sclorg / httpd-container Goto Github PK

Resulted from conversation in #138

I try to use this image on multiple Openshift 4.7 platforms, where the httpd service needs to be configured independently, and I can't afford rebuilding a new image for each cluster (all clusters are supposed to use the same images for alignment sake)

Therefore I'm trying to mount ConfigMaps volumes at pod runtime, containing httpd-configuration files and httpd-pre-init scripts so that the specific configuration is provided at runtime (similarly to what is described here https://github.com/sclorg/httpd-container/tree/master/2.4#direct-usage-with-a-mounted-directory )

When mounting a first ConfigMap into /opt/app-root/src/httpd-cfg with .conf files, the script run-httpd > pre-init/20-copy-config.sh > process_config_files fails when trying to delete the read only files [1].

When mounting a second ConfigMap into /opt/app-root/src/httpd-pre-init with .sh files, the script run-httpd > process_extending_files only lists actual files (not symlinks) [2] while ConfigMap volumes rather provide symlinks to the actual files in a timestamped subfolder [3].

This makes the image difficult to configure at runtime, and prevents my current usecase to be implemented.

Would it be possible to update the way configuration is processed so that use of ConfigMaps can work?
Thanks for your help

Refs:
[1] rm fails on readonly volumes
https://github.com/sclorg/httpd-container/blob/master/2.4/root/usr/share/container-scripts/httpd/common.sh#L164

[2] only files are listed
https://github.com/sclorg/httpd-container/blob/master/2.4/root/usr/share/container-scripts/httpd/common.sh#L117-L142

[3] ConfigMap mount example

bash-4.4# ls -al /configs/
total 12
drwxrwxrwx    3 root     root          4096 Jun  4 14:47 .
drwxr-xr-x    1 root     root          4096 Jun  4 14:47 ..
drwxr-xr-x    2 root     root          4096 Jun  4 14:47 ..2018_06_04_14_47_03.291041453
lrwxrwxrwx    1 root     root            31 Jun  4 14:47 ..data -> ..2018_06_04_14_47_03.291041453
lrwxrwxrwx    1 root     root            18 Jun  4 14:47 stripe1.xml -> ..data/stripe1.xml
lrwxrwxrwx    1 root     root            18 Jun  4 14:47 stripe2.xml -> ..data/stripe2.xml

Hi,

When I run docker run --rm -u root --cap-add net_bind_service --network=vlan2656 --ip=22.0.56.7 apigw:1.0 I have this error :

AH00526: Syntax error on line 66 of /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf:
Error:\tApache has not been designed to serve pages while\n\trunning as root.  There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n

If I run in debug

bash-4.2# /usr/libexec/s2i/run
+ export HTTPD_RUN_BY_S2I=1
+ HTTPD_RUN_BY_S2I=1
+ exec run-httpd
+ '[' -v HTTPD_RUN_BY_S2I ']'
+ config_non_privileged

If I run manually /usr/bin/run-httpd all is working (privileged mode is detected)

 /usr/bin/run-httpd 
+ set -eu
+ source /usr/share/container-scripts/httpd//common.sh
++ set -x
+ '[' -v HTTPD_RUN_BY_S2I ']'
+ runs_privileged
++ id -u
+ test 0 == 0
+ return 0
+ config_privileged

I don't understand why we have this test in /usr/bin/run-httpd

if ! [ -v HTTPD_RUN_BY_S2I ] && runs_privileged ; then

and not

if runs_privileged ; then

Also, it should be nice to allow to skip config_general() when running as privileged user or to allow to configure the listening ports via environment variables.

Best regards,

this issue is created for the testing purpose no action required

Would it be possible to add support for wildcard routing? That is, all requests would be redirected to index.html using mod_rewrite, and a client-side JavaScript router would pick up from there.

Many client-side application frameworks recommend this setup:

• Vue Router
• React Router
• Angular Router

It would be nice if this feature was off by default but could be enabled via an environment variable.

If you think this feature would be useful, I'd be happy to put together a PR. Thank you so much in advance for your time! :)

I get an "Operation not permitted" error when running make test TARGET=centos7 VERSIONS=2.4. Here's the log:

[....] Running command 'chown -R 1001:1001 /tmp/httpd-test-volume-nTwxxO'
chown: changing ownership of '/tmp/httpd-test-volume-nTwxxO': Operation not permitted
[FAIL] Running command 'chown -R 1001:1001 /tmp/httpd-test-volume-nTwxxO'
Stopping and removing container 0f837afd7cf328e8cf9b44aea4b0a0caf33d581b52ef68d5208531cf5ca9ec20...
0f837afd7cf328e8cf9b44aea4b0a0caf33d581b52ef68d5208531cf5ca9ec20
0f837afd7cf328e8cf9b44aea4b0a0caf33d581b52ef68d5208531cf5ca9ec20
Done.
Stopping and removing container 13d7cc5abdbcae6807414b967ad7ef074b6fe2d7ed4e695e73b8cc745841a0bb...
13d7cc5abdbcae6807414b967ad7ef074b6fe2d7ed4e695e73b8cc745841a0bb
13d7cc5abdbcae6807414b967ad7ef074b6fe2d7ed4e695e73b8cc745841a0bb
Done.
Stopping and removing container e6fdd05cddd02c46da161c96b7355a0e85be48d35ce2fc38d0c55514971c11e2...
e6fdd05cddd02c46da161c96b7355a0e85be48d35ce2fc38d0c55514971c11e2
Dumping logs for e6fdd05cddd02c46da161c96b7355a0e85be48d35ce2fc38d0c55514971c11e2
Error: Option HTTPD_LOG_TO_VOLUME is only valid for privileged runs (as UID 0).
e6fdd05cddd02c46da161c96b7355a0e85be48d35ce2fc38d0c55514971c11e2
Done.
Stopping and removing container 1abcc151edd993701586023ed7934fe627f563522638f0430c0044e5ffdc5f93...
1abcc151edd993701586023ed7934fe627f563522638f0430c0044e5ffdc5f93
1abcc151edd993701586023ed7934fe627f563522638f0430c0044e5ffdc5f93
Done.
[FAIL] Tests failed.
make: *** [common/common.mk:89: test] Error 1

I'm running the test script with Fedora 29 and Docker 18.09.3. I ran dnf install go-md2man before running the script to install the required tooling.

Any thoughts on why this might be happening? Is anyone else able to reproduce this failure?

Thank you!!

How would we go about finding out what changed between docker image rhel8/httpd-24:1-160 and rhel8/httpd-24:1-166 ?
Is there a changelog available somewhere?

Thanks in advance.

I host a couple of sites on the same host by running this container image along with my own certs, which are on the host and mounted into the container like so:

podman ... -v /etc/pki/tls:/etc/pki/tls ...

This doesn't work anymore. Running the container by hand, it exits after this...

=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
---> Generating SSL key pair for httpd...

What's the preferred way to handle this now?

Update oc new-app example to latest imagestream tag name. The current command in the README.md is:

oc new-app httpd:24~https://github.com/sclorg/httpd-ex.git

On OpenShift 4.9 this results in the following message:

oc new-app httpd:24~https://github.com/sclorg/httpd-ex.git
error: multiple images or templates matched "httpd:24"

The argument "httpd:24" could apply to the following container images, OpenShift image streams, or templates:

* Image stream "httpd" (tag "2.4-el7") in project "openshift"
  Use --image-stream="openshift/httpd:2.4-el7" to specify this image or template

* Image stream "httpd" (tag "2.4-el8") in project "openshift"
  Use --image-stream="openshift/httpd:2.4-el8" to specify this image or template

* Image stream "httpd" (tag "latest") in project "openshift"
  Use --image-stream="openshift/httpd:latest" to specify this image or template

Changing the command to the latest imagestream tag name resolves this issue:

oc new-app openshift/httpd:2.4-el8~https://github.com/sclorg/httpd-ex.git

I try to use this image on multiple Openshift 4.7 platforms, where the httpd service handles the SSL termination (each cluster coming with different domain).

In order to achieve this I'd like to provide the SSL key/cert pair at pod runtime using a Secret of type "kubernetes.io/tls", coming with tls.crt and tls.crt keys

Unfortunately, because of the current way certs are sourced in the httpd-container, I can't mount this secret to any pod folder and get the pair picked up by the container at runtime.

--> Would it be possible to change the way SSL cert/key pair are sourced so that Secrets can be used?
Thanks

• Ref: https://github.com/sclorg/httpd-container/tree/master/2.4#source-to-image-framework-and-scripts
  ./httpd-ssl
  Can contain user's own SSL certificate (in the certs/ subdirectory) and a key (in the private/ subdirectory)
• Ref2: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets

What is the recommended way to add apache modules?

The latest path (#86) breaks our build with the following message: package httpd24-mod_security is not installed while executing:

/bin/sh -c yum install -y yum-utils &&     prepare-yum-repositories rhel-server-rhscl-7-rpms &&     INSTALL_PKGS="gettext hostname nss_wrapper bind-utils httpd24 httpd24-mod_ssl httpd24-mod_auth_mellon httpd24-mod_security" &&     yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS &&     rpm -V $INSTALL_PKGS &&     yum -y clean all --enablerepo='*'

Any ideas?

This is for testing of automation workflow. No further action is required.

Software Collections provides httpd 2.4.27, but Docker image centos/httpd-24-centos7 contains only version 2.4.25. Any chance of an update? Running yum update within the container is troublesome, because the work of script httpd-prepare gets undone.

Hi,

It seems SSLSessionCache has not been set in the image (correct me if I'm wrong), but according to the official document, this option should be beneficial for performance. Here is doc (https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessioncache):

This configures the storage type of the global/inter-process SSL Session Cache. This cache is an optional facility which speeds up parallel request processing. For requests to the same server process (via HTTP keep-alive), OpenSSL already caches the SSL session information locally. But because modern clients request inlined images and other data via parallel requests (usually up to four parallel requests are common) those requests are served by different pre-forked server processes. Here an inter-process cache helps to avoid unnecessary session handshakes.

Let me know your opinion. Thanks!

Best,
CC

For the custom config files that go under httpd-cfg the README says to use *.cfg I was blindly following the instructions and my config didn't load, realized what I did and switched to *.conf and my config did load. I assume this is just a typo on the README?

I want to use sendmail or whatever mailserver with centos/httpd-24-centos7 from DockerHub.
How would be the proper way I to set this up?

This image declares a VOLUME which means it can't be run as an s2i builder because it is impossible to run images on openshift online if they declare a volume and you do not map that volume to a mount point.

For running an image it's fine because the user can map the volume.

But when the image is run as a builder via s2i, there is no opportunity for the user to map a mount to the VOLUME and openshift online fails the build because the volume can't be written to.

I think the VOLUME declaration should be removed from the image, it's not like users can't still map a volume if they want to anyway.

@hhorak @sspeiche fyi.

IOW script test/run-openshift, similarly to nginx.

Hello,

I finally was able to use your s2i :)
Now I noticed that there are lot of log in console. How it is possible to disable logging?

Hi
I have built container on the base of centos
When I try it locally on my PC (docker Windows 10) it works fine. I can see RedHat page on localhost:8080,
but when I deploy it to IBM Cirrus cloud, based on OpenShift, do not see the page, and can see error message in the log:
/usr/share/container-scripts/httpd//common.sh: line 150: /opt/app-root/etc/passwd: Permission denied

Appreciate any advice.

Hi, We want to use Apache as a Reverse proxy but with Form based authentication enabled. We can see the base image doesn't have the below modules.

1. LDAP
2. Session
   Currently I'm adding this module manually but since our build server doesn't have connectivity to internet i'm copying the RPM file as part of the build process.

Question

1. Are we allowed to do this ?
2. How we can avoid looking up the red hat repo and ubi repo during the build process (Currently renamed the file )

Any suggestions. Thanks for your help!

Hello,

Maybe I am doing something wrong but I am not able to access my files through openshift v3

I browsed the catalogue and got the 2.4.

My root is webstatics.mydomain.com. I am using a git repository where all the files are at the root of the project "./"

I accessed my pod with:

oc exec -it -p web-statics-1-ltlmv /bin/bash

Then if I do an ls I can see my files. However I cannot see my files in /var/www

Did I missed something?

After pulling the image we notice in the config file that EnableSendfile is set to on in /etc/httpd/conf/httpd.conf, whose default is Off.

However, the HttpD official document recommends to set EnableSendfile to Off to avoid operational problems when:

• Some platforms may have broken sendfile support that the build system did not detect, especially if the binaries were built on another box and moved to such a machine with broken sendfile support.
• On Linux the use of sendfile triggers TCP-checksum offloading bugs on certain networking cards when using IPv6.
• On Linux on Itanium, sendfile may be unable to handle files over 2GB in size.
• With a network-mounted DocumentRoot (e.g., NFS, SMB, CIFS, FUSE), the kernel may be unable to serve the network file through its own cache.

So I wonder if EnableSendfile should be changed back to "off" as default.

The latest version of the image isn't able to copy any *.conf files due to permission issues creating the files.

Cloning "https://github.com/jwforres/origin-web-console.git" ...
	Commit:	39b5fc03226ee912017aa362202830c15f0a578e (Take out custom assemble script to verify bug exists in latest image)
	Author:	Jessica Forrester <[email protected]>
	Date:	Fri Apr 7 12:09:12 2017 -0400
---> Enabling s2i support in httpd24 image
AllowOverride All
---> Installing application source
---> Copying httpd configuration files...
'./httpd-cfg/openshift-web-console.conf' -> '/etc/httpd.d/openshift-web-console.conf'
cp: cannot create regular file '/etc/httpd.d/openshift-web-console.conf': Permission denied
error: build error: non-zero (13) exit code from 172.30.1.1:5000/console-test/origin-web-console-build@sha256:1a2605237a2878f14ac1d1dc05c30f95d8de6703d5dc1ffd78816f2c4d570463

You can see this on my https://github.com/jwforres/origin-web-console.git repo and branch httpd-image-bug-test

Just noticed this today on my OCP clusters (both 4.10.x and 4.11.x) when running a container with the image: registry.access.redhat.com/ubi8/httpd-24

Error:

[ec2-user@bastion multicloud-gitops]$ oc logs -n config-demo config-demo-c4995556-7nbzf
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
---> Generating SSL key pair for httpd...
Could not write to /opt/app-root/src/dhparams.pem. Check directory permissions.

The previous version (1-226 works fine, I just tested it). I assume 5be03ef is somewhat related. No big deal I guess, but I thought I'd at least mention it as it might affect others. The full deployment yaml we use is here https://github.com/hybrid-cloud-patterns/multicloud-gitops/blob/main/charts/all/config-demo/templates/config-demo-deployment.yaml

In investigating a failure of the run_mpm_config_test, I noticed that no matter how I set the HTTPD_MTM environment variable, MTM is still defaulting to prefork.

i.e.:

$ docker run -d -e HTTPD_MPM=event --name httpd rhscl/httpd-24-rhel7
c1b759f93b40ac239a0a22ae246adb6a4f1a273281e84375efbfe9ceebb4234f

$ docker exec -it httpd /usr/bin/bash

bash-4.2$ httpd -V |grep MPM
Server MPM:     prefork

bash-4.2$ cat /etc/httpd/conf.modules.d/00-mpm.conf |grep -v "^#"|grep -v "^$"
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

bash-4.2$ 

Here's what I see regarding MTM in the logs:

$ docker logs httpd |grep mpm
[Wed Aug 29 14:30:07.720003 2018] [http2:warn] [pid 1] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Wed Aug 29 14:30:07.724628 2018] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.27 (Red Hat) OpenSSL/1.0.1e-fips configured -- resuming normal operations

When using the container to deploy to a clustered environment, the mechanism for mounting content may differ.

It could be that content is bundled with the image through a new image build process, for example docker build or using an OpenShift S2I technique. A common use-case is for static websites to be built using some toolset and framework, for example Python Sphinx, or a Node.js build (ng build --prod). In these cases we might want to create a build pipeline that generates a new container image based on httpd-container and including the static content.

The main challenge with the existing container is where do I put this content? The /var/www directory, which can be used as a volume mount point, works fine for mounted content, but has some unexpected behaviour if used to drop-in content during a container build (I think this technique may work if content is dropped to /opt/rh/httpd24/root/var/www).

One technique that I adopted for an OpenShift S2I build was to use the default location /opt/app-root/src and drop in a static.conf file to /etc/httpd/conf.d that adds this location using a <Directory> directive.

Hey @hhorak @notroj

Any way possible we could add rsync to this container?

As part of the openshift/odo project (see redhat-developer/odo#1609)

We've been using rsync extensively in order to transfer files over to s2i / OpenShift cluster images.

Now, each s2i image (most of them, php, ruby, python, etc.) use: s2i-base-centos7 https://github.com/sclorg/s2i-php-container/blob/master/7.2/Dockerfile#L1

Which I believe includes rsync.

However, httpd, uses core: https://github.com/sclorg/httpd-container/blob/master/2.4/Dockerfile#L1 which I believe does not.

Is there any way possible we could add rsync to the list of packages located here: https://github.com/sclorg/httpd-container/blob/master/2.4/Dockerfile#L37 ?

Hi,

I don't find anyway to overload ssl.conf (without rebuilding the original image, removing "rpm -V" in the Dockerfile), (creating a new file with SSLProtocol/CiperSuite/... in conf.d don't overload the parameter, apache keep the first parameter value found) this is problematic because when you want to harden your SSL configuration you can only do it for virtualhost.

Best regards

Since the USER instruction is currently commented out, the image cannot be used with the Source to Image mechanism

This is for testing of automation workflow. No further action is required.

When I try to add PHP to new image, based on this one I get a conflict.
PHP pulls httpd as dependency, and it conflicts with httpd24-httpd that is already present.
Any advice on how to add php into this container?