diff --git a/.dive-ci.yml b/.dive-ci.yml
new file mode 100644
index 0000000..f81d725
--- /dev/null
+++ b/.dive-ci.yml
@@ -0,0 +1,13 @@
+rules:
+ # If the efficiency is measured below X%, mark as failed.
+ # Expressed as a ratio between 0-1.
+ lowestEfficiency: 0.90
+
+ # If the amount of wasted space is at least X or larger than X, mark as failed.
+ # Expressed in B, KB, MB, and GB.
+ highestWastedBytes: 128MB
+
+ # If the amount of wasted space makes up for X% or more of the image, mark as failed.
+ # Note: the base image layer is NOT included in the total image size.
+ # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
+ highestUserWastedPercent: 0.10
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..4dacf66
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.git*
+*.md
+*test*.*
+Dockerfile
+LICENSE
+trivy-*.json
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 88679e2..b682ac9 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -1,37 +1,87 @@ -name: Build and Push to DockerHub +name: Build and Push -on: +on: + push: release: types: [published] +permissions: + contents: read + env: - REGISTRY: docker.io IMAGE_NAME: appwrite/base - TAG: ${{ github.event.release.tag_name }} + REGISTRY: docker.io +# https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/ +# https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/ jobs: - build: - runs-on: ubuntu-latest + build_and_push: + runs-on: ${{ matrix.os }} + strategy: + matrix: + include: + - os: ubuntu-24.04 + arch: amd64 + - os: ubuntu-24.04-arm + arch: arm64 steps: - name: Checkout the repo - uses: actions/checkout@v3 + uses: actions/checkout@v6.0.2 - name: Login to DockerHub - uses: docker/login-action@v2 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + - name: Build an image from Dockerfile + run: | + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}} . - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Push an image + run: | + docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}} - - name: Build and push - uses: docker/build-push-action@v4 + manifest_build_and_push_on_feature: + if: github.ref != 'refs/heads/main' + needs: build_and_push + runs-on: ubuntu-24.04 + steps: + - name: Login to DockerHub + uses: docker/login-action@v4 with: - context: . 
- platforms: linux/amd64,linux/arm64 - push: true - tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Create manifest + run: | + docker manifest create \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 + + - name: Push manifest + run: | + docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + + manifest_build_and_push_on_main: + if: github.ref == 'refs/heads/main' + needs: build_and_push + runs-on: ubuntu-24.04 + steps: + - name: Login to DockerHub + uses: docker/login-action@v4 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Create manifest + run: | + docker manifest create \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 + + - name: Push manifest + run: | + docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} diff --git a/.github/workflows/dive.yml b/.github/workflows/dive.yml new file mode 100644 index 0000000..fea47d0 --- /dev/null +++ b/.github/workflows/dive.yml 
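Review bot: The `if:` guards on the two manifest jobs compare `github.ref` with `refs/heads/main`, but the job that tags with `github.event.release.tag_name` can never run on the `release` trigger this workflow declares — on a release event `github.ref` is `refs/tags/<tag>`, so `manifest_build_and_push_on_feature` runs instead and only the sha-tagged manifest is published, while a plain push to `main` selects `manifest_build_and_push_on_main` with an empty `tag_name` and would hand `docker manifest create` an invalid reference ending in `:`. Keying the guards on the event instead, `if: github.event_name != 'release'` and `if: github.event_name == 'release'`, matches what the two jobs actually do. Separately, `on: push:` carries no `branches` filter, so every commit on every branch is built and pushed to the public `docker.io/appwrite/base` repository with `DOCKERHUB_TOKEN`; consider scoping the trigger or gating the push step if that is not intended. The `${{ }}` expressions interpolated into `run:` are all workflow-controlled values here, so there is no expression-injection concern in these steps.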
@@ -0,0 +1,27 @@
+name: Dive Test
+
+on: push
+
+permissions:
+ contents: read
+
+env:
+ IMAGE_NAME: appwrite/base
+ REGISTRY: docker.io
+
+jobs:
+ dive:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6.0.2
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+ - name: Dive
+ uses: yuichielectric/dive-action@0.0.4
+ with:
+ config-file: ${{ github.workspace }}/.dive-ci.yml
+ image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
diff --git a/.github/workflows/structure-test.yml b/.github/workflows/structure-test.yml
new file mode 100644
index 0000000..6a32692
--- /dev/null
+++ b/.github/workflows/structure-test.yml
@@ -0,0 +1,28 @@
+# https://github.com/marketplace/actions/container-structure-test-action
+name: Container Structure Test
+
+on: push
+
+permissions:
+ contents: read
+
+env:
+ IMAGE_NAME: appwrite/base
+ REGISTRY: docker.io
+
+jobs:
+ structure_test:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout the repo
+ uses: actions/checkout@v6.0.2
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+ - name: Run container structure tests
+ uses: plexsystems/container-structure-test-action@v0.1.0
+ with:
+ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ config: tests.yaml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index 3712ce8..0000000
--- a/.github/workflows/test.yml
+++ /dev/null
@@ -1,26 +0,0 @@ -name: Test container structure - -on: [pull_request] - -env: - REGISTRY: docker.io - IMAGE_NAME: appwrite/base - TAG: ${{ github.event.release.tag_name }} - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout the repo - uses: actions/checkout@v3 - - - name: Setup container structure test - run: | - curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 - chmod +x container-structure-test-linux-amd64 - sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test - - - name: Run container structure test - run: | - docker build -t appwrite-base-test . - container-structure-test test --image appwrite-base-test --config tests.yaml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6a876d7..b41ee89 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,9 +1,5 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: trivy +# https://github.com/aquasecurity/trivy-action +name: Trivy Scan on: push: 
@@ -15,34 +11,35 @@ on: - cron: '43 11 * * 6' permissions: - contents: read + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + +env: + IMAGE_NAME: appwrite/base + REGISTRY: docker.io jobs: - build: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build - runs-on: ubuntu-latest + scheduled_trivy: + runs-on: ubuntu-24.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6.0.2 - name: Build an image from Dockerfile run: | - docker build -t appwrite/docker-base:${{ github.sha }} . + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + - name: Run Trivy vulnerability scanner (sarif report) + uses: aquasecurity/trivy-action@0.35.0 with: - image-ref: 'appwrite/docker-base:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' + format: 'sarif' + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' + output: 'trivy-image-results.sarif' severity: 'CRITICAL,HIGH' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml + - name: Upload Trivy scan results + uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: 'trivy-results.sarif' + sarif_file: '.' diff --git a/CHANGES.md b/CHANGES.md new file mode 100644 index 0000000..b2c4c28 --- /dev/null 
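Review bot: `aquasecurity/trivy-action@0.35.0` replaces the previous full commit-SHA pin (`7b7aa264d83dc58691451798b4d117d53d21edfe`) with a mutable tag, which is a supply-chain regression: a tag can be moved to different code after review, a SHA cannot. The same tag-only pinning is used for `actions/checkout@v6.0.2`, `docker/login-action@v4` and `github/codeql-action/upload-sarif@v4` here and in build-and-push.yml, dive.yml (`yuichielectric/dive-action@0.0.4`) and structure-test.yml (`plexsystems/container-structure-test-action@v0.1.0`); pin every `uses:` to a commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-placeholder> # 0.35.0`. The permissions block has also been hoisted from the job to the workflow level, so `security-events: write` and `actions: read` now apply to any job added to this file later; keeping them on `scheduled_trivy` preserves the least-privilege scoping the old file had. `sarif_file: '.'` tells upload-sarif to pick up every `.sarif` file in the workspace rather than the one this job writes; `sarif_file: 'trivy-image-results.sarif'` keeps the upload deterministic.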
+++ b/CHANGES.md @@ -0,0 +1,38 @@ +# CHANGELOG + +## Version 1.1.0 + +### Add + +* .dockerignore +* .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities +* base_image and php_build_date to container labels +* container image build action to publish image using commit sha +* container-structure-test to check PHP version (currently set to 8.5.3) +* container-structure-test to check swoole version (currently set to 6.2.0) +* SECURITY.md to align with appwrite/appwrite + +### Change + +* .github/*.yml steps updated to latest versions +* Better document use of `docker buildx ...` for local builds +* Better noted and organized the different build processes for PHP extensions +* Date component of PHP extension shared objects directory now a build argument +* Dockerfile base now based on `phpswoole/swoole:php8.5-alpine` +* Dockerfile compile and final stage system packages aligned +* GitHub action for container-structure-test now uses a marketplace action +* GitHub action runners pinned to Ubuntu 24.04 +* ImageMagick version bumped to 7.1.2.15 via APK +* PHP version bumped to 8.5 +* Refactored multi-arch build process to prevent cross-arch builds requiring long wait times + +### Fixes + +* README.md usage instructions more detailed + +### Miscellaneous + +### Removed + +* Build tools from final stage of Dockerfile +* GitHub action to Setup QEMU as GitHub now provides native ARM runners diff --git a/Dockerfile b/Dockerfile index 4dd57ce..77cfb0b 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,66 +1,73 @@ -ARG BASEIMAGE="php:8.4.18-cli-alpine3.23" +ARG BASE_IMAGE="phpswoole/swoole:php8.5-alpine" +ARG PHP_BUILD_DATE="20250925" -FROM $BASEIMAGE AS compile +FROM $BASE_IMAGE AS compile -ENV PHP_REDIS_VERSION="6.3.0" \ - PHP_SWOOLE_VERSION="v6.1.7" \ +ENV \ + PHP_BROTLI_VERSION="0.18.3" \ PHP_IMAGICK_VERSION="3.8.1" \ - PHP_MONGODB_VERSION="2.2.1" \ - PHP_YAML_VERSION="2.3.0" \ + PHP_LZ4_VERSION="0.6.0" \ PHP_MAXMINDDB_VERSION="v1.13.1" \ + PHP_MONGODB_VERSION="2.2.1" \ + PHP_OPENTELEMETRY_VERSION="1.2.1" \ + PHP_PROTOBUF_VERSION="5.34.0" \ + PHP_REDIS_VERSION="6.3.0" \ PHP_SCRYPT_VERSION="2.0.1" \ - PHP_ZSTD_VERSION="0.15.2" \ - PHP_BROTLI_VERSION="0.18.3" \ PHP_SNAPPY_VERSION="0.2.3" \ - PHP_LZ4_VERSION="0.6.0" \ PHP_XDEBUG_VERSION="3.5.1" \ - PHP_OPENTELEMETRY_VERSION="1.2.1" \ - PHP_PROTOBUF_VERSION="5.34.0" - -RUN apk update && apk upgrade && apk add --no-cache --virtual .deps \ - linux-headers \ - make \ - automake \ - autoconf \ - gcc \ - g++ \ - git \ - zlib-dev \ - openssl-dev \ - yaml-dev \ - imagemagick \ - imagemagick-dev \ - libjpeg-turbo-dev \ - jpeg-dev \ - libpng-dev \ - libjxl-dev \ - libmaxminddb-dev \ - zstd-dev \ - brotli-dev \ - lz4-dev \ - curl-dev - -RUN docker-php-ext-install sockets + PHP_YAML_VERSION="2.3.0" \ + PHP_ZSTD_VERSION="0.15.2" +RUN \ + apk update && \ + apk upgrade && \ + apk add --no-cache --virtual .deps \ + && apk add --no-cache \ + autoconf \ + automake \ + brotli-dev \ + certbot \ + curl-dev \ + docker-cli \ + docker-cli-compose \ + g++ \ + gcc \ + git \ + imagemagick \ + imagemagick-dev \ + imagemagick-heic \ + jpeg-dev \ + libavif \ + libgomp \ + libheif \ + libjpeg-turbo-dev \ + libjxl-dev \ + libmaxminddb-dev \ + libpng-dev \ + libstdc++ \ + libwebp \ + linux-headers \ + lz4-dev \ + make \ + openssl-dev \ + postgresql-dev \ + rsync \ + yaml-dev \ + zip \ + zlib-dev \ + zstd-dev + +# compile from source instals (least desirable method) + +# Redis Extension FROM compile AS redis RUN \ - # Redis Extension git 
clone --depth 1 --branch $PHP_REDIS_VERSION https://github.com/phpredis/phpredis.git && \ cd phpredis && \ phpize && \ ./configure && \ make && make install -## Swoole Extension -FROM compile AS swoole -RUN \ - git clone --depth 1 --branch $PHP_SWOOLE_VERSION https://github.com/swoole/swoole-src.git && \ - cd swoole-src && \ - phpize && \ - ./configure --enable-sockets --enable-http2 --enable-openssl --enable-swoole-curl && \ - make && make install && \ - cd .. - ## Imagick Extension FROM compile AS imagick RUN \ @@ -79,7 +86,7 @@ RUN \ ./configure && \ make && make install -## Maxminddb extension +## Maxminddb Extension FROM compile AS maxmind RUN \ git clone --depth 1 --branch $PHP_MAXMINDDB_VERSION https://github.com/maxmind/MaxMind-DB-Reader-php.git && \ 
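Review bot: `BASE_IMAGE` moves from the fully pinned `php:8.4.18-cli-alpine3.23` to the floating tag `phpswoole/swoole:php8.5-alpine`, so rebuilds are no longer reproducible and the tag can silently advance to a newer PHP or Swoole than the exact versions tests.yaml in this commit asserts (8.5.3 and 6.2.0); pin a full version tag and a digest, e.g. `ARG BASE_IMAGE="phpswoole/swoole:<pinned-tag-placeholder>@sha256:<digest-placeholder>"`. `PHP_BUILD_DATE="20250925"` is used as a path component for the extension directory and has to match the PHP API date of whatever that tag resolves to, so a drifting tag can also break every `COPY --from` in the final stage. The switch from the official `php` image to a third-party image also changes who is trusted for the base layer, which is worth recording in the commit message. The compile stage now additionally installs `certbot`, `docker-cli`, `docker-cli-compose`, `rsync` and `zip`, which the extension builds appear not to need; they are harmless in a throwaway stage but add time to every build.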
@@ -153,81 +160,108 @@ RUN \ ./configure && \ make && make install +# PHP PECL installs (acceptable method) + FROM compile AS opentelemetry RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION} FROM compile AS protobuf RUN pecl install protobuf-${PHP_PROTOBUF_VERSION} -FROM compile AS gd -RUN docker-php-ext-install gd +FROM $BASE_IMAGE AS final + +# Pass in ARGS to use as label values and path components -FROM $BASEIMAGE AS final +ARG BASE_IMAGE +ARG PHP_BUILD_DATE +LABEL base_image=$BASE_IMAGE LABEL maintainer="team@appwrite.io" +LABEL php_build_date=$PHP_BUILD_DATE -RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone +RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ + echo $TZ > /etc/timezone RUN \ - apk update \ - && apk upgrade \ - && apk add --no-cache --virtual .deps \ - linux-headers \ - make \ - automake \ - autoconf \ - gcc \ - g++ \ - curl-dev \ - && apk add --no-cache \ - libstdc++ \ - rsync \ - brotli-dev \ - lz4-dev \ - yaml-dev \ - imagemagick \ - imagemagick-dev \ - libjpeg-turbo-dev \ - jpeg-dev \ - libjxl-dev \ - libavif \ - libheif \ - libwebp \ - imagemagick-heic \ - zlib-dev \ - libpng-dev \ - libmaxminddb-dev \ - certbot \ - docker-cli \ - docker-cli-compose \ - libgomp \ - git \ - zip \ - postgresql-dev \ - && docker-php-ext-install sockets pdo_mysql pdo_pgsql intl \ + apk update && \ + apk upgrade && \ + apk add --no-cache --virtual .deps \ + && apk add --no-cache \ + autoconf \ + automake \ + brotli-dev \ + certbot \ + curl-dev \ + docker-cli \ + docker-cli-compose \ + g++ \ + gcc \ + git \ + imagemagick \ + imagemagick-dev \ + imagemagick-heic \ + jpeg-dev \ + libavif \ + libgomp \ + libheif \ + libjpeg-turbo-dev \ + libjxl-dev \ + libmaxminddb-dev \ + libpng-dev \ + libstdc++ \ + libwebp \ + linux-headers \ + lz4-dev \ + make \ + openssl-dev \ + postgresql-dev \ + rsync \ + yaml-dev \ + zip \ + zstd-dev \ && apk del .deps \ && rm -rf /var/cache/apk/* +# extension installer (prefered method) + +RUN 
docker-php-ext-install \ + gd \ + intl \ + pdo_mysql \ + pdo_pgsql \ + sockets + WORKDIR /usr/src/code -COPY --from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-20240924/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-20240924/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=imagick /usr/local/lib/php/extensions/no-debug-non-zts-20240924/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-20240924/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=maxmind /usr/local/lib/php/extensions/no-debug-non-zts-20240924/maxminddb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=scrypt /usr/local/lib/php/extensions/no-debug-non-zts-20240924/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-20240924/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-20240924/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-20240924/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-20240924/xdebug.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-20240924/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-20240924/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=gd 
/usr/local/lib/php/extensions/no-debug-non-zts-20240924/gd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-20240924/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=imagick /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=maxmind /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/maxminddb.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=scrypt /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/xdebug.so 
/usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ # Enable Extensions -RUN docker-php-ext-enable swoole redis imagick yaml maxminddb scrypt zstd brotli lz4 snappy opentelemetry protobuf gd mongodb +RUN docker-php-ext-enable \ + brotli \ + gd \ + imagick \ + lz4 \ + maxminddb \ + mongodb \ + opentelemetry \ + protobuf \ + redis \ + scrypt \ + snappy \ + yaml \ + zstd EXPOSE 80 diff --git a/README.md b/README.md index 1b4e37c..bac9ffb 100644 --- a/README.md +++ b/README.md 
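Review bot: In the final stage `apk add --no-cache --virtual .deps \` is followed directly by `&& apk add --no-cache \`, so the virtual group has no members and the later `apk del .deps` removes nothing: `autoconf`, `automake`, `gcc`, `g++`, `linux-headers` and `make` now ship in the runtime image, whereas the previous version grouped exactly those under `.deps`, and CHANGES.md in this commit states that build tools were removed from the final stage. The build only succeeds in this shape because the separate `RUN docker-php-ext-install` that follows still finds a compiler; once the toolchain is actually deleted, that step has to move back in front of `apk del .deps`, as it was before. The rewrite below does both; the `-dev` header packages are left in the permanent set because the diff does not show which of them the copied extensions need at runtime.
```dockerfile
RUN \
    apk update && \
    apk upgrade && \
    apk add --no-cache --virtual .deps \
        autoconf \
        automake \
        g++ \
        gcc \
        linux-headers \
        make \
    && apk add --no-cache \
        brotli-dev \
        # … unchanged: remaining runtime packages (certbot … zstd-dev) …
    && docker-php-ext-install \
        gd \
        intl \
        pdo_mysql \
        pdo_pgsql \
        sockets \
    && apk del .deps \
    && rm -rf /var/cache/apk/*
```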
@@ -1,60 +1,86 @@ # Docker Base +[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base) [![Discord](https://img.shields.io/discord/564160730845151244?label=discord&style=flat-square)](https://appwrite.io/discord) [![Docker Pulls](https://img.shields.io/docker/pulls/appwrite/base?color=f02e65&style=flat-square)](https://hub.docker.com/r/appwrite/base) -[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base) -[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite) [![Follow Appwrite on StackShare](https://img.shields.io/badge/follow%20on-stackshare-blue?style=flat-square)](https://stackshare.io/appwrite) +[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite) [Appwrite](https://appwrite.io) base docker image with applications and extensions built and installed. ## Getting Started -These instructions will cover usage information to help your run Appwrite's base docker container. +This project contains Appwrite's PHP base container image. -### Prerequisites +### NOTE -In order to run this container you'll need docker installed. +* For example usage `latest` is stated in the commands. The Appwrite team recommends using pinned version releases outside of development. +* We use `Docker` but you may use any compatible container runtime in its place. + +## Prerequisites + +In order to run this container you'll need the Docker runtime installed. 
+ +**Docker** -* [Windows](https://docs.docker.com/windows/started) -* [OS X](https://docs.docker.com/mac/started/) * [Linux](https://docs.docker.com/linux/started/) +* [OS X](https://docs.docker.com/mac/started/) +* [Windows](https://docs.docker.com/windows/started) -### Usage +* [Docker buildx](https://github.com/docker/buildx) -```shell -docker run appwrite/base -``` +**Optional** -### Testing +* [GoogleContainerTools/container-structure-test](https://github.com/GoogleContainerTools/container-structure-test) for testing +* [Trivy](https://trivy.dev/) for CVE scanning -We use [Container Structure Test](https://github.com/GoogleContainerTools/container-structure-test) to run test for the docker image. In order to run test first install Container strucutre test using the following command. +## Build -```bash -curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test +```shell +docker build --no-cache --tag appwrite/base:latest . +# exit code 0 ``` -### Run Test +## Scan -First build and tag the docker image and then run the test using the configuration file. - -```bash -docker build -t appwrite-base-test . -container-structure-test test --config tests.yaml --image appwrite-base-test +```shell +trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest +# success is a zero exit code ``` -### Build +## Test ```bash -docker build --tag appwrite/base:1.0.0 . 
- -docker push appwrite/base:1.0.0 +container-structure-test test --config tests.yaml --image appwrite/base:latest +# PASS +CI=true dive --confog .dive-ci.yml appwrite/base:latest +# Results: +# PASS: highestUserWastedPercent +# PASS: highestWastedBytes +# PASS: lowestEfficiency +# Result:PASS [Total:3] [Passed:3] [Failed:0] [Warn:0] [Skipped:0] ``` -Multi-arch build (using [buildx](https://github.com/docker/buildx)): +## Run +```shell +docker run appwrite/base:latest php -m +# ... +# yaml +# Zend OPcache +# zlib +# zstd +# +# [Zend Modules] +# Zend OPcache ``` -docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --tag appwrite/base:1.0.0 --push . + +## Push + +Pushing a built image to a repository should be handle by automation. + +```bash +docker push appwrite/base:latest | tee "push-$(date +%s).log" ``` ## Find Us diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3c5864e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,102 @@ +# Security Policy + +## Supported Appwrite Versions + +| Version | Supported | +| --------- | ------------------ | +| <= 0.15.x | :x: | +| 1.0.x | :white_check_mark: | +| 1.1.x | :white_check_mark: | +| 1.2.x | :white_check_mark: | +| 1.3.x | :white_check_mark: | +| 1.4.x | :white_check_mark: | +| 1.5.x | :white_check_mark: | +| 1.6.x | :white_check_mark: | +| 1.7.x | :white_check_mark: | +| 1.8.x | :white_check_mark: | + +# Responsible Disclosure Policy + +Appwrite welcomes responsible security research and is committed to keeping our users, data, and infrastructure safe. + +## Contact + +We only accept **email** reports. Please use this address for all vulnerability reports: security@appwrite.io + +Do **not** open public GitHub issues for security problems. + +--- + +## In Scope + +| Category | Included | +|--------------------|----------| +| Production domains | `*.appwrite.io`, `*.appwrite.network`, `*.appwrite.run` | +| Open-source repos | Everything under `github.com/appwrite/*` or `github.com/utopia-php/*`| +| Official SDKs | All Appwrite-maintained SDKs and demo apps | + +--- + +## Out of Scope + +* Third-party integrations +* Rate-limit or brute-force findings +* Self-XSS or clickjacking on static marketing pages +* Missing SPF, DMARC, or DKIM records without an exploitable impact +* Vulnerabilities in dependencies with no viable exploit path + +--- + +## Safe Harbor + +We will not pursue legal action or law-enforcement involvement for research that: + +1. Targets only systems listed as in scope +2. Respects user privacy and does not exfiltrate data +3. Avoids service degradation or denial of service +4. 
Allows us reasonable time to remediate before public disclosure + +--- + +## Reporting Format + +Include the following for fastest triage: + +* Clear title and summary of the issue +* Step-by-step reproduction or proof-of-concept +* Impact assessment +* Affected endpoint, repo, or component +* Suggested remediation if known + +Screenshots and detailed logs are appreciated. + +--- + +## Recognition + +Discretionary swag bounties **may** be awarded, but are not guaranteed. + +--- + +## Duplicate Handling + +We will inform if a report is a duplicate and no further action will be taken. + +--- + +## Public Disclosure + +Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions can be arranged by mutual agreement. + +--- + +## Prohibited Actions + +* Social engineering Appwrite core team or customers +* Physical attacks on offices or data centers +* Volumetric denial of service +* Automated scanning that degrades service for other users + +--- + +Thank you for helping keep Appwrite secure. diff --git a/tests.yaml b/tests.yaml index 4f7b57a..0f8f8d0 100644 --- a/tests.yaml +++ b/tests.yaml @@ -1,10 +1,10 @@ schemaVersion: '2.0.0' - + commandTests: - name: 'Imagemagick command' command: "magick" args: ["--version"] - expectedOutput: [".*ImageMagick 7.1.*"] + expectedOutput: [".*ImageMagick 7.1.2.*"] - name: 'rsync command' command: "rsync" args: ["--version"] @@ -75,6 +75,11 @@ commandTests: - yaml - zlib - zstd + - name: 'PHP version' + command: "php" + args: ["-v"] + expectedOutput: + - "PHP 8.5.3 (cli)*" - name: 'ImageMagick supported formats' command: "php" args: ["-i"] 
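Review bot: The new `PHP version` expectation `"PHP 8.5.3 (cli)*"` is evaluated as a regular expression, so the parentheses form a group, `*` makes `cli` optional and the unescaped dots match any character; it therefore also accepts output such as `PHP 8.5.30` or `PHP 8x5x3`. The existing `ZIP` entry in this file (`"Zip 3.0 \\(July 5th 2008\\)"`) shows the intended convention of escaping metacharacters, so `- "PHP 8\\.5\\.3 \\(cli\\)"` is the consistent form; the `Swoole version` entry added in the next hunk (`".*version 6.2.0.*"`) has the same unescaped dots. Both values pin exact patch versions while the Dockerfile base image tag in this commit is not pinned to a patch, so these tests will start failing whenever that tag moves.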
@@ -85,8 +90,13 @@ commandTests: args: ["-r", 'print(\Normalizer::FORM_D);'] expectedOutput: - "4" + - name: 'Swoole version' + command: "php" + args: ["--re", "swoole"] + expectedOutput: + - ".*version 6.2.0.*" - name: 'ZIP' command: "zip" args: ["-v"] expectedOutput: - - "Zip 3.0 \\(July 5th 2008\\)" + - "Zip 3.0 \\(July 5th 2008\\)" \ No newline at end of file
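Review bot: The only difference between the removed and added `Zip` lines is the lost trailing newline (`\ No newline at end of file`); the expectation text is unchanged, so this is a small regression worth reverting so that the file ends with a newline again.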