Merge branch 'master' of gitlab.brainfood.com:brainfood/docker-image-recipes

+The MIT License (MIT)
+
+Copyright (c) 2017 brainfood.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

+This repository contains a series of simple docker image recipes.  These are
+meant to be referenced via docker-compose, and built for each project
+separately.  No sharing of images.  This provides sanity for each project, as
+you don't have to worry about an image changing underneath you.  It also means
+that you can be certain you can rebuild on your own whenever the situation
+calls for it.
+
+Here are the best practices in these files:
+
+* Generally, any image listed here should run without any external
+  dependencies.  No includes from other images, etc.  This makes it easier to
+  understand and extend.
+
+* Each Dockerfile is designed to have minimal layers.  This makes rebuilds
+  faster, as there are less docker-runs.  It also makes many things easier to
+  accomplish, as there is a real shell script that can do sophisticated
+  things.
+
+* Images also tend to make use of standard, unmodified debian packages.  Let
+  someone else do the hard-work of system integration, while these recipes
+  then just do slight tweaks.
+
+* Any files that need to be shared between a host and a container should make
+  use of UID/GID being sent in from the host.  The daemon in the container
+  should run as the UID/GID, and it's files changed to have that ownership.
+
+  During entrypoint, the target container user is then modified to have the
+  correct uid/gid setting.  If there is no target user, then one should be
+  added during the image build, generally calling it hostuser/hostgroup.
+
+* Daemons that have complex binary file setups should have those files created
+  during image build, then the entire structure placed in a tarball.  The
+  entrypoint can then extract this seed tarball, but only if the target
+  directory is empty.  This allows for the volume mounting of these
+  directories from the host.  Make certain the uid/gid mapping is sane when
+  this occurs.

@@ -4,12 +4,12 @@ set -ex
 
 
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 
 
-if [[ $GID ]]; then
+if [[ $GID && $GID -ne 0 ]]; then
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	groupmod -g $GID hostgroup
 	groupmod -g $GID hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 fi
 fi
-if [[ $UID ]]; then
+if [[ $UID && $UID -ne 0 ]]; then
 	usermod -u $UID hostuser
 	usermod -u $UID hostuser
 fi
 fi
 
 

+FROM debian:stretch-slim
+
+ARG JAVA_EXTRA_PACKAGES
+
+COPY files/ /tmp/files/
+RUN /tmp/files/configure
+
+ENTRYPOINT ["/sbin/entrypoint"]

+#!/bin/sh
+
+set -e
+apt-get update
+mkdir -p /usr/share/man/man1
+apt-get install -y ssmtp sudo openjdk-8-jdk $JAVA_EXTRA_PACKAGES
+
+cp /tmp/files/entrypoint /sbin/entrypoint
+
+addgroup hostgroup
+adduser --gecos 'Host User' --ingroup hostgroup --disabled-password hostuser
+
+rm -rf /tmp/files

+#!/bin/bash
+
+set -ex
+
+TARGET_USER=hostuser
+TARGET_GROUP=hostgroup
+
+target_home="$(getent passwd "$TARGET_USER" | cut -f 6 -d :)"
+
+if [[ $GID && $GID -ne 0 ]]; then
+	groupmod -g $GID "$TARGET_GROUP"
+fi
+if [[ $UID && $UID -ne 0 ]]; then
+	usermod -u $UID "$TARGET_USER"
+fi
+
+find "$target_home" \
+	'(' -not -user "$TARGET_USER" -a -not -group "$TARGET_GROUP" -exec chown "$TARGET_USER:$TARGET_GROUP" '{}' + ')' -o \
+	'(' -not -user "$TARGET_USER" -exec chown "$TARGET_USER" '{}' + ')' -o \
+	'(' -not -group "$TARGET_GROUP" -exec chgrp "$TARGET_GROUP" '{}' + ')' -o \
+	-true
+
+if [[ $http_proxy =~ ^([^:]+)://([^/:]*)(:([0-9]+?))?(/.*)?$ ]]; then
+	http_proxy_protocol="${BASH_REMATCH[1]}"
+	http_proxy_domain="${BASH_REMATCH[2]}"
+	http_proxy_port="${BASH_REMATCH[4]}"
+fi
+
+if [[ $http_proxy ]]; then
+	mkdir -p "$target_home/.m2"
+	cat > "$target_home/.m2/settings.xml" << _EOF_
+<settings>
+  <proxies>
+   <proxy>
+      <id>app-build-proxy</id>
+      <active>true</active>
+      <protocol>${http_proxy_protocol}</protocol>
+      <host>${http_proxy_domain}</host>
+      <port>${http_proxy_port}</port>
+    </proxy>
+  </proxies>
+</settings>
+_EOF_
+fi
+
+exec "$@"

+FROM debian:stretch-slim
+
+COPY files/ /tmp/files/
+RUN /tmp/files/configure
+
+ENTRYPOINT ["/sbin/entrypoint"]
+VOLUME "/data"
+CMD ["sudo", "-u", "mongodb", "/usr/bin/mongod", "--nounixsocket", "--dbpath", "/var/lib/mongodb"]

+#!/bin/sh
+
+set -e
+apt-get update
+apt-get install -y sudo ssmtp mongodb-server
+
+cp /tmp/files/entrypoint /sbin/entrypoint
+
+rm -rf /tmp/files

+#!/bin/bash
+
+set -ex
+
+TARGET_USER=mongodb
+TARGET_GROUP=mongodb
+
+target_home="$(getent passwd "$TARGET_USER" | cut -f 6 -d :)"
+
+if [[ $GID && $GID -ne 0 ]]; then
+	groupmod -g $GID "$TARGET_GROUP"
+fi
+if [[ $UID && $UID -ne 0 ]]; then
+	usermod -u $UID "$TARGET_USER"
+fi
+
+find "$target_home" \
+	'(' -not -user "$TARGET_USER" -a -not -group "$TARGET_GROUP" -exec chown "$TARGET_USER:$TARGET_GROUP" '{}' + ')' -o \
+	'(' -not -user "$TARGET_USER" -exec chown "$TARGET_USER" '{}' + ')' -o \
+	'(' -not -group "$TARGET_GROUP" -exec chgrp "$TARGET_GROUP" '{}' + ')' -o \
+	-true
+
+exec "$@"

+FROM debian:stretch-slim
+
+COPY files/ /tmp/files/
+RUN /tmp/files/configure
+
+ENTRYPOINT ["/sbin/entrypoint"]
+CMD ["/usr/bin/mysqld_safe"]

+#!/bin/sh
+
+set -e
+apt-get update
+apt-get install -y ssmtp mysql-server
+
+mkdir /var/lib/container
+tar -cC /var/lib/mysql/ . | gzip -9v > /var/lib/container/var_lib_mysql.tar.gz
+rm -rf /var/lib/mysql
+mkdir /var/lib/mysql
+
+cp -a /tmp/files/entrypoint /sbin
+
+rm -rf /tmp/files

+#!/bin/bash
+
+set -ex
+
+_mysql() {
+	mysqld_safe "$@"
+}
+
+if [[ $GID && $GID -ne 0 ]]; then
+	old_gid=$(getent group mysql | cut -f 3 -d :)
+	groupmod -g $GID mysql
+fi
+
+if [[ $UID && $UID -ne 0 ]]; then
+	usermod -u $UID mysql
+fi
+
+if [[ $(find /var/lib/mysql -maxdepth 1 -mindepth 1|wc -l) = 0 ]]; then
+	mkdir -p /var/lib/mysql
+	zcat /var/lib/container/var_lib_mysql.tar.gz | tar -C /var/lib/mysql -xf -
+fi
+
+declare -i i=0
+mysqld_safe --skip-networking &
+while eval [[ \$DB_INFO_$i ]]; do
+	IFS=: eval declare -a DB_INFO=\(\$DB_INFO_$i\)
+	echo "database=${DB_INFO[0]} user=${DB_INFO[1]} password=${DB_INFO[2]}" 1>&2
+	mysql --defaults-extra-file=/etc/mysql/debian.cnf -e "CREATE DATABASE IF NOT EXISTS \`${DB_INFO[0]}\` DEFAULT CHARACTER SET \`utf8mb4\` COLLATE \`utf8mb4_ci\`;"
+	mysql --defaults-extra-file=/etc/mysql/debian.cnf -e "GRANT ALL PRIVILEGES ON \`${DB_INFO[0]}\`.* TO '${DB_INFO[1]}' IDENTIFIED BY '${DB_INFO[2]}';"
+	i=$(($i + 1))
+done
+mysql --defaults-extra-file=/etc/mysql/debian.cnf -e "shutdown;"
+wait
+
+exec "$@"

-FROM debian:stretch
+FROM debian:stretch-slim
 
 
 ARG NGINX_EXTRA_PACKAGES
 ARG NGINX_EXTRA_PACKAGES
 
 
 COPY files/ /tmp/files/
 COPY files/ /tmp/files/
 RUN /tmp/files/configure
 RUN /tmp/files/configure
 
 
-ENTRYPOINT ["/sbin/entrypoint.sh"]
+ENTRYPOINT ["/sbin/entrypoint"]
 CMD ["nginx", "-g", "daemon off;"]
 CMD ["nginx", "-g", "daemon off;"]

@@ -4,6 +4,6 @@ set -e
 apt-get update
 apt-get update
 apt-get install -y ssmtp nginx libnginx-mod-http-subs-filter $NGINX_EXTRA_PACKAGES
 apt-get install -y ssmtp nginx libnginx-mod-http-subs-filter $NGINX_EXTRA_PACKAGES
 rm /etc/nginx/sites-enabled/default
 rm /etc/nginx/sites-enabled/default
-cp -a /tmp/files/entrypoint.sh /sbin
+cp -a /tmp/files/entrypoint /sbin
 
 
 rm -rf /tmp/files
 rm -rf /tmp/files

-FROM node
+FROM debian:stretch-slim
 
 
 ARG NODE_EXTRA_PACKAGES
 ARG NODE_EXTRA_PACKAGES
 
 
 COPY files/ /tmp/files/
 COPY files/ /tmp/files/
 RUN /tmp/files/configure
 RUN /tmp/files/configure
 
 
-#ADD https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar /usr/local/bin/wp
-#RUN ["chmod", "755", "/usr/local/bin/wp"]
-
-ENTRYPOINT ["/root/entrypoint"]
-#CMD ["/usr/sbin/php5-fpm", "--nodaemonize", "--force-stderr", "--fpm-config", "/etc/php5/fpm/php-fpm.conf"]
+ENTRYPOINT ["/sbin/entrypoint"]

-; Per pool prefix
-; It only applies on the following directives:
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-prefix = /srv/$pool
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses on a
-;                            specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = 9000
-
-; Set listen(2) backlog.
-; Default Value: 128 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 128
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0666
-;listen.owner = www-data
-;listen.group = www-data
-;listen.mode = 0666
-
-; List of ipv4 addresses of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = ondemand
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 10
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 1
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: ${prefix}/share/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;pm.status_path = /status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: ouput header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-; chroot = $prefix
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-; chdir = /
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-;catch_workers_output = yes
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/php5-fpm/error.log
-php_admin_value[error_log] = /dev/stderr
-php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M

@@ -2,9 +2,20 @@
 
 
 set -e
 set -e
 apt-get update
 apt-get update
-apt-get install -y ssmtp sudo $NODE_EXTRA_PACKAGES
-#npm install -g gulp grunt
+apt-get install -y apt-transport-https gnupg
+cp /tmp/files/nodesource.list /etc/apt/sources.list.d
+cp /tmp/files/nodesource.gpg.key /etc/apt/trusted.gpg.d/nodesource.asc
+apt-get update
+
+apt-get install -y ssmtp sudo nodejs npm $NODE_EXTRA_PACKAGES
+
+if ! [ "z$NPM_GLOBAL_INSTALL" = "z" ]; then
+	npm install -g $NPM_GLOBAL_INSTALL
+fi
+
+addgroup node
+adduser --gecos 'node' --ingroup node --disabled-password node
 
 
-cp /tmp/files/entrypoint /root/entrypoint
+cp /tmp/files/entrypoint /sbin/entrypoint
 
 
 rm -rf /tmp/files
 rm -rf /tmp/files

@@ -4,14 +4,24 @@ set -ex
 
 
 node_home="$(getent passwd node | cut -f 6 -d :)"
 node_home="$(getent passwd node | cut -f 6 -d :)"
 
 
-if [[ $GID ]]; then
-	old_gid=$(getent group node | cut -f 3 -d :)
+if [[ $GID && $GID -ne 0 ]]; then
 	groupmod -g $GID node
 	groupmod -g $GID node
-	find "$node_home" -gid $old_gid -print0 | xargs -0r chgrp node
 fi
 fi
-if [[ $UID ]]; then
+if [[ $UID && $UID -ne 0 ]]; then
 	usermod -u $UID node
 	usermod -u $UID node
 fi
 fi
+
+find "$node_home" \
+	'(' -not -user node -a -not -group node -exec chown node:node '{}' + ')' -o \
+	'(' -not -user node -exec chown node '{}' + ')' -o \
+	'(' -not -group node -exec chgrp node '{}' + ')' -o \
+	-true
+
+npm -g config set http_proxy "$http_proxy"
+npm -g config set https_proxy "$http_proxy"
+sudo -u node npm config set http_proxy "$http_proxy"
+sudo -u node npm config set https_proxy "$http_proxy"
+
 if [[ -e package.json ]]; then
 if [[ -e package.json ]]; then
 	sudo -u node npm install
 	sudo -u node npm install
 fi
 fi

+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+Comment: GPGTools - https://gpgtools.org
+
+mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+
+W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs
+fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy
+qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7
+89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD
+Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7
+C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/
+G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc
+Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft
+qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm
+EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB
+tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2
+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy
+jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ
+kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1
+GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm
+XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU
+VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka
+1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI
+IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc
+pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn
+xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y
+gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI
+AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ
+fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ
+Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh
+41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea
+JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD
+xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi
+vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/
+aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o
+QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK
+yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3
+QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek
+fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK
+CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec
+0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1
+PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh
+qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15
+ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac
+hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb
+DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4
+xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu
+G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd
+sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy
+/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g==
+=CLGF
+-----END PGP PUBLIC KEY BLOCK-----

+deb https://deb.nodesource.com/node_8.x stretch main

-FROM debian:stretch
+FROM debian:stretch-slim
 
 
 ARG PHPFPM_EXTRA_PACKAGES
 ARG PHPFPM_EXTRA_PACKAGES
 
 
@@ -8,5 +8,5 @@ RUN /tmp/files/configure
 ADD https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar /usr/local/bin/wp
 ADD https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar /usr/local/bin/wp
 RUN ["chmod", "755", "/usr/local/bin/wp"]
 RUN ["chmod", "755", "/usr/local/bin/wp"]
 
 
-ENTRYPOINT ["/root/entrypoint"]
+ENTRYPOINT ["/sbin/entrypoint"]
 CMD ["/usr/sbin/php-fpm7.0", "--nodaemonize", "--force-stderr", "--fpm-config", "/etc/php/7.0/fpm/php-fpm.conf"]
 CMD ["/usr/sbin/php-fpm7.0", "--nodaemonize", "--force-stderr", "--fpm-config", "/etc/php/7.0/fpm/php-fpm.conf"]

@@ -7,7 +7,7 @@ apt-get install -y sudo ssmtp php7.0-fpm php7.0-mysql php7.0-curl php7.0-imagick
 rm /etc/php/7.0/fpm/pool.d/www.conf
 rm /etc/php/7.0/fpm/pool.d/www.conf
 cp -a /tmp/files/app-defaults.conf /etc/php/7.0/fpm
 cp -a /tmp/files/app-defaults.conf /etc/php/7.0/fpm
 
 
-cp /tmp/files/entrypoint /root/entrypoint
+cp /tmp/files/entrypoint /sbin/entrypoint
 
 
 addgroup hostgroup
 addgroup hostgroup
 adduser --gecos 'Host User' --ingroup hostgroup --disabled-password hostuser
 adduser --gecos 'Host User' --ingroup hostgroup --disabled-password hostuser

@@ -4,12 +4,12 @@ set -ex
 
 
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 
 
-if [[ $GID ]]; then
+if [[ $GID && $GID -ne 0 ]]; then
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	groupmod -g $GID hostgroup
 	groupmod -g $GID hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 fi
 fi
-if [[ $UID ]]; then
+if [[ $UID && $GID -ne 0 ]]; then
 	usermod -u $UID hostuser
 	usermod -u $UID hostuser
 fi
 fi
 mkdir -p /run/php
 mkdir -p /run/php

@@ -4,12 +4,12 @@ set -ex
 
 
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 
 
-if [[ $GID ]]; then
+if [[ $GID && $GID -ne 0 ]]; then
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	groupmod -g $GID hostgroup
 	groupmod -g $GID hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 fi
 fi
-if [[ $UID ]]; then
+if [[ $UID && $UID -ne 0 ]]; then
 	usermod -u $UID hostuser
 	usermod -u $UID hostuser
 fi
 fi
 
 

+FROM debian:stretch-slim
+
+ARG POSTGRESQL_EXTRA_PACKAGES
+
+COPY files/ /tmp/files
+RUN /tmp/files/configure
+
+ENTRYPOINT ["/sbin/entrypoint"]
+CMD ["pg_ctlcluster", "9.6", "main", "start", "--foreground"]

+#!/bin/sh
+
+set -e
+
+mkdir /usr/share/man/man1 /usr/share/man/man7
+cp /tmp/files/no-suggests-recommends.conf /etc/apt/apt.conf.d/no-suggests-recommends
+apt-get update
+apt-get install -y postgresql-9.6 \
+	$POSTGRESQL_EXTRA_PACKAGES \
+	&& true
+
+rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
+
+mkdir /var/lib/container
+tar -cC /var/lib/postgresql/ . | gzip -9v > /var/lib/container/var_lib_postgresql.tar.gz
+rm -rf /var/lib/postgresql
+mkdir /var/lib/postgresql
+
+cp -a /tmp/files/entrypoint /sbin
+
+rm -rf /tmp/files

+#!/bin/bash
+
+set -ex
+
+if [[ $(find /var/lib/postgresql -maxdepth 1 -mindepth 1|wc -l) = 0 ]]; then
+	zcat /var/lib/container/var_lib_postgresql.tar.gz | tar xf - -C /var/lib/postgresql
+fi
+
+postgres_home="$(getent passwd postgres | cut -f 6 -d :)"
+
+if [[ $GID && $GID -ne 0 ]]; then
+	old_gid=$(getent group postgres | cut -f 3 -d :)
+	groupmod -g $GID postgres
+	find "$postgres_home" /etc/postgresql /var/run/postgresql -gid $old_gid -print0 | xargs -0r chgrp postgres
+fi
+
+if [[ $UID && $UID -ne 0 ]]; then
+	old_uid=$(getent passwd postgres | cut -f 3 -d :)
+	usermod -u $UID postgres
+	find /etc/postgresql /var/run/postgresql -uid $old_uid -print0 | xargs -0r chown postgres
+fi
+
+exec "$@"

+APT::Install-Suggests false;
+APT::Install-Recommends false;

+FROM debian:stretch-slim
+
+COPY files/ /tmp/files/
+RUN /tmp/files/configure
+
+ENTRYPOINT ["/sbin/entrypoint"]
+VOLUME "/data"
+CMD ["sudo", "-u", "redis", "redis-server", "/etc/redis/redis.conf"],

+#!/bin/sh
+
+set -e
+apt-get update
+apt-get install -y sudo ssmtp redis-server
+
+cp /tmp/files/entrypoint /sbin/entrypoint
+
+rm -rf /tmp/files

+#!/bin/bash
+
+set -ex
+
+TARGET_GROUP=redis
+TARGET_USER=redis
+
+target_home="$(getent passwd "$TARGET_USER" | cut -f 6 -d :)"
+
+if [[ $GID && $GID -ne 0 ]]; then
+	groupmod -g $GID "$TARGET_GROUP"
+fi
+if [[ $UID && $UID -ne 0 ]]; then
+	usermod -u $UID "$TARGET_USER"
+fi
+
+find "$target_home" \
+	'(' -not -user "$TARGET_USER" -a -not -group "$TARGET_GROUP" -exec chown "$TARGET_USER:$TARGET_GROUP" '{}' + ')' -o \
+	'(' -not -user "$TARGET_USER" -exec chown "$TARGET_USER" '{}' + ')' -o \
+	'(' -not -group "$TARGET_GROUP" -exec chgrp "$TARGET_GROUP" '{}' + ')' -o \
+	-true
+
+exec "$@"

@@ -4,12 +4,12 @@ set -ex
 
 
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 hostuser_home="$(getent passwd hostuser | cut -f 6 -d :)"
 
 
-if [[ $GID ]]; then
+if [[ $GID && $GID -ne 0 ]]; then
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	old_gid=$(getent group hostgroup | cut -f 3 -d :)
 	groupmod -g $GID hostgroup
 	groupmod -g $GID hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 	find "$hostuser_home" -gid $old_gid -print0 | xargs -0r chgrp hostgroup
 fi
 fi
-if [[ $UID ]]; then
+if [[ $UID && $UID -ne 0 ]]; then
 	usermod -u $UID hostuser
 	usermod -u $UID hostuser
 fi
 fi