From ead0acfdb088475b6d275094481689c260cdf9a5 Mon Sep 17 00:00:00 2001 From: Felix Bartels <1257835+fbartels@users.noreply.github.com> Date: Tue, 19 Nov 2019 13:55:11 +0100 Subject: [PATCH] Add a per setup unique machine-id (#257) * add mount for machine-id * services should check the availability of the machine id before starting * add a note to the readme * add new mounts to the multiserver example * add dockerize to kweb * fix meet demo --- README.md | 6 +- core/start-service.sh | 17 +- docker-compose.yml | 235 ++++++++++-------- .../kopano-multiserver/kopano-multiserver.yml | 67 ++--- examples/meet/docker-compose.yml | 87 ++++--- examples/meet/tests/startup-test/test.sh | 2 +- examples/meet/tests/test-container.yml | 10 +- kdav/start.sh | 5 + konnect/wrapper.sh | 3 + kwmserver/wrapper.sh | 5 + meet/start-service.sh | 9 +- web/Dockerfile | 5 + web/wrapper.sh | 5 + webapp/start.sh | 5 + zpush/start.sh | 5 + 15 files changed, 281 insertions(+), 185 deletions(-) diff --git a/README.md b/README.md index ae48aae..a6dbf37 100644 --- a/README.md +++ b/README.md 
@@ -128,9 +128,11 @@ The exposed ports of each container are defined in `docker-compose.ports.yml`. I To get a quick impression of Kopano this git repository bundles a locally build LDAP image with some example users. When using the docker-compose.yml in a production environment make sure to: -- either remove `ldap-demo/bootstrap/ldif/demo-users.ldif` from the locally built LDAP image or completely remove the local LDAP from the compose file +- switch to the non-demo ldap tree or completely remove the local LDAP from the compose file - adapt LDAP queries in .env to match you actual LDAP server and users -- all additional configuration of the Kopano components should be specified in the compose file and **not within the running container** +- all additional configuration of the Kopano components should be specified in the compose file/the env file/an override and **not within the running container** +- make sure that there is a unique machine-id for your deployment + - the default setup mounts the file from the host, if your host is running multiple installations of Kopano make sure to generate a unique value for each installation. #### Can I combine these Docker images with my existing environment? diff --git a/core/start-service.sh b/core/start-service.sh index 3d8c25f..c67e74a 100755 --- a/core/start-service.sh +++ b/core/start-service.sh @@ -40,6 +40,11 @@ if [ $# -gt 0 ]; then exit fi +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + # start regular service case "$SERVICE_TO_START" in server) @@ -89,7 +94,7 @@ server) ;; dagent) dockerize \ - -wait file://var/run/kopano/server.sock \ + -wait file:///var/run/kopano/server.sock \ -timeout 360s # cleaning up env variables unset "${!KCCONF_@}" 
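Review bot: The new `dockerize -wait file:///etc/machine-id` gate in core/start-service.sh only proves the path exists, not that it carries an id — systemd writes an empty /etc/machine-id to mean "uninitialized", and with the short volume syntax used in this patch Docker creates an empty directory at the mount target when the host file is missing, so the two most likely misconfigurations both pass while the README in the same patch asks for a unique value. The wait also relies on dockerize's default timeout rather than the `-timeout 360s` every other wait in this file passes, and whether a failed wait actually stops the service depends on a `set -e` that sits above the hunk. I would replace the wait with an explicit content check that fails loudly before the `case "$SERVICE_TO_START"` dispatch:
```shell
# services need to be aware of the machine-id; an empty file is systemd's
# "uninitialized" marker and a directory is what Docker creates for a missing
# bind-mount source, so require a non-empty regular file, not mere existence
for id_file in /etc/machine-id /var/lib/dbus/machine-id; do
	if [ ! -f "$id_file" ] || [ ! -s "$id_file" ]; then
		echo "$id_file is missing or empty; mount a unique machine-id (see README)" >&2
		exit 1
	fi
done
# … unchanged: case "$SERVICE_TO_START" in …
```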
@@ -145,12 +150,12 @@ kapi) if [ "$KCCONF_KAPID_INSECURE" = "yes" ]; then dockerize \ -skip-tls-verify \ - -wait file://var/run/kopano/grapi/notify.sock \ + -wait file:///var/run/kopano/grapi/notify.sock \ -wait "$KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER"/.well-known/openid-configuration \ -timeout 360s else dockerize \ - -wait file://var/run/kopano/grapi/notify.sock \ + -wait file:///var/run/kopano/grapi/notify.sock \ -wait "$KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER"/.well-known/openid-configuration \ -timeout 360s fi @@ -165,7 +170,7 @@ kapi) ;; monitor) dockerize \ - -wait file://var/run/kopano/server.sock \ + -wait file:///var/run/kopano/server.sock \ -timeout 360s # cleaning up env variables unset "${!KCCONF_@}" @@ -173,7 +178,7 @@ monitor) ;; search) dockerize \ - -wait file://var/run/kopano/server.sock \ + -wait file:///var/run/kopano/server.sock \ -timeout 360s # give kopano-server a moment to settler before starting search sleep 5 @@ -189,7 +194,7 @@ search) ;; spooler) dockerize \ - -wait file://var/run/kopano/server.sock \ + -wait file:///var/run/kopano/server.sock \ -wait tcp://"$KCCONF_SPOOLER_SMTP_SERVER":25 \ -timeout 1080s # cleaning up env variables diff --git a/docker-compose.yml b/docker-compose.yml index 2ca25fc..34c847e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,18 +5,20 @@ services: image: ${docker_repo:-zokradonh}/kopano_web:${KWEB_VERSION:-latest} restart: unless-stopped environment: + - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp} - EMAIL=${EMAIL:-off} - FQDN=${FQDNCLEANED?err} - - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp} command: wrapper.sh cap_drop: - ALL cap_add: - - NET_BIND_SERVICE - CHOWN + - NET_BIND_SERVICE - SETGID - SETUID volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - web:/.kweb networks: web-net: 
@@ -28,12 +30,12 @@ services: restart: unless-stopped container_name: ${COMPOSE_PROJECT_NAME}_ldap environment: - - LDAP_ORGANISATION=${LDAP_ORGANISATION} - - LDAP_DOMAIN=${LDAP_DOMAIN} - - LDAP_BASE_DN=${LDAP_BASE_DN} - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} - - LDAP_READONLY_USER=true + - LDAP_BASE_DN=${LDAP_BASE_DN} + - LDAP_DOMAIN=${LDAP_DOMAIN} + - LDAP_ORGANISATION=${LDAP_ORGANISATION} - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_USER_PASSWORD} + - LDAP_READONLY_USER=true env_file: - ldap.env command: "--loglevel info --copy-service" 
@@ -56,36 +58,36 @@ services: - mailstate:/var/mail-state - mtaconfig:/tmp/docker-mailserver/ environment: - - TZ=${TZ} - - ENABLE_SPAMASSASSIN=1 + - DMS_DEBUG=0 - ENABLE_CLAMAV=1 - ENABLE_FAIL2BAN=1 - - ENABLE_POSTGREY=1 - - ONE_DIR=1 - - DMS_DEBUG=0 - - SSL_TYPE=self-signed - ENABLE_LDAP=1 - - LDAP_SERVER_HOST=${LDAP_SERVER} - - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} + - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 + - ENABLE_POSTGREY=1 + - ENABLE_SASLAUTHD=1 + - ENABLE_SPAMASSASSIN=1 - LDAP_BIND_DN=${LDAP_BIND_DN} - LDAP_BIND_PW=${LDAP_BIND_PW} - - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER} - - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP} - LDAP_QUERY_FILTER_ALIAS=${LDAP_QUERY_FILTER_ALIAS} - LDAP_QUERY_FILTER_DOMAIN=${LDAP_QUERY_FILTER_DOMAIN} - - ENABLE_SASLAUTHD=1 - - SASLAUTHD_LDAP_SERVER=${LDAP_SERVER} + - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP} + - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER} + - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} + - LDAP_SERVER_HOST=${LDAP_SERVER} + - ONE_DIR=1 + - PERMIT_DOCKER=connected-networks + - POSTFIX_DAGENT=lmtp:kopano_dagent:2003 + - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS} + - REPORT_RECIPIENT=1 - SASLAUTHD_LDAP_BIND_DN=${LDAP_BIND_DN} + - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER} - SASLAUTHD_LDAP_PASSWORD=${LDAP_BIND_PW} - SASLAUTHD_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} - - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER} + - SASLAUTHD_LDAP_SERVER=${LDAP_SERVER} - SASLAUTHD_MECHANISMS=ldap - - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS} - SMTP_ONLY=1 - - PERMIT_DOCKER=connected-networks - - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 - - POSTFIX_DAGENT=lmtp:kopano_dagent:2003 - - REPORT_RECIPIENT=1 + - SSL_TYPE=self-signed + - TZ=${TZ} env_file: - mail.env networks: 
@@ -105,10 +107,10 @@ services: volumes: - mysql/:/var/lib/mysql environment: + - MYSQL_DATABASE=${MYSQL_DATABASE} + - MYSQL_PASSWORD=${MYSQL_PASSWORD} - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} - MYSQL_USER=${MYSQL_USER} - - MYSQL_PASSWORD=${MYSQL_PASSWORD} - - MYSQL_DATABASE=${MYSQL_DATABASE} env_file: - db.env healthcheck: 
@@ -136,35 +138,35 @@ services: container_name: ${COMPOSE_PROJECT_NAME}_server depends_on: - db - - ldap - - kopano_ssl - kopano_konnect + - kopano_ssl + - ldap environment: + - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES} + - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1} + - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8} + - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW} + - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN} + - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} + - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER} + - KCCONF_SERVER_COREDUMP_ENABLED=no + - KCCONF_SERVER_ENABLE_SSO=yes + - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE} + - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN} + - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE} + - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST} + - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD} + - KCCONF_SERVER_MYSQL_PORT=3306 + - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER} + - KCCONF_SERVER_PROXY_HEADER=* # delete line if webapp is not behind reverse proxy + - KCCONF_SERVER_SERVER_NAME=Kopano + - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem + - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server.pem + - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients + - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS} + - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1} - SERVICE_TO_START=server - TZ=${TZ} - - KCCONF_SERVER_COREDUMP_ENABLED=no - - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST} - - KCCONF_SERVER_MYSQL_PORT=3306 - - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE} - - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER} - - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD} - - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server.pem - - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem - - KCCONF_SERVER_SERVER_NAME=Kopano - - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients - - KCCONF_SERVER_PROXY_HEADER=* # delete line if webapp is not behind reverse proxy - - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS} 
- - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER} - - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN} - - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW} - - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} - - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1} - - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1} - - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES} - - KCCONF_SERVER_ENABLE_SSO=yes - - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN} - - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE} - - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8} env_file: - kopano_server.env networks: @@ -172,9 +174,11 @@ services: - ldap-net - web-net volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanodata/:/kopano/data - - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl kopano_webapp: image: ${docker_repo:-zokradonh}/kopano_webapp:${WEBAPP_VERSION:-latest} @@ -183,19 +187,21 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl - kopanowebapp/:/var/lib/kopano-webapp/ environment: - - TZ=${TZ} - ADDITIONAL_KOPANO_WEBAPP_PLUGINS=${ADDITIONAL_KOPANO_WEBAPP_PLUGINS} - - KCCONF_WEBAPP_OIDC_ISS=https://${FQDN} - KCCONF_WEBAPP_OIDC_CLIENT_ID=webapp + - KCCONF_WEBAPP_OIDC_ISS=https://${FQDN} + - TZ=${TZ} env_file: - kopano_webapp.env networks: - - web-net - kopano-net + - web-net kopano_zpush: image: ${docker_repo:-zokradonh}/kopano_zpush:${ZPUSH_VERSION:-latest} @@ -205,8 +211,10 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl - zpushstates/:/var/lib/z-push/ environment: - TZ=${TZ} 
@@ -216,8 +224,8 @@ services: env_file: - kopano_zpush.env networks: - - web-net - kopano-net + - web-net kopano_grapi: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} @@ -226,13 +234,15 @@ services: depends_on: - kopano_server volumes: - - kopanosocket/:/run/kopano + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanograpi/:/var/lib/kopano-grapi + - kopanosocket/:/run/kopano environment: + - KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no + - KCCONF_GRAPI_INSECURE=${INSECURE} - SERVICE_TO_START=grapi - TZ=${TZ} - - KCCONF_GRAPI_INSECURE=${INSECURE} - - KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no env_file: - kopano_grapi.env networks: @@ -246,15 +256,17 @@ services: depends_on: - kopano_grapi volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanodata/:/kopano/data - - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - - SERVICE_TO_START=kapi - - TZ=${TZ} + - KCCONF_KAPID_INSECURE=${INSECURE} - KCCONF_KAPID_LOG_LEVEL=DEBUG - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN} - - KCCONF_KAPID_INSECURE=${INSECURE} + - SERVICE_TO_START=kapi + - TZ=${TZ} env_file: - kopano_kapi.env networks: @@ -269,9 +281,11 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl - - kopanosocket/:/run/kopano + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kdavstates/:/var/lib/kopano/kdav + - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - TZ=${TZ} networks: 
@@ -284,13 +298,15 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: + - KCCONF_DAGENT_LOG_LEVEL=3 + - KCCONF_DAGENT_SSLKEY_FILE=/kopano/ssl/kopano_dagent.pem - SERVICE_TO_START=dagent - TZ=${TZ} - - KCCONF_DAGENT_SSLKEY_FILE=/kopano/ssl/kopano_dagent.pem - - KCCONF_DAGENT_LOG_LEVEL=3 env_file: - kopano_dagent.env networks: @@ -305,14 +321,16 @@ services: - kopano_server - mail volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - - SERVICE_TO_START=spooler - - TZ=${TZ} - KCCONF_SPOOLER_LOG_LEVEL=3 - KCCONF_SPOOLER_SMTP_SERVER=mail - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kopano_spooler.pem + - SERVICE_TO_START=spooler + - TZ=${TZ} env_file: - kopano_spooler.env networks: @@ -324,13 +342,15 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: + - KCCONF_GATEWAY_LOG_LEVEL=3 + - KCCONF_GATEWAY_SERVER_SOCKET=http://kopano_server:236/ - SERVICE_TO_START=gateway - TZ=${TZ} - - KCCONF_GATEWAY_SERVER_SOCKET=http://kopano_server:236/ - - KCCONF_GATEWAY_LOG_LEVEL=3 env_file: - kopano_gateway.env networks: @@ -342,12 +362,14 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: + - KCCONF_ICAL_SERVER_SOCKET=http://kopano_server:236/ - SERVICE_TO_START=ical - TZ=${TZ} - - KCCONF_ICAL_SERVER_SOCKET=http://kopano_server:236/ env_file: - kopano_ical.env networks: 
@@ -360,8 +382,10 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - SERVICE_TO_START=monitor - TZ=${TZ} @@ -377,9 +401,11 @@ services: depends_on: - kopano_server volumes: - - kopanossl/:/kopano/ssl - - kopanosocket/:/run/kopano + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanodata/:/kopano/data + - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - SERVICE_TO_START=search - TZ=${TZ} @@ -396,18 +422,20 @@ services: - web # to be useful Konnect also need a running kopano_server, but this dependency cannot be added here since this would be a circular dependency volumes: - - kopanossl/:/kopano/ssl + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - - FQDN=${FQDN} - - ecparam=/kopano/ssl/ecparam.pem - - eckey=/kopano/ssl/meet-kwmserver.pem - - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem - - encryption_secret_key=/kopano/ssl/konnectd-encryption.key - - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml - - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml - allow_client_guests=yes - allow_dynamic_client_registration=yes + - eckey=/kopano/ssl/meet-kwmserver.pem + - ecparam=/kopano/ssl/ecparam.pem + - encryption_secret_key=/kopano/ssl/konnectd-encryption.key + - FQDN=${FQDN} + - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml + - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml + - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem env_file: - kopano_konnect.env networks: 
@@ -422,13 +450,15 @@ services: - kopano_kapi - kopano_konnect environment: + - enable_guest_api=yes - INSECURE=${INSECURE} - oidc_issuer_identifier=https://${FQDN} - - enable_guest_api=yes - public_guest_access_regexp=^group/public/.* env_file: - kopano_kwmserver.env volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanossl/:/kopano/ssl networks: - web-net @@ -437,9 +467,9 @@ services: image: ${docker_repo:-zokradonh}/kopano_meet:${MEET_VERSION:-latest} restart: unless-stopped environment: - - SERVICE_TO_START=meet - KCCONF_MEET_disableFullGAB=false - KCCONF_MEET_guests_enabled=true + - SERVICE_TO_START=meet env_file: - kopano_meet.env depends_on: @@ -447,6 +477,9 @@ services: - kopano_konnect - kopano_kwmserver - web + volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id networks: - web-net @@ -462,35 +495,35 @@ services: - kopano_server - kopano_zpush environment: - - TZ=${TZ} - CRON_KOPANOUSERS=10 * * * * docker exec kopano_server kopano-admin --sync - CRON_ZPUSHGAB=0 22 * * * docker exec kopano_zpush z-push-gabsync -a sync - CRONDELAYED_KBACKUP=30 1 * * * docker run --rm -it --volumes-from kopano_server -v /root/kopano-backup:/kopano/path ${docker_repo:-zokradonh}/kopano_utils:${CORE_VERSION:-latest} kopano-backup -h - CRONDELAYED_SOFTDELETE=30 2 * * * docker exec kopano_server kopano-admin --purge-softdelete 30 + - TZ=${TZ} env_file: - kopano_scheduler.env volumes: - /var/run/docker.sock:/var/run/docker.sock:ro volumes: - web: + kdavstates: + kopanodata: + kopanograpi: + kopanosocket: + kopanossl: + kopanowebapp: ldap: - slapd: maildata: mailstate: mtaconfig: mysql: - kopanodata: - kopanograpi: - kopanossl: - kopanosocket: - kopanowebapp: + slapd: + web: zpushstates: - kdavstates: networks: - web-net: kopano-net: driver: bridge ldap-net: driver: bridge + web-net: 
diff --git a/examples/kopano-multiserver/kopano-multiserver.yml b/examples/kopano-multiserver/kopano-multiserver.yml index 070fbba..2dbf9fe 100644 --- a/examples/kopano-multiserver/kopano-multiserver.yml +++ b/examples/kopano-multiserver/kopano-multiserver.yml @@ -9,9 +9,9 @@ services: kopano_server: environment: - - KCCONF_SERVER_SERVER_NAME=kopano_server - - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true - KCCONF_ADMIN_SSLKEY_FILE=/kopano/ssl/admin.pem + - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true + - KCCONF_SERVER_SERVER_NAME=kopano_server kopano_server_2: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} 
@@ -19,36 +19,36 @@ services: container_name: ${COMPOSE_PROJECT_NAME}_server_2 depends_on: - db - - ldap - - kopano_ssl - kopano_konnect + - kopano_ssl + - ldap environment: + - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES} + - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1} + - KCCONF_ADMIN_SSLKEY_FILE=/kopano/ssl/admin.pem + - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW} + - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN} + - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} + - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER} + - KCCONF_SERVER_COREDUMP_ENABLED=no + - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true + - KCCONF_SERVER_ENABLE_SSO=yes + - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE} + - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN} + - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}2 + - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST} + - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD} + - KCCONF_SERVER_MYSQL_PORT=3306 + - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER} + - KCCONF_SERVER_PROXY_HEADER=* # delete line if webapp is not behind reverse proxy + - KCCONF_SERVER_SERVER_NAME=kopano_server_2 + - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem + - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server_2.pem + - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients + - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS} + - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1} - SERVICE_TO_START=server - TZ=${TZ} - - KCCONF_SERVER_COREDUMP_ENABLED=no - - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST} - - KCCONF_SERVER_MYSQL_PORT=3306 - - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}2 - - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER} - - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD} - - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server_2.pem - - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem - - KCCONF_SERVER_SERVER_NAME=kopano_server_2 - - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients - - KCCONF_SERVER_PROXY_HEADER=* # delete line if webapp is not behind reverse proxy - - 
KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS} - - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER} - - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN} - - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW} - - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE} - - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1} - - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1} - - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES} - - KCCONF_SERVER_ENABLE_SSO=yes - - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN} - - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE} - - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true - - KCCONF_ADMIN_SSLKEY_FILE=/kopano/ssl/admin.pem env_file: - kopano_server.env networks: @@ -56,9 +56,11 @@ services: - ldap-net - web-net volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanodata2/:/kopano/data - - kopanossl/:/kopano/ssl - kopanosocket2/:/run/kopano + - kopanossl/:/kopano/ssl kopano_spooler_2: image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest} @@ -70,14 +72,14 @@ services: - kopano_server_2 - mail volumes: - - kopanossl/:/kopano/ssl - kopanosocket2/:/run/kopano + - kopanossl/:/kopano/ssl environment: - - SERVICE_TO_START=spooler - - TZ=${TZ} - KCCONF_SPOOLER_LOG_LEVEL=3 - KCCONF_SPOOLER_SMTP_SERVER=mail - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kopano_spooler.pem + - SERVICE_TO_START=spooler + - TZ=${TZ} env_file: - kopano_spooler.env networks: @@ -87,7 +89,6 @@ services: depends_on: - kopano_server_2 environment: - - TZ=${TZ} - CRON_KOPANOUSERS2=10 * * * * docker exec kopano_server_2 kopano-admin --sync volumes: diff --git a/examples/meet/docker-compose.yml b/examples/meet/docker-compose.yml index 09853da..4297819 100644 --- a/examples/meet/docker-compose.yml +++ b/examples/meet/docker-compose.yml 
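Review bot: `kopano_spooler_2` in this example does not receive the machine-id mounts that `kopano_server_2` gets in the hunk above, yet it runs the same kopano_core image whose start-service.sh now blocks on `dockerize -wait file:///etc/machine-id` before dispatching any service (see the core/start-service.sh hunk in this patch). Unless the image itself ships a machine-id, that wait will time out and the second spooler will not come up. Add `- /etc/machine-id:/etc/machine-id:ro` and `- /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro` to its volumes, matching the other services.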
@@ -9,18 +9,20 @@ services: - "${HTTP:-80}:80" - "${HTTPS:-443}:443" environment: + - DEFAULTREDIRECT=/meet - EMAIL=${EMAIL:-off} - FQDN=${FQDNCLEANED?err} - - DEFAULTREDIRECT=/meet command: wrapper.sh cap_drop: - ALL cap_add: - - NET_BIND_SERVICE - CHOWN + - NET_BIND_SERVICE - SETGID - SETUID volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - web:/.kweb networks: web-net: @@ -32,12 +34,12 @@ services: restart: unless-stopped container_name: ${COMPOSE_PROJECT_NAME}_ldap environment: - - LDAP_ORGANISATION=${LDAP_ORGANISATION} - - LDAP_DOMAIN=${LDAP_DOMAIN} - - LDAP_BASE_DN=${LDAP_BASE_DN} - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} - - LDAP_READONLY_USER=true + - LDAP_BASE_DN=${LDAP_BASE_DN} + - LDAP_DOMAIN=${LDAP_DOMAIN} + - LDAP_ORGANISATION=${LDAP_ORGANISATION} - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_USER_PASSWORD} + - LDAP_READONLY_USER=true command: "--loglevel info --copy-service" volumes: - ldap:/var/lib/ldap @@ -58,16 +60,18 @@ services: restart: unless-stopped container_name: ${COMPOSE_PROJECT_NAME}_grapi volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanosocket/:/run/kopano environment: - - SERVICE_TO_START=grapi - - TZ=${TZ} - ADDITIONAL_KOPANO_PACKAGES=python3-grapi.backend.ldap - GRAPI_BACKEND=ldap - - LDAP_URI=${LDAP_SERVER} + - LDAP_BASEDN=${LDAP_SEARCH_BASE} - LDAP_BINDDN=${LDAP_BIND_DN} - LDAP_BINDPW=${LDAP_BIND_PW} - - LDAP_BASEDN=${LDAP_SEARCH_BASE} + - LDAP_URI=${LDAP_SERVER} + - SERVICE_TO_START=grapi + - TZ=${TZ} networks: - kopano-net - ldap-net 
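Review bot: The machine-id bind mounts added to the web service here, and to every other service in this example file, are read-write, which lets a container overwrite the host's `/etc/machine-id` even though the id is only read. Append `:ro` to both entries, e.g. `- /etc/machine-id:/etc/machine-id:ro` and `- /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro`; this example is a separate file from the main docker-compose.yml, so it needs the same fix independently.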
@@ -79,15 +83,17 @@ services: depends_on: - kopano_grapi volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanodata/:/kopano/data - - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - - SERVICE_TO_START=kapi - - TZ=${TZ} + - KCCONF_KAPID_INSECURE=${INSECURE} - KCCONF_KAPID_LOG_LEVEL=DEBUG - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN} - - KCCONF_KAPID_INSECURE=${INSECURE} + - SERVICE_TO_START=kapi + - TZ=${TZ} networks: - kopano-net - web-net 
@@ -99,29 +105,31 @@ services: - kopano_ssl - web volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanossl/:/kopano/ssl environment: - - FQDN=${FQDN} - - ecparam=/kopano/ssl/ecparam.pem - - eckey=/kopano/ssl/meet-kwmserver.pem - - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem - - encryption_secret_key=/kopano/ssl/konnectd-encryption.key - - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml - - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml - allow_client_guests=yes - allow_dynamic_client_registration=yes + - eckey=/kopano/ssl/meet-kwmserver.pem + - ecparam=/kopano/ssl/ecparam.pem + - encryption_secret_key=/kopano/ssl/konnectd-encryption.key + - FQDN=${FQDN} + - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml + - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml - KONNECT_BACKEND=ldap - - LDAP_URI=${LDAP_SERVER} + - LDAP_BASEDN=${LDAP_SEARCH_BASE} - LDAP_BINDDN=${LDAP_BIND_DN} - LDAP_BINDPW=${LDAP_BIND_PW} - - LDAP_BASEDN=${LDAP_SEARCH_BASE} - - LDAP_SCOPE=sub - - LDAP_LOGIN_ATTRIBUTE=uid - LDAP_EMAIL_ATTRIBUTE=mail - - LDAP_NAME_ATTRIBUTE=cn - - LDAP_UUID_ATTRIBUTE=uidNumber - - LDAP_UUID_ATTRIBUTE_TYPE=text - LDAP_FILTER=(objectClass=organizationalPerson) + - LDAP_LOGIN_ATTRIBUTE=uid + - LDAP_NAME_ATTRIBUTE=cn + - LDAP_SCOPE=sub + - LDAP_URI=${LDAP_SERVER} + - LDAP_UUID_ATTRIBUTE_TYPE=text + - LDAP_UUID_ATTRIBUTE=uidNumber + - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem networks: - kopano-net - ldap-net 
@@ -135,13 +143,15 @@ services: - kopano_kapi - kopano_konnect environment: + - enable_guest_api=yes - INSECURE=${INSECURE} - oidc_issuer_identifier=https://${FQDN} - - enable_guest_api=yes - public_guest_access_regexp=^group/public/.* - - turn_service_credentials_user=${TURN_USER} - turn_service_credentials_password=${TURN_PASSWORD} + - turn_service_credentials_user=${TURN_USER} volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id - kopanossl/:/kopano/ssl networks: - web-net @@ -150,30 +160,33 @@ services: image: ${docker_repo:-kopano}/kopano_meet:${MEET_VERSION:-latest} restart: unless-stopped environment: - - SERVICE_TO_START=meet - KCCONF_MEET_disableFullGAB=false + - KCCONF_MEET_GRID_WEBAPP=no - KCCONF_MEET_guests_enabled=true - KCCONF_MEET_useIdentifiedUser=true - - KCCONF_MEET_GRID_WEBAPP=no + - SERVICE_TO_START=meet depends_on: - kopano_kapi - kopano_konnect - kopano_kwmserver - web + volumes: + - /etc/machine-id:/etc/machine-id + - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id networks: - web-net volumes: - web: + kopanodata: + kopanosocket: + kopanossl: ldap: slapd: - kopanodata: - kopanossl: - kopanosocket: + web: networks: - web-net: kopano-net: driver: bridge ldap-net: driver: bridge + web-net: diff --git a/examples/meet/tests/startup-test/test.sh b/examples/meet/tests/startup-test/test.sh index f22a99b..d1fd2b0 100755 --- a/examples/meet/tests/startup-test/test.sh +++ b/examples/meet/tests/startup-test/test.sh @@ -5,7 +5,7 @@ set -ex # waits for key events in various containers # e.g. kopano_server:236 signals succesful start of kopano-server process dockerize \ - -wait file://var/run/kopano/grapi/notify.sock \ + -wait file:///var/run/kopano/grapi/notify.sock \ -wait http://kopano_konnect:8777/.well-known/openid-configuration \ -wait tcp://kopano_kwmserver:8778 \ -wait tcp://kopano_meet:9080 \ 
diff --git a/examples/meet/tests/test-container.yml b/examples/meet/tests/test-container.yml index a1db920..1b5cedc 100644 --- a/examples/meet/tests/test-container.yml +++ b/examples/meet/tests/test-container.yml @@ -11,9 +11,13 @@ services: - ldap-net - web-net volumes: - - kopanodata/:/kopano/data - - kopanossl/:/kopano/ssl - - kopanosocket/:/run/kopano - /var/run/docker.sock:/var/run/docker.sock:ro + - kopanodata/:/kopano/data + - kopanosocket/:/run/kopano + - kopanossl/:/kopano/ssl environment: - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST} + ldap: + tmpfs: + - /var/lib/ldap + - /etc/ldap/slapd.d diff --git a/kdav/start.sh b/kdav/start.sh index a481801..38d0a91 100755 --- a/kdav/start.sh +++ b/kdav/start.sh @@ -34,6 +34,11 @@ sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i /u echo "Ensure config ownership" chown -R www-data:www-data /run/sessions +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + touch /var/log/kdav/kdav.log touch /var/log/kdav/kdav-error.log chown www-data:www-data /var/log/kdav/kdav.log /var/log/kdav/kdav-error.log diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh index 0a456dc..a1c0cda 100755 --- a/konnect/wrapper.sh +++ b/konnect/wrapper.sh @@ -88,9 +88,12 @@ if [ -n "${LDAP_BINDPW_FILE:-}" ]; then export LDAP_BINDPW="${bindpw}" fi +# services need to be aware of the machine-id dockerize \ -wait file://"${signing_private_key:?}" \ -wait file://"${encryption_secret_key:?}" \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id \ -timeout 360s exec konnectd serve \ --signing-private-key="${signing_private_key:?}" \ diff --git a/kwmserver/wrapper.sh b/kwmserver/wrapper.sh index 6d406d7..27da12e 100755 --- a/kwmserver/wrapper.sh +++ b/kwmserver/wrapper.sh 
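Review bot: The machine-id wait added to kdav/start.sh uses dockerize's default timeout while the konnect wrapper in the same patch passes `-timeout 360s`, and, since `-wait file://` as far as I can tell only checks that the path can be stat'ed, it also accepts the empty directory Docker creates at the mount target when the host file is absent. A plain shell check is more precise here: `[ -s /etc/machine-id ] && [ -s /var/lib/dbus/machine-id ] || { echo "machine-id missing or empty" >&2; exit 1; }`. The check currently runs after `chown -R www-data:www-data /run/sessions`; moving it to the top of the script fails fast before anything is mutated (whether the script runs under `set -e` is outside the hunk).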
@@ -76,6 +76,11 @@ else -timeout 360s fi +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + exec /usr/local/bin/docker-entrypoint.sh serve \ --registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \ "$@" diff --git a/meet/start-service.sh b/meet/start-service.sh index e5fa0a4..6959285 100755 --- a/meet/start-service.sh +++ b/meet/start-service.sh @@ -43,12 +43,17 @@ if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then jq '.apps += {"enabled": ["kopano-webapp", "kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON fi -#cat $CONFIG_JSON - sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg +# always disable tls export tls=no # shellcheck disable=SC2046 export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n') + +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + # cleaning up env variables unset "${!KCCONF_@}" exec kopano-kwebd serve diff --git a/web/Dockerfile b/web/Dockerfile index 7cbd16b..c3c4e2e 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -22,6 +22,11 @@ ENV KWEBD_DNS_KDAV="kopano_kdav" ENV KWEBD_DNS_GRAPI="kopano_grapi" ENV KWEBD_DNS_ICAL="kopano_ical" +ENV DOCKERIZE_VERSION v0.6.1 +RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ + && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ + && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz + COPY wrapper.sh /usr/local/bin COPY kweb.cfg /etc/kweb.cfg diff --git a/web/wrapper.sh b/web/wrapper.sh index 605a0b5..46c2ad5 100755 --- a/web/wrapper.sh +++ b/web/wrapper.sh @@ -2,4 +2,9 @@ set -e +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + exec kwebd caddy -conf /etc/kweb.cfg -agree 
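Review bot: The `RUN wget … dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz` in web/Dockerfile installs a binary into `/usr/local/bin` with no integrity check; the version is pinned, but a git tag and a release asset can both be replaced upstream, so the build trusts whatever GitHub serves at that moment. Pin the asset's sha256 next to the version and verify before extracting — the digest must be taken from the upstream release (the value below is a placeholder, not a real hash), and busybox `sha256sum -c` is available in the Alpine base the asset name implies. The `-v` on tar only adds noise to build logs and can go.
```dockerfile
ENV DOCKERIZE_VERSION v0.6.1
# sha256 of dockerize-alpine-linux-amd64-v0.6.1.tar.gz, copied from the upstream release;
# the build aborts if the downloaded asset no longer matches it
ENV DOCKERIZE_SHA256 <fill in from the release page>
RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
	&& echo "$DOCKERIZE_SHA256  dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz" | sha256sum -c - \
	&& tar -C /usr/local/bin -xzf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
	&& rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
```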
diff --git a/webapp/start.sh b/webapp/start.sh index c14b05e..92d7c3d 100755 --- a/webapp/start.sh +++ b/webapp/start.sh @@ -53,6 +53,11 @@ done echo "Ensure config ownership" chown -R www-data:www-data /run/sessions /tmp/webapp +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + set +u # cleaning up env variables unset "${!KCCONF_@}" diff --git a/zpush/start.sh b/zpush/start.sh index df9eb29..1077271 100755 --- a/zpush/start.sh +++ b/zpush/start.sh @@ -113,6 +113,11 @@ echo -e ' );' >> /etc/z-push/z-push.conf.php echo "Ensure config ownership" chown -R www-data:www-data /run/sessions +# services need to be aware of the machine-id +dockerize \ + -wait file:///etc/machine-id \ + -wait file:///var/lib/dbus/machine-id + echo "Activate z-push log rerouting" touch /var/log/z-push/{z-push.log,z-push-error.log,autodiscover.log,autodiscover-error.log} chown -R www-data:www-data /var/log/z-push