fix(): delete all root processes

Dockerfile

@@ -1,17 +1,17 @@
 FROM alpine:3.4
-MAINTAINER Wonderfall <wonderfall@mondedie.fr>
+MAINTAINER Wonderfall <wonderfall@schrodinger.io>
 MAINTAINER Hardware <contact@meshup.net>
 
-ARG GPG_rainloop="3B79 7ECE 694F 3B7B 70F3  11A4 ED7C 49D9 87DA 4591"
+ARG GPG_FINGERPRINT="3B79 7ECE 694F 3B7B 70F3  11A4 ED7C 49D9 87DA 4591"
 
-ENV GID=991 UID=991
+ENV UID=991 GID=991
 
 RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
  && apk -U add \
     gnupg \
     nginx \
-    supervisor \
+    s6 \
-    tini@commuedge \
+    su-exec \
     php7-fpm@commuedge \
     php7-curl@commuedge \
     php7-iconv@commuedge \
@@ -32,7 +32,7 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
  && FINGERPRINT="$(LANG=C gpg --verify rainloop-community-latest.zip.asc rainloop-community-latest.zip 2>&1 \
   | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
  && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
- && if [ "${FINGERPRINT}" != "${GPG_rainloop}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
+ && if [ "${FINGERPRINT}" != "${GPG_FINGERPRINT}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
  && echo "All seems good, now unzipping rainloop-community-latest.zip..." \
  && mkdir /rainloop && unzip -q /tmp/rainloop-community-latest.zip -d /rainloop \
  && find /rainloop -type d -exec chmod 755 {} \; \
@@ -42,11 +42,13 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY php-fpm.conf /etc/php7/php-fpm.conf
-COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY s6.d /etc/s6.d
-COPY startup /usr/local/bin/startup
+COPY run.sh /usr/local/bin/run.sh
 
-RUN chmod +x /usr/local/bin/startup
+RUN chmod +x /usr/local/bin/run.sh /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
 
 VOLUME /rainloop/data
-EXPOSE 80
+
-CMD ["/sbin/tini","--","startup"]
+EXPOSE 8888
+
+CMD ["run.sh"]

README.md

@@ -2,22 +2,32 @@
 
 ![](https://i.goopics.net/nI.png)
 
+### What is this ?
+
 Rainloop is a simple, modern & fast web-based client. More details on the [official website](http://www.rainloop.net/).
 
 ### Features
-- Based on Alpine 3.3
+
+- Lightweight & secure image (no root process)
+- Based on Alpine 3.4
 - Latest Rainloop **Community Edition** (stable)
 - Contacts (DB) : sqlite, or mysql (server not built-in)
+- With Nginx and PHP7
 
-### How to use
+### Build-time variables
 
-```
+- **GPG_FINGERPRINT** : fingerprint of signing key
-docker run -d \
+
-  --name rainloop \
+### Ports
-  --link mariadb:mariadb \ # Optional
+
-  -v /mnt/docker/rainloop:/rainloop/data \
+- **8888**
-  hardware/rainloop
+
-```
+### Environment variables
+
+| Variable | Description | Type | Default value |
+| -------- | ----------- | ---- | ------------- |
+| **GID** | rainloop user id | *optional* | 991
+| **UID** | rainloop group id | *optional* | 991
 
 ### Reverse proxy example with nginx
 
@@ -27,15 +37,6 @@ https://github.com/hardware/mailserver/wiki/Reverse-proxy-configuration
 
 https://github.com/hardware/mailserver/wiki/Rainloop-initial-configuration
 
-#### Build-time variables
-
-- **GPG_rainloop** : fingerprint of signing key
-
-### Environment variables
-
-- **UID** : rainloop user id (*optional*, default: 991)
-- **GID** : rainloop group id (*optional*, default: 991)
-
 ### Docker-compose
 
 #### Docker-compose.yml
@@ -48,7 +49,7 @@ rainloop:
   volumes:
     - /mnt/docker/rainloop:/rainloop/data
 
-# if using mysql as contacts database :
+# if using mariadb as contacts database :
 
 mariadb:
   image: mariadb:10.1
@@ -66,4 +67,4 @@ mariadb:
 
 ```
 docker-compose up -d
-```
+```

nginx.conf

@@ -1,6 +1,5 @@
-user rainloop;
 worker_processes auto;
-pid /var/run/nginx.pid;
+pid /tmp/nginx.pid;
 daemon off;
 
 events {
@@ -13,7 +12,7 @@ http {
   default_type  application/octet-stream;
 
   access_log off;
-  error_log /var/log/nginx/error.log error;
+  error_log /tmp/ngx_error.log error;
 
   sendfile on;
   keepalive_timeout 15;
@@ -23,6 +22,12 @@ http {
   tcp_nodelay on;
   server_tokens off;
 
+  fastcgi_temp_path /tmp/fastcgi 1 2;
+  client_body_temp_path /tmp/client_body 1 2;
+  proxy_temp_path /tmp/proxy 1 2;
+  uwsgi_temp_path /tmp/uwsgi 1 2;
+  scgi_temp_path /tmp/scgi 1 2;
+
   gzip on;
   gzip_comp_level 5;
   gzip_min_length 512;
@@ -47,7 +52,7 @@ http {
     image/svg+xml;
 
   server {
-    listen 80;
+    listen 8888;
     root /rainloop;
     index index.php;
     charset utf-8;
@@ -61,12 +66,12 @@ http {
     }
 
     location ~* \.php$ {
-      try_files $uri =404;
       fastcgi_index index.php;
-      fastcgi_pass unix:/var/run/php-fpm.sock;
+      fastcgi_pass unix:/tmp/php-fpm.sock;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       include /etc/nginx/fastcgi_params;
     }
+
   }
 
 }

php-fpm.conf

@@ -2,11 +2,7 @@
 daemonize = no
 
 [www]
-user = rainloop
+listen = /tmp/php-fpm.sock
-group = rainloop
-listen = /var/run/php-fpm.sock
-listen.owner = rainloop
-listen.group = rainloop
 pm = dynamic
 pm.max_children = 5
 pm.start_servers = 2

run.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+chown -R $UID:$GID /rainloop /etc/nginx /etc/php7 /var/log /var/lib/nginx /tmp /etc/s6.d
+exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d

s6.d/.s6-svscan/finish

@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 0

s6.d/nginx/run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec nginx

s6.d/php/run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec php-fpm7

startup

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-# Create user and group
-addgroup -g ${GID} rainloop && adduser -h /rainloop -s /bin/sh -D -G rainloop -u ${UID} rainloop
-
-# Set permissions
-chown -R rainloop:rainloop /rainloop /var/lib/nginx
-
-# RUN !
-supervisord -c /etc/supervisor/supervisord.conf

supervisord.conf

@@ -1,10 +0,0 @@
-[supervisord]
-logfile = /tmp/supervisord.log
-pidfile = /tmp/supervisord.pid
-nodaemon=true
-
-[program:php-fpm]
-command=php-fpm7
-
-[program:nginx]
-command=nginx