Release 2 (v2) #5

Closed
rija opened this issue Jul 28, 2016 · 1 comment

rija commented Jul 28, 2016

I'm currently preparing release 2 for this project.

Release content (headlines):

  • Upgraded PHP to PHP 7.0 for much improved performance
  • Upgraded base OS to Ubuntu 16.04 LTS
  • Deployed Nginx from the stable line, compiled with ngx_cache_purge, currently 1.10.1
  • HTTP/2 and SSL enabled by default
  • Use of Ubuntu packages for Supervisord and LetsEncrypt
  • Enabled automated security updates using the Ubuntu unattended-upgrades package
  • Minimised the number of processes running as root inside the container
  • LetsEncrypt certificate for nginx is automatically renewed
  • The Wordpress container communicates with its host's Docker API to find the database container's address
  • Made better usage of Supervisord, for consolidating process logs, and as the ID 1 process
  • docker compose YAML file to easily deploy the full stack

Status:

I need to finish the last point regarding Supervisord as ID 1 process, use the Docker image on a staging site for testing and then tag a new release.

@rija rija self-assigned this Jul 28, 2016
rija pushed a commit that referenced this issue May 22, 2017
Moved the nginx logging initialisation from bootstrap_container to Dockerfile to
avoid a race condition with processes also spawned by Supervisord and needing access to those logs.
Created ENV variables for software versions as much as possible and placed them near the top of the Dockerfile to
make upgrading to a more recent version easier.
Removed php extensions that are not strictly necessary for Wordpress to run or that don't serve my use-case.
Removed the apt package pwgen as wordpress secret key salts are now generated with the Wordpress.org API.
Further hardened the Wordpress install by disallowing file modifications
(editing from the dashboard, and theme, plugin and core updates),
as updates can be performed with WP-CLI.
This has led to introducing a new Dockerfile contrib file for a sample wp-config.php.
Further optimised layers by aggregating RUN instructions whenever it makes sense.
Better inline documentation of the Dockerfile instructions.
Added the logrotate apt package for automated log rotation.
Removed (commented out) some nginx compile options that are not useful to my use-case.
Better organisation of the Dockerfile.
Replaced default Wordpress password management with a
bcrypt based alternative (wp-password-bcrypt) that uses PHP 5.5+'s password_hash and password_verify.

Changes bring resolution of #5 closer.
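The two hardening changes in that commit message, as an added PHP example (this is not the project's contrib wp-config.php nor the wp-password-bcrypt plugin's code): the wp-config constants that disable file modification from the dashboard, and a bcrypt hash/verify round trip with the same PHP built-ins. The function names, the BCRYPT_COST value and the placeholder salt are assumptions.

```php
<?php
// Added example (not the project's own contrib/wp-config.php): the two
// hardening measures named in the commit message, expressed as code.
// Assumes PHP 7.1 as in the image; DISALLOW_* and AUTH_KEY are real WordPress
// settings, the function names below are this example's own.

// 1. Disallow file modification from within WordPress: no theme/plugin editor,
//    no plugin/theme installs or updates, no core updates from the dashboard.
//    Updates then become a deliberate, auditable step run with WP-CLI.
define('DISALLOW_FILE_EDIT', true);   // implied by DISALLOW_FILE_MODS, kept explicit
define('DISALLOW_FILE_MODS', true);
// Secret key salts: paste the output of https://api.wordpress.org/secret-key/1.1/salt/
// here at build time instead of generating them with pwgen (placeholder value).
define('AUTH_KEY', 'REPLACE-WITH-VALUE-FROM-WORDPRESS-API');

// 2. bcrypt password storage with PHP's native password_hash()/password_verify(),
//    the built-ins wp-password-bcrypt is based on. A plugin wires functions like
//    these into WordPress's pluggable wp_hash_password()/wp_check_password().
const BCRYPT_COST = 10; // PHP's default work factor (assumed); raise as hardware allows

function hash_user_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verify_user_password(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Stock WordPress (phpass) hashes start with "$P$"; bcrypt ones with "$2y$".
// Returning true here tells the login path to rehash on a successful login,
// so existing accounts migrate to bcrypt without a forced password reset.
function needs_bcrypt_rehash(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Self-check: hash, verify, reject a wrong password, flag a constructed legacy hash.
$hash = hash_user_password('correct horse battery staple');
if (strncmp($hash, '$2y$', 4) !== 0)                              { throw new RuntimeException('not a bcrypt hash'); }
if (!verify_user_password('correct horse battery staple', $hash))  { throw new RuntimeException('verify failed'); }
if (verify_user_password('wrong password', $hash))                 { throw new RuntimeException('accepted wrong password'); }
if (!needs_bcrypt_rehash('$P$BConstructedLegacyPhpassHashValue'))  { throw new RuntimeException('legacy hash not flagged'); }
echo "bcrypt round trip OK\n";
```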
@rija rija closed this as completed in d837ddf Aug 14, 2017
@rija rija reopened this Aug 14, 2017
@rija rija closed this as completed in 134f841 Aug 14, 2017

rija commented Aug 14, 2017

Final changelog:

  • Supervisord 3.0 is PID 1 and properly manages all the processes in the container
  • Uses PHP 7.1
  • TLS encryption with Let's Encrypt and automated certificate renewal, configured using Mozilla intermediary profile for server side TLS
  • Use Nginx 1.13.0 with real_ip, HTTP/2 and TLSv1.3 configured
  • FastCGI page caching and cache purge compiled in Nginx
  • docker-compose is now the preferred way to use this Dockerfile, directly or through Ansible
  • The deployment now relies on git for installing vanilla Wordpress or a Wordpress based web site
  • Security has been improved on many layers:
    • Setup of Fail2ban for black-listing IP addresses of attackers
    • Tightening of file permissions and configuration of server processes and bootstrapping scripts
    • Security headers in Nginx responses
    • Pre-installed WP Plugins for using Fail2Ban, reducing XML-RPC attack surface, and enabling Content Security Policy
    • PGP signature verification of downloaded package through APT or CURL
  • The Docker image size has been significantly reduced (from 599MB/46layers to 186.1MB/25layers)
  • uses WP-CLI for managing Wordpress
