting to avoid issue + - MAIL_DRIVER=log + - MAIL_HOST=smtp.mailtrap.io + - MAIL_PORT=2525 + - MAIL_FROM=changeme@example.com + - MAIL_USERNAME=null + - MAIL_PASSWORD=null + - MAIL_ENCRYPTION=null + - MAIL_FROM_NAME=null + - MAIL_FROM_ADDRESS=null + # Leave the following configuration vars as is. + # Unless you like to tinker and know what you're doing. + - BROADCAST_DRIVER=log + - QUEUE_DRIVER=sync + - SESSION_LIFETIME=12 + - REDIS_HOST=127.0.0.1 + - REDIS_PASSWORD=null + - REDIS_PORT=6379 + - PUSHER_APP_ID= + - PUSHER_APP_KEY= + - PUSHER_APP_SECRET= + - PUSHER_APP_CLUSTER=mt1 + - MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}" + - MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}" + - MIX_ENV=local From d20a326d445ab7249879d6f9a7477ab38c30e788 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 09:31:49 -0400 Subject: [PATCH 11/57] Add 'do not remove me' to installed file --- docker/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 1d1f31b8..ff271d5b 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -27,7 +27,7 @@ else php artisan passport:install php artisan storage:link php artisan config:cache - echo "" > /2fauth/installed + echo "do not remove me" > /2fauth/installed fi echo "Nginx listening on :8000" From 404345add18db6c6290f0b4901b3d8dcc81ce45a Mon Sep 17 00:00:00 2001 
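Review bot: In the list form of `environment:` Compose passes each entry verbatim, so `- DB_DATABASE="/srv/database/.sqlite"` most likely reaches the app with the double quotes as part of the path (unlike the Dockerfile `ENV`, whose parser strips them), and `"${PUSHER_APP_KEY}"` in `MIX_PUSHER_APP_KEY` is interpolated by Compose from the host shell or `.env` file, not from the sibling entry above it. Write `- DB_DATABASE=/srv/database/.sqlite` and either repeat the literal values for the `MIX_*` entries or drop them. The file also ships the placeholder `APP_KEY=SomeRandomStringOf32CharsExactly` and `DB_PASSWORD=secret`, which people will copy unchanged; `- APP_KEY=${APP_KEY:?set APP_KEY in .env}` makes Compose refuse to start without a real key. `- 8000:8000/tcp` publishes plain HTTP on every host interface; `127.0.0.1:8000:8000/tcp` behind a TLS-terminating proxy is the safer default for an authenticator.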
From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 09:43:00 -0400 Subject: [PATCH 12/57] Change .sqlite to database.sqlite --- Dockerfile | 2 +- docker/docker-compose.yml | 2 +- docker/entrypoint.sh | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index fcd65309..27f46b2c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -116,7 +116,7 @@ ENV \ # Database config & credentials # DB_CONNECTION can be mysql DB_CONNECTION=sqlite \ - DB_DATABASE="/srv/database/.sqlite" \ + DB_DATABASE="/srv/database/database.sqlite" \ # if you want to use MySQL: DB_HOST=127.0.0.1 \ DB_PORT=3306 \ diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 17edb7a7..9e20b47a 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -40,7 +40,7 @@ services: # Database config & credentials # DB_CONNECTION can be mysql - DB_CONNECTION=sqlite - - DB_DATABASE="/srv/database/.sqlite" + - DB_DATABASE="/srv/database/database.sqlite" # if you want to use MySQL: - DB_HOST=mysql - DB_PORT=3306 diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index ff271d5b..23a995e9 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -9,11 +9,11 @@ trap cleanup 0 set -e if [ "${DB_CONNECTION}" = "sqlite" ]; then - if [ ! -f /2fauth/.sqlite ]; then - touch /2fauth/.sqlite + if [ ! -f /2fauth/database.sqlite ]; then + touch /2fauth/database.sqlite fi - rm -f /srv/database/.sqlite - ln -sF /2fauth/.sqlite /srv/database/.sqlite + rm -f /srv/database/database.sqlite + ln -sF /2fauth/database.sqlite /srv/database/database.sqlite fi sudo service php7.3-fpm start From 165668f1e52dfa36fedfc677b62a05a5a0626971 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 09:51:44 -0400 Subject: [PATCH 13/57] Symlink storage --- docker/entrypoint.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 23a995e9..296c103b 100644 --- a/docker/entrypoint.sh 
+++ b/docker/entrypoint.sh @@ -16,6 +16,14 @@ if [ "${DB_CONNECTION}" = "sqlite" ]; then ln -sF /2fauth/database.sqlite /srv/database/database.sqlite fi +# Inject storage in /2fauth and use it with a symlink +if [ ! -d /2fauth/storage ]; then + mv /srv/storage /2fauth/storage +else + rm -r /srv/storage +fi +ln -sF /2fauth/storage /srv/storage + sudo service php7.3-fpm start sudo service php7.3-fpm status From 44d21c714189401db2120c755773f175317a75b6 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 09:54:48 -0400 Subject: [PATCH 14/57] Add docker/README.md --- docker/README.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 docker/README.md diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 00000000..bf06cef0 --- /dev/null +++ b/docker/README.md 
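Review bot: `ln -sF` relies on a flag that does not mean what it does on BSD: in GNU coreutils `-F` is an alias of `-d` (attempt to hard-link directories) and is simply ignored with `-s`, so the line only works because the `mv`/`rm -r` ran first; `ln -sfn /2fauth/storage /srv/storage` says what is intended. When `/2fauth/storage` already exists from an earlier image, the `else` branch throws the image's `/srv/storage` away, so any sub-directory the shipped code has gained since (new `storage/framework/*` entries, for instance) never appears in the volume; I cannot see the app's layout, so this may not bite today, but `cp -an /srv/storage/. /2fauth/storage/` before the `rm -r` would carry missing entries over without overwriting. Note that this volume now also receives the private key written by `passport:install` and the application logs, so the directory's host permissions matter.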
@@ -0,0 +1,64 @@ +# Docker + +You can run 2fauth in a single Docker container. + +## Features + +- Runs without root as user `www-data` +- Only **182MB** (uncompressed amd64 image) +- Compatible with `amd64` only for now + +## Setup + +1. Create a directory on your host `2fauth`: + + ```sh + mkdir 2fauth + ``` + +1. **If your host is not Windows**: since the container runs without root as user `www-data` (`uid=33(www-data) gid=33(www-data) groups=33(www-data)`), you need to fix the ownership and permissions of that directory: + + ```sh + chown 33:33 2fauth + chmod 700 2fauth + ``` + +1. Run the container interactively: + + ```sh + docker run -it --rm -p 8000:8000/tcp \ + -v /yourpath/2fauth:/2fauth qmcgaw/2fauth + ``` + +1. Access it at [http://localhost:8000](http://localhost:8000) + +You can stop it with `CTRL+C`. + +- You can also run it in the background by replacing `-it --rm` with `-d`. +- You can set environment variables available (see the [.env.example](.env.example)) with `-e`, for example `-e APP_NAME=2FAuth`. +- You can also use the [docker-compose.yml](docker-compose.yml) with `docker-compose` and modify it as you wish. + +### Use an existing SQLite file + +If you already have an SQLite file, move it to `/yourpath/2fauth/database.sqlite` on your host before starting the container. Don't forget to fix its ownership and permissions if you run on *nix: + +```sh +chown 33:33 /yourpath/2fauth/database.sqlite +chmod 700 /yourpath/2fauth/database.sqlite +``` + +The container will automagically pick it up. + +## Implementation details + +- The container is based on `debian:buster-slim` +- The container runs an Nginx server together with PHP-FPM as a system service. +- The `/srv` directory holds the repository data and PHP code. +- The `/2fauth` directory is targeted for the container end users. +- By default the container logs the Nginx logs and the PHP-FPM logs. The application logs can be found in `/2fauth/storage/logs`. 
+ +## TODOs + +- Base image (or other image) on Alpine. +- Setup CI to build image on push to master +- Change Dockerfile and CI to cross build for all architectures. From 92029c4aff65de2b0924109475ff512043d3ce90 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 10:50:32 -0400 Subject: [PATCH 15/57] Fix permission for entrypoint for build on Linux --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 27f46b2c..e02dd7d5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -82,6 +82,7 @@ RUN composer dump-autoload --no-scripts --no-dev --optimize # Entrypoint ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] COPY --chown=www-data docker/entrypoint.sh /usr/local/bin/entrypoint.sh +RUN chmod 500 /usr/local/bin/entrypoint.sh ENV \ # You can change the name of the app From 9310b2871428fcac683bc1fcb30270c64c0621f7 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 10:51:03 -0400 Subject: [PATCH 16/57] Fix restart of container --- docker/entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 296c103b..48426a6b 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -30,6 +30,8 @@ sudo service php7.3-fpm status if [ -f /2fauth/installed ]; then php artisan migrate php artisan config:clear + php artisan storage:link + php artisan config:cache else php artisan migrate:refresh php artisan passport:install From 9d40eab1a499415e437f925156b3c25fd26c5c1e Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sat, 31 Jul 2021 10:53:33 -0400 Subject: [PATCH 17/57] Update TODOs --- docker/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/README.md b/docker/README.md index bf06cef0..4127f680 100644 --- a/docker/README.md +++ b/docker/README.md 
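Review bot: `chmod 500` is applied by, and to a file owned by, the `www-data` user (`COPY --chown=www-data` on the line above and `USER www-data` earlier in the file), so the protection is cosmetic: the owner can `chmod` it back, and a compromised PHP worker running as the same uid can rewrite the script that becomes PID 1 on the next start. Make the entrypoint root-owned and world-executable instead, e.g. move the `COPY`/`chmod` above `USER www-data`, or use `COPY --chmod=0555 docker/entrypoint.sh /usr/local/bin/entrypoint.sh` (BuildKit) without `--chown`. The same reasoning applies to `nginx.conf`, which is also copied with `--chown=www-data`.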
@@ -59,6 +59,7 @@ The container will automagically pick it up. ## TODOs +- Write short commit hash to installed file to only migrate on commit change - Base image (or other image) on Alpine. - Setup CI to build image on push to master - Change Dockerfile and CI to cross build for all architectures. From 6d674eb7fdde873d309c114e560646ca93448a5d Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sun, 1 Aug 2021 15:04:56 -0400 Subject: [PATCH 18/57] Add dockeri.co dynamic image --- docker/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/README.md b/docker/README.md index 4127f680..7c8f0c2a 100644 --- a/docker/README.md +++ b/docker/README.md @@ -1,5 +1,7 @@ # Docker +[![dockeri.co](https://dockeri.co/image/2fauth/2fauth)](https://hub.docker.com/r/2fauth/2fauth) + You can run 2fauth in a single Docker container. ## Features From fd9a24ef504f511803b5a96a182c8c712b444de0 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sun, 1 Aug 2021 15:06:54 -0400 Subject: [PATCH 19/57] Doc: change image size text to badge --- docker/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/README.md b/docker/README.md index 7c8f0c2a..51cdcbda 100644 --- a/docker/README.md +++ b/docker/README.md @@ -7,7 +7,7 @@ You can run 2fauth in a single Docker container. ## Features - Runs without root as user `www-data` -- Only **182MB** (uncompressed amd64 image) +- [![Latest size](https://img.shields.io/docker/image-size/2fauth/2fauth/latest?label=Image%20size)](https://hub.docker.com/r/2fauth/2fauth/tags) - Compatible with `amd64` only for now ## Setup @@ -29,7 +29,7 @@ You can run 2fauth in a single Docker container. ```sh docker run -it --rm -p 8000:8000/tcp \ - -v /yourpath/2fauth:/2fauth qmcgaw/2fauth + -v /yourpath/2fauth:/2fauth 2fauth/2fauth ``` 1. Access it at [http://localhost:8000](http://localhost:8000) From 2141f2cce0e9445eb7d75b55c3ed0c7e9a197fc5 Mon Sep 17 00:00:00 2001 
From: "Quentin McGaw (laptop)" Date: Sun, 1 Aug 2021 15:13:41 -0400 Subject: [PATCH 20/57] Doc: add reference to Docker document in main readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1c76a1a5..73c9d7ab 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,8 @@ A web app to manage your Two-Factor Authentication (2FA) accounts and generate t [**2FAuth Demo**](https://demo.2fauth.app/) +[**Use it with Docker**](docker) + Credentials (login - password) : *demo@2fauth.app* - *demo* ## Purpose From ced2aeb954a847478655cba56c02afe2e15c8a7c Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sun, 1 Aug 2021 15:14:34 -0400 Subject: [PATCH 21/57] Change qmcgaw/2fauth to 2fauth/2fauth --- docker/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 9e20b47a..fc18161a 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -1,7 +1,7 @@ version: "3" services: 2fauth: - image: qmcgaw/2fauth + image: 2fauth/2fauth container_name: 2fauth volumes: - ./2fauth:/2fauth From b7f63889497c5417f62f9da19a622f00a9c392b4 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (laptop)" Date: Sun, 1 Aug 2021 15:19:30 -0400 Subject: [PATCH 22/57] Doc: add Update section with docker pull --- docker/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docker/README.md b/docker/README.md index 51cdcbda..797496f4 100644 --- a/docker/README.md +++ b/docker/README.md @@ -51,6 +51,12 @@ chmod 700 /yourpath/2fauth/database.sqlite The container will automagically pick it up. +## Update + +The Docker image `2fauth/2fauth` is built on every commit pushed to the `master` branch. + +You can therefore pull the image with `docker pull 2fauth/2fauth` and restart the container to update it. + ## Implementation details - The container is based on `debian:buster-slim` From 1f4aac8dc22657299e8b6550cd0ae859a1a976fd Mon Sep 17 00:00:00 2001 
From: "Quentin McGaw (laptop)" Date: Sun, 1 Aug 2021 15:19:45 -0400 Subject: [PATCH 23/57] Doc: build the image section --- docker/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docker/README.md b/docker/README.md index 797496f4..81f9e3ed 100644 --- a/docker/README.md +++ b/docker/README.md @@ -57,6 +57,20 @@ The Docker image `2fauth/2fauth` is built on every commit pushed to the `master` You can therefore pull the image with `docker pull 2fauth/2fauth` and restart the container to update it. +## Build the image + +You can build the image from the `master` branch with `docker` and `git` using: + +```sh +docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git +``` + +You can also build a specific commit (see [master's commits](https://github.com/Bubka/2FAuth/commits/master)) by appending the commit hash with `#` to the command. For example: + +```sh +docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git#fba9e29bd4e3bb697296bb0bde60ae869537528b +``` + ## Implementation details - The container is based on `debian:buster-slim` From 3751e46eed1ebff2fca032f0afc1affcb5e15afd Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 10:37:03 -0400 Subject: [PATCH 24/57] Configure nginx to log to stdout and stderr --- Dockerfile | 2 -- docker/nginx.conf | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e02dd7d5..fadd154c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,8 +46,6 @@ RUN mkdir /run/php && \ EXPOSE 8000/tcp RUN touch /run/nginx.pid && \ chown www-data /run/nginx.pid -RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf # Create end user directory diff --git a/docker/nginx.conf b/docker/nginx.conf index fe0eac9b..cfa71f18 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf 
@@ -3,6 +3,9 @@ events {} http { include mime.types; + access_log /dev/stdout; + error_log /dev/stderr; + server { listen 8000; server_name 2fAuth; From d638b8f9512d65a78ff12401e1be555d6d6472b9 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 10:40:10 -0400 Subject: [PATCH 25/57] Verify Nginx config at build time --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index fadd154c..00ca5d64 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,6 +47,7 @@ EXPOSE 8000/tcp RUN touch /run/nginx.pid && \ chown www-data /run/nginx.pid COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf +RUN nginx -t # Create end user directory RUN mkdir -p /2fauth && \ From cb1efd552f8b1b889e55a50770104d2ee522f159 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 11:27:21 -0400 Subject: [PATCH 26/57] Use supervisord for Nginx+php-fpm --- Dockerfile | 19 ++++++++++--------- docker/entrypoint.sh | 12 +----------- docker/nginx.conf | 1 - docker/supervisord.conf | 19 +++++++++++++++++++ 4 files changed, 30 insertions(+), 21 deletions(-) create mode 100644 docker/supervisord.conf diff --git a/Dockerfile b/Dockerfile index 00ca5d64..dd83c511 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,17 @@ ARG DEBIAN_VERSION=buster-slim ARG COMPOSER_VERSION=2.1 +ARG SUPERVISORD_VERSION=v0.7.3 FROM composer:${COMPOSER_VERSION} AS composer +FROM qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION} AS supervisord FROM debian:${DEBIAN_VERSION} ENV DEBIAN_FRONTEND=noninteractive # Composer 2 COPY --from=composer --chown=www-data /usr/bin/composer /usr/bin/composer +# Supervisord from https://github.com/ochinchina/supervisord +COPY --from=supervisord --chown=www-data /bin /usr/local/bin/supervisord # Install PHP and PHP system dependencies RUN apt-get update && \ 
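Review bot: `error_log /dev/stderr;` is added inside the `http` block, so errors raised in the main context — including configuration-parse failures at startup — still go to the compiled-in default log path rather than the container's stderr. Moving that one directive to the top level (before `events {}`) covers both cases; the `http`-level `access_log /dev/stdout;` is fine where it is. The hunk shows only the start of the `http` block.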
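Review bot: `RUN nginx -t` runs as root at build time, so it validates the syntax of docker/nginx.conf but not whether the non-root user the image later switches to can open the pid file and log targets the config references. If that runtime check is wanted too, the same step can be repeated after the `USER` switch further down the Dockerfile (outside this hunk); otherwise a comment such as `# Syntax check only; runs as root during the build` makes the limit explicit.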
@@ -20,10 +24,8 @@ RUN apt-get update && \ php-xml php7.3-gd php7.3-mbstring \ # Unzip for composer unzip \ - # PHP FPM and sudo to run PHP-FPM without root - php7.3-fpm sudo \ - # Nginx to serve HTTP and communicate with PHP-FPM - nginx \ + # Nginx and PHP FPM to serve over HTTP + php7.3-fpm nginx \ && \ # Clean up apt-get clean && \ @@ -32,15 +34,11 @@ RUN apt-get update && \ chown -R www-data /var/log/nginx /var/lib/nginx/ # PHP FPM configuration -# Allow to run it with sudo from user www-data -RUN echo "www-data ALL = NOPASSWD: /usr/sbin/service php7.3-fpm start, /usr/sbin/service php7.3-fpm status, /usr/sbin/service php7.3-fpm stop" > /etc/sudoers.d/www-data && \ - chmod 0440 /etc/sudoers.d/www-data # Pre-create files with the correct permissions RUN mkdir /run/php && \ touch /var/log/php7.3-fpm.log && \ chown www-data /run/php /var/log/php7.3-fpm.log && \ - chmod 700 /run/php /var/log/php7.3-fpm.log && \ - ln -sf /dev/stdout /var/log/php7.3-fpm.log + chmod 700 /run/php /var/log/php7.3-fpm.log # Nginx configuration EXPOSE 8000/tcp @@ -49,6 +47,9 @@ RUN touch /run/nginx.pid && \ COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf RUN nginx -t +# Supervisord configuration +COPY --chown=www-data docker/supervisord.conf /etc/supervisor/supervisord.conf + # Create end user directory RUN mkdir -p /2fauth && \ chown -R www-data /2fauth && \ diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 48426a6b..8408d830 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,11 +1,5 @@ #!/bin/bash -cleanup() { - set +e - echo "Stopping php7.3-fpm service..." - sudo service php7.3-fpm stop -} -trap cleanup 0 set -e if [ "${DB_CONNECTION}" = "sqlite" ]; then @@ -24,9 +18,6 @@ else fi ln -sF /2fauth/storage /srv/storage -sudo service php7.3-fpm start -sudo service php7.3-fpm status - if [ -f /2fauth/installed ]; then php artisan migrate php artisan config:clear 
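Review bot: `COPY --from=supervisord --chown=www-data /bin /usr/local/bin/supervisord` makes the unprivileged runtime user the owner of the process-supervisor binary, and the same `--chown=www-data` applies to `/usr/bin/composer` on the line above; a compromised PHP worker could then overwrite either file. Binaries under `/usr/bin` and `/usr/local/bin` should stay root-owned and be readable/executable only — `COPY --from=supervisord /bin /usr/local/bin/supervisord` — since `www-data` does not need write access to run them. Separately, `qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION}` is a third-party image referenced by a mutable tag; pinning it with `@sha256:<digest-placeholder>` (or verifying the binary's checksum after the copy) makes the build reproducible and tamper-evident.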
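Review bot: Dropping `ln -sf /dev/stdout /var/log/php7.3-fpm.log` means php-fpm's global `error_log` — which the Debian default php-fpm.conf points at that file, if it has not been changed elsewhere — is now written to a regular file inside the container instead of reaching `docker logs`; supervisord's stdout capture only sees what php-fpm itself prints to stdout/stderr. If supervisord is meant to be the single log path, set php-fpm's `error_log` to `/proc/self/fd/2` in its config, or keep the symlink. Also `chmod 700` on a log file grants an execute bit nothing needs; `0600` expresses the intent.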
@@ -40,5 +31,4 @@ else echo "do not remove me" > /2fauth/installed fi -echo "Nginx listening on :8000" -nginx +supervisord diff --git a/docker/nginx.conf b/docker/nginx.conf index cfa71f18..6dd1f752 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -1,4 +1,3 @@ -daemon off; events {} http { include mime.types; diff --git a/docker/supervisord.conf b/docker/supervisord.conf new file mode 100644 index 00000000..b90aa151 --- /dev/null +++ b/docker/supervisord.conf @@ -0,0 +1,19 @@ +[supervisord] +nodaemon=true +pidfile=/run/supervisord.pid +loglevel=info + +[program-default] +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autorestart=false +startretries=0 + +[program:php-fpm] +command=php-fpm7.3 -F + +[program:nginx] +command=nginx -g 'daemon off;' +depends_on=php-fpm From a82524692798ca592b29dc1e00bbb194cbb3cece Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 11:27:54 -0400 Subject: [PATCH 27/57] Horribly ugly suffix empty space --- docker/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index fc18161a..644bbf9c 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -16,7 +16,7 @@ services: # Set to true if you want to see debug information in error screens. - APP_DEBUG=false # This should be your email address - - SITE_OWNER=mail@example.com + - SITE_OWNER=mail@example.com # The encryption key for our database and sessions. Keep this very secure. # If you generate a new one all existing data must be considered LOST. # Change it to a string of exactly 32 chars or use command `php artisan key:generate` to generate it From 544a4486a4b7e1b47ca78d677a0d7467da6632fa Mon Sep 17 00:00:00 2001 
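Review bot: The final `supervisord` line starts the supervisor as a child of the bash entrypoint, so bash remains PID 1 and the SIGTERM from `docker stop` is delivered to the shell, which does not forward it to supervisord or its nginx/php-fpm children; the container is then killed after the stop timeout instead of shutting down cleanly. Replacing the last line with `exec supervisord` hands PID 1 to supervisord, which also covers what the removed `trap cleanup 0` handler used to approximate. The `if`/`else` block above the change begins outside this hunk.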
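Review bot: With `autorestart=false` and `startretries=0` in `[program-default]`, a php-fpm crash leaves nginx running and answering 502s while the container itself stays up, so a runtime restart policy never triggers. Either let supervisord restart a failed program a bounded number of times (`autorestart=true` with a non-zero `startretries`) or make a program exit fatal for the container so the runtime restarts it; I could not confirm from this file which exit behaviour this supervisord build applies when a program stops. `depends_on=php-fpm` only orders startup; it does not tie nginx's lifecycle to php-fpm's.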
From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 11:28:03 -0400 Subject: [PATCH 28/57] Show program versions at start --- docker/entrypoint.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 8408d830..b109d526 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -2,6 +2,11 @@ set -e +# Show versions +echo "supervisord version: $(supervisord version)" +php-fpm7.3 -v | head -n 1 +nginx -v + if [ "${DB_CONNECTION}" = "sqlite" ]; then if [ ! -f /2fauth/database.sqlite ]; then touch /2fauth/database.sqlite From 1a04a75232cd9977930e7cc9fa8bcb96a07cef4f Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 12:34:51 -0400 Subject: [PATCH 29/57] No need for /var/www/.composer dir --- Dockerfile | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index dd83c511..61006645 100644 --- a/Dockerfile +++ b/Dockerfile @@ -60,10 +60,6 @@ WORKDIR /srv RUN chown -R www-data /srv && \ chmod 700 /srv -# Fix ownership for /var/www -RUN chown -R www-data /var/www && \ - chmod 700 /var/www - # Run without root USER www-data @@ -72,8 +68,7 @@ COPY --chown=www-data artisan composer.json composer.lock ./ # Disable xdebug RUN phpdismod xdebug COPY --chown=www-data database ./database -RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader && \ - rm -rf /var/www/.composer +RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader # Copy the rest of the code COPY --chown=www-data . . From 2a63caafc556a687557e5cb66bfb6f183e38c1f8 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 12:35:01 -0400 Subject: [PATCH 30/57] Simplify entrypoint if else blocks --- docker/entrypoint.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index b109d526..1a1c8310 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
@@ -26,14 +26,13 @@ ln -sF /2fauth/storage /srv/storage if [ -f /2fauth/installed ]; then php artisan migrate php artisan config:clear - php artisan storage:link - php artisan config:cache else php artisan migrate:refresh php artisan passport:install - php artisan storage:link - php artisan config:cache echo "do not remove me" > /2fauth/installed fi +php artisan storage:link +php artisan config:cache + supervisord From b4d8a121effbc4ba0a87152c82b46230712931c3 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 12:35:12 -0400 Subject: [PATCH 31/57] Use absolute paths in supervisor config --- docker/supervisord.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/supervisord.conf b/docker/supervisord.conf index b90aa151..b1591316 100644 --- a/docker/supervisord.conf +++ b/docker/supervisord.conf @@ -12,8 +12,8 @@ autorestart=false startretries=0 [program:php-fpm] -command=php-fpm7.3 -F +command=/usr/sbin/php-fpm7.3 -F [program:nginx] -command=nginx -g 'daemon off;' +command=/usr/sbin/nginx -g 'daemon off;' depends_on=php-fpm From 8c65d16e6b2660829a3a9083219e6e6a60037b1c Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 12:51:26 -0400 Subject: [PATCH 32/57] Remove nginx commented lines --- docker/nginx.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/docker/nginx.conf b/docker/nginx.conf index 6dd1f752..5840d556 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -10,9 +10,6 @@ http { server_name 2fAuth; root /srv/public; - # add_header X-Frame-Options "SAMEORIGIN"; - # add_header X-Content-Type-Options "nosniff"; - index index.php; charset utf-8; From 5be6724a697273758630dcd0db930edef0e18b4a Mon Sep 17 00:00:00 2001 
From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 18:18:18 -0400 Subject: [PATCH 33/57] Download and build vendor deps in separate stage - Faster rebuilds due to better caching - Lays the ground for faster cross building --- Dockerfile | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 61006645..d9c1aad8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,26 @@ ARG SUPERVISORD_VERSION=v0.7.3 FROM composer:${COMPOSER_VERSION} AS composer FROM qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION} AS supervisord +FROM debian:${DEBIAN_VERSION} AS vendor +ENV DEBIAN_FRONTEND=noninteractive +COPY --from=composer --chown=www-data /usr/bin/composer /usr/bin/composer +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + # PHP + php7.3 \ + # PHP extensions for composer + php-xml php7.3-mbstring \ + # Unzip for composer + unzip \ + && \ + # Clean up + apt-get clean && \ + rm -rf /var/cache/* /var/lib/apt/lists/* +WORKDIR /srv +COPY artisan composer.json composer.lock ./ +COPY database ./database +RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader + FROM debian:${DEBIAN_VERSION} ENV DEBIAN_FRONTEND=noninteractive @@ -22,8 +42,6 @@ RUN apt-get update && \ php7.3-sqlite3 php7.3-mysql \ # PHP extensions php-xml php7.3-gd php7.3-mbstring \ - # Unzip for composer - unzip \ # Nginx and PHP FPM to serve over HTTP php7.3-fpm nginx \ && \ @@ -64,11 +82,7 @@ RUN chown -R www-data /srv && \ USER www-data # Dependencies -COPY --chown=www-data artisan composer.json composer.lock ./ -# Disable xdebug -RUN phpdismod xdebug -COPY --chown=www-data database ./database -RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader +COPY --from=vendor --chown=www-data /srv/vendor /srv/vendor # Copy the rest of the code COPY --chown=www-data . . From d6215a055e393ceb44a3cf83062849fb4cd8a41c Mon Sep 17 00:00:00 2001 
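Review bot: `COPY --from=vendor --chown=www-data /srv/vendor /srv/vendor` and `COPY --chown=www-data . .` leave the whole application tree, `vendor/` included, owned by the user the PHP workers run as, so code execution inside a worker can rewrite application or vendor code persistently for the container's lifetime. Keeping the code root-owned and world-readable (drop `--chown=www-data` on these two lines) and moving `RUN composer dump-autoload ...` above the `USER www-data` switch leaves only the data paths writable. The entrypoint (not in this hunk) creates the `/srv/storage` symlink at runtime, so that link would need to be created at build time, or `/srv` kept writable, for this to work.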
From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 18:26:17 -0400 Subject: [PATCH 34/57] Change Dockerfile for cross building - Download and build vendor dependencies once on native platform - Build final image N times for N platforms with Docker emulation --- Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d9c1aad8..e790113f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,16 @@ +ARG BUILDPLATFORM=linux/amd64 +ARG TARGETPLATFORM ARG DEBIAN_VERSION=buster-slim ARG COMPOSER_VERSION=2.1 ARG SUPERVISORD_VERSION=v0.7.3 +FROM --platform=${BUILDPLATFORM} composer:${COMPOSER_VERSION} AS build-composer FROM composer:${COMPOSER_VERSION} AS composer FROM qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION} AS supervisord -FROM debian:${DEBIAN_VERSION} AS vendor +FROM --platform=${BUILDPLATFORM} debian:${DEBIAN_VERSION} AS vendor ENV DEBIAN_FRONTEND=noninteractive -COPY --from=composer --chown=www-data /usr/bin/composer /usr/bin/composer +COPY --from=build-composer --chown=www-data /usr/bin/composer /usr/bin/composer RUN apt-get update && \ apt-get install -y --no-install-recommends \ # PHP From f74b40f253fd014b56b241a26837297b4f73581f Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 18:55:50 -0400 Subject: [PATCH 35/57] Add Docker Hub description workflow --- .github/workflows/dockerhub-readme.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/dockerhub-readme.yml diff --git a/.github/workflows/dockerhub-readme.yml b/.github/workflows/dockerhub-readme.yml new file mode 100644 index 00000000..c6a701c3 --- /dev/null +++ b/.github/workflows/dockerhub-readme.yml 
@@ -0,0 +1,21 @@ +name: Docker Hub description +on: + push: + branches: [master] + paths: + - docker/README.md + - .github/workflows/dockerhub-readme.yml +jobs: + dockerHubDescription: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2.3.4 + - name: Docker Hub Description + uses: peter-evans/dockerhub-description@v2.4.3 + with: + username: 2fauth + password: ${{ secrets.DOCKERHUB_PASSWORD }} + repository: 2fauth/2fauth + short-description: A web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes + readme-filepath: docker/README.md \ No newline at end of file From b1d4717aaa8ccd46344a8778d26f1723a856447f Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 21:14:54 -0400 Subject: [PATCH 36/57] Use PHP image to get vendor dependencies (faster) --- Dockerfile | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index e790113f..1c8d8095 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 ARG TARGETPLATFORM ARG DEBIAN_VERSION=buster-slim +ARG PHP_VERSION=7.3 ARG COMPOSER_VERSION=2.1 ARG SUPERVISORD_VERSION=v0.7.3 
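Review bot: `peter-evans/dockerhub-description@v2.4.3` and `actions/checkout@v2.3.4` are referenced by mutable tags, and the first of them receives `secrets.DOCKERHUB_PASSWORD`; a tag moved to a malicious commit would expose that secret. Pinning both `uses:` lines to full commit SHAs (`uses: peter-evans/dockerhub-description@<commit-sha-placeholder> # v2.4.3`) fixes which code runs. Passing a Docker Hub access token scoped to the `2fauth/2fauth` repository instead of the account password also limits what a leak can do.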
@@ -8,20 +9,11 @@ FROM --platform=${BUILDPLATFORM} composer:${COMPOSER_VERSION} AS build-composer FROM composer:${COMPOSER_VERSION} AS composer FROM qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION} AS supervisord -FROM --platform=${BUILDPLATFORM} debian:${DEBIAN_VERSION} AS vendor +FROM --platform=${BUILDPLATFORM} php:${PHP_VERSION} AS vendor ENV DEBIAN_FRONTEND=noninteractive COPY --from=build-composer --chown=www-data /usr/bin/composer /usr/bin/composer RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - # PHP - php7.3 \ - # PHP extensions for composer - php-xml php7.3-mbstring \ - # Unzip for composer - unzip \ - && \ - # Clean up - apt-get clean && \ + apt-get install -y --no-install-recommends unzip && \ rm -rf /var/cache/* /var/lib/apt/lists/* WORKDIR /srv COPY artisan composer.json composer.lock ./ From 16225e441db5e1dfec2f0f594e36691774211e72 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 21:19:44 -0400 Subject: [PATCH 37/57] Pin PHP version to 7.3-buster --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 1c8d8095..886ecb24 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 ARG TARGETPLATFORM ARG DEBIAN_VERSION=buster-slim -ARG PHP_VERSION=7.3 +ARG PHP_VERSION=7.3-buster ARG COMPOSER_VERSION=2.1 ARG SUPERVISORD_VERSION=v0.7.3 From e9a517fde8c4ad9f1e543ee6f46b21bd7ace95c8 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 21:25:42 -0400 Subject: [PATCH 38/57] Add test stage --- .dockerignore | 2 -- Dockerfile | 7 +++++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.dockerignore b/.dockerignore index 22f96ea7..09738c3a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -5,7 +5,6 @@ tests .editorconfig .env.example .env.testing -.env.travis .gitattributes .gitignore .styleci.yml @@ -13,5 +12,4 @@ tests changelog.md Dockerfile LICENSE -phpunit.xml README.md 
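Review bot: Removing `.env.travis` and `phpunit.xml` from `.dockerignore` so the test stage can read them also puts both files into the production stage, since that stage ends with `COPY --chown=www-data . .` (visible in earlier hunks of this series). `.env.travis` carries test-only environment settings and `phpunit.xml` describes the test suite; neither belongs in a runtime image. Because `.dockerignore` applies to the whole build context, the practical fix is `RUN rm -f /srv/.env.travis /srv/phpunit.xml` right after the final `COPY . .` in the production stage.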
diff --git a/Dockerfile b/Dockerfile index 886ecb24..86d36185 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,6 +20,13 @@ COPY artisan composer.json composer.lock ./ COPY database ./database RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader +FROM --platform=${BUILDPLATFORM} vendor AS test +COPY . . +RUN mv .env.travis .env +RUN composer install +RUN php artisan key:generate +ENTRYPOINT [ "/srv/vendor/bin/phpunit" ] + FROM debian:${DEBIAN_VERSION} ENV DEBIAN_FRONTEND=noninteractive From 1f5b476aa291d3abbf18de617673124702e3be78 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Mon, 2 Aug 2021 23:31:31 -0400 Subject: [PATCH 39/57] Docker ignore webpack.mix.js --- .dockerignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.dockerignore b/.dockerignore index 09738c3a..3d889cfd 100644 --- a/.dockerignore +++ b/.dockerignore @@ -13,3 +13,4 @@ changelog.md Dockerfile LICENSE README.md +webpack.mix.js From 46b99fe2ea2963ed88e914f98f384d4519c6f947 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 09:24:33 -0400 Subject: [PATCH 40/57] Add opencontainers labels --- Dockerfile | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 86d36185..4119037f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -165,4 +165,16 @@ ENV \ MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}" \ MIX_ENV=local - +ARG VERSION=unknown +ARG CREATED="an unknown date" +ARG COMMIT=unknown +LABEL \ + org.opencontainers.image.authors="https://github.com/Bubka" \ + org.opencontainers.image.version=$VERSION \ + org.opencontainers.image.created=$CREATED \ + org.opencontainers.image.revision=$COMMIT \ + org.opencontainers.image.url="https://github.com/Bubka/2FAuth" \ + org.opencontainers.image.documentation="https://hub.docker.com/r/2fauth/2fauth" \ + org.opencontainers.image.source="https://github.com/Bubka/2FAuth" \ + org.opencontainers.image.title="2fauth" \ + org.opencontainers.image.description="A web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes" From f0eb18653e1d4263e92d678f9154160a2b4db172 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 09:27:10 -0400 Subject: [PATCH 41/57] Add Github Actions workflow for Docker\ - Run tests in verify job - Publish only if verify pass - Cross build only for master pushes and releases - Build for amd64 only for branches --- .github/workflows/ci.yml | 111 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..52c9f5a2 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,111 @@ +name: CI +on: + push: + paths: + - .github/workflows/ci.yml + - app/** + - bootstrap/** + - config/** + - database/** + - docker/** + - public/** + - resources/** + - routes/** + - storage/** + - tests/** + - .dockerignore + - .env.travis + - artisan + - composer.json + - composer.lock + - Dockerfile + - phpunit.xml + - server.php + pull_request: + paths: + - .github/workflows/ci.yml + - app/** + - bootstrap/** + - config/** + - database/** + - docker/** + - public/** + - resources/** + - routes/** + - storage/** + - tests/** + - .dockerignore + - .env.travis + - artisan + - composer.json + - composer.lock + - Dockerfile + - phpunit.xml + - server.php + +jobs: + verify: + runs-on: ubuntu-latest + env: + DOCKER_BUILDKIT: "1" + steps: + - uses: actions/checkout@v2.3.4 + + - name: Build test image + run: docker build --target test -t test-container . + + - name: Run tests in test container + run: | + touch coverage.txt + docker run --rm \ + test-container + + - name: Build final image + run: docker build . 
+ + publish: + needs: [verify] + if: github.event_name == 'push' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2.3.4 + + - uses: docker/setup-qemu-action@v1 + - uses: docker/setup-buildx-action@v1 + + - uses: docker/login-action@v1 + with: + username: 2fauth + password: ${{ secrets.DOCKERHUB_PASSWORD }} + + - name: Set variables + id: vars + env: + EVENT_NAME: ${{ github.event_name }} + run: | + BRANCH=${GITHUB_REF#refs/heads/} + TAG=${GITHUB_REF#refs/tags/} + echo ::set-output name=commit::$(git rev-parse --short HEAD) + echo ::set-output name=created::$(date -u +%Y-%m-%dT%H:%M:%SZ) + if [ "$TAG" != "$GITHUB_REF" ]; then + echo ::set-output name=version::$TAG + echo ::set-output name=platforms::linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7 + elif [ "$BRANCH" = "master" ]; then + echo ::set-output name=version::latest + echo ::set-output name=platforms::linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7 + else + echo ::set-output name=version::$BRANCH + echo ::set-output name=platforms::linux/amd64 + fi + + - name: Build and push final image + uses: docker/build-push-action@v2.6.1 + with: + platforms: ${{ steps.vars.outputs.platforms }} + build-args: | + CREATED=${{ steps.vars.outputs.created }} + COMMIT=${{ steps.vars.outputs.commit }} + VERSION=${{ steps.vars.outputs.version }} + tags: | + 2fauth/2fauth:${{ steps.vars.outputs.version }} + push: true \ No newline at end of file From 482e97e2c15ada1c6a001626e47724e91e9afcfb Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 09:31:59 -0400 Subject: [PATCH 42/57] Migrate if installed commit differs from program commit --- Dockerfile | 1 + docker/entrypoint.sh | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4119037f..e5533510 100644 --- a/Dockerfile +++ b/Dockerfile 
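Review bot: `docker/login-action@v1` is given `secrets.DOCKERHUB_PASSWORD`, the account password, and every `uses:` in both jobs (`actions/checkout@v2.3.4`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/build-push-action@v2.6.1`) is pinned by mutable tag rather than commit SHA, so a moved tag could exfiltrate that secret. Use a repository-scoped Docker Hub access token and pin each action to a full commit SHA with the version in a trailing comment. Separately, `echo ::set-output name=version::$BRANCH` becomes the image tag for any pushed branch; a branch name containing `/` is not a valid tag and the push will fail, so sanitise it (e.g. `BRANCH=${BRANCH//\//-}`) or restrict the publish job to `master` and tags. `touch coverage.txt` in the verify job creates a file nothing uses.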
@@ -168,6 +168,7 @@ ENV \ ARG VERSION=unknown ARG CREATED="an unknown date" ARG COMMIT=unknown +ENV COMMIT=${COMMIT} LABEL \ org.opencontainers.image.authors="https://github.com/Bubka" \ org.opencontainers.image.version=$VERSION \ diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 1a1c8310..2f8be0db 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -23,15 +23,20 @@ else fi ln -sF /2fauth/storage /srv/storage +# Note: ${COMMIT} is set by the CI if [ -f /2fauth/installed ]; then - php artisan migrate - php artisan config:clear + INSTALLED_COMMIT="$(cat /2fauth/installed)" + if [ "${INSTALLED_COMMIT}" != "${COMMIT}" ]; then + echo "Installed commit ${INSTALLED_COMMIT} is different from program commit ${COMMIT}, we are migrating..." + php artisan migrate + php artisan config:clear + fi else php artisan migrate:refresh php artisan passport:install - echo "do not remove me" > /2fauth/installed fi +echo "${COMMIT}" > /2fauth/installed php artisan storage:link php artisan config:cache From 2567906ccc2442c8659175e293fd21fd434ce83a Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 09:35:06 -0400 Subject: [PATCH 43/57] Docs: change database section --- docker/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docker/README.md b/docker/README.md index 81f9e3ed..0ea8580d 100644 --- a/docker/README.md +++ b/docker/README.md @@ -71,6 +71,12 @@ You can also build a specific commit (see [master's commits](https://github.com/ docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git#fba9e29bd4e3bb697296bb0bde60ae869537528b ``` +## Change database + +If you want to change database, for example switch from SQLite to MySQL, there is no migration yet. + +You might want to remove the `installed` file bind mounted in `/2fauth` so the database is re-created. + ## Implementation details - The container is based on `debian:buster-slim` From 6a6e19f6c0ea16c888757eadeca8e34d6120bbfb Mon Sep 17 00:00:00 2001 
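Review bot: `if [ "${INSTALLED_COMMIT}" != "${COMMIT}" ]` skips migrations whenever the two values match, and the Dockerfile hunk above defaults `COMMIT` to `unknown`, so any two locally built images (or CI builds that omit the `COMMIT` build-arg) compare `unknown` to `unknown` and never migrate after the first start even though the code changed. Treat the unknown value as "always migrate": `if [ "${COMMIT}" = "unknown" ] || [ "${INSTALLED_COMMIT}" != "${COMMIT}" ]; then`. The `else` branch above the change begins outside this hunk.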
From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 09:35:15 -0400 Subject: [PATCH 44/57] Docs: clean up todos --- docker/README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docker/README.md b/docker/README.md index 0ea8580d..8a2e1319 100644 --- a/docker/README.md +++ b/docker/README.md @@ -15,7 +15,7 @@ You can run 2fauth in a single Docker container. 1. Create a directory on your host `2fauth`: ```sh - mkdir 2fauth + mkdir 2fauth ``` 1. **If your host is not Windows**: since the container runs without root as user `www-data` (`uid=33(www-data) gid=33(www-data) groups=33(www-data)`), you need to fix the ownership and permissions of that directory: @@ -87,7 +87,4 @@ You might want to remove the `installed` file bind mounted in `/2fauth` so the d ## TODOs -- Write short commit hash to installed file to only migrate on commit change -- Base image (or other image) on Alpine. -- Setup CI to build image on push to master -- Change Dockerfile and CI to cross build for all architectures. +- Base image (or other image) on Alpine (for a possibly smaller image) From 82e199921b57ff7e52685058468f4a4ad659b5d9 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 10:36:08 -0400 Subject: [PATCH 45/57] Add trailing new line in ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 52c9f5a2..cf988ad8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -108,4 +108,4 @@ jobs: VERSION=${{ steps.vars.outputs.version }} tags: | 2fauth/2fauth:${{ steps.vars.outputs.version }} - push: true \ No newline at end of file + push: true From 25933bd4133a3491b7b8e22fb3a100ea46dac8fa Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Tue, 3 Aug 2021 10:37:42 -0400 Subject: [PATCH 46/57] Doc: add build status badge for ci.yml --- README.md | 1 + docker/README.md | 2 ++ 2 files changed, 3 insertions(+) 
diff --git a/README.md b/README.md index 73c9d7ab..526fc979 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # 2FAuth ![https://travis-ci.com/github/Bubka/2FAuth](https://img.shields.io/travis/com/bubka/2fauth?style=flat-square) +[![Docker build status](https://github.com/Bubka/2fauth/actions/workflows/ci.yml/badge.svg)](https://github.com/Bubka/2fauth/actions/workflows/ci.yml) ![https://codecov.io/gh/Bubka/2FAuth](https://img.shields.io/codecov/c/github/Bubka/2FAuth?style=flat-square) ![https://github.com/Bubka/2FAuth/blob/master/LICENSE](https://img.shields.io/github/license/Bubka/2FAuth.svg?style=flat-square) diff --git a/docker/README.md b/docker/README.md index 8a2e1319..b61a6266 100644 --- a/docker/README.md +++ b/docker/README.md @@ -1,5 +1,7 @@ # Docker +[![Build status](https://github.com/Bubka/2fauth/actions/workflows/ci.yml/badge.svg)](https://github.com/Bubka/2fauth/actions/workflows/ci.yml) + [![dockeri.co](https://dockeri.co/image/2fauth/2fauth)](https://hub.docker.com/r/2fauth/2fauth) You can run 2fauth in a single Docker container. From c24f5b27085e5b1f7a1a341b8f0eae2059d600c9 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 09:35:55 -0400 Subject: [PATCH 47/57] Remove support for mysql --- Dockerfile | 11 +++-------- docker/README.md | 7 +------ docker/docker-compose.yml | 9 +-------- 3 files changed, 5 insertions(+), 22 deletions(-) diff --git a/Dockerfile b/Dockerfile index e5533510..670db4ed 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,8 +40,8 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends \ # PHP php7.3 \ - # PHP SQL drivers - php7.3-sqlite3 php7.3-mysql \ + # PHP SQLite driver + php7.3-sqlite3 \ # PHP extensions php-xml php7.3-gd php7.3-mbstring \ # Nginx and PHP FPM to serve over HTTP 
@@ -126,14 +126,9 @@ ENV \ # nothing will get logged, ever. APP_LOG_LEVEL=notice \ # Database config & credentials - # DB_CONNECTION can be mysql + # DB_CONNECTION can only be sqlite DB_CONNECTION=sqlite \ DB_DATABASE="/srv/database/database.sqlite" \ - # if you want to use MySQL: - DB_HOST=127.0.0.1 \ - DB_PORT=3306 \ - DB_USERNAME=homestead \ - DB_PASSWORD=secret \ # If you're looking for performance improvements, you could install memcached. CACHE_DRIVER=file \ SESSION_DRIVER=file \ diff --git a/docker/README.md b/docker/README.md index b61a6266..63037c99 100644 --- a/docker/README.md +++ b/docker/README.md @@ -11,6 +11,7 @@ You can run 2fauth in a single Docker container. - Runs without root as user `www-data` - [![Latest size](https://img.shields.io/docker/image-size/2fauth/2fauth/latest?label=Image%20size)](https://hub.docker.com/r/2fauth/2fauth/tags) - Compatible with `amd64` only for now +- Stores data in a Sqlite database file ## Setup @@ -73,12 +74,6 @@ You can also build a specific commit (see [master's commits](https://github.com/ docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git#fba9e29bd4e3bb697296bb0bde60ae869537528b ``` -## Change database - -If you want to change database, for example switch from SQLite to MySQL, there is no migration yet. - -You might want to remove the `installed` file bind mounted in `/2fauth` so the database is re-created. - ## Implementation details - The container is based on `debian:buster-slim` diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 644bbf9c..299ac29e 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml 
@@ -37,15 +37,8 @@ services: # If you set it to debug your logs will grow large, and fast. If you set it to emergency probably # nothing will get logged, ever. - APP_LOG_LEVEL=notice - # Database config & credentials - # DB_CONNECTION can be mysql - - DB_CONNECTION=sqlite + # Database config (can only be sqlite) - DB_DATABASE="/srv/database/database.sqlite" - # if you want to use MySQL: - - DB_HOST=mysql - - DB_PORT=3306 - - DB_USERNAME=homestead - - DB_PASSWORD=secret # If you're looking for performance improvements, you could install memcached. - CACHE_DRIVER=file - SESSION_DRIVER=file From 08af4ef670782e911de76f89888de4e8e97557c9 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 10:10:23 -0400 Subject: [PATCH 48/57] Remove ignored directives from php-fpm pool config --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 670db4ed..b7fac15d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -54,6 +54,9 @@ RUN apt-get update && \ chown -R www-data /var/log/nginx /var/lib/nginx/ # PHP FPM configuration +# Remove ignored directives from php-fpm pool config +RUN sed -i '/user = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf && \ + sed -i '/group = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf # Pre-create files with the correct permissions RUN mkdir /run/php && \ touch /var/log/php7.3-fpm.log && \ From de7a3cae838930af08a43f8f41853f8ae59ff5fd Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 10:16:39 -0400 Subject: [PATCH 49/57] UID and GID as build arguments - Defaults to 1000:1000 instead of www-data - Update docker readme --- Dockerfile | 39 ++++++++++++++++++++++----------------- docker/README.md | 6 +++--- 2 files changed, 25 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index b7fac15d..fabd2e74 100644 --- a/Dockerfile +++ b/Dockerfile 
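Review bot: After removing `- DB_CONNECTION=sqlite`, the only database setting left in this list is `- DB_DATABASE="/srv/database/database.sqlite"`; in Compose's list form of `environment` the double quotes are part of the YAML scalar and, as far as I can tell, are passed literally into the container, unlike the Dockerfile `ENV` where the shell-style quotes are stripped. Writing it as `- DB_DATABASE=/srv/database/database.sqlite` avoids the application looking for a path that contains quote characters. This is a pre-existing line the hunk keeps; confirm against the Compose version in use before changing it.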
@@ -11,7 +11,7 @@ FROM qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION} AS supervisord FROM --platform=${BUILDPLATFORM} php:${PHP_VERSION} AS vendor ENV DEBIAN_FRONTEND=noninteractive -COPY --from=build-composer --chown=www-data /usr/bin/composer /usr/bin/composer +COPY --from=build-composer --chown=${UID}:${GID} /usr/bin/composer /usr/bin/composer RUN apt-get update && \ apt-get install -y --no-install-recommends unzip && \ rm -rf /var/cache/* /var/lib/apt/lists/* @@ -30,10 +30,13 @@ ENTRYPOINT [ "/srv/vendor/bin/phpunit" ] FROM debian:${DEBIAN_VERSION} ENV DEBIAN_FRONTEND=noninteractive +ARG UID=1000 +ARG GID=1000 + # Composer 2 -COPY --from=composer --chown=www-data /usr/bin/composer /usr/bin/composer +COPY --from=composer --chown=${UID}:${GID} /usr/bin/composer /usr/bin/composer # Supervisord from https://github.com/ochinchina/supervisord -COPY --from=supervisord --chown=www-data /bin /usr/local/bin/supervisord +COPY --from=supervisord --chown=${UID}:${GID} /bin /usr/local/bin/supervisord # Install PHP and PHP system dependencies RUN apt-get update && \ 
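Review bot: `COPY --from=build-composer --chown=${UID}:${GID} /usr/bin/composer /usr/bin/composer` in the `vendor` stage references `UID` and `GID`, but the only `ARG UID=1000` / `ARG GID=1000` declarations in this commit are in the final `debian` stage (second hunk), and Dockerfile `ARG`s are scoped per stage. In the `vendor` stage both expand to empty, giving `--chown=:`, which is at best an unintended ownership and at worst a build failure. Declare `ARG UID=1000` and `ARG GID=1000` right after `FROM --platform=${BUILDPLATFORM} php:${PHP_VERSION} AS vendor`, or declare them once before the first `FROM` and redeclare `ARG UID` / `ARG GID` in each stage that uses them.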
@@ -50,52 +53,54 @@ RUN apt-get update && \ # Clean up apt-get clean && \ rm -rf /var/cache/* /var/lib/apt/lists/* /etc/nginx/nginx.conf && \ - # Fix ownership to www-data - chown -R www-data /var/log/nginx /var/lib/nginx/ + # Fix ownership to ${UID}:${GID} + chown -R ${UID}:${GID} /var/log/nginx /var/lib/nginx/ # PHP FPM configuration -# Remove ignored directives from php-fpm pool config +# Change username and ownership in php-fpm pool config RUN sed -i '/user = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf && \ - sed -i '/group = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf + sed -i '/group = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf && \ + sed -i 's/listen.owner = www-data/listen.owner = ${UID}/g' /etc/php/7.3/fpm/pool.d/www.conf && \ + sed -i 's/listen.group = www-data/listen.group = ${GID}/g' /etc/php/7.3/fpm/pool.d/www.conf # Pre-create files with the correct permissions RUN mkdir /run/php && \ touch /var/log/php7.3-fpm.log && \ - chown www-data /run/php /var/log/php7.3-fpm.log && \ + chown ${UID}:${GID} /run/php /var/log/php7.3-fpm.log && \ chmod 700 /run/php /var/log/php7.3-fpm.log # Nginx configuration EXPOSE 8000/tcp RUN touch /run/nginx.pid && \ - chown www-data /run/nginx.pid -COPY --chown=www-data docker/nginx.conf /etc/nginx/nginx.conf + chown ${UID}:${GID} /run/nginx.pid +COPY --chown=${UID}:${GID} docker/nginx.conf /etc/nginx/nginx.conf RUN nginx -t # Supervisord configuration -COPY --chown=www-data docker/supervisord.conf /etc/supervisor/supervisord.conf +COPY --chown=${UID}:${GID} docker/supervisord.conf /etc/supervisor/supervisord.conf # Create end user directory RUN mkdir -p /2fauth && \ - chown -R www-data /2fauth && \ + chown -R ${UID}:${GID} /2fauth && \ chmod 700 /2fauth # Create /srv internal directory WORKDIR /srv -RUN chown -R www-data /srv && \ +RUN chown -R ${UID}:${GID} /srv && \ chmod 700 /srv # Run without root -USER www-data +USER ${UID}:${GID} # Dependencies -COPY --from=vendor --chown=www-data /srv/vendor /srv/vendor +COPY 
--from=vendor --chown=${UID}:${GID} /srv/vendor /srv/vendor # Copy the rest of the code -COPY --chown=www-data . . +COPY --chown=${UID}:${GID} . . RUN composer dump-autoload --no-scripts --no-dev --optimize # Entrypoint ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] -COPY --chown=www-data docker/entrypoint.sh /usr/local/bin/entrypoint.sh +COPY --chown=${UID}:${GID} docker/entrypoint.sh /usr/local/bin/entrypoint.sh RUN chmod 500 /usr/local/bin/entrypoint.sh ENV \ diff --git a/docker/README.md b/docker/README.md index 63037c99..938965df 100644 --- a/docker/README.md +++ b/docker/README.md @@ -8,10 +8,10 @@ You can run 2fauth in a single Docker container. ## Features -- Runs without root as user `www-data` - [![Latest size](https://img.shields.io/docker/image-size/2fauth/2fauth/latest?label=Image%20size)](https://hub.docker.com/r/2fauth/2fauth/tags) - Compatible with `amd64` only for now - Stores data in a Sqlite database file +- Runs without root as user with id `1000` and group id `1000` ## Setup @@ -21,10 +21,10 @@ You can run 2fauth in a single Docker container. mkdir 2fauth ``` -1. **If your host is not Windows**: since the container runs without root as user `www-data` (`uid=33(www-data) gid=33(www-data) groups=33(www-data)`), you need to fix the ownership and permissions of that directory: +1. **If your host is not Windows**: since the container runs without root as user `1000:1000`, you need to fix the ownership and permissions of that directory: ```sh - chown 33:33 2fauth + chown 1000:1000 2fauth chmod 700 2fauth ``` From 474331361ef4dc4b8e86f5a7a1fd3668cc60c396 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 10:19:24 -0400 Subject: [PATCH 50/57] Log out version, commit and build date at start --- Dockerfile | 5 ++++- docker/entrypoint.sh | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fabd2e74..bec512ca 100644 --- a/Dockerfile +++ b/Dockerfile 
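Review bot: The two new `sed` substitutions write the literal text `${UID}` and `${GID}` into `www.conf`: the replacement is inside single quotes, so the shell never expands the build args (Docker does not substitute variables in `RUN`, it only exports ARGs to the shell), and php-fpm will presumably fail to resolve a user named `${UID}` and refuse to start the pool. Use double quotes for those two lines: `sed -i "s/listen.owner = www-data/listen.owner = ${UID}/g" /etc/php/7.3/fpm/pool.d/www.conf` and `sed -i "s/listen.group = www-data/listen.group = ${GID}/g" /etc/php/7.3/fpm/pool.d/www.conf`. Separately, `USER ${UID}:${GID}` switches to an id with no passwd entry, so the `RUN composer dump-autoload` that follows runs without a real home directory; composer may still find a writable cache, but it is worth confirming, or setting `ENV COMPOSER_HOME=/tmp/composer` before that step.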
@@ -171,7 +171,10 @@ ENV \ ARG VERSION=unknown ARG CREATED="an unknown date" ARG COMMIT=unknown -ENV COMMIT=${COMMIT} +ENV \ + VERSION=${VERSION} \ + CREATED=${CREATED} \ + COMMIT=${COMMIT} LABEL \ org.opencontainers.image.authors="https://github.com/Bubka" \ org.opencontainers.image.version=$VERSION \ diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 2f8be0db..98503941 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -2,6 +2,8 @@ set -e +echo "Running version ${VERSION} commit ${COMMIT} built on ${CREATED}" + # Show versions echo "supervisord version: $(supervisord version)" php-fpm7.3 -v | head -n 1 From 76a5c1a84e582f6d15a220701990f3ce21b47ec7 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 10:22:26 -0400 Subject: [PATCH 51/57] Add section to build image for specific release to docker readme --- docker/README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 938965df..3ccc037c 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -68,7 +68,17 @@ You can build the image from the `master` branch with `docker` and `git` using: docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git ``` -You can also build a specific commit (see [master's commits](https://github.com/Bubka/2FAuth/commits/master)) by appending the commit hash with `#` to the command. For example: +### Build the image for a specific release + +You can build a [specific release](https://github.com/Bubka/2FAuth/releases) by appending the release tag with `#` to the command. For example: + +```sh +docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git#v2.1.0 +``` + +### Build the image for a specific commit + +You can build a specific commit (see [master's commits](https://github.com/Bubka/2FAuth/commits/master)) by appending the commit hash with `#` to the command. For example: ```sh docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git#fba9e29bd4e3bb697296bb0bde60ae869537528b From ce263e49eb07aea553dbaf3893d7944aa0ec0e29 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 10:23:19 -0400 Subject: [PATCH 52/57] Docs: docker readme: Build the image with build arguments --- docker/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docker/README.md b/docker/README.md index 3ccc037c..733b975d 100644 --- a/docker/README.md +++ b/docker/README.md @@ -28,6 +28,8 @@ You can run 2fauth in a single Docker container. chmod 700 2fauth ``` + 💁 if you feel like using another ID, you can [build the image with build arguments](#Build-the-image-with-build-arguments). + 1. Run the container interactively: ```sh 
@@ -84,6 +86,22 @@ You can build a specific commit (see [master's commits](https://github.com/Bubka docker build -t 2fauth/2fauth https://github.com/Bubka/2FAuth.git#fba9e29bd4e3bb697296bb0bde60ae869537528b ``` +### Build the image with build arguments + +There are the following build arguments you can use to customize the image using `--build-arg key=value`: + +| Build argument | Default | Description | +| --- | --- | --- | +| `UID` | 1000 | The UID of the user to run the container as | +| `GID` | 1000 | The GID of the user to run the container as | +| `DEBIAN_VERSION` | `buster-slim` | The Debian version to use | +| `PHP_VERSION` | `7.3-buster` | The PHP version to use to get composer dependencies | +| `COMPOSER_VERSION` | `2.1` | The version of composer to use | +| `SUPERVISORD_VERSION` | `v0.7.3` | The version of supervisord to use | +| `VERSION` | `unknown` | The version of the image | +| `CREATED` | `an unknown date` | The date of the image build time | +| `COMMIT` | `unknown` | The commit hash of the Git commit used | + ## Implementation details - The container is based on `debian:buster-slim` From 78ba73f34bd170eb513b3d392f43b64e994a549e Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 11:03:28 -0400 Subject: [PATCH 53/57] Change to Alpine for x2 smaller image --- Dockerfile | 52 ++++++++++++++++++++--------------------- docker/entrypoint.sh | 8 +++---- docker/nginx.conf | 2 +- docker/supervisord.conf | 2 +- 4 files changed, 31 insertions(+), 33 deletions(-) diff --git a/Dockerfile b/Dockerfile index bec512ca..96b8e6fe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 ARG TARGETPLATFORM -ARG DEBIAN_VERSION=buster-slim -ARG PHP_VERSION=7.3-buster +ARG ALPINE_VERSION=3.14 +ARG PHP_VERSION=7.3-alpine${ALPINE_VERSION} ARG COMPOSER_VERSION=2.1 ARG SUPERVISORD_VERSION=v0.7.3 
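Review bot: `ALPINE_VERSION=3.14` and `PHP_VERSION=7.3-alpine${ALPINE_VERSION}` float on minor tags, so two builds of the same commit can resolve to different base images; for an image that stores TOTP secrets it is worth pinning the final-stage base by digest (`FROM alpine:${ALPINE_VERSION}@sha256:…`, the FROM line itself is outside this hunk) and bumping it deliberately. Note also that the vendor stage resolves dependencies under the official `php:7.3` build while the runtime stage installs Alpine 3.14's `php7` apk package, which as far as I recall is a 7.4.x build — confirm the two agree (or set `config.platform.php` in composer.json) so the lock file and `platform_check.php` match the interpreter that actually runs. PHP 7.3 is in security-only support at the date of this commit and reaches end of life in December 2021, so the build-stage tag should move to 7.4 soon regardless.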
@@ -10,15 +10,13 @@ FROM composer:${COMPOSER_VERSION} AS composer FROM qmcgaw/binpot:supervisord-${SUPERVISORD_VERSION} AS supervisord FROM --platform=${BUILDPLATFORM} php:${PHP_VERSION} AS vendor -ENV DEBIAN_FRONTEND=noninteractive COPY --from=build-composer --chown=${UID}:${GID} /usr/bin/composer /usr/bin/composer -RUN apt-get update && \ - apt-get install -y --no-install-recommends unzip && \ - rm -rf /var/cache/* /var/lib/apt/lists/* +RUN apk add --no-cache unzip WORKDIR /srv COPY artisan composer.json composer.lock ./ COPY database ./database RUN composer install --prefer-dist --no-scripts --no-dev --no-autoloader +RUN composer dump-autoload --no-scripts --no-dev --optimize FROM --platform=${BUILDPLATFORM} vendor AS test COPY . . @@ -27,8 +25,7 @@ RUN composer install RUN php artisan key:generate ENTRYPOINT [ "/srv/vendor/bin/phpunit" ] -FROM debian:${DEBIAN_VERSION} -ENV DEBIAN_FRONTEND=noninteractive +FROM alpine:${ALPINE_VERSION} ARG UID=1000 ARG GID=1000 
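Review bot: `composer dump-autoload --optimize` now runs in the vendor stage when only `artisan`, `composer.json`, `composer.lock` and `database/` have been copied, so the generated classmap cannot include the application's own classes (whatever `composer.json` maps to directories such as `app/`, which are copied only in the final stage); they still load through the PSR-4 fallback, but the optimization covers vendor code only. If the intent is to keep composer out of the runtime image, copy the application sources into this stage before the dump; if the intent is cache reuse, keep a second `RUN composer dump-autoload --no-scripts --no-dev --optimize` after `COPY . .` in the final stage. The paths written into the class map are relative to `/srv` and the final stage uses the same `WORKDIR /srv`, so the map itself stays valid either way.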
@@ -39,39 +36,40 @@ COPY --from=composer --chown=${UID}:${GID} /usr/bin/composer /usr/bin/composer COPY --from=supervisord --chown=${UID}:${GID} /bin /usr/local/bin/supervisord # Install PHP and PHP system dependencies -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ +RUN apk add --update --no-cache \ # PHP - php7.3 \ + php7 \ + # Composer dependencies + php7-phar \ # PHP SQLite driver - php7.3-sqlite3 \ + php7-pdo_sqlite php7-sqlite3 \ # PHP extensions - php-xml php7.3-gd php7.3-mbstring \ + php7-xml php7-gd php7-mbstring \ + # Runtime dependencies + php7-session php7-json php7-openssl \ # Nginx and PHP FPM to serve over HTTP - php7.3-fpm nginx \ + php7-fpm nginx \ && \ # Clean up - apt-get clean && \ - rm -rf /var/cache/* /var/lib/apt/lists/* /etc/nginx/nginx.conf && \ + rm /etc/nginx/nginx.conf && \ # Fix ownership to ${UID}:${GID} - chown -R ${UID}:${GID} /var/log/nginx /var/lib/nginx/ + chown -R ${UID}:${GID} /var/lib/nginx/ # PHP FPM configuration # Change username and ownership in php-fpm pool config -RUN sed -i '/user = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf && \ - sed -i '/group = www-data/d' /etc/php/7.3/fpm/pool.d/www.conf && \ - sed -i 's/listen.owner = www-data/listen.owner = ${UID}/g' /etc/php/7.3/fpm/pool.d/www.conf && \ - sed -i 's/listen.group = www-data/listen.group = ${GID}/g' /etc/php/7.3/fpm/pool.d/www.conf +RUN sed -i '/user = nobody/d' /etc/php7/php-fpm.d/www.conf && \ + sed -i '/group = nobody/d' /etc/php7/php-fpm.d/www.conf && \ + sed -i '/listen.owner/d' /etc/php7/php-fpm.d/www.conf && \ + sed -i '/listen.group/d' /etc/php7/php-fpm.d/www.conf # Pre-create files with the correct permissions RUN mkdir /run/php && \ - touch /var/log/php7.3-fpm.log && \ - chown ${UID}:${GID} /run/php /var/log/php7.3-fpm.log && \ - chmod 700 /run/php /var/log/php7.3-fpm.log + chown ${UID}:${GID} /run/php /var/log/php7 && \ + chmod 700 /run/php /var/log/php7 # Nginx configuration EXPOSE 8000/tcp -RUN touch /run/nginx.pid && \ - chown 
${UID}:${GID} /run/nginx.pid +RUN touch /run/nginx/nginx.pid /var/lib/nginx/logs/error.log && \ + chown ${UID}:${GID} /run/nginx/nginx.pid /var/lib/nginx/logs/error.log COPY --chown=${UID}:${GID} docker/nginx.conf /etc/nginx/nginx.conf RUN nginx -t @@ -96,7 +94,7 @@ COPY --from=vendor --chown=${UID}:${GID} /srv/vendor /srv/vendor # Copy the rest of the code COPY --chown=${UID}:${GID} . . -RUN composer dump-autoload --no-scripts --no-dev --optimize +# RUN composer dump-autoload --no-scripts --no-dev --optimize # Entrypoint ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 98503941..e5ea071a 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh set -e @@ -6,7 +6,7 @@ echo "Running version ${VERSION} commit ${COMMIT} built on ${CREATED}" # Show versions echo "supervisord version: $(supervisord version)" -php-fpm7.3 -v | head -n 1 +php-fpm7 -v | head -n 1 nginx -v if [ "${DB_CONNECTION}" = "sqlite" ]; then @@ -14,7 +14,7 @@ if [ "${DB_CONNECTION}" = "sqlite" ]; then touch /2fauth/database.sqlite fi rm -f /srv/database/database.sqlite - ln -sF /2fauth/database.sqlite /srv/database/database.sqlite + ln -s /2fauth/database.sqlite /srv/database/database.sqlite fi # Inject storage in /2fauth and use it with a symlink @@ -23,7 +23,7 @@ if [ ! -d /2fauth/storage ]; then else rm -r /srv/storage fi -ln -sF /2fauth/storage /srv/storage +ln -s /2fauth/storage /srv/storage # Note: ${COMMIT} is set by the CI if [ -f /2fauth/installed ]; then diff --git a/docker/nginx.conf b/docker/nginx.conf index 5840d556..defee915 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf @@ -24,7 +24,7 @@ http { error_page 404 /index.php; location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; include fastcgi_params; } 
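Review bot: `apk add --update --no-cache` installs `php7*` and `nginx` at whatever version the 3.14 index serves on the day of the build, and `--update` is redundant with `--no-cache`, which already fetches a fresh index. Drop `--update` and either pin the packages (`php7-fpm=…`, `nginx=…`, knowing Alpine purges old versions) or pin the base image by digest so that rebuilds are reproducible. The deletion of `listen.owner`/`listen.group` from `www.conf` only makes sense because Alpine's default pool keeps `listen = 127.0.0.1:9000`; add a one-line comment saying so, e.g. `# Alpine's pool listens on 127.0.0.1:9000, so the socket ownership directives are unused`, since the `/run/php` directory this hunk still creates with mode 700 is otherwise now unexplained.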
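Review bot: Commenting out `RUN composer dump-autoload` leaves the final stage with no use of composer at all, yet `/usr/bin/composer` (the `COPY --from=composer` at the top of this stage) and the `php7-phar` package installed "for composer" remain in the runtime image. Remove both from the final stage instead of keeping a commented-out line: a package manager that can download and execute PHP is needless attack surface in an image that serves 2FA secrets, and `php7-phar` would then only be kept if the application itself needs it.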
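Review bot: Switching `fastcgi_pass` from the Unix socket to `127.0.0.1:9000` exposes php-fpm to every process that shares the container's network namespace — other containers in a Kubernetes pod or a compose service using `network_mode: "service:…"` — and a direct FastCGI client chooses `SCRIPT_FILENAME` itself, i.e. it can execute any PHP file on the filesystem without going through this nginx `location`. For a single container nothing else is in that namespace, but the single-container assumption is not stated anywhere. The `/run/php` directory is still created with mode 700 for the runtime user in the Dockerfile, so the socket remains the safer default: `listen = /run/php/php-fpm.sock` in `www.conf` and `fastcgi_pass unix:/run/php/php-fpm.sock;` here; if TCP is kept, document the namespace-sharing caveat in the Docker readme.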
diff --git a/docker/supervisord.conf b/docker/supervisord.conf index b1591316..c685ff0d 100644 --- a/docker/supervisord.conf +++ b/docker/supervisord.conf @@ -12,7 +12,7 @@ autorestart=false startretries=0 [program:php-fpm] -command=/usr/sbin/php-fpm7.3 -F +command=/usr/sbin/php-fpm7 -F [program:nginx] command=/usr/sbin/nginx -g 'daemon off;' From e3da58d55dfee22f19cb7c65981a2b938ba0975d Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 16:35:39 -0400 Subject: [PATCH 54/57] CI: only run publish job if on base repo --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cf988ad8..a7594138 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -65,10 +65,13 @@ jobs: publish: needs: [verify] - if: github.event_name == 'push' + if: github.event_name == 'push' && github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v2.3.4 + with: + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} - uses: docker/setup-qemu-action@v1 - uses: docker/setup-buildx-action@v1 From 364939fdedb68702b4dc343df709d57a9e1c4c2c Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 16:38:35 -0400 Subject: [PATCH 55/57] Add trailing new line to docker hub readme workflow --- .github/workflows/dockerhub-readme.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerhub-readme.yml b/.github/workflows/dockerhub-readme.yml index c6a701c3..1f804c60 100644 --- a/.github/workflows/dockerhub-readme.yml +++ b/.github/workflows/dockerhub-readme.yml 
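Review bot: On a `push` event `github.event.pull_request` is empty, so `github.event.pull_request.head.repo.full_name == github.repository` is always false and the added condition disables the `publish` job entirely instead of restricting it to the base repository. A push always targets the repository the workflow runs in, so the intended guard is `if: github.event_name == 'push' && github.repository == 'Bubka/2FAuth'` (the repository path shown in docker/README.md elsewhere in this series). The `ref:` and `repository:` inputs added to `actions/checkout` are likewise empty on pushes and can be dropped; if this job is ever extended to `pull_request_target`, checking out a fork's head in a job that holds the Docker Hub secrets is exactly the pattern to avoid.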
@@ -18,4 +18,4 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} repository: 2fauth/2fauth short-description: A web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes - readme-filepath: docker/README.md \ No newline at end of file + readme-filepath: docker/README.md From 0f1af9d1c63256092d3f4e71285460c754f1e360 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 16:47:21 -0400 Subject: [PATCH 56/57] Docs: docker readme final pass - CPU arch compatibility - Assumption on path being `/yourpath` - Fix chown from 33 to 1000 - Warning to back up the database before updating - Add tagged images information - Update implementation details - Remove TODOs as they are all done --- docker/README.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docker/README.md b/docker/README.md index 733b975d..df16ac28 100644 --- a/docker/README.md +++ b/docker/README.md @@ -9,13 +9,15 @@ You can run 2fauth in a single Docker container. ## Features - [![Latest size](https://img.shields.io/docker/image-size/2fauth/2fauth/latest?label=Image%20size)](https://hub.docker.com/r/2fauth/2fauth/tags) -- Compatible with `amd64` only for now -- Stores data in a Sqlite database file +- Compatible with: `amd64`, `386`, `arm64`, `arm/v6` and `arm/v7` +- Stores data in an Sqlite database file +- Runs without root as user with id `1000` and group id `1000` ## Setup -1. Create a directory on your host `2fauth`: +We assume your current directory is `/yourpath`. + +1. Create a directory on your host: ```sh mkdir 2fauth 
@@ -50,7 +52,7 @@ You can stop it with `CTRL+C`. If you already have an SQLite file, move it to `/yourpath/2fauth/database.sqlite` on your host before starting the container. Don't forget to fix its ownership and permissions if you run on *nix: ```sh -chown 33:33 /yourpath/2fauth/database.sqlite +chown 1000:1000 /yourpath/2fauth/database.sqlite chmod 700 /yourpath/2fauth/database.sqlite ``` @@ -58,10 +60,14 @@ The container will automagically pick it up. ## Update +⚠️ At the very least, backup your `database.sqlite` file to avoid bad surprises! + The Docker image `2fauth/2fauth` is built on every commit pushed to the `master` branch. You can therefore pull the image with `docker pull 2fauth/2fauth` and restart the container to update it. +You can also use tagged images, see [Docker Hub tags](https://hub.docker.com/r/2fauth/2fauth/tags?page=1&ordering=last_updated) which are produced on Github releases. + ## Build the image You can build the image from the `master` branch with `docker` and `git` using: @@ -104,12 +110,8 @@ There are the following build arguments you can use to customize the image using ## Implementation details -- The container is based on `debian:buster-slim` -- The container runs an Nginx server together with PHP-FPM as a system service. +- The final Docker image is based on `alpine:3.14` with minimal packages installed +- The container runs [`supervisord`](https://github.com/ochinchina/supervisord) to handle both an Nginx server and a PHP-FPM server together - The `/srv` directory holds the repository data and PHP code. - The `/2fauth` directory is targeted for the container end users. -- By default the container logs the Nginx logs and the PHP-FPM logs. The application logs can be found in `/2fauth/storage/logs`. - -## TODOs - -- Base image (or other image) on Alpine (for a possibly smaller image) +- By default the container logs the Nginx logs and the PHP-FPM logs. The application logs (if any) can be found in `/2fauth/storage/logs`. 
From 0e7ddcb8cb88a71fa0fde2cc66759e71c8a9c816 Mon Sep 17 00:00:00 2001 From: "Quentin McGaw (desktop)" Date: Wed, 4 Aug 2021 16:52:58 -0400 Subject: [PATCH 57/57] Only run DockerHub description workflow on base repo --- .github/workflows/dockerhub-readme.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/dockerhub-readme.yml b/.github/workflows/dockerhub-readme.yml index 1f804c60..9079a189 100644 --- a/.github/workflows/dockerhub-readme.yml +++ b/.github/workflows/dockerhub-readme.yml @@ -7,6 +7,7 @@ on: - .github/workflows/dockerhub-readme.yml jobs: dockerHubDescription: + if: github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest steps: - name: Checkout
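Review bot: The added `if: github.event.pull_request.head.repo.full_name == github.repository` compares against a context that is only populated for pull-request events, so if this workflow is triggered by `push` (the event keys of the `on:` block are above this hunk; only its `paths` filter is visible) the job never runs and the Docker Hub description is never updated again. The base-repository guard for pushes is `if: github.repository == 'Bubka/2FAuth'`. If the trigger is `pull_request` instead, the check is redundant, because fork-originated PRs do not receive `secrets.DOCKERHUB_PASSWORD` and the login step already fails for them.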