Some additional fixes/changes

- Let the php container run the inet supervisord for the bg workers
  still
- Properly configure the cron container to exec cron
- Add configuration to optionally change the sock file location for
  php-fpm, which allows us to specify a shared file between containers
  in a pod
- make new entrypoint files executable
- Set the php config value for `session.cookie_domain` so that it
  doesn't use the default of ''. When empty it falls back to the
  hostname which will be different per pod, meaning that each pod will
  handle session requests separately, which breaks things like OIDC.
pull/203/head
Jeremy Huntwork 2025-01-08 10:00:24 -05:00
parent b1dd1a81af
commit 99eb71a4cd
7 changed files with 24 additions and 15 deletions


@ -74,14 +74,16 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
exec /entrypoint_k8s_nginx.sh
;;
php*)
# Not ideal, but let supervisord manage the workers still
mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf &
exec /entrypoint_k8s_fpm.sh
;;
cron*)
mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
exec /entrypoint_cron.sh
;;
esac
else
# start supervisord using the main configuration file so we have a socket interface
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
fi
fi
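Review bot: In the `php*)` branch supervisord is started with `&` and the shell then `exec`s `/entrypoint_k8s_fpm.sh`, so nothing ties the worker supervisor to the container's lifecycle: if supervisord exits or fails to start, the container keeps running with no background workers and nothing restarts them. The line should at least carry a comment saying so, e.g. `# supervisord is not monitored here; add a liveness check for the workers or move them to their own container`. The supervisor config shown at the end of this commit also keeps the inet interface on `127.0.0.1:9001` with the static `supervisor`/`supervisor` login, and containers in one pod share loopback, so that control port is presumably reachable from the other containers in the pod; worth confirming it is still needed there. The enclosing `if`/`case` starts outside the hunk.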


@ -30,6 +30,11 @@ if [[ ! -p /tmp/cronlog ]]; then
mkfifo -m 777 /tmp/cronlog
fi
if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
tail -f /tmp/cronlog &
exec cron -l -f
fi
# Build another fifo for the cron pipe
if [[ ! -p /tmp/cronpipe ]]; then
mkfifo /tmp/cronpipe
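Review bot: The new Kubernetes branch forwards everything written to `/tmp/cronlog` to the container's stdout via `tail -f`, and that FIFO is created just above with `mkfifo -m 777`, so any process in the container can write lines that end up in the pod's log stream. If only the account running the cron jobs needs to write to it, the mode could be narrowed and the reason documented, e.g. `# cronlog is forwarded to the container log; keep it writable only by the job user`. The backgrounded `tail` is also unmonitored once `exec cron -l -f` replaces the shell, so a dead reader would go unnoticed and writers opening the FIFO would presumably block. The `if` opened on the hunk's last lines continues outside it.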


@ -28,6 +28,7 @@ change_php_vars() {
sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE"
done
for FILE in /etc/php/*/fpm/pool.d/www.conf
@ -57,6 +58,10 @@ change_php_vars() {
echo "Configure PHP | Disabling 'pm.status_listen'"
sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE"
fi
if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}"
sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE"
fi
done
}
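Review bot: `session.cookie_domain` is set to the raw `${BASE_URL}`, but PHP expects a bare host name there; if BASE_URL carries a scheme or port, as its name suggests, the cookie's Domain attribute would be invalid and browsers may reject the session cookie. Deriving the host first avoids that, e.g. `cookie_host=${BASE_URL#*://}; cookie_host=${cookie_host%%[:/]*}`, then using `${cookie_host}` in the sed replacement and skipping the line when BASE_URL is empty. An explicit Domain also makes the session cookie valid for subdomains of that host rather than host-only, which deserves a short comment next to the line so the wider scope is a recorded decision. change_php_vars starts outside the hunk.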

3
core/files/entrypoint_k8s_fpm.sh Normal file → Executable file

@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -e
source /entrypoint_nginx.sh
source /entrypoint_fpm.sh
@ -10,7 +10,6 @@ echo "INIT | Initialize MySQL ..." && init_mysql
echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
echo "INIT | Flip NGINX live ..." && flip_nginx true true
# Run configure MISP script
echo "INIT | Configure MISP installation ..."
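Review bot: Assuming `#!/bin/bash -e` is the new shebang here and in `core/files/entrypoint_k8s_nginx.sh`, the option only takes effect when the kernel executes the file directly; it is lost if the script is ever started as `bash /entrypoint_k8s_fpm.sh`. Keeping `#!/bin/bash` and adding `set -e` on its own line after it preserves the fail-fast behaviour in both cases. Since both scripts `source` other entrypoint files, a short comment that those files now run under errexit as well would help the next reader.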

3
core/files/entrypoint_k8s_nginx.sh Normal file → Executable file

@ -1,9 +1,10 @@
#!/bin/bash
#!/bin/bash -e
source /entrypoint_nginx.sh
# Initialize nginx
echo "INIT | Initialize NGINX ..." && init_nginx
echo "INIT | Flip NGINX live ..." && flip_nginx true true
# launch nginx as current shell process in container
exec nginx -g 'daemon off;'
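Review bot: `flip_nginx true true` now runs immediately after `init_nginx`, whereas the matching line in `entrypoint_k8s_fpm.sh` sat after the MySQL, file and permission initialisation, so the nginx container appears to go live without waiting for the PHP container to finish its init. flip_nginx is defined outside this page, so this is inferred; if it switches from a maintenance state to the live site, requests could reach a partially initialised application. A readiness check on the PHP side, or at least a comment such as `# goes live without waiting for the fpm container's init; readiness is handled by <probe>`, would make the ordering explicit.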


@ -217,6 +217,12 @@ flip_nginx() {
}
init_nginx() {
# Optional location of PHP-FPM sock file
if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}"
sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp
fi
# Adjust timeouts
echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}"
sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp
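Review bot: `PHP_FPM_SOCK_FILE` is interpolated unescaped into the sed replacement and from there into the nginx config, so a value containing `@`, `&`, `;` or whitespace would break the substitution or add directives to `/etc/nginx/includes/misp`; the same applies to the `listen =` substitution added in `change_php_vars`. The variable is operator-supplied, but a cheap guard before both uses keeps a typo from producing a broken or surprising config: `[[ "$PHP_FPM_SOCK_FILE" == /* && "$PHP_FPM_SOCK_FILE" != *[!A-Za-z0-9._/-]* ]] || { echo "invalid PHP_FPM_SOCK_FILE" >&2; exit 1; }`. A socket shared between containers should also have its owner and mode set deliberately on the FPM side (`listen.owner`, `listen.group`, `listen.mode`), which this commit does not show. init_nginx continues outside the hunk.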


@ -10,12 +10,3 @@ stderr_logfile_maxbytes=0
port=127.0.0.1:9001
username=supervisor
password=supervisor
[program:cron]
command=/entrypoint_cron.sh
autorestart=true
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0