Commit 5e25a1aa authored by Konstantinos Samaras-Tsakiris's avatar Konstantinos Samaras-Tsakiris

Merge branch 'unix-socket' into 'master'

Change from TCP to Unix socket for communication between php-fpm and nginx

Closes #35

See merge request !22
parents 55046409 d1734dd6
upstream php {
server unix:/var/run/drupal.sock;
}
server {
#listen 8080 ssl;
listen 8080;
#ssl_certificate /etc/ssl/certs/ca-certificates.crt;
#ssl_certificate_key /etc/ssl/certs/ca-cert-COMODO_Certification_Authority.pem;
#ssl_session_cache shared:SSL:20m;
#ssl_session_timeout 4h;
root /app/web;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Status page of PHP. Commenting to avoid access from outside the cluster
# location = /status {
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_pass php;
# allow all;
# }
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
# https://drupal.stackexchange.com/questions/192151/cannot-install-any-theme
rewrite ^/core/authorize.php/core/authorize.php(.*)$ /core/authorize.php$1;
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to scripts in site files directory
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
# try_files $uri @rewrite; # For Drupal <= 6
try_files $uri /index.php?$query_string; # For Drupal >= 7
}
location @rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
# Don't allow direct access to PHP files in the vendor directory.
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
# In Drupal 8, we must also match new paths where the '.php' appears in
# the middle, such as update.php/selection. The rule we use is strict,
# and only allows this pattern with the update.php front controller.
# This allows legacy path aliases in the form of
# blog/index.php/legacy-path to continue to route to Drupal nodes. If
# you do not have any paths like that, then you might prefer to use a
# laxer rule, such as:
# location ~ \.php(/|$) {
# The laxer rule will continue to work if Drupal uses this new URL
# pattern with front controllers other than update.php in a future
# release.
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
# Security note: If you're running a version of PHP older than the
# latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
# See http://serverfault.com/q/627903/94922 for details.
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/ .
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# PHP 5 socket location.
#fastcgi_pass unix:/var/run/php5-fpm.sock;
# PHP 7 socket location.
fastcgi_pass php;
}
# Fighting with Styles? This little gem is amazing.
# location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri @rewrite;
}
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri @rewrite;
expires max;
log_not_found off;
}
location ^~ /simplesaml {
alias /app/vendor/simplesamlphp/simplesamlphp/www;
location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include fastcgi_params;
fastcgi_pass php;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+?\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
}
}
\ No newline at end of file
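Review bot: The comments `# PHP 5 socket location.` / `#fastcgi_pass unix:/var/run/php5-fpm.sock;` / `# PHP 7 socket location.` directly above `fastcgi_pass php;` are now misleading: the socket path is defined once in the `upstream php` block at the top of this file (`server unix:/var/run/drupal.sock;`), and the commented-out php5-fpm path corresponds to nothing this commit deploys. I'd replace those three lines with one comment such as `# PHP-FPM is reached through the "php" upstream (unix socket, defined at the top of this file).`, since the nested `/simplesaml` location's `fastcgi_pass php;` resolves to the same upstream and a reader should find the path in one place. Separately, `allow 192.168.0.0/16;` on the `.txt|.log` location assumes clients arrive with their own addresses; behind the cluster router the remote address is presumably the router's, so confirm that range still expresses the intended restriction.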
[www]
listen = 9000
listen = /var/run/drupal.sock
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
......@@ -8,4 +8,7 @@ pm.max_spare_servers = 3
catch_workers_output = yes
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
access.log = /proc/self/fd/2
\ No newline at end of file
access.log = /proc/self/fd/2
[global]
daemonize = no
\ No newline at end of file
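Review bot: `listen = /var/run/drupal.sock` moves php-fpm to a filesystem socket but sets no `listen.owner`, `listen.group` or `listen.mode`, so the socket is created with php-fpm's defaults (owned by the FPM process user, mode 0660). The nginx container reaches it through the emptyDir both containers mount at `/var/run/`; if nginx runs as a different UID/GID than the PHP container — likely on OpenShift, where UIDs are assigned per namespace — the connect is refused with a permission error and every PHP request turns into a 502, which the old TCP `listen = 9000` never had to care about. Either pin both containers to the same UID/GID through their securityContext, or add explicit `listen.owner` / `listen.group` matching the nginx user; a `listen.mode = 0666` fallback also works but lets any process in either container talk to FPM, so prefer the narrower option.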
......@@ -174,9 +174,12 @@ func (r *DrupalSiteReconciler) ensureResources(drp *webservicesv1a1.DrupalSite,
}
// 3. Serving layer
if transientErr := r.ensureResourceX(ctx, drp, "fpm_cm", log); transientErr != nil {
if transientErr := r.ensureResourceX(ctx, drp, "cm_php", log); transientErr != nil {
return transientErr.Wrap("%v: for PHP-FPM CM")
}
if transientErr := r.ensureResourceX(ctx, drp, "cm_nginx", log); transientErr != nil {
return transientErr.Wrap("%v: for Nginx CM")
}
if transientErr := r.ensureResourceX(ctx, drp, "dc_drupal", log); transientErr != nil {
return transientErr.Wrap("%v: for Drupal DC")
}
......@@ -603,10 +606,21 @@ func deploymentConfigForDrupalSite(d *webservicesv1a1.DrupalSite) *appsv1.Deploy
},
},
},
VolumeMounts: []corev1.VolumeMount{{
Name: "drupal-directory-" + d.Name,
MountPath: "/drupal-data",
}},
VolumeMounts: []corev1.VolumeMount{
{
Name: "drupal-directory-" + d.Name,
MountPath: "/drupal-data",
},
{
Name: "nginx-config-volume",
MountPath: "/etc/nginx/conf.d/default.conf",
SubPath: "default.conf",
},
{
Name: "empty-dir",
MountPath: "/var/run/",
},
},
},
{
Image: imageStreamForDrupalSitePHP(d).Name + ":" + d.Spec.DrupalVersion,
......@@ -638,10 +652,15 @@ func deploymentConfigForDrupalSite(d *webservicesv1a1.DrupalSite) *appsv1.Deploy
MountPath: "/drupal-data",
},
{
Name: "config-volume",
MountPath: "/usr/local/etc/php-fpm.d/www.conf",
SubPath: "www.conf",
}},
Name: "php-config-volume",
MountPath: "/usr/local/etc/php-fpm.d/zz-docker.conf",
SubPath: "zz-docker.conf",
},
{
Name: "empty-dir",
MountPath: "/var/run/",
},
},
}},
Volumes: []corev1.Volume{
{
......@@ -652,7 +671,7 @@ func deploymentConfigForDrupalSite(d *webservicesv1a1.DrupalSite) *appsv1.Deploy
},
}},
{
Name: "config-volume",
Name: "php-config-volume",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
......@@ -661,6 +680,20 @@ func deploymentConfigForDrupalSite(d *webservicesv1a1.DrupalSite) *appsv1.Deploy
},
},
},
{
Name: "nginx-config-volume",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "nginx-cm-" + d.Name,
},
},
},
},
{
Name: "empty-dir",
VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
},
},
},
},
......@@ -790,7 +823,7 @@ func routeForDrupalSite(d *webservicesv1a1.DrupalSite) *routev1.Route {
}
route := &routev1.Route{
ObjectMeta: metav1.ObjectMeta{
Name: "drupal" + d.Name,
Name: "drupal-" + d.Name,
Namespace: d.Namespace,
Labels: labels,
},
......@@ -908,7 +941,34 @@ func configMapForPHPFPM(d *webservicesv1a1.DrupalSite, log logr.Logger) *corev1.
Namespace: d.Namespace,
},
Data: map[string]string{
"www.conf": string(content),
"zz-docker.conf": string(content),
},
}
// Set DrupalSite instance as the owner and controller
// ctrl.SetControllerReference(d, dep, r.Scheme)
// Add owner reference
addOwnerRefToObject(cm, asOwner(d))
return cm
}
// configMapForNginx returns a job object thats runs drush
func configMapForNginx(d *webservicesv1a1.DrupalSite, log logr.Logger) *corev1.ConfigMap {
ls := labelsForDrupalSite(d.Name)
ls["app"] = "nginx"
content, err := ioutil.ReadFile("config/default.conf")
if err != nil {
log.Error(err, fmt.Sprintf("read failed"))
return nil
}
cm := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "nginx-cm-" + d.Name,
Namespace: d.Namespace,
},
Data: map[string]string{
"default.conf": string(content),
},
}
// Set DrupalSite instance as the owner and controller
......@@ -990,7 +1050,8 @@ ensureResourceX ensure the requested resource is created, with the following val
- bc_nginx: BuildConfig for Nginx
- dc_drupal: DeploymentConfig for Nginx & PHP-FPM
- svc_nginx: Service for Nginx
- fpm_cm: ConfigMap for PHP-FPM
- cm_php: ConfigMap for PHP-FPM
- cm_nginx: ConfigMap for Nginx
- route: Route for the drupalsite
*/
func (r *DrupalSiteReconciler) ensureResourceX(ctx context.Context, d *webservicesv1a1.DrupalSite, resType string, log logr.Logger) (transientErr reconcileError) {
......@@ -1034,7 +1095,7 @@ func (r *DrupalSiteReconciler) ensureResourceX(ctx context.Context, d *webservic
case "site_install_job":
res := jobForDrupalSiteDrush(d)
return createResource(ctx, res, res.Name, res.Namespace, r, log)
case "fpm_cm":
case "cm_php":
res := configMapForPHPFPM(d, log)
if res == nil {
return newApplicationError(nil, ErrFunctionDomain)
......@@ -1046,6 +1107,9 @@ func (r *DrupalSiteReconciler) ensureResourceX(ctx context.Context, d *webservic
return newApplicationError(nil, ErrFunctionDomain)
}
return createResource(ctx, res, res.Name, res.Namespace, r, log)
case "cm_nginx":
res := configMapForNginx(d, log)
return createResource(ctx, res, res.Name, res.Namespace, r, log)
default:
return newApplicationError(nil, ErrFunctionDomain)
}
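Review bot: The new `case "cm_nginx":` passes `res.Name` and `res.Namespace` to `createResource` without a nil check, but `configMapForNginx` returns nil when `ioutil.ReadFile("config/default.conf")` fails (the `return nil` is visible in that function earlier in this diff), so a missing or unreadable config file would panic the reconciler instead of surfacing an error. The sibling `case "cm_php":` already guards this; mirror it by inserting `if res == nil {` / `return newApplicationError(nil, ErrFunctionDomain)` / `}` before the `createResource` call. The doc comment `// configMapForNginx returns a job object thats runs drush` was copied from the drush job helper and should read `// configMapForNginx returns the ConfigMap holding the nginx default.conf for the given DrupalSite, or nil if the template cannot be read.` Both `configMapForNginx` and `ensureResourceX` start and end outside the hunks shown here.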
......