From 040af10182a4392e9f8558dc1ec35b261f024164 Mon Sep 17 00:00:00 2001 From: Christian Kniep Date: Thu, 22 Jul 2021 15:09:31 +0200 Subject: [PATCH 1/4] example of container-fs read-only --- 21.0/apache/Dockerfile | 52 +++++++++++++++++++++++++--------- 21.0/apache/docker-compose.yml | 41 +++++++++++++++++++++++++++ 21.0/apache/entrypoint.sh | 25 ++++++++-------- 3 files changed, 93 insertions(+), 25 deletions(-) create mode 100644 21.0/apache/docker-compose.yml diff --git a/21.0/apache/Dockerfile b/21.0/apache/Dockerfile index cbabaf92..e90e30b6 100644 --- a/21.0/apache/Dockerfile +++ b/21.0/apache/Dockerfile @@ -1,6 +1,10 @@ # DO NOT EDIT: created by update.sh from Dockerfile-debian.template FROM php:7.4-apache-buster +ENV NEXTCLOUD_VERSION 21.0.3 +ENV PHP_MEMORY_LIMIT 512M +ENV PHP_UPLOAD_LIMIT 512M + # entrypoint.sh and cron.sh dependencies RUN set -ex; \ \ @@ -17,8 +21,6 @@ RUN set -ex; \ # install the PHP extensions we need # see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html -ENV PHP_MEMORY_LIMIT 512M -ENV PHP_UPLOAD_LIMIT 512M RUN set -ex; \ \ savedAptMark="$(apt-mark showmanual)"; \ @@ -121,7 +123,6 @@ RUN a2enmod headers rewrite remoteip ;\ } > /etc/apache2/conf-available/remoteip.conf;\ a2enconf remoteip -ENV NEXTCLOUD_VERSION 21.0.3 RUN set -ex; \ fetchDeps=" \ 
@@ -139,19 +140,44 @@ RUN set -ex; \ # gpg key from https://nextcloud.com/nextcloud.asc gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \ gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \ - tar -xjf nextcloud.tar.bz2 -C /usr/src/; \ - gpgconf --kill all; \ + tar -xjf nextcloud.tar.bz2 --strip-components=1 -C . \ +&& gpgconf --kill all; \ rm nextcloud.tar.bz2.asc nextcloud.tar.bz2; \ - rm -rf "$GNUPGHOME" /usr/src/nextcloud/updater; \ - mkdir -p /usr/src/nextcloud/data; \ - mkdir -p /usr/src/nextcloud/custom_apps; \ - chmod +x /usr/src/nextcloud/occ; \ + rm -rf "$GNUPGHOME" /var/www/html/updater; \ + chmod +x /var/www/html/occ; \ \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/* \ + && mkdir -p /usr/src/nextcloud \ + && mv /var/www/html/themes /usr/src/nextcloud/ \ + && mv /var/www/html/config /usr/src/nextcloud/ -COPY *.sh upgrade.exclude / +### Volumes +# to store the pid +VOLUME /run/apache2 +# /tmp for session data +VOLUME /tmp +####### +# A volume for each directory within the nextcloud installation, so that +# 1/ each one can be swapped out with a persistent volume +# 2/ file access is faster as it is not part of the overlay file-system +# 3/ if 2/ is crafted carefully it will eventually allow the container FS to be mounted read-only, which helps security +VOLUME /var/www/html/3rdparty +VOLUME /var/www/html/apps +VOLUME /var/www/html/config +VOLUME /var/www/html/core +VOLUME /var/www/html/custom_apps +VOLUME /var/www/html/data +VOLUME /var/www/html/lib +VOLUME /var/www/html/ocm-provider +VOLUME /var/www/html/ocs +VOLUME /var/www/html/ocs-provider +VOLUME /var/www/html/resources +VOLUME /var/www/html/themes + +COPY entrypoint.sh /usr/local/bin/ +COPY cron.sh / COPY config/* /usr/src/nextcloud/config/ -ENTRYPOINT ["/entrypoint.sh"] -CMD ["apache2-foreground"] +ENTRYPOINT [] +CMD 
["/usr/local/bin/entrypoint.sh", "apache2-foreground"] diff --git a/21.0/apache/docker-compose.yml b/21.0/apache/docker-compose.yml new file mode 100644 index 00000000..fb97d081 --- /dev/null +++ b/21.0/apache/docker-compose.yml @@ -0,0 +1,41 @@ +version: "3.9" + +services: + db: + image: mariadb:10.5 + command: --transaction-isolation=READ-COMMITTED + volumes: + - db_data:/var/lib/mysql + restart: unless-stopped + environment: + MARIADB_RANDOM_ROOT_PASSWORD: "yes" + MYSQL_DATABASE: nextcloud + MYSQL_USER: nextcloud + MYSQL_PASSWORD: nextcloud + + nextcloud: + depends_on: + - db + image: ${NC_IMAGE_NAME:-nextcloud:latest} + volumes: + - nextcloud_data:/var/www/html/data + - nextcloud_apps:/var/www/html/apps + - nextcloud_config:/var/www/html/config + - nextcloud_themes:/var/www/html/themes + ports: + - "8000:80" + restart: always + environment: + NEXTCLOUD_ADMIN_USER: adminstrator + NEXTCLOUD_ADMIN_PASSWORD: adminpass + NEXTCLOUD_TRUSTED_DOMAINS: localhost + MYSQL_DATABASE: nextcloud + MYSQL_PASSWORD: nextcloud + MYSQL_USER: nextcloud + MYSQL_HOST: db +volumes: + db_data: {} + nextcloud_data: {} + nextcloud_apps: {} + nextcloud_config: {} + nextcloud_themes: {} diff --git a/21.0/apache/entrypoint.sh b/21.0/apache/entrypoint.sh index b6da893b..530cee80 100755 --- a/21.0/apache/entrypoint.sh +++ b/21.0/apache/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/sh -set -eu +set -eux # version_greater A B returns whether A > B version_greater() { 
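Review bot: The new `VOLUME` lines for `/var/www/html/core`, `lib`, `3rdparty`, `apps`, the `ocs*`/`ocm-provider` trees and `resources` turn the PHP code Nextcloud executes into volume content, and because this same commit drops the `rsync` from `/usr/src/nextcloud` in entrypoint.sh, whatever sits in those volumes is what runs regardless of the image later pulled — a security fix shipped in a newer image never reaches a container whose code directories come from a named or reused volume. That also undercuts the comment's claim that the layout "helps security": a read-only root filesystem buys little when the interpreter's source tree is a writable mount. I would restrict `VOLUME` to the state directories the entrypoint actually bootstraps and persists (`config`, `data`, `custom_apps`, `themes`) and leave the code directories in the image layer, with a comment such as `# Only state directories are volumes; code stays in the image so pulling a new image really upgrades it`. Separately, `tar --strip-components=1 -C .` now depends on the base image's working directory being `/var/www/html`; an explicit `WORKDIR /var/www/html` before this `RUN` would make that assumption visible.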
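Review bot: The new docker-compose.yml hardcodes `NEXTCLOUD_ADMIN_PASSWORD: adminpass` and `MYSQL_PASSWORD: nextcloud` while publishing `"8000:80"` on every host interface, so anyone who brings this file up unchanged exposes an admin account with a known password to whatever network the host is on. Even for an example, take the secrets from the environment and fail loudly when they are unset, `NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD:?set in .env}` and `MYSQL_PASSWORD: ${MYSQL_PASSWORD:?set in .env}` in both services, and bind the port to loopback, `- "127.0.0.1:8000:80"`. Note also that `${NC_IMAGE_NAME:-nextcloud:latest}` defaults to the upstream image rather than the one this Dockerfile builds, so the volume layout being exercised here is only tested when the variable is set.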
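Review bot: `set -eux` traces every command to stderr, and this script later assembles the install command line with the database password inline (the `--database-pass "$POSTGRES_PASSWORD"` line visible in a later hunk, and presumably the MySQL and admin credentials in the same way), so with `-x` those secrets are printed in clear into `docker logs` on every fresh install. Keep `set -eu` as it was, and if tracing is wanted for debugging, disable it around the sensitive calls (`set +x` before the `occ maintenance:install` invocation, `set -x` after) or gate it on an explicit opt-in variable rather than leaving it on unconditionally.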
@@ -78,12 +78,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP fi installed_version="0.0.0.0" - if [ -f /var/www/html/version.php ]; then - # shellcheck disable=SC2016 - installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')" - fi # shellcheck disable=SC2016 - image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')" + image_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')" if version_greater "$installed_version" "$image_version"; then echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?" @@ -101,14 +97,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP else rsync_options="-rlD" fi - rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ - - for dir in config data custom_apps themes; do + ## Carefully checking whether the persistent volumes we care about are empty. + for dir in config themes; do if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ + echo ">> Bootstraping '/var/www/html/${dir}'" + rsync $rsync_options /usr/src/nextcloud/${dir}/. /var/www/html/${dir}/. fi done - rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/ echo "Initializing finished" #install 
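Review bot: With the `version.php` lookup removed, `installed_version` is now always the literal `0.0.0.0`, so the downgrade check right below can never fire and `version_greater "$image_version" "$installed_version"` is true on every start, which sends each restart through the install/upgrade branch (presumably re-running the installer whenever the database variables are set). A later commit in this series reads `config/version.php` instead, but as this revision stands the guard is dead code; if the image-side copy is gone, the installed version has to come from a persistent location, otherwise leave the original `if [ -f /var/www/html/version.php ]` block in place. The enclosing `if expr "$1" : "apache"` block starts and ends outside this hunk.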
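Review bot: The bootstrap loop now seeds only `config` and `themes`, while `data` and `custom_apps` remain volumes in the Dockerfile and are `chown -R`'d later in this script, and the `mkdir -p` lines that used to create them in the image were removed in the same commit — worth confirming that nothing else depends on those directories being pre-populated. Two smaller points on the new lines: `Bootstraping` in the echo should read `Bootstrapping`, and `$dir` should be quoted in the rsync arguments as it is in the test above, `rsync $rsync_options "/usr/src/nextcloud/$dir/." "/var/www/html/$dir/."`. The enclosing `if expr "$1" : "apache"` block starts and ends outside this hunk.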
@@ -150,7 +145,7 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"' install=true fi - + chown -R www-data:root /var/www/html/apps /var/www/html/custom_apps /var/www/html/data if [ "$install" = true ]; then echo "starting nextcloud installation" max_retries=10 @@ -191,4 +186,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP fi fi +chown -R www-data:root \ + /var/www/html/apps \ + /var/www/html/custom_apps \ + /var/www/html/data \ + /var/www/html/themes + exec "$@" From f69bcf3d1cd667836e250f19efabaed08d92170b Mon Sep 17 00:00:00 2001 From: Christian Kniep Date: Thu, 22 Jul 2021 15:23:03 +0200 Subject: [PATCH 2/4] move ARG/ENV down to allow caching --- 21.0/apache/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/21.0/apache/Dockerfile b/21.0/apache/Dockerfile index e90e30b6..ac3682de 100644 --- a/21.0/apache/Dockerfile +++ b/21.0/apache/Dockerfile @@ -1,7 +1,6 @@ # DO NOT EDIT: created by update.sh from Dockerfile-debian.template FROM php:7.4-apache-buster -ENV NEXTCLOUD_VERSION 21.0.3 ENV PHP_MEMORY_LIMIT 512M ENV PHP_UPLOAD_LIMIT 512M @@ -123,7 +122,8 @@ RUN a2enmod headers rewrite remoteip ;\ } > /etc/apache2/conf-available/remoteip.conf;\ a2enconf remoteip - +ARG NEXTCLOUD_VERSION=21.0.3 +ENV NEXTCLOUD_VERSION=${NEXTCLOUD_VERSION} RUN set -ex; \ fetchDeps=" \ gnupg \ From 3481db03a02af5f37afbada6628bbca756055af8 Mon Sep 17 00:00:00 2001 From: Christian Kniep Date: Thu, 22 Jul 2021 16:13:57 +0200 Subject: [PATCH 3/4] fix upgrade process --- 21.0/apache/docker-compose.yml | 7 ++++++- 21.0/apache/entrypoint.sh | 6 +++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/21.0/apache/docker-compose.yml b/21.0/apache/docker-compose.yml index fb97d081..df51176f 100644 
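Review bot: The trailing `chown -R www-data:root` block runs for every command the container is started with, not only `apache`/`php-fpm`, because it sits after the closing `fi` of the `if expr "$1" : "apache"` block, and it recurses over the whole `data` volume on every start, which on a large user-data volume is slow and silently re-owns anything an operator mounted there on purpose. It is also the second `chown -R` over the same directories in this commit (the install path already does one just above). I would drop this block and keep the chown inside the install/upgrade branch, or at least guard it with the same `expr "$1" : "apache"` test and limit it to the directories this script actually bootstraps.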
--- a/21.0/apache/docker-compose.yml +++ b/21.0/apache/docker-compose.yml @@ -6,7 +6,10 @@ services: command: --transaction-isolation=READ-COMMITTED volumes: - db_data:/var/lib/mysql + - /run/mysqld/ + - /tmp restart: unless-stopped + read_only: true environment: MARIADB_RANDOM_ROOT_PASSWORD: "yes" MYSQL_DATABASE: nextcloud @@ -17,6 +20,7 @@ services: depends_on: - db image: ${NC_IMAGE_NAME:-nextcloud:latest} + read_only: true volumes: - nextcloud_data:/var/www/html/data - nextcloud_apps:/var/www/html/apps @@ -26,9 +30,10 @@ services: - "8000:80" restart: always environment: - NEXTCLOUD_ADMIN_USER: adminstrator + NEXTCLOUD_ADMIN_USER: administrator NEXTCLOUD_ADMIN_PASSWORD: adminpass NEXTCLOUD_TRUSTED_DOMAINS: localhost + ### Commented out as this will make the entrypoint assume that a clean install is appropriate MYSQL_DATABASE: nextcloud MYSQL_PASSWORD: nextcloud MYSQL_USER: nextcloud diff --git a/21.0/apache/entrypoint.sh b/21.0/apache/entrypoint.sh index 530cee80..8672b310 100755 --- a/21.0/apache/entrypoint.sh +++ b/21.0/apache/entrypoint.sh @@ -79,6 +79,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP installed_version="0.0.0.0" # shellcheck disable=SC2016 + if [ -f /var/www/html/config/version.php ];then + installed_version="$(php -r 'require "/var/www/html/config/version.php"; echo implode(".", $OC_Version);')" + fi image_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')" if version_greater "$installed_version" "$image_version"; then 
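Review bot: `php -r 'require "/var/www/html/config/version.php"; …'` executes PHP out of the `config` volume as root — the entrypoint is still root here, it performs the `chown -R` calls later — while `config` is bootstrapped with `$rsync_options`, which on the root path presumably carries `--chown www-data:root` as the upstream script does; a compromise of the web worker that can write into `config/` therefore becomes code execution as root on the next container start. Read the marker without evaluating it: either run the read as the unprivileged user with the `run_as` helper this script already has, `installed_version="$(run_as 'php -r ...')"`, or better store a plain-text version string instead of a PHP file and compare it with the shell. The `# shellcheck disable=SC2016` directive now sits above the `if` rather than the `php -r` line it was meant for, so move it down. The enclosing `if expr "$1" : "apache"` block starts and ends outside this hunk.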
@@ -175,14 +178,15 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP fi #upgrade else + chown -R www-data:root /var/www/html/apps /var/www/html/custom_apps /var/www/html/data run_as 'php /var/www/html/occ upgrade' run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after echo "The following apps have been disabled:" diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1 rm -f /tmp/list_before /tmp/list_after - fi + cp /var/www/html/version.php /var/www/html/config/version.php fi fi From 087371d7a025e6fbd7cd91d8a7042f2adad58e26 Mon Sep 17 00:00:00 2001 From: Christian Kniep Date: Thu, 22 Jul 2021 16:23:30 +0200 Subject: [PATCH 4/4] remove comment --- 21.0/apache/docker-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/21.0/apache/docker-compose.yml b/21.0/apache/docker-compose.yml index df51176f..396def79 100644 --- a/21.0/apache/docker-compose.yml +++ b/21.0/apache/docker-compose.yml @@ -33,7 +33,6 @@ services: NEXTCLOUD_ADMIN_USER: administrator NEXTCLOUD_ADMIN_PASSWORD: adminpass NEXTCLOUD_TRUSTED_DOMAINS: localhost - ### Commented out as this will make the entrypoint assume that a clean install is appropriate MYSQL_DATABASE: nextcloud MYSQL_PASSWORD: nextcloud MYSQL_USER: nextcloud
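Review bot: This hunk removes the `fi` that closed `if [ "$install" = true ]` and puts the `cp` in its place without adding a `fi` back, so unless another `fi` outside the hunk compensates, the script now has one unclosed `if` and `sh` rejects it at end of file; nothing else in the series touches the block structure. Even with that repaired, `cp /var/www/html/version.php /var/www/html/config/version.php` only runs in the upgrade branch, so after a fresh install no marker exists, `installed_version` is `0.0.0.0` again on the next start and the install path is presumably taken a second time. Keep the `fi` and place the copy immediately after it so it runs after both install and upgrade, i.e. the sequence becomes `fi` then `cp /var/www/html/version.php /var/www/html/config/version.php` then the two remaining `fi`. The enclosing `if` chain starts outside this hunk.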