From cf7d8e1e48b87fc66f3370c579b1d04c1c87c9d8 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Tue, 5 Jun 2018 06:55:45 +0200 Subject: [PATCH] ensuring that container can run read-only and logs are forwarded to docker logs, fixes for latest alpine and cleanup --- .dockerignore | 10 ++++++++++ Dockerfile | 9 +++------ buildNoCache.sh | 2 +- entrypoint.sh | 6 +++--- files/nginx.conf | 38 ++++++++++++++++++-------------------- files/php-fpm.conf | 2 ++ files/supervisord.conf | 13 ++++++++++++- 7 files changed, 49 insertions(+), 31 deletions(-) create mode 100644 .dockerignore mode change 100644 => 100755 entrypoint.sh diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..731a58e --- /dev/null +++ b/.dockerignore @@ -0,0 +1,10 @@ +# Docs +README.md +LICENSE + +# build +build.sh +buildNoCache.sh + +# Git +.git/ diff --git a/Dockerfile b/Dockerfile index 5d9dc10..65a4625 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,11 +12,9 @@ RUN apk -U add \ php7-gd \ php7-mcrypt \ php7-json \ - php7-zlib \ php7-pdo \ php7-pdo_mysql \ supervisor \ - tini \ ca-certificates \ tar \ && mkdir privatebin && cd privatebin \ @@ -32,10 +30,9 @@ COPY files/php-fpm.conf /etc/php7/php-fpm.conf COPY files/supervisord.conf /usr/local/etc/supervisord.conf COPY entrypoint.sh / -RUN chmod +x /entrypoint.sh - -VOLUME [ "/privatebin/data", "/privatebin/cfg" ] +# mark dirs as volumes that need to be writable, allows running the container --read-only +VOLUME [ "/privatebin/data", "/privatebin/cfg", "/etc", "/tmp", "/var/tmp", "/run", "/var/log" ] EXPOSE 80 LABEL description "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data." -CMD ["/sbin/tini","--","/entrypoint.sh"] +CMD ["/entrypoint.sh"] diff --git a/buildNoCache.sh b/buildNoCache.sh index 8c140b4..f805698 100755 --- a/buildNoCache.sh +++ b/buildNoCache.sh 
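Review bot: Removing tini from the apk list (and from CMD in the following hunk) leaves supervisord running as PID 1 with no init in front of it. supervisord forwards SIGTERM to the programs it started, so nginx and php-fpm should still stop on `docker stop`, but it is not a general reaper: a process re-parented to PID 1 that supervisord did not spawn is, as far as I can tell, left as a zombie until the container exits. If that trade-off is intended, a comment on the CMD line such as `# no init in the image: start with docker run --init if orphan reaping matters` would record the decision. The dropped php7-zlib package presumably relies on zlib being built into php7 on current Alpine; a one-line comment saying so would stop the next reader from re-adding it.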
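Review bot: Declaring `/etc` as a VOLUME makes the whole system configuration tree writable at runtime, which gives up much of what `--read-only` is meant to provide: nginx.conf, php-fpm.conf and every other file under /etc become modifiable by any process that gains code execution inside the container, and Docker also discards changes that later build steps make under a path already declared as a volume, so the COPY lines must stay above this instruction. The only writer of /etc visible in this patch is the addgroup/adduser pair in entrypoint.sh (it updates /etc/passwd, /etc/group and /etc/shadow). Unless runtime-selectable UID/GID is a hard requirement, creating the account at build time with fixed ids (the values are a constructed example) — `RUN addgroup -g 1000 privatebin && adduser -h /privatebin -H -s /bin/sh -D -G privatebin -u 1000 privatebin` — and shrinking the list to `VOLUME [ "/privatebin/data", "/privatebin/cfg", "/tmp", "/var/tmp", "/run", "/var/log" ]` keeps /etc read-only. Either way, the comment above VOLUME should state which process needs each path writable so the list does not grow unchecked.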
@@ -1,2 +1,2 @@ #!/usr/bin/env bash -docker build --rm --pull --no-cache -t jgeusebroek/zerobin . \ No newline at end of file +docker build --rm --pull --no-cache -t jgeusebroek/privatebin . diff --git a/entrypoint.sh b/entrypoint.sh old mode 100644 new mode 100755 index 07d3807..be3772b --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,11 +1,11 @@ #!/bin/sh -addgroup -g ${GID} privatebin && adduser -h /privatebin -s /bin/sh -D -G privatebin -u ${UID} privatebin -touch /var/run/php-fpm.sock +addgroup -g ${GID} privatebin && \ +adduser -h /privatebin -H -s /bin/sh -D -G privatebin -u ${UID} privatebin if [ ! -f /privatebin/cfg/conf.php ]; then cp /privatebin/conf.sample.php /privatebin/cfg/conf.php fi -chown -R privatebin:privatebin /privatebin /var/run/php-fpm.sock /var/lib/nginx /tmp /var/tmp/nginx +chown -R privatebin:privatebin /privatebin/data supervisord -c /usr/local/etc/supervisord.conf diff --git a/files/nginx.conf b/files/nginx.conf index f849f83..dd69cc2 100644 --- a/files/nginx.conf +++ b/files/nginx.conf @@ -12,8 +12,8 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - access_log off; - error_log /var/log/nginx/error.log error; + access_log /dev/stdout; + error_log /dev/stderr error; sendfile on; keepalive_timeout 15; @@ -47,14 +47,14 @@ http { image/svg+xml; server { - listen 80; - root /privatebin; - index index.php index.html; + listen 80; + root /privatebin; + index index.php index.html; - location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ { - expires 30d; - access_log off; - } + location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ { + expires 30d; + access_log off; + } location ~ ^/(data|cfg|tmp) { deny all; 
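Review bot: The new addgroup/adduser chain in entrypoint.sh expands `${GID}` and `${UID}` unquoted and without a default, and the script has no `set -e`, so if either variable is empty or the group already exists the `&&` list silently skips user creation and supervisord is still started, leaving php-fpm to fail later against a pool user that does not exist. Note that `set -e` alone would not catch this either, because a failure in the first command of an `&&` list does not abort the shell; splitting the chain into separate statements, `set -eu` after the shebang, `addgroup -g "${GID}" privatebin`, then `adduser -h /privatebin -H -s /bin/sh -D -G privatebin -u "${UID}" privatebin`, makes each step fatal at the point of the error (this assumes the Dockerfile sets ENV defaults for UID and GID, which is outside this hunk). The narrowed `chown -R` now covers only /privatebin/data, so the copied cfg/conf.php stays owned by root; that is fine as long as it remains readable by the pool user, but a comment such as `# conf.php is intentionally not owned by privatebin (read-only for php-fpm)` would make it clear this is deliberate.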
@@ -68,17 +68,15 @@ http { deny all; } - location / { - try_files $uri $uri/ /index.php; - } - - location ~ \.php$ { - fastcgi_index index.php; - fastcgi_pass unix:/var/run/php-fpm.sock; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - include /etc/nginx/fastcgi_params; - } + location / { + try_files $uri $uri/ /index.php; + } + location ~ \.php$ { + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include /etc/nginx/fastcgi_params; + } } - } diff --git a/files/php-fpm.conf b/files/php-fpm.conf index 533a9ec..87afcb3 100644 --- a/files/php-fpm.conf +++ b/files/php-fpm.conf @@ -1,3 +1,5 @@ +[global] +daemonize = no [www] user = privatebin group = privatebin diff --git a/files/supervisord.conf b/files/supervisord.conf index 0bdc45e..9bef749 100644 --- a/files/supervisord.conf +++ b/files/supervisord.conf @@ -1,8 +1,19 @@ [supervisord] nodaemon=true +pidfile=/var/run/supervisord.pid +logfile=/var/log/supervisord.log [program:php-fpm] -command=php-fpm7 --nodaemonize +command=php-fpm7 +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 [program:nginx] command=nginx +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +
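Review bot: `[global]` gains `daemonize = no` but nothing redirects php-fpm's own error log, so unless the package default is overridden elsewhere the master's messages still go to the file-based `error_log` of the stock Alpine configuration rather than to the stderr that supervisord now forwards (the supervisord.conf hunk below wires `stderr_logfile=/dev/stderr` for exactly that purpose). Adding `error_log = /proc/self/fd/2` under `[global]` and `catch_workers_output = yes` under `[www]` would route both master and worker output to `docker logs` as the commit intends. The `[www]` section continues beyond this hunk.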
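Review bot: `logfile=/var/log/supervisord.log` keeps supervisord's own messages (program start, exit status, restart attempts) in a file inside the container, while the per-program entries below forward everything else to `docker logs`; that is precisely the log an operator needs when nginx or php-fpm crash-loops. `logfile=/dev/stdout` together with `logfile_maxbytes=0` in the `[supervisord]` section applies the same forwarding to it, mirroring the `stdout_logfile_maxbytes=0` already added for the programs. The pidfile under /var/run presumably resolves to the /run volume declared in the Dockerfile (on Alpine /var/run is normally a symlink to /run), so it should not conflict with `--read-only`, but a comment naming that dependency, e.g. `; /var/run -> /run, which the Dockerfile declares as a writable volume`, would help.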