#147: Adds CentOS-7 branch.

Author: jdeathe

CHANGELOG.md

@@ -1,52 +1,326 @@
 # =============================================================================
 # jdeathe/centos-ssh-apache-php-fcgi
 #
-# CentOS-6, Apache 2.2, PHP 5.3, PHP Memcached 1.0, PHP APC 3.1.
+# CentOS-7, Apache 2.4, PHP 5.4, PHP Memcached 2.2, Zend Opcache.
 # 
 # =============================================================================
-FROM jdeathe/centos-ssh-apache-php:1.11.0
+# FROM jdeathe/centos-ssh-apache-php:1.11.0
+FROM jdeathe/centos-ssh:2.4.0
+
+# Use the form ([{fqdn}-]{package-name}|[{fqdn}-]{provider-name})
+ARG PACKAGE_NAME="app"
+ARG PACKAGE_PATH="/opt/${PACKAGE_NAME}"
+ARG PACKAGE_RELEASE_VERSION="0.10.0"
 
 # -----------------------------------------------------------------------------
 # FastCGI support
 # -----------------------------------------------------------------------------
 RUN rpm --rebuilddb \
-	&& yum -y erase \
-		php-5.3.3-49.el6 \
 	&& yum -y install \
 		--setopt=tsflags=nodocs \
 		--disableplugin=fastestmirror \
-		fcgi-2.4.0-12.el6 \
-		mod_fcgid-2.3.9-1.el6 \
+		elinks-0.12-0.37.pre6.el7 \
+		fcgi-2.4.0-25.el7 \
+		httpd-2.4.6-80.el7.centos.1 \
+		httpd-tools-2.4.6-80.el7.centos.1 \
+		mod_fcgid-2.3.9-4.el7_4.1 \
+		mod_ssl-2.4.6-80.el7.centos.1 \
+		php-cli-5.4.16-45.el7 \
+		php-pecl-zendopcache-7.0.5-2.el7 \
+		php-pecl-memcached-2.2.0-1.el7 \
 	&& yum versionlock add \
+		elinks \
 		fcgi \
+		httpd-* \
 		mod_fcgid \
+		mod_ssl \
+		php-* \
 	&& rm -rf /var/cache/yum/* \
 	&& yum clean all
 
+# -----------------------------------------------------------------------------
+# Global Apache configuration changes
+# - Disable Apache directory indexes and welcome page.
+# - Disable Apache language based content negotiation.
+# - Custom Apache configuration.
+# -----------------------------------------------------------------------------
+RUN cp -pf \
+		/etc/httpd/conf/httpd.conf \
+		/etc/httpd/conf/httpd.conf.default \
+	&& sed -i \
+		-e '/^KeepAlive .*$/d' \
+		-e '/^MaxKeepAliveRequests .*$/d' \
+		-e '/^KeepAliveTimeout .*$/d' \
+		-e '/^ServerSignature On$/d' \
+		-e '/^ServerTokens OS$/d' \
+		-e 's~^NameVirtualHost \(.*\)$~#NameVirtualHost \1~g' \
+		-e 's~^User .*$~User ${APACHE_RUN_USER}~g' \
+		-e 's~^Group .*$~Group ${APACHE_RUN_GROUP}~g' \
+		-e 's~^DocumentRoot \(.*\)$~#DocumentRoot \1~g' \
+		-e 's~^IndexOptions \(.*\)$~#IndexOptions \1~g' \
+		-e 's~^IndexIgnore \(.*\)$~#IndexIgnore \1~g' \
+		-e 's~^AddIconByEncoding \(.*\)$~#AddIconByEncoding \1~g' \
+		-e 's~^AddIconByType \(.*\)$~#AddIconByType \1~g' \
+		-e 's~^AddIcon \(.*\)$~#AddIcon \1~g' \
+		-e 's~^DefaultIcon \(.*\)$~#DefaultIcon \1~g' \
+		-e 's~^ReadmeName \(.*\)$~#ReadmeName \1~g' \
+		-e 's~^HeaderName \(.*\)$~#HeaderName \1~g' \
+		-e 's~^\(Alias /icons/ ".*"\)$~#\1~' \
+		-e '/<Directory "\/var\/www\/icons">/,/#<\/Directory>/ s~^~#~' \
+		-e 's~^LanguagePriority \(.*\)$~#LanguagePriority \1~g' \
+		-e 's~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~g' \
+		-e 's~^AddLanguage \(.*\)$~#AddLanguage \1~g' \
+		/etc/httpd/conf/httpd.conf \
+	&& truncate -s 0 \
+		/etc/httpd/conf.d/autoindex.conf \
+	&& chmod 444 \
+		/etc/httpd/conf.d/autoindex.conf \
+	&& truncate -s 0 \
+		/etc/httpd/conf.d/welcome.conf \
+	&& chmod 444 \
+		/etc/httpd/conf.d/welcome.conf \
+	&& { \
+		echo ''; \
+		echo '#'; \
+		echo '# Custom configuration'; \
+		echo '#'; \
+		echo 'KeepAlive On'; \
+		echo 'MaxKeepAliveRequests 200'; \
+		echo 'KeepAliveTimeout 2'; \
+		echo 'LogFormat \'; \
+		echo '  "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" \'; \
+		echo '  forwarded_for_combined'; \
+		echo 'Include /etc/services-config/httpd/conf.d/*.conf'; \
+		echo 'ExtendedStatus Off'; \
+		echo 'Listen 8443'; \
+		echo 'Options -Indexes'; \
+		echo 'ServerSignature Off'; \
+		echo 'ServerTokens Prod'; \
+		echo 'TraceEnable Off'; \
+		echo 'UseCanonicalName On'; \
+		echo 'UseCanonicalPhysicalPort On'; \
+	} >> /etc/httpd/conf/httpd.conf
+
+# -----------------------------------------------------------------------------
+# Disable all Apache modules and enable the minimum
+# -----------------------------------------------------------------------------
+RUN sed -i \
+	-e 's~^\(LoadModule .*\)$~#\1~g' \
+	-e 's~^#\(LoadModule mime_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule log_config_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule setenvif_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule status_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule authz_host_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule dir_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule alias_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule expires_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule deflate_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule headers_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule alias_module .*\)$~\1~' \
+	-e 's~^#\(LoadModule version_module .*\)$~\1~' \
+	/etc/httpd/conf.modules.d/00-base.conf \
+	/etc/httpd/conf.modules.d/00-dav.conf \
+	/etc/httpd/conf.modules.d/00-lua.conf \
+	/etc/httpd/conf.modules.d/00-proxy.conf \
+	/etc/httpd/conf.modules.d/00-ssl.conf \
+	/etc/httpd/conf.modules.d/00-systemd.conf
+
+# -----------------------------------------------------------------------------
+# Disable SSL + the default SSL Virtual Host
+# -----------------------------------------------------------------------------
+RUN sed -ri \
+		-e '/<VirtualHost _default_:443>/,/<\/VirtualHost>/ s~^~#~' \
+		-e 's~(SSLSessionCacheTimeout.*)$~\1\n\nSSLUseStapling on\nSSLStaplingCache shmcb:/run/httpd/sslstaplingcache(512000)\nSSLStaplingResponderTimeout 5\nSSLStaplingReturnResponderErrors off~' \
+		/etc/httpd/conf.d/ssl.conf \
+	&& cat \
+		/etc/httpd/conf.d/ssl.conf \
+		> /etc/httpd/conf.d/ssl.conf.off \
+	&& > \
+		/etc/httpd/conf.d/ssl.conf \
+	&& chmod 444 \
+		/etc/httpd/conf.d/ssl.conf
+
+# -----------------------------------------------------------------------------
+# Limit threads for the application user
+# -----------------------------------------------------------------------------
+RUN { \
+		echo ''; \
+		echo -e '@apache\tsoft\tnproc\t85'; \
+		echo -e '@apache\thard\tnproc\t170'; \
+	} >> /etc/security/limits.conf
+
+# -----------------------------------------------------------------------------
+# Global PHP configuration changes
+# -----------------------------------------------------------------------------
+RUN sed \
+		-e 's~^; .*$~~' \
+		-e 's~^;*$~~' \
+		-e '/^$/d' \
+		-e 's~^\[~\n\[~g' \
+		/etc/php.ini \
+		> /etc/php.d/00-php.ini.default \
+	&& sed -r \
+		-e 's~^;(user_ini.filename =)$~\1~g' \
+		-e 's~^;(cgi.fix_pathinfo=1)$~\1~g' \
+		-e 's~^;(date.timezone =)$~\1 UTC~g' \
+		-e 's~^(expose_php = )On$~\1Off~g' \
+		-e 's~^;(realpath_cache_size = ).*$~\14096k~' \
+		-e 's~^;(realpath_cache_ttl = ).*$~\1600~' \
+		-e 's~^;?(session.name = ).*$~\1"${PHP_OPTIONS_SESSION_NAME:-PHPSESSID}"~' \
+		-e 's~^;?(session.save_handler = ).*$~\1"${PHP_OPTIONS_SESSION_SAVE_HANDLER:-files}"~' \
+		-e 's~^;?(session.save_path = ).*$~\1"${PHP_OPTIONS_SESSION_SAVE_PATH:-/var/lib/php/session}"~' \
+		/etc/php.d/00-php.ini.default \
+		> /etc/php.d/00-php.ini \
+	&& sed \
+		-e 's~^; .*$~~' \
+		-e 's~^;*$~~' \
+		-e '/^$/d' \
+		-e 's~^\[~\n\[~g' \
+		/etc/php.d/opcache.ini \
+		> /etc/php.d/opcache.ini.default \
+	&& sed \
+		-e 's~^;\(opcache.enable_cli=\).*$~\11~g' \
+		-e 's~^\(opcache.max_accelerated_files=\).*$~\132531~g' \
+		-e 's~^;\(opcache.validate_timestamps=\).*$~\10~g' \
+		/etc/php.d/opcache.ini.default \
+		> /etc/php.d/opcache.ini
+
+# -----------------------------------------------------------------------------
+# Add default system users
+# -----------------------------------------------------------------------------
+RUN useradd -r -M -d /var/www/app -s /sbin/nologin app \
+	&& useradd -r -M -d /var/www/app -s /sbin/nologin -G apache,app app-www \
+	&& usermod -a -G app-www app \
+	&& usermod -a -G app-www,app apache
+
 # -----------------------------------------------------------------------------
 # Copy files into place
 # -----------------------------------------------------------------------------
+ADD src/usr/bin \
+	/usr/bin/
+ADD src/usr/sbin \
+	/usr/sbin/
 ADD src/opt/scmi \
 	/opt/scmi/
+ADD src/etc/profile.d \
+	/etc/profile.d/
 ADD src/etc/systemd/system \
 	/etc/systemd/system/
+ADD src/etc/services-config/httpd/httpd-bootstrap.conf \
+	/etc/services-config/httpd/
+ADD src/etc/services-config/httpd/conf.d/*.conf \
+	/etc/services-config/httpd/conf.d/
+ADD src/etc/services-config/httpd/conf.virtualhost.d/*.conf \
+	/etc/services-config/httpd/conf.virtualhost.d/
+ADD src/etc/services-config/supervisor/supervisord.d \
+	/etc/services-config/supervisor/supervisord.d/
+
+RUN mkdir -p \
+		/etc/services-config/{httpd/{conf,conf.d,conf.virtualhost.d},ssl/{certs,private}} \
+	&& cp \
+		/etc/httpd/conf/httpd.conf \
+		/etc/services-config/httpd/conf/ \
+	&& ln -sf \
+		/etc/services-config/httpd/conf.virtualhost.d \
+		/etc/httpd/conf.virtualhost.d \
+	&& ln -sf \
+		/etc/services-config/httpd/httpd-bootstrap.conf \
+		/etc/httpd-bootstrap.conf \
+	&& ln -sf \
+		/etc/services-config/httpd/conf/httpd.conf \
+		/etc/httpd/conf/httpd.conf \
+	&& ln -sf \
+		/etc/services-config/ssl/certs/localhost.crt \
+		/etc/pki/tls/certs/localhost.crt \
+	&& ln -sf \
+		/etc/services-config/supervisor/supervisord.conf \
+		/etc/supervisord.conf \
+	&& ln -sf \
+		/etc/services-config/supervisor/supervisord.d/httpd-bootstrap.conf \
+		/etc/supervisord.d/httpd-bootstrap.conf \
+	&& ln -sf \
+		/etc/services-config/supervisor/supervisord.d/httpd-wrapper.conf \
+		/etc/supervisord.d/httpd-wrapper.conf \
+	&& chmod 700 \
+		/usr/{bin/healthcheck,sbin/httpd-{bootstrap,startup,wrapper}}
 
 # -----------------------------------------------------------------------------
 # Package installation
 # -----------------------------------------------------------------------------
+RUN mkdir -p -m 750 ${PACKAGE_PATH} \
+	&& curl -Ls \
+		https://github.com/jdeathe/php-hello-world/archive/${PACKAGE_RELEASE_VERSION}.tar.gz \
+	| tar -xzpf - \
+		--strip-components=1 \
+		--exclude="*.gitkeep" \
+		-C ${PACKAGE_PATH} \
+	&& sed -i \
+		-e 's~^description =.*$~description = "This CentOS / Apache / PHP-CGI (FastCGI) service is running in a container."~' \
+		${PACKAGE_PATH}/etc/views/index.ini \
+	&& mv \
+		${PACKAGE_PATH}/public \
+		${PACKAGE_PATH}/public_html \
+	&& $(\
+		if [[ -f /usr/share/php-pecl-apc/apc.php ]]; then \
+			cp \
+				/usr/share/php-pecl-apc/apc.php \
+				${PACKAGE_PATH}/public_html/_apc.php; \
+		fi \
+	) \
+	&& chown -R app:app-www ${PACKAGE_PATH} \
+	&& find ${PACKAGE_PATH} -type d -exec chmod 750 {} + \
+	&& find ${PACKAGE_PATH}/var -type d -exec chmod 770 {} + \
+	&& find ${PACKAGE_PATH} -type f -exec chmod 640 {} + \
+	&& find ${PACKAGE_PATH}/bin -type f -exec chmod 750 {} +
+
+# Fix Version requirements for setifempty Header option.
 RUN sed -i \
-	-e 's~^description =.*$~description = "This CentOS / Apache / PHP-CGI (FastCGI) service is running in a container."~' \
-	${PACKAGE_PATH}/etc/views/index.ini
+	-e 's~<IfVersion < 2.4>~<IfVersion < 2.4.7>~' \
+	-e 's~<IfVersion >= 2.4>~<IfVersion >= 2.4.7>~' \
+	-e 's~^\(\s*Header always setifempty.*\)$~#\1~' \
+	${PACKAGE_PATH}/etc/httpd/conf.d/50-headers.conf
+
+EXPOSE 80 8443 443
 
 # -----------------------------------------------------------------------------
 # Set default environment variables used to configure the service container
 # -----------------------------------------------------------------------------
-ENV APACHE_MPM="worker"
+ENV APACHE_CONTENT_ROOT="/var/www/${PACKAGE_NAME}" \
+	BASH_ENV="/usr/sbin/httpd-startup" \
+	ENV="/usr/sbin/httpd-startup"
+ENV APACHE_AUTOSTART_HTTPD_BOOTSTRAP=true \
+	APACHE_AUTOSTART_HTTPD_WRAPPER=true \
+	APACHE_CUSTOM_LOG_FORMAT="combined" \
+	APACHE_CUSTOM_LOG_LOCATION="var/log/apache_access_log" \
+	APACHE_ERROR_LOG_LOCATION="var/log/apache_error_log" \
+	APACHE_ERROR_LOG_LEVEL="warn" \
+	APACHE_EXTENDED_STATUS_ENABLED=false \
+	APACHE_HEADER_X_SERVICE_UID="{{HOSTNAME}}" \
+	APACHE_LOAD_MODULES="" \
+	APACHE_MOD_SSL_ENABLED=false \
+	APACHE_MPM="worker" \
+	APACHE_OPERATING_MODE="production" \
+	APACHE_PUBLIC_DIRECTORY="public_html" \
+	APACHE_RUN_GROUP="app-www" \
+	APACHE_RUN_USER="app-www" \
+	APACHE_SERVER_ALIAS="" \
+	APACHE_SERVER_NAME="" \
+	APACHE_SSL_CERTIFICATE="" \
+	APACHE_SSL_CIPHER_SUITE="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
+	APACHE_SSL_PROTOCOL="All -SSLv2 -SSLv3" \
+	APACHE_SYSTEM_USER="app" \
+	PACKAGE_PATH="${PACKAGE_PATH}" \
+	PHP_OPTIONS_DATE_TIMEZONE="UTC" \
+	PHP_OPTIONS_SESSION_NAME="PHPSESSID" \
+	PHP_OPTIONS_SESSION_SAVE_HANDLER="files" \
+	PHP_OPTIONS_SESSION_SAVE_PATH="var/session" \
+	SSH_AUTOSTART_SSHD=false \
+	SSH_AUTOSTART_SSHD_BOOTSTRAP=false
 
 # -----------------------------------------------------------------------------
 # Set image metadata
 # -----------------------------------------------------------------------------
-ARG RELEASE_VERSION="1.11.0"
+ARG RELEASE_VERSION="2.0.0"
 LABEL \
 	maintainer="James Deathe <james.deathe@gmail.com>" \
 	install="docker run \
@@ -77,6 +351,12 @@ jdeathe/centos-ssh-apache-php-fcgi:${RELEASE_VERSION} \
 	org.deathe.license="MIT" \
 	org.deathe.vendor="jdeathe" \
 	org.deathe.url="https://github.com/jdeathe/centos-ssh-apache-php-fcgi" \
-	org.deathe.description="CentOS-6 6.10 x86_64 - Apache 2.2, PHP-CGI 5.3 (FastCGI), PHP memcached 1.0, PHP APC 3.1."
+	org.deathe.description="CentOS-7 7.5.1804 x86_64 - Apache 2.4, PHP-CGI 5.4 (FastCGI), PHP memcached 2.2, Zend Opcache 7.0."
+
+HEALTHCHECK \
+	--interval=1s \
+	--timeout=1s \
+	--retries=10 \
+	CMD ["/usr/bin/healthcheck"]
 
 CMD ["/usr/sbin/httpd-startup", "/usr/bin/supervisord", "--configuration=/etc/supervisord.conf"]

Dockerfile

@@ -1 +1 @@
-CentOS-6 6.10 x86_64 - Apache / PHP-CGI (FastCGI) / PHP memcached / PHP APC.
+CentOS-7 7.5.1804 x86_64 - Apache / PHP-CGI (FastCGI) / PHP memcached / Zend Opcache.

README-short.txt

@@ -1,16 +1,25 @@
 centos-ssh-apache-php-fcgi
 ==========================
 
-Docker Image including CentOS-6 6.10 x86_64, Apache 2.2, PHP-CGI 5.3 (FastCGI), PHP memcached 1.0, PHP APC 3.1.
+Docker Image including:
+- CentOS-6 6.10 x86_64, Apache 2.2, PHP-CGI 5.3 (FastCGI), PHP memcached 1.0, PHP APC 3.1.
+- CentOS-7 7.5.1804 x86_64, Apache 2.4, PHP-CGI 5.4 (FastCGI), PHP memcached 2.2, Zend Opcache 7.0.
 
 Apache PHP web server, loading only a minimal set of Apache modules by default. Supports custom configuration via environment variables.
 
 ## Overview & links
 
-The latest CentOS-6 based release can be pulled from the centos-6 Docker tag. For a specific release tag the convention is `centos-6-1.11.0` or `1.11.0` for the [1.11.0](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/tree/1.11.0) release tag.
-
+- `centos-7`, `centos-7-2.0.0`, `2.0.0` [(centos-7/Dockerfile)](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-7/Dockerfile)
 - `centos-6`, `centos-6-1.11.0`, `1.11.0` [(centos-6/Dockerfile)](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-6/Dockerfile)
 
+#### centos-6
+
+The latest CentOS-6 based release can be pulled from the centos-6 Docker tag. It is recommended to select a specific release tag - the convention is `centos-6-1.11.0` or `1.11.0` for the [1.11.0](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/tree/1.11.0) release tag.
+
+#### centos-7
+
+The latest CentOS-7 based release can be pulled from the centos-7 Docker tag. It is recommended to select a specific release tag - the convention is `centos-7-2.0.0` or `2.0.0` for the [2.0.0](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/tree/2.0.0) release tag.
+
 This build of [Apache](https://httpd.apache.org/), (httpd CentOS package), uses the [mod_fcgid](https://httpd.apache.org/mod_fcgid/) module to run [PHP](http://php.net/) as a [FastCGI](http://www.fastcgi.com/) process.
 
 Included in the build are the [SCL](https://www.softwarecollections.org/), [EPEL](http://fedoraproject.org/wiki/EPEL) and [IUS](https://ius.io) repositories. Installed packages include [OpenSSH](http://www.openssh.com/portable.html) secure shell, [vim-minimal](http://www.vim.org/), [elinks](http://elinks.or.cz) (for fullstatus support), PHP [APC](http://pecl.php.net/package/APC), PHP [Memcached](http://pecl.php.net/package/memcached) are installed along with python-setuptools, [supervisor](http://supervisord.org/) and [supervisor-stdout](https://github.com/coderanger/supervisor-stdout).
@@ -65,7 +74,8 @@ On first run, the bootstrap script, ([/usr/sbin/httpd-bootstrap](https://github.
 The `apachectl` command can be accessed as follows.
 
 ```
-$ docker exec -it apache-php.pool-1.1.1 apachectl -h
+$ docker exec -it apache-php.pool-1.1.1 \
+	bash -c "apachectl -h"
 ```
 
 ## Instructions