[Feature] Disable unused PHP modules in Docker image #5993

Closed
daberlin opened this issue Dec 28, 2023 · 3 comments · Fixed by #5994
@daberlin

Is your feature request related to a problem? Please describe.
PHP in the Docker image loads several modules that are not needed and (1) consume memory and (2) enlarge the attack surface security-wise.

Describe the solution you’d like

RUN phpdismod calendar exif ftp gettext gmp iconv intl phar posix readline shmop sockets \
              sysvmsg sysvshm tokenizer xmlreader xmlwriter xsl

Describe alternatives you’ve considered
None

Additional context
None

@Frenzie
Member

Frenzie commented Dec 28, 2023

I don't know about all of those but most of them are definitely needed. Strictly speaking some aren't needed in the sense that things will mostly work without but purposefully installing them and then disabling them is a bit backwards. ;-D And yes, I'm pretty sure we do indeed want to also install the optional ones like iconv.

RUN apk add --no-cache \
tzdata \
apache2 php-apache2 \
php php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-ctype php-dom php-fileinfo php-iconv php-json php-opcache php-openssl php-phar php-session php-simplexml php-xmlreader php-xmlwriter php-xml php-tokenizer php-zlib \
php-pdo_sqlite php-pdo_mysql php-pdo_pgsql \
bash composer curl docker-cli-buildx git gpg make nodejs npm shellcheck shfmt sudo

@Alkarex Alkarex added the Docker Everything related to Docker label Dec 28, 2023
@Alkarex
Member

Alkarex commented Dec 28, 2023

Debian version:

php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-sqlite3 php-mysql php-pgsql && \

Alpine version:

php php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-ctype php-dom php-fileinfo php-iconv php-json php-opcache php-openssl php-phar php-session php-simplexml php-xmlreader php-xmlwriter php-xml php-tokenizer php-zlib \
php-pdo_sqlite php-pdo_mysql php-pdo_pgsql

  1. As Frenzie is writing already, I do not believe we install any package that we do not need;
  2. but we might want to disable some extensions though (especially in Debian, which has more extensions enabled by default)

Concrete PR welcome so we can discuss the details
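
An added example, not part of the thread or of FreshRSS: one way to find extensions that are loaded but not on the required list is to diff `php -m` output against an allowlist. The allowlist below is taken from the Alpine package list quoted above, assuming package `php-<name>` provides extension `<name>`; the built-in list, the function names and the sample `php -m` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `php -m` output against an allowlist of extensions.
LC_ALL=C; export LC_ALL

# Allowlist taken from the Alpine package list quoted in the thread
# (assumption: package php-<name> provides extension <name>).
REQUIRED="curl gmp intl mbstring xml zip ctype dom fileinfo iconv json opcache \
openssl phar session simplexml xmlreader xmlwriter tokenizer zlib \
pdo_sqlite pdo_mysql pdo_pgsql"
# Assumption: these are compiled into PHP itself and cannot be disabled.
BUILTIN="core date hash pcre reflection spl standard"

# Read `php -m` output on stdin; print one lowercase extension name per line,
# dropping the "[PHP Modules]" / "[Zend Modules]" headers and blank lines.
normalize_modules() {
    tr '[:upper:]' '[:lower:]' |
        sed -e '/^\[/d' -e '/^[[:space:]]*$/d' -e 's/^zend opcache$/opcache/' |
        sort -u
}

# Print loaded modules that are neither on the allowlist nor built in.
extra_modules() {
    normalize_modules | while IFS= read -r mod; do
        case " $REQUIRED $BUILTIN " in
            *" $mod "*) ;;
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# Print allowlisted modules that are absent from the loaded set.
missing_modules() {
    loaded=" $(normalize_modules | tr '\n' ' ')"
    for mod in $REQUIRED; do
        case "$loaded" in
            *" $mod "*) ;;
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# Constructed sample of `php -m` output, so the script runs without PHP.
sample_php_m() {
    printf '%s\n' '[PHP Modules]' calendar Core ctype curl date exif ftp PDO \
        Phar SimpleXML 'Zend OPcache' '' '[Zend Modules]' 'Zend OPcache'
}

# Demo on the sample; inside a real image run: php -m | extra_modules
echo "Loaded but not on the allowlist:"; sample_php_m | extra_modules
```

The names it prints are candidates for review, not a list to disable blindly: some, such as `pdo` in the sample, are dependencies of allowlisted extensions.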

@Alkarex Alkarex added this to the 1.24.0 milestone Dec 29, 2023
Alkarex added a commit to Alkarex/FreshRSS that referenced this issue Dec 29, 2023
@Alkarex
Member

Alkarex commented Dec 29, 2023

Please check #5994
