From e90dd4fd35cdc7a156cf47d7a5b9322e6ea6ca58 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Fri, 19 Aug 2022 17:33:28 +0100
Subject: [PATCH] Rebase to 3.15, validate gpg signatures, change version detection.
---
 .github/workflows/external_trigger.yml | 2 +-
 Dockerfile | 67 ++++++++++++++++---------
 Dockerfile.aarch64 | 68 +++++++++++++++++---------
 Dockerfile.armhf | 68 +++++++++++++++++---------
 Jenkinsfile | 2 +-
 README.md | 5 +-
 jenkins-vars.yml | 2 +-
 readme-vars.yml | 7 ++-
 8 files changed, 143 insertions(+), 78 deletions(-)
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
index 6de181c..0370f0e 100644
--- a/.github/workflows/external_trigger.yml
+++ b/.github/workflows/external_trigger.yml
@@ -18,7 +18,7 @@ jobs:
 fi
 echo "**** External trigger running off of main branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_PHPMYADMIN_MAIN\". ****"
 echo "**** Retrieving external version ****"
- EXT_RELEASE=$(curl -u ${{ secrets.CR_USER }}:${{ secrets.CR_PAT }} -sX GET 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases' | jq -r '.[] | select (.prerelease==false)' | jq -rs 'max_by(.name | split(".") | map(tonumber)) | .name')
+ EXT_RELEASE=$(curl -sL 'https://www.phpmyadmin.net/home_page/version.txt' | head -n 1 | cut -d ' ' -f 1)
 if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
 echo "**** Can't retrieve external version, exiting ****"
 FAILURE_REASON="Can't retrieve external version for phpmyadmin branch main"
diff --git a/Dockerfile b/Dockerfile
index 54753da..4fcd0fa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.14
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.15
 ARG BUILD_DATE
 ARG VERSION
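Review bot: The new `EXT_RELEASE` pipeline in external_trigger.yml has no failure signal: `curl -sL` without `-f` exits 0 on an HTTP error response, and the pipeline's status is that of `cut`, so the first token of an error page would pass the `-z` / `"null"` test that follows and be treated as a release. Using `curl -fsSL` and checking the value against a version pattern before it is used, e.g. `[[ "${EXT_RELEASE}" =~ ^[0-9]+(\.[0-9]+)+$ ]]`, would close that gap. The same command is introduced in the three Dockerfiles (where its output is interpolated into the download URL), in the Jenkinsfile and in jenkins-vars.yml. The rest of the step's script lies outside this hunk.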
@@ -6,35 +6,45 @@ ARG PHPMYADMIN_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="TheSpad"
+ARG PHPMYADMIN_RELEASE_GPG_KEY="3D06A59ECE730EB71B511C17CE752F178259BD92"
 ENV MAX_EXECUTION_TIME 600
 ENV MEMORY_LIMIT 512M
 ENV UPLOAD_LIMIT 8192K
 RUN \
+ apk add --no-cache --virtual=build-dependencies \
+ gpg \
+ gpg-agent \
+ gnupg-dirmngr && \
 apk add -U --upgrade --no-cache \
 curl \
 jq \
- php7-gd \
- php7-bz2 \
- php7-mysqli \
- php7-opcache \
- php7-iconv \
- php7-dom \
- php7-tokenizer \
- php7-curl \
- php7-zip && \
+ php8-gd \
+ php8-bz2 \
+ php8-mysqli \
+ php8-opcache \
+ php8-iconv \
+ php8-dom \
+ php8-tokenizer \
+ php8-curl \
+ php8-zip && \
+ echo "**** configure php-fpm to pass env vars ****" && \
+ sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php8/php-fpm.d/www.conf && \
+ grep -qxF 'clear_env = no' /etc/php8/php-fpm.d/www.conf || echo 'clear_env = no' >> /etc/php8/php-fpm.d/www.conf && \
+ echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php8/php-fpm.conf && \
+ echo "**** setup php opcache ****" && \
 { \
 echo 'opcache.memory_consumption=128'; \
 echo 'opcache.interned_strings_buffer=8'; \
 echo 'opcache.max_accelerated_files=4000'; \
 echo 'opcache.revalidate_freq=2'; \
 echo 'opcache.fast_shutdown=1'; \
- } > /etc/php7/conf.d/opcache-recommended.ini; \
+ } > /etc/php8/conf.d/opcache-recommended.ini; \
 \
 { \
 echo 'session.cookie_httponly=1'; \
 echo 'session.use_strict_mode=1'; \
- } > /etc/php7/conf.d/session-strict.ini; \
+ } > /etc/php8/conf.d/session-strict.ini; \
 \
 { \
 echo 'allow_url_fopen=Off'; \
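Review bot: The `grep -qxF 'clear_env = no' … || echo 'clear_env = no' >> …` fallback is not grouped, and sh evaluates `&&` and `||` left to right with equal precedence, so a failure of either `apk add` or of the `sed` before it also takes the `|| echo` branch instead of stopping the chain. Writing it as `{ grep -qxF 'clear_env = no' /etc/php8/php-fpm.d/www.conf || echo 'clear_env = no' >> /etc/php8/php-fpm.d/www.conf; } && \` keeps the fallback local to the grep. The `;` that still ends the `opcache-recommended.ini` and `session-strict.ini` blocks then drops the exit status of everything above it, including the new install of the gpg `build-dependencies`; ending both with `&& \` would make the RUN fail at the step that actually broke. The same lines are added in Dockerfile.aarch64 and Dockerfile.armhf, and the RUN instruction continues past the end of this hunk.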
@@ -43,27 +53,38 @@ RUN \
 echo 'memory_limit=${MEMORY_LIMIT}'; \
 echo 'post_max_size=${UPLOAD_LIMIT}'; \
 echo 'upload_max_filesize=${UPLOAD_LIMIT}'; \
- } > /etc/php7/conf.d/phpmyadmin-misc.ini && \
+ } > /etc/php8/conf.d/phpmyadmin-misc.ini && \
 echo "**** install phpmyadmin ****" && \
- mkdir -p /app/phpmyadmin && \
+ mkdir -p /app/www/public && \
 if [ -z ${PHPMYADMIN_VERSION+x} ]; then \
- PHPMYADMIN_VERSION=$(curl -sX GET 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases' \
- | jq -r '.[] | select (.prerelease==false)' \
- | jq -rs 'max_by(.name | split(".") | map(tonumber)) | .name'); \
+ PHPMYADMIN_VERSION=$(curl -sL 'https://www.phpmyadmin.net/home_page/version.txt' \
+ | head -n 1 | cut -d ' ' -f 1); \
 fi && \
 curl -s -o \
 /tmp/phpmyadmin.tar.xz -L \
 "https://files.phpmyadmin.net/phpMyAdmin/${PHPMYADMIN_VERSION}/phpMyAdmin-${PHPMYADMIN_VERSION}-all-languages.tar.xz" && \
+ curl -s -o \
+ "/tmp/phpmyadmin.tar.xz.asc" -L \
+ "https://files.phpmyadmin.net/phpMyAdmin/${PHPMYADMIN_VERSION}/phpMyAdmin-${PHPMYADMIN_VERSION}-all-languages.tar.xz.asc" && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ gpg --batch -q --keyserver keyserver.ubuntu.com --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver pgp.mit.edu --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver keyserver.pgp.com --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver keys.openpgp.org --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" && \
+ if ! gpg --batch -q --verify "/tmp/phpmyadmin.tar.xz.asc" "/tmp/phpmyadmin.tar.xz"; then \
+ echo "File signature mismatch" \
+ exit 1; \
+ fi && \
 tar xf \
 /tmp/phpmyadmin.tar.xz -C \
- /app/phpmyadmin/ --strip-components=1 && \
- sed -i "s@'configFile' =>.*@'configFile' => '/config/phpmyadmin/config.inc.php',@" "/app/phpmyadmin/libraries/vendor_config.php" && \
- sed -i 's@;clear_env = no@clear_env = no@' "/etc/php7/php-fpm.d/www.conf" && \
+ /app/www/public/ --strip-components=1 && \
+ sed -i "s@'configFile' =>.*@'configFile' => '/config/phpmyadmin/config.inc.php',@" "/app/www/public/libraries/vendor_config.php" && \
+ echo "**** cleanup ****" && \
+ apk del --purge \
+ build-dependencies && \
 rm -rf \
 /tmp/*
 COPY root/ /
-EXPOSE 80
-
-VOLUME /config
\ No newline at end of file
+EXPOSE 80 443
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 61cd838..145bf0e 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
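Review bot: A failed signature check does not abort the build: in the `if ! gpg --batch -q --verify …` block, `echo "File signature mismatch" \` has no `;` before the line continuation, so `exit 1` is passed to `echo` as arguments, the `if` returns 0 and the chain goes on to `tar xf` the unverified archive. The two lines should read `echo "File signature mismatch"; \` and `exit 1; \`. The four `--recv-keys` attempts are also ungrouped, so with left-to-right `&&`/`||` evaluation a failure of either `curl` or of the `export` falls through to the next `gpg --recv-keys` rather than stopping; wrapping the attempts in `{ …; }` and adding `-f` to both `curl` calls would keep an HTTP error page from reaching `gpg` and `tar`. Dockerfile.aarch64 and Dockerfile.armhf add the same block and need the same fix. The RUN instruction starts before this hunk.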
@@ -1,40 +1,49 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.14
-
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.15
 ARG BUILD_DATE
 ARG VERSION
 ARG PHPMYADMIN_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="TheSpad"
+ARG PHPMYADMIN_RELEASE_GPG_KEY="3D06A59ECE730EB71B511C17CE752F178259BD92"
 ENV MAX_EXECUTION_TIME 600
 ENV MEMORY_LIMIT 512M
 ENV UPLOAD_LIMIT 8192K
 RUN \
+ apk add --no-cache --virtual=build-dependencies \
+ gpg \
+ gpg-agent \
+ gnupg-dirmngr && \
 apk add -U --upgrade --no-cache \
 curl \
 jq \
- php7-gd \
- php7-bz2 \
- php7-mysqli \
- php7-opcache \
- php7-iconv \
- php7-dom \
- php7-tokenizer \
- php7-curl \
- php7-zip && \
+ php8-gd \
+ php8-bz2 \
+ php8-mysqli \
+ php8-opcache \
+ php8-iconv \
+ php8-dom \
+ php8-tokenizer \
+ php8-curl \
+ php8-zip && \
+ echo "**** configure php-fpm to pass env vars ****" && \
+ sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php8/php-fpm.d/www.conf && \
+ grep -qxF 'clear_env = no' /etc/php8/php-fpm.d/www.conf || echo 'clear_env = no' >> /etc/php8/php-fpm.d/www.conf && \
+ echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php8/php-fpm.conf && \
+ echo "**** setup php opcache ****" && \
 { \
 echo 'opcache.memory_consumption=128'; \
 echo 'opcache.interned_strings_buffer=8'; \
 echo 'opcache.max_accelerated_files=4000'; \
 echo 'opcache.revalidate_freq=2'; \
 echo 'opcache.fast_shutdown=1'; \
- } > /etc/php7/conf.d/opcache-recommended.ini; \
+ } > /etc/php8/conf.d/opcache-recommended.ini; \
 \
 { \
 echo 'session.cookie_httponly=1'; \
 echo 'session.use_strict_mode=1'; \
- } > /etc/php7/conf.d/session-strict.ini; \
+ } > /etc/php8/conf.d/session-strict.ini; \
 \
 { \
 echo 'allow_url_fopen=Off'; \
@@ -43,27 +52,38 @@ RUN \
 echo 'memory_limit=${MEMORY_LIMIT}'; \
 echo 'post_max_size=${UPLOAD_LIMIT}'; \
 echo 'upload_max_filesize=${UPLOAD_LIMIT}'; \
- } > /etc/php7/conf.d/phpmyadmin-misc.ini && \
+ } > /etc/php8/conf.d/phpmyadmin-misc.ini && \
 echo "**** install phpmyadmin ****" && \
- mkdir -p /app/phpmyadmin && \
+ mkdir -p /app/www/public && \
 if [ -z ${PHPMYADMIN_VERSION+x} ]; then \
- PHPMYADMIN_VERSION=$(curl -sX GET 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases' \
- | jq -r '.[] | select (.prerelease==false)' \
- | jq -rs 'max_by(.name | split(".") | map(tonumber)) | .name'); \
+ PHPMYADMIN_VERSION=$(curl -sL 'https://www.phpmyadmin.net/home_page/version.txt' \
+ | head -n 1 | cut -d ' ' -f 1); \
 fi && \
 curl -s -o \
 /tmp/phpmyadmin.tar.xz -L \
 "https://files.phpmyadmin.net/phpMyAdmin/${PHPMYADMIN_VERSION}/phpMyAdmin-${PHPMYADMIN_VERSION}-all-languages.tar.xz" && \
+ curl -s -o \
+ "/tmp/phpmyadmin.tar.xz.asc" -L \
+ "https://files.phpmyadmin.net/phpMyAdmin/${PHPMYADMIN_VERSION}/phpMyAdmin-${PHPMYADMIN_VERSION}-all-languages.tar.xz.asc" && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ gpg --batch -q --keyserver keyserver.ubuntu.com --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver pgp.mit.edu --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver keyserver.pgp.com --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver keys.openpgp.org --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" && \
+ if ! gpg --batch -q --verify "/tmp/phpmyadmin.tar.xz.asc" "/tmp/phpmyadmin.tar.xz"; then \
+ echo "File signature mismatch" \
+ exit 1; \
+ fi && \
 tar xf \
 /tmp/phpmyadmin.tar.xz -C \
- /app/phpmyadmin/ --strip-components=1 && \
- sed -i "s@'configFile' =>.*@'configFile' => '/config/phpmyadmin/config.inc.php',@" "/app/phpmyadmin/libraries/vendor_config.php" && \
- sed -i 's@;clear_env = no@clear_env = no@' "/etc/php7/php-fpm.d/www.conf" && \
+ /app/www/public/ --strip-components=1 && \
+ sed -i "s@'configFile' =>.*@'configFile' => '/config/phpmyadmin/config.inc.php',@" "/app/www/public/libraries/vendor_config.php" && \
+ echo "**** cleanup ****" && \
+ apk del --purge \
+ build-dependencies && \
 rm -rf \
 /tmp/*
 COPY root/ /
-EXPOSE 80
-
-VOLUME /config
\ No newline at end of file
+EXPOSE 80 443
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index b9b15a2..b50938e 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -1,40 +1,49 @@
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.14
-
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm32v7-3.15
 ARG BUILD_DATE
 ARG VERSION
 ARG PHPMYADMIN_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
 LABEL maintainer="TheSpad"
+ARG PHPMYADMIN_RELEASE_GPG_KEY="3D06A59ECE730EB71B511C17CE752F178259BD92"
 ENV MAX_EXECUTION_TIME 600
 ENV MEMORY_LIMIT 512M
 ENV UPLOAD_LIMIT 8192K
 RUN \
+ apk add --no-cache --virtual=build-dependencies \
+ gpg \
+ gpg-agent \
+ gnupg-dirmngr && \
 apk add -U --upgrade --no-cache \
 curl \
 jq \
- php7-gd \
- php7-bz2 \
- php7-mysqli \
- php7-opcache \
- php7-iconv \
- php7-dom \
- php7-tokenizer \
- php7-curl \
- php7-zip && \
+ php8-gd \
+ php8-bz2 \
+ php8-mysqli \
+ php8-opcache \
+ php8-iconv \
+ php8-dom \
+ php8-tokenizer \
+ php8-curl \
+ php8-zip && \
+ echo "**** configure php-fpm to pass env vars ****" && \
+ sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php8/php-fpm.d/www.conf && \
+ grep -qxF 'clear_env = no' /etc/php8/php-fpm.d/www.conf || echo 'clear_env = no' >> /etc/php8/php-fpm.d/www.conf && \
+ echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php8/php-fpm.conf && \
+ echo "**** setup php opcache ****" && \
 { \
 echo 'opcache.memory_consumption=128'; \
 echo 'opcache.interned_strings_buffer=8'; \
 echo 'opcache.max_accelerated_files=4000'; \
 echo 'opcache.revalidate_freq=2'; \
 echo 'opcache.fast_shutdown=1'; \
- } > /etc/php7/conf.d/opcache-recommended.ini; \
+ } > /etc/php8/conf.d/opcache-recommended.ini; \
 \
 { \
 echo 'session.cookie_httponly=1'; \
 echo 'session.use_strict_mode=1'; \
- } > /etc/php7/conf.d/session-strict.ini; \
+ } > /etc/php8/conf.d/session-strict.ini; \
 \
 { \
 echo 'allow_url_fopen=Off'; \
@@ -43,27 +52,38 @@ RUN \
 echo 'memory_limit=${MEMORY_LIMIT}'; \
 echo 'post_max_size=${UPLOAD_LIMIT}'; \
 echo 'upload_max_filesize=${UPLOAD_LIMIT}'; \
- } > /etc/php7/conf.d/phpmyadmin-misc.ini && \
+ } > /etc/php8/conf.d/phpmyadmin-misc.ini && \
 echo "**** install phpmyadmin ****" && \
- mkdir -p /app/phpmyadmin && \
+ mkdir -p /app/www/public && \
 if [ -z ${PHPMYADMIN_VERSION+x} ]; then \
- PHPMYADMIN_VERSION=$(curl -sX GET 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases' \
- | jq -r '.[] | select (.prerelease==false)' \
- | jq -rs 'max_by(.name | split(".") | map(tonumber)) | .name'); \
+ PHPMYADMIN_VERSION=$(curl -sL 'https://www.phpmyadmin.net/home_page/version.txt' \
+ | head -n 1 | cut -d ' ' -f 1); \
 fi && \
 curl -s -o \
 /tmp/phpmyadmin.tar.xz -L \
 "https://files.phpmyadmin.net/phpMyAdmin/${PHPMYADMIN_VERSION}/phpMyAdmin-${PHPMYADMIN_VERSION}-all-languages.tar.xz" && \
+ curl -s -o \
+ "/tmp/phpmyadmin.tar.xz.asc" -L \
+ "https://files.phpmyadmin.net/phpMyAdmin/${PHPMYADMIN_VERSION}/phpMyAdmin-${PHPMYADMIN_VERSION}-all-languages.tar.xz.asc" && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ gpg --batch -q --keyserver keyserver.ubuntu.com --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver pgp.mit.edu --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver keyserver.pgp.com --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" \
+ || gpg --batch -q --keyserver keys.openpgp.org --recv-keys "$PHPMYADMIN_RELEASE_GPG_KEY" && \
+ if ! gpg --batch -q --verify "/tmp/phpmyadmin.tar.xz.asc" "/tmp/phpmyadmin.tar.xz"; then \
+ echo "File signature mismatch" \
+ exit 1; \
+ fi && \
 tar xf \
 /tmp/phpmyadmin.tar.xz -C \
- /app/phpmyadmin/ --strip-components=1 && \
- sed -i "s@'configFile' =>.*@'configFile' => '/config/phpmyadmin/config.inc.php',@" "/app/phpmyadmin/libraries/vendor_config.php" && \
- sed -i 's@;clear_env = no@clear_env = no@' "/etc/php7/php-fpm.d/www.conf" && \
+ /app/www/public/ --strip-components=1 && \
+ sed -i "s@'configFile' =>.*@'configFile' => '/config/phpmyadmin/config.inc.php',@" "/app/www/public/libraries/vendor_config.php" && \
+ echo "**** cleanup ****" && \
+ apk del --purge \
+ build-dependencies && \
 rm -rf \
 /tmp/*
 COPY root/ /
-EXPOSE 80
-
-VOLUME /config
\ No newline at end of file
+EXPOSE 80 443
diff --git a/Jenkinsfile b/Jenkinsfile
index 1bd26ab..3edf614 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -107,7 +107,7 @@ pipeline {
 steps{
 script{
 env.EXT_RELEASE = sh(
- script: ''' curl -sX GET 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases' | jq -r '.[] | select (.prerelease==false)' | jq -rs 'max_by(.name | split(".") | map(tonumber)) | .name' ''',
+ script: ''' curl -sL 'https://www.phpmyadmin.net/home_page/version.txt' | head -n 1 | cut -d ' ' -f 1 ''',
 returnStdout: true).trim()
 env.RELEASE_LINK = 'custom_command'
 }
diff --git a/README.md b/README.md
index 8a56dbf..fb1cb7b 100644
--- a/README.md
+++ b/README.md
@@ -60,11 +60,11 @@ The architectures supported by this image are:
 ## Application Setup
-For more information check out the [phpmyadmin documentation](https://www.phpmyadmin.net/docs/).
+This image uses nginx, in contrast to the official images which offer fpm-only or Apache variants. We support all of the official [environment variables](https://docs.phpmyadmin.net/en/latest/setup.html#docker-environment-variables) for configuration as well as directly editing the config files.
-# changelog
+For more information check out the [phpmyadmin documentation](https://www.phpmyadmin.net/docs/).
 ## Usage
@@ -231,5 +231,6 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **20.08.22:** - Rebasing to Alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base)).
 * **23.01.22:** - Pin versions to 5.x.x.
 * **14.06.21:** - Initial Release.
diff --git a/jenkins-vars.yml b/jenkins-vars.yml
index cce248f..16b5a66 100644
--- a/jenkins-vars.yml
+++ b/jenkins-vars.yml
@@ -3,7 +3,7 @@
 # jenkins variables
 project_name: docker-phpmyadmin
 external_type: na
-custom_version_command: "curl -sX GET 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases' | jq -r '.[] | select (.prerelease==false)' | jq -rs 'max_by(.name | split(\".\") | map(tonumber)) | .name'"
+custom_version_command: "curl -sL 'https://www.phpmyadmin.net/home_page/version.txt' | head -n 1 | cut -d ' ' -f 1"
 release_type: stable
 release_tag: latest
 ls_branch: main
diff --git a/readme-vars.yml b/readme-vars.yml
index fd29643..891490b 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -39,11 +39,14 @@ param_volumes:
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
- For more information check out the [phpmyadmin documentation](https://www.phpmyadmin.net/docs/).
+ This image uses nginx, in contrast to the official images which offer fpm-only or Apache variants. We support all of the official [environment variables](https://docs.phpmyadmin.net/en/latest/setup.html#docker-environment-variables) for configuration as well as directly editing the config files.
- # changelog
+ For more information check out the [phpmyadmin documentation](https://www.phpmyadmin.net/docs/).
+
+# changelog
 changelogs:
+ - { date: "20.08.22:", desc: "Rebasing to Alpine 3.15 with php8. Restructure nginx configs ([see changes announcement](https://info.linuxserver.io/issues/2022-08-20-nginx-base))." }
 - { date: "23.01.22:", desc: "Pin versions to 5.x.x." }
 - { date: "14.06.21:", desc: "Initial Release." }
\ No newline at end of file