From 99032ef15c863470d128978c397b3e91e79fdbc0 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Wed, 6 Nov 2019 22:26:30 +0100 Subject: [PATCH] a dockerized EGroupware development enviroment --- doc/docker/development/Dockerfile | 82 ++++++++++++ doc/docker/development/build.sh | 23 ++++ doc/docker/development/docker-compose.yml | 155 ++++++++++++++++++++++ doc/docker/development/entrypoint.sh | 116 ++++++++++++++++ doc/docker/development/nginx.conf | 117 ++++++++++++++++ 5 files changed, 493 insertions(+) create mode 100644 doc/docker/development/Dockerfile create mode 100755 doc/docker/development/build.sh create mode 100644 doc/docker/development/docker-compose.yml create mode 100755 doc/docker/development/entrypoint.sh create mode 100644 doc/docker/development/nginx.conf diff --git a/doc/docker/development/Dockerfile b/doc/docker/development/Dockerfile new file mode 100644 index 0000000000..feec6db843 --- /dev/null +++ b/doc/docker/development/Dockerfile @@ -0,0 +1,82 @@ +################################################################################ +## +## EGroupware FPM container using Ubuntu 18.04 and PHP 7.3 from ondrej/php PPA +## +################################################################################ +FROM ubuntu:18.04 +MAINTAINER rb@egroupware.org + +ARG VERSION=dev-master + +RUN apt-get update \ + && apt-get install -y software-properties-common \ + && LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php \ + && apt-get update \ + && bash -c "apt-get install -y php7.3-{cli,mysql,json,gd,xsl,bz2,opcache,apcu,tidy,zip,bcmath,mbstring,smbclient,ldap,curl,fpm,pgsql,gmp}" \ + # fpm and php.ini settings + && sed -e 's/^;\?listen \?=.*/listen = 9000/g' \ + -e '/allowed_clients/d' \ + -e '/pm.max_children/s/=.*/= 80/' \ + -e '/catch_workers_output/s/^;/;/' \ + -e '/error_log/d' \ + -e 's/^;\?pm.max_requests =.*/pm.max_requests = 30/' \ + -e 's/^;\?php_admin_value\[memory_limit\].*/php_admin_value[memory_limit] = 172M/' \ + -e 's/^;\?request_terminate_timeout.*/request_terminate_timeout = 70m/' \ + -i /etc/php/7.3/fpm/pool.d/www.conf \ + && sed -e 's/^;\?session.gc_maxlifetime.*/session.gc_maxlifetime = 14400/g' \ + -e 's|^;\?date.timezone.*|date.timezone = UTC|g' \ + -e 's|^;\?sys_temp_dir.*|sys_temp_dir = /tmp|g' \ + -e 's|^;\?disable_functions.*|disable_functions = exec,passthru,shell_exec,system,proc_open,popen|g' \ + -e 's|^;\?max_execution_time \?=.*|max_execution_time = 90|g' \ + -e 's|^;\?upload_max_filesize \?=.*|upload_max_filesize = 64M|g' \ + -e 's|^;\?post_max_size \?=.*|post_max_size = 65M|g' \ + -e 's|^;\?max_input_vars \?=.*|max_input_vars = 2000|g' \ + -e 's|^;\?zlib.output_compression \?=.*|zlib.output_compression = On|g' \ + -e 's|^;\?opcache.validate_timestamps \?=.*|opcache.validate_timestamps=0|g' \ + -i /etc/php/7.3/fpm/php.ini \ + && sed -e 's|^;\?date.timezone.*|date.timezone = UTC|g' \ + -e 's|^;\?sys_temp_dir.*|sys_temp_dir = /tmp|g' \ + -i /etc/php/7.3/cli/php.ini \ + # create directory for pid file + && mkdir -p /run/php \ + # send logs to stderr to be viewed by docker logs + && ln -s /dev/stderr /var/log/php7.3-fpm.log \ + # install tools to build EGroupware + && apt-get install -y rsync npm zip curl sudo cron patch \ + && npm install -g grunt-cli \ + && bash -c \ +'EXPECTED_SIGNATURE=$(curl https://composer.github.io/installer.sig); \ +curl https://getcomposer.org/installer > composer-setup.php; \ +ACTUAL_SIGNATURE=$(php -r "echo hash_file(\"sha384\", \"composer-setup.php\");"); \ +if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]; \ +then \ + >&2 echo "ERROR: Invalid Composer installer signature"; \ + RESULT=1; \ +else \ + php composer-setup.php --quiet --install-dir /usr/local/bin; \ + RESULT=$?; \ +fi; \ +rm composer-setup.php; \ +exit $RESULT' \ + # disable certificate checks for LDAP as most LDAP and AD servers have no "valid" cert + && echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf + +# install diverse developper tools, not installed above / in stock container +RUN apt-get install -y php7.3-xdebug git vim yarn \ + && echo "xdebug.remote_enable=1" >> /etc/php/7.3/fpm/conf.d/20-xdebug.ini \ + && echo "xdebug.remote_port=9001" >> /etc/php/7.3/fpm/conf.d/20-xdebug.ini \ + && echo "xdebug.remote_host=172.17.0.1" >> /etc/php/7.3/fpm/conf.d/20-xdebug.ini \ + && ln -s /usr/local/bin/composer.phar /usr/local/bin/composer \ + && sed -e 's|^;\?opcache.validate_timestamps \?=.*|opcache.validate_timestamps=1|g' \ + -i /etc/php/7.3/fpm/php.ini \ + && apt-get clean + +VOLUME /var/www +VOLUME /var/lib/egroupware + +EXPOSE 9000 + +ADD entrypoint.sh / + +CMD ["php-fpm7.3", "--nodaemonize"] +ENTRYPOINT ["/entrypoint.sh"] diff --git a/doc/docker/development/build.sh b/doc/docker/development/build.sh new file mode 100755 index 0000000000..35fbe6c6af --- /dev/null +++ b/doc/docker/development/build.sh @@ -0,0 +1,23 @@ +#!/bin/bash -x + +DEFAULT=$(git branch|grep ^*|cut -c3-) +TAG=${1:-$DEFAULT} +VERSION=$TAG +BRANCH=$(echo $VERSION|sed 's/\.[0-9]\{8\}$//') +[ $VERSION = $BRANCH ] && VERSION="$BRANCH.x-dev" + +cd $(dirname $0) + +docker pull ubuntu:18.04 +docker build --build-arg "VERSION=$VERSION" -t egroupware/development:$TAG . && { + docker push egroupware/development:$TAG + # tag only stable releases as latest + [ $TAG != "master" ] && { + docker tag egroupware/development:$TAG egroupware/development:latest + docker push egroupware/development:latest + } + [ "$BRANCH" != $VERSION -a "${BRANCH}.x-dev" != $VERSION ] && { + docker tag egroupware/development:$VERSION egroupware/development:$BRANCH + docker push egroupware/development:$BRANCH + } +} diff --git a/doc/docker/development/docker-compose.yml b/doc/docker/development/docker-compose.yml new file mode 100644 index 0000000000..cd0f9cb3c4 --- /dev/null +++ b/doc/docker/development/docker-compose.yml @@ -0,0 +1,155 @@ +version: '3' +volumes: + # data directory: here are the files stored (/var/lib/egroupware by default) + data: + driver_opts: + type: none + o: bind + # to upgrade an existing non-docker installation most easy is to use the existing + # data directory /var/lib/egroupware AND the host database see below + #device: /var/lib/egroupware + # otherwise data is stored in data subdirectory of the current directory + device: $PWD/data + # sources directory or document root mounted as /var/www inside the container + sources: + driver_opts: + type: none + o: bind + # use this if you have an existing document root with an egroupware directory inside + #device: /var/www + # otherwise sources/document is stored in sources subdirectory of current directory + device: $PWD/sources + # sources for push server, swoolpush subdirectory of egroupware + sources-push: + driver_opts: + type: none + o: bind + device: $PWD/sources/egroupware/swoolpush + # for Mac and Windows, do NOT use a directory for the DB, as the Docker host is in a VM! + db: + sessions: + # cache files from compose, npm and yarn (actually /root inside the container) + cache: +services: + egroupware: + image: egroupware/development:master + # setting a default language for a new installation + #environment: + #- LANG=de + volumes: + - sources:/var/www + - data:/var/lib/egroupware + - sessions:/var/lib/php/sessions + - cache:/root + # if you want to use the host database: + # 1. comment out the whole db service below AND + # 2. set EGW_DB_HOST=localhost AND + # 3. uncomment the next line and modify the host path (first one), it depends on your distro: + # - RHEL/CentOS /var/lib/mysql/mysql.sock + # - openSUSE/SLE /var/run/mysql/mysql.sock + # - Debian/Ubuntu /var/run/mysqld/mysqld.sock + #- /var/run/mysqld/mysqld.sock:/var/run/mysqld/mysqld.sock + environment: + # + # MariaDB/MySQL host to use: for internal service use "db", for host database (socket bind-mounted into container) use "localhost" + - EGW_DB_HOST=db + # grant host is needed for NOT using localhost / unix domain socket for MySQL/MariaDB + - EGW_DB_GRANT_HOST=172.% + # for internal db service you should to specify a root password here AND in db service + # a database "egroupware" with a random password is created for you on installation (password is stored in header.inc.php in data directory) + #- EGW_DB_ROOT=root + - EGW_DB_ROOT_PW=secret + # alternativly you can specify an already existing database with full right by the given user! + #- EGW_DB_NAME=egroupware + #- EGW_DB_USER=egroupware + #- EGW_DB_PASS= + # + # further post_install.php arguments can be passed as a single enviroment variable with space separated assignments + # "= =" see https://github.com/EGroupware/egroupware/blob/master/doc/rpm-build/post_install.php#L17 + # to configure eg. LDAP for authentication and account storage use + #- EGW_POST_INSTALL='account-auth=ldap,ldap ldap_base=ou=egroupware,dc=example,dc=org ldap_host=tls://ldap.example.org ldap_admin=cn=admin,$base ldap_admin_pw=secret ldap_context=cn=users,$base ldap_group_context=cn=groups,$base' + # + # extra non-default apps (need to start with EGW_EXTRA_APP!) + # + # new push server not yet in composer.json + - EGW_EXTRA_APP_PUSH=https://github.com/EGroupware/swoolepush.git + # EPL apps (need extra credentials!) + #- EGW_EXTRA_APPS_EPL=https://github.com/EGroupwareGmbH/epl.git https://github.com/EGroupwareGmbH/esyncpro.git https://github.com/EGroupwareGmbH/policy.git https://github.com/EGroupwareGmbH/webauthn.git + # old Wiki + - EGW_EXTRA_APP_WIKI=https://github.com/EGroupware/wiki.git + # old API and eTemplate(1) + - EGW_EXTRA_APP_OLDAPI=https://github.com/EGroupware/phpgwapi.git https://github.com/EGroupware/etemplate.git + # + # XDEBUG_REMOTE_HOST need to be set, if the host running the IDE is different from 172.17.0.1 (Mac can use docker.for.mac.localhost) + - XDEBUG_REMOTE_HOST=docker.for.mac.localhost + + restart: always + depends_on: + - db + container_name: egroupware + # set the ip-address of your docker host AND your official DNS name so EGroupware + # can access Rocket.Chat or Collabora without the need to go over your firewall + #extra_hosts: + #- "my.host.name:ip-address" + + nginx: + image: nginx:stable-alpine + volumes: + - sources:/var/www:ro + # to add a certificate create a certificate.pem containing (in that order) + # 1. private key + # 2. public key + # 3. (optional) chain certificates + # uncomment to the next line + # ./certificate.pem:/etc/ssl/private/certificate.pem + # AND uncomment the three lines starting with "listen 443", "ssl_certificate", "ssl_certificate_key" in nginx.conf + - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro + ports: + # if no webserver is running on the host, change (first) number to 80 or 443 + - "8080:80" + - "4443:443" + depends_on: + - egroupware + container_name: egroupware-nginx + + # run an own MariaDB:10.4 (you can use EGroupware's database backup and restore to add your existing database) + db: + image: mariadb + environment: + #- MYSQL_ROOT=root + - MYSQL_ROOT_PASSWORD=secret + volumes: + - db:/var/lib/mysql + container_name: egroupware-db + + # push server using phpswoole + #push: + # image: phpswoole/swoole:latest-dev + # volumes: + # - sources-push:/var/www + # - sessions:/var/lib/php/sessions + # container_name: egroupware-push + + # automatic updates of all containers daily at 4am + # see https://containrrr.github.io/watchtower for more information + watchtower: + image: containrrr/watchtower + volumes: + - /var/run/docker.sock:/var/run/docker.sock + # For automatic EPL Updates (not necessary for CE!) you need to pass docker + # credentials into watchtower after running: docker login download.egroupware.org + #- /root/.docker/config.json:/config.json:ro + environment: + - WATCHTOWER_CLEANUP=true # delete old image after update to not fill up the disk + # for email notifications add your email and mail-server here + #- WATCHTOWER_NOTIFICATIONS=email + #- WATCHTOWER_NOTIFICATIONS_LEVEL=info # possible values: panic, fatal, error, warn, info or debug + #- WATCHTOWER_NOTIFICATION_EMAIL_FROM="watchtower@my-domain.com" + #- WATCHTOWER_NOTIFICATION_EMAIL_TO="me@my-domain.com" + #- WATCHTOWER_NOTIFICATION_EMAIL_SERVER="mail.my-domain.com" # if you give your MX here, you need no user/password + #- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25 + #- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="watchtower@my-domain.com" + #- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="secret" + command: --schedule "0 0 4 * * *" + container_name: egroupware-watchtower + restart: always diff --git a/doc/docker/development/entrypoint.sh b/doc/docker/development/entrypoint.sh new file mode 100755 index 0000000000..64f5a63782 --- /dev/null +++ b/doc/docker/development/entrypoint.sh @@ -0,0 +1,116 @@ +#!/bin/bash +set -ex + +VERSION=${VERSION:-dev-master} + +# if EGW_SESSION_TIMEOUT is set in environment, propagate value to php.ini +test -n "$EGW_SESSION_TIMEOUT" && test "$EGW_SESSION_TIMEOUT" -ge 1440 && + sed -e "s/^;\?session.gc_maxlifetime.*/session.gc_maxlifetime = $EGW_SESSION_TIMEOUT/g" \ + -i /etc/php/7.3/fpm/php.ini + +# if XDEBUG_REMOTE_HOST is set, patch it into xdebug config +test -n "$XDEBUG_REMOTE_HOST" && \ + sed -e "s/^xdebug.remote_host.*/xdebug.remote_host=$XDEBUG_REMOTE_HOST/g" \ + -i /etc/php/7.3/fpm/conf.d/*xdebug.ini + +# downgrade composer to 1.8.6, as 1.9.x does not work with "dev-master" version :( +composer selfupdate 1.8.6 + +# installation fails without git identity +git config --global user.email || git config --global user.email "you@example.com" + +# install EGroupware sources, if not already there +[ -f /var/www/egroupware/header.inc.php ] || { + cd /var/www \ + && ln -sf egroupware/api/templates/default/images/favicon.ico \ + && composer.phar create-project --prefer-source --keep-vcs --no-scripts egroupware/egroupware:$VERSION \ + && cd egroupware \ + && ./install-cli.php \ + && ln -sf /var/lib/egroupware/header.inc.php \ + && sed -e 's/apache/www-data/' -e 's|/usr/share|/var/www|g' doc/rpm-build/egroupware.cron > /etc/cron.d/egroupware +} + +# check if we have further apps to install (EPL or old ones ...) +cd /var/www/egroupware +for url in $(env|grep ^EGW_EXTRA_APP|cut -d= -f2) +do + app=$(basename $url .git) + [ $app == "epl" ] && app=stylite + [ -d $app ] || { + git clone $url $app \ + && (cd $app; git remote set-url --push origin $(echo $url|sed 's|https://github.com/|git@github.com:|')) \ + && [ -f header.inc.php ] && doc/rpm-build/post_install.php --install-app $(basename $url .git) \ + || true # do not stop, if one clone fails + } +done + +# install phpMyAdmin sources, if not already there +[ -d /var/www/phpmyadmin ] || { + cd /var/www \ + && composer.phar create-project --prefer-source --keep-vcs --no-scripts phpmyadmin/phpmyadmin \ + && cd phpmyadmin \ + && yarn install || true +} +[ -f /var/www/phpmyadmin/config.inc.php ] || { + cd /var/www/phpmyadmin \ + && blowfish_secret=$(php -r "echo base64_encode(random_bytes(24));") \ + && sed -e "s/localhost/db/g" \ + -e "s/cfg\['blowfish_secret'\] = '';/cfg['blowfish_secret'] = '$blowfish_secret';/g" \ + config.sample.inc.php > config.inc.php +} + +# create data directory +[ -d /var/lib/egroupware/default ] || { + mkdir -p /var/lib/egroupware/default/files/sqlfs \ + && mkdir -p /var/lib/egroupware/default/backup \ + && chown -R www-data:www-data /var/lib/egroupware \ + && chmod 700 /var/lib/egroupware/ +} + +# add private CA so egroupware can validate your certificate to talk to Collabora or Rocket.Chat +test -f /usr/local/share/ca-certificates/private-ca.crt && + update-ca-certificates + +# write install-log in /var/lib/egroupware (only readable by root!) +LOG=/var/lib/egroupware/egroupware-docker-install.log +touch $LOG +chmod 600 $LOG + +max_retries=10 +export try=0 +# EGW_SKIP_INSTALL=true skips initial installation (no header.inc.php yet) +until [ -n "$EGW_SKIP_INSTALL" -a ! -f /var/www/egroupware/header.inc.php ] || \ + php /var/www/egroupware/doc/rpm-build/post_install.php \ + --start_webserver "" --autostart_webserver "" \ + --start_db "" --autostart_db "" \ + --db_type "${EGW_DB_TYPE:-mysqli}" \ + --db_host "${EGW_DB_HOST:-localhost}" \ + --db_grant_host "${EGW_DB_GRANT_HOST:-localhost}" \ + --db_root "${EGW_DB_ROOT:-root}" \ + --db_root_pw "${EGW_DB_ROOT_PW:-}" \ + --db_name "${EGW_DB_NAME:-egroupware}" \ + --db_user "${EGW_DB_USER:-egroupware}" \ + --db_pass "${EGW_DB_PASS:-}" +do + if [ "$try" -gt "$max_retries" ]; then + echo "Installing of EGroupware failed!" + break + fi + echo "Retrying EGroupware installation in 3 seconds ..." + try=$((try+1)) + sleep 3s +done 2>&1 | tee -a $LOG + +[ "$(git config --global user.email)" == "you@example.com" ] && { + echo "No git user set, please do so by running:" + echo "git config --global user.email "your@email.address" + echo "git config --global user.name "Your Name" +} + +# as we can NOT exit from until (runs a subshell), we need to check and do it here +[ "$(tail -1 $LOG)" = "Installing of EGroupware failed!" ] && exit 1 + +# to run async jobs +service cron start + +exec "$@" \ No newline at end of file diff --git a/doc/docker/development/nginx.conf b/doc/docker/development/nginx.conf new file mode 100644 index 0000000000..b8190055e0 --- /dev/null +++ b/doc/docker/development/nginx.conf @@ -0,0 +1,117 @@ +# stuff for http block +client_max_body_size 1g; +# fix error: upstream sent too big header while reading response header from upstream +fastcgi_buffers 16 16k; +fastcgi_buffer_size 32k; + +upstream fpm { + server egroupware:9000; +} + +server { + access_log off; + + listen 80 default_server; + + # ssl config (enable following line plus either include or ssl_certificate* line) + #listen 443 ssl http2 default_server; + #include snippets/snakeoil.conf; # requires ssl-certs package installed! + # concatenate private key, certificate and intermediate certs to /etc/ssl/private/certificate.pem + #ssl_certificate /etc/ssl/private/certificate.pem; + #ssl_certificate_key /etc/ssl/private/certificate.pem; + # HTTP Strict-Transport-Security header (start with a short max-age!) + #add_header Strict-Transport-Security max-age=31536000; # 31536000sec=1year + + server_name _; + root /var/www; + + index index.php index.html index.htm; + + # other settings + client_max_body_size 65M; + + # EGroupware installed in /var/www/egroupware + location ^~ /egroupware { + alias /var/www/egroupware/; + try_files $uri $uri/ =404; + location ~ ^/egroupware(/(?U).+\.php) { + # do not allow to call files ment to be included only + #location ~ ^$path/(vendor|[^/]+/(src|setup|inc))/ { + # return 403; + #} + alias /var/www/egroupware; + fastcgi_pass fpm; + # added to support WebDAV/CalDAV/CardDAV + fastcgi_read_timeout 60m; + fastcgi_index index.php; + fastcgi_split_path_info ^((?U).+\.php)(.*)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; + # standard Nginx + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/egroupware$1; + fastcgi_param DOCUMENT_ROOT /var/www/html; + } + location ~ (?i)\.(ico|jpe?g|gif|png|svg|xet|xml|js|css|html|map|swf)$ { + access_log off; + expires 10d; + add_header Pragma public; + add_header Cache-Control "public"; + location ~ ^/egroupware(/.*)$ { + alias /var/www/egroupware/; + try_files $1 =404; + } + } + } + + # push-server + #location /egroupware/push { + # proxy_http_version 1.1; + # proxy_set_header Host $http_host; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "Upgrade"; + # proxy_pass http://push:9501; + #} + + # PHP in docroot + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + fastcgi_pass fpm; + fastcgi_read_timeout 60m; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } + + # ActiveSync support + location /Microsoft-Server-ActiveSync { + fastcgi_pass fpm; + # added to support WebDAV/CalDAV/CardDAV + fastcgi_read_timeout 60m; + fastcgi_index index.php; + fastcgi_split_path_info ^((?U).+\.php)(.*)$; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/egroupware/activesync/index.php; + } + # CalDAV & CardDAV autoconfig + location ~ ^/.well-known/(caldav|carddav)$ { + return 301 $scheme://$http_host/egroupware/groupdav.php/; + } + location ~ ^(/principals/users/.*)$ { + return 301 $scheme://$http_host/egroupware/groupdav.php$1; + } + # Nginx does NOT use index for OPTIONS requests breakng WebDAV + # for Windows, which sends OPTIONS / and stalls on Nginx 405 response! + # This also redirects all requests to root to EGroupware. + location = / { + return 301 $scheme://$http_host/egroupware/index.php; + } +}