diff --git a/conf/php/zz-docker.conf b/conf/php/zz-docker.conf new file mode 100644 index 0000000..2febc07 --- /dev/null +++ b/conf/php/zz-docker.conf @@ -0,0 +1,9 @@ +[global] +error_log = /proc/self/fd/2 +; https://github.com/docker-library/php/pull/725#issuecomment-443540114 +log_limit = 8192 + +[www] +catch_workers_output = yes +decorate_workers_output = no + diff --git a/debian/Dockerfile b/debian/Dockerfile index 5cc909b..a68a168 100644 --- a/debian/Dockerfile +++ b/debian/Dockerfile @@ -26,6 +26,7 @@ ENV PHP_VERSION=8.2 ENV GNUPGHOME=/var/lib/passbolt/.gnupg ENV PASSBOLT_FLAVOUR=$PASSBOLT_FLAVOUR ENV PASSBOLT_PKG="passbolt-$PASSBOLT_FLAVOUR-server" +ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency" SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN apt-get update \ @@ -53,13 +54,13 @@ RUN apt-get update \ && sed -i 's,www-data.*$,root su -s /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron" www-data >/proc/1/fd/1 2>\&1,' /etc/cron.d/$PASSBOLT_PKG \ && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \ && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \ - && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \ - && ln -sf /dev/stderr /var/log/passbolt/error.log \ - && ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log + && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log COPY conf/supervisor/cron.conf /etc/supervisor/conf.d/cron.conf COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf +COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf + COPY scripts/entrypoint/docker-entrypoint.sh /docker-entrypoint.sh COPY scripts/entrypoint/passbolt/entrypoint.sh /passbolt/entrypoint.sh COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh 
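Review bot: `error_log = /proc/self/fd/2` in `[global]` writes to whatever fd 2 the php-fpm master inherits, and since php-fpm is run under supervisord here (conf/supervisor/php.conf is copied but not in this diff) that fd is presumably supervisord's capture pipe, not the container's stderr; confirm php.conf forwards the program's stderr to `/dev/stderr`, otherwise the FPM log and, via `catch_workers_output = yes`, every worker's stdout/stderr end up in a supervisor logfile nobody tails. `decorate_workers_output = no` also strips the `[pool www] child N said into stderr:` prefix, so a log line no longer says which child or stream produced it; a one-line reason such as `; no per-child prefix so worker output is not rewritten before it reaches the log collector` (adjusted to the real motivation) would stop the next maintainer from flipping it back. `log_limit = 8192` caps a single line, not a message: anything longer is emitted as several entries, which matters to anyone parsing stack traces out of the stream.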
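Review bot: `ENV LOG_ERROR_URL=...` carries no comment, yet it is what replaces the `/var/log/passbolt/error.log` → stderr symlink removed further down this file, and because it is an `ENV` an operator can override it at run time and silently turn the application's error sink back into a file inside the container that nothing tails or rotates. Suggest `# CakePHP error-log DSN: warning+ to the console (stderr); replaces the removed /var/log/passbolt/error.log symlink, so a runtime override moves app errors off stderr` directly above the line. The same ENV is added to Dockerfile.rootless, so the comment belongs in both places.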
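Review bot: the two removed `ln -sf /dev/stderr` lines and the added `COPY conf/php/zz-docker.conf` are one change, but nothing says so: `/var/log/php$PHP_VERSION-fpm.log` (presumably still the `error_log` default in Debian's php-fpm.conf, given it was worth symlinking) now reaches stderr only because the copied pool file's `[global] error_log` overrides it, and `/var/log/passbolt/error.log` only because of the `LOG_ERROR_URL` ENV above. A comment on the COPY such as `# [global] error_log=/proc/self/fd/2 + catch_workers_output: FPM and worker output to stderr (replaces the /var/log symlinks removed above)` keeps that dependency visible to whoever next touches either half. The `RUN` this hunk edits begins before the hunk.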
@@ -67,8 +68,6 @@ COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths. COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh COPY scripts/wait-for.sh /usr/bin/wait-for.sh -# Docker API does not support buildkit so we -# need to do this workaround https://github.com/docker/for-linux/issues/1136 RUN chmod 0644 /etc/supervisor/conf.d/* \ && chmod 0700 /docker-entrypoint.sh \ && chmod 0700 /passbolt/* \ diff --git a/debian/Dockerfile.rootless b/debian/Dockerfile.rootless index 384f1a9..ee2f13b 100644 --- a/debian/Dockerfile.rootless +++ b/debian/Dockerfile.rootless @@ -35,6 +35,7 @@ ENV SUPERCRONIC_VERSION=0.2.28 ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v${SUPERCRONIC_VERSION}/supercronic-linux-${SUPERCRONIC_ARCH} \ SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH} ENV PASSBOLT_FLAVOUR="${PASSBOLT_FLAVOUR}" +ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency" SHELL ["/bin/bash", "-o", "pipefail", "-c"] @@ -98,8 +99,6 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt. && chown -R www-data:0 /var/log/nginx \ && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \ && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \ - && ln -sf /dev/stderr /var/log/passbolt/error.log \ - && ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log \ && chown -R www-data:0 /var/log/supervisor \ && touch /var/www/.profile \ && chown www-data:www-data /var/www/.profile \ 
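Review bot: after these removals the rootless image routes nginx through the surviving `/dev/std{out,err}` symlinks but php-fpm through `/proc/self/fd/2` from pool.d/zz-docker.conf, and `/var/log/passbolt/error.log` is an ordinary path again; the hunk shows `/var/log/nginx` and `/var/log/supervisor` being chown'd to www-data but nothing for `/var/log/passbolt`, so if an operator overrides `LOG_ERROR_URL` back to a file engine the app may be unable to open its log as www-data — worth checking where that directory gets its ownership. A comment on the nginx symlink lines, e.g. `# nginx logs via /dev/std{out,err}; php-fpm logs via /proc/self/fd/2 (pool.d/zz-docker.conf)`, would explain the asymmetry. The `RUN` this hunk edits begins before the hunk and continues after it.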
@@ -109,6 +108,7 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt. && chown www-data:www-data /etc/environment \ && chmod 600 /etc/environment +COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf COPY scripts/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh COPY scripts/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh @@ -116,8 +116,6 @@ COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths. COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh COPY scripts/wait-for.sh /usr/bin/wait-for.sh -# Docker API does not support buildkit so we -# need to do this workaround https://github.com/docker/for-linux/issues/1136 RUN chmod 0644 /etc/supervisor/conf.d/* \ && chmod 0755 /docker-entrypoint.sh \ && chmod 0755 /passbolt/* \ diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index 3608119..faab70e 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -4,7 +4,7 @@ before(:all) do @mysql_image = Docker::Image.create( - 'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : "mariadb:10.11" + 'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : 'mariadb:10.11' ) @mysql = Docker::Container.create( diff --git a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb index 3396743..dbedcef 100644 --- a/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb +++ b/spec/docker_runtime_no_envs/runtime_no_envs_spec.rb 
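Review bot: `COPY conf/php/zz-docker.conf` lands root-owned 0644, which is all php-fpm running as www-data needs to read it, but in the rootless image this file is the only thing sending FPM and worker output to stderr and the line says nothing about that; `# [global]/[www] overrides: FPM error_log and worker output to fd 2 (stderr); replaces the removed /var/log symlinks` above the COPY would do. Keep it root-owned and read-only rather than adding `--chown=www-data`: the pool file should not be writable by the service user, or a compromised worker could rewrite its own pool configuration for the next reload.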
@@ -4,7 +4,7 @@ before(:all) do @mysql_image = Docker::Image.create( - 'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : "mariadb:10.11" + 'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : 'mariadb:10.11' ) @mysql = Docker::Container.create( @@ -63,7 +63,7 @@ let(:passbolt_host) { @container.json['NetworkSettings']['IPAddress'] } let(:uri) { '/install' } - let(:curl) { "curl -sk -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" } + let(:curl) { "curl -skL -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" } describe 'php service' do it 'is running supervised' do diff --git a/spec/docker_runtime_with_passbolt_php/docker_runtime_with_passbolt_php_spec.rb b/spec/docker_runtime_with_passbolt_php/docker_runtime_with_passbolt_php_spec.rb index 09e4d6a..878b242 100644 --- a/spec/docker_runtime_with_passbolt_php/docker_runtime_with_passbolt_php_spec.rb +++ b/spec/docker_runtime_with_passbolt_php/docker_runtime_with_passbolt_php_spec.rb @@ -54,7 +54,8 @@ 'DATASOURCES_DEFAULT_USERNAME=passbolt', 'DATASOURCES_DEFAULT_DATABASE=passbolt', 'PASSBOLT_SSL_FORCE=true', - 'PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE=true' + 'PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE=true', + 'PASSBOLT_HEALTHCHECK_ERROR=true' ], 'Image' => @image.id, 'Binds' => $binds.append( 
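Review bot: `-L` makes curl follow redirects, but the request pins `Host: passbolt.local` while connecting to `#{passbolt_host}`; if `/install` redirects to an absolute URL built from the configured base URL (passbolt.local), curl will try to resolve that name instead of the container IP and the example fails for the wrong reason, and the custom Host header is replayed on every hop. Letting curl map the name to the container avoids both: `curl -skL --resolve passbolt.local:#{$https_port}:#{passbolt_host} https://passbolt.local:#{$https_port}/#{uri}`. `-k` disables certificate verification, acceptable for a self-signed test container, but a short comment (`# -k: self-signed cert inside the test container`) keeps it from being copied into anything that talks to a real host.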
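Review bot: `PASSBOLT_HEALTHCHECK_ERROR=true` is added with no indication of what it switches on; the spec later requests `healthcheck/error` and expects a 500, so it presumably enables an endpoint that deliberately throws, which is exactly the kind of flag that must never leak into a production compose file. Suggest `# enables the throwing /healthcheck/error endpoint used by 'throws exception in logs' below; test-only, never set in production` next to the entry. A companion example in the no-envs runtime spec asserting the endpoint answers 404 when the variable is unset would pin the other direction.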
@@ -76,9 +77,32 @@ @container.kill end + let(:passbolt_host) { @container.json['NetworkSettings']['IPAddress'] } + let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" } + describe 'force fingerprint calculation' do it 'is contains fingerprint environment variable' do expect(file('/etc/environment').content).to match(/PASSBOLT_GPG_SERVER_KEY_FINGERPRINT/) end end + + describe 'throws exception in logs' do + let(:uri) { 'healthcheck/error' } + it 'returns 500' do + expect(command(curl).stdout).to eq '500' + end + + it 'shows exception in logs' do + expect(@container.logs(stderr: true)).to match(/^.*\[Cake\\Http\\Exception\\InternalErrorException\] Internal Server Error.*/) + end + end + + describe 'can not access outside webroot' do + let(:uri) { 'vendor/autoload.php' } + let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" } + it 'returns 404' do + expect(command(curl).stdout).to eq '404' + end + end + end
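Review bot: the `returns 500` example checks only the status of `healthcheck/error`, but the property worth pinning is that the exception reaches stderr and not the client, so it should also assert the body carries neither the exception class nor a trace: add `let(:curl_body) { "curl -sk -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }` and `expect(command(curl_body).stdout).not_to match(/InternalErrorException|Stack Trace/)`. The inner `let(:curl)` in `can not access outside webroot` is byte-identical to the outer one and can be dropped. In the log regex `/^.*\[Cake\\Http\\Exception\\InternalErrorException\] Internal Server Error.*/` the `^.*` and trailing `.*` add nothing to an unanchored `match`; `/\[Cake\\Http\\Exception\\InternalErrorException\] Internal Server Error/` is equivalent. The 404 check covers a single path; iterating a small list such as `%w[vendor/autoload.php composer.json]` (plus whichever config files live in the app root) would make the "nothing outside webroot" claim mean more at the same cost.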