diff --git a/alpine-base-php/php7-newrelic/Dockerfile.tmpl b/alpine-base-php/php7-newrelic/Dockerfile.tmpl
index 80da5f30..21da92ca 100644
--- a/alpine-base-php/php7-newrelic/Dockerfile.tmpl
+++ b/alpine-base-php/php7-newrelic/Dockerfile.tmpl
@@ -47,4 +47,5 @@ RUN curl -s -o /tmp/newrelic.tar.gz \
 rm -f /etc/php7/conf.d/newrelic.ini && \
 mkdir -p /etc/services.d/newrelic && \
 mv /run_newrelic /etc/services.d/newrelic/run && \
+ chmod 751 /etc/services.d/newrelic/run && \
 mv /10_newrelic.ini /etc/php7/conf.d/10_newrelic.ini
diff --git a/alpine-base-php/php7-newrelic/run_newrelic b/alpine-base-php/php7-newrelic/run_newrelic
old mode 100644
new mode 100755
index 0ca9c59a..e21bc363
--- a/alpine-base-php/php7-newrelic/run_newrelic
+++ b/alpine-base-php/php7-newrelic/run_newrelic
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/command/with-contenv sh
 set -e
 exec /usr/bin/newrelic-daemon -c /etc/newrelic/newrelic.cfg -f
diff --git a/alpine-base-php/php7/Dockerfile.tmpl b/alpine-base-php/php7/Dockerfile.tmpl
index e34b3b69..4f3c1fa9 100644
--- a/alpine-base-php/php7/Dockerfile.tmpl
+++ b/alpine-base-php/php7/Dockerfile.tmpl
@@ -134,6 +134,7 @@ RUN \
 mkdir -p /etc/services.d/fpm /srv/www/html && \
 mv /tmp/msmtprc /etc/msmtprc && \
 mv /tmp/run_fpm /etc/services.d/fpm/run && \
+ chmod 751 /etc/services.d/fpm/run && \
 \
 # Fixup the sendmail path for msmtp and set it as mailer.
 ln -sf /usr/bin/msmtp /usr/sbin/sendmail && \
diff --git a/alpine-base-php/php7/etc/services/run_fpm b/alpine-base-php/php7/etc/services/run_fpm
old mode 100644
new mode 100755
index 053176f7..da1d2428
--- a/alpine-base-php/php7/etc/services/run_fpm
+++ b/alpine-base-php/php7/etc/services/run_fpm
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv sh
+#!/command/with-contenv sh
 set -e
 # If the PHP_XDEBUG env var is "true", and we are not in a production environment, then drop a config snippet to load the xdebug module before starting.
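Review bot: Mode `751` on `/etc/services.d/newrelic/run` gives "other" execute without read, and a shell script cannot be run by a user who is not allowed to read it, so the last digit grants nothing and hides the intent. If only the root supervision tree starts the service, `chmod 750 /etc/services.d/newrelic/run && \` says so; if a non-root container user must be able to start it, use `chmod 755 /etc/services.d/newrelic/run && \`. The same `chmod 751` line is added in the php7, php8-newrelic, php8, php-k8s-v7 and php-k8s-v8 Dockerfile.tmpl hunks. The RUN instruction begins above each hunk, so how the script reaches the image (and with which mode) is not visible here.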
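Review bot: Replacing `#!/bin/sh` with `#!/command/with-contenv sh` in run_newrelic makes newrelic-daemon inherit the full container environment, which on an application image may carry credentials passed as env vars. The daemon is started with `-c /etc/newrelic/newrelic.cfg`, so nothing in the hunk shows that it needs those variables. If the change is only for consistency with the other run scripts, keeping `#!/bin/sh` is the least-privilege choice; otherwise add a comment above `exec` naming the variables the daemon relies on. The php8-newrelic copy of the script gets the same change.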
diff --git a/alpine-base-php/php8-newrelic/Dockerfile.tmpl b/alpine-base-php/php8-newrelic/Dockerfile.tmpl
index 7eb9859c..f254a235 100644
--- a/alpine-base-php/php8-newrelic/Dockerfile.tmpl
+++ b/alpine-base-php/php8-newrelic/Dockerfile.tmpl
@@ -47,4 +47,5 @@ RUN curl -s -o /tmp/newrelic.tar.gz \
 rm -f /etc/php8/conf.d/newrelic.ini && \
 mkdir -p /etc/services.d/newrelic && \
 mv /run_newrelic /etc/services.d/newrelic/run && \
+ chmod 751 /etc/services.d/newrelic/run && \
 mv /10_newrelic.ini /etc/php8/conf.d/10_newrelic.ini
diff --git a/alpine-base-php/php8-newrelic/run_newrelic b/alpine-base-php/php8-newrelic/run_newrelic
old mode 100644
new mode 100755
index 0ca9c59a..e21bc363
--- a/alpine-base-php/php8-newrelic/run_newrelic
+++ b/alpine-base-php/php8-newrelic/run_newrelic
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/command/with-contenv sh
 set -e
 exec /usr/bin/newrelic-daemon -c /etc/newrelic/newrelic.cfg -f
diff --git a/alpine-base-php/php8/Dockerfile.tmpl b/alpine-base-php/php8/Dockerfile.tmpl
index e9331c9f..326917cf 100644
--- a/alpine-base-php/php8/Dockerfile.tmpl
+++ b/alpine-base-php/php8/Dockerfile.tmpl
@@ -132,6 +132,7 @@ RUN \
 mkdir -p /etc/services.d/fpm /srv/www/html && \
 mv /tmp/msmtprc /etc/msmtprc && \
 mv /tmp/run_fpm /etc/services.d/fpm/run && \
+ chmod 751 /etc/services.d/fpm/run && \
 \
 # Fixup the sendmail path for msmtp and set it as mailer.
 ln -sf /usr/bin/msmtp /usr/sbin/sendmail && \
diff --git a/alpine-base-php/php8/etc/services/run_fpm b/alpine-base-php/php8/etc/services/run_fpm
old mode 100644
new mode 100755
index 03f66682..263d766c
--- a/alpine-base-php/php8/etc/services/run_fpm
+++ b/alpine-base-php/php8/etc/services/run_fpm
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv sh
+#!/command/with-contenv sh
 set -e
 # If the PHP_XDEBUG env var is "true", then drop a config snippet to load the xdebug module before starting.
diff --git a/alpine-base-s6/Dockerfile.tmpl b/alpine-base-s6/Dockerfile.tmpl
index ea7b92c7..077b5497 100644
--- a/alpine-base-s6/Dockerfile.tmpl
+++ b/alpine-base-s6/Dockerfile.tmpl
@@ -20,14 +20,23 @@ LABEL org.label-schema.schema-version="1.0" \
 org.label-schema.distribution="Alpine Linux" \
 org.label-schema.distribution-version=$UPSTREAM
-RUN apk add --no-cache --purge -uU curl && \
- S6VERSION=$(curl -sSL https://api.github.com/repos/just-containers/s6-overlay/releases/latest | awk '/tag_name/{print $4;exit}' FS='[""]' | sed -e 's_v__') && \
- S6ARCH=$(uname -m | sed 's/x86_64/amd64/') && \
- echo "Installing s6 version: $S6VERSION for $S6ARCH" && \
- curl -o /tmp/s6-overlay.tar.gz -jkSL https://github.com/just-containers/s6-overlay/releases/download/v${S6VERSION}/s6-overlay-${S6ARCH}.tar.gz && \
- tar xzf /tmp/s6-overlay.tar.gz -C / && \
+RUN apk add --no-cache --purge -uU xz curl xz && \
+ S6_OVERLAY_VERSION=$(curl -sSL https://api.github.com/repos/just-containers/s6-overlay/releases/latest | awk '/tag_name/{print $4;exit}' FS='[""]' | sed -e 's_v__') && \
+ S6_OVERLAY_ARCH=$(uname -m) && \
+ echo "Installing s6 version: $S6_OVERLAY_VERSION for $S6_OVERLAY_ARCH" && \
+ curl -o /tmp/s6-overlay-noarch-${S6_OVERLAY_VERSION}.tar.xz -jkSL https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch-${S6_OVERLAY_VERSION}.tar.xz && \
+ curl -o /tmp/s6-overlay-noarch-${S6_OVERLAY_VERSION}.tar.xz.sha256 -jkSL https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch-${S6_OVERLAY_VERSION}.tar.xz.sha256 && \
+ curl -o /tmp/s6-overlay-${S6_OVERLAY_ARCH}-${S6_OVERLAY_VERSION}.tar.xz -jkSL https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_OVERLAY_ARCH}-${S6_OVERLAY_VERSION}.tar.xz && \
+ curl -o /tmp/s6-overlay-${S6_OVERLAY_ARCH}-${S6_OVERLAY_VERSION}.tar.xz.sha256 -jkSL https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_OVERLAY_ARCH}-${S6_OVERLAY_VERSION}.tar.xz.sha256 && \
+ cd /tmp && \
+ sha256sum -c *.sha256 && \
+ tar xJf /tmp/s6-overlay-noarch-${S6_OVERLAY_VERSION}.tar.xz -C / && \
+ tar xJf /tmp/s6-overlay-${S6_OVERLAY_ARCH}-${S6_OVERLAY_VERSION}.tar.xz -C / && \
 rm -rf /var/cache/apk/* /tmp/*
+# Unfortunately the maintainer has decided to break settting PATH via an env var. This undoes that breakage.
+COPY init /
+
 ENTRYPOINT ["/init"]
 CMD []
diff --git a/alpine-base-s6/init b/alpine-base-s6/init
new file mode 100755
index 00000000..a09a5671
--- /dev/null
+++ b/alpine-base-s6/init
@@ -0,0 +1,41 @@
+#!/bin/sh -e
+
+# This is the first program launched at container start.
+# We don't know where our binaries are and we cannot guarantee
+# that the default PATH can access them.
+# So this script needs to be entirely self-contained until it has
+# at least /command, /usr/bin and /bin in its PATH.
+
+addpath () {
+ x="$1"
+ IFS=:
+ set -- $PATH
+ IFS=
+ while test "$#" -gt 0 ; do
+ if test "$1" = "$x" ; then
+ return
+ fi
+ shift
+ done
+ PATH="${x}:$PATH"
+}
+
+if read GLOBAL_PATH < /etc/s6-overlay/config/global_path ; then
+ PATH=${GLOBAL_PATH}:${PATH}
+fi
+
+addpath /bin
+addpath /usr/bin
+addpath /command
+export PATH
+
+# Now we're good: s6-overlay-suexec is accessible via PATH, as are
+# all our binaries.
+# Run preinit as root, then run stage0 as the container's user (can be
+# root, can be a normal user).
+
+exec s6-overlay-suexec \
+ ' /package/admin/s6-overlay-3.0.0.2/libexec/preinit' \
+ '' \
+ /package/admin/s6-overlay-3.0.0.2/libexec/stage0 \
+ "$@"
diff --git a/alpine-php/php-k8s-v7/Dockerfile.tmpl b/alpine-php/php-k8s-v7/Dockerfile.tmpl
index 6884d81c..d8a808d1 100644
--- a/alpine-php/php-k8s-v7/Dockerfile.tmpl
+++ b/alpine-php/php-k8s-v7/Dockerfile.tmpl
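Review bot: All four new `curl -o ... -jkSL` downloads keep `-k`, which disables TLS certificate verification, and the `.sha256` files come from the same release URL over the same unverified connection, so `sha256sum -c *.sha256` catches a corrupted transfer but not a substituted tarball. Drop the `k` and add `-f`, e.g. `curl -fsSL -o /tmp/s6-overlay-noarch-${S6_OVERLAY_VERSION}.tar.xz <release URL>`, and check the archives against digests committed in this repository rather than ones fetched at build time. `S6_OVERLAY_VERSION` is still resolved from `releases/latest` during the build, so two builds of the same commit can produce different images; a pinned `ARG S6_OVERLAY_VERSION` would make the build reproducible and reviewable. `xz` is also listed twice in the `apk add` line.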
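Review bot: The `exec s6-overlay-suexec` call hard-codes `/package/admin/s6-overlay-3.0.0.2/libexec/preinit` and `.../stage0`, while the Dockerfile.tmpl hunk in this same commit installs whatever `releases/latest` returns. Assuming upstream keeps versioned directory names, the first release after 3.0.0.2 leaves the entrypoint pointing at paths that do not exist and the container will not start. Pin the overlay version in the Dockerfile to the one named here, or generate these two paths from `S6_OVERLAY_VERSION` at build time. Because this file replaces the `/init` shipped in the tarball, later upstream fixes to it will be silently overwritten; a header comment such as `# Overrides the /init from s6-overlay 3.0.0.2; re-check on every overlay upgrade.` would keep that visible.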
@@ -49,6 +49,7 @@ RUN \
 /tmp/lua /tmp/sites-enabled /tmp/win-utf \
 /etc/nginx && \
 mv /tmp/run_nginx /etc/services.d/nginx/run && \
+ chmod 751 /etc/services.d/nginx/run && \
 mkdir -p /var/cache/nginx /var/lib/nginx/tmp /var/tmp/nginx && \
 chgrp appuser /var/lib/nginx && \
 chown -R appuser /var/cache/nginx /var/lib/nginx/tmp /var/tmp/nginx && \
diff --git a/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf b/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf
index 1ba970c6..aaa47209 100644
--- a/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf
+++ b/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf
@@ -4,6 +4,7 @@ limit_req_status 429;
 ## Determine if this is a bot request via the user-agent string.
 map $http_user_agent $isbot_ua {
 default 0;
+ ~*pingdom 0;
 ~*(bot|crawler|spider) 1;
 }
diff --git a/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf.template b/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf.template
index 8d8522a1..fe992b0e 100644
--- a/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf.template
+++ b/alpine-php/php-k8s-v7/etc/nginx/ratelimit.conf.template
@@ -6,6 +6,7 @@ limit_req_status 429;
 ## Determine if this is a bot request via the user-agent string.
 map $http_user_agent $isbot_ua {
 default 0;
+ ~*pingdom 0;
 ~*(bot|crawler|spider) 1;
 }
diff --git a/alpine-php/php-k8s-v7/etc/services.d/run_nginx b/alpine-php/php-k8s-v7/etc/services.d/run_nginx
old mode 100644
new mode 100755
index fd7d348f..1e49c92e
--- a/alpine-php/php-k8s-v7/etc/services.d/run_nginx
+++ b/alpine-php/php-k8s-v7/etc/services.d/run_nginx
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv sh
+#!/command/with-contenv sh
 set -e
-envsubst '$NGINX_LIMIT_BOTS $NGINX_BURST_BOTS $NGINX_LIMIT_HUMANS $NGINX_BURST_HUMANS' < /etc/nginx/ratelimit.conf.template > /etc/nginx/ratelimit.conf && exec nginx -g "daemon off;"
+envsubst '$NGINX_LIMIT_BOTS $NGINX_BURST_BOTS $NGINX_LIMIT_HUMANS $NGINX_BURST_HUMANS' < /etc/nginx/ratelimit.conf.template > /etc/nginx/ratelimit.conf && exec /usr/sbin/nginx -g "daemon off;"
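Review bot: `~*pingdom 0;` in the `$isbot_ua` map matches that substring anywhere in a client-supplied User-Agent, and regex entries in a `map` are tried in order of appearance, so any request whose UA merely contains "pingdom" is classified as non-bot before `~*(bot|crawler|spider)` is tested. Anchor the pattern to the monitor's real UA prefix, for example `~^Pingdom\.com_bot_version_ 0;` (confirm the exact string against your access logs). The header stays spoofable either way, so exempting the monitoring service's published source addresses with a `geo` block is the more robust option. The same line is added to ratelimit.conf.template and to both php-k8s-v8 files; the `limit_req` zones that consume `$isbot_ua` are outside the hunk.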
diff --git a/alpine-php/php-k8s-v8/Dockerfile.tmpl b/alpine-php/php-k8s-v8/Dockerfile.tmpl
index 7fe2d4bd..bcbc79aa 100644
--- a/alpine-php/php-k8s-v8/Dockerfile.tmpl
+++ b/alpine-php/php-k8s-v8/Dockerfile.tmpl
@@ -46,6 +46,7 @@ RUN \
 /tmp/lua /tmp/sites-enabled /tmp/win-utf \
 /etc/nginx && \
 mv /tmp/run_nginx /etc/services.d/nginx/run && \
+ chmod 751 /etc/services.d/nginx/run && \
 mkdir -p /var/cache/nginx /var/lib/nginx/tmp /var/tmp/nginx && \
 chgrp appuser /var/lib/nginx && \
 chown -R appuser /var/cache/nginx /var/lib/nginx/tmp /var/tmp/nginx && \
diff --git a/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf b/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf
index 1ba970c6..aaa47209 100644
--- a/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf
+++ b/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf
@@ -4,6 +4,7 @@ limit_req_status 429;
 ## Determine if this is a bot request via the user-agent string.
 map $http_user_agent $isbot_ua {
 default 0;
+ ~*pingdom 0;
 ~*(bot|crawler|spider) 1;
 }
diff --git a/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf.template b/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf.template
index 8d8522a1..fe992b0e 100644
--- a/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf.template
+++ b/alpine-php/php-k8s-v8/etc/nginx/ratelimit.conf.template
@@ -6,6 +6,7 @@ limit_req_status 429;
 ## Determine if this is a bot request via the user-agent string.
 map $http_user_agent $isbot_ua {
 default 0;
+ ~*pingdom 0;
 ~*(bot|crawler|spider) 1;
 }
diff --git a/alpine-php/php-k8s-v8/etc/services.d/run_nginx b/alpine-php/php-k8s-v8/etc/services.d/run_nginx
old mode 100644
new mode 100755
index fd7d348f..1e49c92e
--- a/alpine-php/php-k8s-v8/etc/services.d/run_nginx
+++ b/alpine-php/php-k8s-v8/etc/services.d/run_nginx
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv sh
+#!/command/with-contenv sh
 set -e
-envsubst '$NGINX_LIMIT_BOTS $NGINX_BURST_BOTS $NGINX_LIMIT_HUMANS $NGINX_BURST_HUMANS' < /etc/nginx/ratelimit.conf.template > /etc/nginx/ratelimit.conf && exec nginx -g "daemon off;"
+envsubst '$NGINX_LIMIT_BOTS $NGINX_BURST_BOTS $NGINX_LIMIT_HUMANS $NGINX_BURST_HUMANS' < /etc/nginx/ratelimit.conf.template > /etc/nginx/ratelimit.conf && exec /usr/sbin/nginx -g "daemon off;"
diff --git a/alpine-varnish/default.vcl b/alpine-varnish/default.vcl
index eefdd9c6..3eefa74a 100644
--- a/alpine-varnish/default.vcl
+++ b/alpine-varnish/default.vcl
@@ -8,9 +8,9 @@
 # See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
 # and http://varnish-cache.org/trac/wiki/VCLExamples for more examples.
-# Marker to tell the VCL compiler that this VCL has been adapted to the
-# new 4.0 format.
-vcl 4.0;
+# Marker to tell the VCL compiler that this VCL has been written with the
+# 4.0 or 4.1 syntax.
+vcl 4.1;
 # Default backend definition. Set this to point to your content server.
 backend default {