Move setup to a separate script

This allows us to use fewer temporary Docker containers, and to have a more readable script than just a single giant RUN line in the Dockerfile.

Move setup to a separate script
fdd7870c · ale · f7c7d703 · fdd7870c · fdd7870c · fdd7870c
Commit fdd7870c authored 7 years ago by ale
--- a/Dockerfile
+++ b/Dockerfile
 FROM bitnami/minideb:stretch

 COPY ai.list /etc/apt/sources.list.d/ai.list
-
-RUN install_packages curl gnupg && \
-    curl -s http://deb.autistici.org/repo.key | apt-key add - && \
-    apt-get -q update && \
-    install_packages \
-        apache2 ai-webtools gostatic git rsync \
-        python3-pip python3-setuptools python3-wheel && \
-    apt-get clean
+COPY conf /tmp/conf
+COPY build.sh /tmp/build.sh

 # In this first, simple version, we treat the website content as a
 # binary component and we make it part of the Docker image itself.
 # Just pull the latest version from git and build it inside the image.
-RUN mkdir -p /tmp/build /var/lib/sitesearch && \
-    git clone https://git.autistici.org/ai/website.git /tmp/build/src && \
-    cd /tmp/build/src && \
-    umask 022 && \
-    ./scripts/update.sh && \
-    cp -ar /tmp/build/src/public /var/www/autistici.org && \
-    cp -ar /tmp/build/src/index /var/lib/sitesearch/ && \
-    cp -ar /tmp/build/src/templates /var/lib/sitesearch/ && \
-    chown -R www-data /var/lib/sitesearch
-
-COPY conf/autistici.org.conf /etc/apache2/sites-available/default
-RUN mkdir /var/run/apache2 /var/lock/apache2
-
-# Set up chaperone (a tiny init).
-RUN pip3 install chaperone && \
-    rm -fr /root/.cache/pip && \
-    mkdir /etc/chaperone.d
-COPY chaperone.conf /etc/chaperone.d/chaperone.conf

-# Remove packages that are only used to build the site.
-RUN apt-get remove -y --purge curl gnupg git gostatic rsync && \
-    apt-get autoremove -y && \
-    rm -fr /var/lib/apt/lists/* && \
-    rm -fr /tmp/build
+# The setup commands are all on a huge single RUN line so that Docker
+# does not create temporary container images in between, thus letting
+# us effectively recover the unused disk space at the end.
+RUN /tmp/build.sh && rm /tmp/build.sh

 EXPOSE 80
 ENTRYPOINT ["/usr/local/bin/chaperone"]
--- a/build.sh
+++ b/build.sh
+#!/bin/sh
+#
+# Install script for git.autistici.org/ai/website
+# inside a Docker container.
+#
+# The installation procedure requires installing some
+# dedicated packages, so we have split it out to a script
+# for legibility.
+
+# Packages that are only used to build the site. These will be
+# removed once we're done.
+BUILD_PACKAGES="git rsync gostatic"
+
+# Packages required to serve the website and run the services.
+# We have to keep the python3 packages around in order to run
+# chaperone (installed via pip).
+PACKAGES="apache2 ai-webtools python3-pip python3-setuptools python3-wheel"
+
+# The default bitnami/minideb image defines an 'install_packages'
+# command which is just a convenient helper. Define our own in
+# case we are using some other Debian image.
+if [ "x$(which install_packages)" = "x" ]; then
+    install_packages() {
+        env DEBIAN_FRONTEND=noninteractive apt-get install -qqy --no-install-recommends "$@"
+    }
+fi
+
+set -e
+
+# Install the main A/I package repository.
+install_packages curl gnupg
+curl -s http://deb.autistici.org/repo.key | apt-key add -
+apt-get -q update
+
+install_packages ${BUILD_PACKAGES} ${PACKAGES}
+
+# Clone the website source repository, build it and
+# copy the results in the web root directory.
+mkdir -p /tmp/site
+git clone https://git.autistici.org/ai/website.git /tmp/site
+
+(cd /tmp/site && umask 022 && ./scripts/update.sh)
+
+cp -ar /tmp/site/public /var/www/autistici.org
+cp -ar /tmp/site/index /var/lib/sitesearch/
+cp -ar /tmp/site/templates /var/lib/sitesearch/
+chown -R www-data /var/lib/sitesearch
+rm -fr /tmp/site
+
+# Create the directories that Apache will need at runtime,
+# since we won't be using the init script.
+mkdir /var/run/apache2 /var/lock/apache2
+
+# Configure Apache.
+cp /tmp/conf/autistici.org.conf /etc/apache2/sites-available/000-default.conf
+cp /tmp/conf/security.conf /etc/apache2/conf-available/security.conf
+:> /etc/apache2/conf-available/other-vhosts-access-log.conf
+
+a2enmod -q headers
+a2enmod -q rewrite
+a2enmod -q negotiation
+a2enmod -q proxy
+a2enmod -q proxy_http
+a2dismod -q ssl
+a2dismod -q -f deflate
+
+# Install Chaperone (minimalistic init service).
+pip3 install chaperone
+rm -fr /root/.cache/pip
+mkdir /etc/chaperone.d
+
+cp /tmp/conf/chaperone.conf /etc/chaperone.d/chaperone.conf
+
+# Remove packages used for installation.
+apt-get remove -y --purge curl gnupg ${BUILD_PACKAGES}
+apt-get autoremove -y
+apt-get clean
+rm -fr /var/lib/apt/lists/*
+rm -fr /tmp/conf
+
--- a/conf/autistici.org.conf
+++ b/conf/autistici.org.conf
@@ -18,9 +18,6 @@
 		Allow from all
 	</Directory>

-	# PHP config (roundcube, mysql).
-	FcgidWrapper /usr/lib/cgi-bin/php5.fcgi .php
-
 	#AddDefaultCharset utf-8

 	# Make the 'site_language' cookie override the Accept-Language header.

--- a/chaperone.conf
+++ b/chaperone.conf
@@ -9,3 +9,8 @@ search.service: {
  restart: true,
 }

+console.logging: {
+  selector: '*.info',
+  stdout: true,
+}
+
--- a/conf/security.conf
+++ b/conf/security.conf
+# cat conf-available/security.conf
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+<Directory />
+   AllowOverride None
+   Require all denied
+</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Minimal
+#ServerTokens OS
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+ServerSignature Off
+#ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#<DirectoryMatch "/\.svn">
+#   Require all denied
+#</DirectoryMatch>
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Frame-Options: "sameorigin"
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet