initial build of php8.2 for fcgid - based on php8.0 build file

.dockerignore

-**/.git
-.gitlab-ci.yml
+**/.git*
+.git*
 .project
 README.md
-runlocal.sh
 Makefile
+runlocal.sh

.gitlab-ci.yml

@@ -6,7 +6,7 @@ variables:
 stages:
   - awsauth
   - build
-  - test
+  - trigger-php82-drupal9
 
 awsauth:
   stage: awsauth
@@ -47,10 +47,7 @@ build:
     - docker push $AWS_ECR_REGISTRY/$CI_PROJECT_NAME:$TAG
   retry: 2
 
-include:
-  - template: Container-Scanning.gitlab-ci.yml
+trigger-php82-drupal9:
+  stage: trigger-php82-drupal9
+  trigger: OCIO-Middleware/web-hosting/wheks-php82-drupal9
 
-.cs_common:
-  image: registry.containers.it.osu.edu/cache/gitlab-org/security-products/analyzers/container-scanning:4
-  variables:
-    CS_MAJOR_VERSION: 4

Dockerfile

-FROM docker.io/php:8.2-fpm
+FROM repo.service.osu.edu:5000/ocio-middleware/web-hosting/wheks-base
 LABEL maintainer="E. Stuart Hicks <hicks.367@osu.edu>"
+USER root
 
-# Preload users that we need consistent UIDs on
-RUN groupadd -g 90 postdrop
-RUN useradd -u 89 -g 90 -d /var/spool/postfix -M -s /sbin/nologin -c "Postfix user" postfix
-RUN groupadd -g 48 apache
-RUN useradd -u 48 -g 48 -G postdrop -d /var/www -M -s /bin/bash -c "Apache" apache
-RUN groupadd -g 91 shibd
-RUN useradd -u 91 -g 91 -G apache -d /var/run/shibboleth -M -s /sbin/nologin -c "Shibboleth SP daemon" shibd
-RUN groupadd -g 88 www
-RUN useradd -u 88 -g 88 -G apache,shibd -d /var/www -M -s /sbin/nologin -c "OTDI Web Hosting user" www
-RUN usermod -a -G www,postdrop www-data
+# Install OS dev packages we need to compile modules against
+RUN yum -y group install "Development Tools"
+RUN yum -y install lynx cmake cmake3 re2c mariadb mod_fcgid \
+       libxml2-devel libxslt-devel gd-devel gmp-devel libc-client-devel \
+       libicu-devel unixODBC-devel aspell-devel postgresql-devel \
+       libmcrypt-devel libtidy-devel libaio-devel ImageMagick-devel \
+       ImageMagick-c++-devel libXpm-devel openssl-devel mariadb-devel \
+       curl-devel freetype-devel libpng-devel sqlite-devel \
+       GeoIP-devel mhash-devel libdb-devel openldap-devel readline-devel \
+       libmemcached-devel fastlz-devel libzstd-devel oniguruma-devel \
+       libyaml-devel glibc-devel ncurses-devel libzip-devel
 
-# Update everything & install PHP LDAP extension
-RUN rm -f /etc/localtime && ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get -yq update
-RUN apt-get -yq install apt-utils
-RUN apt-get -yq upgrade
-RUN apt-get -yq install less nano git procps lsof postfix mailutils ldap-utils libnss-ldap libpam-ldap
-RUN apt-get -yq install libgd-dev libpng-dev libwebp-dev libjpeg-dev libxpm-dev libfreetype-dev libz-dev
-RUN apt-get -yq install libc-client-dev libkrb5-dev libldap-dev libsasl2-dev unixodbc-dev libbz2-dev
-RUN apt-get -yq install libgmp-dev libicu-dev libpq-dev libpspell-dev libxml2-dev libtidy-dev libxslt-dev
-RUN apt-get -yq install libzip-dev libssl-dev
-RUN apt-get -yq install libgeoip-dev imagemagick libmagickwand-dev libmcrypt-dev libmemcached-dev 
-RUN apt-get -yq install libzstd-dev libyaml-dev libyaz-dev
-RUN apt-get -yq install gdb
-
-# Install PHP 8.2 modules
+# External library builds
+COPY usr/local/src/ /usr/local/src/
 WORKDIR /usr/local/src
-ENV EXTRA_CFLAGS="-I/usr/src/php"
-RUN docker-php-source extract
-RUN { \
-		echo '# https://github.com/docker-library/php/issues/103#issuecomment-271413933'; \
-		echo 'AC_DEFUN([PHP_ALWAYS_SHARED],[])dnl'; \
-		echo; \
-		cat /usr/src/php/ext/odbc/config.m4; \
-	} > /tmp/temp.m4; \
-	mv /tmp/temp.m4 /usr/src/php/ext/odbc/config.m4
-RUN docker-php-ext-configure gd --with-webp --with-jpeg --with-xpm --with-freetype --enable-gd-jis-conv
-RUN docker-php-ext-configure imap --with-kerberos --with-imap-ssl
-RUN docker-php-ext-configure ldap --with-ldap-sasl
-RUN docker-php-ext-configure odbc --with-unixODBC=shared,/usr
-RUN docker-php-ext-configure pdo_odbc --with-pdo-odbc=unixODBC,/usr
+RUN tar zxf yaz-5.31.1.tar.gz && \
+    cd yaz-5.31.1 && \
+    ./configure && \
+    CORECOUNT=$(cat /proc/cpuinfo|egrep '^processor'|wc -l) nice make -j$(( $CORECOUNT + 1 )) && \
+    make install
 
-RUN docker-php-ext-install bcmath bz2 calendar dba exif gd gettext gmp imap 
-RUN docker-php-ext-install intl ldap mysqli odbc pcntl pdo pdo_mysql pdo_odbc
-RUN docker-php-ext-install pdo_pgsql pgsql pspell shmop soap sockets
-RUN docker-php-ext-install sysvsem sysvshm sysvmsg tidy xsl zip
-RUN docker-php-ext-enable opcache sodium
+# Install PHP 8.2
+RUN mkdir -pv /usr/local/etc/php /var/www/sharedtmp /var/www/privatedata
+RUN tar Jxf php-8.2.*.tar.xz && \
+    cd php-8.2.*/ && \
+    PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig \
+    ./configure \
+       --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu \
+       --target=x86_64-redhat-linux-gnu --program-prefix='' --disable-debug \
+       --with-libdir=lib64 --with-config-file-path=/usr/local/etc/php \
+       --with-config-file-scan-dir=/usr/local/etc/php/conf.d \
+       --disable-fpm --disable-rpath --enable-zts --enable-bcmath=shared \
+       --enable-calendar=shared --enable-cli --enable-ctype=shared \
+       --enable-dba=shared --enable-dom=shared --enable-exif=shared \
+       --enable-fileinfo=shared --enable-ftp=shared \
+       --enable-mbstring=shared --enable-mysqlnd --enable-pcntl=shared \
+       --enable-pdo=shared --enable-phar=shared --enable-posix=shared \
+       --enable-shmop=shared --enable-simplexml=shared --enable-soap=shared \
+       --enable-sockets=shared --enable-sysvsem=shared --enable-sysvshm=shared \
+       --enable-sysvmsg=shared --enable-tokenizer=shared --enable-xml=shared \
+       --enable-gd-jis-conv --enable-huge-code-pages --enable-intl=shared \
+       --enable-xmlreader=shared --enable-xmlwriter=shared \
+       --enable-gd=shared \
+       --without-gdbm --with-bz2=shared --with-curl=shared,/usr \
+       --with-freetype --with-gettext=shared --with-gmp=shared --with-iconv \
+       --with-jpeg --with-kerberos --with-layout=GNU --with-ldap=shared \
+       --with-ldap-sasl --with-mhash=shared,/usr --with-mysqli=shared \
+       --with-openssl --with-pdo-mysql=shared,/usr \
+       --with-pdo-odbc=shared,unixODBC,/usr --with-pdo-pgsql=shared,/usr \
+       --with-pdo-sqlite=shared,/usr --with-pear --with-pgsql=shared \
+       --with-pic --with-pspell=shared --with-readline=shared \
+       --with-sqlite3=shared --with-tidy=shared --with-unixODBC=shared,/usr \
+       --with-xpm --with-xsl=shared,/usr --with-zip=shared,/usr/local \
+       --with-zlib=shared,/usr && \
+    CORECOUNT=$(cat /proc/cpuinfo|egrep '^processor'|wc -l) \
+    nice make -j$(( $CORECOUNT + 1 )) && make install && \
+    cp -v php.ini-* /usr/local/etc/php/
 RUN cp -v /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
+COPY usr/local/etc/php/conf.d/01_base_modules.ini /usr/local/etc/php/conf.d/
 
 # Build & install PECL modules
 RUN pecl channel-update pecl.php.net
@@ -58,40 +69,26 @@ RUN printf "\n" | pecl install --force apcu
 RUN pecl install --force igbinary
 RUN printf "\n" | pecl install --force imagick
 RUN printf "\n" | pecl install --force mcrypt
-RUN printf "yes\nyes\n\nyes\n\nyes\n\n\n\n" | pecl install --force memcached
+RUN printf "\n\n\nyes\n\nyes\n\n\n\n" | pecl install --force memcached
 RUN pecl install --force --configureoptions " \
-	with-mongodb-client-side-encryption=yes \
-	with-mongodb-sasl=yes with-mongodb-ssl=yes \
-	enable-mongodb-crypto-system-profile=yes \
-	with-mongodb-icu=yes" \
-	mongodb
+      with-mongodb-client-side-encryption=yes \
+      with-mongodb-sasl=yes with-mongodb-ssl=yes \
+      enable-mongodb-crypto-system-profile=yes \
+      with-mongodb-icu=yes" \
+    mongodb
 RUN printf "yes\nyes\nyes\n" | pecl install --force redis
 RUN pecl install --force uploadprogress
 RUN pecl install --force xdebug
 RUN pecl install --force xhprof
 RUN pecl install --force xmlrpc
 RUN printf "\n" | pecl install --force yaml
-RUN printf "\n" | pecl install --force yaz
-RUN git clone https://github.com/rlerdorf/geoip.git && \
-	cd geoip/ && \
-	phpize && \
-	./configure && \
-	make && make install && \
-	cd .. && \
-	rm -rfv geoip
+#RUN printf "\n" | pecl install --force yaz
 
-# Copy in our custom stuff
+# Push our customized files
 COPY etc/ /etc/
 COPY usr/ /usr/
-RUN mkdir -pv /var/www/sharedtmp /var/www/privatedata
-RUN chmod -c 2775 /var/www/privatedata
-RUN chmod -c 1777 /var/www/sharedtmp
-
-# Enable LDAP accounts
-RUN sed -E -i 's/^passwd:(.*)$/passwd:\1 ldap/' /etc/nsswitch.conf
-RUN sed -E -i 's/^group:(.*)$/group:\1 ldap/' /etc/nsswitch.conf
-RUN sed -E -i 's/^shadow:(.*)$/shadow:\1 ldap/' /etc/nsswitch.conf
-RUN sed -E -i 's/^gshadow:(.*)$/gshadow:\1 ldap/' /etc/nsswitch.conf
+RUN chmod -c 750 /etc/sudoers.d/
+RUN chmod -c 640 /etc/sudoers.d/*
 
 # Install PHP Composer
 RUN php composer-setup.php --2.2
@@ -105,13 +102,17 @@ RUN mv -v composer.phar /usr/local/bin/composer1.phar
 RUN ln -sv /usr/local/bin/composer1.phar /usr/local/bin/composer1
 RUN ln -sv /usr/local/bin/composer22.phar /usr/local/bin/composer
 
-# Final setup & cleanup
-RUN docker-php-source delete
-RUN apt-get -yq remove git
-RUN apt-get -yq autoremove
-RUN apt-get -yq clean
-RUN rm -rf /var/lib/apt/lists/* /tmp/* /usr/local/src/*
+# Clean up the build environment
+RUN yum -y group remove "Development Tools" \
+        --setopt=groupremove_leaf_only=1 \
+        --setopt=clean_requirements_on_remove=1
+RUN yum -y install patch
+RUN yum -y clean all
+RUN rm -rf /var/cache/yum/ /tmp/* /usr/local/src/*
+
+# Any final setup / cleanup
+RUN chmod -c 2775 /var/www/privatedata
+RUN chmod -c 1777 /var/www/sharedtmp
 
 WORKDIR /var/www
-ENTRYPOINT [ "/usr/local/bin/docker-php-entrypoint-custom" ]
-CMD [ "/usr/local/sbin/php-fpm" ]
+USER apache

Makefile

-IMAGE = wheks-php82
+IMAGE = wheks-php82:fcgid
 
 build-and-push:
 	docker build -t $(IMAGE) .

etc/httpd/conf.d/fcgid.conf

+LoadModule fcgid_module modules/mod_fcgid.so
+
+
+################################
+### mod_fcgid configuration  ###
+################################
+AddHandler fcgid-script fcg fcgi fpl
+
+# FcgidIdleTimeout n (300 seconds)
+# An idle fastcgi application will be terminated after IdleTimeout seconds.
+FcgidIdleTimeout 900
+
+# FcgidIdleScanInterval n (120 seconds)
+# The scan interval for idle fastcgi applications.
+FcgidIdleScanInterval 120
+
+# FcgidBusyTimeout n (300 seconds)
+# A fastcgi application will be terminated if handing a single request
+# longer than busy timeout.
+FcgidBusyTimeout 300
+
+# FcgidBusyScanInterval n (120 seconds)
+# The scan interval for busy timeout fastcgi applications.
+FcgidBusyScanInterval 120
+
+# FcgidErrorScanInterval n (3 seconds)
+# The scan interval for exit pending fastcgi applications. fastcgi
+# applications will be terminated within this scanning.
+FcgidErrorScanInterval 9
+
+# FcgidZombieScanInterval n (3 seconds)
+# The scan interval for zombie process.
+FcgidZombieScanInterval 9
+
+# FcgidProcessLifeTime n (3600 seconds)
+# A fastcgi application will be terminated if lifetime expired,
+# even no error is detected.
+FcgidProcessLifeTime 3600
+
+# FcgidIPCDir path (logs/fcgidsock)
+# The directory to put the UNIX domain socket. (UNIX only)
+# This directory should be writable only by apache user
+FcgidIPCDir /run/mod_fcgid
+
+# FcgidProcessTableFile path (logs/fcgid_shm)
+# The share memory file path. (UNIX only) (version >= 2.1 only)
+FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
+
+# FcgidSpawnScoreUpLimit n (10)
+# The spawn-speed control score up water limit. Score increases while
+# a process is spawned or terminated, and decreases as time progresses;
+# while the score is higher than FcgidSpawnScoreUpLimit, the spawning 
+# will be held for a while. The higher this number is, the higher speed 
+# of the spawning can be.
+FcgidSpawnScoreUpLimit 10
+
+# FcgidSpawnScore n (1)
+# The weight of spawning.  This weight will be plused to the spawn-control
+# score on every spawn. The higher this number is, the lower speed of
+# spawning can be.
+FcgidSpawnScore 1
+
+# FcgidTerminationScore n (2)
+# The weight of termination. This weight will be plused to the score while
+# fastcgi process terminates. The higher this number is, the lower speed
+# of spawning can be.
+FcgidTerminationScore 2
+
+# FcgidMaxProcesses n (1000)
+# The max count of total fastcgi process count.
+#FcgidMaxProcesses 512
+FcgidMaxProcesses 1024
+
+# FcgidMaxProcessesPerClass n (100)
+# The maximum number of fastcgi application instances allowed to run for
+# particular one fastcgi application.
+#
+# FcgidMinProcessesPerClass n (3)
+# The minimum number of fastcgi application instances for any one fastcgi
+# application.
+# Idle fastcgi will not be killed if their count is less than n
+# Set this to 0, and tweak IdleTimeout
+#
+FcgidMinProcessesPerClass 0
+FcgidMaxProcessesPerClass 6
+
+# FcgidConnectTimeout n (3 seconds)
+# The connect timeout to a fastcgi application.
+FcgidConnectTimeout 9
+
+# FcgidIOTimeout n (20 seconds)
+# The communication timeout to a fastcgi application. Please increase this
+# value if your CGI have a slow initialization or slow respond.
+FcgidIOTimeout 60
+
+# FcgidMaxRequestsPerProcess parameter allows mod_fcgid to exit after handling a certain
+# number of requests, similar to the existing ProcessLifeTime option.
+FcgidMaxRequestsPerProcess 1000
+
+# Max len in bytes --impacts upload/download size
+FcgidMaxRequestLen 105906176

etc/httpd/conf.d/php.conf

+AddHandler fcgid-script .php
+FcgidWrapper "/usr/local/bin/php-cgi" .php
+DirectoryIndex index.php
+
+<IfModule expires_module>
+	ExpiresByType application/x-httpd-php A0
+	ExpiresByType application/x-httpd-php-source A0
+	<FilesMatch "\.php$">
+		Header set Cache-Control "no-cache, no-store, max-age=0"
+	</FilesMatch>
+</IfModule>

etc/libnss-ldap.conf

-ldap_version 3
-uri ldaps://webhosting-ldap-nlb-ff10c809b1beba67.elb.us-east-2.amazonaws.com
-tls_checkpeer no
-base ou=nextweb,dc=osu,dc=edu
-scope sub
-binddn cn=wwwro2,ou=admins,dc=osu,dc=edu
-bindpw Smk6Ucsq74F0H3iZnKZeSNE4aTzV8VEzaeBBARUtOyGmMRBQbU

etc/profile.d/osuwebhosting.sh

+# /etc/profile.d/osuwebhosting.sh - set up for a web hosting environment
+export COMPOSER_MEMORY_LIMIT=-1
+export COMPOSER_PROCESS_TIMEOUT=86400
+alias cdweb='cd /var/www/html/'
+alias cdlog='cd /var/log/httpd/'

etc/security/limits.d/disable-core-dumps.conf

-# Disable core dumps since php-fpm's
-# setting doesn't seem to be enough
-*               soft    core            0
-*               hard    core            0

etc/sudoers.d/fcgid-startup

+# Allow starting Apache as root when a non-root user since mod_fcgid requires it
+apache	ALL=(root)		NOPASSWD:/usr/bin/rm /etc/sudoers.d/fcgid-startup
+apache	ALL=(root)		NOPASSWD:/usr/sbin/httpd

runlocal.sh

 docker run -it --rm --name wheks \
-  -p 9000:9000 \
-  -u 1000:1000 \
-  -e WHEKS_ACCTID=blah \
+  -p 8080:8080 \
+  -u 48 \
   -e WHEKS_UID=1000 \
   -e WHEKS_GID=1000 \
+  -e WHEKS_ACCTID=blah \
   -e WHEKS_HOST=blah.osu.edu \
   -e WHEKS_EMAIL=hicks.367@osu.edu \
   -e WHEKS_ENTITYID=https://blah.osu.edu/shibboleth \
   -v php-html:/var/www/html:rw \
-  wheks-php82 $@
-
-docker rm wheks
+  wheks-php82:fcgid $@

usr/local/bin/docker-php-entrypoint-custom

-#!/bin/sh
-
-# Overwrite default instance of php.ini with a custom one if one is found.
-# This is preferred to mapping in directly as the file
-if [ -r /usr/local/etc/php/php.ini-custom ]; then
-	if [ -w /usr/local/etc/php/ ]; then
-		echo "Replacing default php.ini with provided custom"
-		rm -vf /usr/local/etc/php/php.ini
-		cp -v /usr/local/etc/php/php.ini-custom /usr/local/etc/php/php.ini
-		chmod -v 440 /usr/local/etc/php/php.ini
-	else
-		echo "Unable to replace default php.ini!"
-	fi
-else
-	echo "Using existing php.ini"
-fi
-
-# Launch the actual entrypoint script for this container
-ulimit -c 0
-. /usr/local/bin/docker-php-entrypoint

usr/local/etc/php/conf.d/01_base_modules.ini

+extension=bcmath
+extension=bz2
+extension=calendar
+extension=ctype
+extension=curl
+extension=dba
+extension=dom
+extension=exif
+extension=fileinfo
+extension=ftp
+extension=gd
+extension=gettext
+extension=gmp
+extension=intl
+extension=ldap
+extension=mbstring
+extension=mysqli
+extension=odbc
+extension=pcntl
+extension=pdo
+extension=pdo_mysql
+extension=pdo_odbc
+extension=pdo_pgsql
+extension=pdo_sqlite
+extension=pgsql
+extension=phar
+extension=posix
+extension=pspell
+extension=readline
+extension=shmop
+extension=simplexml
+extension=soap
+extension=sockets
+extension=sqlite3
+extension=sysvmsg
+extension=sysvsem
+extension=sysvshm
+extension=tidy
+extension=tokenizer
+extension=xml
+extension=xmlreader
+extension=xmlwriter
+extension=xsl
+extension=zip
+extension=zlib
+zend_extension=opcache

usr/local/etc/php/conf.d/zzz_01_pecl_modules.ini → usr/local/etc/php/conf.d/02_pecl_modules.ini

 extension=apcu
-extension=geoip
+;extension=geoip
 extension=igbinary
 extension=imagick
 extension=mcrypt
@@ -7,8 +7,8 @@ extension=memcached
 extension=mongodb
 extension=redis
 extension=uploadprogress
-;;zend_extension=xdebug
+zend_extension=xdebug
 extension=xhprof
 extension=xmlrpc
 extension=yaml
-extension=yaz
+;extension=yaz

usr/local/etc/php/conf.d/zzz_02_osuwebhosting.ini → usr/local/etc/php/conf.d/03_osuwebhosting.ini

 ; Custom settings for OSU Web Hosting
+safe_mode = off
+register_globals = off
 expose_php = off
 date.timezone = "America/New_York"
 sys_temp_dir = "/var/www/sharedtmp"
 upload_tmp_dir = "/var/www/privatedata"
 soap.wsdl_cache_dir = "/var/www/sharedtmp"
+memory_limit = 512M
+realpath_cache_size = 1M
+max_execution_time = 60
+max_input_time = 60
+post_max_size = 19M
+upload_max_filesize = 18M
 
 ; Sessions
 session.save_handler = "files"

usr/local/sbin/apacheshib.sh

+#!/bin/bash
+sudo /usr/local/sbin/shibdwrapper.sh start
+sudo /usr/sbin/httpd -DFOREGROUND
+sudo /usr/local/sbin/shibdwrapper.sh stop