phpmyadmin / docker Goto Github PK

I'm using PHP 7 everywhere now and am curious if there's a reason not to update this package.

Thanks,

S

https://secure.php.net/manual/en/opcache.configuration.php#ini.opcache.restrict-api

the value used as "start of path", more information:
wpsharks/comet-cache#733

fix:
it will be better to disable it completely, didn't found way to do it, does it PHP bug/limitation? probably better to limit it using opcache.restrict_api (instead of using disable_functions for this)

Reported by Emanuel Bronshtein.

Using the latest image, I'm mounting a file under /config.user.inc.php as described in the documentation. The file is not loaded by the default config.inc.php.

After investigating, the file is mounted properly but the line if (file_exists('/config.user.inc.php')) { return false, which means that the PHP code does not have access to this file. A simple scandir('/') returns false also.

I'm running Docker 1.11.1

I've got a project that sets phpmyadmin up in docker-compose using the following configuration:

phpmyadmin:
image: phpmyadmin/phpmyadmin
ports:
- "8080:80"
environment:
PMA_HOST: "mysql"
PMA_PORT: 3306

I need to import sql but I'm not sure how to access either via command line, browser, or sequel pro (where do I find the credentials to use?)
ssh host-?
ssh user-?
ssh key-?

Preferably sql pro so I can view all the data and learn the structure better :)

Just a thought: wouldn't it make sense to expose port 80 instead of port 8080? A user can always map any exposed ports to whatever he likes, e.g. -p 8080:80, and as this is in fact a Docker container running a web application, doesn't it sound logical to use the http port for that? Or were there practical considerations for using port 8080 instead?

If you agree, I'm willing to open a PR, but let's discuss this first.

Any chance of taging versions on docker hub?

I was trying to use that new feature (#13, #12 PmaAbsoluteUri) and couldn't understand why it wasn't working. Turns out this feature is incredibly new and not part of my 7 day old image. Ugh!

But anyways, I'm glad its implemented. :)

Hello, are you have plans make version without nginx and supervisord?

Nginx with default config only creates excessive load, much better to add separate nginx-proxy (docker-compose or host-based).

supervisord need only for run nginx?

In some setups, MySQL is not available via TCP and only listens via socket. It would be great to have an ability to set MySQL socket instead of hostname.

For cases where the hosts are IP addresses
how can one give description to the IP address so one can know what DB server the ip belongs to when on login page?

So instead of showing ip address of host on login page and no one knows what DB server the ip address belongs to, i can declare a some env variable to connect ip address to a description

Thanks

Hi all,
I am trying to serve this phpmyadmin docker image via nginx upstream.
It is working with :

# docker run -d -e PMA_ABSOLUTE_URI="https://my.domain.com/" phpmyadmin/phpmyadmin
nginx: location / { proxy_pass http://phpmyadmin;  }

But not working with:

# docker run -d -e PMA_ABSOLUTE_URI="https://my.domain.com/phpmyadmin/" phpmyadmin/phpmyadmin
nginx: location /phpmyadmin { proxy_pass http://phpmyadmin;  }

php just returns it can't find the index.php (or any other files). Any ideas? :-)

It should be possible to set MySQL host via an environment variable.

In some container engines (for example Kubernetes), there are no concept of link aliases, so a user will have to change his service name (if it's not db) in order to make it work with this Docker image.

While PMA code does send the below headers in sendHttpHeaders function
(the correct place for such headers, are in PMA code, as it's the best/safest place to calculate CSP headers)
but it effects only .php files.
thus, it's recommended to add the below headers in nginx.conf in case the request wasn't passed to php-fpm

for every request that wasn't passed to php-fpm:

add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;

for every request that wasn't passed to php-fpm and return HTML content (.html files), which effect the files in doc directory (/doc/html/):

add_header X-Xss-Protection "1; mode=block" always;

while I will recommend the following for default CSP header:

add_header Content-Security-Policy "default-src 'self';form-action 'self';referrer no-referrer;reflected-xss block;" always;

The HTML file in doc folder require unsafe-inline in JS & CSS , Thus using:
add_header Content-Security-Policy "default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';form-action 'self';referrer no-referrer;reflected-xss block;" always;

The documentation generated using old Sphinx version (1.2.3) while the last one is 1.4.6.
in case the generated documentation using latest version still require unsafe-inline in JS & CSS, I suggest to report this to Sphinx.

Reported by Emanuel Bronshtein.

I've found an issue in 4.6.2-3. The issue appears when I'm trying to expand a table info in the sidebar.
There is no such error in the latest version. Can you build new tagged version based on the latest one?

I have a fairly vanilla version of the phpMyAdmin docker container yet after I login, I keep losing the session and are taken back to the login screen. Sometimes it'll happen after a few seconds, sometimes after a minute or two.

I've tried clearing all the cookies in my browser, tried multiple computers and multiple browsers without much luck.

Below is the Docker command being used to start the container:

docker run \
        --name phpMyAdmin \
        --restart=always \
        -d \
        -p 8080:80 \
        --link mysql:db \
        phpmyadmin/phpmyadmin

Hi,

the --link option have been deprecated shouldn't we use the --net option?

The docker image marked as public at:
https://hub.docker.com/r/phpmyadmin/phpmyadmin/
There is a process that will mark the image as official, more information:
https://docs.docker.com/docker-hub/official_repos/
example of official repositories:
https://hub.docker.com/_/wordpress/
https://hub.docker.com/_/drupal/
it appears that official repos has some security benefits (apart from distinguish from other public repos) such as content trust (see issue: not signed docker image) enabled by docker itself.

fix:
do the needed changes (there is a guideline), and apply for official repositories at DockerHub.

Reported by Emanuel Bronshtein.

PMA_ARBITRARY seems to be ignored in the latest image build (but its ok with the phpmyadmin/phpmyadmin:4.6.4-1 image)

Steps to reproduce:

1. Create docker-compose.yml with:
   phpmyadmin:
   image: phpmyadmin/phpmyadmin
   environment:

   • PMA_ARBITRARY=1

2. Goto phpmyadmin local app page, the "Server:" field is missing from the "Log in" form.

The default umask set by supervisord is 022 according to: (also set it to processes spawned by it by default)
http://supervisord.org/configuration.html
fix:
use -m or --mask parameter (http://supervisord.org/running.html#supervisord-command-line-options) at:
https://github.com/phpmyadmin/docker/blob/master/run.sh#L21
and set it to 027.

Reported by Emanuel Bronshtein.

I used to reverse-proxy phpmyadmin-docker via nginx-docker-proxy and have it in a sub-URL like https://mydomain.com/phpmyadmin/

Now that PMA_ABSOLUTE_URI has obviously been obsoleted, what now?

The detectPow function at:
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L38
will use bcpow or gmp_pow or pow functions, the bcpow & gmp_pow functions require:
php5-bcmath
php5-gmp
packages

fix:
1. in docker, add php5-bcmath:
https://github.com/phpmyadmin/docker/blob/master/Dockerfile#L4
2. in debian, add under "Recommends" a PHP bcmath package:
https://sources.debian.net/src/phpmyadmin/4:4.6.4%2Bdfsg1-1/debian/control/?hl=29#L29

Reported by Emanuel Bronshtein.

The default umask settings for docker is 022 (which is also used by many distros)
https://github.com/docker/docker/pull/13941/files#diff-f12859176a0bd7f84e8c0884b1d71908R37
it's better to use more secure umask when possible, such as:
027
(none permissions for other)

The umask need to be set before creation of files that will remain in the image, thus affecting the permissions of extracted files (see issue above) & created files, such as: config.secret.inc.php.

Reported by Emanuel Bronshtein.

https://hub.docker.com/r/phpmyadmin/phpmyadmin/builds/

I want to link more than one mysql container into phpmyadmin and this is not working.

It only works when I link only one container and named it db

There's a note in the Dockerfile to update to Alpine 3.4 when released, it's released.

User modifications when run from docker https://github.com/phpmyadmin/docker
need to be made in config.user.inc.php file instead of config.inc.php.
Thus, show 'config.user.inc.php' instead of 'config.inc.php' if run from Docker, for example change need to be done in:
https://github.com/phpmyadmin/phpmyadmin/blob/master/prefs_manage.php#L51
https://github.com/phpmyadmin/phpmyadmin/blob/master/prefs_manage.php#L309
https://github.com/phpmyadmin/phpmyadmin/blob/master/setup/frames/config.inc.php#L30
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/relation.lib.php#L371
also the file created under SETUP need to be 'user.config.inc.php' in the above scenario.

Greetings,

I just needed phpmyadmin for one of our projects and I looked into the image and I don't understand a couple of concepts here.

1.) Why does anything in this image run as root (tried both latest and 4.6.4-1 from docker hub and although they are different both run php processes as root).
2.) Let's presume this is changed and the processes in the container are ran as UID 1000, in that case why is the /www/ directory writable by user 1000.

I think running web applications as root even in a docker container is very insecure as it highly increases the attack surface despite not being as bad as running them on the host.
Also it is I think a common best practice in web operation to make sure that an application is not able to write it's own code.

I don't think there is any need in the docker world to run things on privileged ports like 80 so I don't think that should prevent the process to be ran as a non root user that is not able to write anything except what it needs to.

Thanks a lot in advance.

I do not know what might be the case, but I cannot login to PMA. I have the following docker-composer.yml file:

db:
  image: mysql:5.6
  environment:
    - MYSQL_ROOT_PASSWORD=blabla
    - MYSQL_DATABASE=wordpress
  volumes_from:
    - datamysql

datamysql:
  image: debian:jessie
  volumes:
    - /mypath:/var/lib/mysql

phpmyadmin:
  image: phpmyadmin/phpmyadmin
  links:
    - db:mysql
  ports:
    - "8080:80"

I tried to log in to PMA using root account and the given password: blabla.
I receive the following error:

#2002 - php_network_getaddresses: getaddrinfo failed: Name does not resolve — The server is not responding (or the local server's socket is not correctly configured).

Something wrong with my setup?

The code at:
https://github.com/phpmyadmin/docker/blob/master/Dockerfile#L26-L28
run after the tar extract at:
https://github.com/phpmyadmin/docker/blob/master/Dockerfile#L22
which will generate files with read permissions for others. (permissions will be changes after the extract & removing some directories)
it's better to avoid creating the files with bad permissions, which possible by:
1. --no-same-permissions in tar , require setting the umask before the tar command to 027, see: #59 (Insecure umask).
2. --no-same-owner in tar
The chown command is still needed, in order to set group as nobody (instead of root)
https://github.com/phpmyadmin/docker/blob/master/Dockerfile#L26
but chmod commands can be removed in line 26&27 after the above change.

Reported by Emanuel Bronshtein.

How do you add themes to this image? Is the best possible way to create my own image from this or would it be good to have all the themes preloaded with this image? I don't know if it will take too much space though?

after setting umask (issues: #59 & #61) a chown call need to be made on nearly all files used by container (such as: config.inc.php, config.secret.inc.php) to set nobody as group (thus giving read access to PHP-FPM).

fix:
chown all files that need read access by nobody with nobody group.

Reported by Emanuel Bronshtein.

Generally on dev env, user is root with a simple password or none.

Would be great to be able to set a USER_LOGIN and optionally USER_PASSWORD env var that will change configuration from cookie to config.

Thus breaking if running behind a reverse proxy.

When logging in, the server answers with a 302 and Location: https://<server>:8080/index.php?token=<token>, even though <server> was accessed via port 80.

I'm operating this docker container and am running into all kinds of problems. Among many other issues, none of these filtering options actually filter the current "Browse" selection. The tab will reload and that's it.

Would be great if zip & bz2 were enabled by default in the image. I think it's pretty common to import zipped SQL files.

It is currently not possible to use this image with Kubernetes because of known bug in alpine image.
It would be great to have an additional tag, suffixed with -k8s, that will use janeczku/alpine-kubernetes as a base image.

When shutting down the image, docker first sends a SIGTERM to the process used as ENTRYPOINT, then after 10 secs a SIGKILL.

The phpmyadmin image ignores the first signal.

Even though there is no probable data loss at stake, it would be nicer if the image stopped immediately, saving 10 secs of wait on every docker stop.

Two ways to do that come to my mind:
a- catch the signal in run.sh (but this means not using 'exec' as last command)
b- do not run as entrypoint for the webserver the std index.php from phpmyadmin, but have a 'startup' php script which sets up listening to signals then includes the default index.php

I can send a PR if you have any preference for either option...

the try_files at:
https://github.com/phpmyadmin/docker/blob/master/etc/nginx.conf#L63
has internal redirect to:
/index.php?$query_string
which increase attack surface by enabling various URIs, for example such as:
possible XSS via REQUEST_URI, etc..:
http://host/"><script>alert(1)</script>.txt?param1=value1
possible phishing via //phishing.com/ if used in URL context.
http://host//phishing.com/login/
possible RFD: (force using of .hta extension, which will used in forced file download)
http://host/page.hta?params_to_return_malicous_content

Reported by Emanuel Bronshtein.

docker has mechanism for image signing (called "content trust"), more information:
https://docs.docker.com/engine/security/trust/trust_sandbox/
https://docs.docker.com/engine/security/trust/content_trust/
I wasn't able to install PMA docker while using --disable-content-trust=false such as:
docker pull phpmyadmin/phpmyadmin --disable-content-trust=false
result:

Error: remote trust data does not exist for docker.io/phpmyadmin/phpmyadmin: notary.docker.io does not have trust data for docker.io/phpmyadmin/phpmyadmin

Reported by Emanuel Bronshtein.

The php.ini file in docker contain some sections which are not needed (related modules isn't used/installed), thus make it harder to audit it:
mcrypt don't installed (don't install it, use openssl instead as already done)
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1818
COM is windows only:
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1657
Not used DBs:
MSSQL
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1583
PostgreSQL
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1266
Oracle
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1213
Interbase
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1051
Sybase
https://github.com/phpmyadmin/docker/blob/master/etc/php.ini#L1294

Reported by Emanuel Bronshtein.

This can be done once fix for phpmyadmin/phpmyadmin#12588 is released.

Currently the configuration at:
https://github.com/phpmyadmin/docker/blob/master/etc/nginx.conf#L117
deny access to files that startwith .ht such as .htpassed, it's better to deny access to any file that startswith . (which mean hidden file), for example:

location ~ /\. {

Reported by Emanuel Bronshtein.

With the following docker-compose.yml file:

mysql:
  image: mysql
  volumes_from:
    - data
  environment:
    MYSQL_ALLOW_EMPTY_PASSWORD: 'yes'

pma:
  image: phpmyadmin/phpmyadmin
  links:
    - mysql:db
  ports:
    - '8080:8080'
  environment:
    PMA_USER: root
    PMA_PASSWORD: ''

If I dump the $_ENV variable from config.inc.php, I get an empty array.

Did I something wrong?

As a follow-on to:
#38

The docker configuration of PHPMYADMIN does not allow turning on of the PMADB / Configuration Storage settings for PHPMYADMIN, leaving it somewhat less functional than it's non-dockerized installation. (This is among other non-configurable options).

This is easy to turn on without breaking or corrupting the current installation:

1. Put a user hook at the end of the current config.inc.php file:
   include('./config.userdef.inc.php');

2. Document the override for users to write their own config options based off of the standard config.sample.inc.php file distributed with the base phpmyadmin package.
   -v /some/local/directory/config.userdef.inc.php:/www/config.userdef.inc.php

3. Update run.sh to "touch" the config.userdef.inc.php file upon boot in the same way it creates the config.secrets.inc.php file. This will keep the warning message from "include" from firing.
   if [ ! -f /www/config.userdef.inc.php ]; then
   touch /www/config.userdef.inc.php
   fi

The benefit to this approach is it leaves the code written to handle external variables alone and allows the config.inc.php file to continue being maintained by the maintainer of the docker files while still allowing users to configure their phpmyadmin installation in the same way they're capable of maintaining the non-dockerized version. config.inc.php becomes a "hands off" file that no one needs to touch, and users still get the ability to configure the full range of phpmyadmin settings for their local installations.

If anyone wants, I can put a pull request together for this.

The filename contain 7.0 which is php version that's not used by the image.
php7.0-fpm.log
https://github.com/phpmyadmin/docker/blob/master/etc/php-fpm.conf#L2
https://github.com/phpmyadmin/docker/blob/master/run.sh#L17
https://github.com/phpmyadmin/docker/blob/master/run.sh#L18
php7.0-fpm.sock
https://github.com/phpmyadmin/docker/blob/master/etc/php-fpm.conf#L7

fix:
use filename without version such as (thus, the name is correct even if used with newer/older php versions):
php-fpm.log
php-fpm.sock

Reported by Emanuel Bronshtein.

it's recommended to white-list the used HTTP methods (decrease attack surface) as noted by:
https://www.acunetix.com/blog/articles/nginx-server-security-hardening-configuration-1/
https://support.rackspace.com/how-to/install-nginx-and-php-fpm-running-on-unix-file-sockets/

for example:

if ($request_method !~ ^(GET|HEAD|POST)$ )
{
       return 405;
}

Note: while there no usage of HEAD method in PMA, it's suggested to enable it in order to not break monitoring tools (which use HEAD method instead of GET to check that application is responding)

Reported by Emanuel Bronshtein.

Currently we download the phpMyAdmin sources and do no verification of that download.

This could be improved by checking PGP signature on download. All needed pieces are there, it just needs to be properly glued together. The most tricky part is probably to avoid increasing size of the image.

• The PGP signature for latest release is on same URL, just append .asc, see https://www.phpmyadmin.net/about-website/
• The PGP keyring should be included in sources, not downloaded during the build
• Verification should be done by gpgv as it doesn't seem to do all the initialization which gpg does

I just tried to import a dump that uses lock table, and it throws

#1100 - Table 'pma_column_info' was not locked with LOCK TABLES

I found the answer here http://stackoverflow.com/questions/18215379/importing-sql-file-using-phpmyadmin-in-easyphp. Seems like you have to insert

$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = '';

inside the loop for every server. I just tried it out and it works.
I'm not sure if this is really a problem, or should be included in the run.sh. But I like the idea of having a container that can start without configuration and works out of the box.

1. set opcache.save_comments to false
   in:
   

   docker/etc/php.ini

   Line 1872 in 9055117

   ;opcache.save_comments=1

   
   more information:
   https://secure.php.net/manual/en/opcache.configuration.php#ini.opcache.save-comments

2. set opcache.validate_timestamps to 0
   in:
   

   docker/etc/php.ini

   Line 1860 in 9055117

   ;opcache.validate_timestamps=1

   
   more information:
   https://secure.php.net/manual/en/opcache.configuration.php#ini.opcache.validate-timestamps
   will require note in documentation that changes in files content require Resetting the OpCache / Restarting PHP-FPM.

Reported by Emanuel Bronshtein.

More information about AppArmor profile for Docker container:
https://docs.docker.com/engine/security/apparmor/
The docker-default is very permissive, it's better to provide custom profile.

it's like issue:
phpmyadmin/phpmyadmin#12436
but related to docker container while using mod_apparmor apply to profile that cover PMA under Apache only.

Reported by Emanuel Bronshtein.

I would like to change some other configuration values that are not settable via environment variables (FirstLevelNavigationItems in this case). However it seems there is no way to do this at the moment.

A good way to implement this would be via volume mapping. My proposal would be to:

1. Add a include '/config.inc.php'; as a last line to config.inc.php in this repo.

2. Make the Dockerfile create an empty PHP file to that location.

3. Document that one can volume map a PHP file to that location. Ie:

   phpmyadmin:
    volumes:
      - ./some/local/file.inc.php:/config.inc.php

Now any configuration option can be set or overwritten.

Any thoughts on this?