Improve the docker layers (#251)

* Improve build layers
* Switch latest commit of wait-for-it.sh to avoid a security bug
* Drop dirmngr ipv6 workaround
* Use the same build process on Alpine for php extensions
* Remove ldd check for Alpine
* Move COPY before source and indent using tabs
* Add a .editorconfig to make templates show up as Dockerfile

.editorconfig

@@ -0,0 +1,18 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[templates/*.templ]
+indent_style = tab
+
+[Dockerfile]
+indent_style = tab

.gitattributes

@@ -0,0 +1 @@
+templates/*.templ linguist-language=Dockerfile

apache/Dockerfile

@@ -3,6 +3,7 @@ LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
 RUN set -ex; \
+	if [ "apache" = "apache" ]; then a2enmod rewrite; fi; \
 	apt-get update; \
 	\
 	savedAptMark="$(apt-mark showmanual)"; \
@@ -21,7 +22,17 @@ RUN set -ex; \
 		libonig-dev \
 		libldap-common \
 	; \
+# installto.sh & web install dependencies
+	fetchDeps="gnupg locales libc-l10n"; \
+	installDeps="aspell aspell-en rsync unzip"; \
+	apt-get install -y --no-install-recommends \
+			$installDeps \
+			$fetchDeps \
+	; \
 	\
+# Extract sources to avoid using pecl (https://github.com/docker-library/php/issues/374#issuecomment-690698974)
+	pecl bundle -d /usr/src/php/ext imagick; \
+	pecl bundle -d /usr/src/php/ext redis; \
 	debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
 	docker-php-ext-configure gd --with-jpeg --with-freetype; \
 	docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
@@ -35,13 +46,20 @@ RUN set -ex; \
 		pdo_sqlite \
 		zip \
 		pspell \
+		imagick \
+		redis \
 	; \
-	pecl install imagick redis; \
 	docker-php-ext-enable imagick opcache redis; \
+	docker-php-source delete; \
+# Header files ".h"
+	rm -r /usr/local/include/php/ext; \
+	rm -r /tmp/pear; \
+# Display installed modules
+	php -m; \
 	\
 # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
 	apt-mark auto '.*' > /dev/null; \
-	apt-mark manual $savedAptMark; \
+	apt-mark manual $savedAptMark $installDeps $fetchDeps; \
 	extdir="$(php -r 'echo ini_get("extension_dir");')"; \
 	ldd "$extdir"/*.so \
 		| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
@@ -53,28 +71,20 @@ RUN set -ex; \
 	\
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	rm -rf /var/lib/apt/lists/*; \
-    ldd "$extdir"/*.so | grep -qzv "=> not found" || (echo "Sanity check failed: missing libraries:"; ldd "$extdir"/*.so | grep " => not found"; exit 1); \
-    ldd "$extdir"/*.so | grep -q "libzip.so.* => .*/libzip.so.*" || (echo "Sanity check failed: libzip.so is not referenced"; ldd "$extdir"/*.so; exit 1); \
-    err="$(php --version 3>&1 1>&2 2>&3)"; \
-    [ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;);
-
-
-# installto.sh dependencies
-RUN set -ex; \
-	\
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-			aspell \
-			aspell-en \
-			rsync \
-			unzip \
-	; \
-	rm -rf /var/lib/apt/lists/*
+	ldd "$extdir"/*.so | grep -qzv "=> not found" || (echo "Sanity check failed: missing libraries:"; ldd "$extdir"/*.so | grep " => not found"; exit 1); \
+	ldd "$extdir"/*.so | grep -q "libzip.so.* => .*/libzip.so.*" || (echo "Sanity check failed: libzip.so is not referenced"; ldd "$extdir"/*.so; exit 1); \
+	err="$(php --version 3>&1 1>&2 2>&3)"; \
+	[ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;); \
+# include the wait-for-it.sh script (latest commit)
+	curl -fL https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh -o /wait-for-it.sh; \
+	chmod +x /wait-for-it.sh;
 
 COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
 
+# use custom PHP settings
+COPY php.ini /usr/local/etc/php/conf.d/roundcube-defaults.ini
 
-RUN a2enmod rewrite
+COPY --chmod=0755 docker-entrypoint.sh /
 
 # Define Roundcubemail version
 ENV ROUNDCUBEMAIL_VERSION 1.6.9
@@ -84,14 +94,9 @@ ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4  5F7F 5AB2 BAA1 41C4 F7D5"
 
 # Download package and extract to web volume
 RUN set -ex; \
-	fetchDeps="gnupg dirmngr locales libc-l10n"; \
-	apt-get -qq update; \
-	apt-get install -y --no-install-recommends $fetchDeps; \
 	curl -o roundcubemail.tar.gz -fSL https://github.com/roundcube/roundcubemail/releases/download/${ROUNDCUBEMAIL_VERSION}/roundcubemail-${ROUNDCUBEMAIL_VERSION}-complete.tar.gz; \
 	curl -o roundcubemail.tar.gz.asc -fSL https://github.com/roundcube/roundcubemail/releases/download/${ROUNDCUBEMAIL_VERSION}/roundcubemail-${ROUNDCUBEMAIL_VERSION}-complete.tar.gz.asc; \
 	export GNUPGHOME="$(mktemp -d)"; \
-	# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
-	echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
 	curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
 	LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
 	LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
@@ -103,17 +108,9 @@ RUN set -ex; \
 	tar -xf roundcubemail.tar.gz -C /usr/src/roundcubemail --strip-components=1 --no-same-owner; \
 	rm -r "$GNUPGHOME" roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
 	rm -rf /usr/src/roundcubemail/installer; \
-	chown -R www-data:www-data /usr/src/roundcubemail/logs
-
-# include the wait-for-it.sh script
-RUN curl -fL https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh > /wait-for-it.sh && chmod +x /wait-for-it.sh
-
-# use custom PHP settings
-COPY php.ini /usr/local/etc/php/conf.d/roundcube-defaults.ini
-
-COPY --chmod=0755 docker-entrypoint.sh /
-
-RUN mkdir -p /var/roundcube/config
+	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
+# Create the config dir
+	mkdir -p /var/roundcube/config
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["apache2-foreground"]

fpm-alpine/Dockerfile

@@ -2,8 +2,8 @@ FROM php:8.1-fpm-alpine
 LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
-# entrypoint.sh and installto.sh dependencies
 RUN set -ex; \
+	if [ "fpm-alpine" = "apache" ]; then a2enmod rewrite; fi; \
 	\
 	apk add --no-cache \
 		bash \
@@ -31,6 +31,9 @@ RUN set -ex; \
 		aspell-dev \
 	; \
 	\
+# Extract sources to avoid using pecl (https://github.com/docker-library/php/issues/374#issuecomment-690698974)
+	pecl bundle -d /usr/src/php/ext imagick; \
+	pecl bundle -d /usr/src/php/ext redis; \
 	docker-php-ext-configure gd --with-jpeg --with-freetype; \
 	docker-php-ext-configure ldap; \
 	docker-php-ext-install \
@@ -43,21 +46,38 @@ RUN set -ex; \
 		pdo_sqlite \
 		zip \
 		pspell \
+		imagick \
+		redis \
 	; \
-	pecl install imagick redis; \
 	docker-php-ext-enable imagick opcache redis; \
+	docker-php-source delete; \
+# Header files ".h"
+	rm -r /usr/local/include/php/ext; \
+	rm -r /tmp/pear; \
+# Display installed modules
+	php -m; \
 	\
+	extdir="$(php -r 'echo ini_get("extension_dir");')"; \
 	runDeps="$( \
-		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
+		scanelf --needed --nobanner --format '%n#p' --recursive $extdir \
 		| tr ',' '\n' \
 		| sort -u \
 		| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 		)"; \
 	apk add --virtual .roundcubemail-phpext-rundeps imagemagick $runDeps; \
-	apk del .build-deps
+	apk del .build-deps; \
+	err="$(php --version 3>&1 1>&2 2>&3)"; \
+	[ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;); \
+# include the wait-for-it.sh script (latest commit)
+	curl -fL https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh -o /wait-for-it.sh; \
+	chmod +x /wait-for-it.sh;
 
 COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
 
+# use custom PHP settings
+COPY php.ini /usr/local/etc/php/conf.d/roundcube-defaults.ini
+
+COPY --chmod=0755 docker-entrypoint.sh /
 
 # Define Roundcubemail version
 ENV ROUNDCUBEMAIL_VERSION 1.6.9
@@ -74,8 +94,6 @@ RUN set -ex; \
 	curl -o roundcubemail.tar.gz -fSL https://github.com/roundcube/roundcubemail/releases/download/${ROUNDCUBEMAIL_VERSION}/roundcubemail-${ROUNDCUBEMAIL_VERSION}-complete.tar.gz; \
 	curl -o roundcubemail.tar.gz.asc -fSL https://github.com/roundcube/roundcubemail/releases/download/${ROUNDCUBEMAIL_VERSION}/roundcubemail-${ROUNDCUBEMAIL_VERSION}-complete.tar.gz.asc; \
 	export GNUPGHOME="$(mktemp -d)"; \
-	# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
-	echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
 	curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
 	LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
 	LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
@@ -88,17 +106,9 @@ RUN set -ex; \
 	rm -r "$GNUPGHOME" roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
 	rm -rf /usr/src/roundcubemail/installer; \
 	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
-	apk del .fetch-deps
-
-# include the wait-for-it.sh script
-RUN curl -fL https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh > /wait-for-it.sh && chmod +x /wait-for-it.sh
-
-# use custom PHP settings
-COPY php.ini /usr/local/etc/php/conf.d/roundcube-defaults.ini
-
-COPY --chmod=0755 docker-entrypoint.sh /
-
-RUN mkdir -p /var/roundcube/config
+	apk del .fetch-deps; \
+# Create the config dir
+	mkdir -p /var/roundcube/config
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["php-fpm"]

fpm/Dockerfile

@@ -3,6 +3,7 @@ LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
 RUN set -ex; \
+	if [ "fpm" = "apache" ]; then a2enmod rewrite; fi; \
 	apt-get update; \
 	\
 	savedAptMark="$(apt-mark showmanual)"; \
@@ -21,7 +22,17 @@ RUN set -ex; \
 		libonig-dev \
 		libldap-common \
 	; \
+# installto.sh & web install dependencies
+	fetchDeps="gnupg locales libc-l10n"; \
+	installDeps="aspell aspell-en rsync unzip"; \
+	apt-get install -y --no-install-recommends \
+			$installDeps \
+			$fetchDeps \
+	; \
 	\
+# Extract sources to avoid using pecl (https://github.com/docker-library/php/issues/374#issuecomment-690698974)
+	pecl bundle -d /usr/src/php/ext imagick; \
+	pecl bundle -d /usr/src/php/ext redis; \
 	debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
 	docker-php-ext-configure gd --with-jpeg --with-freetype; \
 	docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
@@ -35,13 +46,20 @@ RUN set -ex; \
 		pdo_sqlite \
 		zip \
 		pspell \
+		imagick \
+		redis \
 	; \
-	pecl install imagick redis; \
 	docker-php-ext-enable imagick opcache redis; \
+	docker-php-source delete; \
+# Header files ".h"
+	rm -r /usr/local/include/php/ext; \
+	rm -r /tmp/pear; \
+# Display installed modules
+	php -m; \
 	\
 # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
 	apt-mark auto '.*' > /dev/null; \
-	apt-mark manual $savedAptMark; \
+	apt-mark manual $savedAptMark $installDeps $fetchDeps; \
 	extdir="$(php -r 'echo ini_get("extension_dir");')"; \
 	ldd "$extdir"/*.so \
 		| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
@@ -53,26 +71,20 @@ RUN set -ex; \
 	\
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	rm -rf /var/lib/apt/lists/*; \
-    ldd "$extdir"/*.so | grep -qzv "=> not found" || (echo "Sanity check failed: missing libraries:"; ldd "$extdir"/*.so | grep " => not found"; exit 1); \
-    ldd "$extdir"/*.so | grep -q "libzip.so.* => .*/libzip.so.*" || (echo "Sanity check failed: libzip.so is not referenced"; ldd "$extdir"/*.so; exit 1); \
-    err="$(php --version 3>&1 1>&2 2>&3)"; \
-    [ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;);
-
-
-# installto.sh dependencies
-RUN set -ex; \
-	\
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-			aspell \
-			aspell-en \
-			rsync \
-			unzip \
-	; \
-	rm -rf /var/lib/apt/lists/*
+	ldd "$extdir"/*.so | grep -qzv "=> not found" || (echo "Sanity check failed: missing libraries:"; ldd "$extdir"/*.so | grep " => not found"; exit 1); \
+	ldd "$extdir"/*.so | grep -q "libzip.so.* => .*/libzip.so.*" || (echo "Sanity check failed: libzip.so is not referenced"; ldd "$extdir"/*.so; exit 1); \
+	err="$(php --version 3>&1 1>&2 2>&3)"; \
+	[ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;); \
+# include the wait-for-it.sh script (latest commit)
+	curl -fL https://raw.githubusercontent.com/vishnubob/wait-for-it/81b1373f17855a4dc21156cfe1694c31d7d1792e/wait-for-it.sh -o /wait-for-it.sh; \
+	chmod +x /wait-for-it.sh;
 
 COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
 
+# use custom PHP settings
+COPY php.ini /usr/local/etc/php/conf.d/roundcube-defaults.ini
+
+COPY --chmod=0755 docker-entrypoint.sh /
 
 # Define Roundcubemail version
 ENV ROUNDCUBEMAIL_VERSION 1.6.9
@@ -82,14 +94,9 @@ ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4  5F7F 5AB2 BAA1 41C4 F7D5"
 
 # Download package and extract to web volume
 RUN set -ex; \
-	fetchDeps="gnupg dirmngr locales libc-l10n"; \
-	apt-get -qq update; \
-	apt-get install -y --no-install-recommends $fetchDeps; \
 	curl -o roundcubemail.tar.gz -fSL https://github.com/roundcube/roundcubemail/releases/download/${ROUNDCUBEMAIL_VERSION}/roundcubemail-${ROUNDCUBEMAIL_VERSION}-complete.tar.gz; \
 	curl -o roundcubemail.tar.gz.asc -fSL https://github.com/roundcube/roundcubemail/releases/download/${ROUNDCUBEMAIL_VERSION}/roundcubemail-${ROUNDCUBEMAIL_VERSION}-complete.tar.gz.asc; \
 	export GNUPGHOME="$(mktemp -d)"; \
-	# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
-	echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
 	curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
 	LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
 	LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
@@ -101,17 +108,9 @@ RUN set -ex; \
 	tar -xf roundcubemail.tar.gz -C /usr/src/roundcubemail --strip-components=1 --no-same-owner; \
 	rm -r "$GNUPGHOME" roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
 	rm -rf /usr/src/roundcubemail/installer; \
-	chown -R www-data:www-data /usr/src/roundcubemail/logs
-
-# include the wait-for-it.sh script
-RUN curl -fL https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh > /wait-for-it.sh && chmod +x /wait-for-it.sh
-
-# use custom PHP settings
-COPY php.ini /usr/local/etc/php/conf.d/roundcube-defaults.ini
-
-COPY --chmod=0755 docker-entrypoint.sh /
-
-RUN mkdir -p /var/roundcube/config
+	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
+# Create the config dir
+	mkdir -p /var/roundcube/config
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["php-fpm"]