From 99eb71a4cd11f8c01733758b695a95cb7ce7c044 Mon Sep 17 00:00:00 2001
From: Jeremy Huntwork
Date: Wed, 8 Jan 2025 10:00:24 -0500
Subject: [PATCH] Some additional fixes/changes

- Let the php container run the inet supervisord for the bg workers still
- Properly configure the cron container to exec cron
- Add configuration to optionally change the sock file location for php-fpm, allows us to specify a shared file between containers in a pod
- make new entrypoint files executable
- Set the php config value for `session.cookie_domain` so that it doesn't use the default of ''. When empty it falls back to the hostname which will be different per pod, meaning that each pod will handle session requests separately, which breaks things like OIDC.
---
 core/files/entrypoint.sh | 8 +++++---
 core/files/entrypoint_cron.sh | 5 +++++
 core/files/entrypoint_fpm.sh | 5 +++++
 core/files/entrypoint_k8s_fpm.sh | 3 +--
 core/files/entrypoint_k8s_nginx.sh | 3 ++-
 core/files/entrypoint_nginx.sh | 6 ++++++
 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s | 9 ---------
 7 files changed, 24 insertions(+), 15 deletions(-)
 mode change 100644 => 100755 core/files/entrypoint_k8s_fpm.sh
 mode change 100644 => 100755 core/files/entrypoint_k8s_nginx.sh
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 7545f8c..bb90cb2 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -74,14 +74,16 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
 exec /entrypoint_k8s_nginx.sh
 ;;
 php*)
+ # Not ideal, but let supervisord manage the workers still
+ mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
+ /usr/bin/supervisord -c /etc/supervisor/supervisord.conf &
 exec /entrypoint_k8s_fpm.sh
 ;;
 cron*)
- mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
- exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+ exec /entrypoint_cron.sh
 ;;
 esac
 else
 # start supervisord using the main configuration file so we have a socket interface
 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
-fi
\ No newline at end of file
+fi
diff --git a/core/files/entrypoint_cron.sh b/core/files/entrypoint_cron.sh
index 66e5bf8..5a2640f 100755
--- a/core/files/entrypoint_cron.sh
+++ b/core/files/entrypoint_cron.sh
@@ -30,6 +30,11 @@ if [[ ! -p /tmp/cronlog ]]; then
 mkfifo -m 777 /tmp/cronlog
 fi
+if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
+ tail -f /tmp/cronlog &
+ exec cron -l -f
+fi
+
 # Build another fifo for the cron pipe
 if [[ ! -p /tmp/cronpipe ]]; then
 mkfifo /tmp/cronpipe
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index f231e55..dbb09f6 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
@@ -28,6 +28,7 @@ change_php_vars() {
 sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
 sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
 sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
+ sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE"
 done
 for FILE in /etc/php/*/fpm/pool.d/www.conf
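Review bot: In core/files/entrypoint.sh, the `php*)` branch now starts supervisord from the renamed `10-supervisor.conf.k8s`, whose context lines later in this patch show an inet HTTP interface on `port=127.0.0.1:9001` with `username=supervisor` / `password=supervisor`; containers in a pod share the loopback interface, so every container in the pod can reach that control interface with a static credential that ships in the image. Consider sourcing the password from a pod secret or using a unix socket with restrictive permissions instead (the worker tooling that talks to supervisord is not visible here, so confirm what it expects). Separately, `/usr/bin/supervisord ... &` followed by `exec` leaves supervisord unsupervised: if it fails to start or exits later, the workers stop while the container still looks healthy, so a liveness check or at least a comment such as `# NOTE: supervisord is not PID 1 here; its exit does not restart the container` would help. The surrounding `case` statement begins outside the hunk.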
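Review bot: In core/files/entrypoint_cron.sh, the backgrounded `tail -f /tmp/cronlog` becomes the only reader of the FIFO once `exec cron -l -f` replaces the shell, and nothing restarts it if it exits; a writer opening a FIFO that has no reader blocks, so cron jobs logging there would hang rather than fail (assuming the crontab redirects into /tmp/cronlog, which this hunk does not show). The FIFO is also created with `-m 777` in the context line above, so any process in the container can write lines that end up in the container's stdout log stream; a narrower mode would be safer if only the cron user writes to it. A short comment such as `# k8s: cron runs as PID 1; tail only relays the job log FIFO to container stdout` would record why the rest of the script is skipped in this branch.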
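Review bot: In core/files/entrypoint_fpm.sh, `session.cookie_domain` is set to `${BASE_URL}` verbatim, but the directive takes a bare host name; if BASE_URL carries a scheme, port or path (as the name suggests, though its format is not visible here), the resulting Domain attribute is invalid and browsers may drop the session cookie. Deriving the host first, e.g. `cookie_domain=${BASE_URL#*://}; cookie_domain=${cookie_domain%%[:/]*}`, and skipping the edit when the result is empty would avoid that; note too that an explicit Domain makes the cookie visible to subdomains of that host, where the empty default keeps it host-only. The value is also interpolated unescaped into the sed replacement, unlike `${ESCAPED}` in the save_path line above, so a `|` or `&` in it corrupts the line; the same applies to `${PHP_FPM_SOCK_FILE}` in the later hunk of this file and in entrypoint_nginx.sh, where a stray `;` or space would additionally end up as nginx directives. `change_php_vars` starts and ends outside this hunk.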
@@ -57,6 +58,10 @@ change_php_vars() {
 echo "Configure PHP | Disabling 'pm.status_listen'"
 sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE"
 fi
+ if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
+ echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}"
+ sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE"
+ fi
 done
 }
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh
old mode 100644
new mode 100755
index ba08ddf..c12ec83
--- a/core/files/entrypoint_k8s_fpm.sh
+++ b/core/files/entrypoint_k8s_fpm.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 source /entrypoint_nginx.sh
 source /entrypoint_fpm.sh
@@ -10,7 +10,6 @@ echo "INIT | Initialize MySQL ..." && init_mysql
 echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
 echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
 echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
-echo "INIT | Flip NGINX live ..." && flip_nginx true true
 # Run configure MISP script
 echo "INIT | Configure MISP installation ..."
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh
old mode 100644
new mode 100755
index 13638d3..cc9634c
--- a/core/files/entrypoint_k8s_nginx.sh
+++ b/core/files/entrypoint_k8s_nginx.sh
@@ -1,9 +1,10 @@
-#!/bin/bash
+#!/bin/bash -e
 source /entrypoint_nginx.sh
 # Initialize nginx
 echo "INIT | Initialize NGINX ..." && init_nginx
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
 # launch nginx as current shell process in container
 exec nginx -g 'daemon off;'
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 085a703..6a1576a 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
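Review bot: In core/files/entrypoint_fpm.sh, the new branch moves `listen` to `${PHP_FPM_SOCK_FILE}` but leaves the pool's socket ownership and mode settings untouched (`listen.owner`, `listen.group` and `listen.mode` are not visible in this hunk). FastCGI has no authentication of its own, so once the socket lives on a volume shared between containers, its file permissions are the only thing deciding who can hand requests straight to PHP-FPM without passing through nginx. I would set those directives in the same branch, or add a comment such as `# socket dir must be writable by php-fpm and accessible only to the nginx user` stating what the volume is expected to provide. It would also be worth rejecting values that are not absolute paths before editing the file. The enclosing loop and function begin outside the hunk.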
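Review bot: In core/files/entrypoint_k8s_fpm.sh (and again in entrypoint_k8s_nginx.sh), errexit is enabled through the shebang, `#!/bin/bash -e`, which is silently lost whenever the script is started as `bash /entrypoint_k8s_fpm.sh` rather than executed directly. A separate `set -e` line after the shebang is the more robust form, optionally with `-o pipefail` once the sourced functions have been checked against it. Since the functions from both `source`d files now run under errexit as well, a comment saying that any failing init step is meant to terminate the container would make the intent explicit.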
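Review bot: In core/files/entrypoint_k8s_nginx.sh, `flip_nginx true true` now runs as soon as the nginx container starts, whereas the line removed from entrypoint_k8s_fpm.sh ran it only after the MySQL, file and permission init steps had completed. If flipping live switches nginx from a maintenance page to the real site (flip_nginx's body is outside this patch, so this is inferred from the log text), requests can reach the application while the php container is still initialising or configuring MISP. A readiness probe tied to the php container, or a comment such as `# k8s: readiness is gated by the pod probes, not by this flip` stating where that gating now lives, would close the gap.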
@@ -217,6 +217,12 @@ flip_nginx() {
 }
 init_nginx() {
+ # Optional location of PHP-FPM sock file
+ if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
+ echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}"
+ sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp
+ fi
+
 # Adjust timeouts
 echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}"
 sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp
diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
index 296e384..aa929c2 100644
--- a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
+++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
@@ -10,12 +10,3 @@ stderr_logfile_maxbytes=0
 port=127.0.0.1:9001
 username=supervisor
 password=supervisor
-
-[program:cron]
-command=/entrypoint_cron.sh
-autorestart=true
-redirect_stderr=true
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
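Review bot: In core/files/entrypoint_nginx.sh, `PHP_FPM_SOCK_FILE` has to carry the same value in the nginx and php containers, yet nothing in `init_nginx` or in the matching branch of entrypoint_fpm.sh checks or documents that, and the diffstat shows no documentation or env-template change for the new variable. If it is set on one side only, nginx either keeps its previous `fastcgi_pass` target or points at a socket nobody listens on, and the failure shows up only as gateway errors at request time. Extending the comment to something like `# Optional PHP-FPM socket path; must be an absolute path on a volume mounted in both containers and match the php container's value` would make the contract visible. `init_nginx` continues past the end of the hunk.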