From db20e64366a2f5b54fbbb726fd7e19127f2512cc Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Wed, 24 Mar 2021 15:57:23 -0600
Subject: [PATCH] Correct startup bug in Apache2 container

Use in-built apache user/group instead of new httpd user. Explicitly set permissions where necessary. Send Access & Error Logs to stdout/stderr for more insight Display meaningful error message to new users when they run the container without a cert
---
 Dockerfile               | 26 +++++++++++++++++++-------
 README.md                |  3 +++
 scripts/httpd-foreground | 22 ++++++++++++++++++++++
 3 files changed, 44 insertions(+), 7 deletions(-)
 create mode 100755 scripts/httpd-foreground

diff --git a/Dockerfile b/Dockerfile
index e666b2f..712c0fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_REGISTRY=repo1.dso.mil
+ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
 ARG BASE_TAG=8.3
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
@@ -8,9 +8,13 @@ RUN dnf -y update && dnf -y upgrade && \
     dnf -y install httpd mod_ssl && \
     dnf -y clean all
 
-RUN useradd httpd && \
-    chown -R httpd:httpd /etc/httpd/ && \
+COPY scripts/httpd-foreground /etc/httpd/httpd-foreground
+
+RUN chown -R apache:apache /etc/httpd/ && \
+    chmod +x /etc/httpd/httpd-foreground && \
     chmod 0770 /run/httpd/ && \
+    chown -R apache:apache /var/log/httpd && \
+    sed -i 's/Listen\ 80/#Listen\ 80/' /etc/httpd/conf/httpd.conf && \
     echo 'ServerName localhost' >> /etc/httpd/conf.d/ssl.conf && \
     sed -i 's/^#SSLProtocol/SSLProtocol/' /etc/httpd/conf.d/ssl.conf && \
     sed -i 's/\-SSLv3/\+TLSv1.2/' /etc/httpd/conf.d/ssl.conf && \
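Review bot: `chown -R apache:apache /etc/httpd/` in the new RUN hands the whole configuration tree (conf/httpd.conf, conf.d/ssl.conf and the conf.d drop-ins edited by the sed lines that follow) to the account the server later runs as via `USER apache`, so a compromised worker could rewrite its own server config, including the log and TLS directives; httpd only needs to read those files. Keep /etc/httpd root-owned and world-readable, and grant the apache user only the paths it must write, which in this file is /run/httpd (plus /var/log/httpd if anything still logs there after the stdout/stderr redirection later in the RUN). The `chmod +x /etc/httpd/httpd-foreground` line is redundant where the build context keeps the patch's `create mode 100755`, since COPY preserves the mode, but it is harmless. This RUN instruction continues beyond the end of the hunk.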
@@ -18,12 +22,20 @@ RUN useradd httpd && \
     sed -i 's/443/8443/' /etc/httpd/conf.d/ssl.conf && \
     echo "SSLFIPS on" >> /etc/httpd/conf.d/ssl.conf && \
     fips-mode-setup --enable && \
-    update-crypto-policies --set FIPS
+    update-crypto-policies --set FIPS && \
+    sed -ri \
+    -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!g' \
+    -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!g' \
+    -e 's!^(\s*TransferLog)\s+\S+!\1 /proc/self/fd/1!g' \
+    "/etc/httpd/conf/httpd.conf" \
+    "/etc/httpd/conf.d/ssl.conf"
 
 EXPOSE 8443
 
-HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 CMD [ "curl -f http://localhost:8443" || exit 1 ]
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 CMD [ "curl -f https://localhost:8443" || exit 1 ]
+
+STOPSIGNAL SIGWINCH
 
-USER httpd
+USER apache
 
-ENTRYPOINT ["/usr/sbin/httpd", "-D", "FOREGROUND"]
+ENTRYPOINT ["/etc/httpd/httpd-foreground"]
diff --git a/README.md b/README.md
index 81f922c..7fe661f 100644
--- a/README.md
+++ b/README.md
@@ -13,5 +13,8 @@ In order to run the container, enter the following command inside this directory docker run -d -p 8443:8443 This will build and run the container.
+In order to use this container, you must supply your own TLS certificates by building a container built from this container. Instructions are provided if you run the container without the necessary files installed, and in the scripts/httpd-foreground file.
+
+
 ### Additioanal information
 For additional information, visit http://httpd.apache.org/
diff --git a/scripts/httpd-foreground b/scripts/httpd-foreground
new file mode 100755
index 0000000..c04464d
--- /dev/null
+++ b/scripts/httpd-foreground
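Review bot: The new HEALTHCHECK line never runs curl: `CMD [ "curl -f https://localhost:8443" || exit 1 ]` is not a JSON array, so Docker passes it to /bin/sh, where `[ "curl -f https://localhost:8443" ]` is a non-empty-string test that always succeeds and the container is reported healthy whether or not httpd is listening; the commit only changed the scheme from http to https and kept the broken shape. Write it as a plain shell command and decide how the user-supplied certificate is validated, e.g. `HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 CMD curl -fsS --cacert /etc/pki/tls/certs/localhost.crt https://localhost:8443/ || exit 1`, which works when localhost.crt is self-signed for localhost; a CA-issued certificate can drop `--cacert`, and `-k` would reduce the probe to a reachability check. This presumes curl is present in the final ubi8 image, which is worth confirming. The RUN instruction that the first lines of this hunk belong to begins outside the hunk.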
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ ! -f /etc/pki/tls/certs/localhost.crt ];
+then
+  echo "#=====ERROR===="
+  echo "#In order to properly use this container you use supply your own SSL certificates";
+  echo "#Create a new Dockerfile with the following contents:";
+  echo "";
+  echo "###########";
+  echo "";
+  echo "FROM registry1.ironbank.dso.mil/apache2";
+  echo "COPY localhost.crt /etc/pki/tls/certs/localhost.crt";
+  echo "COPY localhost.key /etc/pki/tls/private/localhost.key";
+  echo "USER root";
+  echo "RUN chmod a+r /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key";
+  echo "USER apache";
+  echo "#build this container and use the result in your application";
+  exit 1;
+fi;
+
+exec httpd -DFOREGROUND
+
-- 
2.22.4
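Review bot: The guard only tests that /etc/pki/tls/certs/localhost.crt exists, so a user who copies the certificate but forgets the key, or leaves either file unreadable by the apache account this script runs as, still gets httpd's own startup failure instead of the friendly message; test both files for readability, `if [ ! -r /etc/pki/tls/certs/localhost.crt ] || [ ! -r /etc/pki/tls/private/localhost.key ]; then`. The printed instructions also tell users to `chmod a+r` the private key, which makes it readable by every account in the image; since httpd runs as apache, the message should show `chown apache:apache` on the key with mode 0400 instead, and it should state that the key is being baked into an image layer so readers can choose a runtime mount where that is not acceptable. The diagnostic should be written to stderr (`>&2`) rather than stdout, and "you use supply" on the second echo line reads as a typo for "you must supply". The sample `FROM registry1.ironbank.dso.mil/apache2` uses a different registry host from the Dockerfile's `BASE_REGISTRY=registry1.dso.mil`; worth confirming which one consumers should reference.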