From 2620f40a99210b4bd12dad4b2d18d3c80cbf4fcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 12:06:03 +0100
Subject: [PATCH 01/19] Initiated gh workflows with trivy scans
---
 .github/workflows/container-ci.yaml | 63 +++++++++++++++++++++++++++++
 fastcgi-client/Dockerfile | 8 ++++
 httpd-shibd/Dockerfile | 32 +++++++++++++++
 httpd-shibd/config/shibboleth.repo | 9 +++++
 php-fpm/Dockerfile | 54 +++++++++++++++++++++++++
 5 files changed, 166 insertions(+)
 create mode 100644 .github/workflows/container-ci.yaml
 create mode 100644 fastcgi-client/Dockerfile
 create mode 100644 httpd-shibd/Dockerfile
 create mode 100644 httpd-shibd/config/shibboleth.repo
 create mode 100644 php-fpm/Dockerfile
diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml
new file mode 100644
index 0000000..1decac3
--- /dev/null
+++ b/.github/workflows/container-ci.yaml
@@ -0,0 +1,63 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+
+jobs:
+ scan-redcap-fastcgi-client:
+ name: trivy
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Build an image from Dockerfile
+ run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ scan-redcap-httpd-shibd:
+ name: trivy
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Build an image from Dockerfile
+ run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ scan-redcap-php-fpm:
+ name: trivy
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Build an image from Dockerfile
+ run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
diff --git a/fastcgi-client/Dockerfile b/fastcgi-client/Dockerfile
new file mode 100644
index 0000000..ffe6b45
--- /dev/null
+++ b/fastcgi-client/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine:3.18
+
+LABEL maintainer=APHP
+
+RUN apk update &&\
+ apk add fcgi
+
+ENTRYPOINT ["cgi-fcgi"]
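Review bot: The workflow declares no `permissions:` block, so all three jobs run with the repository's default GITHUB_TOKEN grants although they only read the checkout; add `permissions:` / `  contents: read` at the top level, and the per-image workflows that replace this file in PATCH 04 (hunks at L8, L9 and L10) need the same. Every `uses:` is pinned to a mutable tag (`actions/checkout@v3`, `aquasecurity/trivy-action@0.28.0`), which a moved tag can silently retarget; pinning each action to its full commit SHA with the tag in a trailing comment keeps the CI supply chain auditable. `runs-on: ubuntu-20.04` selects a runner image that GitHub has scheduled for retirement, so these jobs will start failing during brownouts; `ubuntu-24.04`, which PATCH 09 later adopts for one job, is the supported choice.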
diff --git a/httpd-shibd/Dockerfile b/httpd-shibd/Dockerfile
new file mode 100644
index 0000000..41fc4fb
--- /dev/null
+++ b/httpd-shibd/Dockerfile
@@ -0,0 +1,32 @@
+FROM rockylinux:9
+
+### Adding Shibboleth official repos
+COPY ./config/shibboleth.repo /etc/yum.repos.d/shibboleth.repo
+
+### Installing httpd, shibboleth & supervisor
+RUN dnf install -y epel-release &&\
+ dnf update -y &&\
+ dnf install -y shibboleth.x86_64 httpd supervisor mod_ssl &&\
+ dnf clean all
+
+RUN ls -lah /var/run
+
+### Creating a non-root user to manage supervisorctl & setting rights to launch the daemon
+RUN adduser supervisor &&\
+ usermod -a -G apache supervisor &&\
+ usermod -a -G shibd supervisor &&\
+ mkdir -p /etc/supervisor &&\
+ chown -v root:supervisor "/var/log" &&\
+ chown -Rv supervisor:supervisor "/var/log/supervisor" &&\
+ chown -Rv supervisor:supervisor "/var/log/httpd" &&\
+ chown -Rv supervisor:supervisor "/var/log/shibboleth" &&\
+ chown -Rv supervisor:supervisor "/etc/supervisor" &&\
+ chown -Rv supervisor:supervisor "/usr/bin/supervisord" &&\
+ chown -Rv supervisor:supervisor "/var/run/supervisor"
+
+USER supervisor
+
+WORKDIR /var/www/redcap
+
+### Launching supervisord
+ENTRYPOINT ["/usr/bin/supervisord"]
diff --git a/httpd-shibd/config/shibboleth.repo b/httpd-shibd/config/shibboleth.repo
new file mode 100644
index 0000000..509af03
--- /dev/null
+++ b/httpd-shibd/config/shibboleth.repo
@@ -0,0 +1,9 @@
+[shibboleth]
+name=Shibboleth (rockylinux9)
+# Please report any problems to https://shibboleth.atlassian.net/jira
+type=rpm-md
+mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux9
+gpgcheck=1
+gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
+ https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
+enabled=1
diff --git a/php-fpm/Dockerfile b/php-fpm/Dockerfile
new file mode 100644
index 0000000..0108e9c
--- /dev/null
+++ b/php-fpm/Dockerfile
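Review bot: `chown -Rv supervisor:supervisor "/usr/bin/supervisord"` gives the unprivileged service account write access to the binary it later executes, and `chown -v root:supervisor "/var/log"` regroups the whole log root; the executable only needs to be readable and executable, which it already is, so drop that `chown` and limit ownership changes to the three log subdirectories, `/etc/supervisor` and `/var/run/supervisor`. `RUN ls -lah /var/run` reads like a leftover debugging step that adds a layer without changing the image; remove it. No supervisord configuration is copied in and `ENTRYPOINT ["/usr/bin/supervisord"]` passes no `-n`, so unless a configuration with `nodaemon=true` is mounted at run time the daemon will presumably fork and the container exit — worth confirming, and worth a comment on the `ENTRYPOINT` line stating where the configuration is expected to come from. `dnf update -y` upgrades the whole base inside the build; bumping the `rockylinux:9` tag (or pinning a digest) gives the same result reproducibly.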
@@ -0,0 +1,54 @@
+FROM php:8.1-fpm-bookworm
+
+### Installing required packages
+RUN apt-get update -y &&\
+ apt-get -y --no-install-recommends install \
+ net-tools \
+ vim \
+ wget \
+ curl \
+ ghostscript \
+ libcurl4-openssl-dev \
+ zip \
+ msmtp \
+ libzip-dev \
+ libfreetype6-dev \
+ libjpeg62-turbo-dev \
+ imagemagick \
+ libmagickwand-dev \
+ libpng-dev \
+ dos2unix && \
+ apt clean
+
+# Installing PHP extensions
+RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \
+ docker-php-ext-install mysqli && \
+ docker-php-ext-install -j$(nproc) gd && \
+ docker-php-ext-install pdo_mysql && \
+ docker-php-ext-install zip && \
+ docker-php-ext-install curl && \
+ pecl install imagick && \
+ docker-php-ext-enable imagick
+
+# Installing REDCap webapp
+RUN rm -rf /var/www/html
+
+RUN mkdir -p /app/redcap && \
+ ln -s /app/redcap /var/www/redcap
+
+RUN chmod 775 -R /var/www/redcap && \
+ chown -R www-data:www-data /app/redcap && \
+ chown -R www-data:www-data /var/www/redcap
+
+RUN mkdir /edocs \
+ && chmod 775 -R /edocs \
+ && chown -R www-data:www-data /edocs
+
+WORKDIR /var/www/redcap
+
+# Switching to app user
+USER www-data
+
+### Starting PHP-FPM service ###
+CMD ["php-fpm"]
+
From 6563552484cb0a5ab2f0208fbfabe61a8009dffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 12:06:50 +0100
Subject: [PATCH 02/19] Edited trivy scans severity to match with internal ci
---
 .github/workflows/container-ci.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml
index 1decac3..30a4774 100644
--- a/.github/workflows/container-ci.yaml
+++ b/.github/workflows/container-ci.yaml
@@ -23,7 +23,7 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: 'CRITICAL'
 scan-redcap-httpd-shibd:
 name: trivy
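Review bot: `chown -R www-data:www-data /app/redcap` together with `chmod 775 -R` and the later `USER www-data` leaves the PHP worker owning, and able to rewrite, its own application tree, so a code-execution flaw in the web app also gains persistence in the image's code directory; keep `/app/redcap` at `root:www-data` mode 755 and give `www-data` write access only to the paths REDCap must write (`/edocs` and its temp directory — confirm against the REDCap installation notes). The package list also ships `vim`, `net-tools`, `wget` and `curl` plus the `-dev` headers (`libcurl4-openssl-dev`, `libzip-dev`, `libfreetype6-dev`, `libjpeg62-turbo-dev`, `libmagickwand-dev`, `libpng-dev`) that are only needed while `docker-php-ext-install` and `pecl install imagick` compile, so the runtime image carries a build toolchain and interactive tools it never uses; the official php image's pattern — save `apt-mark showmanual`, install the `-dev` packages, build, then `apt-mark auto` and `apt-get purge --auto-remove` in the same `RUN` (or a separate build stage) — avoids that. `pecl install imagick` is unpinned, so rebuilds can pull a different extension version; pin it as `pecl install imagick-<version>` with the version filled in.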
@@ -41,7 +41,7 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + severity: 'CRITICAL' scan-redcap-php-fpm: name: trivy @@ -59,5 +59,5 @@ jobs: exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + severity: 'CRITICAL' From 433cdbd8c026f740f36b176549c8fc533d9afdf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 24 Nov 2024 12:28:18 +0100 Subject: [PATCH 03/19] Refactored github jobs and added hadolint step --- .github/workflows/container-ci.yaml | 42 ++++++++++++++++++----------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index 30a4774..1a2225b 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -7,15 +7,19 @@ on: pull_request: jobs: - scan-redcap-fastcgi-client: - name: trivy + redcap-fastcgi-client: + name: redcap-fastcgi-client runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 - - name: Build an image from Dockerfile + uses: actions/checkout@v4 + - name: Lint Dockerfile with Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ./fastcgi-client/Dockerfile + - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client - - name: Run Trivy vulnerability scanner + - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: image-ref: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}' 
@@ -25,15 +29,19 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL' - scan-redcap-httpd-shibd: - name: trivy + redcap-httpd-shibd: + name: redcap-httpd-shibd runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 - - name: Build an image from Dockerfile + uses: actions/checkout@v4 + - name: Lint Dockerfile with Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ./httpd-shibd/Dockerfile + - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd - - name: Run Trivy vulnerability scanner + - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: image-ref: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}' @@ -43,15 +51,19 @@ jobs: vuln-type: 'os,library' severity: 'CRITICAL' - scan-redcap-php-fpm: - name: trivy + redcap-php-fpm: + name: redcap-php-fpm runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 - - name: Build an image from Dockerfile + uses: actions/checkout@v4 + - name: Lint Dockerfile with Hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ./php-fpm/Dockerfile + - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm - - name: Run Trivy vulnerability scanner + - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: image-ref: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}' From 56588ae158c1760f745eeb97892eff423165cc4e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 12:49:35 +0100
Subject: [PATCH 04/19] - Added recommended linting fixs - Added dependencies and cleaned jobs
---
 .../workflows/ci-redcap-fastcgi-client.yaml | 40 ++++++++++
 .github/workflows/ci-redcap-httpd-shibd.yaml | 40 ++++++++++
 .github/workflows/ci-redcap-php-fpm.yaml | 40 ++++++++++
 .github/workflows/container-ci.yaml | 75 -------------------
 fastcgi-client/Dockerfile | 4 +-
 php-fpm/Dockerfile | 5 +-
 6 files changed, 125 insertions(+), 79 deletions(-)
 create mode 100644 .github/workflows/ci-redcap-fastcgi-client.yaml
 create mode 100644 .github/workflows/ci-redcap-httpd-shibd.yaml
 create mode 100644 .github/workflows/ci-redcap-php-fpm.yaml
 delete mode 100644 .github/workflows/container-ci.yaml
diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml
new file mode 100644
index 0000000..5d1072f
--- /dev/null
+++ b/.github/workflows/ci-redcap-fastcgi-client.yaml
@@ -0,0 +1,40 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+
+jobs:
+ lint-redcap-fastcgi-client:
+ name: lint-redcap-fastcgi-client
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Lint Dockerfile with Hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: ./fastcgi-client/Dockerfile
+ override-info: DL3008,DL3018,DL3041,SC2046
+ failure-threshold: warning
+
+ scan-redcap-fastcgi-client:
+ name: scan-redcap-fastcgi-client
+ needs: lint-redcap-fastcgi-client
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Build container from Dockerfile
+ run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client
+ - name: Scan container for vulnerabilities with Trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL'
diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml
new file mode 100644
index 0000000..292a0c4
--- /dev/null
+++ b/.github/workflows/ci-redcap-httpd-shibd.yaml
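Review bot: `override-info: DL3008,DL3018,DL3041,SC2046` downgrades the three hadolint rules that require pinned package versions for apt, apk and dnf to info, so with `failure-threshold: warning` the lint gate can no longer catch the unpinned `apk add fcgi`, `apt-get install …` and `dnf install …` lines in the Dockerfiles it checks; pinning the packages (or at least the base images by digest) and leaving the rules active is what makes the later Trivy result reproducible. If the override is a deliberate choice, a comment beside it such as `# DL3008/DL3018/DL3041 downgraded: package pinning tracked in <issue placeholder>` records why. The identical override appears in the `ci-redcap-httpd-shibd.yaml` and `ci-redcap-php-fpm.yaml` hunks at L9 and L10, and all three files keep `runs-on: ubuntu-20.04` and omit a `permissions:` block.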
@@ -0,0 +1,40 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+
+jobs:
+ lint-redcap-httpd-shibd:
+ name: lint-redcap-httpd-shibd
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Lint Dockerfile with Hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: ./httpd-shibd/Dockerfile
+ override-info: DL3008,DL3018,DL3041,SC2046
+ failure-threshold: warning
+
+ scan-redcap-httpd-shibd:
+ name: scan-redcap-httpd-shibd
+ needs: lint-redcap-httpd-shibd
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Build container from Dockerfile
+ run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd
+ - name: Scan container for vulnerabilities with Trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL'
diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml
new file mode 100644
index 0000000..32667d8
--- /dev/null
+++ b/.github/workflows/ci-redcap-php-fpm.yaml
@@ -0,0 +1,40 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+
+jobs:
+ lint-redcap-php-fpm:
+ name: lint-redcap-php-fpm
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Lint Dockerfile with Hadolint
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: ./php-fpm/Dockerfile
+ override-info: DL3008,DL3018,DL3041,SC2046
+ failure-threshold: warning
+
+ scan-redcap-php-fpm:
+ name: scan-redcap-php-fpm
+ needs: lint-redcap-php-fpm
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Build container from Dockerfile
+ run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm
+ - name: Scan container for vulnerabilities with Trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL'
diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml
deleted file mode 100644
index 1a2225b..0000000
--- a/.github/workflows/container-ci.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-name: build
-on:
- push:
- branches:
- - main
- - dev
- pull_request:
-
-jobs:
- redcap-fastcgi-client:
- name: redcap-fastcgi-client
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- - name: Lint Dockerfile with Hadolint
- uses: hadolint/hadolint-action@v3.1.0
- with:
- dockerfile: ./fastcgi-client/Dockerfile
- - name: Build container from Dockerfile
- run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client
- - name: Scan container for vulnerabilities with Trivy
- uses: aquasecurity/trivy-action@0.28.0
- with:
- image-ref: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL'
-
- redcap-httpd-shibd:
- name: redcap-httpd-shibd
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- - name: Lint Dockerfile with Hadolint
- uses: hadolint/hadolint-action@v3.1.0
- with:
- dockerfile: ./httpd-shibd/Dockerfile
- - name: Build container from Dockerfile
- run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd
- - name: Scan container for vulnerabilities with Trivy
- uses: aquasecurity/trivy-action@0.28.0
- with:
- image-ref: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}'
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL'
-
- redcap-php-fpm:
- name: redcap-php-fpm
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- - name: Lint Dockerfile with Hadolint
- uses: hadolint/hadolint-action@v3.1.0
- with:
- dockerfile: ./php-fpm/Dockerfile
- - name: Build container from Dockerfile
- run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm
- - name: Scan container for vulnerabilities with Trivy
- uses: aquasecurity/trivy-action@0.28.0
- with:
- image-ref: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}'
- format: 
'table'
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: 'os,library'
- severity: 'CRITICAL'
-
diff --git a/fastcgi-client/Dockerfile b/fastcgi-client/Dockerfile
index ffe6b45..0b98904 100644
--- a/fastcgi-client/Dockerfile
+++ b/fastcgi-client/Dockerfile
@@ -1,8 +1,8 @@
-FROM alpine:3.18
+FROM alpine:3
 LABEL maintainer=APHP
 RUN apk update &&\
- apk add fcgi
+ apk add --no-cache fcgi
 ENTRYPOINT ["cgi-fcgi"]
diff --git a/php-fpm/Dockerfile b/php-fpm/Dockerfile
index 0108e9c..f9c4141 100644
--- a/php-fpm/Dockerfile
+++ b/php-fpm/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:8.1-fpm-bookworm
+FROM php:8.3-fpm-bookworm
 ### Installing required packages
 RUN apt-get update -y &&\
@@ -18,7 +18,8 @@ RUN apt-get update -y &&\
 libmagickwand-dev \
 libpng-dev \
 dos2unix && \
- apt clean
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
 # Installing PHP extensions
 RUN docker-php-ext-configure gd --with-freetype --with-jpeg && \
From 8a760fa693bce24f9c5eea93cdb1ecf2471beafe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 12:54:24 +0100
Subject: [PATCH 05/19] Added dockle step for all actions
---
 .github/workflows/ci-redcap-fastcgi-client.yaml | 7 +++++++
 .github/workflows/ci-redcap-httpd-shibd.yaml | 7 +++++++
 .github/workflows/ci-redcap-php-fpm.yaml | 7 +++++++
 3 files changed, 21 insertions(+)
diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml
index 5d1072f..0a3f089 100644
--- a/.github/workflows/ci-redcap-fastcgi-client.yaml
+++ b/.github/workflows/ci-redcap-fastcgi-client.yaml
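Review bot: `FROM alpine:3` replaces the minor tag `alpine:3.18` with a floating major tag, so two builds of the same commit can resolve to different Alpine releases and a Trivy pass on one says little about the other; keep a minor tag (the current 3.x release) or pin a digest. With `apk add --no-cache` the preceding `apk update` is redundant and writes the package index into `/var/cache/apk` in the same layer, which is exactly what `--no-cache` is meant to avoid, so the instruction can shrink to `RUN apk add --no-cache fcgi`. The `fcgi` package itself is still unpinned; `fcgi=<version>` with the version filled in would satisfy DL3018 instead of the override the workflow adds.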
@@ -29,6 +29,13 @@ jobs: uses: actions/checkout@v4 - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client + - name: Run dockle on container + uses: goodwithtech/dockle-action@main + with: + image: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}' + format: 'list' + exit-code: '1' + exit-level: 'fatal' - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml index 292a0c4..e93c950 100644 --- a/.github/workflows/ci-redcap-httpd-shibd.yaml +++ b/.github/workflows/ci-redcap-httpd-shibd.yaml @@ -29,6 +29,13 @@ jobs: uses: actions/checkout@v4 - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd + - name: Run dockle on container + uses: goodwithtech/dockle-action@main + with: + image: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}' + format: 'list' + exit-code: '1' + exit-level: 'fatal' - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml index 32667d8..ba1f336 100644 --- a/.github/workflows/ci-redcap-php-fpm.yaml +++ b/.github/workflows/ci-redcap-php-fpm.yaml @@ -29,6 +29,13 @@ jobs: uses: actions/checkout@v4 - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm + - name: Run dockle on container + uses: goodwithtech/dockle-action@main + with: + image: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}' + format: 'list' + exit-code: '1' + exit-level: 'fatal' - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: From 565bf832bf8e9182f67e39dcc49137349bb457b9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 24 Nov 2024 13:05:03 +0100 Subject: [PATCH 06/19] Switched dockle action and fixed a build issue with php-fpm image --- .github/workflows/ci-redcap-fastcgi-client.yaml | 12 ++++++------ .github/workflows/ci-redcap-httpd-shibd.yaml | 12 ++++++------ .github/workflows/ci-redcap-php-fpm.yaml | 12 ++++++------ php-fpm/Dockerfile | 2 +- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml index 0a3f089..41f1346 100644 --- a/.github/workflows/ci-redcap-fastcgi-client.yaml +++ b/.github/workflows/ci-redcap-fastcgi-client.yaml @@ -29,13 +29,13 @@ jobs: uses: actions/checkout@v4 - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client - - name: Run dockle on container - uses: goodwithtech/dockle-action@main + - name: Run Dockle + uses: erzz/dockle-action@v1.4.0 with: - image: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}' - format: 'list' - exit-code: '1' - exit-level: 'fatal' + image: ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} + report-format: json + failure-threshold: fatal + exit-code: 1 - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml index e93c950..be0e3da 100644 --- a/.github/workflows/ci-redcap-httpd-shibd.yaml +++ b/.github/workflows/ci-redcap-httpd-shibd.yaml 
@@ -29,13 +29,13 @@ jobs: uses: actions/checkout@v4 - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd - - name: Run dockle on container - uses: goodwithtech/dockle-action@main + - name: Run Dockle + uses: erzz/dockle-action@v1.4.0 with: - image: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}' - format: 'list' - exit-code: '1' - exit-level: 'fatal' + image: ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} + report-format: json + failure-threshold: fatal + exit-code: 1 - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml index ba1f336..772cf5e 100644 --- a/.github/workflows/ci-redcap-php-fpm.yaml +++ b/.github/workflows/ci-redcap-php-fpm.yaml @@ -29,13 +29,13 @@ jobs: uses: actions/checkout@v4 - name: Build container from Dockerfile run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm - - name: Run dockle on container - uses: goodwithtech/dockle-action@main + - name: Run Dockle + uses: erzz/dockle-action@v1.4.0 with: - image: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}' - format: 'list' - exit-code: '1' - exit-level: 'fatal' + image: ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} + report-format: json + failure-threshold: fatal + exit-code: 1 - name: Scan container for vulnerabilities with Trivy uses: aquasecurity/trivy-action@0.28.0 with: diff --git a/php-fpm/Dockerfile b/php-fpm/Dockerfile index f9c4141..d6714e6 100644 --- a/php-fpm/Dockerfile +++ b/php-fpm/Dockerfile @@ -1,4 +1,4 @@ -FROM php:8.3-fpm-bookworm +FROM php:8.2-fpm-bookworm ### Installing required packages RUN apt-get update -y &&\ From 36ff296e98cf9ea57e1f3b94ee43b527ffe7ad2f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 13:10:27 +0100
Subject: [PATCH 07/19] Added trivy license check
---
 .github/workflows/ci-redcap-fastcgi-client.yaml | 1 +
 .github/workflows/ci-redcap-httpd-shibd.yaml | 1 +
 .github/workflows/ci-redcap-php-fpm.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml
index 41f1346..f086df2 100644
--- a/.github/workflows/ci-redcap-fastcgi-client.yaml
+++ b/.github/workflows/ci-redcap-fastcgi-client.yaml
@@ -43,5 +43,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
+ scanners: 'vuln,secret,licence'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml
index be0e3da..21604d5 100644
--- a/.github/workflows/ci-redcap-httpd-shibd.yaml
+++ b/.github/workflows/ci-redcap-httpd-shibd.yaml
@@ -43,5 +43,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
+ scanners: 'vuln,secret,licence'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml
index 772cf5e..080134a 100644
--- a/.github/workflows/ci-redcap-php-fpm.yaml
+++ b/.github/workflows/ci-redcap-php-fpm.yaml
@@ -43,5 +43,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
+ scanners: 'vuln,secret,licence'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
From e767017fe1c72fff7512ec31f45fc0a752b352b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 13:13:56 +0100
Subject: [PATCH 08/19] Fixed typo in license scanner name
---
 .github/workflows/ci-redcap-fastcgi-client.yaml | 2 +-
 .github/workflows/ci-redcap-httpd-shibd.yaml | 2 +-
 .github/workflows/ci-redcap-php-fpm.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml
index f086df2..af2f80c 100644
--- a/.github/workflows/ci-redcap-fastcgi-client.yaml
+++ b/.github/workflows/ci-redcap-fastcgi-client.yaml
@@ -43,6 +43,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- scanners: 'vuln,secret,licence'
+ scanners: 'vuln,secret,license'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml
index 21604d5..5f53616 100644
--- a/.github/workflows/ci-redcap-httpd-shibd.yaml
+++ b/.github/workflows/ci-redcap-httpd-shibd.yaml
@@ -43,6 +43,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- scanners: 'vuln,secret,licence'
+ scanners: 'vuln,secret,license'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml
index 080134a..9caaedd 100644
--- a/.github/workflows/ci-redcap-php-fpm.yaml
+++ b/.github/workflows/ci-redcap-php-fpm.yaml
@@ -43,6 +43,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
- scanners: 'vuln,secret,licence'
+ scanners: 'vuln,secret,license'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
From 8822ec2b73cde302421af08ce3e5a4c326a68d56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 13:38:11 +0100
Subject: [PATCH 09/19] Testin docker log and push actions
---
 .github/workflows/ci-redcap-php-fpm.yaml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml
index 9caaedd..0cffcca 100644
--- a/.github/workflows/ci-redcap-php-fpm.yaml
+++ b/.github/workflows/ci-redcap-php-fpm.yaml
@@ -9,7 +9,7 @@ on:
 jobs:
 lint-redcap-php-fpm:
 name: lint-redcap-php-fpm
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
 steps: - name: Checkout code uses: actions/checkout@v4
@@ -46,3 +46,22 @@ jobs:
 scanners: 'vuln,secret,license'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
+
+ push-redcap-php-fpm:
+ name: push-redcap-php-fpm
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: 'Login to GitHub Container Registry'
+ uses: docker/login-action@v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+ - name: Build and push
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: "{{defaultContext}}:php-fpm"
+ push: true
+ tags: ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}
\ No newline at end of file
From f9d4c7c2809aa40e6be985500ac1c51424959a1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 24 Nov 2024 13:47:33 +0100
Subject: [PATCH 10/19] Fixed dependencies and added push stage for other github images
---
 .../workflows/ci-redcap-fastcgi-client.yaml | 20 +++++++++++++++++++
 .github/workflows/ci-redcap-httpd-shibd.yaml | 20 +++++++++++++++++++
 .github/workflows/ci-redcap-php-fpm.yaml | 1 +
 3 files changed, 41 insertions(+)
diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml
index af2f80c..7783dd3 100644
--- a/.github/workflows/ci-redcap-fastcgi-client.yaml
+++ b/.github/workflows/ci-redcap-fastcgi-client.yaml
@@ -46,3 +46,23 @@ jobs:
 scanners: 'vuln,secret,license'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
+
+ push-redcap-fastcgi-client:
+ name: push-redcap-fastcgi-client
+ needs: scan-redcap-fastcgi-client
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: 'Login to GitHub Container Registry'
+ uses: docker/login-action@v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+ - name: Build and push
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: "{{defaultContext}}:fastcgi-client"
+ push: true
+ tags: ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}
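Review bot: The new `push-redcap-php-fpm` job authenticates to ghcr.io with `${{secrets.GITHUB_TOKEN}}` but declares no `permissions:`, so whether the push succeeds depends on the repository's default token setting and, where that default is read/write, the job holds far more than it needs; add `permissions:` with `contents: read` and `packages: write` to the job (the `push-redcap-fastcgi-client` hunk later on this line and the httpd-shibd one at L19 need the same). The job also rebuilds the image with `docker/build-push-action` rather than pushing the image that `scan-redcap-php-fpm` examined, so what reaches the registry is a second build whose base-image resolution and package versions can differ from the one Trivy and Dockle approved; building once, scanning that image and pushing the same digest (or at least pinning the base images by digest so the two builds converge) closes that gap. The workflow is triggered on `pull_request` and the push step has no `if:`, so at this point every PR event also attempts a publish.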
diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml
index 5f53616..ac4315f 100644
--- a/.github/workflows/ci-redcap-httpd-shibd.yaml
+++ b/.github/workflows/ci-redcap-httpd-shibd.yaml
@@ -46,3 +46,23 @@ jobs:
 scanners: 'vuln,secret,license'
 vuln-type: 'os,library'
 severity: 'CRITICAL'
+
+ push-redcap-httpd-shibd:
+ name: push-redcap-httpd-shibd
+ needs: scan-redcap-httpd-shibd
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: 'Login to GitHub Container Registry'
+ uses: docker/login-action@v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+ - name: Build and push
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: "{{defaultContext}}:httpd-shibd"
+ push: true
+ tags: ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}
\ No newline at end of file
diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml
index 0cffcca..3bd0da4 100644
--- a/.github/workflows/ci-redcap-php-fpm.yaml
+++ b/.github/workflows/ci-redcap-php-fpm.yaml
@@ -49,6 +49,7 @@ jobs:
 push-redcap-php-fpm:
 name: push-redcap-php-fpm
+ needs: scan-redcap-php-fpm
 runs-on: ubuntu-24.04
 steps: - name: Checkout code
From 436aaf0fe092c5643febf3a05e8b24e9aa849034 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Tue, 26 Nov 2024 16:04:36 +0100
Subject: [PATCH 11/19] Updated php fcgi to have non-root user
---
 fastcgi-client/Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/fastcgi-client/Dockerfile b/fastcgi-client/Dockerfile
index 0b98904..0b69f32 100644
--- a/fastcgi-client/Dockerfile
+++ b/fastcgi-client/Dockerfile
@@ -5,4 +5,8 @@ LABEL maintainer=APHP
 RUN apk update &&\
 apk add --no-cache fcgi
+RUN useradd cgi
+
+USER cgi
+
 ENTRYPOINT ["cgi-fcgi"]
From cb2f15856345c9b0399691bafea189c13f709610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Tue, 26 Nov 2024 16:36:48 +0100
Subject: [PATCH 12/19] Replaces useradd with adduser in th ealpine build of fastcgi client
---
 fastcgi-client/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fastcgi-client/Dockerfile b/fastcgi-client/Dockerfile
index 0b69f32..0d92c5e 100644
--- a/fastcgi-client/Dockerfile
+++ b/fastcgi-client/Dockerfile
@@ -5,7 +5,7 @@ LABEL maintainer=APHP
 RUN apk update &&\
 apk add --no-cache fcgi
-RUN useradd cgi
+RUN adduser -S cgi
 USER cgi
From e569a6f7e77e20c97cd205b025106de9979d86a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Sun, 1 Dec 2024 15:05:27 +0100
Subject: [PATCH 13/19] Added docs, contribs and refactored pipelines to push images with correct oci tags
---
 .../workflows/ci-redcap-fastcgi-client.yaml | 40 ++++++++--
 .github/workflows/ci-redcap-httpd-shibd.yaml | 33 +++++++-
 .github/workflows/ci-redcap-php-fpm.yaml | 33 +++++++-
 CONTRIBUTING | 21 +++++
 LICENSE | 2 +
 NOTICE | 14 ++++
 README.md | 37 ++++++++-
 fastcgi-client/README.md | 23 ++++++
 httpd-shibd/README.md | 79 +++++++++++++++
 php-fpm/README.md | 32 ++++++++
 10 files changed, 298 insertions(+), 16 deletions(-)
 create mode 100644 CONTRIBUTING
 create mode 100644 NOTICE
 create mode 100644 fastcgi-client/README.md
 create mode 100644 httpd-shibd/README.md
 create mode 100644 php-fpm/README.md
diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml
index 7783dd3..06c7c64 100644
--- a/.github/workflows/ci-redcap-fastcgi-client.yaml
+++ b/.github/workflows/ci-redcap-fastcgi-client.yaml
@@ -1,10 +1,11 @@ name: build + on: push: branches: - - main - - dev - pull_request: + - "dev" + tags: + - "v*.*.*" jobs: lint-redcap-fastcgi-client:
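Review bot: `RUN adduser -S cgi` leaves the UID to BusyBox's allocation, so a runtime that enforces non-root by numeric UID (Kubernetes `runAsNonRoot`) cannot verify the `USER cgi` line from the image metadata alone; `RUN adduser -S -H -u 10001 cgi` fixes a high UID and skips the unused home directory, after which `USER 10001` makes the check independent of `/etc/passwd`. The `apk update` call earlier in the same file remains redundant next to `--no-cache` and still leaves the index in the layer.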
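Review bot: Removing `pull_request:` from the triggers means lint, Dockle and Trivy no longer run on proposed changes; only pushes to `dev` and `v*.*.*` tags are checked, so a Dockerfile regression is first caught after it has already landed on the branch that publishes images. If the aim was only to stop PR runs from publishing, keeping `pull_request:` here and relying on the `push: ${{ github.event_name != 'pull_request' }}` condition this same commit adds to the build step achieves that; without the trigger that condition and the `type=ref,event=pr` tag rule are dead. `main` also disappears from the branch list, so presumably releases are meant to flow only through tags — a comment above `branches:` stating that would save the next reader the guess.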
@@ -54,15 +55,40 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + # list of Docker images to use as base name for tags + images: | + ghcr.io/aphp/fastcgi-client + # generate Docker tags based on the following events/attributes + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: 'Login to GitHub Container Registry' uses: docker/login-action@v3.3.0 with: registry: ghcr.io username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} + - name: Build and push - uses: docker/build-push-action@v6.9.0 + uses: docker/build-push-action@v6 with: - context: "{{defaultContext}}:fastcgi-client" - push: true - tags: ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml index ac4315f..3e8c9bc 100644 --- a/.github/workflows/ci-redcap-httpd-shibd.yaml +++ b/.github/workflows/ci-redcap-httpd-shibd.yaml 
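Review bot: With `pull_request` removed from this workflow's triggers in the same commit, `push: ${{ github.event_name != 'pull_request' }}` is always true and the `type=ref,event=pr` and `type=schedule` entries of the metadata step are dead (there is no `schedule:` trigger either); either restore the PR trigger or drop the guard and the unused tag types so the publish condition reads as it behaves. Moving from the pinned `docker/build-push-action@v6.9.0` to the floating `@v6` (alongside `metadata-action@v5`, `setup-qemu-action@v3`, `setup-buildx-action@v3`) widens the supply-chain exposure of a job that holds a ghcr write token; pin each action to a commit SHA. The job also still has no `permissions:` block, so add `permissions:` / `  contents: read` / `  packages: write` to scope the token to what the push needs.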
@@ -54,15 +54,40 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + # list of Docker images to use as base name for tags + images: | + ghcr.io/aphp/httpd-shibd + # generate Docker tags based on the following events/attributes + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: 'Login to GitHub Container Registry' uses: docker/login-action@v3.3.0 with: registry: ghcr.io username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} + - name: Build and push - uses: docker/build-push-action@v6.9.0 + uses: docker/build-push-action@v6 with: - context: "{{defaultContext}}:httpd-shibd" - push: true - tags: ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} \ No newline at end of file + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml index 3bd0da4..13d48de 100644 --- a/.github/workflows/ci-redcap-php-fpm.yaml +++ b/.github/workflows/ci-redcap-php-fpm.yaml 
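Review bot: The image published by this step is a fresh buildx build, not the artifact the preceding scan job ran Trivy against, so the `needs:` gate vouches for a sibling image rather than the one users pull, and any non-pinned package install in the Dockerfile can make the two differ. Give the step an `id: build`, then scan `ghcr.io/aphp/redcap-httpd-shibd@${{ steps.build.outputs.digest }}` in a following step (or a job that `needs` this one) before applying the release tags, so the digest that is promoted is the one that was scanned. The `setup-qemu-action` step adds nothing without a `platforms:` input on the build step; drop it, or add `platforms: linux/amd64,linux/arm64` deliberately so the multi-arch intent is explicit.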
@@ -54,15 +54,40 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + # list of Docker images to use as base name for tags + images: | + ghcr.io/aphp/php-fpm + # generate Docker tags based on the following events/attributes + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: 'Login to GitHub Container Registry' uses: docker/login-action@v3.3.0 with: registry: ghcr.io username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} + - name: Build and push - uses: docker/build-push-action@v6.9.0 + uses: docker/build-push-action@v6 with: - context: "{{defaultContext}}:php-fpm" - push: true - tags: ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} \ No newline at end of file + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/CONTRIBUTING b/CONTRIBUTING new file mode 100644 index 0000000..4c3613c --- /dev/null +++ b/CONTRIBUTING 
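Review bot: The publish step emits no attestations for an image that will host the REDCap application code; add `provenance: true` and `sbom: true` to the build-push inputs so ghcr carries SLSA provenance and an SBOM for the digest the Helm chart pulls, and consider signing that digest (e.g. cosign keyless with the workflow's OIDC identity, which needs `id-token: write`). As in the sibling workflows, `docker/build-push-action@v6`, `metadata-action@v5`, `setup-qemu-action@v3` and `setup-buildx-action@v3` are floating major tags and the job declares no `permissions:` block; pin the actions to commit SHAs and scope the token with `permissions:` / `  contents: read` / `  packages: write`. The QEMU step is inert without a `platforms:` input on the build step.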
@@ -0,0 +1,21 @@ + +## How to contribute to the `aphp/redcap-containers` project + +#### **Did you find a bug?** + +* **Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/aphp/redcap-containers/issues). + +* If you're unable to find an open issue addressing the problem, [open a new one](https://github.com/aphp/redcap-containers/issues/new). Be sure to include a **title and clear description**, as much relevant information as possible, and a **code sample** or an **executable test case** demonstrating the expected behavior that is not occurring. + +#### **Did you write a patch that fixes a bug?** + +* Open a new GitHub pull request with the patch. + +* Ensure the PR description clearly describes the problem and solution. Include the relevant issue number if applicable. + +#### **Do you intend to add a new feature or change an existing one?** + +* Suggest your change in a dedicated issue. + +* Do not submit a PR on GitHub until you have collected positive feedback about the change. + diff --git a/LICENSE b/LICENSE index 261eeb9..43b2cbc 100644 --- a/LICENSE +++ b/LICENSE @@ -199,3 +199,5 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + +[2023 - 2024] [REDCap Helm Chart] © Assistance Publique – Hôpitaux de Paris. \ No newline at end of file diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..e4568f2 --- /dev/null +++ b/NOTICE 
@@ -0,0 +1,14 @@ +This software contains the following dependencies developped by Broadcom : + +- Docker Images + - alpinelinux : https://github.com/alpinelinux/docker-alpine + - rockylinux : https://github.com/rocky-linux/sig-cloud-instance-images + - docker/php: https://github.com/docker-library/php + +Those dependecies are present as source f the images presents in this repository. +Indidual licence statements are presents in the following links : + - alpinelinux : https://github.com/alpinelinux/docker-alpine/blob/master/LICENSE + - rockylinux : https://rockylinux.org/fr-FR/legal/licensing + - docker/php: https://github.com/docker-library/php/blob/master/LICENSE + +The build process of the images present in this repository includes a licence check - reports can be found in the Github Actions. diff --git a/README.md b/README.md index 89fd52e..be5ec29 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,36 @@ -# redcap-containers \ No newline at end of file +# APHP - REDCap Helm Chart containers + +## Presentation + +This repository is hosting the container images that are needed to run the REDCap Helm Chart provided by the Greater Paris University Hospitals. + +Those images are as follow : +- `httpd-shibd` : A custom container made to host an instance of Apache HTTPd and Shibboleth. + - [see the `httpd-shibd` folder](./httpd-shibd/) +- `fastcgi-client` : A simple FastCGI client. + - [see the `fastcgi-client` folder](./fastcgi-client/) +- `php-fpm` : A PHP 8.2 FPM server that contains all dependencies and configurations needed by REDCap. + - [see the `php-fpm` folder](./php-fpm/) + +Each subfolder contains its own README file. + +All those containers are `rootless`, and **none of them is containing, or distributing REDCap binairies**. +If you wish to use REDCap and are not sure where to start, you may visit the dedicated [REDCap Community Site](https://projectredcap.org/resources/community/). + +## Continous Integration / Continous Delivery + +This project uses 3 Github Workflows (presents under the .github/workflows directory), which will, for each image : +- Lint the Dockerfile using `Hadolint` +- Scan the container images using `Dockle` +- Runs critical vulnerability, secrets and license checks on the container image using `Trivy` +- Pushes the container images to this project's GHCR for it to be retrieved as a container image. + +## How can I contribute? + +You're welcome to read the [contrinuting guidelines](./CONTRIBUTING). + +## How is this project licensed? + +The informations about the licensing and the dependencies of this project can be found under : +- The [project's license file](./LICENSE) +- The [legal notice](./NOTICE) \ No newline at end of file diff --git a/fastcgi-client/README.md b/fastcgi-client/README.md new file mode 100644 index 0000000..0299887 --- /dev/null +++ b/fastcgi-client/README.md 
@@ -0,0 +1,23 @@ +# `aphp/fastcgi-client` container image + +## Description +This image aims to build a container able to do simple FastCGI calls. This is usefull to do calls to REDCap (eg : for firing the cronjobs) "internally", without having to expose the REDCap cronjob URL to the internet. It can be used for all alike purposes, as fring REDCap's autoinstall once the software is deployed on the PHP-FPM Server + +## Content +This is a simple rootless image, based on Alpine Linux 3, on top of which is installed the [`cgi-fcgi`](https://github.com/FastCGI-Archives/fcgi2) binairies. + +## How to use + +The container image build from this project's Github Workflow is hosted on the GHCR of the [`aphp/redcap-containers` project](https://github.com/aphp/redcap-containers/pkgs/container/redcap-fastcgi-client). You can pull it using that command : + +```sh +docker pull ghcr.io/aphp/redcap-fastcgi-client:latest +``` + +## How to build locally + +From the root of this repository, simply build the image (example with Docker) : + +```sh +docker build -t localhost/redcap-fastcgi-client:latest ./fastcgi-client +``` \ No newline at end of file diff --git a/httpd-shibd/README.md b/httpd-shibd/README.md new file mode 100644 index 0000000..42b6204 --- /dev/null +++ b/httpd-shibd/README.md 
@@ -0,0 +1,79 @@ +# `aphp/httpd-shibd` container image + +## Description +This image aims to build a custom container made to host an instance of Apache HTTPd and Shibboleth. Since Shibboleth is provided as a HTTPd module that spawns its own process, it cannot be easily isolated in a dedicated container. This container is then spawning and managing both of those processes with a `supervisord` rootless installation. +You can then map a `supervisord` configuration file that will handle the spawning of HTTPd and/or Shibboleth, according to your usecase. + +## Content +This image use [the reccomended way to install Shibboleth](https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335566/RPMInstall) on a RHEL/CentOS/RockyLinux 8+ base OS, alogside httpd. +A dedicated non-root user is then created in order to manage the processes in a secure way. + +## Configuration + +### supervisord + +Usually, a `supervisord` configuration file is used alongside this image, in order to efficienly manage and logs the processes activity. + +Here's an example : + +```ini +[supervisord] +#user=supervisor +pidfile=/var/run/supervisor/supervisord.pid +logfile=/var/log/supervisor/supervisord.log +logfile_backups=10 ; (num of main logfile rotation backups;default 10) +loglevel=info ; (log level;default info; others: debug,warn,trace) +nodaemon=true ; (start in foreground if true;default false) +minfds=1024 ; (min. avail startup file descriptors;default 1024) +minprocs=200 ; (min. 
avail process descriptors;default 200) + +[rpcinterface:supervisor] +supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface + +[eventlistener:processes] +command=bash -c "printf 'READY\n' && while read line; do kill -SIGQUIT $PPID; done < /dev/stdin" +events=PROCESS_STATE_STOPPED,PROCESS_STATE_EXITED,PROCESS_STATE_FATAL + +[program:httpd] +command=httpd -c "CustomLog /dev/stdout common" -c "ErrorLog /dev/stderr" -DFOREGROUND +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +killasgroup=true +stopasgroup=true + +# If you wish to spawn Shibboleth process +[program:shibd] +command=shibd -F +stderr_logfile=/dev/fd/1 +stderr_logfile_maxbytes=0 +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +``` + +### HTTPd + +Depending of your usecase, the REDcap Communite Site can provide you zith the best ways to configure your HTTPd server. + +## How to use + +The container image build from this project's Github Workflow is hosted on the GHCR of the [`aphp/redcap-containers` project](https://github.com/aphp/redcap-containers/pkgs/container/redcap-httpd-shibd). You can pull it using that command : + +```sh +docker pull ghcr.io/aphp/redcap-httpd-shibd:latest +``` + +If you wish to run it alongside the `supervisord` config file, juste use the following command : + +```sh +docker run ghcr.io/aphp/redcap-httpd-shibd:latest -v ${your-config-file}:/etc/supervisor/supervisord-redcap-front.conf +``` + +## How to build locally + +From the root of this repository, simply build the image (example with Docker) : + +```sh +docker build -t localhost/redcap-httpd-shibd:latest ./httpd-shibd +``` \ No newline at end of file diff --git a/php-fpm/README.md b/php-fpm/README.md new file mode 100644 index 0000000..b0155e6 --- /dev/null +++ b/php-fpm/README.md 
@@ -0,0 +1,32 @@ +# `aphp/php-fpm` container image + +## Description +This image aims to provides with a PHP 8.2 FPM server, including all the dependencies that REDCap needs to operates correctly (this includes several image processing librairies, as well as some custom PHP extensions as `imagemagick`). + +**This image doesn't contains, nor distributes REDCap binairies**. +If you wish to use REDCap and are not sure where to start, you may visit the dedicated [REDCap Community Site](https://projectredcap.org/resources/community/). + +## Content +... + +## How to use + +The container image build from this project's Github Workflow is hosted on the GHCR of the [`aphp/redcap-containers` project](https://github.com/aphp/redcap-containers/pkgs/container/redcap-php-fpm). You can pull it using that command : + +```sh +docker pull ghcr.io/aphp/redcap-php-fpm:latest +``` + +If you want to serve the REDCap application with that image, you will have to retrieve the REDCap install archive, and map the content of the `redcap` directory to `` directory inside the container, like so (example with Docker) : + +```sh +docker run ghcr.io/aphp/redcap-php-fpm:latest-v ${redcap-app-dir}:/var/www/redcap +``` + +## How to build locally + +From the root of this repository, simply build the image (example with Docker) : + +```sh +docker build -t localhost/redcap-php-fpm:latest ./php-fpm +``` \ No newline at end of file From be5d6277506f267e2d5f711a10dba7a1c857aaff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 1 Dec 2024 15:08:13 +0100 Subject: [PATCH 14/19] Added contributing md extension --- CONTRIBUTING => CONTRIBUTING.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename CONTRIBUTING => CONTRIBUTING.md (100%) diff --git a/CONTRIBUTING b/CONTRIBUTING.md similarity index 100% rename from CONTRIBUTING rename to CONTRIBUTING.md From 0df82edc1a40aa988fe17b07ef7d7d7f1193b01c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 1 Dec 2024 15:08:51 +0100 Subject: [PATCH 15/19] Fixed typo and ref to contribution guide --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be5ec29..d2b57e5 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ This project uses 3 Github Workflows (presents under the .github/workflows direc ## How can I contribute? -You're welcome to read the [contrinuting guidelines](./CONTRIBUTING). +You're welcome to read the [contributing guidelines](./CONTRIBUTING.md). ## How is this project licensed? From 4c452a7bd5d6b5a4620ccebf4de41a18130f9994 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 1 Dec 2024 15:11:35 +0100 Subject: [PATCH 16/19] Fixed typo and readme, and fixed bad context ref for dockerfile --- .github/workflows/ci-redcap-fastcgi-client.yaml | 1 + .github/workflows/ci-redcap-httpd-shibd.yaml | 1 + .github/workflows/ci-redcap-php-fpm.yaml | 1 + README.md | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml index 06c7c64..2312e83 100644 --- a/.github/workflows/ci-redcap-fastcgi-client.yaml +++ b/.github/workflows/ci-redcap-fastcgi-client.yaml @@ -89,6 +89,7 @@ jobs: - name: Build and push uses: docker/build-push-action@v6 with: + context: "{{defaultContext}}:fastcgi-client" push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml index 3e8c9bc..510cac4 100644 --- a/.github/workflows/ci-redcap-httpd-shibd.yaml +++ b/.github/workflows/ci-redcap-httpd-shibd.yaml 
@@ -88,6 +88,7 @@ jobs: - name: Build and push uses: docker/build-push-action@v6 with: + context: "{{defaultContext}}:httpd-shibd" push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml index 13d48de..da3db89 100644 --- a/.github/workflows/ci-redcap-php-fpm.yaml +++ b/.github/workflows/ci-redcap-php-fpm.yaml @@ -88,6 +88,7 @@ jobs: - name: Build and push uses: docker/build-push-action@v6 with: + context: "{{defaultContext}}:php-fpm" push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/README.md b/README.md index d2b57e5..af3e334 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ This project uses 3 Github Workflows (presents under the .github/workflows direc ## How can I contribute? -You're welcome to read the [contributing guidelines](./CONTRIBUTING.md). +You're welcome to read the [contribution guidelines](./CONTRIBUTING.md). ## How is this project licensed? From 037d37c941b9d0eac8dbfc4e31112735d7c07a95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 1 Dec 2024 15:26:20 +0100 Subject: [PATCH 17/19] Added missing readme content for php fpm imag, and fixed images tag --- .github/workflows/ci-redcap-fastcgi-client.yaml | 2 +- .github/workflows/ci-redcap-httpd-shibd.yaml | 2 +- .github/workflows/ci-redcap-php-fpm.yaml | 2 +- php-fpm/README.md | 14 +++++++++++--- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml index 2312e83..b72af83 100644 --- a/.github/workflows/ci-redcap-fastcgi-client.yaml +++ b/.github/workflows/ci-redcap-fastcgi-client.yaml 
@@ -62,7 +62,7 @@ jobs: with: # list of Docker images to use as base name for tags images: | - ghcr.io/aphp/fastcgi-client + ghcr.io/aphp/redcqp-fastcgi-client # generate Docker tags based on the following events/attributes tags: | type=schedule diff --git a/.github/workflows/ci-redcap-httpd-shibd.yaml b/.github/workflows/ci-redcap-httpd-shibd.yaml index 510cac4..2ef2b9c 100644 --- a/.github/workflows/ci-redcap-httpd-shibd.yaml +++ b/.github/workflows/ci-redcap-httpd-shibd.yaml @@ -61,7 +61,7 @@ jobs: with: # list of Docker images to use as base name for tags images: | - ghcr.io/aphp/httpd-shibd + ghcr.io/aphp/redcap-httpd-shibd # generate Docker tags based on the following events/attributes tags: | type=schedule diff --git a/.github/workflows/ci-redcap-php-fpm.yaml b/.github/workflows/ci-redcap-php-fpm.yaml index da3db89..970a555 100644 --- a/.github/workflows/ci-redcap-php-fpm.yaml +++ b/.github/workflows/ci-redcap-php-fpm.yaml @@ -61,7 +61,7 @@ jobs: with: # list of Docker images to use as base name for tags images: | - ghcr.io/aphp/php-fpm + ghcr.io/aphp/redcap-php-fpm # generate Docker tags based on the following events/attributes tags: | type=schedule diff --git a/php-fpm/README.md b/php-fpm/README.md index b0155e6..3958d5e 100644 --- a/php-fpm/README.md +++ b/php-fpm/README.md 
@@ -1,13 +1,21 @@ # `aphp/php-fpm` container image ## Description -This image aims to provides with a PHP 8.2 FPM server, including all the dependencies that REDCap needs to operates correctly (this includes several image processing librairies, as well as some custom PHP extensions as `imagemagick`). +This image aims to provides with a PHP 8.2 FPM server, including all the dependencies that REDCap needs to operates correctly (this includes several image processing librairies, as well as some custom PHP extensions as `imagick`). **This image doesn't contains, nor distributes REDCap binairies**. If you wish to use REDCap and are not sure where to start, you may visit the dedicated [REDCap Community Site](https://projectredcap.org/resources/community/). ## Content -... +The image is based on the official PHP 8.2 FPM image (debian-bookworm flavor), on top of which are added a few librairies and php extensions, such as : +- `imagick` +- `libpng` +- `libcurl` +- `mysqli` +- `ghostscript` + +On top of this, the `/app/redcap` (with a symlink pointing to`/var/www/redcap`) and `/edocs` dirs are created with suitzable persmissions, ready to handle a redcap installation. +Finally, the image being rootless, the user `www-data` is exposed as the one executing the process. ## How to use @@ -20,7 +28,7 @@ docker pull ghcr.io/aphp/redcap-php-fpm:latest If you want to serve the REDCap application with that image, you will have to retrieve the REDCap install archive, and map the content of the `redcap` directory to `` directory inside the container, like so (example with Docker) : ```sh -docker run ghcr.io/aphp/redcap-php-fpm:latest-v ${redcap-app-dir}:/var/www/redcap +docker run ghcr.io/aphp/redcap-php-fpm:latest -v ${redcap-app-dir}:/var/www/redcap ``` ## How to build locally From 99af8fabf0690891daa9bdc0f56fc3076cc43b06 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 1 Dec 2024 15:31:01 +0100 Subject: [PATCH 18/19] Fixed bad tag name --- .github/workflows/ci-redcap-fastcgi-client.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-redcap-fastcgi-client.yaml b/.github/workflows/ci-redcap-fastcgi-client.yaml index b72af83..c6e06a2 100644 --- a/.github/workflows/ci-redcap-fastcgi-client.yaml +++ b/.github/workflows/ci-redcap-fastcgi-client.yaml @@ -62,7 +62,7 @@ jobs: with: # list of Docker images to use as base name for tags images: | - ghcr.io/aphp/redcqp-fastcgi-client + ghcr.io/aphp/redcap-fastcgi-client # generate Docker tags based on the following events/attributes tags: | type=schedule From da7e3b8ff9538bc3069431bc8ad6100cdbf6d6a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Sun, 1 Dec 2024 15:37:03 +0100 Subject: [PATCH 19/19] Fixed typos in various READMEs --- fastcgi-client/README.md | 2 +- httpd-shibd/README.md | 2 +- php-fpm/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fastcgi-client/README.md b/fastcgi-client/README.md index 0299887..dffb3ee 100644 --- a/fastcgi-client/README.md +++ b/fastcgi-client/README.md 
@@ -1,7 +1,7 @@ # `aphp/fastcgi-client` container image ## Description -This image aims to build a container able to do simple FastCGI calls. This is usefull to do calls to REDCap (eg : for firing the cronjobs) "internally", without having to expose the REDCap cronjob URL to the internet. It can be used for all alike purposes, as fring REDCap's autoinstall once the software is deployed on the PHP-FPM Server +This image aims to build a container able to do simple FastCGI calls. This is usefull for calling REDCap, eg. for firing the cronjobs "internally", without having to expose the REDCap cronjob URL to the internet. It can be used for all alike purposes, like firing REDCap's autoinstall once the software is deployed on the PHP-FPM Server. ## Content This is a simple rootless image, based on Alpine Linux 3, on top of which is installed the [`cgi-fcgi`](https://github.com/FastCGI-Archives/fcgi2) binairies. diff --git a/httpd-shibd/README.md b/httpd-shibd/README.md index 42b6204..23c92f9 100644 --- a/httpd-shibd/README.md +++ b/httpd-shibd/README.md @@ -54,7 +54,7 @@ stdout_logfile_maxbytes=0 ### HTTPd -Depending of your usecase, the REDcap Communite Site can provide you zith the best ways to configure your HTTPd server. +Depending of your usecase, the REDcap Communite Site can provide you with the best ways to configure your HTTPd server. ## How to use diff --git a/php-fpm/README.md b/php-fpm/README.md index 3958d5e..54ca37b 100644 --- a/php-fpm/README.md +++ b/php-fpm/README.md 
@@ -14,7 +14,7 @@ The image is based on the official PHP 8.2 FPM image (debian-bookworm flavor), o - `mysqli` - `ghostscript` -On top of this, the `/app/redcap` (with a symlink pointing to`/var/www/redcap`) and `/edocs` dirs are created with suitzable persmissions, ready to handle a redcap installation. +On top of this, the `/app/redcap` (with a symlink pointing to`/var/www/redcap`) and `/edocs` dirs are created with suitable persmissions, ready to handle a REDCap installation. Finally, the image being rootless, the user `www-data` is exposed as the one executing the process. ## How to use