Merge branch 'feature/PB-37351' into 'develop'

PB-37351: forward php-fpm error logs to stdout using LOG_ERROR_URL with tests See merge request passbolt/passbolt_docker!212
passbolt · Dec 30, 2024 · 3d657dc · 3d657dc
2 parents de62c07 + 3cff256
commit 3d657dc
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 13 deletions.
diff --git a/conf/php/zz-docker.conf b/conf/php/zz-docker.conf
@@ -0,0 +1,9 @@
+[global]
+error_log = /proc/self/fd/2
+; https://github.com/docker-library/php/pull/725#issuecomment-443540114
+log_limit = 8192
+
+[www]
+catch_workers_output = yes
+decorate_workers_output = no
+
diff --git a/debian/Dockerfile b/debian/Dockerfile
@@ -26,6 +26,7 @@ ENV PHP_VERSION=8.2
 ENV GNUPGHOME=/var/lib/passbolt/.gnupg
 ENV PASSBOLT_FLAVOUR=$PASSBOLT_FLAVOUR
 ENV PASSBOLT_PKG="passbolt-$PASSBOLT_FLAVOUR-server"
+ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update \
@@ -53,22 +54,20 @@ RUN apt-get update \
   && sed -i 's,www-data.*$,root su -s /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron" www-data >/proc/1/fd/1 2>\&1,' /etc/cron.d/$PASSBOLT_PKG \
   && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \
   && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
-  && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
-  && ln -sf /dev/stderr /var/log/passbolt/error.log \
-  && ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log
+  && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log
 
 COPY conf/supervisor/cron.conf /etc/supervisor/conf.d/cron.conf
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
 COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
+COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf
+
 COPY scripts/entrypoint/docker-entrypoint.sh /docker-entrypoint.sh
 COPY scripts/entrypoint/passbolt/entrypoint.sh /passbolt/entrypoint.sh
 COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh
 COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
 COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
-# Docker API does not support buildkit so we
-# need to do this workaround https://github.com/docker/for-linux/issues/1136
 RUN chmod 0644 /etc/supervisor/conf.d/* \
   && chmod 0700 /docker-entrypoint.sh \
   && chmod 0700 /passbolt/* \

diff --git a/debian/Dockerfile.rootless b/debian/Dockerfile.rootless
@@ -35,6 +35,7 @@ ENV SUPERCRONIC_VERSION=0.2.28
 ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v${SUPERCRONIC_VERSION}/supercronic-linux-${SUPERCRONIC_ARCH} \
   SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH}
 ENV PASSBOLT_FLAVOUR="${PASSBOLT_FLAVOUR}"
+ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -98,8 +99,6 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
   && chown -R www-data:0 /var/log/nginx \
   && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
   && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
-  && ln -sf /dev/stderr /var/log/passbolt/error.log \
-  && ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log \
   && chown -R www-data:0 /var/log/supervisor \
   && touch /var/www/.profile \
   && chown www-data:www-data /var/www/.profile \
@@ -109,15 +108,14 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
   && chown www-data:www-data /etc/environment \
   && chmod 600 /etc/environment
 
+COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf
 COPY scripts/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh
 COPY scripts/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh
 COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh
 COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
 COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
-# Docker API does not support buildkit so we
-# need to do this workaround https://github.com/docker/for-linux/issues/1136
 RUN chmod 0644 /etc/supervisor/conf.d/* \
   && chmod 0755 /docker-entrypoint.sh \
   && chmod 0755 /passbolt/* \

diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb
@@ -4,7 +4,7 @@
   before(:all) do
     @mysql_image =
       Docker::Image.create(
-        'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : "mariadb:10.11"
+        'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : 'mariadb:10.11'
       )
 
     @mysql = Docker::Container.create(

diff --git a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb
@@ -4,7 +4,7 @@
   before(:all) do
     @mysql_image =
       Docker::Image.create(
-        'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : "mariadb:10.11"
+        'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : 'mariadb:10.11'
       )
 
     @mysql = Docker::Container.create(
@@ -63,7 +63,7 @@
 
   let(:passbolt_host)     { @container.json['NetworkSettings']['IPAddress'] }
   let(:uri)               { '/install' }
-  let(:curl)              { "curl -sk -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
+  let(:curl)              { "curl -skL -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
 
   describe 'php service' do
     it 'is running supervised' do

diff --git a/spec/docker_runtime_with_passbolt_php/docker_runtime_with_passbolt_php_spec.rb b/spec/docker_runtime_with_passbolt_php/docker_runtime_with_passbolt_php_spec.rb
@@ -54,7 +54,8 @@
         'DATASOURCES_DEFAULT_USERNAME=passbolt',
         'DATASOURCES_DEFAULT_DATABASE=passbolt',
         'PASSBOLT_SSL_FORCE=true',
-        'PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE=true'
+        'PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE=true',
+        'PASSBOLT_HEALTHCHECK_ERROR=true'
       ],
       'Image' => @image.id,
       'Binds' => $binds.append(
@@ -76,9 +77,32 @@
     @container.kill
   end
 
+  let(:passbolt_host)     { @container.json['NetworkSettings']['IPAddress'] }
+  let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
+
   describe 'force fingerprint calculation' do
     it 'is contains fingerprint environment variable' do
       expect(file('/etc/environment').content).to match(/PASSBOLT_GPG_SERVER_KEY_FINGERPRINT/)
     end
   end
+
+  describe 'throws exception in logs' do
+    let(:uri) { 'healthcheck/error' }
+    it 'returns 500' do
+      expect(command(curl).stdout).to eq '500'
+    end
+
+    it 'shows exception in logs' do
+      expect(@container.logs(stderr: true)).to match(/^.*\[Cake\\Http\\Exception\\InternalErrorException\] Internal Server Error.*/)
+    end
+  end
+
+  describe 'can not access outside webroot' do
+    let(:uri) { 'vendor/autoload.php' }
+    let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
+    it 'returns 404' do
+      expect(command(curl).stdout).to eq '404'
+    end
+  end
+
 end