performance tuning

.drone.star

@@ -0,0 +1,129 @@
+def main(ctx):
+    archs = ["amd64", "arm64"]   ## arm
+    glpi_version = "10.0.11"
+    alpine_version = "3.19"
+
+    out = []
+    for arch in archs:
+        out += onpush(ctx, glpi_version, alpine_version, arch)
+
+    for arch in archs:
+        out += build_publish(ctx, glpi_version, alpine_version, arch)
+
+    out += manifest_publish(ctx, glpi_version, archs)
+
+    return out
+
+def onpush(ctx, glpi_version, alpine_version, arch):
+    return [{
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "build-onpush-%s-%s" % (glpi_version, arch),
+        "platform": {
+            "arch": arch,
+            "os": "linux",
+        },
+        "steps": [{
+            "name": "build_on_push",
+            "image": "plugins/docker:linux-%s" % (arch),
+            "settings": {
+                "context": "src",
+                "dockerfile": "src/Dockerfile",
+                "dry_run": True,
+                "repo": "docker.asperti.com/paspo/glpi", 
+                "build_args": [
+                    "GLPI_VERSION=%s" % (glpi_version),
+                    "ALPINE_VERSION=%s" % (alpine_version)
+                ],
+            },
+        }],
+        "trigger": {
+            "event": ['push'],
+        }
+    }]
+
+def build_publish(ctx, glpi_version, alpine_version, arch):
+    major = glpi_version.partition(".")[0];	
+    return [{
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "build-publish-%s-%s" % (glpi_version, arch),
+        "platform": {
+            "arch": arch,
+            "os": "linux",
+        },
+        "steps": [{
+            "name": "build_on_push",
+            "image": "plugins/docker:linux-%s" % (arch),
+            "settings": {
+                "context": "src",
+                "dockerfile": "src/Dockerfile",
+                "build_args": [
+                    "GLPI_VERSION=%s" % (glpi_version),
+                    "ALPINE_VERSION=%s" % (alpine_version)
+                ],
+                "username": {
+                    "from_secret": "docker_username",
+                },
+                "password": {
+                    "from_secret": "docker_password",
+                },
+                "registry": "docker.asperti.com",
+                "repo": "docker.asperti.com/paspo/glpi",    
+                "tags": [ 
+                    "latest-%s" % (arch), 
+                    "%s-%s" % (major, arch), 
+                    "%s-%s" % (glpi_version, arch)
+                ],
+                "auto_tag": False,
+                "force_tag": True,
+                "daemon_off": False,            
+            },
+        }],
+        "trigger": {
+            "ref": [
+                "refs/heads/master",
+                "refs/tags/**",
+            ],
+        },
+    }]
+
+def manifest_publish(ctx, glpi_version, archs):
+    major = glpi_version.partition(".")[0];	
+    return [{
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "manifest-%s" % (glpi_version),
+        "platform": {
+            "arch": archs[0],
+            "os": "linux",
+        },
+        "steps": [{
+            "name": "manifest",
+            "image": "plugins/manifest",
+            "settings": {
+                "spec": "manifest.tmpl",
+                "username": {
+                    "from_secret": "docker_username",
+                },
+                "password": {
+                    "from_secret": "docker_password",
+                }, 
+                "tags": [ 
+                    "latest", 
+                    major, 
+                    glpi_version
+                ],
+                "ignore_missing": True,
+                "force_tag": True,
+            },
+        }],
+        "trigger": {
+            "ref": [
+                "refs/heads/master",
+                "refs/tags/**",
+            ],
+        },
+        "depends_on": ["build-publish-%s-%s" % (glpi_version, arch) for arch in archs]
+    }]
+

.drone.yaml

@@ -1,49 +0,0 @@
-kind: pipeline
-type: docker
-name: default
-
-steps:
-  - name: build_and_publish_tag
-    image: plugins/docker:linux-amd64
-    settings:
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/glpi
-      context: .
-      dockerfile: ./Dockerfile
-      build_args:
-        - GLPI_VERSION=10.0.7
-      username:
-        from_secret: docker_username
-      tags:
-        - latest
-        - ${DRONE_TAG}
-        - ${DRONE_SEMVER_MAJOR}.${DRONE_SEMVER_MINOR}
-    when:
-      event:
-        - tag
-
-  - name: build_and_publish
-    image: plugins/docker:linux-amd64
-    settings:
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/glpi
-      context: .
-      dockerfile: ./Dockerfile
-      build_args:
-        - GLPI_VERSION=10.0.7
-      username:
-        from_secret: docker_username
-      tags:
-        - latest
-    when:
-      branch:
-        - master
-      event:
-        - push
-        - cron

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,29 @@
+name: Vulnerability Scan
+
+on:
+  schedule:
+    - cron: "0 14 * * *"
+  workflow_dispatch:
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Pull docker image
+        run: docker pull docker.asperti.com/paspo/glpi:latest
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "docker.asperti.com/paspo/glpi:latest"
+          format: "json"
+          output: "trivy-results.json"
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        run: if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi

Dockerfile

@@ -1,17 +0,0 @@
-FROM alpine:3.17
-ARG GLPI_VERSION=10.0.7
-
-RUN \
-  mkdir -p /logs /config /files /marketplace && \
-  apk -U upgrade && \
-  apk add curl nginx php81 php81-bz2 php81-ctype php81-curl php81-dom php81-exif php81-fileinfo php81-fpm php81-gd php81-iconv php81-intl php81-ldap php81-mysqli php81-opcache php81-openssl php81-pecl-apcu php81-pecl-redis php81-phar php81-session php81-simplexml php81-sodium php81-xml php81-zip && \
-  wget -O - https://github.com/glpi-project/glpi/releases/download/${GLPI_VERSION}/glpi-${GLPI_VERSION}.tgz | tar xz -C /var/www
-
-COPY rootfs /
-
-# config test
-RUN nginx -t
-
-HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:80/fpm-ping
-
-ENTRYPOINT [ "/bin/sh", "/start.sh" ]

README.md

@@ -7,10 +7,22 @@ Web server for GLPI deployment
 ## build
 
 ```bash
-git submodule update --init --remote
-docker build -t docker.asperti.com/paspo/glpi .
+cd src
+docker build -t docker.asperti.com/paspo/glpi --build-arg "ALPINE_VERSION=3.19" --build-arg "GLPI_VERSION=10.0.11" .
 ```
 
 ## run
 
 see [docker-compose.yaml](docker-compose.yaml)
+
+## test drone config
+
+```sh
+drone starlark --format --stdout 
+```
+
+## run vulnscan locally
+
+```bash
+act -W .gitea/workflows/vulnscan.yaml -j scan
+```

docker-compose.yaml

@@ -10,9 +10,16 @@ services:
       - MARIADB_DATABASE=${MARIADB_DATABASE}
       - MARIADB_USER=${MARIADB_USER}
       - MARIADB_PASSWORD=${MARIADB_PASSWORD}
+      - MARIADB_AUTO_UPGRADE=1
+    logging:
+      options:
+        max-size: 10m
 
   redis:
-    image: redis:latest
+    image: redis:alpine
+    logging:
+      options:
+        max-size: 10m
 
   glpi:
     build: .
@@ -29,3 +36,6 @@ services:
       - ./glpi/files:/files
       - ./glpi/marketplace:/marketplace
       - ./glpi/plugins:/var/www/glpi/plugins
+    logging:
+      options:
+        max-size: 10m      

manifest.tmpl

@@ -0,0 +1,25 @@
+image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  -
+    image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm64
+    platform:
+      variant: v8
+      architecture: arm64
+      os: linux
+  -
+    image: docker.asperti.com/paspo/glpi:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm
+    platform:
+      variant: v7
+      architecture: arm
+      os: linux

src/Dockerfile

@@ -0,0 +1,27 @@
+ARG ALPINE_VERSION
+FROM alpine:${ALPINE_VERSION}
+ARG GLPI_VERSION
+
+RUN \
+  mkdir -p /logs /config /files /marketplace && \
+  apk -U upgrade && \
+  apk add --no-cache curl nginx php82 php82-bz2 php82-ctype php82-curl php82-dom php82-exif \
+    php82-fileinfo php82-fpm php82-gd php82-iconv php82-intl php82-ldap php82-mysqli \
+    php82-opcache php82-openssl php82-pecl-apcu php82-pecl-redis php82-phar php82-session \
+    php82-simplexml php82-sodium php82-tokenizer php82-xml php82-zip php82-xmlreader php82-xmlwriter && \
+  wget -O /usr/local/bin/composer https://getcomposer.org/download/2.5.8/composer.phar && \
+  chmod +x /usr/local/bin/composer && \
+  wget -O - https://github.com/glpi-project/glpi/releases/download/${GLPI_VERSION}/glpi-${GLPI_VERSION}.tgz | tar xz -C /var/www
+
+# this are needed if you want to manually install GLPI from git
+# RUN \
+#   apk add patch npm gettext
+
+COPY rootfs /
+
+# config test
+RUN nginx -t
+
+HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:80/fpm-ping
+
+ENTRYPOINT [ "/bin/sh", "/start.sh" ]

src/rootfs/etc/crontabs/nginx

@@ -0,0 +1,2 @@
+# min	hour	day	month	weekday	command
+*	*	*	*	*	/usr/bin/php /var/www/glpi/front/cron.php 

src/rootfs/etc/php82/conf.d/php.ini

@@ -1,6 +1,8 @@
 session.cookie_httponly = on
-memory_limit = 64M
+memory_limit = 512M
 file_uploads = on
 max_execution_time = 600
 session.auto_start = off
 session.use_trans_sid = 0
+expose_php = Off
+opcache.memory_consumption = 256

src/rootfs/start.sh

@@ -9,5 +9,6 @@ if [ "$INSTALL_OK" = "1" ] ; then
   fi
 fi
 
+/usr/sbin/crond -b
 /usr/sbin/php-fpm*
 /usr/sbin/nginx