centos-ssh-apache-php

Docker Image including:

• CentOS-6 6.8 x86_64, Apache 2.2, PHP 5.3, PHP memcached 1.0, PHP APC 3.1.
• CentOS-6 6.8 x86_64, Apache 2.4, PHP-FPM 5.6, PHP memcached 2.2, Zend Opcache 7.0.

Apache PHP web server, loading only a minimal set of Apache modules by default. Supports custom configuration via environment variables.

Overview & links

Tags and respective Dockerfile links

• centos-6-httpd24u-php56u, centos-6-httpd24u-php56u-2.1.1, 2.1.1 (centos-6-httpd24u-php56u/Dockerfile)
• centos-6, centos-6-1.9.1, 1.9.1 (centos-6/Dockerfile)

centos-6

The latest CentOS-6 Standard Package based release can be pulled from the centos-6 Docker tag. It is recommended to select a specific release tag - the convention is centos-6-1.9.1 or 1.9.1 for the 1.9.1 release tag. This build of Apache, (httpd CentOS package), uses the mpm_prefork_module and php5_module modules for handling PHP.

centos-6-httpd24u-php56u

The latest CentOS-6 IUS Apache 2.4, PHP-FPM 5.6 based release can be pulled from the centos-6-httpd24u-php56u Docker tag. It is recommended to select a specific release tag - the convention is centos-6-httpd24u-php56u-2.1.1 or 2.1.1 for the 2.1.1 release tag. This build of Apache, (httpd24u package), uses the mpm_prefork_module and php-fpm for handling PHP. This version has the option of using the worker or event MPM.

Included in the build are the SCL, EPEL and IUS repositories. Installed packages include OpenSSH secure shell, vim-minimal, elinks (for fullstatus support), PHP Memcached are installed along with python-setuptools, supervisor and supervisor-stdout. The centos-6 "Standard" PHP 5.3 build includes PHP APC where Zend Opcache is bundled in PHP 5.6.

Supervisor is used to start the httpd (and, if applicable, php-fpm) daemon when a docker container based on this image is run. To enable simple viewing of stdout for the service's subprocess, supervisor-stdout is included. This allows you to see output from the supervisord controlled subprocesses with docker logs {docker-container-name}.

If enabling and configuring SSH access, it is by public key authentication and, by default, the Vagrant insecure private key is required.

SSH Alternatives

SSH is not required in order to access a terminal for the running container. The simplest method is to use the docker exec command to run bash (or sh) as follows:

$ docker exec -it {docker-name-or-id} bash

For cases where access to docker exec is not possible the preferred method is to use Command Keys and the nsenter command. See command-keys.md for details on how to set this up.

Quick Example

Run up a container named apache-php.pool-1.1.1 from the docker image jdeathe/centos-ssh-apache-php on port 8080 of your docker host.

$ docker run -d \
  --name apache-php.pool-1.1.1 \
  -p 8080:80 \
  -e "APACHE_SERVER_NAME=app-1.local" \
  jdeathe/centos-ssh-apache-php:centos-6

Now point your browser to http://{docker-host}:8080 where {docker-host} is the host name of your docker server and, if all went well, you should see the "Hello, world!" page.

To be able to access the server using the "app-1.local" domain name you need to add a hosts file entry locally; such that the IP address of the Docker host resolves to the name "app-1.local". Alternatively, you can use the elinks browser installed in the container. Note that because you are using the browser from the container you access the site over port 80.

$ docker exec -it apache-php.pool-1.1.1 \
  elinks http://app-1.local

To verify the container is initialised and running successfully by inspecting the container's logs.

$ docker logs apache-php.pool-1.1.1

On first run, the bootstrap script, (/usr/sbin/httpd-bootstrap), will check if the DocumentRoot directory is empty and, if so, will populate it with the example app scripts and app specific configuration files.

The apachectl command can be accessed as follows.

$ docker exec -it apache-php.pool-1.1.1 apachectl -h

Instructions

Running

To run the a docker container from this image you can use the standard docker commands. Alternatively, you can use the embedded (Service Container Manager Interface) scmi that is included in the image since centos-6-1.7.2 or, if you have a checkout of the source repository, and have make installed the Makefile provides targets to build, install, start, stop etc. where environment variables can be used to configure the container options and set custom docker run parameters.

SCMI Installation Examples

The following example uses docker to run the SCMI install command to create and start a container named apache-php.pool-1.1.1. To use SCMI it requires the use of the --privileged docker run parameter and the docker host's root directory mounted as a volume with the container's mount directory also being set in the scmi --chroot option. The --setopt option is used to add extra parameters to the default docker run command template; in the following example a named configuration volume is added which allows the SSH host keys to persist after the first container initialisation. Not that the placeholder {{NAME}} can be used in this option and is replaced with the container's name.

SCMI Install

$ docker run \
  --rm \
  --privileged \
  --volume /:/media/root \
  --env BASH_ENV="" \
  --env ENV="" \
  jdeathe/centos-ssh-apache-php:2.1.1 \
  /usr/sbin/scmi install \
    --chroot=/media/root \
    --tag=2.1.1 \
    --name=apache-php.pool-1.1.1

SCMI Uninstall

To uninstall the previous example simply run the same docker run command with the scmi uninstall command.

$ docker run \
  --rm \
  --privileged \
  --volume /:/media/root \
  --env BASH_ENV="" \
  --env ENV="" \
  jdeathe/centos-ssh-apache-php:2.1.1 \
  /usr/sbin/scmi uninstall \
    --chroot=/media/root \
    --tag=2.1.1 \
    --name=apache-php.pool-1.1.1

SCMI Systemd Support

If your docker host has systemd (and optionally etcd) installed then scmi provides a method to install the container as a systemd service unit. This provides some additional features for managing a group of instances on a single docker host and has the option to use an etcd backed service registry. Using a systemd unit file allows the System Administrator to use a Drop-In to override the settings of a unit-file template used to create service instances. To use the systemd method of installation use the -m or --manager option of scmi and to include the optional etcd register companion unit use the --register option.

$ docker run \
  --rm \
  --privileged \
  --volume /:/media/root \
  --env BASH_ENV="" \
  --env ENV="" \
  jdeathe/centos-ssh-apache-php:2.1.1 \
  /usr/sbin/scmi install \
    --chroot=/media/root \
    --tag=2.1.1 \
    --name=apache-php.pool-1.1.1 \
    --manager=systemd \
    --register \
    --env='APACHE_MOD_SSL_ENABLED=true' \
    --setopt='--volume {{NAME}}.data-ssl:/etc/services-config/ssl'

SCMI Fleet Support

If your docker host has systemd, fleetd (and optionally etcd) installed then scmi provides a method to schedule the container to run on the cluster. This provides some additional features for managing a group of instances on a fleet cluster and has the option to use an etcd backed service registry. To use the fleet method of installation use the -m or --manager option of scmi and to include the optional etcd register companion unit use the --register option.

SCMI Image Information

Since release centos-6-1.7.2 the install template has been added to the image metadata. Using docker inspect you can access scmi to simplify install/uninstall tasks.

NOTE: A prerequisite of the following examples is that the image has been pulled (or loaded from the release package).

$ docker pull jdeathe/centos-ssh-apache-php:2.1.1

To see detailed information about the image run scmi with the --info option. To see all available scmi options run with the --help option.

$ eval "sudo -E $(
    docker inspect \
    -f "{{.ContainerConfig.Labels.install}}" \
    jdeathe/centos-ssh-apache-php:2.1.1
  ) --info"

To perform an installation using the docker name apache-php.pool-1.2.1 simply use the --name or -n option.

$ eval "sudo -E $(
    docker inspect \
    -f "{{.ContainerConfig.Labels.install}}" \
    jdeathe/centos-ssh-apache-php:2.1.1
  ) --name=apache-php.pool-1.2.1"

To uninstall use the same command that was used to install but with the uninstall Label.

$ eval "sudo -E $(
    docker inspect \
    -f "{{.ContainerConfig.Labels.uninstall}}" \
    jdeathe/centos-ssh-apache-php:2.1.1
  ) --name=apache-php.pool-1.2.1"

SCMI on Atomic Host

With the addition of install/uninstall image labels it is possible to use Project Atomic's atomic install command to simplify install/uninstall tasks on CentOS Atomic Hosts.

To see detailed information about the image run scmi with the --info option. To see all available scmi options run with the --help option.

$ sudo -E atomic install \
  -n apache-php.pool-1.3.1 \
  jdeathe/centos-ssh-apache-php:2.1.1 \
  --info

To perform an installation using the docker name apache-php.pool-1.3.1 simply use the -n option of the atomic install command.

$ sudo -E atomic install \
  -n apache-php.pool-1.3.1 \
  jdeathe/centos-ssh-apache-php:2.1.1

Alternatively, you could use the scmi options --name or -n for naming the container.

$ sudo -E atomic install \
  jdeathe/centos-ssh-apache-php:2.1.1 \
  --name apache-php.pool-1.3.1

To uninstall use the same command that was used to install but with the uninstall Label.

$ sudo -E atomic uninstall \
  -n apache-php.pool-1.3.1 \
  jdeathe/centos-ssh-apache-php:2.1.1

Environment Variables

APACHE_SERVER_NAME & APACHE_SERVER_ALIAS

The APACHE_SERVER_NAME and APACHE_SERVER_ALIAS environmental variables are used to set the VirtualHost ServerName and ServerAlias values respectively. If the value contains the placeholder {{HOSTNAME}} it will be replaced with the system hostname value; by default this is the container id but the hostname can be modified using the --hostname docker create|run parameter.

In the following example the running container would respond to the host names app-1.local or app-1.

...
  --env "APACHE_SERVER_ALIAS=app-1" \
  --env "APACHE_SERVER_NAME=app-1.local" \
...

APACHE_CONTENT_ROOT

The home directory of the service user and parent directory of the Apache DocumentRoot is /var/www/app by default but can be changed if necessary using the APACHE_CONTENT_ROOT environment variable.

...
  --env "APACHE_CONTENT_ROOT=/var/www/app-1" \
...

from your browser you can then access it with http://app-1.local:8080 assuming you have the IP address of your docker mapped to the hostname using your DNS server or a local hosts entry.

APACHE_CUSTOM_LOG_LOCATION & APACHE_CUSTOM_LOG_FORMAT

The Apache CustomLog can be defined using APACHE_CUSTOM_LOG_LOCATION to set a file | pipe location and APACHE_CUSTOM_LOG_FORMAT to specify the required LogFormat nickname.

...
  --env "APACHE_CUSTOM_LOG_LOCATION=/var/log/httpd/access_log" \
  --env "APACHE_CUSTOM_LOG_FORMAT=common" \
...

APACHE_ERROR_LOG_LOCATION & APACHE_ERROR_LOG_LEVEL

The Apache ErrorLog can be defined using APACHE_ERROR_LOG_LOCATION to set a file | pipe location and APACHE_ERROR_LOG_LEVEL to specify the required LogLevel value.

...
  --env "APACHE_CUSTOM_LOG_LOCATION=/var/log/httpd/error_log" \
  --env "APACHE_CUSTOM_LOG_FORMAT=error" \
...

APACHE_EXTENDED_STATUS_ENABLED

The variable APACHE_EXTENDED_STATUS_ENABLED allows you to turn ExtendedStatus on. It is turned off by default as it has an impact on the server's performance but with it enabled you can gather more statistics.

...
  --env "APACHE_EXTENDED_STATUS_ENABLED=true" \
...

You can view the output from Apache server-status either using the elinks browser from onboard the container or by using watch and curl to monitor status over time. The following command shows the server-status updated at a 1 second interval given an APACHE_SERVER_NAME or APACHE_SERVER_ALIAS of "app-1.local".

$ docker exec -it apache-php.pool-1.1.1 \
  env TERM=xterm \
  watch -n 1 \
  -d "curl -sH 'Host: app-1.local' http://127.0.0.1/server-status?auto"

APACHE_HEADER_X_SERVICE_UID

The APACHE_HEADER_X_SERVICE_UID environmental variable is used to set a response header named X-Service-UID that lets you identify the container that is serving the content. This is useful when you have many containers running on a single host using different ports or if you are running a cluster and need to identify which host the content is served from. If the value contains the placeholder {{HOSTNAME}} it will be replaced with the system hostname value; by default this is the container id but the hostname can be modified using the --hostname docker create|run parameter.

...
  --env "APACHE_HEADER_X_SERVICE_UID={{HOSTNAME}}" \
...

APACHE_LOAD_MODULES

The variable APACHE_LOAD_MODULES defines all Apache modules to be loaded from /etc/httpd/conf/http.conf. The default is the minimum required so you may need to add more as necessary. To add the "mod_rewrite" Apache Module you would add it's identifier rewrite_module to the array as follows.

...
  --env "APACHE_LOAD_MODULES=authz_user_module log_config_module expires_module deflate_module headers_module setenvif_module mime_module status_module dir_module alias_module rewrite_module"
...

APACHE_MOD_SSL_ENABLED

By default SSL support is disabled but a second port, (mapped to 8443), is available for traffic that has been been through upstream SSL termination (SSL Offloading). If you want the container to support SSL directly then set APACHE_MOD_SSL_ENABLED=true this will then generate a self signed certificate and will update Apache to accept traffic on port 443.

$ docker stop apache-php.pool-1.1.1 && \
  docker rm apache-php.pool-1.1.1
$ docker run -d \
  --name apache-php.pool-1.1.1 \
  --publish 8080:80 \
  --publish 9443:443 \
  --env "APACHE_SERVER_ALIAS=app-1" \
  --env "APACHE_SERVER_NAME=app-1.local" \
  --env "APACHE_MOD_SSL_ENABLED=true" \
  --volume apache-php.pool-1.1.1.data-ssl:/etc/services-config/ssl \
  jdeathe/centos-ssh-apache-php:centos-6

APACHE_MPM

Using APACHE_MPM the Apache MPM can be set. Defaults to prefork and in most cases this shouldn't be altered.

...
  --env "APACHE_MPM=prefork" \
...

APACHE_RUN_USER & APACHE_RUN_GROUP

The Apache process is run by the User and Group defined by APACHE_RUN_USER and APACHE_RUN_GROUP respectively.

...
  --env "APACHE_RUN_GROUP=www-app" \
  --env "APACHE_RUN_USER=www-app" \
...

APACHE_PUBLIC_DIRECTORY

The public directory is relative to the APACHE_CONTENT_ROOT and together they form the Apache DocumentRoot path. The default value is public_html and should not be changed unless changes are made to the source of the app to include an alternative public directory such as web or public.

...
  --env "APACHE_PUBLIC_DIRECTORY=web" \
...

APACHE_SSL_CERTIFICATE

The APACHE_SSL_CERTIFICATE environment variable is used to define a PEM, (and optionally base64), encoded certificate bundle. Base64 encoding of the PEM file contents is recommended. To make a compatible certificate bundle use the cat command to combine the certificate files together.

$ cat /usr/share/private/server-key.pem \
    /usr/share/certs/server-certificate.pem \
    /usr/share/certs/intermediate-certificate.pem \
  > /usr/share/certs/server-bundle.pem

Note: The base64 command on Mac OSX will encode a file without line breaks by default but if using the command on Linux you need to include use the -w option to prevent wrapping lines at 80 characters. i.e. base64 -w 0 -i {certificate-path}.

...
  --env "APACHE_SSL_CERTIFICATE=$(
    base64 -i "/usr/share/certs/server-bundle.pem"
  )" \
...

APACHE_SSL_CIPHER_SUITE

Use the APACHE_SSL_CIPHER_SUITE environment variable to define an appropriate Cipher Suite. The default "intermediate" selection should be suitable for most use-cases where support for a wide range browsers is necessary.

References:

• OpenSSL ciphers documentation.
• Mozilla Security/Server Side TLS guidance.

Note: The value show is using space separated values to allow for readablity in the documentation; this is valid syntax however using the colon separator is the recommended form.

...
  --env "APACHE_SSL_CIPHER_SUITE=ECDHE-ECDSA-AES256-GCM-SHA384 \
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 \
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 \
ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 \
ECDHE-RSA-AES128-SHA256" \
...

APACHE_SSL_PROTOCOL

Use the APACHE_SSL_PROTOCOL environment variable to define the supported protocols. The default protocols are suitable for most "intermediate" use-cases however you might want to restrict the TLS version support for example.

...
  --env "APACHE_SSL_PROTOCOL=All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" \
...

APACHE_SYSTEM_USER

Use the APACHE_SYSTEM_USER environment variable to define a custom service username.

...
  --env "APACHE_SYSTEM_USER=app-1" \
...

PHP_OPTIONS_DATE_TIMEZONE

The default timezone for the container, and the PHP app, is UTC however the operator can set an appropriate timezone using the PHP_OPTIONS_DATE_TIMEZONE variable. The value should be a timezone identifier, like UTC or Europe/London. The list of valid identifiers is available in the PHP List of Supported Timezones.

To set the timezone for the UK and account for British Summer Time you would use:

...
  --env "PHP_OPTIONS_DATE_TIMEZONE=Europe/London" \
...