glpi upgrade

.dockerignore

@@ -1,6 +0,0 @@
-db/
-glpi/
-docker-compose.yaml
-.drone.yaml
-.env
-.gitignore

.drone.star

@@ -1,126 +0,0 @@
-def main(ctx):
-    archs = ["amd64", "arm64"]   ## arm
-    glpi_version = "10.0.10"
-
-    out = []
-    for arch in archs:
-        out += onpush(ctx, glpi_version, arch)
-
-    for arch in archs:
-        out += build_publish(ctx, glpi_version, arch)
-
-    out += manifest_publish(ctx, glpi_version, archs)
-
-    return out
-
-def onpush(ctx, glpi_version, arch):
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "build-onpush-%s-%s" % (glpi_version, arch),
-        "platform": {
-            "arch": arch,
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "build_on_push",
-            "image": "plugins/docker:linux-%s" % (arch),
-            "settings": {
-                "context": ".",
-                "dockerfile": "./Dockerfile",
-                "dry_run": True,
-                "repo": "docker.asperti.com/paspo/glpi", 
-                "build_args": [
-                    "GLPI_VERSION=%s" % (glpi_version)
-                ],
-            },
-        }],
-        "trigger": {
-            "event": ['push'],
-        }
-    }]
-
-def build_publish(ctx, glpi_version, arch):
-    major = glpi_version.partition(".")[0];	
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "build-publish-%s-%s" % (glpi_version, arch),
-        "platform": {
-            "arch": arch,
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "build_on_push",
-            "image": "plugins/docker:linux-%s" % (arch),
-            "settings": {
-                "context": ".",
-                "dockerfile": "./Dockerfile",
-                "build_args": [
-                    "GLPI_VERSION=%s" % (glpi_version)
-                ],
-                "username": {
-                    "from_secret": "docker_username",
-                },
-                "password": {
-                    "from_secret": "docker_password",
-                },
-                "registry": "docker.asperti.com",
-                "repo": "docker.asperti.com/paspo/glpi",    
-                "tags": [ 
-                    "latest-%s" % (arch), 
-                    "%s-%s" % (major, arch), 
-                    "%s-%s" % (glpi_version, arch)
-                ],
-                "auto_tag": False,
-                "force_tag": True,
-                "daemon_off": False,            
-            },
-        }],
-        "trigger": {
-            "ref": [
-                "refs/heads/master",
-                "refs/tags/**",
-            ],
-        },
-    }]
-
-def manifest_publish(ctx, glpi_version, archs):
-    major = glpi_version.partition(".")[0];	
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "manifest-%s" % (glpi_version),
-        "platform": {
-            "arch": archs[0],
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "manifest",
-            "image": "plugins/manifest",
-            "settings": {
-                "spec": "manifest.tmpl",
-                "username": {
-                    "from_secret": "docker_username",
-                },
-                "password": {
-                    "from_secret": "docker_password",
-                }, 
-                "tags": [ 
-                    "latest", 
-                    major, 
-                    glpi_version
-                ],
-                "ignore_missing": True,
-                "force_tag": True,
-            },
-        }],
-        "trigger": {
-            "ref": [
-                "refs/heads/master",
-                "refs/tags/**",
-            ],
-        },
-        "depends_on": ["build-publish-%s-%s" % (glpi_version, arch) for arch in archs]
-    }]
-

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,98 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/glpi
+
+on:
+  push:
+    tags:
+      - '*'
+  schedule:
+    - cron: "0 12 3 * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          cd src && \
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10-${{ matrix.arch }} \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10.0.20-${{ matrix.arch }} \
+            --build-arg "GLPI_VERSION=10.0.20" \
+            --build-arg "ALPINE_VERSION=3.21" \
+            --platform linux/${{ matrix.arch }} -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10-${{ matrix.arch }}
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10.0.20-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+
+      - name: "10"
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10
+
+      - name: "10.0.20"
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10.0.20 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10.0.20-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10.0.20-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:10.0.20

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,64 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/glpi
+
+on:
+  schedule:
+    - cron: "0 14 * * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`

README.md

@@ -7,8 +7,8 @@ Web server for GLPI deployment
 ## build
 
 ```bash
-git submodule update --init --remote
-docker build -t docker.asperti.com/paspo/glpi .
+cd src
+docker build -t docker.asperti.com/paspo/glpi --build-arg "ALPINE_VERSION=3.19" --build-arg "GLPI_VERSION=10.0.11" .
 ```
 
 ## run
@@ -18,5 +18,11 @@ see [docker-compose.yaml](docker-compose.yaml)
 ## test drone config
 
 ```sh
-drone starlark --format  --stdout 
+drone starlark --format --stdout 
+```
+
+## run vulnscan locally
+
+```bash
+act -W .gitea/workflows/vulnscan.yaml -j scan
 ```

docker-compose.yaml

@@ -10,9 +10,16 @@ services:
       - MARIADB_DATABASE=${MARIADB_DATABASE}
       - MARIADB_USER=${MARIADB_USER}
       - MARIADB_PASSWORD=${MARIADB_PASSWORD}
+      - MARIADB_AUTO_UPGRADE=1
+    logging:
+      options:
+        max-size: 10m
 
   redis:
-    image: redis:latest
+    image: redis:alpine
+    logging:
+      options:
+        max-size: 10m
 
   glpi:
     build: .
@@ -29,3 +36,6 @@ services:
       - ./glpi/files:/files
       - ./glpi/marketplace:/marketplace
       - ./glpi/plugins:/var/www/glpi/plugins
+    logging:
+      options:
+        max-size: 10m      

manifest.tmpl

@@ -1,25 +0,0 @@
-image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
-{{#if build.tags}}
-tags:
-{{#each build.tags}}
-  - {{this}}
-{{/each}}
-{{/if}}
-manifests:
-  -
-    image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  -
-    image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm64
-    platform:
-      variant: v8
-      architecture: arm64
-      os: linux
-  -
-    image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm
-    platform:
-      variant: v7
-      architecture: arm
-      os: linux

src/Dockerfile

@@ -1,18 +1,21 @@
-FROM alpine:3.18
+ARG ALPINE_VERSION
+FROM alpine:${ALPINE_VERSION}
 ARG GLPI_VERSION
 
 RUN \
   mkdir -p /logs /config /files /marketplace && \
   apk -U upgrade && \
-  apk add curl nginx php82 php82-bz2 php82-ctype php82-curl php82-dom php82-exif \
-    php82-fileinfo php82-fpm php82-gd php82-iconv php82-intl php82-ldap php82-mysqli \
-    php82-opcache php82-openssl php82-pecl-apcu php82-pecl-redis php82-phar php82-session \
-    php82-simplexml php82-sodium php82-tokenizer php82-xml php82-zip php82-xmlreader php82-xmlwriter && \
+  apk add --no-cache curl nginx php83 php83-bz2 php83-ctype php83-curl php83-dom php83-exif \
+    php83-fileinfo php83-fpm php83-gd php83-iconv php83-intl php83-ldap php83-mysqli \
+    php83-opcache php83-openssl php83-pecl-apcu php83-pecl-redis php83-phar php83-session \
+    php83-simplexml php83-sodium php83-tokenizer php83-xml php83-zip php83-xmlreader php83-xmlwriter && \
   wget -O /usr/local/bin/composer https://getcomposer.org/download/2.5.8/composer.phar && \
   chmod +x /usr/local/bin/composer && \
-  ln -s /usr/bin/php82 /usr/bin/php && \ 
   wget -O - https://github.com/glpi-project/glpi/releases/download/${GLPI_VERSION}/glpi-${GLPI_VERSION}.tgz | tar xz -C /var/www
 
+# GLPI 10.x will work only with PHP up to 8.3.
+# do not trust README.md from glpi github (it says it works with 8.4, but it dies if >=8.4.0)
+
 # this are needed if you want to manually install GLPI from git
 # RUN \
 #   apk add patch npm gettext

src/rootfs/etc/crontabs/nginx

@@ -0,0 +1,2 @@
+# min	hour	day	month	weekday	command
+*	*	*	*	*	/usr/bin/php /var/www/glpi/front/cron.php 

src/rootfs/etc/php83/conf.d/php.ini

@@ -1,6 +1,8 @@
 session.cookie_httponly = on
-memory_limit = 256M
+memory_limit = 512M
 file_uploads = on
 max_execution_time = 600
 session.auto_start = off
 session.use_trans_sid = 0
+expose_php = Off
+opcache.memory_consumption = 256

src/rootfs/start.sh

@@ -1,13 +1,16 @@
 #!/bin/sh
 
+INSTALL_OK=${INSTALL_OK:-0}
+
 chown -R nginx:www-data /logs /config /files /marketplace
 chmod -R a-x,a=rX,ug+w  /logs /config /files /marketplace
 
-if [ "$INSTALL_OK" = "1" ] ; then
+if [ "${INSTALL_OK}" = "1" ] ; then
   if [ -f /var/www/glpi/install/install.php ] ; then 
     rm /var/www/glpi/install/install.php
   fi
 fi
 
+/usr/sbin/crond -b
 /usr/sbin/php-fpm*
 /usr/sbin/nginx