Rootless Docker/Optimized build (#932)

* Rootless Dockerfile/Optimized build Add unneeded files to .dockerignore Split Dockerfile into more stages to allow Composer/Yarn to run concurrently Don't log supervisord to a file, as file logging in a Docker container makes no sense Redirect process output to container output for log processors Run all processes as non-root Minimize files with write permission for non-root user Move docker folder out of .github, as it has nothing to do with GitHub * Remove install-php-extensions utility after use and name final stage * Test arm64 runner * Allow Docker workflow caching multi-arch separately * Fix Docker publish workflow branches * Move Caddyfile/crontab config into docker directory, remove redundant supervisord user * Further restrict permissions * Supervisord logs
2025-05-19 21:04:44 +02:00 · 2025-01-23 01:01:14 -08:00 · 2025-01-23 01:01:14 -08:00 · 6a4963200c
commit 6a4963200c
parent 37ba62410f
9 changed files with 116 additions and 65 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,10 +1,29 @@
 **.DS_Store
 .env
 .devcontainer
 .dockerignore
 .editorconfig
 .git
-node_modules
+.github
-vendor
+**.gitignore
 .php-cs-fixer.dist.php
 .prettierrc.json
 .vscode
 Dockerfile
 bounties.md
 compose.yml
 contributing.md
 contributor_license_agreement.md
 database/database.sqlite
 docker/README.md
 node_modules
 phpstan.neon
 phpunit.xml
 readme.md
 storage/debugbar/*.json
 storage/logs/*.log
 storage/framework/cache/data/*
 storage/framework/sessions/*
 storage/framework/testing
 storage/framework/views/*.php
 storage/logs/*.log
 vendor
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@ -71,6 +71,8 @@ jobs:
            VERSION=${{ steps.build_info.outputs.version_tag }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          tags: ${{ steps.docker_meta.outputs.tags }}
          cache-from: type=gha,scope=tagged${{ matrix.os }}
          cache-to: type=gha,scope=tagged${{ matrix.os }},mode=max
      - name: Build and Push (main)
        uses: docker/build-push-action@v6
@ -84,5 +86,5 @@ jobs:
            VERSION=dev-${{ steps.build_info.outputs.short_sha }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          tags: ${{ steps.docker_meta.outputs.tags }}
-          cache-from: type=gha
+          cache-from: type=gha,scope=${{ matrix.os }}
-          cache-to: type=gha,mode=max
+          cache-to: type=gha,scope=${{ matrix.os }},mode=max
--- a/108
+++ b/108
@ -1,69 +1,103 @@
 # syntax=docker.io/docker/dockerfile:1.7-labs
 # Pelican Production Dockerfile
 # ================================
-# Stage 1: Build PHP Dependencies
+# Stage 1: Build PHP Base Image
 # ================================
-FROM --platform=$TARGETOS/$TARGETARCH php:8.3-fpm-alpine AS composer
+FROM --platform=$TARGETOS/$TARGETARCH php:8.3-fpm-alpine AS base
 ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/
 RUN install-php-extensions bcmath gd intl zip opcache pcntl posix pdo_mysql
 RUN rm /usr/local/bin/install-php-extensions
 # ================================
 # Stage 2-1: Composer Install
 # ================================
 FROM --platform=$TARGETOS/$TARGETARCH base AS composer
 WORKDIR /build
 COPY . ./
 COPY --from=composer:latest /usr/bin/composer /usr/local/bin/composer
-# Install required libraries and PHP extensions
+# Copy bare minimum to install Composer dependencies
-RUN apk update && apk add --no-cache \
+COPY composer.json composer.lock ./
    libpng-dev libjpeg-turbo-dev freetype-dev libzip-dev icu-dev \
    zip unzip curl \
    && docker-php-ext-install bcmath gd intl zip opcache pcntl posix pdo_mysql
-RUN composer install --no-dev --optimize-autoloader
+RUN composer install --no-dev --no-interaction --no-autoloader --no-scripts
 # ================================
-# Stage 2: Build Frontend Assets
+# Stage 2-2: Yarn Install
 # ================================
 FROM --platform=$TARGETOS/$TARGETARCH node:20-alpine AS yarn
 WORKDIR /build
-COPY --from=composer /build .
+# Copy bare minimum to install Yarn dependencies
 COPY package.json yarn.lock ./
 RUN yarn config set network-timeout 300000 \
-    && yarn install --frozen-lockfile \
+    && yarn install --frozen-lockfile
    && yarn run build
 # ================================
-# Stage 3: Build Final Application Image
+# Stage 3-1: Composer Optimize
 # ================================
-FROM --platform=$TARGETOS/$TARGETARCH php:8.3-fpm-alpine
+FROM --platform=$TARGETOS/$TARGETARCH composer AS composerbuild
 # Copy full code to optimize autoload
 COPY --exclude=Caddyfile --exclude=docker/ . ./
 RUN composer dump-autoload --optimize
 # ================================
 # Stage 3-2: Build Frontend Assets
 # ================================
 FROM --platform=$TARGETOS/$TARGETARCH yarn AS yarnbuild
 WORKDIR /build
 # Copy full code
 COPY --exclude=Caddyfile --exclude=docker/ . ./
 COPY --from=composer /build .
 RUN yarn run build
 # ================================
 # Stage 4: Build Final Application Image
 # ================================
 FROM --platform=$TARGETOS/$TARGETARCH base AS final
 WORKDIR /var/www/html
 COPY --from=composer:latest /usr/bin/composer /usr/local/bin/composer
 # Install additional required libraries
 RUN apk update && apk add --no-cache \
-    libpng-dev libjpeg-turbo-dev freetype-dev libzip-dev icu-dev \
+    caddy ca-certificates supervisor supercronic
    zip unzip curl caddy ca-certificates supervisor
-# Copy PHP extensions and configuration from Composer stage
+COPY --chown=root:www-data --chmod=640 --from=composerbuild /build .
-COPY --from=composer /usr/local/lib/php/extensions/ /usr/local/lib/php/extensions/
+COPY --chown=root:www-data --chmod=640 --from=yarnbuild /build/public ./public
 COPY --from=composer /usr/local/etc/php/conf.d/ /usr/local/etc/php/conf.d/
-COPY Caddyfile /etc/caddy/Caddyfile
+# Set permissions
-COPY --from=yarn /build .
+# First ensure all files are owned by root and restrict www-data to read access
-
+RUN chown root:www-data ./ \
-RUN touch .env
+    && chmod 750 ./ \
-
+    # Files should not have execute set, but directories need it
-# Set permissions for Laravel directories
+    && find ./ -type d -exec chmod 750 {} \; \
-RUN chmod -R 755 storage bootstrap/cache \
+    # Symlink to env/database path, as www-data won't be able to write to webroot
-    && chown -R www-data:www-data ./
+    && ln -s /pelican-data/.env ./.env \
-
+    && ln -s /pelican-data/database/database.sqlite ./database/database.sqlite \
-# Add Laravel scheduler to crontab
+    # Create necessary directories
-RUN echo "* * * * * php /var/www/html/artisan schedule:run >> /dev/null 2>&1" | crontab -u www-data -
+    && mkdir -p /pelican-data /var/run/supervisord /etc/supercronic \
    # Finally allow www-data write permissions where necessary
    && chown -R www-data:www-data /pelican-data ./storage ./bootstrap/cache /var/run/supervisord \
    && chmod -R u+rwX,g+rwX,o-rwx /pelican-data ./storage ./bootstrap/cache /var/run/supervisord
 # Configure Supervisor
-RUN cp .github/docker/supervisord.conf /etc/supervisord.conf && \
+COPY docker/supervisord.conf /etc/supervisord.conf
-    mkdir /var/log/supervisord/
+COPY docker/Caddyfile /etc/caddy/Caddyfile
 # Add Laravel scheduler to crontab
 COPY docker/crontab /etc/supercronic/crontab
 COPY docker/entrypoint.sh ./docker/entrypoint.sh
 HEALTHCHECK --interval=5m --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost/up || exit 1
@ -72,5 +106,7 @@ EXPOSE 80 443
 VOLUME /pelican-data
-ENTRYPOINT [ "/bin/ash", ".github/docker/entrypoint.sh" ]
+USER www-data
 ENTRYPOINT [ "/bin/ash", "docker/entrypoint.sh" ]
 CMD [ "supervisord", "-n", "-c", "/etc/supervisord.conf" ]
--- a/compose.yml
+++ b/compose.yml
@ -28,6 +28,7 @@ x-common:
 services:
  panel:
    image: ghcr.io/pelican-dev/panel:latest
    build: .
    restart: always
    networks:
      - default
--- a/docker/Caddyfile
+++ b/docker/Caddyfile
--- a/.github/docker/README.md
+++ b/.github/docker/README.md
--- a/docker/crontab
+++ b/docker/crontab
@ -0,0 +1 @@
 * * * * * php /var/www/html/artisan schedule:run
--- a/.github/docker/entrypoint.sh
+++ b/.github/docker/entrypoint.sh
@ -1,14 +1,11 @@
 #!/bin/ash -e
-#mkdir -p /var/log/supervisord/ /var/log/php8/ \
+## check for .env file or symlink and generate app keys if missing
-
+if [ -f /var/www/html/.env ]; then
 ## check for .env file and generate app keys if missing
 if [ -f /pelican-data/.env ]; then
  echo "external vars exist."
  rm -rf /var/www/html/.env
 else
  echo "external vars don't exist."
-  rm -rf /var/www/html/.env
+  # webroot .env is symlinked to this path
  touch /pelican-data/.env
  ## manually generate a key because key generate --force fails
@ -26,10 +23,7 @@ else
  echo -e "APP_INSTALLED=false" >> /pelican-data/.env
 fi
-mkdir /pelican-data/database
+mkdir /pelican-data/database /var/www/html/storage/logs/supervisord 2>/dev/null
 ln -s /pelican-data/.env /var/www/html/
 chown -h www-data:www-data /var/www/html/.env
 ln -s /pelican-data/database/database.sqlite /var/www/html/database/
 if ! grep -q "APP_KEY=" .env || grep -q "APP_KEY=$" .env; then
  echo "Generating APP_KEY..."
@ -45,10 +39,6 @@ php artisan migrate --force
 echo -e "Optimizing Filament"
 php artisan filament:optimize
 ## start cronjobs for the queue
 echo -e "Starting cron jobs."
 crond -L /var/log/crond -l 5
 export SUPERVISORD_CADDY=false
 ## disable caddy if SKIP_CADDY is set
@ -59,7 +49,5 @@ else
  export SUPERVISORD_CADDY=true
 fi
 chown -R www-data:www-data /pelican-data/.env /pelican-data/database
 echo "Starting Supervisord"
 exec "$@"
--- a/.github/docker/supervisord.conf
+++ b/.github/docker/supervisord.conf
@ -4,16 +4,14 @@ username=dummy
 password=dummy
 [supervisord]
-logfile=/var/log/supervisord/supervisord.log    ; supervisord log file
+logfile=/var/www/html/storage/logs/supervisord/supervisord.log    ; supervisord log file
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=2                               ; number of backed up logfiles
 loglevel=error                                  ; info, debug, warn, trace
-pidfile=/var/run/supervisord.pid                ; pidfile location
+pidfile=/var/run/supervisord/supervisord.pid    ; pidfile location
-nodaemon=false                                  ; run supervisord as a daemon
+nodaemon=true                                   ; run supervisord as a daemon
 minfds=1024                                     ; number of startup file descriptors
 minprocs=200                                    ; number of process descriptors
 user=root                                       ; default user
 childlogdir=/var/log/supervisord/               ; where child log files will live
 [rpcinterface:supervisor]
 supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
@ -30,7 +28,6 @@ autorestart=true
 [program:queue-worker]
 command=/usr/local/bin/php /var/www/html/artisan queue:work --tries=3
 user=www-data
 autostart=true
 autorestart=true
@ -39,5 +36,12 @@ command=caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
 autostart=%(ENV_SUPERVISORD_CADDY)s
 autorestart=%(ENV_SUPERVISORD_CADDY)s
 priority=10
-stdout_events_enabled=true
+stdout_logfile=/dev/fd/1
-stderr_events_enabled=true
+stdout_logfile_maxbytes=0
 redirect_stderr=true
 [program:supercronic]
 command=supercronic /etc/supercronic/crontab
 autostart=true
 autorestart=true
 redirect_stderr=true
		`@ -0,0 +1 @@`
							`* * * * * php /var/www/html/artisan schedule:run`