From 897a0df433101ec35c033cfe815b67d68c79f0b0 Mon Sep 17 00:00:00 2001
From: "osboxes.org"
Date: Fri, 22 Feb 2019 06:15:10 -0500
Subject: [PATCH 1/3] on centos7 the file is created only with -rw------- which makes konnect startup fail
---
 ssl/start.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ssl/start.sh b/ssl/start.sh
index ad4c36a..1a9055c 100755
--- a/ssl/start.sh
+++ b/ssl/start.sh
@@ -33,6 +33,7 @@ signkey="/kopano/ssl/konnectd-tokens-signing-key.pem"
 if [ ! -f $signkey ]; then
 echo "creating new token signing key"
 openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096
+ chmod go+r $signkey.tmp
 mv $signkey.tmp $signkey
 fi
From 7680cfc76f28144a042bc472ae396cf3d4230feb Mon Sep 17 00:00:00 2001
From: "osboxes.org"
Date: Fri, 22 Feb 2019 08:08:52 -0500
Subject: [PATCH 2/3] alternative approach to internal name resolution obsoletes EXTRA_HOST
---
 setup.sh | 6 ------
 web/Dockerfile | 3 +++
 web/kweb.cfg | 4 ++--
 3 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/setup.sh b/setup.sh
index c03cdb3..d7f5c0c 100755
--- a/setup.sh
+++ b/setup.sh
@@ -117,11 +117,6 @@ if [ ! -e ./.env ]; then
 read -p "FQDN to be used (for reverse proxy) [$value_default]: " new_value
 FQDN=${new_value:-$value_default}
- LOCALIP=$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p')
- value_default="$LOCALIP"
- read -p "IP of your primary network interface (used to ensure to always resolve the FQDN) [$value_default]: " new_value
- FQDNIP=${new_value:-$value_default}
-
 value_default="self_signed"
 read -p "Email address to use for Lets Encrypt. Use 'self_signed' as your email to create self signed certificates.
@@ -318,7 +313,6 @@ HTTPS=443
 LDAPPORT=389
 # Settings for test environments
-EXTRAHOSTS=$FQDN:$FQDNIP
 INSECURE=$INSECURE
 # Docker Repository to push to/pull from
diff --git a/web/Dockerfile b/web/Dockerfile
index 53381c9..d1388b0 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
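Review bot: `chmod go+r $signkey.tmp` makes the konnectd token-signing private key readable by every uid in every container that mounts the `kopanossl` volume, which is far broader than fixing the startup failure requires — anyone who can read that file can mint valid tokens. Grant read access to the identity konnectd runs as rather than to the world, e.g. `chmod 640 "$signkey.tmp"` together with a `chgrp`/`chown` to the konnect user or group (its uid/gid is not visible in this patch, so confirm it against the konnect image), and do it before the `mv` as the patch already does so the key is never exposed under its final name. Quoting `"$signkey.tmp"` also keeps the command safe if the path ever contains whitespace. The surrounding script continues outside the hunk, so whether `set -e` protects the `chmod`/`mv` sequence cannot be seen here.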
@@ -3,6 +3,9 @@ FROM kopano/kwebd:${CODE_VERSION} ARG CODE_VERSION ENV CODE_VERSION="${CODE_VERSION}" +ENV KWEBD_USER root +ENV KWEBD_GROUP root +USER root COPY wrapper.sh /usr/local/bin COPY kweb.cfg /etc/kweb.cfg diff --git a/web/kweb.cfg b/web/kweb.cfg index c18baff..19455bc 100644 --- a/web/kweb.cfg +++ b/web/kweb.cfg @@ -1,8 +1,8 @@ -:8080 { +:80 { redir / https://{host}{uri} } -*, :8443 { +*, :443 { log stdout errors stdout From 53a5b0868c137ae752052affef207191a21c213f Mon Sep 17 00:00:00 2001 From: "osboxes.org" Date: Fri, 22 Feb 2019 08:10:47 -0500 Subject: [PATCH 3/3] also commit changes to compose --- docker-compose.yml-example | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/docker-compose.yml-example b/docker-compose.yml-example index 4c085a7..df1fa63 100644 --- a/docker-compose.yml-example +++ b/docker-compose.yml-example @@ -7,16 +7,25 @@ services: restart: always ports: - "2015:2015" - - "${HTTP}:8080" - - "${HTTPS}:8443" + - "${HTTP}:80" + - "${HTTPS}:443" environment: - EMAIL=${EMAIL} - FQDN=${FQDN} command: wrapper.sh + cap_drop: + - ALL + cap_add: + - NET_BIND_SERVICE + - CHOWN + - SETGID + - SETUID volumes: - web:/.kweb networks: - - web-net + web-net: + aliases: + - ${FQDN} ldap: image: ${docker_repo:?err}/kopano_ldap_demo @@ -209,8 +218,7 @@ services: networks: - kopano-net - ldap-net - extra_hosts: - - ${EXTRAHOSTS} + - web-net volumes: - kopanodata/:/kopano/data - kopanossl/:/kopano/ssl @@ -270,8 +278,6 @@ services: - KCCONF_KAPID_LOG_LEVEL=DEBUG - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN} - KCCONF_KAPID_INSECURE=${INSECURE} - extra_hosts: - - ${EXTRAHOSTS} networks: - kopano-net - web-net @@ -388,8 +394,6 @@ services: - oidc_issuer_identifier=https://${FQDN} volumes: - kopanossl/:/kopano/ssl - extra_hosts: - - ${EXTRAHOSTS} networks: - web-net
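Review bot: `USER root` together with `ENV KWEBD_USER root` / `ENV KWEBD_GROUP root` turns the Internet-facing reverse proxy into a root process solely so it can bind :80/:443, discarding whatever unprivileged user the `kopano/kwebd` base image configures. A narrower fix is to keep the base image's user and give only the binary the bind capability, e.g. `RUN setcap cap_net_bind_service=+ep <path-to-kwebd>` (the binary's path is not visible here and the image needs `setcap` available), which pairs with the `NET_BIND_SERVICE` the compose change in this series adds and removes the need for `CHOWN`/`SETUID`/`SETGID`. If root really is required, use the `ENV KWEBD_USER=root` form (the space-separated form is deprecated) and add a comment such as `# runs as root only to bind 80/443; kwebd drops to KWEBD_USER after binding` — or state that it does not drop privileges, whichever is true, since I cannot tell from the hunk. Whether a later `USER` instruction switches back is outside the hunk.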
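Review bot: The web service is now a root process (per the web/Dockerfile change in this series) holding `SETUID`/`SETGID`/`CHOWN`, but nothing in the hunk stops it from gaining further privileges through setuid binaries; add `security_opt: ["no-new-privileges:true"]` alongside the `cap_drop` block. If kwebd binds and then drops to an unprivileged user, `NET_BIND_SERVICE` plus `SETUID`/`SETGID` is the expected set, but if it stays root as `KWEBD_USER root` suggests, `CHOWN`/`SETUID`/`SETGID` are unused and should be dropped too — which case applies is not visible here. The new alias `- ${FQDN}` should fail loudly when FQDN is unset rather than yielding a null list entry; `- ${FQDN:?err}` matches the `${docker_repo:?err}` convention already used in this file.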
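Review bot: Attaching the server to `- web-net` is what lets it resolve `${FQDN}` through the alias on the web service, but it also places the core server on the same network as the reverse proxy, so every container on `web-net` can reach the server's listening ports directly rather than only through the proxy. If that wider reachability is intended, record the reason next to the line, e.g. `# web-net: lets ${FQDN} resolve to the web container via its network alias (replaces extra_hosts)`, so a later reader does not remove it or treat it as accidental exposure. Whether the server publishes ports or relies on network isolation is defined outside the hunk.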