From ba393914dd251e02c67204640511f5cb1c0dd6b5 Mon Sep 17 00:00:00 2001
From: Tom Noogen
Date: Wed, 14 Feb 2018 14:52:59 -0600
Subject: [PATCH 1/4] rollback mysql changes

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1d3d096..7cf142d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -42,7 +42,7 @@ RUN \
  && tar -xof ngx-misc.tar.gz -C /usr/src/nginx/set-misc-nginx-module --strip-components=1 \
  && rm ngx-misc.tar.gz \
- && add-apt-repository -r 'deb [arch=amd64,i386] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu xenial main' \
+# && add-apt-repository -r 'deb [arch=amd64,i386] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu xenial main' \
 # add nginx repo
  && curl -s https://nginx.org/keys/nginx_signing.key | apt-key add - \
@@ -127,7 +127,7 @@ RUN \
  && sed -i -e "s/\"nginx apache2/\"apache2/g" /tmp/vst-install-ubuntu.sh \
 # fix mariadb instead of mysql
-# && sed -i -e "s/mysql\-/mariadb\-/g" /tmp/vst-install-ubuntu.sh \
+ && sed -i -e "s/mysql\-/mariadb\-/g" /tmp/vst-install-ubuntu.sh \
 # begin install vesta
  && bash /tmp/vst-install-ubuntu.sh \

From 32c0c2eb97584416bd888c6c5196af26c17f17b1 Mon Sep 17 00:00:00 2001
From: Tom Noogen
Date: Sat, 17 Feb 2018 14:10:26 -0600
Subject: [PATCH 2/4] aufs workaround

---
 rootfs/etc/my_init.d/startup.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rootfs/etc/my_init.d/startup.sh b/rootfs/etc/my_init.d/startup.sh
index 7e13ba0..89f7ff3 100755
--- a/rootfs/etc/my_init.d/startup.sh
+++ b/rootfs/etc/my_init.d/startup.sh
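Review bot: The new line in the first hunk keeps `add-apt-repository -r ...` as a commented-out line inside the `\` continuation chain instead of deleting it; Docker drops comment lines inside a RUN continuation so the chain still parses, but dead code in a build recipe tends to get re-enabled by accident, so either remove it or give it a reason to stay, e.g. `# MariaDB repo removal disabled on purpose: <reason>`. The second hunk (@@ -127) re-enables the `s/mysql\-/mariadb\-/g` substitution in the Vesta installer, which moves the image toward MariaDB while the subject says "rollback mysql changes"; one line in the commit message naming which database the image is meant to end up with would save the next reader from reconstructing it from both hunks. The enclosing RUN starts and ends outside both hunks.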
@@ -6,7 +6,9 @@ if [ ! -f /home/admin/bin/my-startup.sh ]; then
  echo "[i] running for the 1st time"
  rsync --update -raz /vesta-start/* /vesta
  rsync --update -raz /sysprepz/home/* /home
-
+# work around for AUFS bug
+# as per https://github.com/docker/docker/issues/783#issuecomment-56013588
+ mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
 # save some bytes, you can do it later
 # rm -rf /sysprepz
 # rm -rf /vesta-start

From b86f8c83fdf15364c78b0157657052bc397b242d Mon Sep 17 00:00:00 2001
From: Tom Noogen
Date: Sun, 18 Mar 2018 10:21:44 -0500
Subject: [PATCH 3/4] security and updates

---
 Dockerfile | 17 ++++++++---------
 README.md | 17 +++++++++++------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7cf142d..17ee60d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,15 @@
-FROM niiknow/docker-hostingbase:1.0.3
+FROM niiknow/docker-hostingbase:1.0.8
 MAINTAINER friends@niiknow.org
 ENV DEBIAN_FRONTEND=noninteractive \
  VESTA=/usr/local/vesta \
- GOLANG_VERSION=1.9.3 \
+ GOLANG_VERSION=1.10 \
  NGINX_BUILD_DIR=/usr/src/nginx \
  NGINX_DEVEL_KIT_VERSION=0.3.0 NGINX_SET_MISC_MODULE_VERSION=0.31 \
- NGINX_VERSION=1.13.8 \
- NGINX_PAGESPEED_VERSION=1.12.34.3 \
- NGINX_PSOL_VERSION=1.12.34.2 \
+ NGINX_VERSION=1.13.9 \
+ NGINX_PAGESPEED_VERSION=1.13.35.2 \
+ NGINX_PSOL_VERSION=1.13.35.2 \
  IMAGE_FILTER_URL=https://raw.githubusercontent.com/niiknow/docker-nginx-image-proxy/master/build/src/ngx_http_image_filter_module.c
 # start
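Review bot: The added `mkdir /etc/ssl/private-copy; mv ...; rm -r /etc/ssl/private; ...` line separates its steps with `;`, so if `mkdir` or the first `mv` fails (directory already present, copy partially done) the script still runs `rm -r /etc/ssl/private` and discards the keys; chain the steps with `&&` so a failed copy stops before the delete: `mkdir /etc/ssl/private-copy && mv /etc/ssl/private/* /etc/ssl/private-copy/ && rm -r /etc/ssl/private && mv /etc/ssl/private-copy /etc/ssl/private && chmod -R 0700 /etc/ssl/private && chown -R postgres /etc/ssl/private`. The closing `chown -R postgres /etc/ssl/private` also hands the whole system private-key directory to the postgres user rather than only its own key, so a compromise of that one service exposes every key stored there; limit the chown to the postgres key file, or use the `ssl-cert` group that Debian sets on this directory and that the image's Dockerfile already creates. The `if` block this runs in starts before the hunk.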
@@ -52,7 +52,7 @@ RUN \
 # update
  && apt-get update && apt-get -y --no-install-recommends upgrade \
- && apt-get install -y --no-install-recommends libpcre3-dev libssl-dev dpkg-dev libgd-dev iproute \
+ && apt-get install -y --no-install-recommends libpcre3-dev libssl-dev dpkg-dev libgd-dev iproute uuid-dev \
 # install nginx with pagespeed first so vesta config can override
  && mkdir -p ${NGINX_BUILD_DIR} \
@@ -69,7 +69,7 @@ RUN \
  && sed -i "s/--with-http_ssl_module/--with-http_ssl_module --with-http_image_filter_module --add-module=\/usr\/src\/nginx\/ngx_devel_kit --add-module=\/usr\/src\/nginx\/set-misc-nginx-module --add-module=\/usr\/src\/nginx\/ngx_pagespeed-latest-stable/g" ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/debian/rules \
 # Load Pagespeed module, PSOL and nginx
- && curl -SL https://github.com/pagespeed/ngx_pagespeed/archive/v${NGINX_PAGESPEED_VERSION}-stable.zip -o ${NGINX_BUILD_DIR}/latest-stable.zip \
+ && curl -SL https://github.com/apache/incubator-pagespeed-ngx/archive/v${NGINX_PAGESPEED_VERSION}-stable.zip -o latest-stable.zip \
  && unzip latest-stable.zip \
  && mv incubator-pagespeed-ngx-${NGINX_PAGESPEED_VERSION}-stable ngx_pagespeed-latest-stable \
  && cd ngx_pagespeed-latest-stable \
@@ -166,7 +166,7 @@ RUN \
 # install nodejs, memcached, redis-server, openvpn, mongodb, dotnet-sdk, and couchdb
  && apt-get install -yf --no-install-recommends nodejs memcached php-memcached redis-server \
- openvpn mongodb-org php-mongodb couchdb dotnet-sdk-2.1.4 \
+ openvpn mongodb-org php-mongodb couchdb dotnet-sdk-2.1.101 \
 # setting upawscli, golang
 # awscli
@@ -474,7 +474,6 @@ RUN \
  && sed -i -e 's:^save:# save:g' \
  -e 's:^bind:# bind:g' \
  -e 's:^logfile:# logfile:' \
- -e 's:daemonize yes:daemonize no:' \
  -e 's:# maxmemory \(.*\)$:maxmemory 256mb:' \
  -e 's:# maxmemory-policy \(.*\)$:maxmemory-policy allkeys-lru:' \
  /etc/redis/redis.conf \
diff --git a/README.md b/README.md
index e0fd3c0..9ccf8e4 100644
--- a/README.md
+++ b/README.md
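Review bot: The rewritten `curl -SL https://github.com/apache/incubator-pagespeed-ngx/archive/v${NGINX_PAGESPEED_VERSION}-stable.zip -o latest-stable.zip` line in the @@ -69 hunk still compiles whatever the download returns into nginx without any integrity check, and the PSOL tarball fetched two lines later is in the same position; since the result is the image's front-end web server, record a digest next to `NGINX_PAGESPEED_VERSION` in the ENV block and verify it before `unzip`, e.g. `&& echo "<sha256 placeholder>  latest-stable.zip" | sha256sum -c - \`. The output path was also changed from `${NGINX_BUILD_DIR}/latest-stable.zip` to the relative `latest-stable.zip`, which now depends on a `cd` earlier in the RUN that is outside this hunk; keeping the absolute path would make the line robust to reordering. The enclosing RUN starts and ends outside the hunk.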
@@ -5,7 +5,7 @@ What's included?
 * ubuntu 16.04 lts + Vesta 0.9.8-18
 * nginx (proxy) -> apache2 -> php-fcgi - high performance and flexible implementation
 * added ability to also run php-fpm
-* ssh/sftp, letsencrypt, memcached, redis, MariaDB 10.1, postgresql 9.5, nodejs 8.x, golang 1.9, openvpn, mongodb, couchdb, .net core 2.0 runtime
+* ssh/sftp, letsencrypt, memcached, redis, MariaDB 10.2, postgresql 9.5, nodejs 8.x, golang 1.10, openvpn, mongodb, couchdb, .net core 2.0 runtime
 * folder redirection for data persistence and automatic daily backup provided by VestaCP
 * DNS, named, dovecot/roundcube, spamassassin, clamav, etc... -- disabled by default
 * vesta panel SSL (LE-issued) for mail and control panel - provide $VESTA_DOMAIN environment variable
@@ -41,7 +41,7 @@ FTP was not installed on purpose because it's not secure. Use SFTP instead on t
 - [x] **Dovecot/roundcube email, phpmyadmin, phppgadmin, and DNS services** are disabled by default. Look at /home/admin/bin/my-startup.sh for instruction on how to re-enable these services.
 ### misc/tested/verified
-- [x] ssh/sftp, nginx, apache2, php7.1 + v8js
+- [x] ssh/sftp, nginx, apache2, php7.0+ & v8js
 - [x] log viewing in Vesta
 - [x] backup and restore
 - [x] Vesta FileManager
@@ -75,12 +75,17 @@ If you use this Docker for hosting and allow your user to login, I also recommen
 Enjoy!!!
 ## Release Notes
-1.1.0 - starting from this version, we upgraded to MariaDB 10.2, please login as root and run the command:
+1.1.9 - Update to be more secure and compliance. A bunch of security issues discovered during the holidays were patched by various vendors including cpu (meltdown & spectre) and .net core issues:
+
 ```
-# mysql_upgrade --verbose -u root -p
-# service mysql restart
+- php 5.6 v8js no longer supported due to security issues resulting in older v8 deprecation.
+- update nginx to 1.13.9 - rebuilt with latest ngx_pagespeed
+- update golang 1.10
+- update to dotnet-sdk-2.1.101
+- update from 3.4 to 3.6 for mongodb
 ```
-And finish by restarting the docker container.
+
+1.1.0 - starting from this version, we upgraded to MariaDB 10.2.
 1.0.8 - introducing vesta 0.9.8-18, update to this docker image then run */bin/vesta-update.sh* to update Vesta.

From 9fe6fbd32f1cf82815ac8a4057fcdebc65a1bd21 Mon Sep 17 00:00:00 2001
From: Tom Noogen
Date: Sun, 18 Mar 2018 18:27:43 -0500
Subject: [PATCH 4/4] debug build

---
 Dockerfile | 38 +------------------------------------
 1 file changed, 1 insertion(+), 37 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 17ee60d..0b45135 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,11 +12,8 @@ ENV DEBIAN_FRONTEND=noninteractive \
  NGINX_PSOL_VERSION=1.13.35.2 \
  IMAGE_FILTER_URL=https://raw.githubusercontent.com/niiknow/docker-nginx-image-proxy/master/build/src/ngx_http_image_filter_module.c
-# start
 RUN \
  cd /tmp \
-
-# add our user and group first to make sure their IDs get assigned consistently
  && echo "nginx mysql bind clamav ssl-cert dovecot dovenull Debian-exim postgres debian-spamd epmd couchdb memcache mongodb redis" | xargs -n1 groupadd -K GID_MIN=100 -K GID_MAX=999 ${g} \
  && echo "nginx nginx mysql mysql bind bind clamav clamav dovecot dovecot dovenull dovenull Debian-exim Debian-exim postgres postgres debian-spamd debian-spamd epmd epmd couchdb couchdb memcache memcache mongodb mongodb redis redis" | xargs -n2 useradd -d /nonexistent -s /bin/false -K UID_MIN=100 -K UID_MAX=999 -g ${g} \
  && usermod -d /var/lib/mysql mysql \
@@ -30,92 +27,58 @@ RUN \
  && usermod -d /var/lib/couchdb -s /bin/bash couchdb \
  && usermod -d /var/lib/mongodb -a -G nogroup mongodb \
  && usermod -d /var/lib/redis redis \
-
-# build nginx set misc
  && curl -sL "https://github.com/simpl/ngx_devel_kit/archive/v$NGINX_DEVEL_KIT_VERSION.tar.gz" -o dev-kit.tar.gz \
  && mkdir -p /usr/src/nginx/ngx_devel_kit \
  && tar -xof dev-kit.tar.gz -C /usr/src/nginx/ngx_devel_kit --strip-components=1 \
  && rm dev-kit.tar.gz \
-
  && curl -sL "https://github.com/openresty/set-misc-nginx-module/archive/v$NGINX_SET_MISC_MODULE_VERSION.tar.gz" -o ngx-misc.tar.gz \
  && mkdir -p /usr/src/nginx/set-misc-nginx-module \
  && tar -xof ngx-misc.tar.gz -C /usr/src/nginx/set-misc-nginx-module --strip-components=1 \
  && rm ngx-misc.tar.gz \
-
-# && add-apt-repository -r 'deb [arch=amd64,i386] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu xenial main' \
-
-# add nginx repo
  && curl -s https://nginx.org/keys/nginx_signing.key | apt-key add - \
  && cp /etc/apt/sources.list /etc/apt/sources.list.bak \
  && echo "deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx" | tee -a /etc/apt/sources.list \
  && echo "deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx" | tee -a /etc/apt/sources.list \
-
-# update
  && apt-get update && apt-get -y --no-install-recommends upgrade \
  && apt-get install -y --no-install-recommends libpcre3-dev libssl-dev dpkg-dev libgd-dev iproute uuid-dev \
-
-# install nginx with pagespeed first so vesta config can override
  && mkdir -p ${NGINX_BUILD_DIR} \
- && cd ${NGINX_BUILD_DIR} \
-
-# get the source
  && apt-get source nginx=${NGINX_VERSION} -y \
  && mv ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/src/http/modules/ngx_http_image_filter_module.c ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/src/http/modules/ngx_http_image_filter_module.bak \
-
-
-# apply patch
  && curl -SL $IMAGE_FILTER_URL --output ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/src/http/modules/ngx_http_image_filter_module.c \
  && sed -i "s/--with-http_ssl_module/--with-http_ssl_module --with-http_image_filter_module --add-module=\/usr\/src\/nginx\/ngx_devel_kit --add-module=\/usr\/src\/nginx\/set-misc-nginx-module --add-module=\/usr\/src\/nginx\/ngx_pagespeed-latest-stable/g" ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/debian/rules \
-
-# Load Pagespeed module, PSOL and nginx
  && curl -SL https://github.com/apache/incubator-pagespeed-ngx/archive/v${NGINX_PAGESPEED_VERSION}-stable.zip -o latest-stable.zip \
  && unzip latest-stable.zip \
  && mv incubator-pagespeed-ngx-${NGINX_PAGESPEED_VERSION}-stable ngx_pagespeed-latest-stable \
  && cd ngx_pagespeed-latest-stable \
  && curl -SL https://dl.google.com/dl/page-speed/psol/${NGINX_PSOL_VERSION}-x64.tar.gz -o ${NGINX_PSOL_VERSION}.tar.gz \
  && tar -xzf ${NGINX_PSOL_VERSION}.tar.gz \
-
-# get build dependencies
  && apt-get build-dep nginx -y \
  && cd ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}; dpkg-buildpackage -uc -us -b \
- && cd ${NGINX_BUILD_DIR} \
-
-# install new nginx package
  && dpkg -i nginx_${NGINX_VERSION}-1~xenial_amd64.deb \
-
-# install php
  && apt-get install -yq php5.6-mbstring php5.6-cgi php5.6-cli php5.6-dev php5.6-geoip php5.6-common php5.6-xmlrpc php5.6-sybase \
  php5.6-curl php5.6-enchant php5.6-imap php5.6-xsl php5.6-mysql php5.6-mysqlnd php5.6-pspell php5.6-gd php5.6-zip \
  php5.6-tidy php5.6-opcache php5.6-json php5.6-bz2 php5.6-pgsql php5.6-mcrypt php5.6-readline php5.6-imagick \
  php5.6-intl php5.6-sqlite3 php5.6-ldap php5.6-xml php5.6-redis php5.6-dev php5.6-fpm php5.6-soap \
-
  && apt-get install -yq php7.0-mbstring php7.0-cgi php7.0-cli php7.0-dev php7.0-geoip php7.0-common php7.0-xmlrpc php7.0-sybase \
  php7.0-curl php7.0-enchant php7.0-imap php7.0-xsl php7.0-mysql php7.0-mysqlnd php7.0-pspell php7.0-gd php7.0-zip \
  php7.0-tidy php7.0-opcache php7.0-json php7.0-bz2 php7.0-pgsql php7.0-mcrypt php7.0-readline php7.0-imagick \
  php7.0-intl php7.0-sqlite3 php7.0-ldap php7.0-xml php7.0-redis php7.0-dev php7.0-fpm php7.0-sodium php7.0-soap \
-
  && apt-get install -yq php7.1-mbstring php7.1-cgi php7.1-cli php7.1-dev php7.1-geoip php7.1-common php7.1-xmlrpc php7.1-sybase \
  php7.1-curl php7.1-enchant php7.1-imap php7.1-xsl php7.1-mysql php7.1-mysqlnd php7.1-pspell php7.1-gd php7.1-zip \
  php7.1-tidy php7.1-opcache php7.1-json php7.1-bz2 php7.1-pgsql php7.1-mcrypt php7.1-readline php7.1-imagick \
  php7.1-intl php7.1-sqlite3 php7.1-ldap php7.1-xml php7.1-redis php7.1-dev php7.1-fpm php7.1-sodium php7.1-soap \
-
  && apt-get install -yq php7.2-mbstring php7.2-cgi php7.2-cli php7.2-dev php7.2-geoip php7.2-common php7.2-xmlrpc php7.2-sybase \
  php7.2-curl php7.2-enchant php7.2-imap php7.2-xsl php7.2-mysql php7.2-mysqlnd php7.2-pspell php7.2-gd php7.2-zip \
  php7.2-tidy php7.2-opcache php7.2-json php7.2-bz2 php7.2-pgsql php7.2-readline php7.2-imagick \
  php7.2-intl php7.2-sqlite3 php7.2-ldap php7.2-xml php7.2-redis php7.2-dev php7.2-fpm php7.2-soap \
-
-# put back old source list for vesta
  && rm -f /etc/apt/sources.list && mv /etc/apt/sources.list.bak /etc/apt/sources.list \
-
-# finish cleaning up
  && rm -rf /usr/src/nginx \
  && rm -rf /tmp/* \
  && apt-get -yf autoremove \
  && apt-get clean
-# begin VestaCP install
 RUN \
  cd /tmp \
@@ -191,6 +154,7 @@ COPY rootfs/. /
 RUN \
  cd /tmp \
+
 # tweaks
  && chmod +x /etc/init.d/dovecot \
  && chmod +x /etc/service/sshd/run \
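Review bot: Removing the two `&& cd ${NGINX_BUILD_DIR} \` lines in the @@ -30 hunk changes where the build runs, not only its comments: after this hunk `apt-get source nginx=${NGINX_VERSION} -y` unpacks into the current directory, which as far as the hunk shows is still `/tmp` from the `cd /tmp` at the top of the RUN, while the following `mv ${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/src/...`, the `sed` on `${NGINX_BUILD_DIR}/nginx-${NGINX_VERSION}/debian/rules` and the `--add-module=/usr/src/nginx/ngx_pagespeed-latest-stable` path all still expect the sources under `${NGINX_BUILD_DIR}`, and `dpkg -i nginx_${NGINX_VERSION}-1~xenial_amd64.deb` now runs from inside `nginx-${NGINX_VERSION}` (the `cd` before `dpkg-buildpackage` is never undone) rather than from the parent directory where dpkg-buildpackage writes the package. If the intent was only to drop the blank continuation lines, restore the two lines: `&& cd ${NGINX_BUILD_DIR} \` before `apt-get source` and again before `dpkg -i`. Deleting every `# ...` phase comment also leaves a roughly sixty-line RUN with no indication of what each stage does; Docker strips comment lines inside a continuation, so the comments can stay even if the empty lines go. The RUN starts before the hunk.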