Icinga2 dockerized in nginx and php-fpm

php
nginx

(Saviour Cacciattolo) #1

Hi,

We are trying to implement icinga2 in the following order:
icingaweb2 - php7, php-fpm7 and icingaweb2 (downloaded from source)
icinga2core - installed on ubuntu docker container (apt-get install)
webserver - nginx installed on an alpine docker container
mysql - mariadb installed on a docker ubuntu

We are encountering the problem with the images. We are trying to configure the nginx to tell the php to serve the images (through fastcgi) but the images are not working. On the other hand, the images work when we save them locally on the nginx server.

Nginx configuration below:

server {
    listen *:80;
    server_name localhost;

    location / {
        return 301 /icingaweb2;
    }

    location ~ ^/icingaweb2/index\.php(.*)$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 10.149.16.179:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        include /etc/nginx/mime.types;
        fastcgi_param SCRIPT_FILENAME /usr/share/webapps/icingaweb2/public/index.php;
        fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
        fastcgi_param REMOTE_USER $remote_user;
    }

    location ~ ^/icingaweb2(.+)? {
        alias /usr/share/webapps/icingaweb2/public;
        #rewrite ^/$ /icingaweb2;
        index index.php;
        try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
    }
}

Any help will be much appreciated.

Thanks,
GNL


#2

Hi,

I didn’t understand what the problem is, can you give a bit more insight here? What happens when you call Icinga Web 2?

A blind guess: php-fpm only listens on localhost as a client and ignores remote clients. Ensure that php-fpm also listens on remote clients.

Cheers
Michael


(Saviour Cacciattolo) #3

Hi,

The problem is that everything is working fine except the images are not loading, screenshot attached.

Php-fpm is working fine, I am able to load the website without any problems. Php is allowed to listen to any client (listen = 9000).

My question is, is it possible to use fastcgi to load images from a separate docker container?


(Saviour Cacciattolo) #4

To provide more insight, please find a screenshot of our docker containers below:

docker-containers


(Michael Friedrich) #5

A few more details on the Docker images, their general installation routine, how docker-compose and port mapping are involved, etc. would help here.


#6

I assume nginx can’t find the images because they are installed in the icingaweb2 docker container and not inside the nginx webserver docker container.

You must ensure that the webserver can read the images either by installing the webserver directly into the icingaweb2/php docker container or by using a shared data volume for the icingaweb2 files.

Some information on the problem:


(Saviour Cacciattolo) #7

Nginx dockerfile:

FROM alpine

RUN apk update

RUN apk add nginx
RUN mkdir -p /run/nginx
RUN chown -R nginx:nginx /run/nginx
RUN rm -f /etc/nginx/conf.d/default.conf
ADD ./monitoring-configs/icinga2/icingaweb2.conf /etc/nginx/conf.d/
CMD ["nginx", "-g", "daemon off;"]

Note: the icingaweb2.conf is the config above in the original thread

PHP Dockerfile:

FROM alpine

WORKDIR /tmp/
RUN apk update --no-cache

RUN apk add php7 php7-common php7-intl php7-openssl php7-mysqlnd php7-gettext php7-ctype php7-sockets php7-dom php7-imagick php7-pdo php7-pdo_mysql php7-session php7-fpm php7-xsl php7-pgsql php7-curl php7-cli php7-pear php7-xmlrpc php7-soap php7-gd php7-ldap php7-json php7-pdo_pgsql
RUN wget https://github.com/Icinga/icingaweb2/archive/v2.5.3.tar.gz
RUN tar -xvf /tmp/*.tar.gz
RUN mkdir -p /usr/share/webapps/
RUN mv /tmp/icingaweb2* /usr/share/webapps/icingaweb2
RUN sed -i "s/listen = 127.0.0.1:/listen = /g" /etc/php7/php-fpm.d/www.conf
RUN sed -i "s#;date.timezone =#date.timezone = Europe/Rome#g" /etc/php7/php.ini
RUN su -c "mkdir -m 2770 /etc/icingaweb2; head -c 12 /dev/urandom | base64 | tee /etc/icingaweb2/setup.token; chmod -R 777 /etc/icingaweb2";
CMD ["php-fpm7", "--nodaemonize"]


(Saviour Cacciattolo) #8

@mcktr - that was my big question really, I wasn’t sure if it was even possible to serve static images from php.

Creating a volume or a mount is one way to solve this problem, but I needed to confirm if this was possible.


(Michael Friedrich) #9

That sounds like a mix of many components into different images. I would split this up.

  • Nginx container with a shared volume for the custom configuration for icingaweb2, ports exposed for FPM and 443
  • PHP with FPM container with a shared volume /usr/share/icingaweb2, ports exposed for FPM
  • MySQL container
  • Icinga Web 2 container which exposes /usr/share/icingaweb2 and seeds the database

Creation and management done in docker-compose.

I also wouldn’t bother with the setup.token, but completely automate the setup with a default user, skipping the web setup wizard. Such things are done e.g. inside the Puppet module.
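The shared-volume layout suggested in posts #6 and #9, sketched as a docker-compose file. This is an added example, not part of the original thread or of any Icinga project file. The service names, build paths and volume name are assumptions, and the database and Icinga 2 core containers are left out.

```yaml
# Added example. Names and paths marked "assumed" do not come from the thread.
services:
  php:
    build: ./php                 # assumed path to the PHP Dockerfile from post #7
    volumes:
      # An empty named volume is seeded with the image's copy of this
      # directory the first time a container mounts it.
      - icingaweb2-files:/usr/share/webapps/icingaweb2
    expose:
      - "9000"                   # FPM port, reachable from other services only;
                                 # not published on the host

  nginx:
    build: ./nginx               # assumed path to the nginx Dockerfile from post #7
    depends_on:
      - php                      # let the php container populate the volume first
    volumes:
      # Same files, read-only: nginx's alias/try_files block can now find
      # the static assets under .../icingaweb2/public on its own filesystem.
      - icingaweb2-files:/usr/share/webapps/icingaweb2:ro
    ports:
      - "80:80"

volumes:
  icingaweb2-files:              # assumed volume name
```

With both services on the same compose network, `fastcgi_pass` can point at `php:9000` (the assumed service name) instead of a fixed container IP. Images and CSS are then served by nginx from the read-only mount, and only the `index.php` location is handed to php-fpm.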


(Saviour Cacciattolo) #10

That sounds more logical 🙂

We are going to try to implement your recommended setup, I’ll let you know how things work out.

Thanks again!

GNL


#11

I did a short reading on this topic and it seems that this is somehow theoretically possible, but there are a bunch of security-related questions that must be addressed in such a configuration, e.g. what if you serve a .jpg file that contains PHP code? Also keep in mind that this costs performance because everything needs to go through php-fpm.

IMHO the possibility to have a vulnerability during such a configuration is not worth the implementation effort.

Go with the recommended setup from @dnsmichi, this sounds like a reasonable and secure environment.

Regards
Michael