From c8ab498a0ed7efd935e0a402fa59f63121cddf7d Mon Sep 17 00:00:00 2001 From: James Deathe Date: Wed, 17 Jul 2019 22:02:59 +0100 Subject: [PATCH] #178: Updates documentation and related info for clarity and to simplify maintenance. --- CHANGELOG.md | 13 ++- Dockerfile | 2 +- README-short.txt | 2 +- README.md | 280 ++++++++++++----------------------------------- command-keys.md | 67 ------------ 5 files changed, 81 insertions(+), 283 deletions(-) delete mode 100644 command-keys.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 527feab..05612c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,18 @@ # Change Log -## centos-7 +## 2 - centos-7 -Summary of release changes for Version 2. - -CentOS-7 7.5.1804 x86_64, Apache 2.4, PHP-CGI 5.4 (FastCGI), PHP memcached 2.2, Zend Opcache 7.0. +Summary of release changes. ### 2.2.0 - Unreleased - Updates description in centos-ssh-apache-php-fcgi.register@.service. -- Updates Dockerfile `org.deathe.description` metadata LABEL to include PHP redis module. -- Removes unused `DOCKER_PORT_MAP_TCP_22` variable from environment includes. - Updates Apache configuration to use DSO Module identifiers for consistency. +- Updates CHANGELOG.md to simplify maintenance. +- Updates README.md to simplify contents and improve readability. +- Updates README-short.txt to apply to all image variants. +- Updates Dockerfile `org.deathe.description` metadata LABEL for consistency + include PHP redis module. +- Removes unused `DOCKER_PORT_MAP_TCP_22` variable from environment includes. ### 2.1.0 - 2019-04-14 diff --git a/Dockerfile b/Dockerfile index 301ac3b..dbd4ee1 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -283,7 +283,7 @@ jdeathe/centos-ssh-apache-php-fcgi:${RELEASE_VERSION} \ org.deathe.license="MIT" \ org.deathe.vendor="jdeathe" \ org.deathe.url="https://github.com/jdeathe/centos-ssh-apache-php-fcgi" \ - org.deathe.description="CentOS-7 7.5.1804 x86_64 - Apache 2.4, PHP-CGI 5.4 (FastCGI), PHP memcached 2.2, PHP redis 2.2, Zend Opcache 7.0." + org.deathe.description="Apache 2.4, PHP-CGI 5.4 (FastCGI), PHP memcached 2.2, PHP redis 2.2, Zend Opcache 7.0 - CentOS-7 7.5.1804 x86_64." HEALTHCHECK \ --interval=1s \ diff --git a/README-short.txt b/README-short.txt index 7253bbc..036f109 100644 --- a/README-short.txt +++ b/README-short.txt @@ -1 +1 @@ -CentOS-7 7.5.1804 x86_64 - Apache / PHP-CGI (FastCGI) / PHP memcached / Zend Opcache. \ No newline at end of file +Apache PHP-CGI (FastCGI) - CentOS. \ No newline at end of file diff --git a/README.md b/README.md index ebcea60..74b81a5 100644 --- a/README.md +++ b/README.md 
@@ -1,44 +1,22 @@ -centos-ssh-apache-php-fcgi -========================== - -Docker Image including: -- CentOS-6 6.10 x86_64, Apache 2.2, PHP-CGI 5.3 (FastCGI), PHP memcached 1.0, PHP redis 2.2, PHP APC 3.1. -- CentOS-7 7.5.1804 x86_64, Apache 2.4, PHP-CGI 5.4 (FastCGI), PHP memcached 2.2, PHP redis 2.2, Zend Opcache 7.0. - -Apache PHP web server, loading only a minimal set of Apache modules by default. Supports custom configuration via environment variables. - -## Overview & links +### Tags and respective `Dockerfile` links - `centos-7`, `centos-7-2.1.0`, `2.1.0` [(centos-7/Dockerfile)](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-7/Dockerfile) - `centos-6`, `centos-6-1.12.0`, `1.12.0` [(centos-6/Dockerfile)](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-6/Dockerfile) -#### centos-6 - -The latest CentOS-6 based release can be pulled from the centos-6 Docker tag. It is recommended to select a specific release tag - the convention is `centos-6-1.12.0` or `1.12.0` for the [1.12.0](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/tree/1.12.0) release tag. +## Overview -#### centos-7 +Apache PHP (FastCGI) web server, loading only a minimal set of Apache modules by default. -The latest CentOS-7 based release can be pulled from the centos-7 Docker tag. It is recommended to select a specific release tag - the convention is `centos-7-2.1.0` or `2.1.0` for the [2.1.0](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/tree/2.1.0) release tag. +This build uses the base image [jdeathe/centos-ssh](https://github.com/jdeathe/centos-ssh) so inherits it's features but with `sshd` disabled by default. [Supervisor](http://supervisord.org/) is used to start the Apache [`httpd`](https://httpd.apache.org/) daemon when a docker container based on this image is run. 
-This build of [Apache](https://httpd.apache.org/), (httpd CentOS package), uses the [mod_fcgid](https://httpd.apache.org/mod_fcgid/) module to run [PHP](http://php.net/) as a [FastCGI](http://www.fastcgi.com/) process. +### Image variants -Included in the build are the [SCL](https://www.softwarecollections.org/), [EPEL](http://fedoraproject.org/wiki/EPEL) and [IUS](https://ius.io) repositories. Installed packages include [OpenSSH](http://www.openssh.com/portable.html) secure shell, [vim-minimal](http://www.vim.org/), [elinks](http://elinks.or.cz) (for fullstatus support), PHP [APC](http://pecl.php.net/package/APC), PHP [Memcached](http://pecl.php.net/package/memcached) are installed along with python-setuptools, [supervisor](http://supervisord.org/) and [supervisor-stdout](https://github.com/coderanger/supervisor-stdout). +- [Apache 2.4, PHP-CLI 5.4 (FastCGI), PHP memcached 2.2, PHP redis 2.2, Zend Opcache 7.0 - CentOS-7](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-7) +- [Apache 2.2, PHP-CGI 5.3 (FastCGI), PHP memcached 1.0, PHP redis 2.2, PHP APC 3.1 - CentOS-6](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-6) -Supervisor is used to start httpd.worker daemon when a docker container based on this image is run. To enable simple viewing of stdout for the service's subprocess, supervisor-stdout is included. This allows you to see output from the supervisord controlled subprocesses with `docker logs {docker-container-name}`. +## Quick start -If enabling and configuring SSH access, it is by public key authentication and, by default, the [Vagrant](http://www.vagrantup.com/) [insecure private key](https://github.com/mitchellh/vagrant/blob/master/keys/vagrant) is required. - -### SSH Alternatives - -SSH is not required in order to access a terminal for the running container. 
The simplest method is to use the docker exec command to run bash (or sh) as follows: - -``` -$ docker exec -it {docker-name-or-id} bash -``` - -For cases where access to docker exec is not possible the preferred method is to use Command Keys and the nsenter command. See [command-keys.md](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-6/command-keys.md) for details on how to set this up. - -## Quick Example +> For production use, it is recommended to select a specific release tag as shown in the examples. Run up a container named `apache-php.1` from the docker image `jdeathe/centos-ssh-apache-php-fcgi` on port 8080 of your docker host. 
@@ -50,180 +28,68 @@ $ docker run -d \ jdeathe/centos-ssh-apache-php-fcgi:2.1.0 ``` -Now point your browser to `http://{docker-host}:8080` where `{docker-host}` is the host name of your docker server and, if all went well, you should see the "Hello, world!" page. +Go to `http://{{docker-host}}:8080` using a browser where `{{docker-host}}` is the host name of your docker server and, if all went well, you should see the "Hello, world!" page. + +![PHP "Hello, world!" - Chrome screenshot](https://raw.github.com/jdeathe/centos-ssh-apache-php-fcgi/centos-7/images/php-hello-world-chrome-fcgi.png) -![PHP "Hello, world!" - Chrome screenshot](https://raw.github.com/jdeathe/centos-ssh-apache-php-fcgi/centos-6/images/php-hello-world-chrome-fcgi.png) +To be able to access the server using the "app-1.local" domain name you need to add a hosts file entry locally; such that the IP address of the Docker host resolves to the name "app-1.local". Alternatively, you can use the `elinks` browser installed in the container. -To be able to access the server using the "app-1.local" domain name you need to add a hosts file entry locally; such that the IP address of the Docker host resolves to the name "app-1.local". Alternatively, you can use the elinks browser installed in the container. Note that because you are using the browser from the container you access the site over port 80. +> Note that because you are using the browser from the container you access the site over the standard port 80. ``` $ docker exec -it apache-php.1 \ elinks http://app-1.local ``` -![PHP "Hello, world!" - eLinks screenshot](https://raw.github.com/jdeathe/centos-ssh-apache-php-fcgi/centos-6/images/php-hello-world-elinks-fcgi.png) +![PHP "Hello, world!" - eLinks screenshot](https://raw.github.com/jdeathe/centos-ssh-apache-php-fcgi/centos-7/images/php-hello-world-elinks-fcgi.png) + +Verify the named container's process status and health. 
-To verify the container is initialised and running successfully by inspecting the container's logs. +``` +$ docker ps -a \ + -f "name=apache-php.1" +``` + +Verify successful initialisation of the named container. ``` $ docker logs apache-php.1 ``` -On first run, the bootstrap script, ([/usr/sbin/httpd-bootstrap](https://github.com/jdeathe/centos-ssh-apache-php/blob/centos-6/src/usr/sbin/httpd-bootstrap)), will check if the DocumentRoot directory is empty and, if so, will populate it with the example app scripts and VirtualHost configuration files. +On first run, if the DocumentRoot directory is empty, it will be populated with the example app scripts and app specific configuration files. The `apachectl` command can be accessed as follows. ``` $ docker exec -it apache-php.1 \ - bash -c "apachectl -h" + apachectl -h ``` ## Instructions ### Running -To run the a docker container from this image you can use the standard docker commands. Alternatively, you can use the embedded (Service Container Manager Interface) [scmi](https://github.com/jdeathe/centos-ssh/blob/centos-6/src/usr/sbin/scmi) that is included in the image since `centos-6-1.7.1` or, if you have a checkout of the [source repository](https://github.com/jdeathe/centos-ssh-apache-php-fcgi), and have make installed the Makefile provides targets to build, install, start, stop etc. where environment variables can be used to configure the container options and set custom docker run parameters. - -#### SCMI Installation Examples +To run the a docker container from this image you can use the standard docker commands as shown in the example below. Alternatively, there's a [docker-compose](https://github.com/jdeathe/centos-ssh-apache-php-fcgi/blob/centos-7/docker-compose.yml) example. -The following example uses docker to run the SCMI install command to create and start a container named `apache-php.1`. 
To use SCMI it requires the use of the `--privileged` docker run parameter and the docker host's root directory mounted as a volume with the container's mount directory also being set in the `scmi` `--chroot` option. The `--setopt` option is used to add extra parameters to the default docker run command template; in the following example a named configuration volume is added which allows the SSH host keys to persist after the first container initialisation. Not that the placeholder `{{NAME}}` can be used in this option and is replaced with the container's name. - -##### SCMI Install - -``` -$ docker run \ - --rm \ - --privileged \ - --volume /:/media/root \ - --env BASH_ENV="" \ - --env ENV="" \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 \ - /usr/sbin/scmi install \ - --chroot=/media/root \ - --tag=2.1.0 \ - --name=apache-php.1 -``` - -##### SCMI Uninstall - -To uninstall the previous example simply run the same docker run command with the scmi `uninstall` command. - -``` -$ docker run \ - --rm \ - --privileged \ - --volume /:/media/root \ - --env BASH_ENV="" \ - --env ENV="" \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 \ - /usr/sbin/scmi uninstall \ - --chroot=/media/root \ - --tag=2.1.0 \ - --name=apache-php.1 -``` +For production use, it is recommended to select a specific release tag as shown in the examples. -##### SCMI Systemd Support +#### Using environment variables -If your docker host has systemd (and optionally etcd) installed then `scmi` provides a method to install the container as a systemd service unit. This provides some additional features for managing a group of instances on a single docker host and has the option to use an etcd backed service registry. Using a systemd unit file allows the System Administrator to use a Drop-In to override the settings of a unit-file template used to create service instances. 
To use the systemd method of installation use the `-m` or `--manager` option of `scmi` and to include the optional etcd register companion unit use the `--register` option. - -``` -$ docker run \ - --rm \ - --privileged \ - --volume /:/media/root \ - --env BASH_ENV="" \ - --env ENV="" \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 \ - /usr/sbin/scmi install \ - --chroot=/media/root \ - --tag=1.12.0 \ - --name=apache-php.1 \ - --manager=systemd \ - --register \ - --env='APACHE_MOD_SSL_ENABLED=true' \ - --setopt='--volume {{NAME}}.data-tls:/etc/pki/tls' -``` - -##### SCMI Fleet Support - -**_Deprecation Notice:_** The fleet project is no longer maintained. The fleet `--manager` option has been deprecated in `scmi`. - -If your docker host has systemd, fleetd (and optionally etcd) installed then `scmi` provides a method to schedule the container to run on the cluster. This provides some additional features for managing a group of instances on a [fleet](https://github.com/coreos/fleet) cluster and has the option to use an etcd backed service registry. To use the fleet method of installation use the `-m` or `--manager` option of `scmi` and to include the optional etcd register companion unit use the `--register` option. - -##### SCMI Image Information - -Since release `centos-6-1.7.1` the install template has been added to the image metadata. Using docker inspect you can access `scmi` to simplify install/uninstall tasks. - -To see detailed information about the image run `scmi` with the `--info` option. To see all available `scmi` options run with the `--help` option. - -``` -$ eval "sudo -E $( - docker inspect \ - -f "{{.ContainerConfig.Labels.install}}" \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 - ) --info" -``` - -To perform an installation using the docker name `apache-php.2` simply use the `--name` or `-n` option. 
- -``` -$ eval "sudo -E $( - docker inspect \ - -f "{{.ContainerConfig.Labels.install}}" \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 - ) --name=apache-php.2" -``` - -To uninstall use the *same command* that was used to install but with the `uninstall` Label. - -``` -$ eval "sudo -E $( - docker inspect \ - -f "{{.ContainerConfig.Labels.uninstall}}" \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 - ) --name=apache-php.2" -``` - -##### SCMI on Atomic Host - -With the addition of install/uninstall image labels it is possible to use [Project Atomic's](http://www.projectatomic.io/) `atomic install` command to simplify install/uninstall tasks on [CentOS Atomic](https://wiki.centos.org/SpecialInterestGroup/Atomic) Hosts. - -_NOTE:_ A prerequisite of the following examples is that the image has been pulled (or loaded from the release package). - -``` -$ docker pull jdeathe/centos-ssh-apache-php-fcgi:2.1.0 ``` - -To see detailed information about the image run `scmi` with the `--info` option. To see all available `scmi` options run with the `--help` option. - -``` -$ sudo -E atomic install \ - -n apache-php.3 \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 \ - --info -``` - -To perform an installation using the docker name `apache-php.3` simply use the `-n` option of the `atomic install` command. - -``` -$ sudo -E atomic install \ - -n apache-php.3 \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 -``` - -Alternatively, you could use the `scmi` options `--name` or `-n` for naming the container. - -``` -$ sudo -E atomic install \ - jdeathe/centos-ssh-apache-php-fcgi:2.1.0 \ - --name apache-php.3 -``` - -To uninstall use the *same command* that was used to install but with the `uninstall` Label. 
- -``` -$ sudo -E atomic uninstall \ - -n apache-php.3 \ +$ docker stop apache-php.1 && \ + docker rm apache-php.1; \ + docker run -d \ + --name apache-php.1 \ + --publish 8080:80 \ + --publish 9443:443 \ + --env "APACHE_CUSTOM_LOG_LOCATION=/dev/stdout" \ + --env "APACHE_ERROR_LOG_LOCATION=/dev/stderr" \ + --env "APACHE_EXTENDED_STATUS_ENABLED=true" \ + --env "APACHE_LOAD_MODULES=env_module rewrite_module" \ + --env "APACHE_MOD_SSL_ENABLED=true" \ + --env "APACHE_SERVER_NAME=app-1.local" \ + --env "APACHE_SSL_PROTOCOL=All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" \ + --env "PHP_OPTIONS_DATE_TIMEZONE=Europe/London" \ jdeathe/centos-ssh-apache-php-fcgi:2.1.0 ``` 
@@ -231,26 +97,13 @@ $ sudo -E atomic uninstall \ There are environmental variables available which allows the operator to customise the running container. -##### APACHE_AUTOSTART_HTTPD_BOOTSTRAP & APACHE_AUTOSTART_HTTPD_WRAPPER - -It may be desirable to prevent the startup of the httpd-bootstrap and/or httpd-wrapper scripts. For example, when using an image built from this Dockerfile as the source for another Dockerfile you could disable services from startup by setting `APACHE_AUTOSTART_HTTPD_WRAPPER` to `false`. The benefit of this is to reduce the number of running processes in the final container. Another use for this would be to make use of the packages installed in the image such as `ab`, `curl`, `elinks`, `php-cli` etc. +##### ENABLE_HTTPD_BOOTSTRAP, ENABLE_HTTPD_WRAPPER & ENABLE_PHP_FPM_WRAPPER -##### APACHE_SERVER_NAME & APACHE_SERVER_ALIAS - -The `APACHE_SERVER_NAME` and `APACHE_SERVER_ALIAS` environmental variables are used to set the VirtualHost `ServerName` and `ServerAlias` values respectively. If the value contains the placeholder `{{HOSTNAME}}` it will be replaced with the system `hostname` value; by default this is the container id but the hostname can be modified using the `--hostname` docker create|run parameter. - -In the following example the running container would respond to the host names `app-1.local` or `app-1`. - -``` -... - --env "APACHE_SERVER_ALIAS=app-1" \ - --env "APACHE_SERVER_NAME=app-1.local" \ -... -``` +It may be desirable to prevent the startup of the `httpd-bootstrap` and/or `httpd-wrapper` scripts. For example, when using an image built from this Dockerfile as the source for another Dockerfile you could disable services from startup by setting `ENABLE_HTTPD_WRAPPER` to `false`. The benefit of this is to reduce the number of running processes in the final container. Another use for this would be to make use of the packages installed in the image such as `ab`, `curl`, `elinks`, `php-cli` etc. 
##### APACHE_CONTENT_ROOT -The home directory of the service user and parent directory of the Apache DocumentRoot is /var/www/app by default but can be changed if necessary using the `APACHE_CONTENT_ROOT` environment variable. +The home directory of the service user and parent directory of the Apache DocumentRoot is `/var/www/app` by default but can be changed if necessary using the `APACHE_CONTENT_ROOT` environment variable. ``` ... @@ -258,8 +111,6 @@ The home directory of the service user and parent directory of the Apache Docume ... ``` -from your browser you can then access it with `http://app-1.local:8080` assuming you have the IP address of your docker mapped to the hostname using your DNS server or a local hosts entry. - ##### APACHE_CUSTOM_LOG_LOCATION & APACHE_CUSTOM_LOG_FORMAT The Apache CustomLog can be defined using `APACHE_CUSTOM_LOG_LOCATION` to set a file, (or pipe), location and `APACHE_CUSTOM_LOG_FORMAT` to specify the required LogFormat nickname. 
@@ -304,17 +155,19 @@ The variable `APACHE_EXTENDED_STATUS_ENABLED` allows you to turn ExtendedStatus ``` ... - --env "APACHE_EXTENDED_STATUS_ENABLED=true" + --env "APACHE_EXTENDED_STATUS_ENABLED=true" \ ... ``` -You can view the output from Apache server-status either using the elinks browser from onboard the container or by using `watch` and `curl` to monitor status over time. The following command shows the server-status updated at a 1 second interval given an `APACHE_SERVER_NAME` or `APACHE_SERVER_ALIAS` of "app-1.local". +You can view the output from Apache server-status either using the `elinks` browser from onboard the container or by using `watch` and `curl` to monitor status over time. The following command shows the server-status updated at a 1 second interval given an `APACHE_SERVER_NAME` or `APACHE_SERVER_ALIAS` of "app-1.local". ``` $ docker exec -it apache-php.1 \ env TERM=xterm \ watch -n 1 \ - -d "curl -sH 'Host: app-1.local' http://127.0.0.1/server-status?auto" + -d "curl -s \ + -H 'Host: app-1.local' \ + http://127.0.0.1/server-status?auto" ``` ##### APACHE_HEADER_X_SERVICE_UID @@ -329,8 +182,7 @@ The `APACHE_HEADER_X_SERVICE_UID` environmental variable is used to set a respon ##### APACHE_LOAD_MODULES -By default, the image loads a minimal set of required Apache modules. To load additional modules the -`APACHE_LOAD_MODULES` can be used. To load both the `mod_env` and `mod_rewrite` Apache Modules use the respective module identifiers. i.e. `env_module` and `rewrite_module`. +By default, the image loads a minimal set of required Apache modules. To load additional modules the `APACHE_LOAD_MODULES` can be used. To load both the `mod_env` and `mod_rewrite` Apache Modules use the respective module identifiers. i.e. `env_module` and `rewrite_module`. ``` ... 
@@ -344,15 +196,14 @@ By default SSL support is disabled but a second port, (mapped to 8443), is avail ``` $ docker stop apache-php.1 && \ - docker rm apache-php.1 -$ docker run -d \ + docker rm apache-php.1; \ + docker run -d \ --name apache-php.1 \ --publish 8080:80 \ --publish 9443:443 \ --env "APACHE_SERVER_ALIAS=app-1" \ --env "APACHE_SERVER_NAME=app-1.local" \ --env "APACHE_MOD_SSL_ENABLED=true" \ - --volume apache-php.1.data-tls:/etc/pki/tls \ jdeathe/centos-ssh-apache-php-fcgi:2.1.0 ``` @@ -387,6 +238,19 @@ The public directory is relative to the `APACHE_CONTENT_ROOT` and together they ... ``` +##### APACHE_SERVER_ALIAS & APACHE_SERVER_NAME + +The `APACHE_SERVER_NAME` and `APACHE_SERVER_ALIAS` environmental variables are used to set the VirtualHost `ServerName` and `ServerAlias` values respectively. If the value contains the placeholder `{{HOSTNAME}}` it will be replaced with the system `hostname` value; by default this is the container id but the hostname can be modified using the `--hostname` docker create|run parameter. + +In the following example the running container would respond to the host names `app-1.local` or `app-1`. + +``` +... + --env "APACHE_SERVER_ALIAS=app-1" \ + --env "APACHE_SERVER_NAME=app-1.local" \ +... +``` + ##### APACHE_SSL_CERTIFICATE The `APACHE_SSL_CERTIFICATE` environment variable is used to define a PEM encoded certificate bundle. To make a compatible certificate bundle use the `cat` command to combine the certificate files together. 
@@ -400,7 +264,7 @@ $ cat /usr/share/private/server-key.pem \ Base64 encoding of the PEM file contents is recommended if not using the file path method. -*Note:* The `base64` command on Mac OSX will encode a file without line breaks by default but if using the command on Linux you need to include use the `-w` option to prevent wrapping lines at 80 characters. i.e. `base64 -w 0 -i {certificate-path}`. +> *Note:* The `base64` command on Mac OSX will encode a file without line breaks by default but if using the command on Linux you need to include use the `-w` option to prevent wrapping lines at 80 characters. i.e. `base64 -w 0 -i {{certificate-path}}`. ``` ... @@ -426,7 +290,7 @@ References: - [OpenSSL ciphers documentation](https://www.openssl.org/docs/manmaster/man1/ciphers.html). - [Mozilla Security/Server Side TLS guidance](https://wiki.mozilla.org/Security/Server_Side_TLS). -*Note:* The value show is using space separated values to allow for readablity in the documentation; this is valid syntax however using the colon separator is the recommended form. +> *Note:* The value show is using space separated values to allow for readablity in the documentation; this is valid syntax however using the colon separator is the recommended form. ``` ... 
@@ -473,15 +337,15 @@ To set the timezone for the UK and account for British Summer Time you would use ##### PHP_OPTIONS_SESSION_NAME, PHP_OPTIONS_SESSION_SAVE_HANDLER & PHP_OPTIONS_SESSION_SAVE_PATH -Using `PHP_OPTIONS_SESSION_SAVE_HANDLER` and `PHP_OPTIONS_SESSION_SAVE_PATH` together it's possible to configure PHP to use an alternative `session.save_handler` and `session.save_path`. For example if you have a Memcached server running on the host `memcached-server` on the default port `11211` the following configuration will allow session data to be stored in Memcached, allowing session data to be shared between multiple PHP containers. +Using `PHP_OPTIONS_SESSION_SAVE_HANDLER` and `PHP_OPTIONS_SESSION_SAVE_PATH` together it's possible to configure PHP to use an alternative `session.save_handler` and `session.save_path`. For example if you have a Redis server running on the host `redis-server` on the default port `6379` the following configuration will allow session data to be stored in Redis, allowing session data to be shared between multiple PHP containers. Using `PHP_OPTIONS_SESSION_NAME` a session name can be defined - otherwise the default name "PHPSESSID" is used. ``` ... - --env "PHP_OPTIONS_SESSION_NAME=app-session" \ - --env "PHP_OPTIONS_SESSION_SAVE_HANDLER=memcached" \ - --env "PHP_OPTIONS_SESSION_SAVE_PATH=memcached-server:11211" \ + --env "PHP_OPTIONS_SESSION_NAME=APPSESSID" \ + --env "PHP_OPTIONS_SESSION_SAVE_HANDLER=redis" \ + --env "PHP_OPTIONS_SESSION_SAVE_PATH=redis-server:6379" \ ... ``` diff --git a/command-keys.md b/command-keys.md deleted file mode 100644 index 098f7fa..0000000 --- a/command-keys.md +++ /dev/null 
@@ -1,67 +0,0 @@ -# Command Keys - -Using command keys to access containers (without sshd). - -Access docker containers using docker host SSH public key authentication and nsenter command to start up a bash terminal inside a container. In the following example the container name is "apache-php.app-1.1.1" - -## Create a unique public/private key pair for each container - -``` -$ cd ~/.ssh/ && ssh-keygen -q -t rsa -f id-rsa.apache-php.app-1.1.1 -``` - -## Prefix the public key with the nsenter command - -``` -$ sed -i '' \ - '1s#^#command="sudo nsenter -m -u -i -n -p -t $(docker inspect --format \\\"{{ .State.Pid }}\\\" apache-php.app-1.1.1) /bin/bash" #' \ - ~/.ssh/id-rsa.apache-php.app-1.1.1.pub -``` - -## Upload the public key to the docker host VM - -The host in this example is core-01.local that has SSH public key authentication enabled using the Vagrant insecure private key. - -### Generic Linux Host Example - -``` -$ cat ~/.ssh/id-rsa.apache-php.app-1.1.1.pub | ssh -i ~/.vagrant.d/insecure_private_key \ - core@core-01.local \ - "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" -``` - -### CoreOS Host Example - -``` -$ cat ~/.ssh/id-rsa.apache-php.app-1.1.1.pub | ssh -i ~/.vagrant.d/insecure_private_key \ - core@core-01.local \ - update-ssh-keys -a core@apache-php.app-1.1.1 -``` - -### Usage - -``` -$ ssh -i ~/.ssh/id-rsa.apache-php.app-1.1.1 \ - core@core-01.local \ - -o StrictHostKeyChecking=no -``` - -#### SSH Config - -To simplify the command required to access the running container we can add an entry to the SSH configuration file ```~/.ssh/config``` as follows: - -``` -Host core-01.apache-php.app-1.1.1 - HostName core-01.local - Port 22 - User core - StrictHostKeyChecking no - IdentitiesOnly yes - IdentityFile ~/.ssh/id-rsa.apache-php.app-1.1.1 -``` - -With the above entry in place we can now run the following to access the running container: - -``` -$ ssh core-01.apache-php.app-1.1.1 -```
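Review bot: The 2.2.0 list in the CHANGELOG.md hunk has no entry for the deletion of command-keys.md, even though the diffstat records `delete mode 100644 command-keys.md`. It also has no entry for the removal of the SCMI, systemd, fleet and Atomic Host install sections from README.md. "Updates README.md to simplify contents" undersells a change that drops documented install paths, so a separate "Removes" line for each would let users who relied on them find out from the changelog. The entry "for consistency + include PHP redis module" also reads like two entries merged with a stray `+`. Reword it as one sentence.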
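Review bot: In the first README.md hunk (`@@ -1,44 +1,22 @@`), the removed sentence stating that SSH access, when enabled, requires the Vagrant insecure private key by default has no replacement. The new Overview only says the image inherits the base image's features "with `sshd` disabled by default". An operator who turns sshd on from this README alone is no longer told that the default credential is a publicly known key, so keep a one-line note or link to the base image's SSH documentation at that point. Two smaller items in the same hunk: the CentOS-7 entry under "Image variants" says "PHP-CLI 5.4 (FastCGI)", while the Dockerfile label and the CentOS-6 entry say PHP-CGI, which looks like a typo; and "inherits it's features" should be "its".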
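Review bot: In the README.md hunk `@@ -50,180 +28,68 @@`, the new "Running" paragraph carries over the typo "To run the a docker container". It also repeats "For production use, it is recommended to select a specific release tag as shown in the examples", which this patch already adds as a blockquote under "Quick start". Fix the typo and keep the recommendation in one place. For the added `docker ps -a -f "name=apache-php.1"` check, note that Docker's name filter matches on part of a name, so on a host with several instances it can list more than the one container the text calls "the named container". A sentence saying so would avoid a misread health check.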
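Review bot: In the README.md hunk `@@ -231,26 +97,13 @@`, the new heading lists `ENABLE_PHP_FPM_WRAPPER`, but the paragraph under it only covers the `httpd-bootstrap` and `httpd-wrapper` scripts. Nothing else in this diff describes a PHP-FPM wrapper for this PHP-CGI (FastCGI) image. Either document what that variable does here or drop it from the heading. The hunk also renames `APACHE_AUTOSTART_HTTPD_BOOTSTRAP` and `APACHE_AUTOSTART_HTTPD_WRAPPER` to `ENABLE_*` in the documentation only, while every example still pins the `2.1.0` tag and the CHANGELOG hunk records no rename. Please confirm the new names are the ones honoured by the tag the examples use, and add a changelog entry if the variables changed.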
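Review bot: In the README.md hunk `@@ -344,15 +196,14 @@`, the SSL example drops `--volume apache-php.1.data-tls:/etc/pki/tls` while still running `docker stop apache-php.1 && docker rm apache-php.1` before `docker run`. Anything the container holds under `/etc/pki/tls` is therefore discarded each time the example is repeated. If that is intended, say so next to the example. If the certificate and key are meant to survive a container replacement, keep the named volume or point to the `APACHE_SSL_CERTIFICATE` section as the way to supply a stable certificate.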
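Review bot: In the README.md hunk `@@ -400,7 +264,7 @@`, the note converted to a blockquote still reads "you need to include use the `-w` option", so fix the wording while the line is being touched. The Linux example `base64 -w 0 -i {{certificate-path}}` is also worth a second look: in GNU coreutils `-i` is `--ignore-garbage` rather than an input-file flag, so the command works only because the path is taken as the positional argument. Showing `base64 -w 0 {{certificate-path}}` for Linux would be clearer.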
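Review bot: In the README.md hunk `@@ -426,7 +290,7 @@`, the re-quoted note keeps two typos, "The value show is" and "readablity". Correct them to "shown" and "readability" in the same change, since the line is already being rewritten.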
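Review bot: In the README.md hunk `@@ -473,15 +337,15 @@`, the new example sets `PHP_OPTIONS_SESSION_SAVE_PATH=redis-server:6379` with no scheme, whereas the phpredis session handler documents its `session.save_path` in the form `tcp://host:port`. Please confirm the value works as written with the PHP redis 2.2 module named in the image label, or change the example to the `tcp://` form. The example also shows no authentication or network restriction for the Redis host that will hold session data shared between containers. A sentence stating that `redis-server` is expected to be reachable only on a private container network would help. Since the image still ships PHP memcached, consider keeping the memcached values as a second example rather than replacing them.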