image size reduction, better cronjobs, better tests, better logs

Dockerfile

@@ -14,27 +14,28 @@ ARG PECL_PASSBOLT_EXTENSIONS="gnupg \
       redis \
       mcrypt"
 
-ENV PECL_BASE_URL="https://pecl.php.net/get"
+ARG PASSBOLT_DEV_PACKAGES="libgpgme11-dev \
-ENV PHP_EXT_DIR="/usr/src/php/ext"
-
-WORKDIR /var/www/passbolt
-RUN apt-get update && apt-get -y install \
-      --no-install-recommends \
-      nginx \
-      libgpgme11-dev \
-      gnupg1 \
-      mysql-client \
       libpng-dev \
       libicu-dev \
       libxslt1-dev \
       libmcrypt-dev \
+      unzip \
+      git"
+
+ENV PECL_BASE_URL="https://pecl.php.net/get"
+ENV PHP_EXT_DIR="/usr/src/php/ext"
+
+WORKDIR /var/www/passbolt
+RUN apt-get update \
+    && apt-get -y install --no-install-recommends $PASSBOLT_DEV_PACKAGES \
+         nginx \
+         gnupg \
+         libgpgme11 \
+         libmcrypt4 \
+         mysql-client \
          supervisor \
-      git \
          netcat \
-      procps \
          cron \
-    && mv /usr/bin/gpg /usr/bin/gpg2 \
-    && update-alternatives --verbose --install /usr/bin/gpg gnupg /usr/bin/gpg1 50 \
     && mkdir /home/www-data \
     && chown -R www-data:www-data /home/www-data \
     && usermod -d /home/www-data www-data \
@@ -45,19 +46,22 @@ RUN apt-get update && apt-get -y install \
        done \
     && docker-php-ext-install -j4 $PHP_EXTENSIONS $PECL_PASSBOLT_EXTENSIONS \
     && docker-php-ext-enable $PHP_EXTENSIONS $PECL_PASSBOLT_EXTENSIONS \
+    && docker-php-source delete \
     && curl -sS https://getcomposer.org/installer | php \
     && mv composer.phar /usr/local/bin/composer \
     && curl -sSL $PASSBOLT_URL | tar zxf - -C . --strip-components 1 \
-    && composer install --no-dev --optimize-autoloader \
+    && composer install -n --no-dev --optimize-autoloader \
     && chown -R www-data:www-data . \
     && chmod 775 $(find /var/www/passbolt/tmp -type d) \
     && chmod 664 $(find /var/www/passbolt/tmp -type f) \
     && chmod 775 $(find /var/www/passbolt/webroot/img/public -type d) \
     && chmod 664 $(find /var/www/passbolt/webroot/img/public -type f) \
-    && rm /etc/nginx/sites-enabled/default
+    && rm /etc/nginx/sites-enabled/default \
+    && apt-get purge -y --auto-remove $PASSBOLT_DEV_PACKAGES \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY conf/passbolt.conf /etc/nginx/conf.d/default.conf
-COPY conf/supervisord.conf /etc/supervisord.conf
+COPY conf/supervisord.conf /etc/supervisor/supervisord.conf
 COPY bin/docker-entrypoint.sh /docker-entrypoint.sh
 
 EXPOSE 80 443

bin/docker-entrypoint.sh

@@ -18,24 +18,26 @@ gpg_gen_key() {
   expiration="${PASSBOLT_KEY_EXPIRATION:-0}"
 
   su -m -c "gpg --batch --no-tty --gen-key <<EOF
-    Key-Type: 1
+    Key-Type: default
 		Key-Length: $key_length
-		Subkey-Type: 1
+		Subkey-Type: default
 		Subkey-Length: $subkey_length
     Name-Real: $key_name
     Name-Email: $key_email
     Expire-Date: $expiration
+    %no-protection
 		%commit
 EOF" -ls /bin/sh www-data
 
+  su -c "gpg --batch --yes --pinentry-mode loopback --quick-gen-key --passphrase '' $key_email" -ls /bin/sh www-data
+
   su -c "gpg --armor --export-secret-keys $key_email > $gpg_private_key" -ls /bin/sh www-data
   su -c "gpg --armor --export $key_email > $gpg_public_key" -ls /bin/sh www-data
 }
 
 gpg_import_key() {
-  key_id=$(su -m -c "gpg --with-colons $gpg_private_key | grep sec |cut -f5 -d:" -ls /bin/sh www-data)
+  su -c "gpg --batch --import $gpg_public_key" -ls /bin/bash www-data
-  su -c "gpg --batch --import $gpg_public_key" -ls /bin/sh www-data
+  su -c "gpg --batch --import $gpg_private_key" -ls /bin/bash www-data
-  su -c "gpg -K $key_id" -ls /bin/sh www-data || su -m -c "gpg --batch --import $gpg_private_key" -ls /bin/sh www-data
 }
 
 gen_ssl_cert() {
@@ -46,11 +48,11 @@ gen_ssl_cert() {
 
 install() {
   tables=$(mysql \
-    -u "$DATASOURCES_DEFAULT_USERNAME" \
+    -u "${DATASOURCES_DEFAULT_USERNAME:-passbolt}" \
-    -h "$DATASOURCES_DEFAULT_HOST" \
+    -h "${DATASOURCES_DEFAULT_HOST:-localhost}" \
-    -P "$DATASOURCES_DEFAULT_PORT" \
+    -P "${DATASOURCES_DEFAULT_PORT:-3306}" \
-    -BN -e "SHOW TABLES FROM $DATASOURCES_DEFAULT_DATABASE" \
+    -BN -e "SHOW TABLES FROM ${DATASOURCES_DEFAULT_DATABASE:-passbolt}" \
-    -p"$DATASOURCES_DEFAULT_PASSWORD" |wc -l)
+    -p"${DATASOURCES_DEFAULT_PASSWORD:-P4ssb0lt}" |wc -l)
   app_config="/var/www/passbolt/config/app.php"
 
   if [ ! -f "$app_config" ]; then
@@ -58,21 +60,23 @@ install() {
   fi
 
   if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ]; then
-    gpg_auto_fingerprint="$(su -c "gpg --with-fingerprint $gpg_public_key | grep fingerprint | awk '{for(i=4;i<=NF;++i)printf \$i}'" -ls /bin/sh www-data)"
+    gpg_auto_fingerprint="$(su -c "gpg --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/sh www-data)"
     export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
   fi
 
   if [ "$tables" -eq 0 ]; then
     su -c '/var/www/passbolt/bin/cake passbolt install --no-admin --force' -s /bin/sh www-data
   else
+    su -c '/var/www/passbolt/bin/cake migrations migrate' -s /bin/sh www-data
     echo "Enjoy! ☮"
   fi
 }
 
 email_cron_job() {
+  printenv > /etc/environment
+  sed -i 's/=\(.*\)/="\1"/g' /etc/environment
   cron_task='/etc/cron.d/passbolt_email'
-  process_email="/var/www/passbolt/bin/cake EmailQueue.sender --quiet"
+  echo "* * * * * su -c \"source /etc/environment ; /var/www/passbolt/bin/cake EmailQueue.sender\" -s /bin/bash www-data >> /var/log/cron.log 2>&1" >> $cron_task
-  echo "* * * * * su -c \"$process_email\" -s /bin/sh www-data" >> $cron_task
 
   crontab /etc/cron.d/passbolt_email
 }
@@ -93,4 +97,4 @@ fi
 install
 email_cron_job
 
-/usr/bin/supervisord -n -c /etc/supervisord.conf
+/usr/bin/supervisord -n

conf/supervisord.conf

@@ -1,15 +1,13 @@
+; supervisor config file
+
 [unix_http_server]
-file=/tmp/supervisor.sock   ; (the path to the socket file)
+file=/var/run/supervisor.sock   ; (the path to the socket file)
+chmod=0700                       ; sockef file mode (default 0700)
 
 [supervisord]
-logfile=/tmp/supervisord.log ; (main log file;default $CWD/supervisord.log)
+logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
-logfile_maxbytes=50MB        ; (max main logfile bytes b4 rotation;default 50MB)
+pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-logfile_backups=10           ; (num of main logfile rotation backups;default 10)
+childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
-loglevel=info                ; (log level;default info; others: debug,warn,trace)
-pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-nodaemon=false               ; (start in foreground if true;default false)
-minfds=1024                  ; (min. avail startup file descriptors;default 1024)
-minprocs=200                 ; (min. avail process descriptors;default 200)
 
 ; the below section must remain in the config file for RPC
 ; (supervisorctl/web interface) to work, additional interfaces may be
@@ -18,19 +16,37 @@ minprocs=200                 ; (min. avail process descriptors;default 200)
 supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
 
 [supervisorctl]
-serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
+serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL  for a unix socket
+
+; The [include] section can just contain the "files" setting.  This
+; setting can list multiple files (separated by whitespace or
+; newlines).  It can also contain wildcards.  The filenames are
+; interpreted as relative to this file.  Included files *cannot*
+; include files themselves.
 
 [program:php-fpm]
 command=php-fpm
 autostart=true
 priority=5
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 
 [program:nginx]
 command=nginx -g "daemon off;"
 autostart=true
 priority=10
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 
 [program:cron]
-command=cron
+command=cron -f -l
 autostart=true
 priority=20
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

docker-compose.yml

@@ -10,7 +10,8 @@ services:
       - 3306
 
   passbolt:
-    image: gcr.io/passbolt-production/passbolt-api:2.0.0-rc2-debian
+    image: passbolt/passbolt:develop-debian
+    tty: true
     depends_on:
       - db
     env_file:

spec/docker_image/image_spec.rb

@@ -26,7 +26,7 @@ describe 'Dockerfile' do
   let(:composer)        { '/usr/local/bin/composer'}
   let(:php_extensions)  { [
     'curl', 'gd', 'intl', 'json', 'mcrypt', 'mysqlnd', 'xsl', 'phar',
-    'posix', 'xml', 'xsl', 'zlib', 'ctype', 'pdo', 'gnupg', 'pdo_mysql'
+    'posix', 'xml', 'zlib', 'ctype', 'pdo', 'gnupg', 'pdo_mysql'
     ] }
 
   describe 'passbolt required php extensions' do

spec/docker_runtime/runtime_spec.rb

@@ -49,17 +49,17 @@ describe 'passbolt_api service' do
 
   describe 'php service' do
     it 'is running supervised' do
-      expect(process('php-fpm')).to be_running.under('supervisor')
+      expect(service('php-fpm')).to be_running.under('supervisor')
     end
 
     it 'has its port open' do
-      expect(port(9000)).to be_listening.with('tcp')
+      expect(@container.json['Config']['ExposedPorts']).to have_key('9000/tcp')
     end
   end
 
   describe 'email cron' do
     it 'is running supervised' do
-      expect(service('crond')).to be_running.under('supervisor')
+      expect(service('cron')).to be_running.under('supervisor')
     end
   end
 
@@ -69,11 +69,11 @@ describe 'passbolt_api service' do
     end
 
     it 'is listening on port 80' do
-      expect(port(80)).to be_listening.with('tcp')
+      expect(@container.json['Config']['ExposedPorts']).to have_key('80/tcp')
     end
 
     it 'is listening on port 443' do
-      expect(port(443)).to be_listening.with('tcp')
+      expect(@container.json['Config']['ExposedPorts']).to have_key('443/tcp')
     end
   end