Add Docker Compose development environment #111
base: develop
Dockerize the application with services for nginx, PHP-FPM, MySQL 8, Redis, realtime (Node.js), and cron jobs. This provides a modern alternative to the Vagrant-based setup.
Changes:
- Add docker-compose.yml and docker-compose.prod.yml
- Add Dockerfiles and configs in services/ for each component
- Add dev-setup.sh script for SSL cert generation and directory setup
- Add .env.example for environment configuration
- Add .config.docker for Docker-specific app settings
- Update realtime/app.js to support configurable Redis host
- Update mysqlConnectionInfo.inc to support configurable Redis host
- Update README with Docker setup instructions

- Add DEFAULT 0 to nsfw column in offensive_uploads schema
- Use NULL instead of empty string for vote column in comments
MySQL 8's strict mode rejects missing defaults for NOT NULL columns and empty strings for ENUM columns.
Pull request overview
This PR introduces a Docker Compose-based development environment as a modern alternative to the existing Vagrant setup. It containerizes the application with services for nginx, PHP-FPM, MySQL 8, Redis, Node.js realtime WebSocket server, and cron jobs.
Changes:
- Added Docker Compose configuration files for development and production environments
- Created service-specific Dockerfiles and configuration files for nginx, PHP, realtime, and cron services
- Updated application code for MySQL 8 compatibility and configurable Redis host
- Added development setup script for SSL certificate generation
- Updated documentation with Docker setup instructions
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 24 comments.
| File | Description |
|---|---|
| docker-compose.yml | Main orchestration file defining all services, volumes, and networks |
| docker-compose.prod.yml | Production overrides for restart policies and volume management |
| services/nginx/Dockerfile | Nginx web server container configuration |
| services/nginx/nginx.conf | Main nginx configuration |
| services/nginx/tmbo.conf | Application-specific nginx virtual host configuration |
| services/php/Dockerfile | PHP-FPM 5.6 container setup |
| services/php/php.ini | PHP runtime configuration |
| services/php/www.conf | PHP-FPM pool configuration |
| services/realtime/Dockerfile | Node.js 14 container for WebSocket server |
| services/cron/Dockerfile | Cron service container for scheduled tasks |
| services/cron/crontab | Cron job definitions |
| scripts/dev-setup.sh | Setup script for SSL certificates and directories |
| realtime/app.js | Updated with configurable Redis host support |
| realtime/package.json | Updated mysql package version |
| admin/mysqlConnectionInfo.inc | Added configurable Redis host |
| offensive/assets/core.inc | MySQL 8 strict mode compatibility fix |
| admin/database/schema.sql | Added DEFAULT 0 to nsfw column |
| admin/.config.docker | Docker-specific configuration file |
| .env.example | Environment variable template |
| README.md | Added Docker setup instructions |
| .gitignore | Added Docker-generated directories |
Comments suppressed due to low confidence (1)
realtime/app.js:12
- The use of eval() on line 12 in the checkIniString function is a security risk. Even though the input comes from a configuration file, using eval() can execute arbitrary code. Consider using JSON.parse() or a safer alternative to handle quoted strings.
function checkIniString(data) {
if (/^("|').*("|')$/.test(data))
return eval(data);
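An eval-free way to handle the quoted values that checkIniString() passes to eval(), as an added example that is not code from this pull request or from the project. The function name unquoteIniValue and the sample values are assumptions made for illustration.

```javascript
// Added example (not the project's code): strip quotes from an INI value
// without evaluating it. unquoteIniValue is a hypothetical name.
function unquoteIniValue(data) {
  if (typeof data !== 'string' || data.length < 2) return data;
  const quote = data[0];
  // The original regex accepts mismatched quotes ("abc'); require the same
  // quote character at both ends instead.
  if ((quote !== '"' && quote !== "'") || data[data.length - 1] !== quote) {
    return data;
  }
  const inner = data.slice(1, -1);
  let out = '';
  for (let i = 0; i < inner.length; i++) {
    const ch = inner[i];
    if (ch === '\\' && i + 1 < inner.length) {
      // Only \" (or \') and \\ are treated as escapes; anything else is kept.
      const next = inner[++i];
      out += (next === quote || next === '\\') ? next : '\\' + next;
    } else if (ch === quote) {
      // An unescaped quote inside the value means this is not one string
      // literal (eval() would treat it as an expression). Keep it as text.
      return data;
    } else {
      out += ch;
    }
  }
  return out;
}

// Constructed sample values, as they might appear after "key = " in a config.
function demo() {
  return [
    '"redis"',               // plain double-quoted value
    "'db'",                  // plain single-quoted value
    '"say \\"hi\\""',        // escaped quotes inside the value
    '"redis" + ".internal"', // an expression: eval() would concatenate it
    '"abc\'',                // mismatched quotes
    '6379',                  // unquoted value
  ].map(unquoteIniValue);
}

console.log(demo());
```

A value that is not a single quoted literal comes back unchanged as text, so nothing in the configuration file is ever executed.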
| mkdir -p "$PROJECT_ROOT/services/web/src/offensive/uploads" | ||
| mkdir -p "$PROJECT_ROOT/services/web/src/offensive/zips" | ||
| mkdir -p "$PROJECT_ROOT/services/web/src/offensive/quarantine" |
Copilot
AI
Jan 17, 2026
The script references paths like 'services/web/src/offensive/uploads' but these directories may not exist in the repository structure. Verify that these paths are correct and align with the actual project structure or document that they will be created by the application.
| [tmbo] | ||
| database_host = "db" | ||
| database_user = "tmbo" | ||
| database_pass = "shortbus" |
Copilot
AI
Jan 17, 2026
The database password 'shortbus' is hardcoded in the configuration file. While this is acceptable for development, ensure this file is never used in production environments. Consider adding a comment in the file itself warning against production use.
| ENV NODE_ENV=production | ||
|
|
Copilot
AI
Jan 17, 2026
The NODE_ENV is set to 'production' in the Dockerfile but the docker-compose.yml overrides it to 'development' (line 94). Consider removing this default from the Dockerfile to avoid confusion and let the docker-compose file control the environment setting.
| ENV NODE_ENV=production |
| @@ -0,0 +1,117 @@ | |||
| [PHP] | |||
| engine = On | |||
| short_open_tag = On | |||
Copilot
AI
Jan 17, 2026
The 'short_open_tag' setting is enabled, which allows PHP code to use the <? opening tag instead of <?php. This feature is deprecated and may be removed in future PHP versions. Consider setting this to 'Off' and updating code to use the standard <?php tag for better compatibility.
| short_open_tag = On | |
| short_open_tag = Off |
| disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, | ||
| disable_classes = | ||
| zend.enable_gc = On | ||
| expose_php = On |
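Review bot: disable_functions on the first line of this hunk lists only pcntl_* functions, so process-execution functions such as exec, shell_exec, system, passthru, proc_open and popen stay callable from code running in the PHP-FPM pool. If the application does not call them, add them to this list for the web-facing pool; the trailing comma after pcntl_setpriority can also be dropped.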
Copilot
AI
Jan 17, 2026
The 'expose_php' setting is enabled, which sends the PHP version in HTTP response headers. This exposes information about the server stack that could be used by attackers. Consider setting this to 'Off' for better security through obscurity.
| expose_php = On | |
| expose_php = Off |
| @@ -0,0 +1,21 @@ | |||
| FROM node:14-alpine | |||
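Review bot: FROM node:14-alpine is a floating tag, so two builds of the realtime image can pull different base layers without any change in this repository. Whatever Node.js version is chosen, pin the base image by digest (FROM node:<version>-alpine@sha256:<digest>) so rebuilds are reproducible and base image updates arrive as reviewable changes.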
Copilot
AI
Jan 17, 2026
Node.js 14 reached end-of-life on April 30, 2023. Consider upgrading to a supported LTS version such as Node.js 18 or 20 for security updates and long-term support.
| FROM node:14-alpine | |
| FROM node:20-alpine |
| display_errors = On | ||
| display_startup_errors = On |
Copilot
AI
Jan 17, 2026
Display errors are enabled in production. The 'display_errors' and 'display_startup_errors' settings should be set to 'Off' in production environments to prevent sensitive information from being exposed to users. Error details should only be logged, not displayed.
| display_errors = On | |
| display_startup_errors = On | |
| display_errors = Off | |
| display_startup_errors = Off |
| session.hash_function = 0 | ||
| session.hash_bits_per_character = 5 |
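Review bot: session.hash_function = 0 selects MD5 (128-bit) for generating session IDs, and on PHP 5.6 this setting is still in effect. Since PHP 5.3 the directive also accepts an algorithm name from the hash extension, so session.hash_function = sha256 gives longer session IDs while the image stays on 5.6.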
Copilot
AI
Jan 17, 2026
The session.hash_function and session.hash_bits_per_character settings are deprecated as of PHP 7.1 and removed in PHP 7.2+. While this won't affect PHP 5.6, consider removing these lines for future compatibility.
| session.hash_function = 0 | |
| session.hash_bits_per_character = 5 |
|
|
||
| root /var/www/html; | ||
|
|
Copilot
AI
Jan 17, 2026
The nginx configuration lacks a 'server_name' directive. In production, this should be set to the actual domain name to ensure proper virtual host routing and prevent potential host header injection attacks.
| root /var/www/html; | |
| # TODO: Replace "_" with the actual domain name in production, e.g. "example.com". | |
| server_name _; |
| networks: | ||
| - tmbo-network | ||
| healthcheck: | ||
| test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-pshortbus"] |
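Review bot: the healthcheck test on the last line logs in as root with the password on the command line, but mysqladmin ping exits 0 whenever the server answers, including when the answer is an access-denied error. The "-u", "root", "-pshortbus" arguments can be removed from the test array without changing what the check detects; if the check must prove that a login works, use a dedicated account with no privileges rather than root.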
Copilot
AI
Jan 17, 2026
The healthcheck command includes the MySQL root password in plain text ('-pshortbus'). While this is within a container environment, it's still a security risk as the password appears in process listings. Consider using a .my.cnf file or the MYSQL_PWD environment variable for healthchecks.