Add a per setup unique machine-id (#257)

* add mount for machine-id
* services should check the availability of the machine id before starting
* add a note to the readme
* add new mounts to the multiserver example
* add dockerize to kweb
* fix meet demo

README.md

@@ -128,9 +128,11 @@ The exposed ports of each container are defined in `docker-compose.ports.yml`. I
 
 To get a quick impression of Kopano this git repository bundles a locally build LDAP image with some example users. When using the docker-compose.yml in a production environment make sure to:
 
-- either remove `ldap-demo/bootstrap/ldif/demo-users.ldif` from the locally built LDAP image or completely remove the local LDAP from the compose file
+- switch to the non-demo ldap tree or completely remove the local LDAP from the compose file
 - adapt LDAP queries in .env to match you actual LDAP server and users
-- all additional configuration of the Kopano components should be specified in the compose file and **not within the running container**
+- all additional configuration of the Kopano components should be specified in the compose file/the env file/an override and **not within the running container**
+- make sure that there is a unique machine-id for your deployment
+  - the default setup mounts the file from the host, if your host is running multiple installations of Kopano make sure to generate a unique value for each installation.
 
 #### Can I combine these Docker images with my existing environment?
 

core/start-service.sh

@@ -40,6 +40,11 @@ if [ $# -gt 0 ]; then
 	exit
 fi
 
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 # start regular service
 case "$SERVICE_TO_START" in
 server)
@@ -89,7 +94,7 @@ server)
 	;;
 dagent)
 	dockerize \
-		-wait file://var/run/kopano/server.sock \
+		-wait file:///var/run/kopano/server.sock \
 		-timeout 360s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
@@ -145,12 +150,12 @@ kapi)
 	if [ "$KCCONF_KAPID_INSECURE" = "yes" ]; then
 		dockerize \
 		-skip-tls-verify \
-		-wait file://var/run/kopano/grapi/notify.sock \
+		-wait file:///var/run/kopano/grapi/notify.sock \
 		-wait "$KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER"/.well-known/openid-configuration \
 		-timeout 360s
 	else
 		dockerize \
-		-wait file://var/run/kopano/grapi/notify.sock \
+		-wait file:///var/run/kopano/grapi/notify.sock \
 		-wait "$KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER"/.well-known/openid-configuration \
 		-timeout 360s
 	fi
@@ -165,7 +170,7 @@ kapi)
 	;;
 monitor)
 	dockerize \
-		-wait file://var/run/kopano/server.sock \
+		-wait file:///var/run/kopano/server.sock \
 		-timeout 360s
 	# cleaning up env variables
 	unset "${!KCCONF_@}"
@@ -173,7 +178,7 @@ monitor)
 	;;
 search)
 	dockerize \
-		-wait file://var/run/kopano/server.sock \
+		-wait file:///var/run/kopano/server.sock \
 		-timeout 360s
 	# give kopano-server a moment to settler before starting search
 	sleep 5
@@ -189,7 +194,7 @@ search)
 	;;
 spooler)
 	dockerize \
-		-wait file://var/run/kopano/server.sock \
+		-wait file:///var/run/kopano/server.sock \
 		-wait tcp://"$KCCONF_SPOOLER_SMTP_SERVER":25 \
 		-timeout 1080s
 	# cleaning up env variables

docker-compose.yml

@@ -5,18 +5,20 @@ services:
     image: ${docker_repo:-zokradonh}/kopano_web:${KWEB_VERSION:-latest}
     restart: unless-stopped
     environment:
+      - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp}
       - EMAIL=${EMAIL:-off}
       - FQDN=${FQDNCLEANED?err}
-      - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp}
     command: wrapper.sh
     cap_drop:
       - ALL
     cap_add:
-      - NET_BIND_SERVICE
       - CHOWN
+      - NET_BIND_SERVICE
       - SETGID
       - SETUID
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - web:/.kweb
     networks:
       web-net:
@@ -28,12 +30,12 @@ services:
     restart: unless-stopped
     container_name: ${COMPOSE_PROJECT_NAME}_ldap
     environment:
-      - LDAP_ORGANISATION=${LDAP_ORGANISATION}
-      - LDAP_DOMAIN=${LDAP_DOMAIN}
-      - LDAP_BASE_DN=${LDAP_BASE_DN}
       - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
-      - LDAP_READONLY_USER=true
+      - LDAP_BASE_DN=${LDAP_BASE_DN}
+      - LDAP_DOMAIN=${LDAP_DOMAIN}
+      - LDAP_ORGANISATION=${LDAP_ORGANISATION}
       - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_USER_PASSWORD}
+      - LDAP_READONLY_USER=true
     env_file:
       - ldap.env
     command: "--loglevel info --copy-service"
@@ -56,36 +58,36 @@ services:
       - mailstate:/var/mail-state
       - mtaconfig:/tmp/docker-mailserver/
     environment:
-      - TZ=${TZ}
+      - DMS_DEBUG=0
-      - ENABLE_SPAMASSASSIN=1
       - ENABLE_CLAMAV=1
       - ENABLE_FAIL2BAN=1
-      - ENABLE_POSTGREY=1
-      - ONE_DIR=1
-      - DMS_DEBUG=0
-      - SSL_TYPE=self-signed
       - ENABLE_LDAP=1
-      - LDAP_SERVER_HOST=${LDAP_SERVER}
+      - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1
-      - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
+      - ENABLE_POSTGREY=1
+      - ENABLE_SASLAUTHD=1
+      - ENABLE_SPAMASSASSIN=1
       - LDAP_BIND_DN=${LDAP_BIND_DN}
       - LDAP_BIND_PW=${LDAP_BIND_PW}
-      - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER}
-      - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP}
       - LDAP_QUERY_FILTER_ALIAS=${LDAP_QUERY_FILTER_ALIAS}
       - LDAP_QUERY_FILTER_DOMAIN=${LDAP_QUERY_FILTER_DOMAIN}
-      - ENABLE_SASLAUTHD=1
+      - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP}
-      - SASLAUTHD_LDAP_SERVER=${LDAP_SERVER}
+      - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER}
+      - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
+      - LDAP_SERVER_HOST=${LDAP_SERVER}
+      - ONE_DIR=1
+      - PERMIT_DOCKER=connected-networks
+      - POSTFIX_DAGENT=lmtp:kopano_dagent:2003
+      - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
+      - REPORT_RECIPIENT=1
       - SASLAUTHD_LDAP_BIND_DN=${LDAP_BIND_DN}
+      - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
       - SASLAUTHD_LDAP_PASSWORD=${LDAP_BIND_PW}
       - SASLAUTHD_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
-      - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
+      - SASLAUTHD_LDAP_SERVER=${LDAP_SERVER}
       - SASLAUTHD_MECHANISMS=ldap
-      - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
       - SMTP_ONLY=1
-      - PERMIT_DOCKER=connected-networks
+      - SSL_TYPE=self-signed
-      - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1
+      - TZ=${TZ}
-      - POSTFIX_DAGENT=lmtp:kopano_dagent:2003
-      - REPORT_RECIPIENT=1
     env_file:
       - mail.env
     networks:
@@ -105,10 +107,10 @@ services:
     volumes:
       - mysql/:/var/lib/mysql
     environment:
+      - MYSQL_DATABASE=${MYSQL_DATABASE}
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
       - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
       - MYSQL_USER=${MYSQL_USER}
-      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
-      - MYSQL_DATABASE=${MYSQL_DATABASE}
     env_file:
       - db.env
     healthcheck:
@@ -136,35 +138,35 @@ services:
     container_name: ${COMPOSE_PROJECT_NAME}_server
     depends_on:
       - db
-      - ldap
-      - kopano_ssl
       - kopano_konnect
+      - kopano_ssl
+      - ldap
     environment:
+      - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
+      - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
+      - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8}
+      - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW}
+      - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN}
+      - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
+      - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER}
+      - KCCONF_SERVER_COREDUMP_ENABLED=no
+      - KCCONF_SERVER_ENABLE_SSO=yes
+      - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE}
+      - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN}
+      - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}
+      - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST}
+      - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD}
+      - KCCONF_SERVER_MYSQL_PORT=3306
+      - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER}
+      - KCCONF_SERVER_PROXY_HEADER=*  # delete line if webapp is not behind reverse proxy
+      - KCCONF_SERVER_SERVER_NAME=Kopano
+      - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem
+      - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server.pem
+      - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients
+      - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS}
+      - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1}
       - SERVICE_TO_START=server
       - TZ=${TZ}
-      - KCCONF_SERVER_COREDUMP_ENABLED=no
-      - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST}
-      - KCCONF_SERVER_MYSQL_PORT=3306
-      - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}
-      - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER}
-      - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD}
-      - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server.pem
-      - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem
-      - KCCONF_SERVER_SERVER_NAME=Kopano
-      - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients
-      - KCCONF_SERVER_PROXY_HEADER=*  # delete line if webapp is not behind reverse proxy
-      - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS}
-      - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER}
-      - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN}
-      - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW}
-      - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
-      - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1}
-      - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
-      - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
-      - KCCONF_SERVER_ENABLE_SSO=yes
-      - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN}
-      - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE}
-      - KCCONF_ADMIN_DEFAULT_STORE_LOCALE=${MAILBOXLANG:-en_US.UTF-8}
     env_file:
       - kopano_server.env
     networks:
@@ -172,9 +174,11 @@ services:
       - ldap-net
       - web-net
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanodata/:/kopano/data
-      - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
 
   kopano_webapp:
     image: ${docker_repo:-zokradonh}/kopano_webapp:${WEBAPP_VERSION:-latest}
@@ -183,19 +187,21 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
       - kopanowebapp/:/var/lib/kopano-webapp/
     environment:
-      - TZ=${TZ}
       - ADDITIONAL_KOPANO_WEBAPP_PLUGINS=${ADDITIONAL_KOPANO_WEBAPP_PLUGINS}
-      - KCCONF_WEBAPP_OIDC_ISS=https://${FQDN}
       - KCCONF_WEBAPP_OIDC_CLIENT_ID=webapp
+      - KCCONF_WEBAPP_OIDC_ISS=https://${FQDN}
+      - TZ=${TZ}
     env_file:
       - kopano_webapp.env
     networks:
-      - web-net
       - kopano-net
+      - web-net
 
   kopano_zpush:
     image: ${docker_repo:-zokradonh}/kopano_zpush:${ZPUSH_VERSION:-latest}
@@ -205,8 +211,10 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
       - zpushstates/:/var/lib/z-push/
     environment:
       - TZ=${TZ}
@@ -216,8 +224,8 @@ services:
     env_file:
       - kopano_zpush.env
     networks:
-      - web-net
       - kopano-net
+      - web-net
 
   kopano_grapi:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
@@ -226,13 +234,15 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanosocket/:/run/kopano
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanograpi/:/var/lib/kopano-grapi
+      - kopanosocket/:/run/kopano
     environment:
+      - KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no
+      - KCCONF_GRAPI_INSECURE=${INSECURE}
       - SERVICE_TO_START=grapi
       - TZ=${TZ}
-      - KCCONF_GRAPI_INSECURE=${INSECURE}
-      - KCCONF_GRAPI_ENABLE_EXPERIMENTAL_ENDPOINTS=no
     env_file:
       - kopano_grapi.env
     networks:
@@ -246,15 +256,17 @@ services:
     depends_on:
       - kopano_grapi
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanodata/:/kopano/data
-      - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
-      - SERVICE_TO_START=kapi
+      - KCCONF_KAPID_INSECURE=${INSECURE}
-      - TZ=${TZ}
       - KCCONF_KAPID_LOG_LEVEL=DEBUG
       - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN}
-      - KCCONF_KAPID_INSECURE=${INSECURE}
+      - SERVICE_TO_START=kapi
+      - TZ=${TZ}
     env_file:
       - kopano_kapi.env
     networks:
@@ -269,9 +281,11 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
-      - kopanosocket/:/run/kopano
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kdavstates/:/var/lib/kopano/kdav
+      - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
       - TZ=${TZ}
     networks:
@@ -284,13 +298,15 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
+      - KCCONF_DAGENT_LOG_LEVEL=3
+      - KCCONF_DAGENT_SSLKEY_FILE=/kopano/ssl/kopano_dagent.pem
       - SERVICE_TO_START=dagent
       - TZ=${TZ}
-      - KCCONF_DAGENT_SSLKEY_FILE=/kopano/ssl/kopano_dagent.pem
-      - KCCONF_DAGENT_LOG_LEVEL=3
     env_file:
       - kopano_dagent.env
     networks:
@@ -305,14 +321,16 @@ services:
       - kopano_server
       - mail
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
-      - SERVICE_TO_START=spooler
-      - TZ=${TZ}
       - KCCONF_SPOOLER_LOG_LEVEL=3
       - KCCONF_SPOOLER_SMTP_SERVER=mail
       - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kopano_spooler.pem
+      - SERVICE_TO_START=spooler
+      - TZ=${TZ}
     env_file:
       - kopano_spooler.env
     networks:
@@ -324,13 +342,15 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
+      - KCCONF_GATEWAY_LOG_LEVEL=3
+      - KCCONF_GATEWAY_SERVER_SOCKET=http://kopano_server:236/
       - SERVICE_TO_START=gateway
       - TZ=${TZ}
-      - KCCONF_GATEWAY_SERVER_SOCKET=http://kopano_server:236/
-      - KCCONF_GATEWAY_LOG_LEVEL=3
     env_file:
       - kopano_gateway.env
     networks:
@@ -342,12 +362,14 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
+      - KCCONF_ICAL_SERVER_SOCKET=http://kopano_server:236/
       - SERVICE_TO_START=ical
       - TZ=${TZ}
-      - KCCONF_ICAL_SERVER_SOCKET=http://kopano_server:236/
     env_file:
       - kopano_ical.env
     networks:
@@ -360,8 +382,10 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
       - SERVICE_TO_START=monitor
       - TZ=${TZ}
@@ -377,9 +401,11 @@ services:
     depends_on:
       - kopano_server
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
-      - kopanosocket/:/run/kopano
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanodata/:/kopano/data
+      - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
       - SERVICE_TO_START=search
       - TZ=${TZ}
@@ -396,18 +422,20 @@ services:
       - web
       # to be useful Konnect also need a running kopano_server, but this dependency cannot be added here since this would be a circular dependency
     volumes:
-      - kopanossl/:/kopano/ssl
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
-      - FQDN=${FQDN}
-      - ecparam=/kopano/ssl/ecparam.pem
-      - eckey=/kopano/ssl/meet-kwmserver.pem
-      - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
-      - encryption_secret_key=/kopano/ssl/konnectd-encryption.key
-      - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
-      - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
       - allow_client_guests=yes
       - allow_dynamic_client_registration=yes
+      - eckey=/kopano/ssl/meet-kwmserver.pem
+      - ecparam=/kopano/ssl/ecparam.pem
+      - encryption_secret_key=/kopano/ssl/konnectd-encryption.key
+      - FQDN=${FQDN}
+      - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
+      - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
+      - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
     env_file:
       - kopano_konnect.env
     networks:
@@ -422,13 +450,15 @@ services:
       - kopano_kapi
       - kopano_konnect
     environment:
+      - enable_guest_api=yes
       - INSECURE=${INSECURE}
       - oidc_issuer_identifier=https://${FQDN}
-      - enable_guest_api=yes
       - public_guest_access_regexp=^group/public/.*
     env_file:
       - kopano_kwmserver.env
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanossl/:/kopano/ssl
     networks:
       - web-net
@@ -437,9 +467,9 @@ services:
     image: ${docker_repo:-zokradonh}/kopano_meet:${MEET_VERSION:-latest}
     restart: unless-stopped
     environment:
-      - SERVICE_TO_START=meet
       - KCCONF_MEET_disableFullGAB=false
       - KCCONF_MEET_guests_enabled=true
+      - SERVICE_TO_START=meet
     env_file:
       - kopano_meet.env
     depends_on:
@@ -447,6 +477,9 @@ services:
       - kopano_konnect
       - kopano_kwmserver
       - web
+    volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
     networks:
       - web-net
 
@@ -462,35 +495,35 @@ services:
       - kopano_server
       - kopano_zpush
     environment:
-      - TZ=${TZ}
       - CRON_KOPANOUSERS=10 * * * * docker exec kopano_server kopano-admin --sync
       - CRON_ZPUSHGAB=0 22 * * * docker exec kopano_zpush z-push-gabsync -a sync
       - CRONDELAYED_KBACKUP=30 1 * * * docker run --rm -it --volumes-from kopano_server -v /root/kopano-backup:/kopano/path ${docker_repo:-zokradonh}/kopano_utils:${CORE_VERSION:-latest} kopano-backup -h
       - CRONDELAYED_SOFTDELETE=30 2 * * * docker exec kopano_server kopano-admin --purge-softdelete 30
+      - TZ=${TZ}
     env_file:
       - kopano_scheduler.env
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
 volumes:
-  web:
+  kdavstates:
+  kopanodata:
+  kopanograpi:
+  kopanosocket:
+  kopanossl:
+  kopanowebapp:
   ldap:
-  slapd:
   maildata:
   mailstate:
   mtaconfig:
   mysql:
-  kopanodata:
+  slapd:
-  kopanograpi:
+  web:
-  kopanossl:
-  kopanosocket:
-  kopanowebapp:
   zpushstates:
-  kdavstates:
 
 networks:
-  web-net:
   kopano-net:
     driver: bridge
   ldap-net:
     driver: bridge
+  web-net:

examples/kopano-multiserver/kopano-multiserver.yml

@@ -9,9 +9,9 @@ services:
 
   kopano_server:
     environment:
-      - KCCONF_SERVER_SERVER_NAME=kopano_server
-      - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true
       - KCCONF_ADMIN_SSLKEY_FILE=/kopano/ssl/admin.pem
+      - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true
+      - KCCONF_SERVER_SERVER_NAME=kopano_server
 
   kopano_server_2:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
@@ -19,36 +19,36 @@ services:
     container_name: ${COMPOSE_PROJECT_NAME}_server_2
     depends_on:
       - db
-      - ldap
-      - kopano_ssl
       - kopano_konnect
+      - kopano_ssl
+      - ldap
     environment:
+      - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
+      - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
+      - KCCONF_ADMIN_SSLKEY_FILE=/kopano/ssl/admin.pem
+      - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW}
+      - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN}
+      - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
+      - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER}
+      - KCCONF_SERVER_COREDUMP_ENABLED=no
+      - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true
+      - KCCONF_SERVER_ENABLE_SSO=yes
+      - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE}
+      - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN}
+      - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}2
+      - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST}
+      - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD}
+      - KCCONF_SERVER_MYSQL_PORT=3306
+      - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER}
+      - KCCONF_SERVER_PROXY_HEADER=* # delete line if webapp is not behind reverse proxy
+      - KCCONF_SERVER_SERVER_NAME=kopano_server_2
+      - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem
+      - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server_2.pem
+      - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients
+      - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS}
+      - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1}
       - SERVICE_TO_START=server
       - TZ=${TZ}
-      - KCCONF_SERVER_COREDUMP_ENABLED=no
-      - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST}
-      - KCCONF_SERVER_MYSQL_PORT=3306
-      - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE}2
-      - KCCONF_SERVER_MYSQL_USER=${MYSQL_USER}
-      - KCCONF_SERVER_MYSQL_PASSWORD=${MYSQL_PASSWORD}
-      - KCCONF_SERVER_SERVER_SSL_KEY_FILE=/kopano/ssl/kopano_server_2.pem
-      - KCCONF_SERVER_SERVER_SSL_CA_FILE=/kopano/ssl/ca.pem
-      - KCCONF_SERVER_SERVER_NAME=kopano_server_2
-      - KCCONF_SERVER_SSLKEYS_PATH=/kopano/ssl/clients
-      - KCCONF_SERVER_PROXY_HEADER=* # delete line if webapp is not behind reverse proxy
-      - KCCONF_SERVER_SYSTEM_EMAIL_ADDRESS=${POSTMASTER_ADDRESS}
-      - KCCONF_LDAP_LDAP_URI=${LDAP_SERVER}
-      - KCCONF_LDAP_LDAP_BIND_USER=${LDAP_BIND_DN}
-      - KCCONF_LDAP_LDAP_BIND_PASSWD=${LDAP_BIND_PW}
-      - KCCONF_LDAP_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
-      - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1}
-      - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1}
-      - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES}
-      - KCCONF_SERVER_ENABLE_SSO=yes
-      - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN}
-      - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE}
-      - KCCONF_SERVER_ENABLE_DISTRIBUTED_KOPANO=true
-      - KCCONF_ADMIN_SSLKEY_FILE=/kopano/ssl/admin.pem
     env_file:
       - kopano_server.env
     networks:
@@ -56,9 +56,11 @@ services:
       - ldap-net
       - web-net
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanodata2/:/kopano/data
-      - kopanossl/:/kopano/ssl
       - kopanosocket2/:/run/kopano
+      - kopanossl/:/kopano/ssl
 
   kopano_spooler_2:
     image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
@@ -70,14 +72,14 @@ services:
       - kopano_server_2
       - mail
     volumes:
-      - kopanossl/:/kopano/ssl
       - kopanosocket2/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
-      - SERVICE_TO_START=spooler
-      - TZ=${TZ}
       - KCCONF_SPOOLER_LOG_LEVEL=3
       - KCCONF_SPOOLER_SMTP_SERVER=mail
       - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kopano_spooler.pem
+      - SERVICE_TO_START=spooler
+      - TZ=${TZ}
     env_file:
       - kopano_spooler.env
     networks:
@@ -87,7 +89,6 @@ services:
     depends_on:
       - kopano_server_2
     environment:
-      - TZ=${TZ}
       - CRON_KOPANOUSERS2=10 * * * * docker exec kopano_server_2 kopano-admin --sync
 
 volumes:

examples/meet/docker-compose.yml

@@ -9,18 +9,20 @@ services:
       - "${HTTP:-80}:80"
       - "${HTTPS:-443}:443"
     environment:
+      - DEFAULTREDIRECT=/meet
       - EMAIL=${EMAIL:-off}
       - FQDN=${FQDNCLEANED?err}
-      - DEFAULTREDIRECT=/meet
     command: wrapper.sh
     cap_drop:
       - ALL
     cap_add:
-      - NET_BIND_SERVICE
       - CHOWN
+      - NET_BIND_SERVICE
       - SETGID
       - SETUID
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - web:/.kweb
     networks:
       web-net:
@@ -32,12 +34,12 @@ services:
     restart: unless-stopped
     container_name: ${COMPOSE_PROJECT_NAME}_ldap
     environment:
-      - LDAP_ORGANISATION=${LDAP_ORGANISATION}
-      - LDAP_DOMAIN=${LDAP_DOMAIN}
-      - LDAP_BASE_DN=${LDAP_BASE_DN}
       - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
-      - LDAP_READONLY_USER=true
+      - LDAP_BASE_DN=${LDAP_BASE_DN}
+      - LDAP_DOMAIN=${LDAP_DOMAIN}
+      - LDAP_ORGANISATION=${LDAP_ORGANISATION}
       - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_USER_PASSWORD}
+      - LDAP_READONLY_USER=true
     command: "--loglevel info --copy-service"
     volumes:
       - ldap:/var/lib/ldap
@@ -58,16 +60,18 @@ services:
     restart: unless-stopped
     container_name: ${COMPOSE_PROJECT_NAME}_grapi
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanosocket/:/run/kopano
     environment:
-      - SERVICE_TO_START=grapi
-      - TZ=${TZ}
       - ADDITIONAL_KOPANO_PACKAGES=python3-grapi.backend.ldap
       - GRAPI_BACKEND=ldap
-      - LDAP_URI=${LDAP_SERVER}
+      - LDAP_BASEDN=${LDAP_SEARCH_BASE}
       - LDAP_BINDDN=${LDAP_BIND_DN}
       - LDAP_BINDPW=${LDAP_BIND_PW}
-      - LDAP_BASEDN=${LDAP_SEARCH_BASE}
+      - LDAP_URI=${LDAP_SERVER}
+      - SERVICE_TO_START=grapi
+      - TZ=${TZ}
     networks:
       - kopano-net
       - ldap-net
@@ -79,15 +83,17 @@ services:
     depends_on:
       - kopano_grapi
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanodata/:/kopano/data
-      - kopanossl/:/kopano/ssl
       - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
-      - SERVICE_TO_START=kapi
+      - KCCONF_KAPID_INSECURE=${INSECURE}
-      - TZ=${TZ}
       - KCCONF_KAPID_LOG_LEVEL=DEBUG
       - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN}
-      - KCCONF_KAPID_INSECURE=${INSECURE}
+      - SERVICE_TO_START=kapi
+      - TZ=${TZ}
     networks:
       - kopano-net
       - web-net
@@ -99,29 +105,31 @@ services:
       - kopano_ssl
       - web
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanossl/:/kopano/ssl
     environment:
-      - FQDN=${FQDN}
-      - ecparam=/kopano/ssl/ecparam.pem
-      - eckey=/kopano/ssl/meet-kwmserver.pem
-      - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
-      - encryption_secret_key=/kopano/ssl/konnectd-encryption.key
-      - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
-      - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
       - allow_client_guests=yes
       - allow_dynamic_client_registration=yes
+      - eckey=/kopano/ssl/meet-kwmserver.pem
+      - ecparam=/kopano/ssl/ecparam.pem
+      - encryption_secret_key=/kopano/ssl/konnectd-encryption.key
+      - FQDN=${FQDN}
+      - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
+      - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
       - KONNECT_BACKEND=ldap
-      - LDAP_URI=${LDAP_SERVER}
+      - LDAP_BASEDN=${LDAP_SEARCH_BASE}
       - LDAP_BINDDN=${LDAP_BIND_DN}
       - LDAP_BINDPW=${LDAP_BIND_PW}
-      - LDAP_BASEDN=${LDAP_SEARCH_BASE}
-      - LDAP_SCOPE=sub
-      - LDAP_LOGIN_ATTRIBUTE=uid
       - LDAP_EMAIL_ATTRIBUTE=mail
-      - LDAP_NAME_ATTRIBUTE=cn
-      - LDAP_UUID_ATTRIBUTE=uidNumber
-      - LDAP_UUID_ATTRIBUTE_TYPE=text
       - LDAP_FILTER=(objectClass=organizationalPerson)
+      - LDAP_LOGIN_ATTRIBUTE=uid
+      - LDAP_NAME_ATTRIBUTE=cn
+      - LDAP_SCOPE=sub
+      - LDAP_URI=${LDAP_SERVER}
+      - LDAP_UUID_ATTRIBUTE_TYPE=text
+      - LDAP_UUID_ATTRIBUTE=uidNumber
+      - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
     networks:
       - kopano-net
       - ldap-net
@@ -135,13 +143,15 @@ services:
       - kopano_kapi
       - kopano_konnect
     environment:
+      - enable_guest_api=yes
       - INSECURE=${INSECURE}
       - oidc_issuer_identifier=https://${FQDN}
-      - enable_guest_api=yes
       - public_guest_access_regexp=^group/public/.*
-      - turn_service_credentials_user=${TURN_USER}
       - turn_service_credentials_password=${TURN_PASSWORD}
+      - turn_service_credentials_user=${TURN_USER}
     volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
       - kopanossl/:/kopano/ssl
     networks:
       - web-net
@@ -150,30 +160,33 @@ services:
     image: ${docker_repo:-kopano}/kopano_meet:${MEET_VERSION:-latest}
     restart: unless-stopped
     environment:
-      - SERVICE_TO_START=meet
       - KCCONF_MEET_disableFullGAB=false
+      - KCCONF_MEET_GRID_WEBAPP=no
       - KCCONF_MEET_guests_enabled=true
       - KCCONF_MEET_useIdentifiedUser=true
-      - KCCONF_MEET_GRID_WEBAPP=no
+      - SERVICE_TO_START=meet
     depends_on:
       - kopano_kapi
       - kopano_konnect
       - kopano_kwmserver
       - web
+    volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /var/lib/dbus/machine-id:/var/lib/dbus/machine-id
     networks:
       - web-net
 
 volumes:
-  web:
+  kopanodata:
+  kopanosocket:
+  kopanossl:
   ldap:
   slapd:
-  kopanodata:
+  web:
-  kopanossl:
-  kopanosocket:
 
 networks:
-  web-net:
   kopano-net:
     driver: bridge
   ldap-net:
     driver: bridge
+  web-net:

examples/meet/tests/startup-test/test.sh

@@ -5,7 +5,7 @@ set -ex
 # waits for key events in various containers
 # e.g. kopano_server:236 signals succesful start of kopano-server process
 dockerize \
-	-wait file://var/run/kopano/grapi/notify.sock \
+	-wait file:///var/run/kopano/grapi/notify.sock \
 	-wait http://kopano_konnect:8777/.well-known/openid-configuration \
 	-wait tcp://kopano_kwmserver:8778 \
 	-wait tcp://kopano_meet:9080 \

examples/meet/tests/test-container.yml

@@ -11,9 +11,13 @@ services:
       - ldap-net
       - web-net
     volumes:
-      - kopanodata/:/kopano/data
-      - kopanossl/:/kopano/ssl
-      - kopanosocket/:/run/kopano
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - kopanodata/:/kopano/data
+      - kopanosocket/:/run/kopano
+      - kopanossl/:/kopano/ssl
     environment:
       - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST}
+  ldap:
+    tmpfs:
+      - /var/lib/ldap
+      - /etc/ldap/slapd.d

kdav/start.sh

@@ -34,6 +34,11 @@ sed -e "s#define('DAV_ROOT_URI', '/');#define('DAV_ROOT_URI', '/kdav/');#" -i /u
 echo "Ensure config ownership"
 chown -R www-data:www-data /run/sessions
 
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 touch /var/log/kdav/kdav.log
 touch /var/log/kdav/kdav-error.log
 chown www-data:www-data /var/log/kdav/kdav.log /var/log/kdav/kdav-error.log

konnect/wrapper.sh

@@ -88,9 +88,12 @@ if [ -n "${LDAP_BINDPW_FILE:-}" ]; then
 	export LDAP_BINDPW="${bindpw}"
 fi
 
+# services need to be aware of the machine-id
 dockerize \
 	-wait file://"${signing_private_key:?}" \
 	-wait file://"${encryption_secret_key:?}" \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id \
 	-timeout 360s
 exec konnectd serve \
 	--signing-private-key="${signing_private_key:?}" \

kwmserver/wrapper.sh

@@ -76,6 +76,11 @@ else
 	-timeout 360s
 fi
 
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 exec /usr/local/bin/docker-entrypoint.sh serve \
 	--registration-conf /kopano/ssl/konnectd-identifier-registration.yaml \
 	"$@"

meet/start-service.sh

@@ -43,12 +43,17 @@ if [ "${GRID_WEBAPP:-yes}" = "yes" ]; then
 	jq '.apps += {"enabled": ["kopano-webapp", "kopano-konnect"]}' $CONFIG_JSON | sponge $CONFIG_JSON
 fi
 
-#cat $CONFIG_JSON
-
 sed -i s/\ *=\ */=/g /etc/kopano/kwebd.cfg
+# always disable tls
 export tls=no
 # shellcheck disable=SC2046
 export $(grep -v '^#' /etc/kopano/kwebd.cfg | xargs -d '\n')
+
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 # cleaning up env variables
 unset "${!KCCONF_@}"
 exec kopano-kwebd serve

web/Dockerfile

@@ -22,6 +22,11 @@ ENV KWEBD_DNS_KDAV="kopano_kdav"
 ENV KWEBD_DNS_GRAPI="kopano_grapi"
 ENV KWEBD_DNS_ICAL="kopano_ical"
 
+ENV DOCKERIZE_VERSION v0.6.1
+RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
+    && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
+
 COPY wrapper.sh /usr/local/bin
 COPY kweb.cfg /etc/kweb.cfg
 

web/wrapper.sh

@@ -2,4 +2,9 @@
 
 set -e
 
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 exec kwebd caddy -conf /etc/kweb.cfg -agree

webapp/start.sh

@@ -53,6 +53,11 @@ done
 echo "Ensure config ownership"
 chown -R www-data:www-data /run/sessions /tmp/webapp
 
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 set +u
 # cleaning up env variables
 unset "${!KCCONF_@}"

zpush/start.sh

@@ -113,6 +113,11 @@ echo -e '  );' >> /etc/z-push/z-push.conf.php
 echo "Ensure config ownership"
 chown -R www-data:www-data /run/sessions
 
+# services need to be aware of the machine-id
+dockerize \
+	-wait file:///etc/machine-id \
+	-wait file:///var/lib/dbus/machine-id
+
 echo "Activate z-push log rerouting"
 touch /var/log/z-push/{z-push.log,z-push-error.log,autodiscover.log,autodiscover-error.log}
 chown -R www-data:www-data /var/log/z-push