Build docker on release (#836)

* test docker build action

* fix typo

* add simple Dockerfile

* check location to find out why it can't find the dockerfile

* add checkout step

* typo

* add the correct Dockerfile

* add files for building container and action it on a release tag

* fix path

* pass version into the Docker build

* don't cache

* typo

* build the docker image

* don't fire on every push

* verify the files are there

* check path

* diagnose

* fetch the release from s3 for building

* add bucket as a param

* clean up a little

* add build workflow for dev

* show command

* limit scope

* increase verbosity

* install s3cmd with pip

* use vars for bucket

* show key used (will rotate)

* split build args into multiple lines

* format build-args correctly

* remove debug output

* rename dockerfile to .release

* trigger dev on testing tags

* build without fetching from S3

* update paths

* update

* use phplist3 path

* fix path

* keep it relative

* and again

* once more

* try artifacts

* typo

* other typo

* use env

* use file context

* use Path Context

* copy files in place

* fake version and avoid firing all

* update

* set config and enable site

* typo

* add note  about initialise

* update phplint

* typo

* set Docker user to be www-data

* remove SF upload and add Docker build

* update test version

* debug

* copy file for Docker build

* remove user restriction (for now)

* add upload to SF

* install rsync if necessary

* make each test build different

* upload as artifact

* add verbosity

* typo

* mark unstable as RC to put it in the development folder

* tidy up

* tweak security and redirect logs to docker output

* add vars for repo and image

Author: michield

.github/workflows/build-release.yml

@@ -198,8 +198,10 @@ jobs:
           sha256sum phplist-${RELEASE_VERSION}.* > phplist-${RELEASE_VERSION}.sha256
           sha1sum phplist-${RELEASE_VERSION}.* > phplist-${RELEASE_VERSION}.sha1
           ls -l 
+          ## move the files for use in Docker build
           mv phplist-$RELEASE_VERSION phplist3 
           cd $GITHUB_WORKSPACE
+          cp ../phplist-${RELEASE_VERSION}.tgz .
 
       - name: Set up S3cmd cli tool
         uses: s3-actions/[email protected]
@@ -215,6 +217,14 @@ jobs:
           s3cmd put phplist-${RELEASE_VERSION}.* s3://${{ secrets.AWS_S3_VERSIONS_BUCKET }}/
           s3cmd put phplist3/public_html/lists/admin/images/power-phplist.png s3://${{ secrets.AWS_S3_POWERED_BUCKET }}/images/${RELEASE_VERSION}/
 
+      - name: Upload the package as artifact
+        if: always()
+        uses: actions/upload-artifact@v2
+        with:
+          path: "phplist-*.tgz"
+          name: "phpList Release File"
+          retention-days: 3
+
       - name: Upload the files to SF
         run: |
           export SSHPASS=${{ secrets.SF_PASS }}
@@ -236,3 +246,23 @@ jobs:
             bye
           EOF
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1 
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          no-cache: true
+          file: Dockerfile.release
+          tags: ${{ secrets.DOCKERHUB_REPO }}/${{ secrets.DOCKERHUB_IMAGE }}:${{ env.RELEASE_VERSION }}
+          build-args: |
+            VERSION=${{ env.RELEASE_VERSION }}

Dockerfile.release

@@ -6,9 +6,9 @@ LABEL maintainer="[email protected]"
 RUN apt-get update && apt-get upgrade -y
 
 RUN apt-get install -y apt-utils \
-    vim apache2 net-tools php-mysql \
+    apache2 php-mysql \
     libapache2-mod-php php-curl php-gd \
-    git cron php-imap php-xml php-zip php-mbstring
+    cron php-imap php-xml php-zip php-mbstring
 
 RUN useradd -d /var/www/phpList3 phplist
 
@@ -19,18 +19,23 @@ RUN rm -rf /var/www/phpList3 && mkdir -p /var/www/phpList3
 RUN rm -rf /etc/phplist && mkdir /etc/phplist
 
 COPY docker/docker-apache-phplist.conf /etc/apache2/sites-available
+COPY docker/security.conf /etc/apache2/conf-available
 COPY docker/docker-entrypoint.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
 RUN a2ensite docker-apache-phplist
 RUN a2enmod rewrite
+RUN a2enmod headers
+RUN a2disconf other-vhosts-access-log
+RUN sed -i s/LogLevel.*/LogLevel\ warn/ /etc/apache2/apache2.conf
 
 COPY docker/phplist-crontab /etc/cron.d/
 COPY docker/docker-phplist-config-live.php /etc/phplist/config.php
 
 COPY phplist-${VERSION}.tgz ./
 
-RUN tar zvxf phplist-$VERSION.tgz
+RUN tar zxf phplist-$VERSION.tgz
 RUN mv phplist-$VERSION/* /var/www/phpList3/
+RUN rm -rf /phplist-$VERSION*
 
 RUN rm -f /etc/apache2/sites-enabled/000-default.conf && \
     cd /var/www/ && find . -type d -name .git -print0 | xargs -0 rm -rf && \
@@ -41,5 +46,4 @@ RUN chown -R www-data: /var/www/phpList3
 
 EXPOSE 80 
 
-VOLUME ["/var/www", "/var/log/apache2"]
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

docker/docker-apache-phplist.conf

@@ -6,12 +6,16 @@ ServerName phplist.docker
         DirectoryIndex index.php
         php_value upload_max_filesize 50M
         php_value post_max_size 100M
-        LogLevel core:info
-
-        ErrorLog ${APACHE_LOG_DIR}/phplist_error.log
-        CustomLog ${APACHE_LOG_DIR}/phplist_access.log vhost_combined
 
         <Directory /var/www/phpList3>
           AllowOverride All
+          Options -Indexes
         </Directory>
+
+        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /proc/self/fd/1 combined env=!forwarded
+        CustomLog /proc/self/fd/1 proxy env=forwarded
+        ErrorLog /proc/self/fd/1
 </VirtualHost>

docker/docker-entrypoint.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+## entry point file, needed to be able to pass ENV vars from docker-compose.yml to the containers.
+
+echo Initialising phpList, Please wait
+
+exec 6>&1
+exec > /usr/bin/phplist
+
+echo '#!/bin/bash'
+echo -n
+echo 'exec 6>&1'
+echo 'exec > /dev/null 2>&1'
+printenv | sed 's/^\(.*\)$/export \1/g'
+echo -n
+echo 'exec 1>&6 6>&-'
+echo /usr/bin/php /var/www/phpList3/public_html/lists/admin/index.php -c /etc/phplist/config.php \$\*
+
+exec 1>&6 6>&-
+chmod 755 /usr/bin/phplist
+
+## wait for the DB container, but not forever
+UNCONNECTED=$(phplist | grep "Cannot connect")
+COUNT=1
+while [[ "$UNCONNECTED" ]] && [[ $COUNT -lt 11 ]] ; do
+    echo Waiting for the Database to be available - $COUNT/10
+    sleep 10;
+    UNCONNECTED=$(phplist | grep "Cannot connect")
+    COUNT=$(( $COUNT + 1 ))
+done
+
+if [[ "$UNCONNECTED" ]]; then
+    echo Failed to find a Database to connect to
+    exit;
+fi
+
+/usr/bin/phplist -pinitialise ## https://github.com/phpList/phplist3/issues/718 - @TODO make this work
+/usr/bin/phplist -pinitlanguages
+
+service cron start
+echo $(phplist --version) READY
+/usr/sbin/apache2ctl -D FOREGROUND

docker/docker-phplist-config-dev.php

@@ -0,0 +1,21 @@
+<?php
+
+$database_host = getenv('DB_HOST');
+$database_name = getenv('DB_NAME');
+$database_user = getenv('DB_USER');
+$database_password = getenv('DB_PASSWORD');
+$mailhost = getenv('MAILHOST');
+define('PHPMAILERHOST', $mailhost);
+define('PHPMAILERPORT', 1025);
+define('TEST', 0);
+define('HASH_ALGO', 'sha256');
+define('UPLOADIMAGES_DIR','images');
+define ("MANUALLY_PROCESS_BOUNCES",0);
+define ("MANUALLY_PROCESS_QUEUE",0);
+define('CHECK_REFERRER',false);
+#define('VERBOSE', 1);
+#define('PHPMAILER_SMTP_DEBUG', 1);
+define('PHPMAILER_SECURE',0);
+define('DEVVERSION',true);
+
+$developer_email = '[email protected]';

docker/docker-phplist-config-live.php

@@ -0,0 +1,15 @@
+<?php
+
+$database_host = getenv('DB_HOST');
+$database_name = getenv('DB_NAME');
+$database_user = getenv('DB_USER');
+$database_password = getenv('DB_PASSWORD');
+$mailhost = getenv('MAILHOST');
+define('PHPMAILERHOST', $mailhost);
+define('TEST', 0);
+define('HASH_ALGO', 'sha256');
+define('UPLOADIMAGES_DIR','images');
+define ('MANUALLY_PROCESS_BOUNCES',1);
+define ('MANUALLY_PROCESS_QUEUE',0);
+define('PHPMAILER_SECURE',0);
+define('CHECK_REFERRER',false);

docker/phplist-crontab

@@ -0,0 +1,2 @@
+*/1 * * * * phplist -pprocessqueue >> /var/log/phplist.log 2>&1
+0 3 * * * phplist -pprocessbounces >> /var/log/phplist-bounces.log 2>&1

docker/security.conf

@@ -0,0 +1,73 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#<Directory />
+#   AllowOverride None
+#   Require all denied
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Minimal
+#ServerTokens OS
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+ServerSignature Off
+#ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#<DirectoryMatch "/\.svn">
+#   Require all denied
+#</DirectoryMatch>
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+Header set X-Frame-Options: "sameorigin"
+Header set X-XSS-Protection "1; mode=block"
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

scripts/install-plugins.sh

@@ -7,6 +7,13 @@ to=$2
 
 echo $from $to
 
+[[ -x $(which rsync) ]] || {
+  apt install -y rsync
+}
+
 for plugin in $(find $from -type d -name phplist-plugin-*); do
-  [[ ! -z "$(ls -A $plugin/plugins/)" ]] && rsync -a $plugin/plugins/* $to
+  [[ ! -z "$(ls -A $plugin/plugins/)" ]] && {
+    echo installing plugin $plugin
+    rsync -a $plugin/plugins/* $to
+  }
 done

scripts/install-themes.sh

@@ -7,6 +7,9 @@ to=$2
 
 echo $from $to
 
+[[ -x $(which rsync) ]] || {
+  apt install -y rsync
+}
 for theme in $(ls -d $from/*/phplist-ui-*); do
   [[ ! -z "$(ls -A $theme)" ]] && {
     echo installing $theme