From 70e9940b385ab99b3b6aaac585997f65598c841b Mon Sep 17 00:00:00 2001 From: Felix Bartels <1257835+fbartels@users.noreply.github.com> Date: Tue, 14 Jan 2020 14:31:53 +0100 Subject: [PATCH] Run all containers read-only (#314) * switch containers in compose file to read-only related to https://github.com/zokradonh/kopano-docker/issues/310 * make scheduler container read-only * make meet container read-only * fix konnect for read-only * make core mostly read-only * add custom location for ldap.cfg to default config * sort config option for readability * update makefile pull workaround * make kdav read-only * remove locale generation code from core startup * fix commander tests * fix store language tests * add test for a dutch mailbox * make it possible to run webapp read-only * add locale hint to the compose file * finish read-only mode for z-push --- Makefile | 5 +- base/Dockerfile | 2 + core/commander/server/commander.yaml | 48 ++------------------ core/defaultconfigs/dagent.py | 4 +- core/defaultconfigs/gateway.py | 4 +- core/defaultconfigs/grapi.py | 2 +- core/defaultconfigs/ical.py | 4 +- core/defaultconfigs/kapi.py | 4 +- core/defaultconfigs/monitor.py | 4 +- core/defaultconfigs/search.py | 4 +- core/defaultconfigs/server.py | 15 +++--- core/defaultconfigs/spooler.py | 4 +- core/start-service.sh | 68 +++++++++++----------------- docker-compose.yml | 66 ++++++++++++++++++++++++++- kdav/Dockerfile | 5 ++ kdav/start.sh | 13 ++++-- konnect/wrapper.sh | 3 +- meet/Dockerfile | 6 ++- meet/defaultconfigs/meet.py | 2 +- meet/start-service.sh | 13 ++++-- scheduler/commander.yaml | 17 +++++-- scheduler/start.sh | 10 ++-- webapp/Dockerfile | 7 +++ webapp/start.sh | 16 +++++-- zpush/Dockerfile | 7 +++ zpush/start.sh | 34 +++++++++----- 26 files changed, 220 insertions(+), 147 deletions(-) diff --git a/Makefile b/Makefile index 34f4597..bf68c1d 100644 --- a/Makefile +++ b/Makefile @@ -36,6 +36,7 @@ TAG_FILE := build.tags export # convert lowercase componentname to uppercase +component ?= base COMPONENT = $(shell echo $(component) | tr a-z A-Z) .PHONY: default @@ -149,7 +150,7 @@ build-python: component=python make build build-kdav: - docker pull composer:1.8 + docker pull composer:1.9 component=kdav make build-builder component=kdav make build @@ -158,7 +159,7 @@ build-scheduler: component=scheduler make build-simple build-ssl: - docker pull alpine:3.9 + docker pull alpine:3.11 component=ssl make build-simple build-utils: diff --git a/base/Dockerfile b/base/Dockerfile index cbbd8fc..bcf511c 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -57,8 +57,10 @@ RUN curl -L https://github.com/aelsabbahy/goss/releases/download/$GOSS_VERSION/g chmod +rx /usr/local/bin/goss && \ goss --version +# if additional locales are required this should be adjusted here RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen && \ + sed -i -e 's/# nl_NL.UTF-8 UTF-8/nl_NL.UTF-8 UTF-8/' /etc/locale.gen && \ dpkg-reconfigure --frontend=noninteractive locales && \ update-locale LANG=en_US.UTF-8 diff --git a/core/commander/server/commander.yaml b/core/commander/server/commander.yaml index 232051a..ef4ab06 100644 --- a/core/commander/server/commander.yaml +++ b/core/commander/server/commander.yaml @@ -24,7 +24,7 @@ tests: env: ADDITIONAL_KOPANO_PACKAGES: "kopano-server" generate configuration for kopano-server: - command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/server.cfg + command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/server.cfg exit-code: 0 stdout: contains: @@ -33,7 +33,7 @@ tests: not-contains: - #server_listen_tls = *:237 generate ldap configuration openLDAP (default): - command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/ldap.cfg + command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/ldap.cfg exit-code: 0 stdout: contains: @@ -42,7 +42,7 @@ tests: not-contains: - "#!include /usr/share/kopano/ldap.openldap.cfg" generate ldap configuration for ADS: - command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/ldap.cfg + command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/ldap.cfg exit-code: 0 stdout: contains: @@ -55,16 +55,6 @@ tests: KCCOMMENT_LDAP_1: "!include /usr/share/kopano/ldap.openldap.cfg" KCUNCOMMENT_LDAP_1: "!include /usr/share/kopano/ldap.active-directory.cfg" start-service script default locale: - command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a" - exit-code: 0 - stdout: - contains: - - C - - C.UTF-8 - - de_DE.utf8 - - en_US.utf8 - - POSIX - start-service script dutch locale: command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a" exit-code: 0 stdout: @@ -75,38 +65,6 @@ tests: - en_US.utf8 - nl_NL.utf8 - POSIX - config: - env: - KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "nl_NL.UTF-8" - start-service script dutch locale (short): - command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a" - exit-code: 0 - stdout: - contains: - - C - - C.UTF-8 - - de_DE.utf8 - - en_US.utf8 - - nl_NL.utf8 - - POSIX - config: - env: - KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "nl_NL" - start-service script unknown locale: - command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a" - exit-code: 0 - stdout: - contains: - - C - - C.UTF-8 - - de_DE.utf8 - - en_US.utf8 - - POSIX - not-contains: - - abc - config: - env: - KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "abc" start-service script no dockerize: command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" exit-code: 0 diff --git a/core/defaultconfigs/dagent.py b/core/defaultconfigs/dagent.py index 4bdb6dc..d81c90c 100644 --- a/core/defaultconfigs/dagent.py +++ b/core/defaultconfigs/dagent.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/dagent.cfg": + r"/tmp/kopano/dagent.cfg": { 'lmtp_listen': "0.0.0.0:2003", 'log_file': "-", @@ -13,4 +13,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/gateway.py b/core/defaultconfigs/gateway.py index 71443b3..2bbbb62 100644 --- a/core/defaultconfigs/gateway.py +++ b/core/defaultconfigs/gateway.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/gateway.cfg": + r"/tmp/kopano/gateway.cfg": { 'imap_listen': "0.0.0.0:143", 'log_file': "-", @@ -13,4 +13,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/grapi.py b/core/defaultconfigs/grapi.py index 48407c7..756042a 100644 --- a/core/defaultconfigs/grapi.py +++ b/core/defaultconfigs/grapi.py @@ -2,4 +2,4 @@ import os import kcconf # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/ical.py b/core/defaultconfigs/ical.py index 40cdd86..1885c6d 100644 --- a/core/defaultconfigs/ical.py +++ b/core/defaultconfigs/ical.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/ical.cfg": + r"/tmp/kopano/ical.cfg": { 'ical_listen': "0.0.0.0:8080", 'log_file': "-", @@ -12,4 +12,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/kapi.py b/core/defaultconfigs/kapi.py index 1ed786b..dd757d7 100644 --- a/core/defaultconfigs/kapi.py +++ b/core/defaultconfigs/kapi.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/kapid.cfg": + r"/tmp/kopano/kapid.cfg": { 'log_level': "info", 'listen': "0.0.0.0:8039", @@ -15,4 +15,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/monitor.py b/core/defaultconfigs/monitor.py index 0806893..a5b5421 100644 --- a/core/defaultconfigs/monitor.py +++ b/core/defaultconfigs/monitor.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/monitor.cfg": + r"/tmp/kopano/monitor.cfg": { 'log_file': "-", 'log_level': "4" @@ -11,4 +11,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/search.py b/core/defaultconfigs/search.py index 3ee90e8..cd90b1b 100644 --- a/core/defaultconfigs/search.py +++ b/core/defaultconfigs/search.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/search.cfg": + r"/tmp/kopano/search.cfg": { 'log_file': "-", 'log_level': "4", @@ -12,4 +12,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/server.py b/core/defaultconfigs/server.py index 30eccf6..e0ae3eb 100644 --- a/core/defaultconfigs/server.py +++ b/core/defaultconfigs/server.py @@ -3,19 +3,20 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/server.cfg": + r"/tmp/kopano/server.cfg": { + 'attachment_path': "/kopano/data/attachments/", + 'kcoidc_initialize_timeout': "360", 'log_file': "-", 'log_level': "3", - 'attachment_path': "/kopano/data/attachments/", - 'user_plugin': "ldap", - 'server_listen': "0.0.0.0:236", 'server_listen_tls': "0.0.0.0:237", - 'sync_gab_realtime': "no", + 'server_listen': "0.0.0.0:236", 'softdelete_lifetime': "0", - 'kcoidc_initialize_timeout': "360" + 'sync_gab_realtime': "no", + 'user_plugin_config': "/tmp/kopano/ldap.cfg", + 'user_plugin': "ldap" } }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/defaultconfigs/spooler.py b/core/defaultconfigs/spooler.py index 8c4dae6..219eb44 100644 --- a/core/defaultconfigs/spooler.py +++ b/core/defaultconfigs/spooler.py @@ -3,7 +3,7 @@ import kcconf # Component specific configurations kcconf.configkopano({ - r"/etc/kopano/spooler.cfg": + r"/tmp/kopano/spooler.cfg": { 'log_file': "-", 'log_level': "4", @@ -12,4 +12,4 @@ kcconf.configkopano({ }) # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/core/start-service.sh b/core/start-service.sh index 9067874..b033bcc 100755 --- a/core/start-service.sh +++ b/core/start-service.sh @@ -15,11 +15,17 @@ KCCONF_SEARCH_SERVER_SOCKET=${KCCONF_SEARCH_SERVER_SOCKET:-"file:///var/run/kopa KCCONF_SPOOLER_SERVER_SOCKET=${KCCONF_SPOOLER_SERVER_SOCKET:-"file:///var/run/kopano/server.sock"} KOPANO_CON=${KOPANO_CON:-"file:///var/run/kopano/server.sock"} +# copy configuration files to /tmp/kopano to prevent modification of mounted config files +mkdir -p /tmp/kopano +cp /etc/kopano/*.cfg /tmp/kopano + if [ ! -e /kopano/"$SERVICE_TO_START".py ]; then echo "Invalid service specified: $SERVICE_TO_START" | ts exit 1 fi +# Hint: this is not compatible with a read-only container. +# The general recommendation is to already build a container that has all required packages installed. ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do @@ -31,8 +37,9 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') fi done -mkdir -p /kopano/data/attachments /kopano/data/kapi-kvs /tmp/"$SERVICE_TO_START" /var/run/kopano /var/lib/kopano-grapi +mkdir -p /tmp/"$SERVICE_TO_START" /var/run/kopano +# TODO is this still required now that we won't modify configuration mounted to /etc/kopano? if [ "${DISABLE_CONFIG_CHANGES}" == false ]; then echo "Configure core service '$SERVICE_TO_START'" | ts /usr/bin/python3 /kopano/"$SERVICE_TO_START".py @@ -41,10 +48,6 @@ fi # ensure removed pid-file on unclean shutdowns and mounted volumes rm -f /var/run/kopano/"$SERVICE_TO_START".pid -echo "Set ownership" | ts -chown kopano:kopano /kopano/data/ /kopano/data/attachments -chown kapi:kopano /var/lib/kopano-grapi - coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) echo "Using Kopano Groupware Core: $coreversion" @@ -89,30 +92,10 @@ fi # start regular service case "$SERVICE_TO_START" in server) - # TODO this could check if the desired locale already exists before calling sed - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${KCCONF_ADMIN_DEFAULT_STORE_LOCALE:-"en_US.UTF-8"} - # get locales from env - # shellcheck disable=SC1004 - sed --regexp-extended --expression=' - - 1 { - i\ -# This file lists locales that you wish to have built. You can find a list\ -# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add\ -# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change\ -# this file, you need to rerun locale-gen.\ -\ - - - } - - /^('"$KCCONF_ADMIN_DEFAULT_STORE_LOCALE"')(_[[:upper:]]+)?(\.UTF-8)?(@[^[:space:]]+)?[[:space:]]+UTF-8$/! s/^/# / - ' /usr/share/i18n/SUPPORTED > /etc/locale.gen - # make sure that en_US and de_DE are always there - sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen - sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen - dpkg-reconfigure --frontend=noninteractive locales - + echo "Set ownership" | ts + mkdir -p /kopano/data/attachments + chown kopano:kopano /kopano/data/ /kopano/data/attachments + if [[ "$DISABLE_CHECKS" == false ]]; then # determine db connection mode (unix vs. network socket) if [ -n "$KCCONF_SERVER_MYSQL_SOCKET" ]; then @@ -129,11 +112,11 @@ server) fi # pre populate database if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then - kopano-dbadm populate + kopano-dbadm -c /tmp/kopano/server.cfg populate fi # cleaning up env variables unset "${!KCCONF_@}" - exec /usr/sbin/kopano-server -F + exec /usr/sbin/kopano-server --config /tmp/kopano/server.cfg -F ;; dagent) dockerize \ @@ -141,7 +124,7 @@ dagent) -timeout 360s # cleaning up env variables unset "${!KCCONF_@}" - exec /usr/sbin/kopano-dagent -l + exec /usr/sbin/kopano-dagent --config /tmp/kopano/dagent.cfg -l ;; gateway) dockerize \ @@ -149,7 +132,7 @@ gateway) -timeout 360s # cleaning up env variables unset "${!KCCONF_@}" - exec /usr/sbin/kopano-gateway -F + exec /usr/sbin/kopano-gateway --config /tmp/kopano/gateway.cfg -F ;; ical) dockerize \ @@ -157,13 +140,15 @@ ical) -timeout 360s # cleaning up env variables unset "${!KCCONF_@}" - exec /usr/sbin/kopano-ical -F + exec /usr/sbin/kopano-ical --config /tmp/kopano/ical.cfg -F ;; grapi) LC_CTYPE=en_US.UTF-8 export socket_path=/var/run/kopano/grapi - mkdir -p "$socket_path" + export pid_file="$socket_path/grapi.pid" + mkdir -p "$socket_path" /var/lib/kopano-grapi chown -R kapi:kopano "$socket_path" + chown kapi:kopano /var/lib/kopano-grapi # TODO there could be a case where multiple backends are desired case $GRAPI_BACKEND in ldap) @@ -176,7 +161,7 @@ grapi) fi ;; esac - sed s/\ *=\ */=/g /etc/kopano/grapi.cfg > /tmp/grapi-env + sed s/\ *=\ */=/g /tmp/kopano/grapi.cfg > /tmp/grapi-env # shellcheck disable=SC2046 export $(grep -v '^#' /tmp/grapi-env | xargs -d '\n') # cleaning up env variables @@ -191,6 +176,7 @@ grapi) fi ;; kapi) + mkdir -p /kopano/data/kapi-kvs if [ "$KCCONF_KAPID_INSECURE" = "yes" ]; then dockerize \ -skip-tls-verify \ @@ -206,7 +192,7 @@ kapi) kapiversion=$(dpkg-query --showformat='${Version}' --show kopano-kapid) echo "Using Kopano Kapi: $kapiversion" LC_CTYPE=en_US.UTF-8 - sed s/\ *=\ */=/g /etc/kopano/kapid.cfg > /tmp/kapid-env + sed s/\ *=\ */=/g /tmp/kopano/kapid.cfg > /tmp/kapid-env # shellcheck disable=SC2046 export $(grep -v '^#' /tmp/kapid-env | xargs -d '\n') kopano-kapid setup @@ -220,7 +206,7 @@ monitor) -timeout 360s # cleaning up env variables unset "${!KCCONF_@}" - exec /usr/sbin/kopano-monitor -F + exec /usr/sbin/kopano-monitor --config /tmp/kopano/monitor.cfg -F ;; search) dockerize \ @@ -233,9 +219,9 @@ search) # with commit 702bb3fccb3 search does not need -F any longer searchversion=$(dpkg-query --showformat='${Version}' --show kopano-search) if dpkg --compare-versions "$searchversion" "gt" "8.7.82.165"; then - exec /usr/sbin/kopano-search + exec /usr/sbin/kopano-search --config /tmp/kopano/search.cfg else - exec /usr/bin/python3 /usr/sbin/kopano-search -F + exec /usr/bin/python3 /usr/sbin/kopano-search --config /tmp/kopano/search.cfg -F fi ;; spooler) @@ -245,7 +231,7 @@ spooler) -timeout 1080s # cleaning up env variables unset "${!KCCONF_@}" - exec /usr/sbin/kopano-spooler -F + exec /usr/sbin/kopano-spooler --config /tmp/kopano/spooler.cfg -F ;; *) echo "Failed to start: Unknown service name: '$SERVICE_TO_START'" | ts diff --git a/docker-compose.yml b/docker-compose.yml index 045e984..1bae32f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,6 +3,7 @@ version: "3.5" services: web: image: ${docker_repo:-zokradonh}/kopano_web:${KWEB_VERSION:-latest} + read_only: true restart: unless-stopped environment: - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp} @@ -123,6 +124,7 @@ services: kopano_ssl: image: ${docker_repo:-zokradonh}/kopano_ssl:${SSL_VERSION:-latest} + read_only: true environment: - FQDN=${FQDN} - PKI_COUNTRY=NL @@ -130,9 +132,12 @@ services: - kopano_ssl.env volumes: - kopanossl/:/kopano/ssl + tmpfs: + - /kopano/easypki/ kopano_kustomer: image: kopano/kustomerd:${KUSTOMER_VERSION:-latest} + read_only: true restart: unless-stopped command: serve --log-level debug volumes: @@ -143,6 +148,7 @@ services: kopano_server: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true # in case additional packages need to be installed this option should be set to false restart: unless-stopped hostname: kopano_server container_name: ${COMPOSE_PROJECT_NAME}_server @@ -154,6 +160,7 @@ services: environment: - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES} - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1} + # Hint: if additional locales are required that should be added in base/Dockerfile - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8} - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW} - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN} @@ -189,9 +196,12 @@ services: - kopanodata/:/kopano/data - kopanosocket/:/run/kopano - kopanossl/:/kopano/ssl + tmpfs: + - /tmp/ kopano_webapp: image: ${docker_repo:-zokradonh}/kopano_webapp:${WEBAPP_VERSION:-latest} + read_only: true # in case additional packages need to be installed this option should be set to false restart: unless-stopped hostname: kopano_webapp depends_on: @@ -212,9 +222,15 @@ services: networks: - kopano-net - web-net + tmpfs: + - /tmp/ + - /run/sessions/ + - /run/php/ + - /var/log/ kopano_zpush: image: ${docker_repo:-zokradonh}/kopano_zpush:${ZPUSH_VERSION:-latest} + read_only: true restart: unless-stopped hostname: kopano_zpush container_name: ${COMPOSE_PROJECT_NAME}_zpush @@ -236,9 +252,15 @@ services: networks: - kopano-net - web-net + tmpfs: + - /run/apache2/ + - /run/sessions/ + - /tmp + - /var/log/z-push/ kopano_grapi: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped container_name: ${COMPOSE_PROJECT_NAME}_grapi depends_on: @@ -251,6 +273,7 @@ services: environment: - KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no - KCCONF_GRAPI_INSECURE=${INSECURE} + - KCCONF_GRAPI_PERSISTENCY_PATH=/var/lib/kopano-grapi - SERVICE_TO_START=grapi - TZ=${TZ} env_file: @@ -258,9 +281,12 @@ services: networks: - kopano-net - web-net + tmpfs: + - /tmp/ kopano_kapi: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped container_name: ${COMPOSE_PROJECT_NAME}_kapi depends_on: @@ -282,9 +308,12 @@ services: networks: - kopano-net - web-net + tmpfs: + - /tmp kopano_kdav: image: ${docker_repo:-zokradonh}/kopano_kdav:${KDAV_VERSION:-latest} + read_only: true restart: unless-stopped hostname: kopano_kdav container_name: ${COMPOSE_PROJECT_NAME}_kdav @@ -301,9 +330,15 @@ services: networks: - kopano-net - web-net + tmpfs: + - /run/apache2/ + - /run/sessions/ + - /tmp + - /var/log/kdav/ kopano_dagent: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped depends_on: - kopano_server @@ -321,9 +356,12 @@ services: - kopano_dagent.env networks: - kopano-net + tmpfs: + - /tmp kopano_spooler: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped hostname: spooler domainname: ${LDAP_DOMAIN} @@ -345,9 +383,12 @@ services: - kopano_spooler.env networks: - kopano-net + tmpfs: + - /tmp kopano_gateway: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped depends_on: - kopano_server @@ -365,9 +406,12 @@ services: - kopano_gateway.env networks: - kopano-net + tmpfs: + - /tmp kopano_ical: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped depends_on: - kopano_server @@ -385,9 +429,12 @@ services: networks: - kopano-net - web-net + tmpfs: + - /tmp kopano_monitor: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped depends_on: - kopano_server @@ -403,9 +450,12 @@ services: - kopano_monitor.env networks: - kopano-net + tmpfs: + - /tmp kopano_search: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} + read_only: true restart: unless-stopped container_name: ${COMPOSE_PROJECT_NAME}_search depends_on: @@ -423,14 +473,17 @@ services: - kopano_search.env networks: - kopano-net + tmpfs: + - /tmp kopano_konnect: image: ${docker_repo:-zokradonh}/kopano_konnect:${KONNECT_VERSION:-latest} + read_only: true restart: unless-stopped depends_on: - kopano_ssl - web - # to be useful Konnect also need a running kopano_server, but this dependency cannot be added here since this would be a circular dependency + # to be useful Konnect also needs a running kopano_server, but this dependency cannot be added here since this would be a circular dependency volumes: - /etc/machine-id:/etc/machine-id - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id @@ -452,9 +505,12 @@ services: networks: - kopano-net - web-net + tmpfs: + - /tmp kopano_kwmserver: image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest} + read_only: true restart: unless-stopped command: wrapper.sh depends_on: @@ -473,9 +529,12 @@ services: - kopanossl/:/kopano/ssl networks: - web-net + tmpfs: + - /tmp kopano_meet: image: ${docker_repo:-zokradonh}/kopano_meet:${MEET_VERSION:-latest} + read_only: true restart: unless-stopped environment: - KCCONF_MEET_disableFullGAB=false @@ -493,9 +552,12 @@ services: - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id networks: - web-net + tmpfs: + - /tmp kopano_scheduler: image: ${docker_repo:-zokradonh}/kopano_scheduler:${SCHEDULER_VERSION:-latest} + read_only: true restart: "no" container_name: ${COMPOSE_PROJECT_NAME}_scheduler networks: @@ -515,6 +577,8 @@ services: - kopano_scheduler.env volumes: - /var/run/docker.sock:/var/run/docker.sock:ro + tmpfs: + - /tmp volumes: kdavstates: diff --git a/kdav/Dockerfile b/kdav/Dockerfile index 2858d8f..c6d957e 100644 --- a/kdav/Dockerfile +++ b/kdav/Dockerfile @@ -81,6 +81,11 @@ RUN \ COPY --from=builder /usr/share/kdav /usr/share/kdav +# tweaks to make the container read-only +RUN \ + mv /usr/share/kdav/config.php /usr/share/kdav/config.php.dist && \ + ln -s /tmp/config.php /usr/share/kdav/config.php + EXPOSE 80/tcp COPY start.sh /kopano/start.sh diff --git a/kdav/start.sh b/kdav/start.sh index 38d0a91..4eb3817 100755 --- a/kdav/start.sh +++ b/kdav/start.sh @@ -8,6 +8,7 @@ ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES:-""} set -eu # unset variables are errors & non-zero return values exit the whole script [ "$DEBUG" ] && set -x +# TODO this is not compatible with a read-only container ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do @@ -20,16 +21,20 @@ done echo "Ensure directories" mkdir -p /run/sessions +CONFIG_PHP=/tmp/config.php +# copy latest config template. This should be the mount point for preexisting config files. +cp /usr/share/kdav/config.php.dist $CONFIG_PHP + if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then echo "kDAV is using the default: connection" else echo "kDAV is using an ip connection" sed -e "s#define([\"']MAPI_SERVER[\"'],\s*[\"']default:[\"'])#define('MAPI_SERVER', 'https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano')#" \ - -i /usr/share/kdav/config.php + -i $CONFIG_PHP fi # change root uri to /kdav -sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i /usr/share/kdav/config.php +sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i $CONFIG_PHP echo "Ensure config ownership" chown -R www-data:www-data /run/sessions @@ -40,10 +45,8 @@ dockerize \ -wait file:///var/lib/dbus/machine-id touch /var/log/kdav/kdav.log -touch /var/log/kdav/kdav-error.log -chown www-data:www-data /var/log/kdav/kdav.log /var/log/kdav/kdav-error.log +chown www-data:www-data /var/log/kdav/kdav.log tail --pid=$$ -F --lines=0 -q /var/log/kdav/kdav.log & -tail --pid=$$ -F --lines=0 -q /var/log/kdav/kdav-error.log & echo "Starting Apache" rm -f /run/apache2/apache2.pid diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh index b271e67..a32b165 100755 --- a/konnect/wrapper.sh +++ b/konnect/wrapper.sh @@ -78,7 +78,8 @@ if [ "${allow_client_guests:-}" = "yes" ]; then echo "Patching identifier registration for use of the Meet guest mode" /usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json - CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml + cp /etc/kopano/konnectd-identifier-registration.yaml /tmp/konnectd-identifier-registration.yaml + CONFIG_JSON=/tmp/konnectd-identifier-registration.yaml #yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON yq -y ".clients += [{\"id\": \"kpop-https://${FQDN%/*}/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://${FQDN%/*}/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON # TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano) diff --git a/meet/Dockerfile b/meet/Dockerfile index 21caa67..1b670a7 100644 --- a/meet/Dockerfile +++ b/meet/Dockerfile @@ -49,8 +49,10 @@ RUN \ kopano-meet kopano-meet-webapp \ ${ADDITIONAL_KOPANO_PACKAGES} \ && \ - cp /usr/share/doc/kopano-meet-webapp/config.json.in /usr/share/kopano-kweb/www/config/kopano/meet.json && \ - rm -rf /var/cache/apt /var/lib/apt/lists + rm -rf /var/cache/apt /var/lib/apt/lists && \ + # make configuration a symlink to prevent overwriting it + # TODO better would be to override its configuration in kweb.cfg + ln -s /tmp/meet.json /usr/share/kopano-kweb/www/config/kopano/meet.json COPY defaultconfigs/ start-service.sh /kopano/ COPY goss.yaml /goss/ diff --git a/meet/defaultconfigs/meet.py b/meet/defaultconfigs/meet.py index 48407c7..756042a 100644 --- a/meet/defaultconfigs/meet.py +++ b/meet/defaultconfigs/meet.py @@ -2,4 +2,4 @@ import os import kcconf # Override configs from environment variables -kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/")) diff --git a/meet/start-service.sh b/meet/start-service.sh index cb6692f..ba23cae 100755 --- a/meet/start-service.sh +++ b/meet/start-service.sh @@ -5,11 +5,16 @@ ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES:-""} set -eu # unset variables are errors & non-zero return values exit the whole script [ "$DEBUG" ] && set -x +# copy configuration files to /tmp/kopano to prevent modification of mounted config files +mkdir -p /tmp/kopano +cp /etc/kopano/*.cfg /tmp/kopano + if [ ! -e /kopano/"$SERVICE_TO_START".py ]; then echo "Invalid service specified: $SERVICE_TO_START" | ts exit 1 fi +# TODO how to best move this to /tmp? echo "Configure service '$SERVICE_TO_START'" | ts /usr/bin/python3 /kopano/"$SERVICE_TO_START".py @@ -22,7 +27,8 @@ if [ $# -gt 0 ]; then exit fi -CONFIG_JSON="/usr/share/kopano-kweb/www/config/kopano/meet.json" +cp /usr/share/doc/kopano-meet-webapp/config.json.in /tmp/meet.json +CONFIG_JSON="/tmp/meet.json" echo "Updating $CONFIG_JSON" for setting in $(compgen -A variable KCCONF_MEET); do setting2=${setting#KCCONF_MEET_} @@ -54,11 +60,12 @@ if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then jq '.apps.enabled += ["kopano-webapp"]' $CONFIG_JSON | sponge $CONFIG_JSON fi -sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg +# todo do not replace here, but in a temp location +sed s/\ *=\ */=/g /tmp/kopano/kwebd.cfg > /tmp/kweb-env # always disable tls export tls=no # shellcheck disable=SC2046 -export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n') +export $(grep -v '^#' /tmp/kweb-env | xargs -d '\n') # services need to be aware of the machine-id dockerize \ diff --git a/scheduler/commander.yaml b/scheduler/commander.yaml index 5d93ab4..1cc5f90 100644 --- a/scheduler/commander.yaml +++ b/scheduler/commander.yaml @@ -1,5 +1,5 @@ tests: - check mailbox language: # this needs a running kopano-server can can therefore not be executed in that container directly + check mailbox language: # this needs a running kopano-server and can can therefore not be executed in that container directly command: "docker exec kopano_server kopano-storeadm -C -n user10; docker exec kopano_server show-folders.py --user user10" exit-code: 0 stdout: @@ -12,13 +12,24 @@ tests: stdout: not-contains: - "WARNING: Unable to get user store entry id. User possibly has no store." - check mailbox language german: # this needs a running kopano-server can can therefore not be executed in that container directly - command: "docker exec kopano_server kopano-storeadm -D user 11; docker exec kopano_server kopano-storeadm -C -l de_DE -n user11; docker exec kopano_server show-folders.py --user user11" + check mailbox language german: # this needs a running kopano-server and can can therefore not be executed in that container directly + command: "docker exec kopano_server kopano-storeadm -D -n user11; docker exec kopano_server kopano-storeadm -C -l de_DE -n user11; docker exec kopano_server show-folders.py --user user11" exit-code: 0 stdout: not-contains: - "Inbox" - "Drafts" + contains: + - "Posteingang" + check mailbox language dutch: # this needs a running kopano-server and can can therefore not be executed in that container directly + command: "docker exec kopano_server kopano-storeadm -D -n user12; docker exec kopano_server kopano-storeadm -C -l nl_NL -n user12; docker exec kopano_server show-folders.py --user user12" + exit-code: 0 + stdout: + not-contains: + - "Inbox" + - "Drafts" + contains: + - "Postvak IN" # test renaming of folders: # command: docker exec kopano_server env KCCONF_ADMIN_DEFAULT_STORE_LOCALE=de_DE.UTF-8 /usr/bin/python3 /kopano/server.py && docker exec kopano_server kopano-storeadm -Y -n user12 # exit-code: 0 diff --git a/scheduler/start.sh b/scheduler/start.sh index 43e1ca9..cf6082d 100755 --- a/scheduler/start.sh +++ b/scheduler/start.sh @@ -2,7 +2,7 @@ set -eo pipefail -cronfile=/etc/crontab +cronfile=/tmp/crontab # purge existing entries from crontab true > "$cronfile" @@ -15,7 +15,7 @@ done for cronvar in ${!CRONDELAYED_*}; do cronvalue=${!cronvar} - echo "Adding $cronvalue to crontab" + echo "Adding $cronvalue to crontab (delayed)" echo "$cronvalue" >> "$cronfile" done @@ -26,7 +26,7 @@ dockerize \ echo "creating public store" docker exec kopano_server kopano-storeadm -h default: -P || true -# run sheduled cron jobs once +echo "Running sheduled cron jobs once" for cronvar in ${!CRON_*}; do cronvalue=${!cronvar} croncommand=$(echo "$cronvalue" | cut -d ' ' -f 6-) @@ -34,5 +34,5 @@ for cronvar in ${!CRON_*}; do $croncommand done -supercronic -test /etc/crontab -exec supercronic /etc/crontab +supercronic -test $cronfile +exec supercronic $cronfile diff --git a/webapp/Dockerfile b/webapp/Dockerfile index 171b937..1d0a314 100644 --- a/webapp/Dockerfile +++ b/webapp/Dockerfile @@ -64,6 +64,13 @@ RUN \ ${ADDITIONAL_KOPANO_WEBAPP_PLUGINS} \ && rm -rf /var/cache/apt /var/lib/apt/lists +# tweak to make the container read-only +RUN mkdir -p /tmp/webapp/ && \ + for i in /etc/kopano/webapp/* /etc/kopano/webapp/.[^.]*; do \ + mv "$i" "$i.dist"; \ + ln -s /tmp/webapp/"$(basename "$i")" "$i"; \ + done + COPY start.sh /kopano/start.sh COPY goss* /goss/ diff --git a/webapp/start.sh b/webapp/start.sh index 1ea69bc..fc56388 100755 --- a/webapp/start.sh +++ b/webapp/start.sh @@ -12,8 +12,9 @@ set -eu # unset variables are errors & non-zero return values exit the whole scr # shellcheck source=php/start-helper.sh source /kopano/start-helper.sh +# Hint: this is not compatible with a read-only container. +# The general recommendation is to already build a container that has all required packages installed. ADDITIONAL_KOPANO_PACKAGES="$ADDITIONAL_KOPANO_PACKAGES $ADDITIONAL_KOPANO_WEBAPP_PLUGINS" - ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do @@ -25,6 +26,13 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') fi done +# copy latest config template +mkdir -p /tmp/webapp/ +for i in /etc/kopano/webapp/*.dist /etc/kopano/webapp/.[^.]*.dist; do + filename=$(basename -- "$i") + cp "$i" "/tmp/webapp/${filename%.*}" +done + # Ensure directories exist mkdir -p /run/sessions /tmp/webapp @@ -37,13 +45,13 @@ if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then echo "Kopano WebApp is using the default: connection" else echo "Kopano WebApp is using an ip connection" - php_cfg_gen /etc/kopano/webapp/config.php DEFAULT_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano" + php_cfg_gen /tmp/webapp/config.php DEFAULT_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano" fi # configuring webapp from env for setting in $(compgen -A variable KCCONF_WEBAPP_); do setting2=${setting#KCCONF_WEBAPP_} - php_cfg_gen /etc/kopano/webapp/config.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/webapp/config.php "${setting2}" "${!setting}" done # configuring webapp plugins from env @@ -52,7 +60,7 @@ for setting in $(compgen -A variable KCCONF_WEBAPPPLUGIN_); do filename="${setting2%%_*}" setting3=${setting#KCCONF_WEBAPPPLUGIN_${filename}_} identifier="${filename,,}" - php_cfg_gen /etc/kopano/webapp/config-"$identifier".php "${setting3}" "${!setting}" + php_cfg_gen /tmp/webapp/config-"$identifier".php "${setting3}" "${!setting}" done echo "Ensure config ownership" diff --git a/zpush/Dockerfile b/zpush/Dockerfile index 56ee472..e64de78 100644 --- a/zpush/Dockerfile +++ b/zpush/Dockerfile @@ -61,6 +61,13 @@ RUN \ ${ADDITIONAL_KOPANO_PACKAGES} \ && rm -rf /var/cache/apt /var/lib/apt/lists +# tweak to make the container read-only +RUN mkdir -p /tmp/z-push/ && \ + for i in /etc/z-push/*; do \ + mv "$i" "$i.dist"; \ + ln -s /tmp/z-push/"$(basename "$i")" "$i"; \ + done + COPY apache2-kopano.conf /etc/apache2/sites-available/kopano.conf # configure basics diff --git a/zpush/start.sh b/zpush/start.sh index e9fb417..9e2bd17 100755 --- a/zpush/start.sh +++ b/zpush/start.sh @@ -39,6 +39,8 @@ php_cfg_gen() { fi } +# Hint: this is not compatible with a read-only container. +# The general recommendation is to already build a container that has all required packages installed. ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do @@ -50,6 +52,13 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"') fi done +# copy latest config template +mkdir -p /tmp/z-push/ +for i in /etc/z-push/*.dist; do + filename=$(basename -- "$i") + cp "$i" "/tmp/z-push/${filename%.*}" +done + # Ensure directories mkdir -p /run/sessions @@ -62,58 +71,58 @@ if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then echo "Z-Push is using the default: connection" else echo "Z-Push is using an ip connection" - php_cfg_gen /etc/z-push/kopano.conf.php MAPI_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano" + php_cfg_gen /tmp/z-push/kopano.conf.php MAPI_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano" fi echo "Configuring Z-Push for use behind a reverse proxy" -php_cfg_gen /etc/z-push/z-push.conf.php USE_CUSTOM_REMOTE_IP_HEADER HTTP_X_FORWARDED_FOR +php_cfg_gen /tmp/z-push/z-push.conf.php USE_CUSTOM_REMOTE_IP_HEADER HTTP_X_FORWARDED_FOR # configuring z-push from env for setting in $(compgen -A variable KCCONF_ZPUSH_); do setting2=${setting#KCCONF_ZPUSH_} - php_cfg_gen /etc/z-push/z-push.conf.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/z-push/z-push.conf.php "${setting2}" "${!setting}" done # configuring autodiscover for setting in $(compgen -A variable KCCONF_ZPUSHAUTODISCOVER_); do setting2=${setting#KCCONF_ZPUSHAUTODISCOVER_} - php_cfg_gen /etc/z-push/autodiscover.conf.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/z-push/autodiscover.conf.php "${setting2}" "${!setting}" done # configuring z-push gabsync -php_cfg_gen /etc/z-push/gabsync.conf.php USERNAME SYSTEM +php_cfg_gen /tmp/z-push/gabsync.conf.php USERNAME SYSTEM for setting in $(compgen -A variable KCCONF_ZPUSHGABSYNC_); do setting2=${setting#KCCONF_ZPUSHGAVSYNC_} - php_cfg_gen /etc/z-push/z-push.conf.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/z-push/z-push.conf.php "${setting2}" "${!setting}" done # configuring z-push sql state engine for setting in $(compgen -A variable KCCONF_ZPUSHSQL_); do setting2=${setting#KCCONF_ZPUSHSQL_} - php_cfg_gen /etc/z-push/state-sql.conf.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/z-push/state-sql.conf.php "${setting2}" "${!setting}" done # configuring z-push memcached for setting in $(compgen -A variable KCCONF_ZPUSHMEMCACHED_); do setting2=${setting#KCCONF_ZPUSHMEMCACHED_} - php_cfg_gen /etc/z-push/memcached.conf.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/z-push/memcached.conf.php "${setting2}" "${!setting}" done # configuring z-push gab2contacts for setting in $(compgen -A variable KCCONF_ZPUSHGA2CONTACTS_); do setting2=${setting#KCCONF_ZPUSHSQL_} - php_cfg_gen /etc/z-push/gab2contacts.conf.php "${setting2}" "${!setting}" + php_cfg_gen /tmp/z-push/gab2contacts.conf.php "${setting2}" "${!setting}" done # configuring z-push shared folders -perl -i -0pe 's/\$additionalFolders.*\);//s' /etc/z-push/z-push.conf.php -echo -e " \$additionalFolders = array(" >> /etc/z-push/z-push.conf.php +perl -i -0pe 's/\$additionalFolders.*\);//s' /tmp/z-push/z-push.conf.php +echo -e " \$additionalFolders = array(" >> /tmp/z-push/z-push.conf.php echo "$ZPUSH_ADDITIONAL_FOLDERS" | jq -c '.[]' | while read -r folder; do eval "$(echo "$folder" | jq -r '@sh "NAME=\(.name) ID=\(.id) TYPE=\(.type) FLAGS=\(.flags)"')" echo -e " array('store' => \"SYSTEM\", 'folderid' => \"$ID\", 'name' => \"$NAME\", 'type' => $TYPE, 'flags' => $FLAGS)," >> /etc/z-push/z-push.conf.php done -echo -e ' );' >> /etc/z-push/z-push.conf.php +echo -e ' );' >> /tmp/z-push/z-push.conf.php echo "Ensure config ownership" chown -R www-data:www-data /run/sessions @@ -124,6 +133,7 @@ dockerize \ -wait file:///var/lib/dbus/machine-id echo "Activate z-push log rerouting" +mkdir -p /var/log/z-push/ touch /var/log/z-push/{z-push.log,z-push-error.log,autodiscover.log,autodiscover-error.log} chown -R www-data:www-data /var/log/z-push tail --pid=$$ -F --lines=0 -q /var/log/z-push/z-push.log &