flywithu/kopano-docker
1
0
Fork 0
mirror of https://github.com/zokradonh/kopano-docker synced 2025-06-06 15:36:40 +00:00
Code Issues Releases Wiki Activity

Run all containers read-only (#314)

Browse Source 
* switch containers in compose file to read-only
related to https://github.com/zokradonh/kopano-docker/issues/310
* make scheduler container read-only
* make meet container read-only
* fix konnect for read-only
* make core mostly read-only
* add custom location for ldap.cfg to default config
* sort config option for readability
* update makefile pull workaround
* make kdav read-only
* remove locale generation code from core startup
* fix commander tests
* fix store language tests
* add test for a dutch mailbox
* make it possible to run webapp read-only
* add locale hint to the compose file
* finish read-only mode for z-push
This commit is contained in:
Felix Bartels 2020-01-14 14:31:53 +01:00 committed by GitHub
parent 5a4335998d
commit 70e9940b38
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 220 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Makefile
View File

@ -36,6 +36,7 @@ TAG_FILE := build.tags
export
# convert lowercase componentname to uppercase
component ?= base
COMPONENT = $(shell echo $(component) | tr a-z A-Z)
.PHONY: default
@ -149,7 +150,7 @@ build-python:
component=python make build
build-kdav:
docker pull composer:1.8
docker pull composer:1.9
component=kdav make build-builder
component=kdav make build
@ -158,7 +159,7 @@ build-scheduler:
component=scheduler make build-simple
build-ssl:
docker pull alpine:3.9
docker pull alpine:3.11
component=ssl make build-simple
build-utils:

2
base/Dockerfile
View File

@ -57,8 +57,10 @@ RUN curl -L https://github.com/aelsabbahy/goss/releases/download/$GOSS_VERSION/g
chmod +rx /usr/local/bin/goss && \
goss --version
# if additional locales are required this should be adjusted here
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen && \
sed -i -e 's/# nl_NL.UTF-8 UTF-8/nl_NL.UTF-8 UTF-8/' /etc/locale.gen && \
dpkg-reconfigure --frontend=noninteractive locales && \
update-locale LANG=en_US.UTF-8

48
core/commander/server/commander.yaml
View File

@ -24,7 +24,7 @@ tests:
env:
ADDITIONAL_KOPANO_PACKAGES: "kopano-server"
generate configuration for kopano-server:
command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/server.cfg
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/server.cfg
exit-code: 0
stdout:
contains:
@ -33,7 +33,7 @@ tests:
not-contains:
- #server_listen_tls = *:237
generate ldap configuration openLDAP (default):
command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/ldap.cfg
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/ldap.cfg
exit-code: 0
stdout:
contains:
@ -42,7 +42,7 @@ tests:
not-contains:
- "#!include /usr/share/kopano/ldap.openldap.cfg"
generate ldap configuration for ADS:
command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/ldap.cfg
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/ldap.cfg
exit-code: 0
stdout:
contains:
@ -55,16 +55,6 @@ tests:
KCCOMMENT_LDAP_1: "!include /usr/share/kopano/ldap.openldap.cfg"
KCUNCOMMENT_LDAP_1: "!include /usr/share/kopano/ldap.active-directory.cfg"
start-service script default locale:
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
exit-code: 0
stdout:
contains:
- C
- C.UTF-8
- de_DE.utf8
- en_US.utf8
- POSIX
start-service script dutch locale:
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
exit-code: 0
stdout:
@ -75,38 +65,6 @@ tests:
- en_US.utf8
- nl_NL.utf8
- POSIX
config:
env:
KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "nl_NL.UTF-8"
start-service script dutch locale (short):
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
exit-code: 0
stdout:
contains:
- C
- C.UTF-8
- de_DE.utf8
- en_US.utf8
- nl_NL.utf8
- POSIX
config:
env:
KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "nl_NL"
start-service script unknown locale:
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
exit-code: 0
stdout:
contains:
- C
- C.UTF-8
- de_DE.utf8
- en_US.utf8
- POSIX
not-contains:
- abc
config:
env:
KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "abc"
start-service script no dockerize:
command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh"
exit-code: 0

4
core/defaultconfigs/dagent.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/dagent.cfg":
r"/tmp/kopano/dagent.cfg":
{
'lmtp_listen': "0.0.0.0:2003",
'log_file': "-",
@ -13,4 +13,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

4
core/defaultconfigs/gateway.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/gateway.cfg":
r"/tmp/kopano/gateway.cfg":
{
'imap_listen': "0.0.0.0:143",
'log_file': "-",
@ -13,4 +13,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

2
core/defaultconfigs/grapi.py
View File

@ -2,4 +2,4 @@ import os
import kcconf
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

4
core/defaultconfigs/ical.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/ical.cfg":
r"/tmp/kopano/ical.cfg":
{
'ical_listen': "0.0.0.0:8080",
'log_file': "-",
@ -12,4 +12,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

4
core/defaultconfigs/kapi.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/kapid.cfg":
r"/tmp/kopano/kapid.cfg":
{
'log_level': "info",
'listen': "0.0.0.0:8039",
@ -15,4 +15,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

4
core/defaultconfigs/monitor.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/monitor.cfg":
r"/tmp/kopano/monitor.cfg":
{
'log_file': "-",
'log_level': "4"
@ -11,4 +11,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

4
core/defaultconfigs/search.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/search.cfg":
r"/tmp/kopano/search.cfg":
{
'log_file': "-",
'log_level': "4",
@ -12,4 +12,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

15
core/defaultconfigs/server.py
View File

@ -3,19 +3,20 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/server.cfg":
r"/tmp/kopano/server.cfg":
{
'attachment_path': "/kopano/data/attachments/",
'kcoidc_initialize_timeout': "360",
'log_file': "-",
'log_level': "3",
'attachment_path': "/kopano/data/attachments/",
'user_plugin': "ldap",
'server_listen': "0.0.0.0:236",
'server_listen_tls': "0.0.0.0:237",
'sync_gab_realtime': "no",
'server_listen': "0.0.0.0:236",
'softdelete_lifetime': "0",
'kcoidc_initialize_timeout': "360"
'sync_gab_realtime': "no",
'user_plugin_config': "/tmp/kopano/ldap.cfg",
'user_plugin': "ldap"
}
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

4
core/defaultconfigs/spooler.py
View File

@ -3,7 +3,7 @@ import kcconf
# Component specific configurations
kcconf.configkopano({
r"/etc/kopano/spooler.cfg":
r"/tmp/kopano/spooler.cfg":
{
'log_file': "-",
'log_level': "4",
@ -12,4 +12,4 @@ kcconf.configkopano({
})
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

68
core/start-service.sh
View File

@ -15,11 +15,17 @@ KCCONF_SEARCH_SERVER_SOCKET=${KCCONF_SEARCH_SERVER_SOCKET:-"file:///var/run/kopa
KCCONF_SPOOLER_SERVER_SOCKET=${KCCONF_SPOOLER_SERVER_SOCKET:-"file:///var/run/kopano/server.sock"}
KOPANO_CON=${KOPANO_CON:-"file:///var/run/kopano/server.sock"}
# copy configuration files to /tmp/kopano to prevent modification of mounted config files
mkdir -p /tmp/kopano
cp /etc/kopano/*.cfg /tmp/kopano
if [ ! -e /kopano/"$SERVICE_TO_START".py ]; then
echo "Invalid service specified: $SERVICE_TO_START" | ts
exit 1
fi
# Hint: this is not compatible with a read-only container.
# The general recommendation is to already build a container that has all required packages installed.
ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@ -31,8 +37,9 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
fi
done
mkdir -p /kopano/data/attachments /kopano/data/kapi-kvs /tmp/"$SERVICE_TO_START" /var/run/kopano /var/lib/kopano-grapi
mkdir -p /tmp/"$SERVICE_TO_START" /var/run/kopano
# TODO is this still required now that we won't modify configuration mounted to /etc/kopano?
if [ "${DISABLE_CONFIG_CHANGES}" == false ]; then
echo "Configure core service '$SERVICE_TO_START'" | ts
/usr/bin/python3 /kopano/"$SERVICE_TO_START".py
@ -41,10 +48,6 @@ fi
# ensure removed pid-file on unclean shutdowns and mounted volumes
rm -f /var/run/kopano/"$SERVICE_TO_START".pid
echo "Set ownership" | ts
chown kopano:kopano /kopano/data/ /kopano/data/attachments
chown kapi:kopano /var/lib/kopano-grapi
coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server)
echo "Using Kopano Groupware Core: $coreversion"
@ -89,30 +92,10 @@ fi
# start regular service
case "$SERVICE_TO_START" in
server)
# TODO this could check if the desired locale already exists before calling sed
KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${KCCONF_ADMIN_DEFAULT_STORE_LOCALE:-"en_US.UTF-8"}
# get locales from env
# shellcheck disable=SC1004
sed --regexp-extended --expression='
1 {
i\
# This file lists locales that you wish to have built. You can find a list\
# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add\
# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change\
# this file, you need to rerun locale-gen.\
\
}
/^('"$KCCONF_ADMIN_DEFAULT_STORE_LOCALE"')(_[[:upper:]]+)?(\.UTF-8)?(@[^[:space:]]+)?[[:space:]]+UTF-8$/! s/^/# /
' /usr/share/i18n/SUPPORTED > /etc/locale.gen
# make sure that en_US and de_DE are always there
sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen
dpkg-reconfigure --frontend=noninteractive locales
echo "Set ownership" | ts
mkdir -p /kopano/data/attachments
chown kopano:kopano /kopano/data/ /kopano/data/attachments
if [[ "$DISABLE_CHECKS" == false ]]; then
# determine db connection mode (unix vs. network socket)
if [ -n "$KCCONF_SERVER_MYSQL_SOCKET" ]; then
@ -129,11 +112,11 @@ server)
fi
# pre populate database
if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then
kopano-dbadm populate
kopano-dbadm -c /tmp/kopano/server.cfg populate
fi
# cleaning up env variables
unset "${!KCCONF_@}"
exec /usr/sbin/kopano-server -F
exec /usr/sbin/kopano-server --config /tmp/kopano/server.cfg -F
;;
dagent)
dockerize \
@ -141,7 +124,7 @@ dagent)
-timeout 360s
# cleaning up env variables
unset "${!KCCONF_@}"
exec /usr/sbin/kopano-dagent -l
exec /usr/sbin/kopano-dagent --config /tmp/kopano/dagent.cfg -l
;;
gateway)
dockerize \
@ -149,7 +132,7 @@ gateway)
-timeout 360s
# cleaning up env variables
unset "${!KCCONF_@}"
exec /usr/sbin/kopano-gateway -F
exec /usr/sbin/kopano-gateway --config /tmp/kopano/gateway.cfg -F
;;
ical)
dockerize \
@ -157,13 +140,15 @@ ical)
-timeout 360s
# cleaning up env variables
unset "${!KCCONF_@}"
exec /usr/sbin/kopano-ical -F
exec /usr/sbin/kopano-ical --config /tmp/kopano/ical.cfg -F
;;
grapi)
LC_CTYPE=en_US.UTF-8
export socket_path=/var/run/kopano/grapi
mkdir -p "$socket_path"
export pid_file="$socket_path/grapi.pid"
mkdir -p "$socket_path" /var/lib/kopano-grapi
chown -R kapi:kopano "$socket_path"
chown kapi:kopano /var/lib/kopano-grapi
# TODO there could be a case where multiple backends are desired
case $GRAPI_BACKEND in
ldap)
@ -176,7 +161,7 @@ grapi)
fi
;;
esac
sed s/\ *=\ */=/g /etc/kopano/grapi.cfg > /tmp/grapi-env
sed s/\ *=\ */=/g /tmp/kopano/grapi.cfg > /tmp/grapi-env
# shellcheck disable=SC2046
export $(grep -v '^#' /tmp/grapi-env | xargs -d '\n')
# cleaning up env variables
@ -191,6 +176,7 @@ grapi)
fi
;;
kapi)
mkdir -p /kopano/data/kapi-kvs
if [ "$KCCONF_KAPID_INSECURE" = "yes" ]; then
dockerize \
-skip-tls-verify \
@ -206,7 +192,7 @@ kapi)
kapiversion=$(dpkg-query --showformat='${Version}' --show kopano-kapid)
echo "Using Kopano Kapi: $kapiversion"
LC_CTYPE=en_US.UTF-8
sed s/\ *=\ */=/g /etc/kopano/kapid.cfg > /tmp/kapid-env
sed s/\ *=\ */=/g /tmp/kopano/kapid.cfg > /tmp/kapid-env
# shellcheck disable=SC2046
export $(grep -v '^#' /tmp/kapid-env | xargs -d '\n')
kopano-kapid setup
@ -220,7 +206,7 @@ monitor)
-timeout 360s
# cleaning up env variables
unset "${!KCCONF_@}"
exec /usr/sbin/kopano-monitor -F
exec /usr/sbin/kopano-monitor --config /tmp/kopano/monitor.cfg -F
;;
search)
dockerize \
@ -233,9 +219,9 @@ search)
# with commit 702bb3fccb3 search does not need -F any longer
searchversion=$(dpkg-query --showformat='${Version}' --show kopano-search)
if dpkg --compare-versions "$searchversion" "gt" "8.7.82.165"; then
exec /usr/sbin/kopano-search
exec /usr/sbin/kopano-search --config /tmp/kopano/search.cfg
else
exec /usr/bin/python3 /usr/sbin/kopano-search -F
exec /usr/bin/python3 /usr/sbin/kopano-search --config /tmp/kopano/search.cfg -F
fi
;;
spooler)
@ -245,7 +231,7 @@ spooler)
-timeout 1080s
# cleaning up env variables
unset "${!KCCONF_@}"
exec /usr/sbin/kopano-spooler -F
exec /usr/sbin/kopano-spooler --config /tmp/kopano/spooler.cfg -F
;;
*)
echo "Failed to start: Unknown service name: '$SERVICE_TO_START'" | ts

66
docker-compose.yml
View File

@ -3,6 +3,7 @@ version: "3.5"
services:
web:
image: ${docker_repo:-zokradonh}/kopano_web:${KWEB_VERSION:-latest}
read_only: true
restart: unless-stopped
environment:
- DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp}
@ -123,6 +124,7 @@ services:
kopano_ssl:
image: ${docker_repo:-zokradonh}/kopano_ssl:${SSL_VERSION:-latest}
read_only: true
environment:
- FQDN=${FQDN}
- PKI_COUNTRY=NL
@ -130,9 +132,12 @@ services:
- kopano_ssl.env
volumes:
- kopanossl/:/kopano/ssl
tmpfs:
- /kopano/easypki/
kopano_kustomer:
image: kopano/kustomerd:${KUSTOMER_VERSION:-latest}
read_only: true
restart: unless-stopped
command: serve --log-level debug
volumes:
@ -143,6 +148,7 @@ services:
kopano_server:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true # in case additional packages need to be installed this option should be set to false
restart: unless-stopped
hostname: kopano_server
container_name: ${COMPOSE_PROJECT_NAME}_server
@ -154,6 +160,7 @@ services:
environment:
- ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
- KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
# Hint: if additional locales are required that should be added in base/Dockerfile
- KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8}
- KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW}
- KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN}
@ -189,9 +196,12 @@ services:
- kopanodata/:/kopano/data
- kopanosocket/:/run/kopano
- kopanossl/:/kopano/ssl
tmpfs:
- /tmp/
kopano_webapp:
image: ${docker_repo:-zokradonh}/kopano_webapp:${WEBAPP_VERSION:-latest}
read_only: true # in case additional packages need to be installed this option should be set to false
restart: unless-stopped
hostname: kopano_webapp
depends_on:
@ -212,9 +222,15 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /tmp/
- /run/sessions/
- /run/php/
- /var/log/
kopano_zpush:
image: ${docker_repo:-zokradonh}/kopano_zpush:${ZPUSH_VERSION:-latest}
read_only: true
restart: unless-stopped
hostname: kopano_zpush
container_name: ${COMPOSE_PROJECT_NAME}_zpush
@ -236,9 +252,15 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /run/apache2/
- /run/sessions/
- /tmp
- /var/log/z-push/
kopano_grapi:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
container_name: ${COMPOSE_PROJECT_NAME}_grapi
depends_on:
@ -251,6 +273,7 @@ services:
environment:
- KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no
- KCCONF_GRAPI_INSECURE=${INSECURE}
- KCCONF_GRAPI_PERSISTENCY_PATH=/var/lib/kopano-grapi
- SERVICE_TO_START=grapi
- TZ=${TZ}
env_file:
@ -258,9 +281,12 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /tmp/
kopano_kapi:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
container_name: ${COMPOSE_PROJECT_NAME}_kapi
depends_on:
@ -282,9 +308,12 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /tmp
kopano_kdav:
image: ${docker_repo:-zokradonh}/kopano_kdav:${KDAV_VERSION:-latest}
read_only: true
restart: unless-stopped
hostname: kopano_kdav
container_name: ${COMPOSE_PROJECT_NAME}_kdav
@ -301,9 +330,15 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /run/apache2/
- /run/sessions/
- /tmp
- /var/log/kdav/
kopano_dagent:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
depends_on:
- kopano_server
@ -321,9 +356,12 @@ services:
- kopano_dagent.env
networks:
- kopano-net
tmpfs:
- /tmp
kopano_spooler:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
hostname: spooler
domainname: ${LDAP_DOMAIN}
@ -345,9 +383,12 @@ services:
- kopano_spooler.env
networks:
- kopano-net
tmpfs:
- /tmp
kopano_gateway:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
depends_on:
- kopano_server
@ -365,9 +406,12 @@ services:
- kopano_gateway.env
networks:
- kopano-net
tmpfs:
- /tmp
kopano_ical:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
depends_on:
- kopano_server
@ -385,9 +429,12 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /tmp
kopano_monitor:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
depends_on:
- kopano_server
@ -403,9 +450,12 @@ services:
- kopano_monitor.env
networks:
- kopano-net
tmpfs:
- /tmp
kopano_search:
image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
read_only: true
restart: unless-stopped
container_name: ${COMPOSE_PROJECT_NAME}_search
depends_on:
@ -423,14 +473,17 @@ services:
- kopano_search.env
networks:
- kopano-net
tmpfs:
- /tmp
kopano_konnect:
image: ${docker_repo:-zokradonh}/kopano_konnect:${KONNECT_VERSION:-latest}
read_only: true
restart: unless-stopped
depends_on:
- kopano_ssl
- web
# to be useful Konnect also need a running kopano_server, but this dependency cannot be added here since this would be a circular dependency
# to be useful Konnect also needs a running kopano_server, but this dependency cannot be added here since this would be a circular dependency
volumes:
- /etc/machine-id:/etc/machine-id
- /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
@ -452,9 +505,12 @@ services:
networks:
- kopano-net
- web-net
tmpfs:
- /tmp
kopano_kwmserver:
image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest}
read_only: true
restart: unless-stopped
command: wrapper.sh
depends_on:
@ -473,9 +529,12 @@ services:
- kopanossl/:/kopano/ssl
networks:
- web-net
tmpfs:
- /tmp
kopano_meet:
image: ${docker_repo:-zokradonh}/kopano_meet:${MEET_VERSION:-latest}
read_only: true
restart: unless-stopped
environment:
- KCCONF_MEET_disableFullGAB=false
@ -493,9 +552,12 @@ services:
- /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
networks:
- web-net
tmpfs:
- /tmp
kopano_scheduler:
image: ${docker_repo:-zokradonh}/kopano_scheduler:${SCHEDULER_VERSION:-latest}
read_only: true
restart: "no"
container_name: ${COMPOSE_PROJECT_NAME}_scheduler
networks:
@ -515,6 +577,8 @@ services:
- kopano_scheduler.env
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
tmpfs:
- /tmp
volumes:
kdavstates:

5
kdav/Dockerfile
View File

@ -81,6 +81,11 @@ RUN \
COPY --from=builder /usr/share/kdav /usr/share/kdav
# tweaks to make the container read-only
RUN \
mv /usr/share/kdav/config.php /usr/share/kdav/config.php.dist && \
ln -s /tmp/config.php /usr/share/kdav/config.php
EXPOSE 80/tcp
COPY start.sh /kopano/start.sh

13
kdav/start.sh
View File

@ -8,6 +8,7 @@ ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES:-""}
set -eu # unset variables are errors & non-zero return values exit the whole script
[ "$DEBUG" ] && set -x
# TODO this is not compatible with a read-only container
ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@ -20,16 +21,20 @@ done
echo "Ensure directories"
mkdir -p /run/sessions
CONFIG_PHP=/tmp/config.php
# copy latest config template. This should be the mount point for preexisting config files.
cp /usr/share/kdav/config.php.dist $CONFIG_PHP
if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then
echo "kDAV is using the default: connection"
else
echo "kDAV is using an ip connection"
sed -e "s#define([\"']MAPI_SERVER[\"'],\s*[\"']default:[\"'])#define('MAPI_SERVER', 'https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano')#" \
-i /usr/share/kdav/config.php
-i $CONFIG_PHP
fi
# change root uri to /kdav
sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i /usr/share/kdav/config.php
sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i $CONFIG_PHP
echo "Ensure config ownership"
chown -R www-data:www-data /run/sessions
@ -40,10 +45,8 @@ dockerize \
-wait file:///var/lib/dbus/machine-id
touch /var/log/kdav/kdav.log
touch /var/log/kdav/kdav-error.log
chown www-data:www-data /var/log/kdav/kdav.log /var/log/kdav/kdav-error.log
chown www-data:www-data /var/log/kdav/kdav.log
tail --pid=$$ -F --lines=0 -q /var/log/kdav/kdav.log &
tail --pid=$$ -F --lines=0 -q /var/log/kdav/kdav-error.log &
echo "Starting Apache"
rm -f /run/apache2/apache2.pid

3
konnect/wrapper.sh
View File

@ -78,7 +78,8 @@ if [ "${allow_client_guests:-}" = "yes" ]; then
echo "Patching identifier registration for use of the Meet guest mode"
/usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
cp /etc/kopano/konnectd-identifier-registration.yaml /tmp/konnectd-identifier-registration.yaml
CONFIG_JSON=/tmp/konnectd-identifier-registration.yaml
#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
yq -y ".clients += [{\"id\": \"kpop-https://${FQDN%/*}/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://${FQDN%/*}/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)

6
meet/Dockerfile
View File

@ -49,8 +49,10 @@ RUN \
kopano-meet kopano-meet-webapp \
${ADDITIONAL_KOPANO_PACKAGES} \
&& \
cp /usr/share/doc/kopano-meet-webapp/config.json.in /usr/share/kopano-kweb/www/config/kopano/meet.json && \
rm -rf /var/cache/apt /var/lib/apt/lists
rm -rf /var/cache/apt /var/lib/apt/lists && \
# make configuration a symlink to prevent overwriting it
# TODO better would be to override its configuration in kweb.cfg
ln -s /tmp/meet.json /usr/share/kopano-kweb/www/config/kopano/meet.json
COPY defaultconfigs/ start-service.sh /kopano/
COPY goss.yaml /goss/

2
meet/defaultconfigs/meet.py
View File

@ -2,4 +2,4 @@ import os
import kcconf
# Override configs from environment variables
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

13
meet/start-service.sh
View File

@ -5,11 +5,16 @@ ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES:-""}
set -eu # unset variables are errors & non-zero return values exit the whole script
[ "$DEBUG" ] && set -x
# copy configuration files to /tmp/kopano to prevent modification of mounted config files
mkdir -p /tmp/kopano
cp /etc/kopano/*.cfg /tmp/kopano
if [ ! -e /kopano/"$SERVICE_TO_START".py ]; then
echo "Invalid service specified: $SERVICE_TO_START" | ts
exit 1
fi
# TODO how to best move this to /tmp?
echo "Configure service '$SERVICE_TO_START'" | ts
/usr/bin/python3 /kopano/"$SERVICE_TO_START".py
@ -22,7 +27,8 @@ if [ $# -gt 0 ]; then
exit
fi
CONFIG_JSON="/usr/share/kopano-kweb/www/config/kopano/meet.json"
cp /usr/share/doc/kopano-meet-webapp/config.json.in /tmp/meet.json
CONFIG_JSON="/tmp/meet.json"
echo "Updating $CONFIG_JSON"
for setting in $(compgen -A variable KCCONF_MEET); do
setting2=${setting#KCCONF_MEET_}
@ -54,11 +60,12 @@ if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then
jq '.apps.enabled += ["kopano-webapp"]' $CONFIG_JSON | sponge $CONFIG_JSON
fi
sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg
# todo do not replace here, but in a temp location
sed s/\ *=\ */=/g /tmp/kopano/kwebd.cfg > /tmp/kweb-env
# always disable tls
export tls=no
# shellcheck disable=SC2046
export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n')
export $(grep -v '^#' /tmp/kweb-env | xargs -d '\n')
# services need to be aware of the machine-id
dockerize \

17
scheduler/commander.yaml
View File

@ -1,5 +1,5 @@
tests:
check mailbox language: # this needs a running kopano-server can can therefore not be executed in that container directly
check mailbox language: # this needs a running kopano-server and can can therefore not be executed in that container directly
command: "docker exec kopano_server kopano-storeadm -C -n user10; docker exec kopano_server show-folders.py --user user10"
exit-code: 0
stdout:
@ -12,13 +12,24 @@ tests:
stdout:
not-contains:
- "WARNING: Unable to get user store entry id. User possibly has no store."
check mailbox language german: # this needs a running kopano-server can can therefore not be executed in that container directly
command: "docker exec kopano_server kopano-storeadm -D user 11; docker exec kopano_server kopano-storeadm -C -l de_DE -n user11; docker exec kopano_server show-folders.py --user user11"
check mailbox language german: # this needs a running kopano-server and can can therefore not be executed in that container directly
command: "docker exec kopano_server kopano-storeadm -D -n user11; docker exec kopano_server kopano-storeadm -C -l de_DE -n user11; docker exec kopano_server show-folders.py --user user11"
exit-code: 0
stdout:
not-contains:
- "Inbox"
- "Drafts"
contains:
- "Posteingang"
check mailbox language dutch: # this needs a running kopano-server and can can therefore not be executed in that container directly
command: "docker exec kopano_server kopano-storeadm -D -n user12; docker exec kopano_server kopano-storeadm -C -l nl_NL -n user12; docker exec kopano_server show-folders.py --user user12"
exit-code: 0
stdout:
not-contains:
- "Inbox"
- "Drafts"
contains:
- "Postvak IN"
# test renaming of folders:
# command: docker exec kopano_server env KCCONF_ADMIN_DEFAULT_STORE_LOCALE=de_DE.UTF-8 /usr/bin/python3 /kopano/server.py && docker exec kopano_server kopano-storeadm -Y -n user12
# exit-code: 0

10
scheduler/start.sh
View File

@ -2,7 +2,7 @@
set -eo pipefail
cronfile=/etc/crontab
cronfile=/tmp/crontab
# purge existing entries from crontab
true > "$cronfile"
@ -15,7 +15,7 @@ done
for cronvar in ${!CRONDELAYED_*}; do
cronvalue=${!cronvar}
echo "Adding $cronvalue to crontab"
echo "Adding $cronvalue to crontab (delayed)"
echo "$cronvalue" >> "$cronfile"
done
@ -26,7 +26,7 @@ dockerize \
echo "creating public store"
docker exec kopano_server kopano-storeadm -h default: -P || true
# run sheduled cron jobs once
echo "Running sheduled cron jobs once"
for cronvar in ${!CRON_*}; do
cronvalue=${!cronvar}
croncommand=$(echo "$cronvalue" | cut -d ' ' -f 6-)
@ -34,5 +34,5 @@ for cronvar in ${!CRON_*}; do
$croncommand
done
supercronic -test /etc/crontab
exec supercronic /etc/crontab
supercronic -test $cronfile
exec supercronic $cronfile

7
webapp/Dockerfile
View File

@ -64,6 +64,13 @@ RUN \
${ADDITIONAL_KOPANO_WEBAPP_PLUGINS} \
&& rm -rf /var/cache/apt /var/lib/apt/lists
# tweak to make the container read-only
RUN mkdir -p /tmp/webapp/ && \
for i in /etc/kopano/webapp/* /etc/kopano/webapp/.[^.]*; do \
mv "$i" "$i.dist"; \
ln -s /tmp/webapp/"$(basename "$i")" "$i"; \
done
COPY start.sh /kopano/start.sh
COPY goss* /goss/

16
webapp/start.sh
View File

@ -12,8 +12,9 @@ set -eu # unset variables are errors & non-zero return values exit the whole scr
# shellcheck source=php/start-helper.sh
source /kopano/start-helper.sh
# Hint: this is not compatible with a read-only container.
# The general recommendation is to already build a container that has all required packages installed.
ADDITIONAL_KOPANO_PACKAGES="$ADDITIONAL_KOPANO_PACKAGES $ADDITIONAL_KOPANO_WEBAPP_PLUGINS"
ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@ -25,6 +26,13 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
fi
done
# copy latest config template
mkdir -p /tmp/webapp/
for i in /etc/kopano/webapp/*.dist /etc/kopano/webapp/.[^.]*.dist; do
filename=$(basename -- "$i")
cp "$i" "/tmp/webapp/${filename%.*}"
done
# Ensure directories exist
mkdir -p /run/sessions /tmp/webapp
@ -37,13 +45,13 @@ if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then
echo "Kopano WebApp is using the default: connection"
else
echo "Kopano WebApp is using an ip connection"
php_cfg_gen /etc/kopano/webapp/config.php DEFAULT_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
php_cfg_gen /tmp/webapp/config.php DEFAULT_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
fi
# configuring webapp from env
for setting in $(compgen -A variable KCCONF_WEBAPP_); do
setting2=${setting#KCCONF_WEBAPP_}
php_cfg_gen /etc/kopano/webapp/config.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/webapp/config.php "${setting2}" "${!setting}"
done
# configuring webapp plugins from env
@ -52,7 +60,7 @@ for setting in $(compgen -A variable KCCONF_WEBAPPPLUGIN_); do
filename="${setting2%%_*}"
setting3=${setting#KCCONF_WEBAPPPLUGIN_${filename}_}
identifier="${filename,,}"
php_cfg_gen /etc/kopano/webapp/config-"$identifier".php "${setting3}" "${!setting}"
php_cfg_gen /tmp/webapp/config-"$identifier".php "${setting3}" "${!setting}"
done
echo "Ensure config ownership"

7
zpush/Dockerfile
View File

@ -61,6 +61,13 @@ RUN \
${ADDITIONAL_KOPANO_PACKAGES} \
&& rm -rf /var/cache/apt /var/lib/apt/lists
# tweak to make the container read-only
RUN mkdir -p /tmp/z-push/ && \
for i in /etc/z-push/*; do \
mv "$i" "$i.dist"; \
ln -s /tmp/z-push/"$(basename "$i")" "$i"; \
done
COPY apache2-kopano.conf /etc/apache2/sites-available/kopano.conf
# configure basics

34
zpush/start.sh
View File

@ -39,6 +39,8 @@ php_cfg_gen() {
fi
}
# Hint: this is not compatible with a read-only container.
# The general recommendation is to already build a container that has all required packages installed.
ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
[ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@ -50,6 +52,13 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
fi
done
# copy latest config template
mkdir -p /tmp/z-push/
for i in /etc/z-push/*.dist; do
filename=$(basename -- "$i")
cp "$i" "/tmp/z-push/${filename%.*}"
done
# Ensure directories
mkdir -p /run/sessions
@ -62,58 +71,58 @@ if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then
echo "Z-Push is using the default: connection"
else
echo "Z-Push is using an ip connection"
php_cfg_gen /etc/z-push/kopano.conf.php MAPI_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
php_cfg_gen /tmp/z-push/kopano.conf.php MAPI_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
fi
echo "Configuring Z-Push for use behind a reverse proxy"
php_cfg_gen /etc/z-push/z-push.conf.php USE_CUSTOM_REMOTE_IP_HEADER HTTP_X_FORWARDED_FOR
php_cfg_gen /tmp/z-push/z-push.conf.php USE_CUSTOM_REMOTE_IP_HEADER HTTP_X_FORWARDED_FOR
# configuring z-push from env
for setting in $(compgen -A variable KCCONF_ZPUSH_); do
setting2=${setting#KCCONF_ZPUSH_}
php_cfg_gen /etc/z-push/z-push.conf.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/z-push/z-push.conf.php "${setting2}" "${!setting}"
done
# configuring autodiscover
for setting in $(compgen -A variable KCCONF_ZPUSHAUTODISCOVER_); do
setting2=${setting#KCCONF_ZPUSHAUTODISCOVER_}
php_cfg_gen /etc/z-push/autodiscover.conf.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/z-push/autodiscover.conf.php "${setting2}" "${!setting}"
done
# configuring z-push gabsync
php_cfg_gen /etc/z-push/gabsync.conf.php USERNAME SYSTEM
php_cfg_gen /tmp/z-push/gabsync.conf.php USERNAME SYSTEM
for setting in $(compgen -A variable KCCONF_ZPUSHGABSYNC_); do
setting2=${setting#KCCONF_ZPUSHGAVSYNC_}
php_cfg_gen /etc/z-push/z-push.conf.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/z-push/z-push.conf.php "${setting2}" "${!setting}"
done
# configuring z-push sql state engine
for setting in $(compgen -A variable KCCONF_ZPUSHSQL_); do
setting2=${setting#KCCONF_ZPUSHSQL_}
php_cfg_gen /etc/z-push/state-sql.conf.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/z-push/state-sql.conf.php "${setting2}" "${!setting}"
done
# configuring z-push memcached
for setting in $(compgen -A variable KCCONF_ZPUSHMEMCACHED_); do
setting2=${setting#KCCONF_ZPUSHMEMCACHED_}
php_cfg_gen /etc/z-push/memcached.conf.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/z-push/memcached.conf.php "${setting2}" "${!setting}"
done
# configuring z-push gab2contacts
for setting in $(compgen -A variable KCCONF_ZPUSHGA2CONTACTS_); do
setting2=${setting#KCCONF_ZPUSHSQL_}
php_cfg_gen /etc/z-push/gab2contacts.conf.php "${setting2}" "${!setting}"
php_cfg_gen /tmp/z-push/gab2contacts.conf.php "${setting2}" "${!setting}"
done
# configuring z-push shared folders
perl -i -0pe 's/\$additionalFolders.*\);//s' /etc/z-push/z-push.conf.php
echo -e " \$additionalFolders = array(" >> /etc/z-push/z-push.conf.php
perl -i -0pe 's/\$additionalFolders.*\);//s' /tmp/z-push/z-push.conf.php
echo -e " \$additionalFolders = array(" >> /tmp/z-push/z-push.conf.php
echo "$ZPUSH_ADDITIONAL_FOLDERS" | jq -c '.[]' | while read -r folder; do
eval "$(echo "$folder" | jq -r '@sh "NAME=\(.name) ID=\(.id) TYPE=\(.type) FLAGS=\(.flags)"')"
echo -e " array('store' => \"SYSTEM\", 'folderid' => \"$ID\", 'name' => \"$NAME\", 'type' => $TYPE, 'flags' => $FLAGS)," >> /etc/z-push/z-push.conf.php
done
echo -e ' );' >> /etc/z-push/z-push.conf.php
echo -e ' );' >> /tmp/z-push/z-push.conf.php
echo "Ensure config ownership"
chown -R www-data:www-data /run/sessions
@ -124,6 +133,7 @@ dockerize \
-wait file:///var/lib/dbus/machine-id
echo "Activate z-push log rerouting"
mkdir -p /var/log/z-push/
touch /var/log/z-push/{z-push.log,z-push-error.log,autodiscover.log,autodiscover-error.log}
chown -R www-data:www-data /var/log/z-push
tail --pid=$$ -F --lines=0 -q /var/log/z-push/z-push.log &