Some additional fixes/changes

- Let the php container run the inet supervisord for the bg workers
  still
- Properly configure the cron container to exec cron
- Add configuration to optionally change the sock file location for
  php-fpm, allows us to specify a shared file between containers in a
  pod
- make new entrypoint files executable
- Set the php config value for `session.cookie_domain` so that it
  doesn't use the default of ''. When empty it falls back to the
  hostname which will be different per pod, meaning that each pod will
  handle session requests separately, which breaks things like OIDC.
pull/203/head
Jeremy Huntwork 2025-01-08 10:00:24 -05:00
parent b1dd1a81af
commit 99eb71a4cd
7 changed files with 24 additions and 15 deletions


@ -74,14 +74,16 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
exec /entrypoint_k8s_nginx.sh exec /entrypoint_k8s_nginx.sh
;; ;;
php*) php*)
# Not ideal, but let supervisord manage the workers still
mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf &
exec /entrypoint_k8s_fpm.sh exec /entrypoint_k8s_fpm.sh
;; ;;
cron*) cron*)
mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,} exec /entrypoint_cron.sh
exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
;; ;;
esac esac
else else
# start supervisord using the main configuration file so we have a socket interface # start supervisord using the main configuration file so we have a socket interface
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
fi fi
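Review bot: Starting supervisord in the `php*)` branch brings up its inet control interface inside the pod, and the supervisor config shown at the end of this page sets `port=127.0.0.1:9001` with `username=supervisor` / `password=supervisor`; if that is the file being renamed here, every container sharing the pod's network namespace (nginx, cron) can reach that interface with a known credential. For the k8s variant, consider a `[unix_http_server]` socket with a restrictive `chmod`, or a credential injected from a Secret. Separately, the following `exec` leaves the backgrounded `supervisord ... &` unsupervised, so if it dies the workers stop while the container still looks healthy, and a failed `mv` goes unnoticed; `mv ... || exit 1` plus a liveness probe that covers the workers would close both gaps. The `case` statement begins outside the hunk.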


@ -30,6 +30,11 @@ if [[ ! -p /tmp/cronlog ]]; then
mkfifo -m 777 /tmp/cronlog mkfifo -m 777 /tmp/cronlog
fi fi
if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
tail -f /tmp/cronlog &
exec cron -l -f
fi
# Build another fifo for the cron pipe # Build another fifo for the cron pipe
if [[ ! -p /tmp/cronpipe ]]; then if [[ ! -p /tmp/cronpipe ]]; then
mkfifo /tmp/cronpipe mkfifo /tmp/cronpipe
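Review bot: The new Kubernetes branch leaves `tail -f /tmp/cronlog &` unsupervised once `exec cron -l -f` replaces the shell, and nothing explains that the early exec skips the cronpipe setup below. If the tail exits, anything opening the FIFO for writing will block for lack of a reader, and cron output stops reaching the container log without the container failing. A comment such as `# k8s: run cron in the foreground; the cronpipe setup below is not used here` (if that is the intent) would document the branch, and the log relay deserves a liveness check. The FIFO is also created with `-m 777` in the context line above, so any process in the container can write lines into what is now the container's stdout log. A narrower mode, owned by the user that runs the jobs, would be tighter.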


@ -28,6 +28,7 @@ change_php_vars() {
sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE" sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE" sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE" sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE"
done done
for FILE in /etc/php/*/fpm/pool.d/www.conf for FILE in /etc/php/*/fpm/pool.d/www.conf
@ -57,6 +58,10 @@ change_php_vars() {
echo "Configure PHP | Disabling 'pm.status_listen'" echo "Configure PHP | Disabling 'pm.status_listen'"
sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE" sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE"
fi fi
if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}"
sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE"
fi
done done
} }
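Review bot: `session.cookie_domain` on the added `sed` line is filled with `${BASE_URL}` verbatim, but PHP expects a bare host name there. If BASE_URL carries a scheme, port or path (as the name suggests; its format is not visible in this hunk), the resulting Domain attribute is invalid and browsers may drop the session cookie. Deriving the host first would avoid that: `host=${BASE_URL#*://}; host=${host%%[:/]*}` and then `session.cookie_domain = ${host}`, skipping the edit when the value is empty. Setting an explicit domain also makes the session cookie available to subdomains of that host rather than host-only, which is worth a comment next to the line so the wider scope is a recorded decision. change_php_vars begins outside the hunk.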

3
core/files/entrypoint_k8s_fpm.sh Normal file → Executable file

@ -1,4 +1,4 @@
#!/bin/bash #!/bin/bash -e
source /entrypoint_nginx.sh source /entrypoint_nginx.sh
source /entrypoint_fpm.sh source /entrypoint_fpm.sh
@ -10,7 +10,6 @@ echo "INIT | Initialize MySQL ..." && init_mysql
echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
echo "INIT | Update MISP app/files directory ..." && update_misp_data_files echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
echo "INIT | Flip NGINX live ..." && flip_nginx true true
# Run configure MISP script # Run configure MISP script
echo "INIT | Configure MISP installation ..." echo "INIT | Configure MISP installation ..."
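Review bot: Putting `-e` on the shebang (`#!/bin/bash -e`) only takes effect when the kernel runs the script directly; invoked as `bash /entrypoint_k8s_fpm.sh`, or sourced, the option is silently absent. Make it the first statement instead: `set -e` (or `set -eo pipefail`) under a plain `#!/bin/bash`. The same applies to the shebang change in core/files/entrypoint_k8s_nginx.sh. It is also worth confirming that the sourced /entrypoint_nginx.sh and /entrypoint_fpm.sh tolerate errexit, since their functions now run under it.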

3
core/files/entrypoint_k8s_nginx.sh Normal file → Executable file

@ -1,9 +1,10 @@
#!/bin/bash #!/bin/bash -e
source /entrypoint_nginx.sh source /entrypoint_nginx.sh
# Initialize nginx # Initialize nginx
echo "INIT | Initialize NGINX ..." && init_nginx echo "INIT | Initialize NGINX ..." && init_nginx
echo "INIT | Flip NGINX live ..." && flip_nginx true true
# launch nginx as current shell process in container # launch nginx as current shell process in container
exec nginx -g 'daemon off;' exec nginx -g 'daemon off;'


@ -217,6 +217,12 @@ flip_nginx() {
} }
init_nginx() { init_nginx() {
# Optional location of PHP-FPM sock file
if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}"
sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp
fi
# Adjust timeouts # Adjust timeouts
echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}" echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}"
sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp
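Review bot: `PHP_FPM_SOCK_FILE` is spliced unvalidated into the sed replacement and from there into the nginx config, so a value containing `@`, `&`, `;` or whitespace would break the substitution or write extra directives into /etc/nginx/includes/misp. A guard before the `sed` keeps this to a plain absolute path, e.g. `[[ "$PHP_FPM_SOCK_FILE" =~ ^/[A-Za-z0-9._/-]+$ ]] || { echo "invalid PHP_FPM_SOCK_FILE" >&2; exit 1; }`; the matching `listen =` edit in change_php_vars has the same pattern. Since the socket is meant to be shared between containers, its owner and mode on the php-fpm side should be limited to the user nginx runs as. init_nginx continues past the end of the hunk.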


@ -10,12 +10,3 @@ stderr_logfile_maxbytes=0
port=127.0.0.1:9001 port=127.0.0.1:9001
username=supervisor username=supervisor
password=supervisor password=supervisor
[program:cron]
command=/entrypoint_cron.sh
autorestart=true
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0