From 5b731739128a50224f9e4038507e69650552853f Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sun, 11 Nov 2018 13:57:42 +0100
Subject: [PATCH] Implement support for multiple PHP versions

This commit provides docker images and scripts to support multiple Debian and PHP releases via containers.
---
 LICENSE | 19 ++
 build.sh | 12 ++
 buster_php7/Dockerfile | 8 +
 buster_php7/Dockerfile-base | 31 +++
 buster_php7/Dockerfile-mysql | 15 ++
 buster_php7/Dockerfile-pgsql | 15 ++
 buster_php7/fpm-pool.conf.tmpl | 15 ++
 buster_php7/libnss-ldap.conf | 323 ++++++++++++++++++++++++++++++++
 buster_php7/nsswitch.conf | 19 ++
 buster_php7/start-fpm.sh | 11 ++
 jessie_php5/Dockerfile | 8 +
 jessie_php5/Dockerfile-base | 38 ++++
 jessie_php5/Dockerfile-mysql | 15 ++
 jessie_php5/Dockerfile-pgsql | 15 ++
 jessie_php5/fpm-pool.conf.tmpl | 15 ++
 jessie_php5/libnss-ldap.conf | 323 ++++++++++++++++++++++++++++++++
 jessie_php5/nsswitch.conf | 19 ++
 jessie_php5/start-fpm.sh | 10 +
 run.sh | 58 ++++++
 stretch_php7/Dockerfile | 8 +
 stretch_php7/Dockerfile-base | 32 ++++
 stretch_php7/Dockerfile-mysql | 15 ++
 stretch_php7/Dockerfile-pgsql | 15 ++
 stretch_php7/fpm-pool.conf.tmpl | 15 ++
 stretch_php7/libnss-ldap.conf | 323 ++++++++++++++++++++++++++++++++
 stretch_php7/nsswitch.conf | 19 ++
 stretch_php7/start-fpm.sh | 11 ++
 wheezy_php5/Dockerfile | 8 +
 wheezy_php5/Dockerfile-base | 39 ++++
 wheezy_php5/Dockerfile-mysql | 15 ++
 wheezy_php5/Dockerfile-pgsql | 15 ++
 wheezy_php5/fpm-pool.conf.tmpl | 15 ++
 wheezy_php5/libnss-ldap.conf | 323 ++++++++++++++++++++++++++++++++
 wheezy_php5/nsswitch.conf | 19 ++
 wheezy_php5/start-fpm.sh | 10 +
 35 files changed, 1851 insertions(+)
 create mode 100644 LICENSE
 create mode 100755 build.sh
 create mode 100644 buster_php7/Dockerfile
 create mode 100644 buster_php7/Dockerfile-base
 create mode 100644 buster_php7/Dockerfile-mysql
 create mode 100644 buster_php7/Dockerfile-pgsql
 create mode 100644 buster_php7/fpm-pool.conf.tmpl
 create mode 100644 buster_php7/libnss-ldap.conf
 create mode 100644 buster_php7/nsswitch.conf
 create mode 100755 buster_php7/start-fpm.sh
 create mode 100644 jessie_php5/Dockerfile
 create mode 100644 jessie_php5/Dockerfile-base
 create mode 100644 jessie_php5/Dockerfile-mysql
 create mode 100644 jessie_php5/Dockerfile-pgsql
 create mode 100644 jessie_php5/fpm-pool.conf.tmpl
 create mode 100644 jessie_php5/libnss-ldap.conf
 create mode 100644 jessie_php5/nsswitch.conf
 create mode 100755 jessie_php5/start-fpm.sh
 create mode 100755 run.sh
 create mode 100644 stretch_php7/Dockerfile
 create mode 100644 stretch_php7/Dockerfile-base
 create mode 100644 stretch_php7/Dockerfile-mysql
 create mode 100644 stretch_php7/Dockerfile-pgsql
 create mode 100644 stretch_php7/fpm-pool.conf.tmpl
 create mode 100644 stretch_php7/libnss-ldap.conf
 create mode 100644 stretch_php7/nsswitch.conf
 create mode 100755 stretch_php7/start-fpm.sh
 create mode 100644 wheezy_php5/Dockerfile
 create mode 100644 wheezy_php5/Dockerfile-base
 create mode 100644 wheezy_php5/Dockerfile-mysql
 create mode 100644 wheezy_php5/Dockerfile-pgsql
 create mode 100644 wheezy_php5/fpm-pool.conf.tmpl
 create mode 100644 wheezy_php5/libnss-ldap.conf
 create mode 100644 wheezy_php5/nsswitch.conf
 create mode 100755 wheezy_php5/start-fpm.sh

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2704d3f
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,19 @@
+Copyright 2018 Jan Dittberner IT-Consulting & -Solutions
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..db98ee4
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+for dist in wheezy_php5 jessie_php5 stretch_php7 buster_php7; do
+ docker build --pull -t gnuviech/${dist}-base ${dist} -f ${dist}/Dockerfile-base
+ docker build -t gnuviech/${dist} ${dist} -f ${dist}/Dockerfile
+ docker build -t gnuviech/${dist}-mysql ${dist} -f ${dist}/Dockerfile-mysql
+ docker build -t gnuviech/${dist}-pgsql ${dist} -f ${dist}/Dockerfile-pgsql
+done
+
+docker image prune -f
diff --git a/buster_php7/Dockerfile b/buster_php7/Dockerfile
new file mode 100644
index 0000000..b10d032
--- /dev/null
+++ b/buster_php7/Dockerfile
@@ -0,0 +1,8 @@
+FROM gnuviech/buster_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/buster_php7/Dockerfile-base b/buster_php7/Dockerfile-base
new file mode 100644
index 0000000..ff6d6bb
--- /dev/null
+++ b/buster_php7/Dockerfile-base
@@ -0,0 +1,31 @@
+FROM debian:buster
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ dumb-init \
+ libnss-ldap \
+ nullmailer \
+ php-curl \
+ php-fpm \
+ php-gd \
+ php-imagick \
+ php-imap \
+ php-json \
+ php-mail \
+ php-mail-mime \
+ php-mbstring \
+ php-net-smtp \
+ php-net-socket \
+ php7.2-opcache \
+ php-pspell \
+ php-sqlite3 \
+ psmisc \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php/7.2/fpm/pool.d/www.conf
diff --git a/buster_php7/Dockerfile-mysql b/buster_php7/Dockerfile-mysql
new file mode 100644
index 0000000..43ac639
--- /dev/null
+++ b/buster_php7/Dockerfile-mysql
@@ -0,0 +1,15 @@
+FROM gnuviech/buster_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/buster_php7/Dockerfile-pgsql b/buster_php7/Dockerfile-pgsql
new file mode 100644
index 0000000..43ac639
--- /dev/null
+++ b/buster_php7/Dockerfile-pgsql
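Review bot: `php7.2-opcache` and the `RUN rm -f /etc/php/7.2/fpm/pool.d/www.conf` line pin PHP 7.2 while every other package in the same `RUN` is an unversioned `php-*` metapackage resolved from `debian:buster`, which at the time of this commit was a moving (testing) suite; once the metapackages move to a newer PHP the install fails or the default `www.conf` silently survives, and `start-fpm.sh` writes its pool into the same hard-coded 7.2 directory. Either pin every package to `php7.2-*` (as the jessie variant does with `php5-*`) or remove the explicit version and derive the fpm directory at run time. `ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/` should be `COPY --chown=root:root nsswitch.conf libnss-ldap.conf /etc/`, since ADD's archive-extraction and URL semantics are not wanted for plain local files (hadolint DL3020); the jessie and stretch `Dockerfile-base` hunks use the same ADD. The clean-up glob `/var/lib/apt/lists/*.*` only matches entries containing a dot, so the conventional `rm -rf /var/lib/apt/lists/*` is the safer form here and in the mysql/pgsql Dockerfiles.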
@@ -0,0 +1,15 @@
+FROM gnuviech/buster_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/buster_php7/fpm-pool.conf.tmpl b/buster_php7/fpm-pool.conf.tmpl
new file mode 100644
index 0000000..b5f2976
--- /dev/null
+++ b/buster_php7/fpm-pool.conf.tmpl
@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log
diff --git a/buster_php7/libnss-ldap.conf b/buster_php7/libnss-ldap.conf
new file mode 100644
index 0000000..068b433
--- /dev/null
+++ b/buster_php7/libnss-ldap.conf
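Review bot: `buster_php7/Dockerfile-pgsql` installs `php-mysql` instead of `php-pgsql`, so the image tagged `gnuviech/buster_php7-pgsql` ships without a PostgreSQL driver; the blob id `43ac639` is identical to `Dockerfile-mysql`, which suggests the file was copied and not edited, whereas the stretch and jessie pgsql variants correctly install `php-pgsql` / `php5-pgsql`. Change the package line to `+ php-pgsql \`. Since the four `Dockerfile`, `Dockerfile-mysql` and `Dockerfile-pgsql` files per distribution differ only in one package, the shared `COPY`/`ENTRYPOINT`/`CMD` tail could live in `Dockerfile-base` to make such copy errors less likely.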
@@ -0,0 +1,323 @@ +###DEBCONF### +# the configuration of this file will be done by debconf as long as the +# first line of the file says '###DEBCONF###' +# +# you should use dpkg-reconfigure libnss-ldap to configure this file. +# +# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $ +# +# This is the configuration file for the LDAP nameservice +# switch library and the LDAP PAM module. +# +# PADL Software +# http://www.padl.com +# + +# Your LDAP server. Must be resolvable without using LDAP. +# Multiple hosts may be specified, each separated by a +# space. How long nss_ldap takes to failover depends on +# whether your LDAP client library supports configurable +# network or connect timeouts (see bind_timelimit). +#host 127.0.0.1 + +# The distinguished name of the search base. +base dc=gnuviech,dc=internal + +# Another way to specify your LDAP server is to provide an +uri ldap://10.0.0.11/ +# Unix Domain Sockets to connect to a local LDAP Server. +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +# Please do not put double quotes around it as they +# would be included literally. +#binddn cn=proxyuser,dc=padl,dc=com + +# The credentials to bind with. +# Optional: default is no credential. +#bindpw secret + +# The distinguished name to bind to the server with +# if the effective user ID is root. Password is +# stored in /etc/libnss-ldap.secret (mode 600) +# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead +# of an editor to create the file. +#rootbinddn cn=manager,dc=example,dc=net + +# The port. +# Optional: default is 389. +#port 389 + +# The search scope. 
+#scope sub +#scope one +#scope base + +# Search timelimit +#timelimit 30 + +# Bind/connect timelimit +#bind_timelimit 30 + +# Reconnect policy: +# hard_open: reconnect to DSA with exponential backoff if +# opening connection failed +# hard_init: reconnect to DSA with exponential backoff if +# initializing connection failed +# hard: alias for hard_open +# soft: return immediately on server failure +#bind_policy hard + +# Connection policy: +# persist: DSA connections are kept open (default) +# oneshot: DSA connections destroyed after request +#nss_connect_policy persist + +# Idle timelimit; client will close connections +# (nss_ldap only) if the server has not been contacted +# for the number of seconds specified below. +#idle_timelimit 3600 + +# Use paged rseults +#nss_paged_results yes + +# Pagesize: when paged results enable, used to set the +# pagesize to a custom value +#pagesize 1000 + +# Filter to AND with uid=%s +#pam_filter objectclass=account + +# The user ID attribute (defaults to uid) +#pam_login_attribute uid + +# Search the root DSE for the password policy (works +# with Netscape Directory Server) +#pam_lookup_policy yes + +# Check the 'host' attribute for access control +# Default is no; if set to yes, and user has no +# value for the host attribute, and pam_ldap is +# configured for account management (authorization) +# then the user will not be allowed to login. +#pam_check_host_attr yes + +# Check the 'authorizedService' attribute for access +# control +# Default is no; if set to yes, and the user has no +# value for the authorizedService attribute, and +# pam_ldap is configured for account management +# (authorization) then the user will not be allowed +# to login. 
+#pam_check_service_attr yes + +# Group to enforce membership of +#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com + +# Group member attribute +#pam_member_attribute uniquemember + +# Specify a minium or maximum UID number allowed +#pam_min_uid 0 +#pam_max_uid 0 + +# Template login attribute, default template user +# (can be overriden by value of former attribute +# in user's entry) +#pam_login_attribute userPrincipalName +#pam_template_login_attribute uid +#pam_template_login nobody + +# HEADS UP: the pam_crypt, pam_nds_passwd, +# and pam_ad_passwd options are no +# longer supported. +# +# Do not hash the password at all; presume +# the directory server will do it, if +# necessary. This is the default. +#pam_password clear + +# Hash password locally; required for University of +# Michigan LDAP server, and works with Netscape +# Directory Server if you're using the UNIX-Crypt +# hash mechanism and not using the NT Synchronization +# service. +#pam_password crypt + +# Remove old password first, then update in +# cleartext. Necessary for use with Novell +# Directory Services (NDS) +#pam_password nds + +# RACF is an alias for the above. For use with +# IBM RACF +#pam_password racf + +# Update Active Directory password, by +# creating Unicode password and updating +# unicodePwd attribute. +#pam_password ad + +# Use the OpenLDAP password change +# extended operation to update the password. +#pam_password exop + +# Redirect users to a URL or somesuch on password +# changes. +#pam_password_prohibit_message Please visit http://internal to change your password. + +# Use backlinks for answering initgroups() +#nss_initgroups backlink + +# Enable support for RFC2307bis (distinguished names in group +# members) +#nss_schema rfc2307bis + +# RFC2307bis naming contexts +# Syntax: +# nss_base_XXX base?scope?filter +# where scope is {base,one,sub} +# and filter is a filter to be &'d with the +# default filter. 
+# You can omit the suffix eg: +# nss_base_passwd ou=People, +# to append the default base DN but this +# may incur a small performance impact. +#nss_base_passwd ou=People,dc=padl,dc=com?one +#nss_base_shadow ou=People,dc=padl,dc=com?one +#nss_base_group ou=Group,dc=padl,dc=com?one +#nss_base_hosts ou=Hosts,dc=padl,dc=com?one +#nss_base_services ou=Services,dc=padl,dc=com?one +#nss_base_networks ou=Networks,dc=padl,dc=com?one +#nss_base_protocols ou=Protocols,dc=padl,dc=com?one +#nss_base_rpc ou=Rpc,dc=padl,dc=com?one +#nss_base_ethers ou=Ethers,dc=padl,dc=com?one +#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne +#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one +#nss_base_aliases ou=Aliases,dc=padl,dc=com?one +#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +# attribute/objectclass mapping +# Syntax: +#nss_map_attribute rfc2307attribute mapped_attribute +#nss_map_objectclass rfc2307objectclass mapped_objectclass + +# configure --enable-nds is no longer supported. +# NDS mappings +#nss_map_attribute uniqueMember member + +# Services for UNIX 3.5 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount User +#nss_map_attribute uid msSFU30Name +#nss_map_attribute uniqueMember msSFU30PosixMember +#nss_map_attribute userPassword msSFU30Password +#nss_map_attribute homeDirectory msSFU30HomeDirectory +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_objectclass posixGroup Group +#pam_login_attribute msSFU30Name +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-mssfu-schema is no longer supported. 
+# Services for UNIX 2.0 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid msSFUName +#nss_map_attribute uniqueMember posixMember +#nss_map_attribute userPassword msSFUPassword +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup Group +#nss_map_attribute cn msSFUName +#pam_login_attribute msSFUName +#pam_filter objectclass=User +#pam_password ad + +# RFC 2307 (AD) mappings +#nss_map_objectclass posixAccount user +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid sAMAccountName +#nss_map_attribute homeDirectory unixHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup group +#nss_map_attribute uniqueMember member +#pam_login_attribute sAMAccountName +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-authpassword is no longer supported +# AuthPassword mappings +#nss_map_attribute userPassword authPassword + +# AIX SecureWay mappings +#nss_map_objectclass posixAccount aixAccount +#nss_base_passwd ou=aixaccount,?one +#nss_map_attribute uid userName +#nss_map_attribute gidNumber gid +#nss_map_attribute uidNumber uid +#nss_map_attribute userPassword passwordChar +#nss_map_objectclass posixGroup aixAccessGroup +#nss_base_group ou=aixgroup,?one +#nss_map_attribute cn groupName +#nss_map_attribute uniqueMember member +#pam_login_attribute userName +#pam_filter objectclass=aixAccount +#pam_password clear + +# For pre-RFC2307bis automount schema +#nss_map_objectclass automountMap nisMap +#nss_map_attribute automountMapName nisMapName +#nss_map_objectclass automount nisObject +#nss_map_attribute automountKey cn +#nss_map_attribute automountInformation nisMapEntry + +# Netscape SDK LDAPS +#ssl on + +# Netscape SDK SSL options +#sslpath /etc/ssl/certs + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +#ssl 
start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
diff --git a/buster_php7/nsswitch.conf b/buster_php7/nsswitch.conf
new file mode 100644
index 0000000..1d69bd7
--- /dev/null
+++ b/buster_php7/nsswitch.conf
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat ldap
+group: compat ldap
+shadow: compat
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/buster_php7/start-fpm.sh b/buster_php7/start-fpm.sh
new file mode 100755
index 0000000..208dc03
--- /dev/null
+++ b/buster_php7/start-fpm.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+ < /usr/local/etc/fpm-pool.conf.tmpl \
+ > "/etc/php/7.2/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+mkdir -p /run/php
+/usr/sbin/php-fpm7.2 --nodaemonize
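Review bot: The only active settings in this file, `uri ldap://10.0.0.11/` and `base dc=gnuviech,dc=internal` near the top of the hunk, point nss_ldap at a plain-LDAP URI while `ssl`, `tls_checkpeer` and `tls_cacertfile` stay commented out, so every passwd/group lookup php-fpm performs in these containers goes unauthenticated and in cleartext to the directory that supplies the uid/gid the pool runs as. Enabling `ssl start_tls` together with `tls_checkpeer yes` and a `tls_cacertfile` would let the container verify the server it takes its identities from. `bind_policy` is also left at its hard default, so an unreachable directory stalls name resolution (and therefore pool start-up) instead of failing fast; `bind_policy soft` with a short `bind_timelimit` is worth considering. The file is byte-identical in all four distribution directories (blob `068b433`), so a single shared copy referenced from each Dockerfile would stop the copies drifting apart; the same note applies to the `jessie_php5/libnss-ldap.conf` hunk.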
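Review bot: `FPM_USER` and `FPM_VARIANT` are interpolated into the `sed` expression and into the pool-file path without any check, so an unset `FPM_USER` writes `/etc/php/7.2/fpm/pool.d/.conf` with an empty `user =`, and a value containing `/` breaks the sed script; add `: "${FPM_USER:?FPM_USER must be set}"` and `: "${FPM_VARIANT:?FPM_VARIANT must be set}"` directly after `set -e`. The last line should be `exec /usr/sbin/php-fpm7.2 --nodaemonize` so php-fpm replaces the shell instead of running as its child; dumb-init forwards signals to the child's process group by default, but `exec` keeps the supervision chain short and is the conventional wrapper idiom. `/etc/init.d/nullmailer start` leaves a second, unsupervised daemon in the container that nothing restarts if it exits, which deserves a comment explaining that this is accepted. The `jessie_php5/start-fpm.sh` hunk has the same issues.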
diff --git a/jessie_php5/Dockerfile b/jessie_php5/Dockerfile
new file mode 100644
index 0000000..8d1fb97
--- /dev/null
+++ b/jessie_php5/Dockerfile
@@ -0,0 +1,8 @@
+FROM gnuviech/jessie_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/jessie_php5/Dockerfile-base b/jessie_php5/Dockerfile-base
new file mode 100644
index 0000000..5550722
--- /dev/null
+++ b/jessie_php5/Dockerfile-base
@@ -0,0 +1,38 @@
+FROM debian:jessie
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ libnss-ldap \
+ nullmailer \
+ php-apc \
+ php-mail \
+ php-mail-mime \
+ php-mail-mimedecode \
+ php-net-smtp \
+ php-net-socket \
+ php5-apcu \
+ php5-curl \
+ php5-fpm \
+ php5-gd \
+ php5-imagick \
+ php5-imap \
+ php5-json \
+ php5-mcrypt \
+ php5-pspell \
+ php5-sqlite \
+ psmisc \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+RUN curl -o dumb-init_1.2.2.deb -L https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64.deb && \
+ dpkg -i dumb-init_1.2.2.deb && \
+ rm -f dumb-init_1.2.2.deb
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php5/fpm/pool.d/www.conf
diff --git a/jessie_php5/Dockerfile-mysql b/jessie_php5/Dockerfile-mysql
new file mode 100644
index 0000000..3b07c19
--- /dev/null
+++ b/jessie_php5/Dockerfile-mysql
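Review bot: The `RUN curl -o dumb-init_1.2.2.deb -L https://github.com/Yelp/dumb-init/...` step installs the container's PID 1 from a download whose contents are never verified; TLS (via the `ca-certificates` package installed above) authenticates the host, not the artifact, so a checksum check belongs before `dpkg -i`, e.g. `echo "<sha256 of dumb-init_1.2.2_amd64.deb — fill in from the release page> dumb-init_1.2.2.deb" | sha256sum -c -`. `curl` is also run without `-f`, so an HTTP error page would be saved as the `.deb` and only fail later inside `dpkg` with a less useful message; `curl -fsSL` makes the failure explicit. The `amd64` architecture is hard-coded, which is fine for this host but worth a comment since the buster/stretch variants take `dumb-init` from apt and are architecture-neutral.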
@@ -0,0 +1,15 @@
+FROM gnuviech/jessie_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php5-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/jessie_php5/Dockerfile-pgsql b/jessie_php5/Dockerfile-pgsql
new file mode 100644
index 0000000..9842c04
--- /dev/null
+++ b/jessie_php5/Dockerfile-pgsql
@@ -0,0 +1,15 @@
+FROM gnuviech/jessie_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php5-pgsql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/jessie_php5/fpm-pool.conf.tmpl b/jessie_php5/fpm-pool.conf.tmpl
new file mode 100644
index 0000000..b5f2976
--- /dev/null
+++ b/jessie_php5/fpm-pool.conf.tmpl
@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log
diff --git a/jessie_php5/libnss-ldap.conf b/jessie_php5/libnss-ldap.conf
new file mode 100644
index 0000000..068b433
--- /dev/null
+++ b/jessie_php5/libnss-ldap.conf
@@ -0,0 +1,323 @@ +###DEBCONF### +# the configuration of this file will be done by debconf as long as the +# first line of the file says '###DEBCONF###' +# +# you should use dpkg-reconfigure libnss-ldap to configure this file. +# +# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $ +# +# This is the configuration file for the LDAP nameservice +# switch library and the LDAP PAM module. +# +# PADL Software +# http://www.padl.com +# + +# Your LDAP server. Must be resolvable without using LDAP. +# Multiple hosts may be specified, each separated by a +# space. How long nss_ldap takes to failover depends on +# whether your LDAP client library supports configurable +# network or connect timeouts (see bind_timelimit). +#host 127.0.0.1 + +# The distinguished name of the search base. +base dc=gnuviech,dc=internal + +# Another way to specify your LDAP server is to provide an +uri ldap://10.0.0.11/ +# Unix Domain Sockets to connect to a local LDAP Server. +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +# Please do not put double quotes around it as they +# would be included literally. +#binddn cn=proxyuser,dc=padl,dc=com + +# The credentials to bind with. +# Optional: default is no credential. +#bindpw secret + +# The distinguished name to bind to the server with +# if the effective user ID is root. Password is +# stored in /etc/libnss-ldap.secret (mode 600) +# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead +# of an editor to create the file. +#rootbinddn cn=manager,dc=example,dc=net + +# The port. +# Optional: default is 389. +#port 389 + +# The search scope. 
+#scope sub +#scope one +#scope base + +# Search timelimit +#timelimit 30 + +# Bind/connect timelimit +#bind_timelimit 30 + +# Reconnect policy: +# hard_open: reconnect to DSA with exponential backoff if +# opening connection failed +# hard_init: reconnect to DSA with exponential backoff if +# initializing connection failed +# hard: alias for hard_open +# soft: return immediately on server failure +#bind_policy hard + +# Connection policy: +# persist: DSA connections are kept open (default) +# oneshot: DSA connections destroyed after request +#nss_connect_policy persist + +# Idle timelimit; client will close connections +# (nss_ldap only) if the server has not been contacted +# for the number of seconds specified below. +#idle_timelimit 3600 + +# Use paged rseults +#nss_paged_results yes + +# Pagesize: when paged results enable, used to set the +# pagesize to a custom value +#pagesize 1000 + +# Filter to AND with uid=%s +#pam_filter objectclass=account + +# The user ID attribute (defaults to uid) +#pam_login_attribute uid + +# Search the root DSE for the password policy (works +# with Netscape Directory Server) +#pam_lookup_policy yes + +# Check the 'host' attribute for access control +# Default is no; if set to yes, and user has no +# value for the host attribute, and pam_ldap is +# configured for account management (authorization) +# then the user will not be allowed to login. +#pam_check_host_attr yes + +# Check the 'authorizedService' attribute for access +# control +# Default is no; if set to yes, and the user has no +# value for the authorizedService attribute, and +# pam_ldap is configured for account management +# (authorization) then the user will not be allowed +# to login. 
+#pam_check_service_attr yes + +# Group to enforce membership of +#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com + +# Group member attribute +#pam_member_attribute uniquemember + +# Specify a minium or maximum UID number allowed +#pam_min_uid 0 +#pam_max_uid 0 + +# Template login attribute, default template user +# (can be overriden by value of former attribute +# in user's entry) +#pam_login_attribute userPrincipalName +#pam_template_login_attribute uid +#pam_template_login nobody + +# HEADS UP: the pam_crypt, pam_nds_passwd, +# and pam_ad_passwd options are no +# longer supported. +# +# Do not hash the password at all; presume +# the directory server will do it, if +# necessary. This is the default. +#pam_password clear + +# Hash password locally; required for University of +# Michigan LDAP server, and works with Netscape +# Directory Server if you're using the UNIX-Crypt +# hash mechanism and not using the NT Synchronization +# service. +#pam_password crypt + +# Remove old password first, then update in +# cleartext. Necessary for use with Novell +# Directory Services (NDS) +#pam_password nds + +# RACF is an alias for the above. For use with +# IBM RACF +#pam_password racf + +# Update Active Directory password, by +# creating Unicode password and updating +# unicodePwd attribute. +#pam_password ad + +# Use the OpenLDAP password change +# extended operation to update the password. +#pam_password exop + +# Redirect users to a URL or somesuch on password +# changes. +#pam_password_prohibit_message Please visit http://internal to change your password. + +# Use backlinks for answering initgroups() +#nss_initgroups backlink + +# Enable support for RFC2307bis (distinguished names in group +# members) +#nss_schema rfc2307bis + +# RFC2307bis naming contexts +# Syntax: +# nss_base_XXX base?scope?filter +# where scope is {base,one,sub} +# and filter is a filter to be &'d with the +# default filter. 
+# You can omit the suffix eg: +# nss_base_passwd ou=People, +# to append the default base DN but this +# may incur a small performance impact. +#nss_base_passwd ou=People,dc=padl,dc=com?one +#nss_base_shadow ou=People,dc=padl,dc=com?one +#nss_base_group ou=Group,dc=padl,dc=com?one +#nss_base_hosts ou=Hosts,dc=padl,dc=com?one +#nss_base_services ou=Services,dc=padl,dc=com?one +#nss_base_networks ou=Networks,dc=padl,dc=com?one +#nss_base_protocols ou=Protocols,dc=padl,dc=com?one +#nss_base_rpc ou=Rpc,dc=padl,dc=com?one +#nss_base_ethers ou=Ethers,dc=padl,dc=com?one +#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne +#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one +#nss_base_aliases ou=Aliases,dc=padl,dc=com?one +#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +# attribute/objectclass mapping +# Syntax: +#nss_map_attribute rfc2307attribute mapped_attribute +#nss_map_objectclass rfc2307objectclass mapped_objectclass + +# configure --enable-nds is no longer supported. +# NDS mappings +#nss_map_attribute uniqueMember member + +# Services for UNIX 3.5 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount User +#nss_map_attribute uid msSFU30Name +#nss_map_attribute uniqueMember msSFU30PosixMember +#nss_map_attribute userPassword msSFU30Password +#nss_map_attribute homeDirectory msSFU30HomeDirectory +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_objectclass posixGroup Group +#pam_login_attribute msSFU30Name +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-mssfu-schema is no longer supported. 
+# Services for UNIX 2.0 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid msSFUName +#nss_map_attribute uniqueMember posixMember +#nss_map_attribute userPassword msSFUPassword +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup Group +#nss_map_attribute cn msSFUName +#pam_login_attribute msSFUName +#pam_filter objectclass=User +#pam_password ad + +# RFC 2307 (AD) mappings +#nss_map_objectclass posixAccount user +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid sAMAccountName +#nss_map_attribute homeDirectory unixHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup group +#nss_map_attribute uniqueMember member +#pam_login_attribute sAMAccountName +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-authpassword is no longer supported +# AuthPassword mappings +#nss_map_attribute userPassword authPassword + +# AIX SecureWay mappings +#nss_map_objectclass posixAccount aixAccount +#nss_base_passwd ou=aixaccount,?one +#nss_map_attribute uid userName +#nss_map_attribute gidNumber gid +#nss_map_attribute uidNumber uid +#nss_map_attribute userPassword passwordChar +#nss_map_objectclass posixGroup aixAccessGroup +#nss_base_group ou=aixgroup,?one +#nss_map_attribute cn groupName +#nss_map_attribute uniqueMember member +#pam_login_attribute userName +#pam_filter objectclass=aixAccount +#pam_password clear + +# For pre-RFC2307bis automount schema +#nss_map_objectclass automountMap nisMap +#nss_map_attribute automountMapName nisMapName +#nss_map_objectclass automount nisObject +#nss_map_attribute automountKey cn +#nss_map_attribute automountInformation nisMapEntry + +# Netscape SDK LDAPS +#ssl on + +# Netscape SDK SSL options +#sslpath /etc/ssl/certs + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +#ssl 
start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
diff --git a/jessie_php5/nsswitch.conf b/jessie_php5/nsswitch.conf
new file mode 100644
index 0000000..1d69bd7
--- /dev/null
+++ b/jessie_php5/nsswitch.conf
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat ldap
+group: compat ldap
+shadow: compat
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/jessie_php5/start-fpm.sh b/jessie_php5/start-fpm.sh
new file mode 100755
index 0000000..75f2869
--- /dev/null
+++ b/jessie_php5/start-fpm.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+ < /usr/local/etc/fpm-pool.conf.tmpl \
+ > "/etc/php5/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+/usr/sbin/php5-fpm --nodaemonize
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..d505690
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -e
+valid_users=$(getent passwd | grep ^usr | cut -d : -f 1)
+
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 [] "
+ echo
+ echo " is one of wheezy, jessie, stretch, buster"
+ echo " is one of mysql or pgsql"
+ echo " is a user name defined in ldap and on file"
+ echo
+ for u in $valid_users; do echo $u; done | xargs -n 10 echo
+ exit 1
+fi
+
+if [ $# -eq 3 ]; then
+ dist=$1
+ username="$3"
+ variant="-$2"
+else
+ dist=$1
+ username="$2"
+ variant=""
+fi
+
+case $dist in
+ wheezy|jessie)
+ image=gnuviech/${dist}_php5${variant}
+ ;;
+ stretch|buster)
+ image=gnuviech/${dist}_php7${variant}
+ ;;
+ *)
+ echo "Unknown distribution $dist"
+ exit 2
+esac
+
+for u in $valid_users; do
+ if [ "$u" = "${username}" ]; then
+ choosen_user=$u
+ fi
+done
+
+if [ -z "$choosen_user" ]; then
+ echo "Invalid user ${username}"
+ exit 3
+fi
+
+docker run \
+ --volume-driver=nfs --net=host --rm --detach \
+ -v "file/web/$choosen_user:/srv" \
+ -v "/var/run/php-fpm-docker:/var/run/php-fpm-docker" \
+ -v "/var/log/php-fpm-docker:/var/log/php-fpm-docker" \
+ -e "FPM_USER=$choosen_user" \
+ -e "FPM_VARIANT=${dist}${variant}" \
+ --name "${choosen_user}_${dist}${variant}" \
+ "$image"
diff --git a/stretch_php7/Dockerfile b/stretch_php7/Dockerfile
new file mode 100644
index 0000000..c3e27fb
--- /dev/null
+++ b/stretch_php7/Dockerfile
@@ -0,0 +1,8 @@
+FROM gnuviech/stretch_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/stretch_php7/Dockerfile-base b/stretch_php7/Dockerfile-base
new file mode 100644
index 0000000..029dd8e
--- /dev/null
+++ b/stretch_php7/Dockerfile-base
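Review bot: `docker run ... --net=host` places every per-user php-fpm container in the host network namespace, so a compromised PHP pool sees the host's interfaces and loopback services and the remaining isolation is the filesystem and uid; the web server reaches php-fpm through the unix socket bind-mounted from `/var/run/php-fpm-docker`, so host networking appears to exist only for outbound LDAP/database access, which a user-defined bridge network that can reach those services would provide while keeping the namespace boundary. The command also sets no resource limits, so a single pool (`pm.max_children = 20` in the template) can exhaust host memory or PIDs; `--memory`, `--pids-limit` and `--cap-drop=ALL` plus the few capabilities php-fpm needs to switch to the pool user are the usual hardening for multi-tenant containers. The variant argument `$2` is only turned into an image suffix (`variant="-$2"`) and never checked against `mysql|pgsql` as the usage text promises, so a typo surfaces as a `docker run` pull error rather than the usage message; a `case "$2" in mysql|pgsql) ;; *) ... exit 1 ;; esac` next to the `dist` check would close that. `choosen_user` is misspelled throughout (`chosen_user`).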
@@ -0,0 +1,32 @@
+FROM debian:stretch
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ dumb-init \
+ libnss-ldap \
+ nullmailer \
+ php-curl \
+ php-fpm \
+ php-gd \
+ php-imagick \
+ php-imap \
+ php-json \
+ php-mail \
+ php-mail-mime \
+ php-mbstring \
+ php-mcrypt \
+ php-net-smtp \
+ php-net-socket \
+ php-opcache \
+ php-pspell \
+ php-sqlite3 \
+ psmisc \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php/7.0/fpm/pool.d/www.conf
diff --git a/stretch_php7/Dockerfile-mysql b/stretch_php7/Dockerfile-mysql
new file mode 100644
index 0000000..25d22b1
--- /dev/null
+++ b/stretch_php7/Dockerfile-mysql
@@ -0,0 +1,15 @@
+FROM gnuviech/stretch_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/stretch_php7/Dockerfile-pgsql b/stretch_php7/Dockerfile-pgsql
new file mode 100644
index 0000000..25b70a4
--- /dev/null
+++ b/stretch_php7/Dockerfile-pgsql
@@ -0,0 +1,15 @@
+FROM gnuviech/stretch_php7-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php-pgsql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/stretch_php7/fpm-pool.conf.tmpl b/stretch_php7/fpm-pool.conf.tmpl
new file mode 100644
index 0000000..b5f2976
--- /dev/null
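Review bot: `ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/` should be `COPY --chown=root:root nsswitch.conf libnss-ldap.conf /etc/`; ADD brings URL fetching and tar auto-extraction that plain config files do not need, and COPY is what linters (hadolint DL3020) expect. The cleanup glob `rm -rf /var/lib/apt/lists/*.*` only matches names containing a dot and leaves `lock` and `partial/` behind; the conventional `rm -rf /var/lib/apt/lists/*` is the form to use. Note that libnss-ldap.conf is baked into the image world-readable, which is fine as long as it carries no `bindpw`/`rootbinddn`; if a bind credential is ever needed it must come in through a runtime mount, never through this layer. Pinning `debian:stretch` by digest would make the base reproducible across rebuilds.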
+++ b/stretch_php7/fpm-pool.conf.tmpl
@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log
diff --git a/stretch_php7/libnss-ldap.conf b/stretch_php7/libnss-ldap.conf
new file mode 100644
index 0000000..068b433
--- /dev/null
+++ b/stretch_php7/libnss-ldap.conf
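Review bot: The socket under `/var/run/php-fpm-docker` lives in a directory that run.sh bind-mounts into every tenant container, yet its permissions are left to php-fpm's default `listen.mode`; make the intent explicit with `listen.mode = 0660` right after `listen.group = www-data`, so only the web server user can connect and a future default change cannot widen it. `request_slowlog_timeout = 10s` only logs; add `request_terminate_timeout = 300s` (or whatever the hosting policy allows) so a stuck script cannot hold a child until `pm.max_children = 20` is exhausted. The `@user@` token also appears inside the `[...]` section header, so the start script that fills in this template has to reject names containing `]` or newlines before the file is written.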
@@ -0,0 +1,323 @@ +###DEBCONF### +# the configuration of this file will be done by debconf as long as the +# first line of the file says '###DEBCONF###' +# +# you should use dpkg-reconfigure libnss-ldap to configure this file. +# +# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $ +# +# This is the configuration file for the LDAP nameservice +# switch library and the LDAP PAM module. +# +# PADL Software +# http://www.padl.com +# + +# Your LDAP server. Must be resolvable without using LDAP. +# Multiple hosts may be specified, each separated by a +# space. How long nss_ldap takes to failover depends on +# whether your LDAP client library supports configurable +# network or connect timeouts (see bind_timelimit). +#host 127.0.0.1 + +# The distinguished name of the search base. +base dc=gnuviech,dc=internal + +# Another way to specify your LDAP server is to provide an +uri ldap://10.0.0.11/ +# Unix Domain Sockets to connect to a local LDAP Server. +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +# Please do not put double quotes around it as they +# would be included literally. +#binddn cn=proxyuser,dc=padl,dc=com + +# The credentials to bind with. +# Optional: default is no credential. +#bindpw secret + +# The distinguished name to bind to the server with +# if the effective user ID is root. Password is +# stored in /etc/libnss-ldap.secret (mode 600) +# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead +# of an editor to create the file. +#rootbinddn cn=manager,dc=example,dc=net + +# The port. +# Optional: default is 389. +#port 389 + +# The search scope. 
+#scope sub +#scope one +#scope base + +# Search timelimit +#timelimit 30 + +# Bind/connect timelimit +#bind_timelimit 30 + +# Reconnect policy: +# hard_open: reconnect to DSA with exponential backoff if +# opening connection failed +# hard_init: reconnect to DSA with exponential backoff if +# initializing connection failed +# hard: alias for hard_open +# soft: return immediately on server failure +#bind_policy hard + +# Connection policy: +# persist: DSA connections are kept open (default) +# oneshot: DSA connections destroyed after request +#nss_connect_policy persist + +# Idle timelimit; client will close connections +# (nss_ldap only) if the server has not been contacted +# for the number of seconds specified below. +#idle_timelimit 3600 + +# Use paged rseults +#nss_paged_results yes + +# Pagesize: when paged results enable, used to set the +# pagesize to a custom value +#pagesize 1000 + +# Filter to AND with uid=%s +#pam_filter objectclass=account + +# The user ID attribute (defaults to uid) +#pam_login_attribute uid + +# Search the root DSE for the password policy (works +# with Netscape Directory Server) +#pam_lookup_policy yes + +# Check the 'host' attribute for access control +# Default is no; if set to yes, and user has no +# value for the host attribute, and pam_ldap is +# configured for account management (authorization) +# then the user will not be allowed to login. +#pam_check_host_attr yes + +# Check the 'authorizedService' attribute for access +# control +# Default is no; if set to yes, and the user has no +# value for the authorizedService attribute, and +# pam_ldap is configured for account management +# (authorization) then the user will not be allowed +# to login. 
+#pam_check_service_attr yes + +# Group to enforce membership of +#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com + +# Group member attribute +#pam_member_attribute uniquemember + +# Specify a minium or maximum UID number allowed +#pam_min_uid 0 +#pam_max_uid 0 + +# Template login attribute, default template user +# (can be overriden by value of former attribute +# in user's entry) +#pam_login_attribute userPrincipalName +#pam_template_login_attribute uid +#pam_template_login nobody + +# HEADS UP: the pam_crypt, pam_nds_passwd, +# and pam_ad_passwd options are no +# longer supported. +# +# Do not hash the password at all; presume +# the directory server will do it, if +# necessary. This is the default. +#pam_password clear + +# Hash password locally; required for University of +# Michigan LDAP server, and works with Netscape +# Directory Server if you're using the UNIX-Crypt +# hash mechanism and not using the NT Synchronization +# service. +#pam_password crypt + +# Remove old password first, then update in +# cleartext. Necessary for use with Novell +# Directory Services (NDS) +#pam_password nds + +# RACF is an alias for the above. For use with +# IBM RACF +#pam_password racf + +# Update Active Directory password, by +# creating Unicode password and updating +# unicodePwd attribute. +#pam_password ad + +# Use the OpenLDAP password change +# extended operation to update the password. +#pam_password exop + +# Redirect users to a URL or somesuch on password +# changes. +#pam_password_prohibit_message Please visit http://internal to change your password. + +# Use backlinks for answering initgroups() +#nss_initgroups backlink + +# Enable support for RFC2307bis (distinguished names in group +# members) +#nss_schema rfc2307bis + +# RFC2307bis naming contexts +# Syntax: +# nss_base_XXX base?scope?filter +# where scope is {base,one,sub} +# and filter is a filter to be &'d with the +# default filter. 
+# You can omit the suffix eg: +# nss_base_passwd ou=People, +# to append the default base DN but this +# may incur a small performance impact. +#nss_base_passwd ou=People,dc=padl,dc=com?one +#nss_base_shadow ou=People,dc=padl,dc=com?one +#nss_base_group ou=Group,dc=padl,dc=com?one +#nss_base_hosts ou=Hosts,dc=padl,dc=com?one +#nss_base_services ou=Services,dc=padl,dc=com?one +#nss_base_networks ou=Networks,dc=padl,dc=com?one +#nss_base_protocols ou=Protocols,dc=padl,dc=com?one +#nss_base_rpc ou=Rpc,dc=padl,dc=com?one +#nss_base_ethers ou=Ethers,dc=padl,dc=com?one +#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne +#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one +#nss_base_aliases ou=Aliases,dc=padl,dc=com?one +#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +# attribute/objectclass mapping +# Syntax: +#nss_map_attribute rfc2307attribute mapped_attribute +#nss_map_objectclass rfc2307objectclass mapped_objectclass + +# configure --enable-nds is no longer supported. +# NDS mappings +#nss_map_attribute uniqueMember member + +# Services for UNIX 3.5 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount User +#nss_map_attribute uid msSFU30Name +#nss_map_attribute uniqueMember msSFU30PosixMember +#nss_map_attribute userPassword msSFU30Password +#nss_map_attribute homeDirectory msSFU30HomeDirectory +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_objectclass posixGroup Group +#pam_login_attribute msSFU30Name +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-mssfu-schema is no longer supported. 
+# Services for UNIX 2.0 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid msSFUName +#nss_map_attribute uniqueMember posixMember +#nss_map_attribute userPassword msSFUPassword +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup Group +#nss_map_attribute cn msSFUName +#pam_login_attribute msSFUName +#pam_filter objectclass=User +#pam_password ad + +# RFC 2307 (AD) mappings +#nss_map_objectclass posixAccount user +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid sAMAccountName +#nss_map_attribute homeDirectory unixHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup group +#nss_map_attribute uniqueMember member +#pam_login_attribute sAMAccountName +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-authpassword is no longer supported +# AuthPassword mappings +#nss_map_attribute userPassword authPassword + +# AIX SecureWay mappings +#nss_map_objectclass posixAccount aixAccount +#nss_base_passwd ou=aixaccount,?one +#nss_map_attribute uid userName +#nss_map_attribute gidNumber gid +#nss_map_attribute uidNumber uid +#nss_map_attribute userPassword passwordChar +#nss_map_objectclass posixGroup aixAccessGroup +#nss_base_group ou=aixgroup,?one +#nss_map_attribute cn groupName +#nss_map_attribute uniqueMember member +#pam_login_attribute userName +#pam_filter objectclass=aixAccount +#pam_password clear + +# For pre-RFC2307bis automount schema +#nss_map_objectclass automountMap nisMap +#nss_map_attribute automountMapName nisMapName +#nss_map_objectclass automount nisObject +#nss_map_attribute automountKey cn +#nss_map_attribute automountInformation nisMapEntry + +# Netscape SDK LDAPS +#ssl on + +# Netscape SDK SSL options +#sslpath /etc/ssl/certs + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +#ssl 
start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
diff --git a/stretch_php7/nsswitch.conf b/stretch_php7/nsswitch.conf
new file mode 100644
index 0000000..1d69bd7
--- /dev/null
+++ b/stretch_php7/nsswitch.conf
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat ldap
+group: compat ldap
+shadow: compat
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/stretch_php7/start-fpm.sh b/stretch_php7/start-fpm.sh
new file mode 100755
index 0000000..fbcbbc5
--- /dev/null
+++ b/stretch_php7/start-fpm.sh
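Review bot: `uri ldap://10.0.0.11/` is the only active server setting while `ssl start_tls`, `tls_checkpeer yes` and `tls_cacertfile` stay commented out, so the passwd/group lookups that decide which uid the pool in fpm-pool.conf.tmpl drops to travel over the network in cleartext and unauthenticated; anything able to answer on the path to 10.0.0.11 could map a tenant name to another tenant's uid. Enable `ssl start_tls`, `tls_checkpeer yes` and `tls_cacertfile /etc/ssl/certs/<internal-ca>.pem` (or switch to `uri ldaps://10.0.0.11/` if the server offers it). The `uri` line has also been dropped into the middle of the "Another way to specify your LDAP server ..." comment; move it below that comment block so the file reads correctly.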
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+ < /usr/local/etc/fpm-pool.conf.tmpl \
+ > "/etc/php/7.0/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+mkdir -p /run/php
+/usr/sbin/php-fpm7.0 --nodaemonize
diff --git a/wheezy_php5/Dockerfile b/wheezy_php5/Dockerfile
new file mode 100644
index 0000000..b85d1d5
--- /dev/null
+++ b/wheezy_php5/Dockerfile
@@ -0,0 +1,8 @@
+FROM gnuviech/wheezy_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/wheezy_php5/Dockerfile-base b/wheezy_php5/Dockerfile-base
new file mode 100644
index 0000000..4f29fb2
--- /dev/null
+++ b/wheezy_php5/Dockerfile-base
@@ -0,0 +1,39 @@
+FROM debian:wheezy
+LABEL maintainer="jan@dittberner.info"
+VOLUME /srv
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ libnss-ldap \
+ libphp-adodb \
+ nullmailer \
+ php-apc \
+ php-mail-mime \
+ php-mail-mimedecode \
+ php-net-smtp \
+ php-net-socket \
+ php5-adodb \
+ php5-curl \
+ php5-fpm \
+ php5-gd \
+ php5-gmp \
+ php5-imap \
+ php5-intl \
+ php5-mcrypt \
+ php5-pspell \
+ php5-sqlite \
+ php5-xmlrpc \
+ procps \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+RUN curl -o dumb-init_1.2.2.deb -L https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64.deb && \
+ dpkg -i dumb-init_1.2.2.deb && \
+ rm -f dumb-init_1.2.2.deb
+
+ADD --chown=root:root nsswitch.conf libnss-ldap.conf /etc/
+
+RUN rm -f /etc/php5/fpm/pool.d/www.conf
diff --git a/wheezy_php5/Dockerfile-mysql b/wheezy_php5/Dockerfile-mysql
new file mode 100644
index 0000000..17001cf
--- /dev/null
+++ b/wheezy_php5/Dockerfile-mysql
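Review bot: The final `/usr/sbin/php-fpm7.0 --nodaemonize` leaves `sh` sitting between dumb-init and php-fpm, so the container reports the shell's exit status and php-fpm is one process removed from the signals dumb-init forwards; use `exec /usr/sbin/php-fpm7.0 --nodaemonize`. With `set -e`, a failing `/etc/init.d/nullmailer start` aborts the container before php-fpm starts, while nullmailer dying later is not noticed at all — if outbound mail is not essential to serving requests, `/etc/init.d/nullmailer start || echo "nullmailer failed to start" >&2` is the more useful failure mode, otherwise a supervisor is needed. `FPM_USER` is also spliced into the sed program and the pool file path unchecked; a guard such as `case "$FPM_USER" in ''|*[!A-Za-z0-9_.-]*) echo "invalid FPM_USER" >&2; exit 1;; esac` before the sed closes that.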
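Review bot: The `RUN curl -o dumb-init_1.2.2.deb -L https://github.com/Yelp/dumb-init/... && dpkg -i ...` step installs a downloaded package with no integrity check, and without `-f` curl will happily save an HTTP error body that dpkg then has to reject; use `curl -fsSL -o dumb-init_1.2.2.deb ...` and verify the release's published digest before `dpkg -i`, e.g. `echo "<sha256 from the v1.2.2 release page>  dumb-init_1.2.2.deb" | sha256sum -c -`. More fundamentally, `FROM debian:wheezy` targets a release whose LTS security support, as far as I know, ended in May 2018 — before this commit — so this image and the PHP 5.4 it ships will receive no further security fixes; tenants on it should be migrated or the image clearly marked unsupported. As in the stretch base, `ADD` for plain config files should be `COPY`.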
@@ -0,0 +1,15 @@
+FROM gnuviech/wheezy_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php5-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/wheezy_php5/Dockerfile-pgsql b/wheezy_php5/Dockerfile-pgsql
new file mode 100644
index 0000000..ea8bda1
--- /dev/null
+++ b/wheezy_php5/Dockerfile-pgsql
@@ -0,0 +1,15 @@
+FROM gnuviech/wheezy_php5-base:latest
+LABEL maintainer="jan@dittberner.info"
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ php5-pgsql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*.*
+
+COPY start-fpm.sh /usr/local/sbin
+COPY fpm-pool.conf.tmpl /usr/local/etc
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+CMD ["/usr/local/sbin/start-fpm.sh"]
diff --git a/wheezy_php5/fpm-pool.conf.tmpl b/wheezy_php5/fpm-pool.conf.tmpl
new file mode 100644
index 0000000..b5f2976
--- /dev/null
+++ b/wheezy_php5/fpm-pool.conf.tmpl
@@ -0,0 +1,15 @@
+[@user@]
+user = @user@
+group = @user@
+listen = /var/run/php-fpm-docker/@user@-@variant@.sock
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 1000
+chdir = /
+request_slowlog_timeout = 10s
+slowlog = /var/log/php-fpm-docker/@user@-@variant@.slow.log
diff --git a/wheezy_php5/libnss-ldap.conf b/wheezy_php5/libnss-ldap.conf
new file mode 100644
index 0000000..068b433
--- /dev/null
+++ b/wheezy_php5/libnss-ldap.conf
@@ -0,0 +1,323 @@ +###DEBCONF### +# the configuration of this file will be done by debconf as long as the +# first line of the file says '###DEBCONF###' +# +# you should use dpkg-reconfigure libnss-ldap to configure this file. +# +# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $ +# +# This is the configuration file for the LDAP nameservice +# switch library and the LDAP PAM module. +# +# PADL Software +# http://www.padl.com +# + +# Your LDAP server. Must be resolvable without using LDAP. +# Multiple hosts may be specified, each separated by a +# space. How long nss_ldap takes to failover depends on +# whether your LDAP client library supports configurable +# network or connect timeouts (see bind_timelimit). +#host 127.0.0.1 + +# The distinguished name of the search base. +base dc=gnuviech,dc=internal + +# Another way to specify your LDAP server is to provide an +uri ldap://10.0.0.11/ +# Unix Domain Sockets to connect to a local LDAP Server. +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +# Please do not put double quotes around it as they +# would be included literally. +#binddn cn=proxyuser,dc=padl,dc=com + +# The credentials to bind with. +# Optional: default is no credential. +#bindpw secret + +# The distinguished name to bind to the server with +# if the effective user ID is root. Password is +# stored in /etc/libnss-ldap.secret (mode 600) +# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead +# of an editor to create the file. +#rootbinddn cn=manager,dc=example,dc=net + +# The port. +# Optional: default is 389. +#port 389 + +# The search scope. 
+#scope sub +#scope one +#scope base + +# Search timelimit +#timelimit 30 + +# Bind/connect timelimit +#bind_timelimit 30 + +# Reconnect policy: +# hard_open: reconnect to DSA with exponential backoff if +# opening connection failed +# hard_init: reconnect to DSA with exponential backoff if +# initializing connection failed +# hard: alias for hard_open +# soft: return immediately on server failure +#bind_policy hard + +# Connection policy: +# persist: DSA connections are kept open (default) +# oneshot: DSA connections destroyed after request +#nss_connect_policy persist + +# Idle timelimit; client will close connections +# (nss_ldap only) if the server has not been contacted +# for the number of seconds specified below. +#idle_timelimit 3600 + +# Use paged rseults +#nss_paged_results yes + +# Pagesize: when paged results enable, used to set the +# pagesize to a custom value +#pagesize 1000 + +# Filter to AND with uid=%s +#pam_filter objectclass=account + +# The user ID attribute (defaults to uid) +#pam_login_attribute uid + +# Search the root DSE for the password policy (works +# with Netscape Directory Server) +#pam_lookup_policy yes + +# Check the 'host' attribute for access control +# Default is no; if set to yes, and user has no +# value for the host attribute, and pam_ldap is +# configured for account management (authorization) +# then the user will not be allowed to login. +#pam_check_host_attr yes + +# Check the 'authorizedService' attribute for access +# control +# Default is no; if set to yes, and the user has no +# value for the authorizedService attribute, and +# pam_ldap is configured for account management +# (authorization) then the user will not be allowed +# to login. 
+#pam_check_service_attr yes + +# Group to enforce membership of +#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com + +# Group member attribute +#pam_member_attribute uniquemember + +# Specify a minium or maximum UID number allowed +#pam_min_uid 0 +#pam_max_uid 0 + +# Template login attribute, default template user +# (can be overriden by value of former attribute +# in user's entry) +#pam_login_attribute userPrincipalName +#pam_template_login_attribute uid +#pam_template_login nobody + +# HEADS UP: the pam_crypt, pam_nds_passwd, +# and pam_ad_passwd options are no +# longer supported. +# +# Do not hash the password at all; presume +# the directory server will do it, if +# necessary. This is the default. +#pam_password clear + +# Hash password locally; required for University of +# Michigan LDAP server, and works with Netscape +# Directory Server if you're using the UNIX-Crypt +# hash mechanism and not using the NT Synchronization +# service. +#pam_password crypt + +# Remove old password first, then update in +# cleartext. Necessary for use with Novell +# Directory Services (NDS) +#pam_password nds + +# RACF is an alias for the above. For use with +# IBM RACF +#pam_password racf + +# Update Active Directory password, by +# creating Unicode password and updating +# unicodePwd attribute. +#pam_password ad + +# Use the OpenLDAP password change +# extended operation to update the password. +#pam_password exop + +# Redirect users to a URL or somesuch on password +# changes. +#pam_password_prohibit_message Please visit http://internal to change your password. + +# Use backlinks for answering initgroups() +#nss_initgroups backlink + +# Enable support for RFC2307bis (distinguished names in group +# members) +#nss_schema rfc2307bis + +# RFC2307bis naming contexts +# Syntax: +# nss_base_XXX base?scope?filter +# where scope is {base,one,sub} +# and filter is a filter to be &'d with the +# default filter. 
+# You can omit the suffix eg: +# nss_base_passwd ou=People, +# to append the default base DN but this +# may incur a small performance impact. +#nss_base_passwd ou=People,dc=padl,dc=com?one +#nss_base_shadow ou=People,dc=padl,dc=com?one +#nss_base_group ou=Group,dc=padl,dc=com?one +#nss_base_hosts ou=Hosts,dc=padl,dc=com?one +#nss_base_services ou=Services,dc=padl,dc=com?one +#nss_base_networks ou=Networks,dc=padl,dc=com?one +#nss_base_protocols ou=Protocols,dc=padl,dc=com?one +#nss_base_rpc ou=Rpc,dc=padl,dc=com?one +#nss_base_ethers ou=Ethers,dc=padl,dc=com?one +#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne +#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one +#nss_base_aliases ou=Aliases,dc=padl,dc=com?one +#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +# attribute/objectclass mapping +# Syntax: +#nss_map_attribute rfc2307attribute mapped_attribute +#nss_map_objectclass rfc2307objectclass mapped_objectclass + +# configure --enable-nds is no longer supported. +# NDS mappings +#nss_map_attribute uniqueMember member + +# Services for UNIX 3.5 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount User +#nss_map_attribute uid msSFU30Name +#nss_map_attribute uniqueMember msSFU30PosixMember +#nss_map_attribute userPassword msSFU30Password +#nss_map_attribute homeDirectory msSFU30HomeDirectory +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_objectclass posixGroup Group +#pam_login_attribute msSFU30Name +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-mssfu-schema is no longer supported. 
+# Services for UNIX 2.0 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid msSFUName +#nss_map_attribute uniqueMember posixMember +#nss_map_attribute userPassword msSFUPassword +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup Group +#nss_map_attribute cn msSFUName +#pam_login_attribute msSFUName +#pam_filter objectclass=User +#pam_password ad + +# RFC 2307 (AD) mappings +#nss_map_objectclass posixAccount user +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid sAMAccountName +#nss_map_attribute homeDirectory unixHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup group +#nss_map_attribute uniqueMember member +#pam_login_attribute sAMAccountName +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-authpassword is no longer supported +# AuthPassword mappings +#nss_map_attribute userPassword authPassword + +# AIX SecureWay mappings +#nss_map_objectclass posixAccount aixAccount +#nss_base_passwd ou=aixaccount,?one +#nss_map_attribute uid userName +#nss_map_attribute gidNumber gid +#nss_map_attribute uidNumber uid +#nss_map_attribute userPassword passwordChar +#nss_map_objectclass posixGroup aixAccessGroup +#nss_base_group ou=aixgroup,?one +#nss_map_attribute cn groupName +#nss_map_attribute uniqueMember member +#pam_login_attribute userName +#pam_filter objectclass=aixAccount +#pam_password clear + +# For pre-RFC2307bis automount schema +#nss_map_objectclass automountMap nisMap +#nss_map_attribute automountMapName nisMapName +#nss_map_objectclass automount nisObject +#nss_map_attribute automountKey cn +#nss_map_attribute automountInformation nisMapEntry + +# Netscape SDK LDAPS +#ssl on + +# Netscape SDK SSL options +#sslpath /etc/ssl/certs + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +#ssl 
start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
diff --git a/wheezy_php5/nsswitch.conf b/wheezy_php5/nsswitch.conf
new file mode 100644
index 0000000..1d69bd7
--- /dev/null
+++ b/wheezy_php5/nsswitch.conf
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat ldap
+group: compat ldap
+shadow: compat
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/wheezy_php5/start-fpm.sh b/wheezy_php5/start-fpm.sh
new file mode 100755
index 0000000..75f2869
--- /dev/null
+++ b/wheezy_php5/start-fpm.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+sed "s/@user@/${FPM_USER}/g; s/@variant@/${FPM_VARIANT}/g" \
+ < /usr/local/etc/fpm-pool.conf.tmpl \
+ > "/etc/php5/fpm/pool.d/${FPM_USER}.conf"
+
+/etc/init.d/nullmailer start
+/usr/sbin/php5-fpm --nodaemonize
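Review bot: The file keeps the `###DEBCONF###` marker on its first line, and the header comment itself says debconf regenerates the file while that marker is present, so any later `dpkg-reconfigure libnss-ldap` or libnss-ldap upgrade in a derived image would silently replace the `base dc=gnuviech,dc=internal` and `uri ldap://10.0.0.11/` lines with debconf's values; drop the marker line now that the file is maintained in git. The same TLS gap as in the other copies applies here: `ssl start_tls` and `tls_checkpeer yes` are commented out, so uid/gid resolution for the pool user runs over cleartext, unauthenticated LDAP. Since the per-release copies of this file are byte-identical apart from the path, generating them from one template would keep such fixes in sync.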