From 2f9f6f09d0180537a61c73c626008bf4826c9ab3 Mon Sep 17 00:00:00 2001
From: Leonard Jonathan Oh
Date: Thu, 29 Sep 2022 08:43:44 +0000
Subject: [PATCH] Fix: Fix setting of permissions in Dockerfile.*.prod and use config file for php-fpm
---
 Dockerfile.nginx.prod | 10 +++++-----
 Dockerfile.php.prod | 13 +++++++------
 README.md | 19 ++++++++++++++++++-
 config/php-fpm.d/www.conf | 10 ++++++++++
 config/php/php-fpm.d/php_fpm_exporter.conf | 3 ---
 docker-compose.example.yml | 13 +++++++------
 docker-compose.yml | 5 +++--
 7 files changed, 50 insertions(+), 23 deletions(-)
 create mode 100644 config/php-fpm.d/www.conf
 delete mode 100644 config/php/php-fpm.d/php_fpm_exporter.conf
diff --git a/Dockerfile.nginx.prod b/Dockerfile.nginx.prod
index aa00766c..253e0c34 100644
--- a/Dockerfile.nginx.prod
+++ b/Dockerfile.nginx.prod
@@ -1,17 +1,17 @@
-FROM alpine:latest AS build
+FROM nginx:1.21-alpine AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
-# Set permissions for nginx's 'nginx' user
+# Set permissions for 'nginx' user
 COPY ./src /src
 WORKDIR /src
-RUN chown -R 101:101 . \
+RUN chown -R nginx:nginx . \
 && find . -type d -exec chmod 750 {} \; \
 && find . -type f -exec chmod 640 {} \;
-FROM nginx:1.21-alpine
+FROM nginx:1.21-alpine AS final
 # Add default configs
-COPY config/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY --from=build /src /src
+COPY config/nginx/nginx.conf /etc/nginx/nginx.conf
diff --git a/Dockerfile.php.prod b/Dockerfile.php.prod
index 3c83eec0..9940e283 100644
--- a/Dockerfile.php.prod
+++ b/Dockerfile.php.prod
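Review bot: `chown -R nginx:nginx .` in the build stage, together with the 750/640 modes, makes the account the server presumably runs as (nginx.conf is not part of this diff) the owner of everything under /src, with write access to it. Serving the files only needs read and traverse, so `RUN chown -R root:nginx . \` followed by the same two `find … chmod` lines would keep nginx able to read via the group while a compromised worker could no longer rewrite shipped content. The build stage of Dockerfile.php.prod has the same pattern with `chown -R www-data:www-data .`, and it matters more there because php-fpm workers execute that code; `root:www-data` would fit, provided ASP only writes to the mounted config.php and the volume directories, which should be confirmed.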
@@ -1,16 +1,16 @@ -FROM alpine:latest AS build +FROM php:7.4-fpm AS build ARG TARGETPLATFORM ARG BUILDPLATFORM RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" -# Set permissions for php-fpm-alpine's 'www-data' user +# Set permissions for 'www-data' user COPY ./src /src WORKDIR /src -RUN chown -R 82:82 . \ +RUN chown -R www-data:www-data . \ && find . -type d -exec chmod 750 {} \; \ && find . -type f -exec chmod 640 {} \; -FROM php:7.4-fpm +FROM php:7.4-fpm AS final # opcache RUN docker-php-ext-install opcache @@ -22,6 +22,7 @@ RUN php -i RUN php -m # Add default configs -COPY ./config/php/php-fpm.d/php_fpm_exporter.conf /usr/local/etc/php-fpm.d/php_fpm_exporter.conf -COPY ./config/php/conf.d/php.ini /usr/local/etc/php/conf.d/php.ini + COPY --from=build /src /src +COPY ./config/php/conf.d/php.ini /usr/local/etc/php/conf.d/php.ini +COPY ./config/php-fpm.d/www.conf /usr/local/etc/php-fpm.d/www.conf diff --git a/README.md b/README.md index 36771a1c..a42ffd59 100644 --- a/README.md +++ b/README.md 
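Review bot: The `COPY ./config/php-fpm.d/www.conf /usr/local/etc/php-fpm.d/www.conf` line at the end of the second hunk overwrites the pool file the base image ships at that path, whereas the removed php_fpm_exporter.conf was a separate drop-in, and nothing in the Dockerfile says so. Any stock setting the new file does not restate (it has no `listen`, for example) now comes from other files in that directory or from php-fpm defaults, so a comment such as `# Overwrites the image's stock www pool; settings not restated in www.conf come from other conf files or php-fpm defaults` above the line would help the next maintainer. The blank line added after `# Add default configs` also detaches that comment from the COPY lines it describes. The ownership point for the first hunk's `chown -R www-data:www-data .` is raised on Dockerfile.nginx.prod.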
@@ -11,7 +11,7 @@ The new BF2Statistics 3.0 ASP, currently in public Beta. The GameSpy server to m See [docker-compose.example.yml](docker-compose.example.yml) example showing how to deploy BF2Statistics using `docker-compose`. Notes: -- Mount the [`config.php`](./config/ASP/config.php) with write permissions, or else `ASP` will throw an error. Use `System > Edit Configuration` as reference to customize the config file. +- Mount the [`config.php`](./config/ASP/config.php) with write permissions, or else `ASP` dashboard will throw an error. Use `System > Edit Configuration` as reference to customize the config file. - Optional: Mount your customized [`armyAbbreviationMap.php`](./config/ASP/armyAbbreviationMap.php), [`backendAwards.php`](./config/ASP/backendAwards.php), and [`ranks.php`](./config/ASP/ranks.php) config files if you are using a customized mod. Unlike `config.php`, they don't need write permissions. - Seed the `db` service with `schema.sql` and `data.sql` so that the database is populated on the first run. The `System > System Installation` doesn't need to be used. - [Backup the DB](#development) using `mysqldump` instead of the ASP. `System > Backup Stats Database` will not be allowed since the DB is on remote host. This means there is no need for provisioning a `backups-volume` volume. @@ -33,6 +33,11 @@ iptables -A INPUT -i br+ -j ACCEPT # Test routes docker-compose -f docker-compose.test.yml up +# Test production builds locally +docker build -t startersclan/asp:nginx -f Dockerfile.nginx.prod . +docker build -t startersclan/asp:php -f Dockerfile.php.prod . +docker-compose -f docker-compose.example.yml up + # Dump the DB docker exec $( docker-compose ps | grep db | awk '{print $1}' ) mysqldump -uroot -pascent bf2stats | gzip > bf2stats.sql.gz 
@@ -50,3 +55,15 @@ docker volume rm asp_logs-volume docker volume rm asp_snapshots-volume docker volume rm asp_db-volume ``` + +## FAQ + +### Q: ASP dashboard shows `Parse error: syntax error, unexpected 'admin' (T_STRING) in /src/ASP/system/framework/View.php(346) : eval()'d code on line 153` + +Solution: Grant `php`'s `www-data` user write permission for `config.php`. + +```sh +chown 33:33 ./config/ASP/config.php +chmod 666 ./config/ASP/config.php +docker-compose restart php +``` diff --git a/config/php-fpm.d/www.conf b/config/php-fpm.d/www.conf new file mode 100644 index 00000000..b931b2cf --- /dev/null +++ b/config/php-fpm.d/www.conf @@ -0,0 +1,10 @@ +[www] +user = www-data +group = www-data +security.limit_extensions = .php +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +pm.status_path = /status.php diff --git a/config/php/php-fpm.d/php_fpm_exporter.conf b/config/php/php-fpm.d/php_fpm_exporter.conf deleted file mode 100644 index ef0a6ea9..00000000 --- a/config/php/php-fpm.d/php_fpm_exporter.conf +++ /dev/null @@ -1,3 +0,0 @@ -[www] -security.limit_extensions = .php -pm.status_path = /status.php diff --git a/docker-compose.example.yml b/docker-compose.example.yml index 00251c8e..f4a7aa07 100644 --- a/docker-compose.example.yml +++ b/docker-compose.example.yml 
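Review bot: `pm.status_path = /status.php` in the new config/php-fpm.d/www.conf has no comment saying who is meant to read it, and this file is now copied into the production image. The status page reports pool and request details, so it should be reachable only by the metrics exporter (the deleted file was named php_fpm_exporter.conf); whether nginx restricts `/status.php` cannot be seen in this diff. A comment above the line such as `; Status endpoint for the php-fpm exporter only; nginx must not route /status.php publicly` would record the intent. The same applies to `pm.max_children = 5` and the other pm values, which look like stock defaults and could be marked as such so operators know they are expected to tune them.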
@@ -15,16 +15,16 @@ services: - | set -eu - echo "Granting php write permissions" - chown -R 82:82 /src/ASP/system/backups + echo "Granting php's 'www-data' user write permissions" + chown -R 33:33 /src/ASP/system/backups find /src/ASP/system/backups -type d -exec chmod 750 {} \; find /src/ASP/system/backups -type f -exec chmod 640 {} \; - chown -R 82:82 /src/ASP/system/cache + chown -R 33:33 /src/ASP/system/cache find /src/ASP/system/cache -type d -exec chmod 750 {} \; find /src/ASP/system/cache -type f -exec chmod 640 {} \; - chown -R 82:82 /src/ASP/system/logs + chown -R 33:33 /src/ASP/system/logs find /src/ASP/system/logs -type d -exec chmod 750 {} \; find /src/ASP/system/logs -type f -exec chmod 640 {} \; @@ -32,11 +32,11 @@ services: mkdir -p /src/ASP/system/snapshots/processed mkdir -p /src/ASP/system/snapshots/unauthorized mkdir -p /src/ASP/system/snapshots/unprocessed - chown -R 82:82 /src/ASP/system/snapshots + chown -R 33:33 /src/ASP/system/snapshots find /src/ASP/system/snapshots -type d -exec chmod 750 {} \; find /src/ASP/system/snapshots -type f -exec chmod 640 {} \; - echo "Granting db write permissions" + echo "Granting db's 'mysql' user write permissions" chown -R 999:999 /var/lib/mysql nginx: @@ -60,6 +60,7 @@ services: # - ./config/ASP/backendAwards.php:/src/ASP/system/config/backendAwards.php:ro # Optional: Customize as needed if using a custom mod # - ./config/ASP/ranks.php:/src/ASP/system/config/ranks.php:ro # Optional: Customize as needed if using a custom mod - ./config/php/conf.d/php.ini:/usr/local/etc/php/conf.d/php.ini:ro # Customize as needed + - ./config/php-fpm.d/www.conf:/usr/local/etc/php-fpm.d/www.conf:ro # Customize as needed - backups-volume:/src/ASP/system/backups # This volume is effectively unused since ASP doesn't allow DB backups for a remote DB, but mount it anyway to avoid errors. - cache-volume:/src/ASP/system/cache - logs-volume:/src/ASP/system/logs 
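Review bot: The literal `33:33` in the four `chown -R` lines of the init script (first and second hunk) is tied to the www-data account of the php image, but the script does not say so, while the Dockerfiles in this commit switched to names. The old value 82 was the Alpine id and stopped matching once the image was built on `php:7.4-fpm`, so a future base-image change would break volume write access in the same silent way. A comment next to the first occurrence, for example `# 33:33 = www-data in the Debian-based php:7.4-fpm image; keep in sync with Dockerfile.php.prod`, would make the coupling explicit, and the same goes for `999:999` and the db image. The script starts above the first hunk, so the image the init container runs in is not visible here.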
diff --git a/docker-compose.yml b/docker-compose.yml index fff22216..786bff04 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,8 +18,8 @@ services: set -eu echo "Granting nginx and php read permissions" - find /src -type f -exec chmod +r {} \; - find /src -type d -exec chmod +x {} \; # Ensure nginx and php have permissions to read directories + find /src -type d -exec chmod 755 {} \; + find /src -type f -exec chmod 644 {} \; echo "Granting php write permissions" find /src/ASP/system/backups -type d -exec chmod 777 {} \; @@ -67,6 +67,7 @@ services: # - ./config/ASP/backendAwards.php:/src/ASP/system/config/backendAwards.php:ro # Optional: Customize as needed if using a custom mod # - ./config/ASP/ranks.php:/src/ASP/system/config/ranks.php:ro # Optional: Customize as needed if using a custom mod - ./config/php/conf.d/php.ini:/usr/local/etc/php/conf.d/php.ini:ro + - ./config/php-fpm.d/www.conf:/usr/local/etc/php-fpm.d/www.conf:ro - backups-volume:/src/ASP/system/backups # This volume is effectively unused since ASP doesn't allow DB backups for a remote DB, but mount it anyway to avoid errors. - cache-volume:/src/ASP/system/cache - logs-volume:/src/ASP/system/logs
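Review bot: `find /src -type f -exec chmod 644 {} \;` in the first hunk sets an absolute mode on every file, which clears the execute bit on any script under /src where the previous `chmod +r` only added read. If /src is a bind mount of the working tree in this compose file (the mount is outside the hunk), the change is applied to the developer's checkout and git will report mode changes. A relative form such as `chmod -R u=rwX,go=rX /src` keeps existing execute bits while still giving nginx and php read and traverse access, assuming the init image's chmod supports `X`. The init script begins above the hunk and continues below it.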