ensuring that container can run read-only and logs are forwarded to docker logs, fixes for latest alpine and cleanup

.dockerignore

@@ -0,0 +1,10 @@
+# Docs
+README.md
+LICENSE
+
+# build
+build.sh
+buildNoCache.sh
+
+# Git
+.git/

Dockerfile

@@ -12,11 +12,9 @@ RUN apk -U add \
     php7-gd \
     php7-mcrypt \
     php7-json \
-    php7-zlib \
     php7-pdo \
     php7-pdo_mysql \
     supervisor \
-    tini \
     ca-certificates \
     tar \
  && mkdir privatebin && cd privatebin \
@@ -32,10 +30,9 @@ COPY files/php-fpm.conf /etc/php7/php-fpm.conf
 COPY files/supervisord.conf /usr/local/etc/supervisord.conf
 COPY entrypoint.sh /
 
-RUN chmod +x /entrypoint.sh
+# mark dirs as volumes that need to be writable, allows running the container --read-only
-
+VOLUME [ "/privatebin/data", "/privatebin/cfg", "/etc", "/tmp", "/var/tmp", "/run", "/var/log" ]
-VOLUME [ "/privatebin/data", "/privatebin/cfg" ]
 
 EXPOSE 80
 LABEL description "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data."
-CMD ["/sbin/tini","--","/entrypoint.sh"]
+CMD ["/entrypoint.sh"]

buildNoCache.sh

@@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-docker build --rm --pull --no-cache -t jgeusebroek/zerobin .
+docker build --rm --pull --no-cache -t jgeusebroek/privatebin .

entrypoint.sh

@@ -1,11 +1,11 @@
 #!/bin/sh
 
-addgroup -g ${GID} privatebin && adduser -h /privatebin -s /bin/sh -D -G privatebin -u ${UID} privatebin
+addgroup -g ${GID} privatebin && \
-touch /var/run/php-fpm.sock
+adduser -h /privatebin -H -s /bin/sh -D -G privatebin -u ${UID} privatebin
 
 if [ ! -f /privatebin/cfg/conf.php ]; then
 	cp /privatebin/conf.sample.php /privatebin/cfg/conf.php
 fi
 
-chown -R privatebin:privatebin /privatebin /var/run/php-fpm.sock /var/lib/nginx /tmp /var/tmp/nginx
+chown -R privatebin:privatebin /privatebin/data
 supervisord -c /usr/local/etc/supervisord.conf

files/nginx.conf

@@ -12,8 +12,8 @@ http {
     include /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    access_log off;
+    access_log /dev/stdout;
-    error_log /var/log/nginx/error.log error;
+    error_log /dev/stderr error;
 
     sendfile on;
     keepalive_timeout 15;
@@ -47,14 +47,14 @@ http {
         image/svg+xml;
 
     server {
-    	listen 80;
+        listen 80;
-    	root /privatebin;
+        root /privatebin;
-    	index index.php index.html;
+        index index.php index.html;
 
-    	location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
+        location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
-    		expires 30d;
+            expires 30d;
-    		access_log off;
+            access_log off;
-	}
+        }
 
         location ~ ^/(data|cfg|tmp) {
             deny all;
@@ -68,17 +68,15 @@ http {
             deny all;
         }
 
-    	location / {
+        location / {
-        	try_files $uri $uri/ /index.php;
+            try_files $uri $uri/ /index.php;
-    	}
+        }
-
-	location ~ \.php$ {
-    		fastcgi_index index.php;
-    		fastcgi_pass unix:/var/run/php-fpm.sock;
-    		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    		include /etc/nginx/fastcgi_params;
-	}
 
+        location ~ \.php$ {
+            fastcgi_index index.php;
+            fastcgi_pass unix:/var/run/php-fpm.sock;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include /etc/nginx/fastcgi_params;
+        }
     }
-
 }

files/php-fpm.conf

@@ -1,3 +1,5 @@
+[global]
+daemonize = no
 [www]
 user = privatebin
 group = privatebin

files/supervisord.conf

@@ -1,8 +1,19 @@
 [supervisord]
 nodaemon=true
+pidfile=/var/run/supervisord.pid
+logfile=/var/log/supervisord.log
 
 [program:php-fpm]
-command=php-fpm7 --nodaemonize
+command=php-fpm7
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 
 [program:nginx]
 command=nginx
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+