From 7a9f1ba599be0b9554b9b33a9c863dcfb0c990f0 Mon Sep 17 00:00:00 2001
From: Jan Eitzinger
Date: Tue, 14 Sep 2021 12:42:12 +0200
Subject: [PATCH] Optimize php config. Use existing www-data user.
---
 data/init.sh | 6 +++---
 docker-compose.yml | 11 +----------
 php-fpm/Dockerfile | 5 +----
 php-fpm/entrypoint.sh | 1 +
 php-fpm/php.ini | 2 +-
 php-fpm/symfony.pool.conf | 7 ++++---
 6 files changed, 11 insertions(+), 21 deletions(-)
diff --git a/data/init.sh b/data/init.sh
index 3e9c627..2666838 100755
--- a/data/init.sh
+++ b/data/init.sh
@@ -22,10 +22,10 @@ wget https://hpc-mover.rrze.uni-erlangen.de/HPC-Data/0x7b58aefb/eig7ahyo6fo2bais
 tar xJf job-archive.tar.xz
 rm ./job-archive.tar.xz
-# 101 is the uid and gid of the user and group www in the cc-php container running php-fpm.
+# 101 is the uid and gid of the user and group www-data in the cc-php container running php-fpm.
 # For a demo with no new jobs it is enough to give www read permissions on that directory.
-echo "This script needs to chown the job-archive directory so that the application can write to it:"
-sudo chown -R 101:101 ./job-archive
+# echo "This script needs to chown the job-archive directory so that the application can write to it:"
+# sudo chown -R 82:82 ./job-archive
 mkdir -p influxdb/data
 wget https://hpc-mover.rrze.uni-erlangen.de/HPC-Data/0x7b58aefb/eig7ahyo6fo2bais0ephuf2aitohv1ai/influxdbv2-data.tar.xz
diff --git a/docker-compose.yml b/docker-compose.yml
index f6676b3..f9901aa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,9 +42,6 @@ services:
 - LDAP_DOMAIN=${LDAP_DOMAIN}
 volumes:
 - ${DATADIR}/ldap:/container/service/slapd/assets/config/bootstrap/ldif/custom
- ports:
- - "127.0.0.1:389:389"
- - "127.0.0.1:636:636"
 redis:
 container_name: cc-redis
@@ -52,7 +49,7 @@ services:
 command: [ "redis-server", "--save", "",
- "--maxmemory", "1gb",
+ "--maxmemory", "2gb",
 "--maxmemory-policy", "allkeys-lru"]
 php:
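Review bot: The comment rewritten in the data/init.sh hunk still says `101` is the uid and gid of www-data, while the now commented-out chown on the new side uses `82:82`, and the next context line still refers to `www`. Assuming 82 is the intended id, the comment should read `# 82 is the uid and gid of the user and group www-data in the cc-php container running php-fpm.` so that anyone re-enabling the chown picks the right owner. With the chown disabled, ./job-archive keeps the ownership of whoever ran the script, so php-fpm presumably gets only the access the extracted file modes allow; the comment should say that this is deliberate.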
@@ -87,11 +84,6 @@ services:
 container_name: cc-nginx
 build:
 context: ./nginx
- args:
- NGINX_SYMFONY_SERVER_NAME: ${NGINX_SYMFONY_SERVER_NAME}
- MYSQL_PASSWORD: ${MYSQL_PASSWORD}
- INFLUXDB_PASSWORD: ${INFLUXDB_PASSWORD}
- APP_ENVIRONMENT: ${APP_ENVIRONMENT}
 ports:
 - "127.0.0.1:${NGINX_PORT}:80"
 depends_on:
@@ -100,7 +92,6 @@ services:
 - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx/conf.d
 - NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/templates
 - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
- - NGINX_SYMFONY_SERVER_NAME=${NGINX_SYMFONY_SERVER_NAME}
 volumes:
 - ${DATADIR}/symfony:/var/www/symfony:cached
diff --git a/php-fpm/Dockerfile b/php-fpm/Dockerfile
index 907f57f..bc11674 100644
--- a/php-fpm/Dockerfile
+++ b/php-fpm/Dockerfile
@@ -57,12 +57,9 @@ COPY symfony.pool.conf /usr/local/etc/php/php-fpm.d/
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-RUN addgroup -S www
-RUN adduser -S -D -H -g "php-fpm user" -G www -s /sbin/nologin www
-
 ARG APP_ENVIRONMENT
 ENV APP_ENV=${APP_ENVIRONMENT}
-ENV APP_SECRET=67d829bf61dc5f87a73fd814e2c9f629
+ENV APP_SECRET=${APP_SECRET}
 ENV APP_DEBUG=1
 ENV REDIS_URL=redis://cc-redis
 ENV LDAP_URL=ldap://cc-ldap
diff --git a/php-fpm/entrypoint.sh b/php-fpm/entrypoint.sh
index ee12df7..0e1e8fd 100755
--- a/php-fpm/entrypoint.sh
+++ b/php-fpm/entrypoint.sh
@@ -15,6 +15,7 @@ if [ "$APP_CLUSTERCOCKPIT_INIT" = true ]; then
 fi
 ln -s /var/lib/job-archive var/job-archive
+ chown -R www-data:www-data /var/www/symfony/* /var/www/symfony/.??*
 fi
 # Reports php environment on container startup
diff --git a/php-fpm/php.ini b/php-fpm/php.ini
index 17e3e67..38a374e 100644
--- a/php-fpm/php.ini
+++ b/php-fpm/php.ini
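Review bot: `ENV APP_SECRET=${APP_SECRET}` in the php-fpm/Dockerfile hunk is expanded at build time, and the hunk declares only `ARG APP_ENVIRONMENT`, so unless an `ARG APP_SECRET` exists outside the visible lines the image gets an empty APP_SECRET. Declaring the ARG would fix the expansion but still records the secret in the image configuration and build history; the safer shape is to drop this ENV line and supply APP_SECRET at container start through the php service's `environment:` or `env_file` in docker-compose.yml. The literal value removed here stays in the repository history and in previously built images, so it should be rotated rather than reused. `ENV APP_DEBUG=1` remains hard-coded on the following line and is worth tying to APP_ENVIRONMENT for anything beyond a demo.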
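Review bot: The added `chown -R www-data:www-data /var/www/symfony/* /var/www/symfony/.??*` in php-fpm/entrypoint.sh depends on shell globs: `.??*` skips dot entries with only one character after the dot, and when nothing matches the shell passes the literal pattern and chown exits non-zero. Chowning the directory itself, `chown -R www-data:www-data /var/www/symfony`, covers every entry without globbing. Since docker-compose.yml bind-mounts `${DATADIR}/symfony` at /var/www/symfony (visible for the nginx service; presumably the same for php), the recursion also rewrites ownership on the host, and it runs right after `ln -s /var/lib/job-archive var/job-archive`, so confirm how the image's chown treats that symlink. A one-line comment above the command stating both effects would help; the enclosing `if` block begins outside the hunk.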
@@ -1900,7 +1900,7 @@ opcache.preload=/var/www/symfony/config/preload.php
 ; Preloading code as root is not allowed for security reasons. This directive
 ; facilitates to let the preloading to be run as another user.
 ; http://php.net/opcache.preload_user
-opcache.preload_user=www
+opcache.preload_user=www-data
 ; Prevents caching files that are less than this number of seconds old. It
 ; protects from caching of incompletely updated files. In case all file updates
diff --git a/php-fpm/symfony.pool.conf b/php-fpm/symfony.pool.conf
index 8c361f7..0848d81 100644
--- a/php-fpm/symfony.pool.conf
+++ b/php-fpm/symfony.pool.conf
@@ -6,8 +6,8 @@
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ; will be used.
-user = www
-group = www
+user = www-data
+group = www-data
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -78,10 +78,11 @@ env[APP_ENV] = $APP_ENV
 env[APP_SECRET] = $APP_SECRET
 env[APP_DEBUG] = $APP_DEBUG
 env[INFLUXDB_URL] = $INFLUXDB_URL
-env[INFLUXDB_V2_URL] = $INFLUXDB_V2_URL
 env[INFLUXDB_TOKEN] = $INFLUXDB_TOKEN
 env[DATABASE_URL] = $DATABASE_URL
 env[REDIS_URL] = $REDIS_URL
+env[LDAP_URL] = $LDAP_URL
+env[LDAP_PW] = $LDAP_PW
 env[CORS_ALLOW_ORIGIN] = $CORS_ALLOW_ORIGIN
 ; Catch worker output
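Review bot: The added `env[LDAP_URL] = $LDAP_URL` and `env[LDAP_PW] = $LDAP_PW` in the last symfony.pool.conf hunk put the LDAP bind password into every php-fpm worker's environment, where anything that dumps the environment can read it. The Dockerfile in this same patch keeps `ENV APP_DEBUG=1`, and entrypoint.sh has a step commented as reporting the PHP environment on startup, so check that neither debug pages nor startup logs print LDAP_PW. The image also sets `LDAP_URL=ldap://cc-ldap`, so the bind would presumably cross the compose network unencrypted unless the application negotiates StartTLS; `ldaps://` is worth considering if the directory container offers it. I would add a comment above the new lines such as `; LDAP_PW is a credential: keep it out of logs and debug output`.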