Merge pull request 'Dockerize leftypol, again' (#115) from dockerize2 into config

Reviewed-on: #115

.dockerignore

@@ -0,0 +1,4 @@
+**/.git
+**/.gitignore
+/local-www
+**/.gitkeep

.gitignore

@@ -55,6 +55,7 @@ php_errors.log
 #vichan custom
 favicon.ico
 /static/spoiler.png
+local-www
 
 piwik/
 jwplayer/

Dockerfile

@@ -0,0 +1,29 @@
+FROM php:8.1.8-fpm
+
+COPY . /code
+
+RUN docker-php-ext-install pdo pdo_mysql
+RUN apt-get update -y && apt-get install -y libpng-dev libjpeg-dev libonig-dev
+RUN docker-php-ext-install mbstring
+RUN apt-get update -y && apt-get install -y libmcrypt-dev
+# RUN docker-php-ext-install -j$(nproc) mcrypt
+RUN docker-php-ext-install iconv
+RUN apt-get update -y && apt-get install -y imagemagick
+RUN apt-get update -y && apt-get install -y graphicsmagick
+RUN apt-get update -y && apt-get install -y gifsicle
+# RUN docker-php-ext-configure gd
+#         --with-jpeg=/usr/include
+#         --with-png-dir=/usr \
+RUN docker-php-ext-install gd
+RUN apt-get update -y \
+  && apt-get install -y libmemcached11 libmemcachedutil2 build-essential libmemcached-dev libz-dev git \
+  && pecl install memcached \
+  && echo extension=memcached.so >> /usr/local/etc/php/conf.d/memcached.ini \
+  && apt-get remove -y build-essential libmemcached-dev libz-dev \
+  && apt-get autoremove -y \
+  && apt-get clean \
+  && rm -rf /tmp/pear \
+  && curl -sS https://getcomposer.org/installer -o composer-setup.php \
+  && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
+  && docker-php-ext-install bcmath \
+  && cd /code && composer install

docker-compose.yml

@@ -5,17 +5,17 @@ services:
         context: .
         dockerfile: ./docker/nginx/Dockerfile
       ports:
-        - "8080:80"
+        - "9091:80"
       depends_on:
-        - db
+        - leftypol-db
       volumes:
-          - ./:/code
+          - ./local-www:/var/www/html
           - ./docker/nginx/leftypol.conf:/etc/nginx/conf.d/default.conf
           - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf
           - ./docker/nginx/proxy.conf:/etc/nginx/conf.d/proxy.conf
       networks:
-        leftchan_net:
-          ipv4_address: 172.20.0.3
+        d_leftypol_org:
+          ipv4_address: 172.21.0.3
       links:
           - php
   php:
@@ -23,30 +23,31 @@ services:
         context: .
         dockerfile: ./docker/php/Dockerfile
       volumes:
-          - ./:/code
+          - ./local-www:/var/www
           - ./docker/php/www.conf:/usr/local/etc/php-fpm.d/www.conf
       networks:
-        leftchan_net:
-          ipv4_address: 172.20.0.4
+        d_leftypol_org:
+          ipv4_address: 172.21.0.4
   #MySQL Service
-  db:
+  leftypol-db:
     image: mysql:8.0.35
-    container_name: db
+    container_name: leftypol-db
     restart: unless-stopped
     tty: true
     ports:
       - "3306:3306"
     environment:
-      MYSQL_DATABASE: lainchan
-      MYSQL_ROOT_PASSWORD: M9q5lO0RxJVh
+      MYSQL_DATABASE: vichan
+      MYSQL_ROOT_PASSWORD: password
+    command: "--default-authentication-plugin=mysql_native_password"
     networks:
-        leftchan_net:
-            ipv4_address: 172.20.0.2
+        d_leftypol_org:
+            ipv4_address: 172.21.0.2
 
 #Docker Networks
 networks:
-    leftchan_net:
+    d_leftypol_org:
         ipam:
             driver: default
             config:
-                - subnet: 172.20.0.0/16
+                - subnet: 172.21.0.0/16

docker/common-setup.sh

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol
-ln -s \
-   /code/banners/ \
-   /code/static/ \
-   /code/stylesheets/ \
-   /code/tools/ \
-   /code/walls/ \
-   /code/*.php \
-   /code/404.html \
-   /code/LICENSE.* \
-   /code/robots.txt \
-   /code/install.sql \
-   /var/www-leftypol/
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/js
-ln -s /code/js/* /var/www-leftypol/js/
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/templates
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/templates/cache
-ln -s /code/templates/* /var/www-leftypol/templates/
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/inc
-ln -s /code/inc/* /var/www-leftypol/inc/

docker/doc.md

@@ -0,0 +1,4 @@
+The `php-fpm` process runs containerized.
+The php application always uses `/var/www` as it's work directory and home folder, and if `/var/www` is bind mounted it
+is necessary to adjust the path passed via FastCGI to `php-fpm` by changing the root directory to `/var/www`.
+This can achieved in nginx by setting the `fastcgi_param SCRIPT_FILENAME` to `/var/www/$fastcgi_script_name;`

docker/nginx/Dockerfile

@@ -1,11 +1,8 @@
 FROM nginx:1.25.3-alpine
 
 COPY . /code
-RUN addgroup --system leftypol \
-   && adduser --system leftypol \
-   && adduser leftypol leftypol \
-   && /code/docker/common-setup.sh
-
+RUN adduser --system www-data \
+  && adduser www-data www-data
 
 CMD [ "nginx", "-g", "daemon off;" ]
-EXPOSE 80 443
+EXPOSE 80

docker/nginx/leftypol.conf

@@ -6,7 +6,7 @@ server {
 	listen 80 default_server;
 	listen [::]:80 default_server ipv6only=on;
 	server_name leftypol;
-	root /var/www-leftypol;
+	root /var/www/html;
 	add_header X-Frame-Options "SAMEORIGIN";
 	add_header X-Content-Type-Options "nosniff";
 
@@ -18,6 +18,21 @@ server {
 		try_files $uri @addslash;
 	}
 
+	# Expire rules for static content
+	# Media: images, icons, video, audio, HTC
+	location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+		expires 1M;
+		access_log off;
+		log_not_found off;
+		add_header Cache-Control "public";
+	}
+	# CSS and Javascript
+	location ~* \.(?:css|js)$ {
+		expires 1y;
+		access_log off;
+		log_not_found off;
+		add_header Cache-Control "public";
+	}
 	# Expire rules for static content
 	# Media: images, icons, video, audio, HTC
 	location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
@@ -56,7 +71,7 @@ server {
 		proxy_set_header Forwarded-Request-Id $x_request_id;
 		fastcgi_pass php-upstream;
 		fastcgi_index index.php;
-		fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+		fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
 		fastcgi_read_timeout 600;
 		include fastcgi_params;
 	}

docker/nginx/nginx.conf

@@ -1,15 +1,17 @@
 # This and proxy.conf are based on
 # https://github.com/dead-guru/devichan/blob/master/nginx/nginx.conf
 
-user  leftypol;
+user www-data;
 worker_processes auto;
 # daemon off;
 # error_log  /var/log/nginx/error.log warn;
 error_log /dev/stdout warn;
 pid       /var/run/nginx.pid;
+
 events {
 	worker_connections  1024;
 }
+
 http {
 	include       /etc/nginx/mime.types;
 	default_type  application/octet-stream;

docker/nginx/proxy.conf

@@ -33,7 +33,7 @@ real_ip_header X-Forwarded-For;
 
 set_real_ip_from 10.0.0.0/8;
 set_real_ip_from 172.16.0.0/12;
-set_real_ip_from 172.18.0.0/12;
+set_real_ip_from 172.18.0.0;
 set_real_ip_from 192.168.0.0/24;
 set_real_ip_from 127.0.0.0/8;
 

docker/php/Dockerfile

@@ -1,47 +1,89 @@
 # Based on https://github.com/dead-guru/devichan/blob/master/php-fpm/Dockerfile
 
 FROM composer AS composer
-FROM php:8.1-fpm-bullseye
-COPY --from=composer /usr/bin/composer /usr/bin/composer
-COPY . /code
+FROM php:7.2-fpm-alpine
 
-RUN apt-get update && apt-get upgrade -y && apt-get install -y \
-      zlib1g-dev libicu-dev g++ \
-      libjpeg62-turbo-dev \
-      libzip-dev \
+RUN apk add --no-cache \
+    zlib \
+    zlib-dev \
+    libpng \
     libpng-dev \
+    libjpeg-turbo \
+    libjpeg-turbo-dev \
+    libwebp \
     libwebp-dev \
-      libfreetype6-dev \
-      libxml2-dev \
-      git \
-      zip \
-      ffmpeg \
-      libonig-dev \
-      unzip \
-      libcurl4-openssl-dev \
-      libmagickwand-dev \
-      gifsicle \
+    libcurl \
+    curl-dev \
+    imagemagick \
     graphicsmagick \
+    gifsicle \
+    ffmpeg \
+    bind-tools \
     gettext \
-      imagemagick \
-      locales locales-all \
-      libmagickwand-dev \
+    gettext-dev \
+    icu-dev \
+    oniguruma \
+    oniguruma-dev \
+    libmcrypt \
     libmcrypt-dev \
+    lz4-libs \
+    lz4-dev \
+    imagemagick-dev \
+    pcre-dev \
+    $PHPIZE_DEPS \
     && docker-php-ext-configure gd \
-        --with-webp=/usr/include/webp \
-        --with-jpeg=/usr/include \
-        --with-freetype=/usr/include/freetype2/ \
+        --with-webp-dir=/usr/include/webp \
+        --with-jpeg-dir=/usr/include \
+    && docker-php-ext-install -j$(nproc) \
+        gd \
+        curl \
+        bcmath \
+        opcache \
+        pdo_mysql \
+        gettext \
+        intl \
+        mbstring \
+    && pecl update-channels \
+    && pecl install -o -f igbinary \
     && pecl install redis \
     && pecl install imagick \
-    && pecl install -o -f igbinary \
-    && docker-php-ext-install gd zip opcache intl pdo pdo_mysql mysqli bcmath gettext iconv mbstring curl \
-    && docker-php-ext-enable igbinary redis imagick \
-    && useradd -MU leftypol \
-    && /code/docker/common-setup.sh \
-    && ln -s /code/composer.json /code/composer.lock /var/www-leftypol/ \
-    && cd /var/www-leftypol && composer install
+    $$ docker-php-ext-enable \
+        igbinary \
+        redis \
+        imagick \
+    && apk del \
+        zlib-dev \
+        libpng-dev \
+        libjpeg-turbo-dev \
+        libwebp-dev \
+        curl-dev \
+        gettext-dev \
+        oniguruma-dev \
+        libmcrypt-dev \
+        lz4-dev \
+        imagemagick-dev \
+        pcre-dev \
+        $PHPIZE_DEPS \
+    && rm -rf /var/cache/*
+RUN rmdir /var/www/html \
+    && install -d -m 744 -o www-data -g www-data /var/www \
+    && install -d -m 700 -o www-data -g www-data /var/tmp/vichan \
+    && install -d -m 700 -o www-data -g www-data /var/cache/gen-cache \
+    && install -d -m 700 -o www-data -g www-data /var/cache/template-cache
+
+COPY --from=composer /usr/bin/composer /usr/local/bin/composer
+
+# Copy the bootstrap script.
+COPY ./docker/php/bootstrap.sh /usr/local/bin/bootstrap.sh
+
+# Copy the actual project (use .dockerignore to exclude stuff).
+COPY . /code
+
+# Make the instance configuration owned by www-data.
+# Make it writable by php.
+# Install the compose depedencies.
+RUN cd /code && composer install
 
-# RUN /code/docker/common-setup.sh php
-WORKDIR "/var/www-leftypol"
-CMD ["php-fpm"]
+WORKDIR "/var/www"
+CMD [ "bootstrap.sh" ]
 EXPOSE 9000

docker/php/bootstrap.sh

@@ -0,0 +1,80 @@
+#!/bin/sh
+
+set -eu
+
+function set_cfg() {
+    if [ ! -f "/var/www/inc/$1" ]; then
+        echo "INFO: Resetting $1"
+        touch "/var/www/inc/$1"
+        chown www-data "/var/www/inc/$1"
+        chgrp www-data "/var/www/inc/$1"
+        chmod 600 "/var/www/inc/$1"
+    else
+        echo "INFO: Using existing $1"
+    fi
+}
+
+if ! mountpoint -q /var/www; then
+    echo "WARNING: '/var/www' is not a mountpoint. All the data will remain inside the container!"
+fi
+
+if [ ! -w /var/www ] ; then
+    echo "ERROR: '/var/www' is not writable. Closing."
+    exit 1
+fi
+
+# Link the entrypoints from the exposed directory.
+ln -nfs \
+    /code/banners/ \
+    /code/tools/ \
+    /code/walls/ \
+    /code/*.php \
+    /code/LICENSE.* \
+    /code/404.html \
+    /code/install.sql \
+    /var/www/
+# Static files accessible from the webserver must be copied.
+cp -ur /code/static /var/www/
+cp -ur /code/stylesheets /var/www/
+
+# Ensure correct permissions are set, since this might be bind mount.
+chown www-data /var/www
+chgrp www-data /var/www
+
+# Initialize an empty robots.txt with the default if it doesn't exist.
+touch /var/www/robots.txt
+
+# Link the cache and tmp files directory.
+ln -nfs /var/tmp/vichan /var/www/tmp
+
+# Link the javascript directory.
+ln -nfs /code/js /var/www/
+
+# Link the html templates directory and it's cache.
+ln -nfs /code/templates /var/www/
+ln -nfs -T /var/cache/template-cache /var/www/templates/cache
+chown -h www-data /var/www/templates/cache
+chgrp -h www-data /var/www/templates/cache
+
+# Link the generic cache.
+ln -nfs -T /var/cache/gen-cache /var/www/tmp/cache
+chown -h www-data /var/www/tmp/cache
+chgrp -h www-data /var/www/tmp/cache
+
+# Create the included files directory and link them
+install -d -m 700 -o www-data -g www-data /var/www/inc
+for file in /code/inc/*; do
+    file="${file##*/}"
+    if [ ! -e /var/www/inc/$file ]; then
+        ln -s /code/inc/$file /var/www/inc/
+    fi
+done
+
+# Copy an empty instance configuration if the file is a link (it was linked because it did not exist before).
+set_cfg 'instance-config.php'
+
+# Link the composer dependencies.
+ln -nfs /code/vendor /var/www/
+
+# Start the php-fpm server.
+exec php-fpm

docker/php/www.conf

@@ -1,6 +1,12 @@
 [www]
-user = leftypol
-group = leftypol
+access.log = /proc/self/fd/2
+
+; Ensure worker stdout and stderr are sent to the main error log.
+catch_workers_output = yes
+
+user = www-data
+group = www-data
+
 listen = 127.0.0.1:9000
 pm = static
 pm.max_children = 16

inc/template.php

@@ -13,12 +13,15 @@ $twig = false;
 
 function load_twig() {
 	global $twig, $config;
+
+	$cache_dir = "{$config['dir']['template']}/cache/";
+
 	$loader = new Twig_Loader_Filesystem($config['dir']['template']);
 	$loader->setPaths($config['dir']['template']);
 	$twig = new Twig_Environment($loader, array(
 		'autoescape' => false,
-		'cache' => is_writable('templates') || (is_dir('templates/cache') && is_writable('templates/cache')) ?
-			"{$config['dir']['template']}/cache" : false,
+		'cache' => is_writable('templates/') || (is_dir($cache_dir) && is_writable($cache_dir)) ?
+			$cache_dir : false,
 		'debug' => $config['debug']
 	));
 	$twig->addExtension(new Twig_Extensions_Extension_Tinyboard());
@@ -69,4 +72,3 @@ function Element($templateFile, array $options) {
 		throw new Exception("Template file '${templateFile}' does not exist or is empty in '{$config['dir']['template']}'!");
 	}
 }
-

install.php

@@ -3,7 +3,7 @@
 // Installation/upgrade file
 define('VERSION', '5.1.3');
 
-if (fopen('inc/instance-config.php' , 'a') === false) {
+if (!is_writable('inc/instance-config.php') || !is_writable('inc/')) {
 	print('install.php does not have permission to write to /inc/, without permission the installer cannot continue');
 	exit();
 }
@@ -818,14 +818,14 @@ if ($step == 0) {
 		array(
 			'category' => 'File permissions',
 			'name' => getcwd() . '/templates/cache',
-			'result' => is_writable('templates') || (is_dir('templates/cache') && is_writable('templates/cache')),
+			'result' => is_dir('templates/cache/') && is_writable('templates/cache/'),
 			'required' => true,
 			'message' => 'You must give vichan permission to create (and write to) the <code>templates/cache</code> directory or performance will be drastically reduced.'
 		),
 		array(
 			'category' => 'File permissions',
 			'name' => getcwd() . '/tmp/cache',
-			'result' => is_dir('tmp/cache') && is_writable('tmp/cache'),
+			'result' => is_dir('tmp/cache/') && is_writable('tmp/cache/'),
 			'required' => true,
 			'message' => 'You must give vichan permission to write to the <code>tmp/cache</code> directory.'
 		),
@@ -993,4 +993,3 @@ if ($step == 0) {
 
 	echo Element('page.html', $page);
 }
-

site.conf

@@ -1,16 +0,0 @@
-server {
-    index index.php index.html;
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /code;
-
-    location ~ \.php$ {
-        try_files $uri =404;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass php:9000;
-        fastcgi_index index.php;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-    }
-}