From 0ad5fd568d60d3a37338b6636cbc28aa828f7a1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9Ccrowdvector=E2=80=9D?= Date: Sun, 28 Mar 2021 16:20:41 -0400 Subject: [PATCH 1/3] Update to the latest version --- Dockerfile | 67 ++++---- LICENSE | 6 +- README.md | 10 +- configs/magic | 10 ++ configs/php-fpm.conf | 6 + configs/php.dev.ini | 38 +++++ configs/php.ini | 38 +++++ configs/www.conf | 18 +++ configs/www.ubi.conf | 22 +++ configs/xdebug.ini | 25 +++ hardening_manifest.yaml | 308 ++++++++++++++++++------------------ scripts/decrypt.sh | 22 +++ scripts/php-fpm-healthcheck | 139 ++++++++++++++++ 13 files changed, 507 insertions(+), 202 deletions(-) create mode 100644 configs/magic create mode 100644 configs/php-fpm.conf create mode 100644 configs/php.dev.ini create mode 100644 configs/php.ini create mode 100644 configs/www.conf create mode 100644 configs/www.ubi.conf create mode 100644 configs/xdebug.ini create mode 100755 scripts/decrypt.sh create mode 100755 scripts/php-fpm-healthcheck diff --git a/Dockerfile b/Dockerfile index 18df38c..74b042b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,16 @@ -ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=redhat/ubi/ubi8 ARG BASE_TAG=8.3 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - -ARG VERSION=0.0.6 +ARG VERSION=21.13 #COPY LICENSE /licenses/innosabi RUN \ dnf -y update && \ - dnf -y module install php:7.3/minimal && \ - dnf -y install php-fpm php-json php-mbstring php-xml php-gd php-intl php-ldap php-opcache php-mysqlnd php-dba + dnf -y module install php:7.4/minimal && \ + dnf -y install php-fpm php-json php-mbstring php-xml php-gd php-intl php-ldap php-opcache php-mysqlnd php-dba php-bcmath openssl ### Memcached Packages 
@@ -29,9 +28,9 @@ COPY fastlz.rpm fastlz.rpm # Add Remi GPG key COPY RPM-GPG-KEY-remi2020 RPM-GPG-KEY-remi2019 RPM-GPG-KEY-remi2018 fedora.gpg /tmp/ RUN rpm --import /tmp/RPM-GPG-KEY-remi2020 && \ - rpm --import /tmp/RPM-GPG-KEY-remi2019 && \ - rpm --import /tmp/RPM-GPG-KEY-remi2018 && \ - rpm --import /tmp/fedora.gpg + rpm --import /tmp/RPM-GPG-KEY-remi2019 && \ + rpm --import /tmp/RPM-GPG-KEY-remi2018 && \ + rpm --import /tmp/fedora.gpg # Remi COPY php-pecl-msgpack.rpm php-pecl-msgpack.rpm @@ -46,7 +45,7 @@ COPY gdk-pixbuf2.rpm gdk-pixbuf2.rpm COPY ilmbase.rpm ilmbase.rpm COPY pixman.rpm pixman.rpm COPY cairo.rpm cairo.rpm -#COPY graphviz.rpm graphviz.rpm +COPY graphviz.rpm graphviz.rpm COPY fftw-libs-double.rpm fftw-libs-double.rpm COPY LibRaw.rpm LibRaw.rpm COPY librsvg2.rpm librsvg2.rpm @@ -59,15 +58,10 @@ COPY xorg-x11-fonts.rpm xorg-x11-fonts.rpm COPY libraqm.rpm libraqm.rpm # Remi -#COPY php-pecl-imagick.rpm php-pecl-imagick.rpm +COPY php-pecl-imagick.rpm php-pecl-imagick.rpm COPY liblqr.rpm liblqr.rpm -#COPY ImageMagick-libs.rpm ImageMagick-libs.rpm -#COPY ImageMagick.rpm ImageMagick.rpm - -#Copy application and dependencies -COPY appserver.tar.gz.aes.tar.gz /tmp/appserver.tar.gz.aes.tar.gz -RUN cd /tmp && tar -zxvf appserver.tar.gz.aes.tar.gz && rm appserver.tar.gz.aes.tar.gz - +COPY ImageMagick-libs.rpm ImageMagick-libs.rpm +COPY ImageMagick.rpm ImageMagick.rpm # Install and clean RUN \ 
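Review bot: ImageMagick-libs.rpm, ImageMagick.rpm and php-pecl-imagick.rpm are now copied in for installation, but no policy.xml accompanies them, so the coder policy in effect will be whatever the Remi build ships with. If imagick is fed user-supplied images (the php.ini in this same patch allows 50M uploads), the usual hardening is a restrictive policy that disables the URL, HTTPS, MVG, MSL, EPHEMERAL, PS and PDF coders, e.g. `COPY config/ImageMagick-policy.xml /etc/ImageMagick-6/policy.xml` placed after the rpm install step; the exact policy path for this build can be confirmed with `convert -list policy` inside the image. The RUN that installs these .rpm files starts outside this hunk, so whether it verifies the Remi signatures imported above (or passes --nosignature) cannot be checked here.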
@@ -75,32 +69,33 @@ RUN \ rm -f *.rpm && \ dnf -y clean all +COPY configs/php.ini /etc/php.ini +COPY configs/php-fpm.conf /etc/php-fpm.conf +COPY configs/www.ubi.conf /usr/local/etc/php-fpm.d/www.conf +COPY configs/magic /usr/local/etc/magic +COPY scripts/php-fpm-healthcheck /usr/local/bin/ -WORKDIR /opt/ignite -RUN mkdir /storage +# Create all main directories to set access rights +RUN mkdir /run/php-fpm +RUN mkdir -p /storage +RUN mkdir -p /opt/ignite/core -RUN mv /tmp/composer.lock /opt/ignite -RUN mv /tmp/composer.json /opt/ignite -RUN mv /tmp/appserver.tar.gz.aes /opt/ignite +WORKDIR /opt/ignite -#COPY version version +#Copy application and dependencies +COPY appserver.tar.gz.aes.tar.gz /tmp/appserver.tar.gz.aes.tar.gz +RUN cd /tmp && tar -zxvf appserver.tar.gz.aes.tar.gz && rm appserver.tar.gz.aes.tar.gz +RUN mv /tmp/appserver.tar.gz.aes /opt/ignite -# Keep this in sync with .gitlab-ci CI change detection -#COPY ["application", "/opt/ignite/core/application"] -#COPY ["library", "/opt/ignite/core/library"] -#COPY ["bin/cron.php", "bin/crowd.php", "/opt/ignite/core/bin/"] -#COPY ["public/index.php", "/opt/ignite/core/public/"] -#COPY ["bootstrap.php", "composer.json", "composer.lock", "/opt/ignite/core/"] +RUN mv /tmp/composer.lock /opt/ignite +RUN mv /tmp/composer.json /opt/ignite -#COPY docker/appserver/php.ini /etc/php.ini -#COPY docker/appserver/php-fpm.conf /etc/php-fpm.conf -#COPY docker/appserver/www.ubi.conf /usr/local/etc/php-fpm.d/www.conf -#COPY docker/appserver/magic /usr/local/etc/magic +COPY scripts/decrypt.sh /usr/sbin/decrypt.sh -RUN mkdir /run/php-fpm RUN chown -R apache:apache /run/php-fpm -RUN sed -i 's/listen = \/run\/php-fpm\/www.sock/listen = 9000/g' /etc/php-fpm.d/www.conf -ENTRYPOINT [ "/usr/sbin/php-fpm" ] +RUN chown -R apache:apache /opt/ignite + +ENTRYPOINT [ "/usr/sbin/decrypt.sh", "/usr/sbin/php-fpm" ] EXPOSE 9000 diff --git a/LICENSE b/LICENSE index c35164a..984c809 100644 --- a/LICENSE +++ b/LICENSE 
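Review bot: `RUN chown -R apache:apache /opt/ignite` hands ownership of the application tree to the uid the www.ubi.conf pool runs PHP as, so any file-write or code-execution bug in the application can persistently modify its own source; the decrypt step that writes into /opt/ignite runs from the ENTRYPOINT, i.e. as root because no `USER` instruction is present, so it does not need that chown. Keep /opt/ignite root-owned and world-readable and limit apache's write access to /storage (`RUN chown apache:apache /storage`), or, if the pool user must own the tree so the decrypt can run unprivileged, add `USER apache` after the chown and drop `user`/`group` from the pool config. The image also copies scripts/php-fpm-healthcheck but declares no `HEALTHCHECK`, and that script requires `cgi-fcgi`, which does not appear in the dnf install list of this patch; either install the fcgi package and add `HEALTHCHECK CMD php-fpm-healthcheck || exit 1`, or drop the script. If the target registry requires images to run as a non-root user, this ENTRYPOINT as written does not provide that.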
@@ -1,9 +1,9 @@ LICENSE: COMMERCIAL -(c) 2001-2020 innosabi, 2020 Collaboration.ai +(c) 2001-2021 innosabi, 2020-2021 Collaboration.Ai -You need to acquire a license from innosabi to use this product. This product includes open source software. +You need to acquire a license from Collaboration.Ai to use this product. This product includes open source software. The source code of the open source parts and its licenses is included or can be requested. innosabi GmbH, Möhlstraße 2, 81675 München -Collaboration.ai, 661 Auburn Avenue NE, Suite 5, Atlanta, GA 30312-1940 +Collaboration.Ai, 661 Auburn Avenue NE, Suite 5, Atlanta, GA 30312-1940 diff --git a/README.md b/README.md index c35164a..eb727ab 100644 --- a/README.md +++ b/README.md @@ -1,9 +1 @@ -LICENSE: COMMERCIAL - -(c) 2001-2020 innosabi, 2020 Collaboration.ai - -You need to acquire a license from innosabi to use this product. This product includes open source software. -The source code of the open source parts and its licenses is included or can be requested. - -innosabi GmbH, Möhlstraße 2, 81675 München -Collaboration.ai, 661 Auburn Avenue NE, Suite 5, Atlanta, GA 30312-1940 +Application server for CrowdVector. This container provides backend functionality for CrowdVector application. It is based on php-cli and php-fpm diff --git a/configs/magic b/configs/magic new file mode 100644 index 0000000..46a7e4a --- /dev/null +++ b/configs/magic @@ -0,0 +1,10 @@ +# Magic local data for file(1) command. +# Insert here your local magic data. Format is described in magic(5). + +# Recognize CSS files +0 search/2048/c =font-size: Cascading Style Sheet text +!:mime text/css +0 search/2048/c =color: Cascading Style Sheet text +!:mime text/css +0 search/2048/c =width: Cascading Style Sheet text +!:mime text/css diff --git a/configs/php-fpm.conf b/configs/php-fpm.conf new file mode 100644 index 0000000..b131cfb --- /dev/null +++ b/configs/php-fpm.conf 
@@ -0,0 +1,6 @@
+[global]
+
+;pid = /run/php-fpm/php-fpm.pid
+error_log = /proc/self/fd/2
+daemonize = no
+include=/usr/local/etc/php-fpm.d/*.conf
diff --git a/configs/php.dev.ini b/configs/php.dev.ini
new file mode 100644
index 0000000..a5d181a
--- /dev/null
+++ b/configs/php.dev.ini
@@ -0,0 +1,38 @@
+[PHP]
+
+; For documentation visit
+; https://www.php.net/manual/en/ini.list.php
+
+short_open_tag = Off
+output_buffering = 4096
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority
+expose_php = Off
+
+max_input_time = 60
+memory_limit = 256M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+log_errors = On
+report_memleaks = On
+
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+post_max_size = 50M
+upload_max_filesize = 50M
+
+enable_dl = Off
+
+[CLI Server]
+
+cli_server.color = On
+
+[opcache]
+
+opcache.enable=1
+opcache.memory_consumption=512
+opcache.interned_strings_buffer=32
+opcache.max_accelerated_files=100000
+opcache.validate_timestamps=3
+opcache.blacklist_filename=/storage/instances
diff --git a/configs/php.ini b/configs/php.ini
new file mode 100644
index 0000000..090a06c
--- /dev/null
+++ b/configs/php.ini
@@ -0,0 +1,38 @@
+[PHP]
+
+; For documentation visit
+; https://www.php.net/manual/en/ini.list.php
+
+short_open_tag = Off
+output_buffering = 4096
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority
+expose_php = Off
+
+max_input_time = 60
+memory_limit = 256M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+log_errors = On
+report_memleaks = On
+
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+post_max_size = 50M
+upload_max_filesize = 50M
+
+enable_dl = Off
+
+[CLI Server]
+
+cli_server.color = On
+
+[opcache]
+
+opcache.enable=1
+opcache.memory_consumption=512
+opcache.interned_strings_buffer=32
+opcache.max_accelerated_files=100000
+opcache.validate_timestamps=0
+opcache.blacklist_filename=/storage/instances
diff --git a/configs/www.conf b/configs/www.conf
new file mode 100644
index 0000000..82a97fa
--- /dev/null
+++ b/configs/www.conf
@@ -0,0 +1,18 @@
+[www]
+
+listen = 0.0.0.0:9000
+
+; Allow 32 parallel requests per container
+pm = static
+pm.max_children = 32
+pm.status_path = /status
+
+ping.path = /monitoring/ping
+ping.response = pong
+
+; Log slow requests to the docker container logs
+; slowlog = /proc/self/fd/2
+; request_slowlog_timeout = 1s
+
+; This is required for env injection and multi-tenancy
+clear_env = no
diff --git a/configs/www.ubi.conf b/configs/www.ubi.conf
new file mode 100644
index 0000000..a40d976
--- /dev/null
+++ b/configs/www.ubi.conf
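Review bot: `disable_functions` in php.ini covers only the pcntl_* family and leaves exec, shell_exec, system, passthru, proc_open and popen enabled, which is a wide escape hatch for a pool that the www.conf comment in this patch describes as multi-tenant. Unless the application shells out, extend the line, e.g. `disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_alarm,…` with the remaining pcntl_* entries unchanged. Also, php.ini and php.dev.ini are byte-identical except for `opcache.validate_timestamps`; a first-line comment in each stating which image consumes it, or deriving the dev file from the production one, would stop the two from drifting apart unnoticed.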
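Review bot: config/www.conf is not referenced by any COPY in the Dockerfile hunks of this patch (only www.ubi.conf is installed, as /usr/local/etc/php-fpm.d/www.conf), and it already differs from www.ubi.conf by lacking `user`/`group`. If it is meant for a local or non-UBI compose setup, a first-line comment such as `; Local development pool config — the Iron Bank image installs www.ubi.conf instead` would make that explicit; otherwise it is dead config that will keep drifting from the installed one.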
@@ -0,0 +1,22 @@
+[www]
+
+user = apache
+group = apache
+
+listen = 0.0.0.0:9000
+
+; Allow 32 parallel requests per container
+pm = static
+pm.max_children = 32
+pm.status_path = /status
+
+ping.path = /monitoring/ping
+ping.response = pong
+
+;access.log = log/$pool.access.log
+
+;slowlog = log/$pool.log.slow
+;request_slowlog_timeout = 0
+
+; This is required for env injection and multi-tenancy
+clear_env = no
diff --git a/configs/xdebug.ini b/configs/xdebug.ini
new file mode 100644
index 0000000..631ab30
--- /dev/null
+++ b/configs/xdebug.ini
@@ -0,0 +1,25 @@
+; Load xDebug
+zend_extension=xdebug.so
+
+; Enable colors on CLI
+xdebug.cli_color=1
+
+; The IDE key to filter connections.
+xdebug.idekey=PHPSTORM
+
+; Remote connection settings
+xdebug.start_with_request=yes
+xdebug.discover_client_host=0
+xdebug.remote_handler=dbgp
+xdebug.client_host=docker.for.mac.host.internal
+xdebug.mode=debug
+xdebug.client_port=9999
+xdebug.log=/tmp/xdebug.log
+
+; Profiler settings
+xdebug.output_dir="/tmp/xdebug/profiling"
+
+; @todo
+xdebug.var_display_max_children=-1
+xdebug.var_display_max_data=-1
+xdebug.var_display_max_depth=-1
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index cd1900c..2e3af4a 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "collaborationai/crowd-vector/appserver"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "0.0.6"
+- "21.13"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://collaboration.ai/products/crowdvector/"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "Collaboration.Ai"
-  org.opencontainers.image.version: "0.0.6"
+  org.opencontainers.image.version: "21.13"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "CrowdVector"
   ## This value can be "opensource" or "commercial"
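Review bot: `listen = 0.0.0.0:9000` has no `listen.allowed_clients`, so any host that can reach port 9000 can speak FastCGI directly and choose SCRIPT_FILENAME, i.e. execute any PHP file present in the container without passing through the web server's routing (which also exposes `pm.status_path = /status` and the ping endpoint). If the web server is a sidecar or at a known address, add `listen.allowed_clients = 127.0.0.1` (or the proxy's address list); otherwise state in a comment that network policy is the only control. `clear_env = no` additionally copies the whole container environment into every worker, including LICENSE_KEY, which scripts/decrypt.sh in this patch reads from the environment of the same process tree, so phpinfo() or getenv() in application code would reveal the source decryption passphrase; prefer explicit `env[NAME] = $NAME` lines for the variables the application needs, or unset LICENSE_KEY in the entrypoint before php-fpm starts.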
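Review bot: `xdebug.remote_handler=dbgp` is an Xdebug 2 setting that Xdebug 3 (implied by the `xdebug.mode`, `xdebug.client_host` and `xdebug.start_with_request` keys used here) no longer recognises, so it only yields a startup warning and should be dropped. More importantly, `xdebug.mode=debug` together with `xdebug.start_with_request=yes` initiates a DBGp connection to `client_host` on every request; the Dockerfile in this patch does not COPY this file, which is correct, but nothing in the file says so. A header such as `; DEVELOPMENT ONLY — never copy into the Iron Bank image; this opens a debugger connection on every request` would guard against a later COPY. `xdebug.discover_client_host=0` is the right choice here, since it stops a caller from steering the debugger connection through request headers.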
@@ -37,162 +37,162 @@ labels: # List of resources to make available to the offline build context resources: -- filename: fedora.gpg - url: https://getfedora.org/static/fedora.gpg - validation: - type: sha256 - value: fa8c7bc737685389cb7faed7105b103f2afb3a2b8e329785d3fe3290e522d30e -- filename: RPM-GPG-KEY-remi2020 - url: https://rpms.remirepo.net/RPM-GPG-KEY-remi2020 - validation: - type: sha256 - value: 0483c1e7a7bf6bf6fe62882585d3bb9d903656ad020dd7045f2d496229c01959 -- filename: RPM-GPG-KEY-remi2019 - url: https://rpms.remirepo.net/RPM-GPG-KEY-remi2019 - validation: - type: sha256 - value: bba72d91ef180f18d3e7626a36ddd605d6f82ae31ce37802498b05d5444f52bb -- filename: RPM-GPG-KEY-remi2018 - url: https://rpms.remirepo.net/RPM-GPG-KEY-remi2018 - validation: - type: sha256 - value: 01992da5a631f40d0c733441f8623e0ceddcb98541b70ad528c51f04877875fb -- filename: RPM-GPG-KEY-CentOS-Official - url: https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official - validation: - type: sha256 - value: 146059788b214d7ba0dd70c1cf21111e594c6cfde201da8a9a88fe7101be8a78 -- filename: fastlz.rpm - url: https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/f/fastlz-0.1.0-0.12.20070619svnrev12.el8.x86_64.rpm - validation: - type: sha256 - value: 9709ef361090892632cbdbb6002d96b4ab77e8b6dbed4568b215b153eda49e36 -- filename: gdk-pixbuf2.rpm - url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/gdk-pixbuf2-2.36.12-5.el8.x86_64.rpm - validation: - type: sha256 - value: 94cb8dceb47a5b01e3c0542ea3b48601d720325da28e6e6d89ae529e4fddcd97 -- filename: pixman.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/pixman-0.38.4-1.el8.x86_64.rpm - validation: - type: sha256 - value: ddbbf3a8191dbc1a9fcb67ccf9cea0d34dbe9bbb74780e1359933cd03ee24451 -- filename: libXaw.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/libXaw-1.0.13-10.el8.x86_64.rpm - validation: - type: sha256 - value: 
d82ca1d1d9aea848d05ac0ffe889f921a19f37883ae1cf6ba1ca0528e2ab46e4 -- filename: ilmbase.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/ilmbase-2.2.0-11.el8.x86_64.rpm - validation: - type: sha256 - value: ed2e48ad367e08c5f6d0e79c405ff38967506895c0e39209d301d56529f6ddaa -- filename: php-pecl-imagick.rpm - url: https://rpms.remirepo.net/enterprise/8/php73/x86_64/php-pecl-imagick-3.4.4-10.el8.remi.7.3.x86_64.rpm - validation: - type: sha256 - value: 4c65f8fa3421e96664a8c226248b0495a26adeb2bdd004170665ad7ae50b0b0b -- filename: graphviz.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/graphviz-2.40.1-40.el8.x86_64.rpm - validation: - type: sha256 - value: b70b6fdaf8fe66a2823d5d415b016acfb0d6f6b6a2a7154820db9ef76e908a90 -- filename: libwmf-lite.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/libwmf-lite-0.2.9-8.el8_0.x86_64.rpm - validation: - type: sha256 - value: e539923a2a5b5f484264007524cf13bf9731c27454784ef2b05d516115cd7bf3 -- filename: fftw-libs-double.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/fftw-libs-double-3.3.5-11.el8.x86_64.rpm - validation: - type: sha256 - value: ed2767829f8545739e9861254cc4c729a43f0e67b981af3102649b4732feaeff -- filename: ImageMagick.rpm - url: https://rpms.remirepo.net/enterprise/8/remi/x86_64/ImageMagick-6.9.11.45-1.el8.remi.x86_64.rpm - validation: - type: sha256 - value: 9c2d0174c5d4b80d7fa1876fb820d3d08a88aa43f276f1d73421729c679af865 -- filename: ImageMagick-libs.rpm - url: https://rpms.remirepo.net/enterprise/8/remi/x86_64/ImageMagick-libs-6.9.11.45-1.el8.remi.x86_64.rpm - validation: - type: sha256 - value: b5d7a88767f12ed7ef30a365760bde534716830e1e8b991548df44432d9b31d4 -- filename: cairo.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/cairo-1.15.12-3.el8.x86_64.rpm - validation: - type: sha256 - value: 2fcd7a063cab2e103fd4fdf8f4c63d09b9f3d60759c3b0982c75ed9a9e57bdf8 -- filename: LibRaw.rpm - url: 
http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/LibRaw-0.19.5-2.el8.i686.rpm - validation: - type: sha256 - value: 6c1daf29b5fe10d281394196a40e0d914880eb3c31cf961f3ee99ab61d92a649 -- filename: librsvg2.rpm - url: http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/librsvg2-2.42.7-4.el8.x86_64.rpm - validation: - type: sha256 - value: 44f01d59b88bf019a11a25e9c38650d6f6d82abbdd2165783772d7d92c0c97af -- filename: libtool-ltdl.rpm - url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtool-ltdl-2.4.6-25.el8.x86_64.rpm - validation: - type: sha256 - value: 7dcd11f03fa0979841bf0afe0a2ac8f360502d0a2dee8322a39115595c2464ec -- filename: liblqr.rpm - url: https://rpms.remirepo.net/enterprise/8/remi/x86_64/liblqr-1-0.4.2-11.el8.remi.x86_64.rpm - validation: - type: sha256 - value: d79bd08cc0580fa3bd0f1c02c5a523403d8655411b4d7b49f7922963839156f4 -- filename: xorg-x11-fonts.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarch.rpm - validation: - type: sha256 - value: 723c0424ce3ec12586d390f2c6d01a2075e9f91543eb5b9a5a998636d49cb3b0 -- filename: php-pecl-igbinary.rpm - url: https://rpms.remirepo.net/enterprise/8/php73/x86_64/php-pecl-igbinary-3.1.6-1.el8.remi.7.3.x86_64.rpm - validation: - type: sha256 - value: 40451064b4c3075573081902d0cfb42a5ab8f12f53f91a764e95b12da8e8ca3a -- filename: php-pecl-msgpack.rpm - url: https://rpms.remirepo.net/enterprise/8/php73/x86_64/php-pecl-msgpack-2.1.1-1.el8.remi.7.3.x86_64.rpm - validation: - type: sha256 - value: f6a1f7a29bd99d10932ac7a7a7fd7f7cae83e4b1a1e076979a1ca1c8e063bb2a -- filename: libmemcached.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/libmemcached-1.0.18-15.el8.x86_64.rpm - validation: - type: sha256 - value: a98237988be726539deb640103644929fcb0a3ffe5a4fcff1d488b866374b253 -- filename: libraqm.rpm - url: 
https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/l/libraqm-0.7.0-4.el8.x86_64.rpm - validation: - type: sha256 - value: c71a88565f0951fac9e9de7ae5f2b5a48aceaf8da6f75d10ebbbb6717bde32fe -- filename: php-pecl-memcached.rpm - url: https://rpms.remirepo.net/enterprise/8/php73/x86_64/php-pecl-memcached-3.1.5-1.el8.remi.7.3.x86_64.rpm - validation: - type: sha256 - value: e35fc7c08150ef638810a1a2dce19c06545ed575b0737a4aa0ec19347584170a -- filename: libmemcached-libs.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/libmemcached-libs-1.0.18-15.el8.x86_64.rpm - validation: - type: sha256 - value: 412be2f692dbd7b761ba2cf35f6bbdf5c6af7ad862689f49399e3a176744f870 -- filename: pango.rpm - url: http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/pango-1.42.4-6.el8.x86_64.rpm - validation: - type: sha256 - value: 8246d152767da7e6dd297599ed4c55b8bde2a5c18e54d97a80d44eb3099d6e89 -- filename: appserver.tar.gz.aes.tar.gz - url: https://gitlab.com/crowdvector/dist/-/raw/feature/distribution/appserver/appserver.tar.gz.aes.tar.gz - validation: - type: sha256 - value: 125282343b1c8ae7d2c5d1bfd10fb70b9f84a245b9837a245c74ae2c41f78ca5 + - url: "https://getfedora.org/static/fedora.gpg" + filename: "fedora.gpg" + validation: + type: "sha256" + value: "5bdfc8afe0997046080d3d25950cbf5255fe6f647635bfe7f9b9f35be97e7196" + - url: "https://rpms.remirepo.net/RPM-GPG-KEY-remi2020" + filename: "RPM-GPG-KEY-remi2020" + validation: + type: "sha256" + value: "0483c1e7a7bf6bf6fe62882585d3bb9d903656ad020dd7045f2d496229c01959" + - url: "https://rpms.remirepo.net/RPM-GPG-KEY-remi2019" + filename: "RPM-GPG-KEY-remi2019" + validation: + type: "sha256" + value: "bba72d91ef180f18d3e7626a36ddd605d6f82ae31ce37802498b05d5444f52bb" + - url: "https://rpms.remirepo.net/RPM-GPG-KEY-remi2018" + filename: "RPM-GPG-KEY-remi2018" + validation: + type: "sha256" + value: "01992da5a631f40d0c733441f8623e0ceddcb98541b70ad528c51f04877875fb" + - url: 
"https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official" + filename: "RPM-GPG-KEY-CentOS-Official" + validation: + type: "sha256" + value: "146059788b214d7ba0dd70c1cf21111e594c6cfde201da8a9a88fe7101be8a78" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/fastlz-0.1.0-0.12.20070619svnrev12.el8.x86_64.rpm" + filename: "fastlz.rpm" + validation: + type: "sha256" + value: "9709ef361090892632cbdbb6002d96b4ab77e8b6dbed4568b215b153eda49e36" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/gdk-pixbuf2-2.36.12-5.el8.x86_64.rpm" + filename: "gdk-pixbuf2.rpm" + validation: + type: "sha256" + value: "94cb8dceb47a5b01e3c0542ea3b48601d720325da28e6e6d89ae529e4fddcd97" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/pixman-0.38.4-1.el8.x86_64.rpm" + filename: "pixman.rpm" + validation: + type: "sha256" + value: "ddbbf3a8191dbc1a9fcb67ccf9cea0d34dbe9bbb74780e1359933cd03ee24451" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/libXaw-1.0.13-10.el8.x86_64.rpm" + filename: "libXaw.rpm" + validation: + type: "sha256" + value: "d82ca1d1d9aea848d05ac0ffe889f921a19f37883ae1cf6ba1ca0528e2ab46e4" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/ilmbase-2.2.0-11.el8.x86_64.rpm" + filename: "ilmbase.rpm" + validation: + type: "sha256" + value: "ed2e48ad367e08c5f6d0e79c405ff38967506895c0e39209d301d56529f6ddaa" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/php-pecl-imagick-3.4.4-10.el8.remi.7.4.x86_64.rpm" + filename: "php-pecl-imagick.rpm" + validation: + type: "sha256" + value: "ee970eb9253619761dd6cb5825037a103e8e6b33c6d8c5d77179abf707e2c66b" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/graphviz-2.40.1-40.el8.x86_64.rpm" + filename: "graphviz.rpm" + validation: + type: "sha256" + value: "b70b6fdaf8fe66a2823d5d415b016acfb0d6f6b6a2a7154820db9ef76e908a90" + - 
url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/libwmf-lite-0.2.9-8.el8_0.x86_64.rpm" + filename: "libwmf-lite.rpm" + validation: + type: "sha256" + value: "e539923a2a5b5f484264007524cf13bf9731c27454784ef2b05d516115cd7bf3" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/fftw-libs-double-3.3.5-11.el8.x86_64.rpm" + filename: "fftw-libs-double.rpm" + validation: + type: "sha256" + value: "ed2767829f8545739e9861254cc4c729a43f0e67b981af3102649b4732feaeff" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/ImageMagick-6.9.11.60-1.el8.remi.x86_64.rpm" + filename: "ImageMagick.rpm" + validation: + type: "sha256" + value: "4ac62abc77bf7167252f611c927dfe05cb27e4a3ba3a0d988383d5225b8f0f40" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/ImageMagick-libs-6.9.11.60-1.el8.remi.x86_64.rpm" + filename: "ImageMagick-libs.rpm" + validation: + type: "sha256" + value: "b6dfe99aee70afab8db67e76b32a8da48d9ec90671f4e8c7659fe754d9c4fa9d" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/cairo-1.15.12-3.el8.x86_64.rpm" + filename: "cairo.rpm" + validation: + type: "sha256" + value: "2fcd7a063cab2e103fd4fdf8f4c63d09b9f3d60759c3b0982c75ed9a9e57bdf8" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/LibRaw-0.19.5-2.el8.x86_64.rpm" + filename: "LibRaw.rpm" + validation: + type: "sha256" + value: "b7a990676a9d74f74d368867006b896fac2e3c11f329fd61b81d9c4247d8a13b" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/librsvg2-2.42.7-4.el8.x86_64.rpm" + filename: "librsvg2.rpm" + validation: + type: "sha256" + value: "44f01d59b88bf019a11a25e9c38650d6f6d82abbdd2165783772d7d92c0c97af" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/libtool-ltdl-2.4.6-25.el8.x86_64.rpm" + filename: "libtool-ltdl.rpm" + validation: + type: "sha256" + value: 
"7dcd11f03fa0979841bf0afe0a2ac8f360502d0a2dee8322a39115595c2464ec" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/liblqr-1-0.4.2-11.el8.remi.x86_64.rpm" + filename: "liblqr.rpm" + validation: + type: "sha256" + value: "d79bd08cc0580fa3bd0f1c02c5a523403d8655411b4d7b49f7922963839156f4" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarch.rpm" + filename: "xorg-x11-fonts.rpm" + validation: + type: "sha256" + value: "723c0424ce3ec12586d390f2c6d01a2075e9f91543eb5b9a5a998636d49cb3b0" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/php-pecl-igbinary-3.2.1-1.el8.remi.7.4.x86_64.rpm" + filename: "php-pecl-igbinary.rpm" + validation: + type: "sha256" + value: "99ac1ef1f73e9e27a4f4516828852b38e36d86d9225cca56ae885446bba1e7ed" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/php-pecl-msgpack-2.1.2-1.el8.remi.7.4.x86_64.rpm" + filename: "php-pecl-msgpack.rpm" + validation: + type: "sha256" + value: "4eb2366f72a0002e9d2627e5967d45a9125a00641c9fd420c1ec981e4a63d692" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/libmemcached-1.0.18-15.el8.x86_64.rpm" + filename: "libmemcached.rpm" + validation: + type: "sha256" + value: "a98237988be726539deb640103644929fcb0a3ffe5a4fcff1d488b866374b253" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/libraqm-0.7.0-4.el8.x86_64.rpm" + filename: "libraqm.rpm" + validation: + type: "sha256" + value: "c71a88565f0951fac9e9de7ae5f2b5a48aceaf8da6f75d10ebbbb6717bde32fe" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/php-pecl-memcached-3.1.5-1.el8.remi.7.4.x86_64.rpm" + filename: "php-pecl-memcached.rpm" + validation: + type: "sha256" + value: "667abde23582e725e115080de88c92583bce654b0bc0959b841338a0f42dcb0e" + - url: 
"https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/libmemcached-libs-1.0.18-15.el8.x86_64.rpm" + filename: "libmemcached-libs.rpm" + validation: + type: "sha256" + value: "412be2f692dbd7b761ba2cf35f6bbdf5c6af7ad862689f49399e3a176744f870" + - url: "https://gitlab.com/crowdvector/dist/-/raw/master/dependencies/appserver/pango-1.42.4-6.el8.x86_64.rpm" + filename: "pango.rpm" + validation: + type: "sha256" + value: "8246d152767da7e6dd297599ed4c55b8bde2a5c18e54d97a80d44eb3099d6e89" + - url: "https://gitlab.com/crowdvector/dist/-/raw/feature/distribution/docker/appserver/appserver-21.13.tar.gz.aes.tar.gz" + filename: "appserver.tar.gz.aes.tar.gz" + validation: + type: "sha256" + value: "6c9bfeb89ec49580900811d27b9d0fdd9b2238abdd614fcc75d7ffba1642b268" # List of project maintainers maintainers: -- email: "fedramp_admin@collaboration.ai" +- email: "jay@collaboration.ai" name: "Collaboration.Ai" - username: "crowdvector" + username: "jpunnackal" cht_member: false - name: "Delali Kwami" username: "kwami.delali" diff --git a/scripts/decrypt.sh b/scripts/decrypt.sh new file mode 100755 index 0000000..de00e2a --- /dev/null +++ b/scripts/decrypt.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +path=$(pwd) +cd /opt/ignite/ + +if [ -f "appserver.tar.gz.aes" ]; then + # Decrypt and extract source, remove duplicate package files + + echo "Decrypting source..." + openssl aes-256-cbc -md sha256 -d -in appserver.tar.gz.aes -out appserver.tar.gz -k $LICENSE_KEY && rm appserver.tar.gz.aes + + echo "Unpacking source..." + tar -xf appserver.tar.gz && rm appserver.tar.gz + + # Remove duplicate package files + rm composer.json composer.lock +fi + +cd $path + +echo "Starting main process..." +eval $@ diff --git a/scripts/php-fpm-healthcheck b/scripts/php-fpm-healthcheck new file mode 100755 index 0000000..b476190 --- /dev/null +++ b/scripts/php-fpm-healthcheck 
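Review bot: every RPM resource now resolves to `https://gitlab.com/crowdvector/dist/-/raw/master/...` instead of the upstream CentOS, EPEL and Remi mirrors it used to, and the application tarball to a `feature/distribution` branch, so the provenance chain to the original publisher rests solely on the sha256 values in this file while the URLs themselves are mutable branch refs whose content will change under the pinned hashes on the next push. Pin the URLs to a commit SHA or tag (`/-/raw/<commit>/dependencies/appserver/...`) and record the original upstream URL for each re-hosted RPM in a comment so a reviewer can re-derive the hash independently. The `fedora.gpg` checksum changed while its URL did not; that is plausible for a keyring that Fedora rotates, but a one-line comment on why would save the next reviewer the check. The maintainer contact also moves from the role mailbox `fedramp_admin@collaboration.ai` to a personal address; for the entry that receives vulnerability notices, keeping the role address (possibly alongside the personal one) is more robust.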
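Review bot: `openssl ... -k $LICENSE_KEY` places the decryption passphrase on the command line, where any process in the container can read it through /proc/<pid>/cmdline while the decrypt runs, and the unquoted expansion breaks on passphrases containing whitespace or glob characters; use `-pass env:LICENSE_KEY` instead. The script also runs without `set -e`, so a failed decrypt still proceeds to `rm composer.json composer.lock` and then starts php-fpm with no application code, and `eval $@` re-parses the arguments through the shell and leaves php-fpm as a child rather than PID 1, so SIGTERM from the orchestrator never reaches it; the conventional ending is `exec "$@"`. `-md sha256` without `-pbkdf2` selects OpenSSL's single-iteration EVP_BytesToKey derivation; adding `-pbkdf2` on both the encrypt and decrypt side is cheap but changes the ciphertext format, so it requires the release pipeline to re-encrypt and is left out of the sketch below. Whether the application itself reads LICENSE_KEY at runtime cannot be told from here; if it does not, unsetting it before exec keeps it out of the FPM workers' environment (www.ubi.conf in this patch sets `clear_env = no`).
```shell
#!/usr/bin/env bash
set -euo pipefail

path=$(pwd)
cd /opt/ignite/

if [ -f "appserver.tar.gz.aes" ]; then
  : "${LICENSE_KEY:?LICENSE_KEY must be set to decrypt the application source}"

  echo "Decrypting source..."
  # Passphrase is read from the environment, not argv, so it never appears in /proc/*/cmdline.
  openssl aes-256-cbc -md sha256 -d -in appserver.tar.gz.aes -out appserver.tar.gz -pass env:LICENSE_KEY
  rm appserver.tar.gz.aes

  # … unchanged: tar extraction and removal of the duplicate composer files …
fi

cd "$path"

# Drop the passphrase before php-fpm inherits the environment (clear_env = no in the pool config).
# Remove this line if the application reads LICENSE_KEY itself — TODO confirm.
unset LICENSE_KEY

echo "Starting main process..."
exec "$@"
```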
@@ -0,0 +1,139 @@ +#!/bin/sh +# vim: set filetype=sh : + +# Author: https://github.com/renatomefi +# The original code lives in https://github.com/renatomefi/php-fpm-healthcheck +# +# A POSIX compliant shell script to healthcheck PHP fpm status, can be used only for pinging the status page +# or check for specific metrics +# +# i.e.: ./php-fpm-healthcheck --verbose --active-processes=6 +# The script will fail in case the 'active processes' is bigger than 6. +# +# You can combine multiple options as well, the first one to fail will fail the healthcheck +# i.e.: ./php-fpm-healthcheck --listen-queue-len=10 --active-processes=6 +# +# Ping mode (exit 0 if php-fpm returned data): ./php-fpm-healthcheck +# +# Ping mode with data (outputs php-fpm status text): ./php-fpm-healthcheck -v +# +# Exit status codes: +# 2,9,111 - Couldn't connect to PHP fpm, is it running? +# 8 - Couldn't reach PHP fpm status page, have you configured it with `pm.status_path = /status`? +# 1 - A healthcheck condition has failed +# 3 - Invalid option given +# 4 - One or more required softwares are missing +# +# Available options: +# -v|--verbose +# +# Metric options, fails in case the CURRENT VALUE is bigger than the GIVEN VALUE +# --accepted-conn=n +# --listen-queue=n +# --max-listen-queue=n +# --idle-processes=n +# --active-processes=n +# --total-processes=n +# --max-active-processes=n +# --max-children-reached=n +# --slow-requests=n +# + +set -eu + +OPTIND=1 # Reset getopt in case it has been used previously in the shell + +# Required software +FCGI_CMD_PATH=$(command -v cgi-fcgi) || { >&2 echo "Make sure fcgi is installed (i.e. apk add --no-cache fcgi). Aborting."; exit 4; } +command -v sed 1> /dev/null || { >&2 echo "Make sure sed is installed (i.e. apk add --no-cache busybox). Aborting."; exit 4; } +command -v tail 1> /dev/null || { >&2 echo "Make sure tail is installed (i.e. apk add --no-cache busybox). 
Aborting."; exit 4; } +command -v grep 1> /dev/null || { >&2 echo "Make sure grep is installed (i.e. apk add --no-cache grep). Aborting."; exit 4; } + +# Get status from fastcgi connection +# $1 - cgi-fcgi connect argument +get_fpm_status() { + if test "$VERBOSE" = 1; then printf "Trying to connect to php-fpm via: %s%s\\n" "$1" "$SCRIPT_NAME"; fi; + + # Since I cannot use pipefail I'll just split these in two commands + FPM_STATUS=$(env -i REQUEST_METHOD="$REQUEST_METHOD" SCRIPT_NAME="$SCRIPT_NAME" SCRIPT_FILENAME="$SCRIPT_FILENAME" "$FCGI_CMD_PATH" -bind -connect "$1" 2> /dev/null) + FPM_STATUS=$(echo "$FPM_STATUS" | tail +5) + + if test "$VERBOSE" = 1; then printf "php-fpm status output:\\n%s\\n" "$FPM_STATUS"; fi; + + if test "$FPM_STATUS" = "File not found."; then + >&2 printf "php-fpm status page non reachable\\n"; + exit 8; + fi; +} + +# $1 - fpm option +# $2 - expected value threshold +check_fpm_health_by() { + OPTION=$(echo "$1" | sed 's/--//g; s/-/ /g;') + VALUE_EXPECTED="$2"; + VALUE_ACTUAL=$(echo "$FPM_STATUS" | grep "^$OPTION:" | cut -d: -f2 | sed 's/ //g') + + if test "$VERBOSE" = 1; then printf "'%s' value '%s' and expected is less than '%s'\\n" "$OPTION" "$VALUE_ACTUAL" "$VALUE_EXPECTED"; fi; + + if test "$VALUE_ACTUAL" -gt "$VALUE_EXPECTED"; then + >&2 printf "'%s' value '%s' is greater than expected '%s'\\n" "$OPTION" "$VALUE_ACTUAL" "$VALUE_EXPECTED"; + exit 1; + fi; +} + +PARAM_AMOUNT=0 + +# $1 - fpm option +# $2 - expected value threshold +check_later() { + # The POSIX sh way to check if it's an integer, also the output is supressed since it's polution + if ! 
test "$2" -eq "$2" 2> /dev/null; then + >&2 printf "'%s' option value must be an integer, '%s' given\\n" "$1" "$2"; exit 3; + fi + + PARAM_AMOUNT=$(( PARAM_AMOUNT + 1 )) + + eval "PARAM_TO_CHECK$PARAM_AMOUNT=$1" + eval "VALUE_TO_CHECK$PARAM_AMOUNT=$2" +} + +# From the PARAM_TO_CHECK/VALUE_TO_CHECK magic variables, do all the checks +check_fpm_health() { + j=1 + while [ $j -le $PARAM_AMOUNT ]; do + eval "CURRENT_PARAM=\$PARAM_TO_CHECK$j" + eval "CURRENT_VALUE=\$VALUE_TO_CHECK$j" + check_fpm_health_by "$CURRENT_PARAM" "$CURRENT_VALUE" + j=$(( j + 1 )) + done +} + +if ! GETOPT=$(getopt -o v --long verbose,accepted-conn:,listen-queue:,max-listen-queue:,listen-queue-len:,idle-processes:,active-processes:,total-processes:,max-active-processes:,max-children-reached:,slow-requests: -n 'php-fpm-healthcheck' -- "$@"); then + >&2 echo "Invalid options, terminating." ; exit 3 +fi; + +eval set -- "$GETOPT" + +# FastCGI variables +FCGI_CONNECT_DEFAULT="localhost:9000" +FCGI_STATUS_PATH_DEFAULT="/status" + +export REQUEST_METHOD="GET" +export SCRIPT_NAME="${FCGI_STATUS_PATH:-$FCGI_STATUS_PATH_DEFAULT}" +export SCRIPT_FILENAME="${FCGI_STATUS_PATH:-$FCGI_STATUS_PATH_DEFAULT}" +FCGI_CONNECT="${FCGI_CONNECT:-$FCGI_CONNECT_DEFAULT}" + +VERBOSE=0 + +while test "$1"; do + case "$1" in + -v|--verbose ) VERBOSE=1; shift ;; + --) shift ; break ;; + * ) check_later "$1" "$2"; shift 2 ;; + esac +done + +FPM_STATUS=false + +get_fpm_status "$FCGI_CONNECT" +check_fpm_health -- GitLab From 724ae49f4aba12fe6c6144c778f89f95327a6e7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9Ccrowdvector=E2=80=9D?= Date: Sun, 28 Mar 2021 20:20:53 -0400 Subject: [PATCH 2/3] Correcting LICENSE --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 984c809..c938b44 100644 --- a/LICENSE +++ b/LICENSE 
@@ -6,4 +6,4 @@ You need to acquire a license from Collaboration.Ai to use this product. This pr
 The source code of the open source parts and its licenses is included or can be requested.
 innosabi GmbH, Möhlstraße 2, 81675 München
-Collaboration.Ai, 661 Auburn Avenue NE, Suite 5, Atlanta, GA 30312-1940
+Collaboration.Ai, 1120 S. 2nd St. Unit 811, Minneapolis, MN 55415
--
GitLab
From a546461484b6178a69d19b92e1003a7cd0a28c22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9Ccrowdvector=E2=80=9D?=
Date: Mon, 29 Mar 2021 00:13:37 -0400
Subject: [PATCH 3/3] Renamed configs to config
---
 Dockerfile | 10 +++++-----
 LICENSE | 3 +--
 {configs => config}/magic | 0
 {configs => config}/php-fpm.conf | 0
 {configs => config}/php.dev.ini | 0
 {configs => config}/php.ini | 0
 {configs => config}/www.conf | 0
 {configs => config}/www.ubi.conf | 0
 {configs => config}/xdebug.ini | 0
 hardening_manifest.yaml | 2 +-
 10 files changed, 7 insertions(+), 8 deletions(-)
 rename {configs => config}/magic (100%)
 rename {configs => config}/php-fpm.conf (100%)
 rename {configs => config}/php.dev.ini (100%)
 rename {configs => config}/php.ini (100%)
 rename {configs => config}/www.conf (100%)
 rename {configs => config}/www.ubi.conf (100%)
 rename {configs => config}/xdebug.ini (100%)
diff --git a/Dockerfile b/Dockerfile
index 74b042b..b60698b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_REGISTRY=registry1.dso.mil/ironbank
 ARG BASE_IMAGE=redhat/ubi/ubi8
 ARG BASE_TAG=8.3
@@ -69,10 +69,10 @@ RUN \
 rm -f *.rpm && \
 dnf -y clean all
-COPY configs/php.ini /etc/php.ini
-COPY configs/php-fpm.conf /etc/php-fpm.conf
-COPY configs/www.ubi.conf /usr/local/etc/php-fpm.d/www.conf
-COPY configs/magic /usr/local/etc/magic
+COPY config/php.ini /etc/php.ini
+COPY config/php-fpm.conf /etc/php-fpm.conf
+COPY config/www.ubi.conf /usr/local/etc/php-fpm.d/www.conf
+COPY config/magic /usr/local/etc/magic
 COPY scripts/php-fpm-healthcheck /usr/local/bin/
 # Create all main directories to set access rights
diff --git a/LICENSE b/LICENSE
index c938b44..7e6a416 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,9 +1,8 @@
 LICENSE: COMMERCIAL
-(c) 2001-2021 innosabi, 2020-2021 Collaboration.Ai
+(c) 2020-2021 Collaboration.Ai
 You need to acquire a license from Collaboration.Ai to use this product. This product includes open source software.
 The source code of the open source parts and its licenses is included or can be requested.
-innosabi GmbH, Möhlstraße 2, 81675 München
 Collaboration.Ai, 1120 S. 2nd St. Unit 811, Minneapolis, MN 55415
diff --git a/configs/magic b/config/magic
similarity index 100%
rename from configs/magic
rename to config/magic
diff --git a/configs/php-fpm.conf b/config/php-fpm.conf
similarity index 100%
rename from configs/php-fpm.conf
rename to config/php-fpm.conf
diff --git a/configs/php.dev.ini b/config/php.dev.ini
similarity index 100%
rename from configs/php.dev.ini
rename to config/php.dev.ini
diff --git a/configs/php.ini b/config/php.ini
similarity index 100%
rename from configs/php.ini
rename to config/php.ini
diff --git a/configs/www.conf b/config/www.conf
similarity index 100%
rename from configs/www.conf
rename to config/www.conf
diff --git a/configs/www.ubi.conf b/config/www.ubi.conf
similarity index 100%
rename from configs/www.ubi.conf
rename to config/www.ubi.conf
diff --git a/configs/xdebug.ini b/config/xdebug.ini
similarity index 100%
rename from configs/xdebug.ini
rename to config/xdebug.ini
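Review bot: The renamed COPY lines still place `www.ubi.conf` and `magic` under `/usr/local/etc/`, which is the layout of the Docker-official php image, while this image installs php-fpm from the UBI `php:7.4` module, whose stock `/etc/php-fpm.conf` typically includes `/etc/php-fpm.d/*.conf` rather than anything under `/usr/local/etc/`. Unless the copied `config/php-fpm.conf` rewrites that `include` line (its contents are not in this patch), the pool file copied here is never loaded and the RPM's default `www.conf` pool runs instead, which would also not match the bundled healthcheck's default `localhost:9000` connect target. Please confirm the include path in `config/php-fpm.conf`, or copy the pool where the distribution php-fpm reads it: `COPY config/www.ubi.conf /etc/php-fpm.d/www.conf`. The RUN instruction that precedes these lines starts outside the hunk.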
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 2e3af4a..e1a3866 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -191,7 +191,7 @@ resources:
 # List of project maintainers
 maintainers:
 - email: "jay@collaboration.ai"
- name: "Collaboration.Ai"
+ name: "Jay Punnackal"
 username: "jpunnackal"
 cht_member: false
 - name: "Delali Kwami"
--
GitLab