Docker+Apache+Php+Oci8+Mantis

2019-04-07 15:31:32

For work I needed to deploy a bug tracking system, and I eventually settled on Mantis. For the database I used the Oracle test instance that the project systems already use. The previous deployment was apache + php5 + oci8, but when the security team ran a scan they found that PHP had vulnerabilities, because it had never been upgraded after it was deployed. I decided to use this upgrade as the occasion to move the whole thing to Docker.

After reinstalling CentOS 7 1804 and installing Docker, I pulled the php+apache image and wrote this Dockerfile on top of it:

FROM php:7.3-apache

# Set the container time zone (the zone name is case-sensitive: Asia/Shanghai)
RUN cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\
        echo "Asia/Shanghai" > /etc/timezone

# Oracle Instant Client RPMs placed next to the Dockerfile (COPY is enough; ADD is only needed for URLs/tarballs)
COPY oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm /root/
COPY oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm /root/

# alien converts the RPMs to .deb and installs them; libaio1 is a runtime dependency of the client
RUN apt-get update && apt-get install -y alien libaio1 && apt-get clean
RUN alien -i /root/oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm \
    /root/oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm

# Build the oci8 extension (pecl autodetects the client under /usr/lib/oracle) and enable it
RUN pecl install oci8-2.2.0 \
    && docker-php-ext-enable oci8
ENV ORACLE_HOME /usr/lib/oracle/11.2/client64/lib
ENV LD_LIBRARY_PATH $LD_LIBRARY_PATH:$ORACLE_HOME
RUN cp /usr/local/lib/php/extensions/no-debug-non-zts-20180731/oci8.so /usr/lib/oracle/11.2/client64/lib
COPY php.ini /usr/local/etc/php/php.ini

After deploying this, the scan no longer flagged PHP, but Apache was still flagged: the official PHP image is based on Debian 9, Apache is installed with apt-get, and the newest version available that way is 2.4.25, while the latest upstream Apache release is 2.4.39. So the problem is that apt-get cannot upgrade to the latest Apache; the only option is to build it from source.

To keep the production and test systems free of security findings, the image had to be rebuilt. There were three options:

  1. Use php:7.3 as the base image and add Apache and oci8 on top of it;
  2. Use apache:2.4.39 as the base image and compile PHP + oci8 into it;
  3. Use centos or debian:stretch-slim as the base image and install PHP + Apache + oci8 using the build scripts for PHP and Apache from GitHub.

Options 1 and 2 are the simplest, with plenty of tutorials online, but configuring the Apache and PHP parameters is tedious. Option 3 looked the most elegant, but the build scripts run to more than 400 lines, which drove me crazy.

Final solution: alpine3.9 + php7.3.4 + nginx1.15.10 + oci8 2.2

FROM php:7.3.4-fpm-alpine3.9

LABEL maintainer="Ghoct <ghoct@ghoct.com>"

ENV NGINX_VERSION 1.15.10
ENV TNS_ADMIN=/opt/oracle_client/instantclient_11_2
ENV LD_LIBRARY_PATH=/opt/oracle_client/instantclient_11_2
ENV ORACLE_HOME=/opt/oracle_client/instantclient_11_2

RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
	&& CONFIG="\
		--prefix=/etc/nginx \
		--sbin-path=/usr/sbin/nginx \
		--modules-path=/usr/lib/nginx/modules \
		--conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid \
		--lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
		--user=nginx \
		--group=nginx \
		--with-http_ssl_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_stub_status_module \
		--with-http_auth_request_module \
		--with-http_xslt_module=dynamic \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module=dynamic \
		--with-threads \
		--with-stream \
		--with-stream_ssl_module \
		--with-stream_ssl_preread_module \
		--with-stream_realip_module \
		--with-stream_geoip_module=dynamic \
		--with-http_slice_module \
		--with-mail \
		--with-mail_ssl_module \
		--with-compat \
		--with-file-aio \
		--with-http_v2_module \
	" \
	&& addgroup -S nginx \
	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
	&& apk add --no-cache --virtual .build-deps \
		gcc \
		libc-dev \
		make \
		openssl-dev \
		pcre-dev \
		zlib-dev \
		linux-headers \
		curl \
		gnupg1 \
		libxslt-dev \
		gd-dev \
		geoip-dev \
	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \
	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc \
	&& export GNUPGHOME="$(mktemp -d)" \
	&& found=''; \
	for server in \
		ha.pool.sks-keyservers.net \
		hkp://keyserver.ubuntu.com:80 \
		hkp://p80.pool.sks-keyservers.net:80 \
		pgp.mit.edu \
	; do \
		echo "Fetching GPG key $GPG_KEYS from $server"; \
		gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
	done; \
	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
	gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
	&& rm -rf "$GNUPGHOME" nginx.tar.gz.asc \
	&& mkdir -p /usr/src \
	&& tar -zxC /usr/src -f nginx.tar.gz \
	&& rm nginx.tar.gz \
	&& cd /usr/src/nginx-$NGINX_VERSION \
	&& ./configure $CONFIG --with-debug \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& mv objs/nginx objs/nginx-debug \
	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
	&& ./configure $CONFIG \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& make install \
	&& rm -rf /etc/nginx/html/ \
	&& mkdir /etc/nginx/conf.d/ \
	&& mkdir -p /usr/share/nginx/html/ \
	&& install -m644 html/index.html /usr/share/nginx/html/ \
	&& install -m644 html/50x.html /usr/share/nginx/html/ \
	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
	&& strip /usr/sbin/nginx* \
	&& strip /usr/lib/nginx/modules/*.so \
	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
	\
	# Bring in gettext so we can get `envsubst`, then throw
	# the rest away. To do this, we need to install `gettext`
	# then move `envsubst` out of the way so `gettext` can
	# be deleted completely, then move `envsubst` back.
	&& apk add --no-cache --virtual .gettext gettext \
	&& mv /usr/bin/envsubst /tmp/ \
	\
	&& runDeps="$( \
		scanelf --needed --nobanner --format '%n#p' /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
			| tr ',' '\n' \
			| sort -u \
			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
	)" \
	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
	&& apk del .build-deps \
	&& apk del .gettext \
	&& mv /tmp/envsubst /usr/local/bin/ \
	\
	# Bring in tzdata so users could set the timezones through the environment
	# variables
	&& apk add --no-cache tzdata \
	\
	# forward request and error logs to docker log collector
	&& ln -sf /dev/stdout /var/log/nginx/access.log \
	&& ln -sf /dev/stderr /var/log/nginx/error.log

# Oracle Instant Client 11.2 (basic + sdk) and the oci8 extension built against it.
# The zips are fetched from a third-party GitHub mirror, not from Oracle, and are
# not integrity-checked here; pin a checksum or host the files yourself.
RUN apk add --no-cache libaio libnsl && \
	curl -fSL https://raw.githubusercontent.com/bumpx/oracle-instantclient/master/instantclient-basic-linux.x64-11.2.0.4.0.zip -o /tmp/basic.zip && \
	curl -fSL https://raw.githubusercontent.com/bumpx/oracle-instantclient/master/instantclient-sdk-linux.x64-11.2.0.4.0.zip -o /tmp/sdk.zip && \
	mkdir -p /opt/oracle_client && \
	unzip -d /opt/oracle_client/ /tmp/basic.zip && \
	unzip -d /opt/oracle_client/ /tmp/sdk.zip && \
	rm -f /tmp/*.zip && \
	# unversioned .so names that the oci8 configure script looks for
	ln -s ${ORACLE_HOME}/libclntsh.so.* ${ORACLE_HOME}/libclntsh.so && \
	ln -s ${ORACLE_HOME}/libocci.so.* ${ORACLE_HOME}/libocci.so && \
	ln -s ${ORACLE_HOME}/lib* /usr/lib && \
	# the client expects glibc's libnsl.so.1; Alpine's libnsl package only ships libnsl.so.2, so expose it under the old name
	ln -s /usr/lib/libnsl.so.2.0.0 /usr/lib/libnsl.so.1 && \
	ln /usr/lib/libnsl.so.2.0.0 ${ORACLE_HOME}/libnsl.so.1 && \
	docker-php-ext-configure oci8 --with-oci8=instantclient,$ORACLE_HOME && \
	docker-php-ext-install oci8 && \
	docker-php-source delete

COPY nginx.conf /etc/nginx/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf
COPY index.php /var/www/html

EXPOSE 80 9000

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]
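The nginx tarball in the Dockerfile above is checked against its GPG signature before it is unpacked, but the two Instant Client zips are pulled from a third-party GitHub mirror and used as-is, which is exactly the kind of unverified input a supply-chain scan would flag. The sh helper below is an added example, not code from the post: it downloads a file and refuses it unless it matches a SHA-256 digest pinned at build time. The function names, the `BASIC_ZIP_*` variables and the digest in the usage comment are assumptions; the real digests have to be obtained out of band (for example from Oracle's own download page) and pinned in the Dockerfile.

```shell
#!/bin/sh
# Added example (not from the original post): download an artifact and accept it
# only if its SHA-256 matches a digest pinned at build time. The digest in the
# usage comment at the bottom is a placeholder, not the Instant Client's digest.

sha256_of() {
    # Print the hex SHA-256 of file "$1" (coreutils sha256sum, falling back to shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX: return 0 on match, 1 (with a message on
    # stderr) otherwise. Digests are often pasted in upper case, so lower-case first.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

fetch_verified() {
    # fetch_verified URL EXPECTED_HEX DEST: download with curl, verify, and delete
    # the file on mismatch so a later build step can never unzip a tampered archive.
    url=$1
    expected=$2
    dest=$3
    curl -fsSL "$url" -o "$dest" || return 1
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
    return 0
}

# Usage inside the Dockerfile RUN step (assumed variable names, placeholder digest):
#   BASIC_ZIP_URL=https://example.invalid/instantclient-basic-linux.x64-11.2.0.4.0.zip
#   BASIC_ZIP_SHA256=0000000000000000000000000000000000000000000000000000000000000000
#   fetch_verified "$BASIC_ZIP_URL" "$BASIC_ZIP_SHA256" /tmp/basic.zip
```

In the Dockerfile this replaces the bare `curl ... -o /tmp/basic.zip` lines: copy the script into the build context, `sh`-source it in the RUN step, and call `fetch_verified` for each zip so the build fails closed instead of unzipping whatever the mirror served.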
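One thing to check before shipping this image: the CMD starts only nginx, and the `php:7.3.4-fpm-alpine3.9` base image's entrypoint simply execs whatever CMD it is given, so php-fpm never starts inside that container and every `.php` request would fail at the FastCGI upstream unless a second container is run from the same image with `php-fpm` as its command. The sh entrypoint below is an added example, not the post's own code, showing one way to run both daemons in a single container: it starts php-fpm in the background, waits until its TCP port answers, starts nginx, and forwards the SIGTERM that `docker stop` sends to both processes. The `FPM_HOST`/`FPM_PORT`/`FPM_TIMEOUT` variables and the reliance on a `nc` binary (busybox provides one on Alpine) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): run php-fpm and nginx in one
# container. Invoke as "entrypoint.sh run" (ENTRYPOINT ["/entrypoint.sh", "run"]);
# the functions have no side effects, so the file can also be sourced.
set -u

FPM_HOST=${FPM_HOST:-127.0.0.1}   # php-fpm listens on 9000 in the official image
FPM_PORT=${FPM_PORT:-9000}
FPM_TIMEOUT=${FPM_TIMEOUT:-30}    # seconds to wait for the FastCGI port

port_open() {
    # port_open HOST PORT: 0 if a TCP connection succeeds. Uses nc when present
    # (busybox ships one), otherwise bash's /dev/tcp; 1 if neither is available.
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 1 "$1" "$2" >/dev/null 2>&1
    elif command -v bash >/dev/null 2>&1; then
        bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    else
        return 1
    fi
}

wait_for_port() {
    # wait_for_port HOST PORT TIMEOUT: poll once a second until the port answers;
    # 0 when it does, 1 if TIMEOUT seconds pass first.
    deadline=$(( $(date +%s) + $3 ))
    until port_open "$1" "$2"; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timed out after ${3}s waiting for $1:$2" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

run() {
    # Start php-fpm in the foreground mode but backgrounded by the shell, make sure
    # it is accepting connections before nginx starts proxying to it, then start
    # nginx and forward docker stop's SIGTERM to both daemons.
    php-fpm --nodaemonize &
    fpm_pid=$!
    if ! wait_for_port "$FPM_HOST" "$FPM_PORT" "$FPM_TIMEOUT"; then
        kill -TERM "$fpm_pid" 2>/dev/null
        exit 1
    fi
    nginx -g 'daemon off;' &
    nginx_pid=$!
    trap 'kill -TERM "$fpm_pid" "$nginx_pid" 2>/dev/null' TERM INT
    wait "$nginx_pid"
    status=$?
    # nginx is gone (or we were signalled): stop php-fpm too and report nginx's status
    kill -TERM "$fpm_pid" 2>/dev/null
    wait "$fpm_pid" 2>/dev/null
    exit "$status"
}

if [ "${1:-}" = run ]; then
    run
fi
```

Copy the script into the image, `chmod +x` it, and replace the CMD line with `ENTRYPOINT ["/entrypoint.sh", "run"]`. With both daemons in one container, port 9000 only needs to be reachable on loopback, so `EXPOSE 9000` can be dropped and the FastCGI port is never published.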

Docker Compose option reference

Define and run multi-container applications with Docker.

Usage:
  docker-compose [-f <arg>...] [options] [COMMAND] [ARGS...]
  docker-compose -h|--help

Options:
  -f, --file FILE             Specify an alternate compose file (default: docker-compose.yml)
  -p, --project-name NAME     Specify an alternate project name (default: directory name)
  --verbose                   Show more output
  --log-level LEVEL           Set log
