Run all containers read-only (#314)

* switch containers in compose file to read-only
related to https://github.com/zokradonh/kopano-docker/issues/310
* make scheduler container read-only
* make meet container read-only
* fix konnect for read-only
* make core mostly read-only
* add custom location for ldap.cfg to default config
* sort config option for readability
* update makefile pull workaround
* make kdav read-only
* remove locale generation code from core startup
* fix commander tests
* fix store language tests
* add test for a dutch mailbox
* make it possible to run webapp read-only
* add locale hint to the compose file
* finish read-only mode for z-push

Makefile

@@ -36,6 +36,7 @@ TAG_FILE := build.tags
 export
 
 # convert lowercase componentname to uppercase
+component ?= base
 COMPONENT = $(shell echo $(component) | tr a-z A-Z)
 
 .PHONY: default
@@ -149,7 +150,7 @@ build-python:
 	component=python make build
 
 build-kdav:
-	docker pull composer:1.8
+	docker pull composer:1.9
 	component=kdav make build-builder
 	component=kdav make build
 
@@ -158,7 +159,7 @@ build-scheduler:
 	component=scheduler make build-simple
 
 build-ssl:
-	docker pull alpine:3.9
+	docker pull alpine:3.11
 	component=ssl make build-simple
 
 build-utils:

base/Dockerfile

@@ -57,8 +57,10 @@ RUN curl -L https://github.com/aelsabbahy/goss/releases/download/$GOSS_VERSION/g
     chmod +rx /usr/local/bin/goss && \
     goss --version
 
+# if additional locales are required this should be adjusted here
 RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
     sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen && \
+    sed -i -e 's/# nl_NL.UTF-8 UTF-8/nl_NL.UTF-8 UTF-8/' /etc/locale.gen && \
     dpkg-reconfigure --frontend=noninteractive locales && \
     update-locale LANG=en_US.UTF-8
 

core/commander/server/commander.yaml

@@ -24,7 +24,7 @@ tests:
       env:
         ADDITIONAL_KOPANO_PACKAGES: "kopano-server"
   generate configuration for kopano-server:
-    command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/server.cfg
+    command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/server.cfg
     exit-code: 0
     stdout:
       contains:
@@ -33,7 +33,7 @@ tests:
       not-contains:
         - #server_listen_tls = *:237
   generate ldap configuration openLDAP (default):
-    command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/ldap.cfg
+    command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/ldap.cfg
     exit-code: 0
     stdout:
       contains:
@@ -42,7 +42,7 @@ tests:
       not-contains:
         - "#!include /usr/share/kopano/ldap.openldap.cfg"
   generate ldap configuration for ADS:
-    command: /usr/bin/python3 /kopano/server.py && cat /etc/kopano/ldap.cfg
+    command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh" && cat /tmp/kopano/ldap.cfg
     exit-code: 0
     stdout:
       contains:
@@ -55,16 +55,6 @@ tests:
         KCCOMMENT_LDAP_1: "!include /usr/share/kopano/ldap.openldap.cfg"
         KCUNCOMMENT_LDAP_1: "!include /usr/share/kopano/ldap.active-directory.cfg"
   start-service script default locale:
-    command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
-    exit-code: 0
-    stdout:
-      contains:
-        - C
-        - C.UTF-8
-        - de_DE.utf8
-        - en_US.utf8
-        - POSIX
-  start-service script dutch locale:
     command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
     exit-code: 0
     stdout:
@@ -75,38 +65,6 @@ tests:
         - en_US.utf8
         - nl_NL.utf8
         - POSIX
-    config:
-      env:
-        KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "nl_NL.UTF-8"
-  start-service script dutch locale (short):
-    command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
-    exit-code: 0
-    stdout:
-      contains:
-        - C
-        - C.UTF-8
-        - de_DE.utf8
-        - en_US.utf8
-        - nl_NL.utf8
-        - POSIX
-    config:
-      env:
-        KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "nl_NL"
-  start-service script unknown locale:
-    command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh && locale -a"
-    exit-code: 0
-    stdout:
-      contains:
-        - C
-        - C.UTF-8
-        - de_DE.utf8
-        - en_US.utf8
-        - POSIX
-      not-contains:
-        - abc
-    config:
-      env:
-        KCCONF_ADMIN_DEFAULT_STORE_LOCALE: "abc"
   start-service script no dockerize:
     command: bash -c "shopt -s expand_aliases; alias exec='echo'; . /kopano/start-service.sh"
     exit-code: 0

core/defaultconfigs/dagent.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/dagent.cfg":
+    r"/tmp/kopano/dagent.cfg":
     {
         'lmtp_listen': "0.0.0.0:2003",
         'log_file': "-",
@@ -13,4 +13,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/gateway.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/gateway.cfg":
+    r"/tmp/kopano/gateway.cfg":
     {
         'imap_listen': "0.0.0.0:143",
         'log_file': "-",
@@ -13,4 +13,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/grapi.py

@@ -2,4 +2,4 @@ import os
 import kcconf
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/ical.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/ical.cfg":
+    r"/tmp/kopano/ical.cfg":
     {
         'ical_listen': "0.0.0.0:8080",
         'log_file': "-",
@@ -12,4 +12,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/kapi.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/kapid.cfg":
+    r"/tmp/kopano/kapid.cfg":
     {
         'log_level': "info",
         'listen': "0.0.0.0:8039",
@@ -15,4 +15,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/monitor.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/monitor.cfg":
+    r"/tmp/kopano/monitor.cfg":
     {
         'log_file': "-",
         'log_level': "4"
@@ -11,4 +11,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/search.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/search.cfg":
+    r"/tmp/kopano/search.cfg":
     {
         'log_file': "-",
         'log_level': "4",
@@ -12,4 +12,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/server.py

@@ -3,19 +3,20 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/server.cfg":
+    r"/tmp/kopano/server.cfg":
     {
+        'attachment_path': "/kopano/data/attachments/",
+        'kcoidc_initialize_timeout': "360",
         'log_file': "-",
         'log_level': "3",
-        'attachment_path': "/kopano/data/attachments/",
-        'user_plugin': "ldap",
-        'server_listen': "0.0.0.0:236",
         'server_listen_tls': "0.0.0.0:237",
-        'sync_gab_realtime': "no",
+        'server_listen': "0.0.0.0:236",
         'softdelete_lifetime': "0",
-        'kcoidc_initialize_timeout': "360"
+        'sync_gab_realtime': "no",
+        'user_plugin_config': "/tmp/kopano/ldap.cfg",
+        'user_plugin': "ldap"
     }
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/defaultconfigs/spooler.py

@@ -3,7 +3,7 @@ import kcconf
 
 # Component specific configurations
 kcconf.configkopano({
-    r"/etc/kopano/spooler.cfg":
+    r"/tmp/kopano/spooler.cfg":
     {
         'log_file': "-",
         'log_level': "4",
@@ -12,4 +12,4 @@ kcconf.configkopano({
 })
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

core/start-service.sh

@@ -15,11 +15,17 @@ KCCONF_SEARCH_SERVER_SOCKET=${KCCONF_SEARCH_SERVER_SOCKET:-"file:///var/run/kopa
 KCCONF_SPOOLER_SERVER_SOCKET=${KCCONF_SPOOLER_SERVER_SOCKET:-"file:///var/run/kopano/server.sock"}
 KOPANO_CON=${KOPANO_CON:-"file:///var/run/kopano/server.sock"}
 
+# copy configuration files to /tmp/kopano to prevent modification of mounted config files
+mkdir -p /tmp/kopano
+cp /etc/kopano/*.cfg /tmp/kopano
+
 if [ ! -e /kopano/"$SERVICE_TO_START".py ]; then
 	echo "Invalid service specified: $SERVICE_TO_START" | ts
 	exit 1
 fi
 
+# Hint: this is not compatible with a read-only container.
+# The general recommendation is to already build a container that has all required packages installed.
 ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@@ -31,8 +37,9 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 	fi
 done
 
-mkdir -p /kopano/data/attachments /kopano/data/kapi-kvs /tmp/"$SERVICE_TO_START" /var/run/kopano /var/lib/kopano-grapi
+mkdir -p /tmp/"$SERVICE_TO_START" /var/run/kopano
 
+# TODO is this still required now that we won't modify configuration mounted to /etc/kopano?
 if [ "${DISABLE_CONFIG_CHANGES}" == false ]; then
 	echo "Configure core service '$SERVICE_TO_START'" | ts
 	/usr/bin/python3 /kopano/"$SERVICE_TO_START".py
@@ -41,10 +48,6 @@ fi
 # ensure removed pid-file on unclean shutdowns and mounted volumes
 rm -f /var/run/kopano/"$SERVICE_TO_START".pid
 
-echo "Set ownership" | ts
-chown kopano:kopano /kopano/data/ /kopano/data/attachments
-chown kapi:kopano /var/lib/kopano-grapi
-
 coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server)
 echo "Using Kopano Groupware Core: $coreversion"
 
@@ -89,29 +92,9 @@ fi
 # start regular service
 case "$SERVICE_TO_START" in
 server)
-	# TODO this could check if the desired locale already exists before calling sed
+	echo "Set ownership" | ts
-	KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${KCCONF_ADMIN_DEFAULT_STORE_LOCALE:-"en_US.UTF-8"}
+	mkdir -p /kopano/data/attachments
-	# get locales from env
+	chown kopano:kopano /kopano/data/ /kopano/data/attachments
-	# shellcheck disable=SC1004
-	sed --regexp-extended --expression='
-
-		1  {
-			i\
-# This file lists locales that you wish to have built. You can find a list\
-# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add\
-# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change\
-# this file, you need to rerun locale-gen.\
-\
-
-
-			}
-
-		/^('"$KCCONF_ADMIN_DEFAULT_STORE_LOCALE"')(_[[:upper:]]+)?(\.UTF-8)?(@[^[:space:]]+)?[[:space:]]+UTF-8$/!   s/^/# /
-	' /usr/share/i18n/SUPPORTED >  /etc/locale.gen
-	# make sure that en_US and de_DE are always there
-	sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
-	sed -i -e 's/# de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen
-	dpkg-reconfigure --frontend=noninteractive locales
 	
 	if [[ "$DISABLE_CHECKS" == false ]]; then
 		# determine db connection mode (unix vs. network socket)
@@ -129,11 +112,11 @@ server)
 	fi
 	# pre populate database
 	if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then
-		kopano-dbadm populate
+		kopano-dbadm -c /tmp/kopano/server.cfg populate
 	fi
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
-	exec /usr/sbin/kopano-server -F
+	exec /usr/sbin/kopano-server --config /tmp/kopano/server.cfg -F
 	;;
 dagent)
 	dockerize \
@@ -141,7 +124,7 @@ dagent)
 		-timeout 360s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
-	exec /usr/sbin/kopano-dagent -l
+	exec /usr/sbin/kopano-dagent --config /tmp/kopano/dagent.cfg -l
 	;;
 gateway)
 	dockerize \
@@ -149,7 +132,7 @@ gateway)
 		-timeout 360s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
-	exec /usr/sbin/kopano-gateway -F
+	exec /usr/sbin/kopano-gateway --config /tmp/kopano/gateway.cfg -F
 	;;
 ical)
 	dockerize \
@@ -157,13 +140,15 @@ ical)
 		-timeout 360s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
-	exec /usr/sbin/kopano-ical -F
+	exec /usr/sbin/kopano-ical --config /tmp/kopano/ical.cfg -F
 	;;
 grapi)
 	LC_CTYPE=en_US.UTF-8
 	export socket_path=/var/run/kopano/grapi
-	mkdir -p "$socket_path"
+	export pid_file="$socket_path/grapi.pid"
+	mkdir -p "$socket_path" /var/lib/kopano-grapi
 	chown -R kapi:kopano "$socket_path"
+	chown kapi:kopano /var/lib/kopano-grapi
 	# TODO there could be a case where multiple backends are desired
 	case $GRAPI_BACKEND in
 	ldap)
@@ -176,7 +161,7 @@ grapi)
 		fi
 		;;
 	esac
-	sed s/\ *=\ */=/g /etc/kopano/grapi.cfg > /tmp/grapi-env
+	sed s/\ *=\ */=/g /tmp/kopano/grapi.cfg > /tmp/grapi-env
 	# shellcheck disable=SC2046
 	export $(grep -v '^#' /tmp/grapi-env | xargs -d '\n')
 	# cleaning up env variables
@@ -191,6 +176,7 @@ grapi)
 	fi
 	;;
 kapi)
+	mkdir -p /kopano/data/kapi-kvs
 	if [ "$KCCONF_KAPID_INSECURE" = "yes" ]; then
 		dockerize \
 		-skip-tls-verify \
@@ -206,7 +192,7 @@ kapi)
 	kapiversion=$(dpkg-query --showformat='${Version}' --show kopano-kapid)
 	echo "Using Kopano Kapi: $kapiversion"
 	LC_CTYPE=en_US.UTF-8
-	sed s/\ *=\ */=/g /etc/kopano/kapid.cfg > /tmp/kapid-env
+	sed s/\ *=\ */=/g /tmp/kopano/kapid.cfg > /tmp/kapid-env
 	# shellcheck disable=SC2046
 	export $(grep -v '^#' /tmp/kapid-env | xargs -d '\n')
 	kopano-kapid setup
@@ -220,7 +206,7 @@ monitor)
 		-timeout 360s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
-	exec /usr/sbin/kopano-monitor -F
+	exec /usr/sbin/kopano-monitor --config /tmp/kopano/monitor.cfg -F
 	;;
 search)
 	dockerize \
@@ -233,9 +219,9 @@ search)
 	# with commit 702bb3fccb3 search does not need -F any longer
 	searchversion=$(dpkg-query --showformat='${Version}' --show kopano-search)
 	if dpkg --compare-versions "$searchversion" "gt" "8.7.82.165"; then
-		exec /usr/sbin/kopano-search
+		exec /usr/sbin/kopano-search --config /tmp/kopano/search.cfg
 	else
-		exec /usr/bin/python3 /usr/sbin/kopano-search -F
+		exec /usr/bin/python3 /usr/sbin/kopano-search --config /tmp/kopano/search.cfg -F
 	fi
 	;;
 spooler)
@@ -245,7 +231,7 @@ spooler)
 		-timeout 1080s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
-	exec /usr/sbin/kopano-spooler -F
+	exec /usr/sbin/kopano-spooler --config /tmp/kopano/spooler.cfg -F
 	;;
 *)
 	echo "Failed to start: Unknown service name: '$SERVICE_TO_START'" | ts

docker-compose.yml

@@ -3,6 +3,7 @@ version: "3.5"
 services:
   web:
     image: ${docker_repo:-zokradonh}/kopano_web:${KWEB_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     environment:
       - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp}
@@ -123,6 +124,7 @@ services:
 
   kopano_ssl:
     image: ${docker_repo:-zokradonh}/kopano_ssl:${SSL_VERSION:-latest}
+    read_only: true
     environment:
       - FQDN=${FQDN}
       - PKI_COUNTRY=NL
@@ -130,9 +132,12 @@ services:
       - kopano_ssl.env
     volumes:
       - kopanossl/:/kopano/ssl
+    tmpfs:
+      - /kopano/easypki/
 
   kopano_kustomer:
     image: kopano/kustomerd:${KUSTOMER_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     command: serve --log-level debug
     volumes:
@@ -143,6 +148,7 @@ services:
 
   kopano_server:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true # in case additional packages need to be installed this option should be set to false
     restart: unless-stopped
     hostname: kopano_server
     container_name: ${COMPOSE_PROJECT_NAME}_server
@@ -154,6 +160,7 @@ services:
     environment:
       - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
       - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
+      # Hint: if additional locales are required that should be added in base/Dockerfile
       - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8}
       - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW}
       - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN}
@@ -189,9 +196,12 @@ services:
       - kopanodata/:/kopano/data
       - kopanosocket/:/run/kopano
       - kopanossl/:/kopano/ssl
+    tmpfs:
+      - /tmp/
 
   kopano_webapp:
     image: ${docker_repo:-zokradonh}/kopano_webapp:${WEBAPP_VERSION:-latest}
+    read_only: true # in case additional packages need to be installed this option should be set to false
     restart: unless-stopped
     hostname: kopano_webapp
     depends_on:
@@ -212,9 +222,15 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /tmp/
+      - /run/sessions/
+      - /run/php/
+      - /var/log/
 
   kopano_zpush:
     image: ${docker_repo:-zokradonh}/kopano_zpush:${ZPUSH_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     hostname: kopano_zpush
     container_name: ${COMPOSE_PROJECT_NAME}_zpush
@@ -236,9 +252,15 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /run/apache2/
+      - /run/sessions/
+      - /tmp
+      - /var/log/z-push/
 
   kopano_grapi:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     container_name: ${COMPOSE_PROJECT_NAME}_grapi
     depends_on:
@@ -251,6 +273,7 @@ services:
     environment:
       - KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no
       - KCCONF_GRAPI_INSECURE=${INSECURE}
+      - KCCONF_GRAPI_PERSISTENCY_PATH=/var/lib/kopano-grapi
       - SERVICE_TO_START=grapi
       - TZ=${TZ}
     env_file:
@@ -258,9 +281,12 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /tmp/
 
   kopano_kapi:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     container_name: ${COMPOSE_PROJECT_NAME}_kapi
     depends_on:
@@ -282,9 +308,12 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /tmp
 
   kopano_kdav:
     image: ${docker_repo:-zokradonh}/kopano_kdav:${KDAV_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     hostname: kopano_kdav
     container_name: ${COMPOSE_PROJECT_NAME}_kdav
@@ -301,9 +330,15 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /run/apache2/
+      - /run/sessions/
+      - /tmp
+      - /var/log/kdav/
 
   kopano_dagent:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     depends_on:
       - kopano_server
@@ -321,9 +356,12 @@ services:
       - kopano_dagent.env
     networks:
       - kopano-net
+    tmpfs:
+      - /tmp
 
   kopano_spooler:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     hostname: spooler
     domainname: ${LDAP_DOMAIN}
@@ -345,9 +383,12 @@ services:
       - kopano_spooler.env
     networks:
       - kopano-net
+    tmpfs:
+      - /tmp
 
   kopano_gateway:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     depends_on:
       - kopano_server
@@ -365,9 +406,12 @@ services:
       - kopano_gateway.env
     networks:
       - kopano-net
+    tmpfs:
+      - /tmp
 
   kopano_ical:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     depends_on:
       - kopano_server
@@ -385,9 +429,12 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /tmp
 
   kopano_monitor:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     depends_on:
       - kopano_server
@@ -403,9 +450,12 @@ services:
       - kopano_monitor.env
     networks:
       - kopano-net
+    tmpfs:
+      - /tmp
 
   kopano_search:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     container_name: ${COMPOSE_PROJECT_NAME}_search
     depends_on:
@@ -423,14 +473,17 @@ services:
       - kopano_search.env
     networks:
       - kopano-net
+    tmpfs:
+      - /tmp
 
   kopano_konnect:
     image: ${docker_repo:-zokradonh}/kopano_konnect:${KONNECT_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     depends_on:
       - kopano_ssl
       - web
-      # to be useful Konnect also need a running kopano_server, but this dependency cannot be added here since this would be a circular dependency
+      # to be useful Konnect also needs a running kopano_server, but this dependency cannot be added here since this would be a circular dependency
     volumes:
       - /etc/machine-id:/etc/machine-id
       - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
@@ -452,9 +505,12 @@ services:
     networks:
       - kopano-net
       - web-net
+    tmpfs:
+      - /tmp
 
   kopano_kwmserver:
     image: ${docker_repo:-zokradonh}/kopano_kwmserver:${KWM_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     command: wrapper.sh
     depends_on:
@@ -473,9 +529,12 @@ services:
       - kopanossl/:/kopano/ssl
     networks:
       - web-net
+    tmpfs:
+      - /tmp
 
   kopano_meet:
     image: ${docker_repo:-zokradonh}/kopano_meet:${MEET_VERSION:-latest}
+    read_only: true
     restart: unless-stopped
     environment:
       - KCCONF_MEET_disableFullGAB=false
@@ -493,9 +552,12 @@ services:
       - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
     networks:
       - web-net
+    tmpfs:
+      - /tmp
 
   kopano_scheduler:
     image: ${docker_repo:-zokradonh}/kopano_scheduler:${SCHEDULER_VERSION:-latest}
+    read_only: true
     restart: "no"
     container_name: ${COMPOSE_PROJECT_NAME}_scheduler
     networks:
@@ -515,6 +577,8 @@ services:
       - kopano_scheduler.env
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    tmpfs:
+      - /tmp
 
 volumes:
   kdavstates:

kdav/Dockerfile

@@ -81,6 +81,11 @@ RUN \
 
 COPY --from=builder /usr/share/kdav /usr/share/kdav
 
+# tweaks to make the container read-only
+RUN \
+    mv /usr/share/kdav/config.php /usr/share/kdav/config.php.dist && \
+    ln -s /tmp/config.php /usr/share/kdav/config.php
+
 EXPOSE 80/tcp
 
 COPY start.sh /kopano/start.sh

kdav/start.sh

@@ -8,6 +8,7 @@ ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES:-""}
 set -eu # unset variables are errors & non-zero return values exit the whole script
 [ "$DEBUG" ] && set -x
 
+# TODO this is not compatible with a read-only container
 ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@@ -20,16 +21,20 @@ done
 echo "Ensure directories"
 mkdir -p /run/sessions
 
+CONFIG_PHP=/tmp/config.php
+# copy latest config template. This should be the mount point for preexisting config files.
+cp /usr/share/kdav/config.php.dist $CONFIG_PHP
+
 if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then
 	echo "kDAV is using the default: connection"
 else
 	echo "kDAV is using an ip connection"
 	sed -e "s#define([\"']MAPI_SERVER[\"'],\s*[\"']default:[\"'])#define('MAPI_SERVER', 'https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano')#" \
-		-i /usr/share/kdav/config.php
+		-i $CONFIG_PHP
 fi
 
 # change root uri to /kdav
-sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i /usr/share/kdav/config.php
+sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i $CONFIG_PHP
 
 echo "Ensure config ownership"
 chown -R www-data:www-data /run/sessions
@@ -40,10 +45,8 @@ dockerize \
 	-wait file:///var/lib/dbus/machine-id
 
 touch /var/log/kdav/kdav.log
-touch /var/log/kdav/kdav-error.log
+chown www-data:www-data /var/log/kdav/kdav.log
-chown www-data:www-data /var/log/kdav/kdav.log /var/log/kdav/kdav-error.log
 tail --pid=$$ -F --lines=0 -q /var/log/kdav/kdav.log &
-tail --pid=$$ -F --lines=0 -q /var/log/kdav/kdav-error.log &
 
 echo "Starting Apache"
 rm -f /run/apache2/apache2.pid

konnect/wrapper.sh

@@ -78,7 +78,8 @@ if [ "${allow_client_guests:-}" = "yes" ]; then
 
 	echo "Patching identifier registration for use of the Meet guest mode"
 	/usr/local/bin/konnectd utils jwk-from-pem --use sig "$eckey" > /tmp/jwk-meet.json
-	CONFIG_JSON=/etc/kopano/konnectd-identifier-registration.yaml
+	cp /etc/kopano/konnectd-identifier-registration.yaml /tmp/konnectd-identifier-registration.yaml
+	CONFIG_JSON=/tmp/konnectd-identifier-registration.yaml
 	#yq -y ".clients += [{\"id\": \"grapi-explorer.js\", \"name\": \"Grapi Explorer\", \"application_type\": \"web\", \"trusted\": true, \"insecure\": true, \"redirect_uris\": [\"http://$FQDNCLEANED:3000/\"]}]" $CONFIG_JSON | sponge $CONFIG_JSON
 	yq -y ".clients += [{\"id\": \"kpop-https://${FQDN%/*}/meet/\", \"name\": \"Kopano Meet\", \"application_type\": \"web\", \"trusted\": true, \"redirect_uris\": [\"https://${FQDN%/*}/meet/\"], \"trusted_scopes\": [\"konnect/guestok\", \"kopano/kwm\"], \"jwks\": {\"keys\": [{\"kty\": $(jq .kty /tmp/jwk-meet.json), \"use\": $(jq .use /tmp/jwk-meet.json), \"crv\": $(jq .crv /tmp/jwk-meet.json), \"d\": $(jq .d /tmp/jwk-meet.json), \"kid\": $(jq .kid /tmp/jwk-meet.json), \"x\": $(jq .x /tmp/jwk-meet.json), \"y\": $(jq .y /tmp/jwk-meet.json)}]},\"request_object_signing_alg\": \"ES256\"}]" $CONFIG_JSON | sponge $CONFIG_JSON
 	# TODO this last bit can likely go (but then we must default to a registry stored below /etc/kopano)

meet/Dockerfile

@@ -49,8 +49,10 @@ RUN \
         kopano-meet kopano-meet-webapp \
         ${ADDITIONAL_KOPANO_PACKAGES} \
         && \
-    cp /usr/share/doc/kopano-meet-webapp/config.json.in /usr/share/kopano-kweb/www/config/kopano/meet.json && \
+    rm -rf /var/cache/apt /var/lib/apt/lists && \
-    rm -rf /var/cache/apt /var/lib/apt/lists
+    # make configuration a symlink to prevent overwriting it
+    # TODO better would be to override its configuration in kweb.cfg
+    ln -s /tmp/meet.json /usr/share/kopano-kweb/www/config/kopano/meet.json
 
 COPY defaultconfigs/ start-service.sh /kopano/
 COPY goss.yaml /goss/

meet/defaultconfigs/meet.py

@@ -2,4 +2,4 @@ import os
 import kcconf
 
 # Override configs from environment variables
-kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/"))
+kcconf.configkopano(kcconf.parseenvironmentvariables(r"/tmp/kopano/"))

meet/start-service.sh

@@ -5,11 +5,16 @@ ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES:-""}
 set -eu # unset variables are errors & non-zero return values exit the whole script
 [ "$DEBUG" ] && set -x
 
+# copy configuration files to /tmp/kopano to prevent modification of mounted config files
+mkdir -p /tmp/kopano
+cp /etc/kopano/*.cfg /tmp/kopano
+
 if [ ! -e /kopano/"$SERVICE_TO_START".py ]; then
 	echo "Invalid service specified: $SERVICE_TO_START" | ts
 	exit 1
 fi
 
+# TODO how to best move this to /tmp? 
 echo "Configure service '$SERVICE_TO_START'" | ts
 /usr/bin/python3 /kopano/"$SERVICE_TO_START".py
 
@@ -22,7 +27,8 @@ if [ $# -gt 0 ]; then
 	exit
 fi
 
-CONFIG_JSON="/usr/share/kopano-kweb/www/config/kopano/meet.json"
+cp /usr/share/doc/kopano-meet-webapp/config.json.in /tmp/meet.json
+CONFIG_JSON="/tmp/meet.json"
 echo "Updating $CONFIG_JSON"
 for setting in $(compgen -A variable KCCONF_MEET); do
 	setting2=${setting#KCCONF_MEET_}
@@ -54,11 +60,12 @@ if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then
 	jq '.apps.enabled += ["kopano-webapp"]' $CONFIG_JSON | sponge $CONFIG_JSON
 fi
 
-sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg
+# todo do not replace here, but in a temp location
+sed s/\ *=\ */=/g /tmp/kopano/kwebd.cfg > /tmp/kweb-env
 # always disable tls
 export tls=no
 # shellcheck disable=SC2046
-export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n')
+export $(grep -v '^#' /tmp/kweb-env | xargs -d '\n')
 
 # services need to be aware of the machine-id
 dockerize \

scheduler/commander.yaml

@@ -1,5 +1,5 @@
 tests:
-  check mailbox language: # this needs a running kopano-server can can therefore not be executed in that container directly
+  check mailbox language: # this needs a running kopano-server and can can therefore not be executed in that container directly
     command: "docker exec kopano_server kopano-storeadm -C -n user10; docker exec kopano_server show-folders.py --user user10"
     exit-code: 0
     stdout:
@@ -12,13 +12,24 @@ tests:
     stdout:
       not-contains:
         - "WARNING: Unable to get user store entry id. User possibly has no store."
-  check mailbox language german: # this needs a running kopano-server can can therefore not be executed in that container directly
+  check mailbox language german: # this needs a running kopano-server and can can therefore not be executed in that container directly
-    command: "docker exec kopano_server kopano-storeadm -D user 11; docker exec kopano_server kopano-storeadm -C -l de_DE -n user11; docker exec kopano_server show-folders.py --user user11"
+    command: "docker exec kopano_server kopano-storeadm -D -n user11; docker exec kopano_server kopano-storeadm -C -l de_DE -n user11; docker exec kopano_server show-folders.py --user user11"
     exit-code: 0
     stdout:
       not-contains:
         - "Inbox"
         - "Drafts"
+      contains:
+        - "Posteingang"
+  check mailbox language dutch: # this needs a running kopano-server and can can therefore not be executed in that container directly
+    command: "docker exec kopano_server kopano-storeadm -D -n user12; docker exec kopano_server kopano-storeadm -C -l nl_NL -n user12; docker exec kopano_server show-folders.py --user user12"
+    exit-code: 0
+    stdout:
+      not-contains:
+        - "Inbox"
+        - "Drafts"
+      contains:
+        - "Postvak IN"
 #  test renaming of folders:
 #    command: docker exec kopano_server env KCCONF_ADMIN_DEFAULT_STORE_LOCALE=de_DE.UTF-8 /usr/bin/python3 /kopano/server.py && docker exec kopano_server kopano-storeadm -Y -n user12
 #    exit-code: 0

scheduler/start.sh

@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-cronfile=/etc/crontab
+cronfile=/tmp/crontab
 
 # purge existing entries from crontab
 true > "$cronfile"
@@ -15,7 +15,7 @@ done
 
 for cronvar in ${!CRONDELAYED_*}; do
 	cronvalue=${!cronvar}
-	echo "Adding $cronvalue to crontab"
+	echo "Adding $cronvalue to crontab (delayed)"
 	echo "$cronvalue" >> "$cronfile"
 done
 
@@ -26,7 +26,7 @@ dockerize \
 echo "creating public store"
 docker exec kopano_server kopano-storeadm -h default: -P || true
 
-# run sheduled cron jobs once
+echo "Running sheduled cron jobs once"
 for cronvar in ${!CRON_*}; do
 	cronvalue=${!cronvar}
 	croncommand=$(echo "$cronvalue" | cut -d ' ' -f 6-)
@@ -34,5 +34,5 @@ for cronvar in ${!CRON_*}; do
 	$croncommand
 done
 
-supercronic -test /etc/crontab
+supercronic -test $cronfile
-exec supercronic /etc/crontab
+exec supercronic $cronfile

webapp/Dockerfile

@@ -64,6 +64,13 @@ RUN \
         ${ADDITIONAL_KOPANO_WEBAPP_PLUGINS} \
     && rm -rf /var/cache/apt /var/lib/apt/lists
 
+# tweak to make the container read-only
+RUN mkdir -p /tmp/webapp/ && \
+    for i in /etc/kopano/webapp/* /etc/kopano/webapp/.[^.]*; do \
+        mv "$i" "$i.dist"; \
+        ln -s /tmp/webapp/"$(basename "$i")" "$i"; \
+    done
+
 COPY start.sh /kopano/start.sh
 COPY goss* /goss/
 

webapp/start.sh

@@ -12,8 +12,9 @@ set -eu # unset variables are errors & non-zero return values exit the whole scr
 # shellcheck source=php/start-helper.sh
 source /kopano/start-helper.sh
 
+# Hint: this is not compatible with a read-only container.
+# The general recommendation is to already build a container that has all required packages installed.
 ADDITIONAL_KOPANO_PACKAGES="$ADDITIONAL_KOPANO_PACKAGES $ADDITIONAL_KOPANO_WEBAPP_PLUGINS"
-
 ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@@ -25,6 +26,13 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 	fi
 done
 
+# copy latest config template
+mkdir -p /tmp/webapp/
+for i in /etc/kopano/webapp/*.dist /etc/kopano/webapp/.[^.]*.dist; do
+	filename=$(basename -- "$i")
+	cp "$i" "/tmp/webapp/${filename%.*}"
+done
+
 # Ensure directories exist
 mkdir -p /run/sessions /tmp/webapp
 
@@ -37,13 +45,13 @@ if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then
 	echo "Kopano WebApp is using the default: connection"
 else
 	echo "Kopano WebApp is using an ip connection"
-	php_cfg_gen /etc/kopano/webapp/config.php DEFAULT_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
+	php_cfg_gen /tmp/webapp/config.php DEFAULT_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
 fi
 
 # configuring webapp from env
 for setting in $(compgen -A variable KCCONF_WEBAPP_); do
 	setting2=${setting#KCCONF_WEBAPP_}
-	php_cfg_gen /etc/kopano/webapp/config.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/webapp/config.php "${setting2}" "${!setting}"
 done
 
 # configuring webapp plugins from env
@@ -52,7 +60,7 @@ for setting in $(compgen -A variable KCCONF_WEBAPPPLUGIN_); do
 	filename="${setting2%%_*}"
 	setting3=${setting#KCCONF_WEBAPPPLUGIN_${filename}_}
 	identifier="${filename,,}"
-	php_cfg_gen /etc/kopano/webapp/config-"$identifier".php "${setting3}" "${!setting}"
+	php_cfg_gen /tmp/webapp/config-"$identifier".php "${setting3}" "${!setting}"
 done
 
 echo "Ensure config ownership"

zpush/Dockerfile

@@ -61,6 +61,13 @@ RUN \
         ${ADDITIONAL_KOPANO_PACKAGES} \
     && rm -rf /var/cache/apt /var/lib/apt/lists
 
+# tweak to make the container read-only
+RUN mkdir -p /tmp/z-push/ && \
+    for i in /etc/z-push/*; do \
+        mv "$i" "$i.dist"; \
+        ln -s /tmp/z-push/"$(basename "$i")" "$i"; \
+    done
+
 COPY apache2-kopano.conf /etc/apache2/sites-available/kopano.conf
 
 # configure basics

zpush/start.sh

@@ -39,6 +39,8 @@ php_cfg_gen() {
 	fi
 }
 
+# Hint: this is not compatible with a read-only container.
+# The general recommendation is to already build a container that has all required packages installed.
 ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && apt update
 [ -n "${ADDITIONAL_KOPANO_PACKAGES// }" ] && for installpkg in $ADDITIONAL_KOPANO_PACKAGES; do
@@ -50,6 +52,13 @@ ADDITIONAL_KOPANO_PACKAGES=$(echo "$ADDITIONAL_KOPANO_PACKAGES" | tr -d '"')
 	fi
 done
 
+# copy latest config template
+mkdir -p /tmp/z-push/
+for i in /etc/z-push/*.dist; do
+	filename=$(basename -- "$i")
+	cp "$i" "/tmp/z-push/${filename%.*}"
+done
+
 # Ensure directories
 mkdir -p /run/sessions
 
@@ -62,58 +71,58 @@ if [ "$KCCONF_SERVERHOSTNAME" == "127.0.0.1" ]; then
 	echo "Z-Push is using the default: connection"
 else
 	echo "Z-Push is using an ip connection"
-	php_cfg_gen /etc/z-push/kopano.conf.php MAPI_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
+	php_cfg_gen /tmp/z-push/kopano.conf.php MAPI_SERVER "https://${KCCONF_SERVERHOSTNAME}:${KCCONF_SERVERPORT}/kopano"
 fi
 
 echo "Configuring Z-Push for use behind a reverse proxy"
-php_cfg_gen /etc/z-push/z-push.conf.php USE_CUSTOM_REMOTE_IP_HEADER HTTP_X_FORWARDED_FOR
+php_cfg_gen /tmp/z-push/z-push.conf.php USE_CUSTOM_REMOTE_IP_HEADER HTTP_X_FORWARDED_FOR
 
 # configuring z-push from env
 for setting in $(compgen -A variable KCCONF_ZPUSH_); do
 	setting2=${setting#KCCONF_ZPUSH_}
-	php_cfg_gen /etc/z-push/z-push.conf.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/z-push/z-push.conf.php "${setting2}" "${!setting}"
 done
 
 # configuring autodiscover
 for setting in $(compgen -A variable KCCONF_ZPUSHAUTODISCOVER_); do
 	setting2=${setting#KCCONF_ZPUSHAUTODISCOVER_}
-	php_cfg_gen /etc/z-push/autodiscover.conf.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/z-push/autodiscover.conf.php "${setting2}" "${!setting}"
 done
 
 # configuring z-push gabsync
-php_cfg_gen /etc/z-push/gabsync.conf.php USERNAME SYSTEM
+php_cfg_gen /tmp/z-push/gabsync.conf.php USERNAME SYSTEM
 
 for setting in $(compgen -A variable KCCONF_ZPUSHGABSYNC_); do
 	setting2=${setting#KCCONF_ZPUSHGAVSYNC_}
-	php_cfg_gen /etc/z-push/z-push.conf.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/z-push/z-push.conf.php "${setting2}" "${!setting}"
 done
 
 # configuring z-push sql state engine
 for setting in $(compgen -A variable KCCONF_ZPUSHSQL_); do
 	setting2=${setting#KCCONF_ZPUSHSQL_}
-	php_cfg_gen /etc/z-push/state-sql.conf.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/z-push/state-sql.conf.php "${setting2}" "${!setting}"
 done
 
 # configuring z-push memcached
 for setting in $(compgen -A variable KCCONF_ZPUSHMEMCACHED_); do
 	setting2=${setting#KCCONF_ZPUSHMEMCACHED_}
-	php_cfg_gen /etc/z-push/memcached.conf.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/z-push/memcached.conf.php "${setting2}" "${!setting}"
 done
 
 # configuring z-push gab2contacts
 for setting in $(compgen -A variable KCCONF_ZPUSHGA2CONTACTS_); do
 	setting2=${setting#KCCONF_ZPUSHSQL_}
-	php_cfg_gen /etc/z-push/gab2contacts.conf.php "${setting2}" "${!setting}"
+	php_cfg_gen /tmp/z-push/gab2contacts.conf.php "${setting2}" "${!setting}"
 done
 
 # configuring z-push shared folders
-perl -i -0pe 's/\$additionalFolders.*\);//s' /etc/z-push/z-push.conf.php
+perl -i -0pe 's/\$additionalFolders.*\);//s' /tmp/z-push/z-push.conf.php
-echo -e "  \$additionalFolders = array(" >> /etc/z-push/z-push.conf.php
+echo -e "  \$additionalFolders = array(" >> /tmp/z-push/z-push.conf.php
 echo "$ZPUSH_ADDITIONAL_FOLDERS" | jq -c '.[]' | while read -r folder; do
 	eval "$(echo "$folder" | jq -r '@sh "NAME=\(.name) ID=\(.id) TYPE=\(.type) FLAGS=\(.flags)"')"
 	echo -e "    array('store' => \"SYSTEM\", 'folderid' => \"$ID\", 'name' => \"$NAME\", 'type' => $TYPE, 'flags' => $FLAGS)," >> /etc/z-push/z-push.conf.php
 done
-echo -e '  );' >> /etc/z-push/z-push.conf.php
+echo -e '  );' >> /tmp/z-push/z-push.conf.php
 
 echo "Ensure config ownership"
 chown -R www-data:www-data /run/sessions
@@ -124,6 +133,7 @@ dockerize \
 	-wait file:///var/lib/dbus/machine-id
 
 echo "Activate z-push log rerouting"
+mkdir -p /var/log/z-push/
 touch /var/log/z-push/{z-push.log,z-push-error.log,autodiscover.log,autodiscover-error.log}
 chown -R www-data:www-data /var/log/z-push
 tail --pid=$$ -F --lines=0 -q /var/log/z-push/z-push.log &