Merge branch 'feature/docker-revamp-non-root' into develop

2021-02-16 19:09:25 +01:00 · 2021-02-16 19:09:25 +01:00 · 3a0ff46ed1
parent c0e5e25417 7e8fd580b5
commit 3a0ff46ed1
11 changed files with 205 additions and 24 deletions
--- a/conf/supervisor/cron.conf
+++ b/conf/supervisor/cron.conf
@ -1,5 +1,5 @@
 [program:cron]
-command=cron -f -l
+command=/bin/bash -c "declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' > /etc/environment; cron -f -l"
 autostart=true
 priority=20
 stdout_logfile=/dev/stdout
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@ -4,6 +4,12 @@ LABEL maintainer="Passbolt SA <contact@passbolt.com>"

 ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
 ENV PHP_VERSION=7.3
+ENV GNUPGHOME=/var/lib/passbolt/.gnupg
+
+ARG PASSBOLT_REPO_URL="https://download.passbolt.com/ce/debian"
+ARG PASSBOLT_DISTRO="buster"
+ARG PASSBOLT_COMPONENT="stable"
+ARG PASSBOLT_PKG=passbolt-ce-server

 ARG PASSBOLT_REPO_URL="https://download.passbolt.com/ce/debian"
 ARG PASSBOLT_DISTRO="buster"
@ -26,12 +32,18 @@ RUN apt-get update \
    && cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
    && sed -i 's,;clear_env = no,clear_env = no,' /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
    && sed -i 's,# include __PASSBOLT_SSL__,include /etc/nginx/snippets/passbolt-ssl.conf;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
-    && sed -i 's,ssl on;,listen 443 ssl;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i '/listen \[\:\:\]\:443 ssl http2;/a listen 443 ssl http2;' /etc/nginx/snippets/passbolt-ssl.conf \
    && sed -i 's,__CERT_PATH__,/etc/ssl/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \
-    && sed -i 's,__KEY_PATH__,/etc/ssl/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf
+    && sed -i 's,__KEY_PATH__,/etc/ssl/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,www-data.*$,www-data exec /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron",' /etc/cron.d/$PASSBOLT_PKG \
+    && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
+    && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
+    && ln -sf /dev/stderr /var/log/passbolt/error.log \
+    && ln -sf /dev/stderr /var/log/php7.3-fpm.log \
+    && crontab /etc/cron.d/$PASSBOLT_PKG

 COPY conf/supervisor/*.conf /etc/supervisor/conf.d/
-COPY bin/docker-entrypoint.sh /docker-entrypoint.sh
+COPY debian/bin/docker-entrypoint.sh /docker-entrypoint.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh

 EXPOSE 80 443
--- a/debian/Dockerfile.rootless
+++ b/debian/Dockerfile.rootless
@ -0,0 +1,71 @@
+FROM debian:buster-slim
+
+LABEL maintainer="Passbolt SA <contact@passbolt.com>"
+
+ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
+ENV PHP_VERSION=7.3
+ENV GNUPGHOME=/var/lib/passbolt/.gnupg
+
+ARG PASSBOLT_REPO_URL="https://download.passbolt.com/ce/debian"
+ARG PASSBOLT_DISTRO="buster"
+ARG PASSBOLT_COMPONENT="stable"
+ARG PASSBOLT_PKG=passbolt-ce-server
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=non-interactive apt-get -y install \
+      ca-certificates \
+      gnupg \
+    && apt-key adv --keyserver keys.gnupg.net --recv-keys $PASSBOLT_PKG_KEY \
+    && echo "deb $PASSBOLT_REPO_URL $PASSBOLT_DISTRO $PASSBOLT_COMPONENT" > /etc/apt/sources.list.d/passbolt.list \
+    && apt-get update \
+    && DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
+      nginx \
+      $PASSBOLT_PKG \
+      supervisor
+
+RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+    && rm /etc/nginx/sites-enabled/default \
+    && cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,;clear_env = no,clear_env = no,' /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
+    && sed -i 's,# include __PASSBOLT_SSL__,include /etc/nginx/snippets/passbolt-ssl.conf;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+    && sed -i 's,listen \[\:\:\]\:443 ssl http2;,listen \[\:\:\]\:4443 ssl http2;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i '/listen \[\:\:\]\:4443 ssl http2;/a listen 4443 ssl http2;' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,__CERT_PATH__,/etc/passbolt/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,__KEY_PATH__,/etc/passbolt/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i '/user www-data;/d' /etc/nginx/nginx.conf \
+    && sed -i 's,/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
+    && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
+    && sed -i 's,listen = /run/php/php7.3-fpm.sock,listen = 127.0.0.1:9000,' /etc/php/7.3/fpm/pool.d/www.conf \
+    && sed -i 's,unix:/run/php/php7.3-fpm.sock,127.0.0.1:9000,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+    && sed -i 's,pid = /run/php/php7.3-fpm.pid,pid = /tmp/php7.3-fpm.pid,' /etc/php/7.3/fpm/php-fpm.conf \
+    && sed -i 's,/var/run/supervisor.sock,/tmp/supervisor.sock,' /etc/supervisor/supervisord.conf \
+# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+    #&& chown -R www-data:0 /var/cache/nginx \
+    #&& chmod -R g+w /var/cache/nginx \
+    && chown -R www-data:0 /etc/nginx \
+    && chmod -R g+w /etc/nginx \
+    && mkdir /etc/passbolt/certs \
+    && chown www-data:0 /etc/passbolt/certs \
+    && chown www-data:0 /var/log/supervisor \
+    && chown -R www-data:0 /var/log/nginx \
+    && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
+    && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
+    && ln -sf /dev/stderr /var/log/passbolt/error.log \
+    && ln -sf /dev/stderr /var/log/php7.3-fpm.log \
+    && chown -R www-data:0 /var/log/supervisor \
+    && touch /var/www/.profile \
+    && chown www-data:www-data /var/www/.profile \
+    && sed -i 's,www-data.*$,www-data exec /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron",' /etc/cron.d/$PASSBOLT_PKG \
+    && crontab /etc/cron.d/$PASSBOLT_PKG
+
+COPY conf/supervisor/*.conf /etc/supervisor/conf.d/
+COPY debian/bin/docker-entrypoint.sh /docker-entrypoint.sh
+COPY scripts/wait-for.sh /usr/bin/wait-for.sh
+
+EXPOSE 8080 4443
+
+WORKDIR /usr/share/php/passbolt
+
+USER www-data
+
+CMD ["/docker-entrypoint.sh"]
--- a/debian/bin/docker-entrypoint.sh
+++ b/debian/bin/docker-entrypoint.sh
@ -11,8 +11,6 @@ ssl_cert='/etc/ssl/certs/certificate.crt'

 deprecation_message=""

-export GNUPGHOME="/var/lib/passbolt/.gnupg"
-
 entropy_check() {
  local entropy_avail

@ -73,7 +71,6 @@ gen_ssl_cert() {
 }

 install() {
-
  if [ ! -f "$passbolt_config/app.php" ]; then
    su -c "cp $passbolt_config/app.default.php $passbolt_config/app.php" -s /bin/bash www-data
  fi
@ -86,15 +83,6 @@ install() {
  su -c '/usr/share/php/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data || su -c '/usr/share/php/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data && echo "Enjoy! ☮"
 }

-email_cron_job() {
-  cron_task='/etc/cron.d/passbolt_email'
-  declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' > /etc/environment
-  if [ ! -f "$cron_task" ]; then
-    echo "* * * * * su -c \"source /etc/environment ; /var/www/passbolt/bin/cake EmailQueue.sender\" -s /bin/bash www-data >> /var/log/cron.log 2>&1" >> $cron_task
-    crontab /etc/cron.d/passbolt_email
-  fi
-}
-
 create_deprecation_message() {
  deprecation_message+="\033[33;5;7mWARNING: $1 is deprecated, point your docker volume to $2\033[0m\n"
 }
@ -147,7 +135,8 @@ if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \
 fi

 install
-email_cron_job
+
+echo -e "$deprecation_message"

 echo -e "$deprecation_message"

--- a/debian/conf
+++ b/debian/conf
@ -0,0 +1 @@
+../conf
--- a/debian/scripts
+++ b/debian/scripts
@ -0,0 +1 @@
+../scripts
--- a/dev/Dockerfile
+++ b/dev/Dockerfile
@ -1,8 +1,8 @@
-FROM php:7.3.16-fpm
+FROM php:7.3.24-fpm

 LABEL maintainer="Passbolt SA <contact@passbolt.com>"

-ARG PASSBOLT_VERSION="2.12.1"
+ARG PASSBOLT_VERSION="2.13.5"
 ARG PASSBOLT_URL="https://github.com/passbolt/passbolt_api/archive/v${PASSBOLT_VERSION}.tar.gz"
 ARG PASSBOLT_CURL_HEADERS=""

@ -60,7 +60,7 @@ RUN apt-get update \
         rm composer-setup.php; \
         exit 1; \
       fi \
-    && php composer-setup.php \
+    && php composer-setup.php --1 \
    && mv composer.phar /usr/local/bin/composer \
    && rm composer-setup.php \
    && curl -sSL -H "$PASSBOLT_CURL_HEADERS" "$PASSBOLT_URL" | tar zxf - -C . --strip-components 1 \
@ -76,11 +76,14 @@ RUN apt-get update \
    && rm /usr/local/bin/composer \
    && echo 'php_flag[expose_php] = off' > /usr/local/etc/php-fpm.d/expose.conf \
    && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \
-    && mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+    && mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \
+    && echo "* * * * * su -c \"source /etc/environment ; /var/www/passbolt/bin/cake EmailQueue.sender\" -s /bin/bash www-data >> /var/log/cron.log 2>&1" >> /etc/cron.d/passbolt_email \
+    && crontab /etc/cron.d/passbolt_email \
+    && ln -s $(which php-fpm){,7.3}

 COPY conf/passbolt.conf /etc/nginx/conf.d/default.conf
 COPY conf/supervisor/*.conf /etc/supervisor/conf.d/
-COPY bin/docker-entrypoint.sh /docker-entrypoint.sh
+COPY dev/bin/docker-entrypoint.sh /docker-entrypoint.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh

 EXPOSE 80 443
--- a/dev/bin/docker-entrypoint.sh
+++ b/dev/bin/docker-entrypoint.sh
@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-/var/www/passbolt/config/gpg/serverkey_private.asc}"
+gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-/var/www/passbolt/config/gpg/serverkey.asc}"
+
+ssl_key='/etc/ssl/certs/certificate.key'
+ssl_cert='/etc/ssl/certs/certificate.crt'
+
+export GNUPGHOME="/home/www-data/.gnupg"
+
+entropy_check() {
+  local entropy_avail
+
+  entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail)
+
+  if [ "$entropy_avail" -lt 2000 ]; then
+
+    cat <<EOF
+==================================================================================
+  Your entropy pool is low. This situation could lead GnuPG to not
+  be able to create the gpg serverkey so the container start process will hang
+  until enough entropy is obtained.
+  Please consider installing rng-tools and/or virtio-rng on your host as the
+  preferred method to generate random numbers using a TRNG.
+  If rngd (rng-tools) does not provide enough or fast enough randomness you could
+  consider installing haveged as a helper to speed up this process.
+  Using haveged as a replacement for rngd is not recommended. You can read more
+  about this topic here: https://lwn.net/Articles/525459/
+==================================================================================
+EOF
+  fi
+}
+
+gpg_gen_key() {
+  key_email="${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}"
+  key_name="${PASSBOLT_KEY_NAME:-Passbolt default user}"
+  key_length="${PASSBOLT_KEY_LENGTH:-2048}"
+  subkey_length="${PASSBOLT_SUBKEY_LENGTH:-2048}"
+  expiration="${PASSBOLT_KEY_EXPIRATION:-0}"
+
+  entropy_check
+
+  su -c "gpg --batch --no-tty --gen-key <<EOF
+    Key-Type: default
+		Key-Length: $key_length
+		Subkey-Type: default
+		Subkey-Length: $subkey_length
+    Name-Real: $key_name
+    Name-Email: $key_email
+    Expire-Date: $expiration
+    %no-protection
+		%commit
+EOF" -ls /bin/bash www-data
+
+  su -c "gpg --armor --export-secret-keys $key_email > $gpg_private_key" -ls /bin/bash www-data
+  su -c "gpg --armor --export $key_email > $gpg_public_key" -ls /bin/bash www-data
+}
+
+gpg_import_key() {
+  su -c "gpg --batch --import $gpg_public_key" -ls /bin/bash www-data
+  su -c "gpg --batch --import $gpg_private_key" -ls /bin/bash www-data
+}
+
+gen_ssl_cert() {
+  openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
+    -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \
+    -keyout $ssl_key -out $ssl_cert
+}
+
+install() {
+  local app_config="/var/www/passbolt/config/app.php"
+
+  if [ ! -f "$app_config" ]; then
+    su -c 'cp /var/www/passbolt/config/app.default.php /var/www/passbolt/config/app.php' -s /bin/bash www-data
+  fi
+
+  if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f  '/var/www/passbolt/config/passbolt.php' ]; then
+    gpg_auto_fingerprint="$(su -c "gpg --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
+    export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
+  fi
+
+  su -c '/var/www/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data || su -c '/var/www/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data && echo "Enjoy! ☮"
+}
+
+if [ ! -f "$gpg_private_key" ] && [ ! -L "$gpg_private_key" ] || \
+   [ ! -f "$gpg_public_key" ] && [ ! -L "$gpg_public_key" ]; then
+  gpg_gen_key
+  gpg_import_key
+else
+  gpg_import_key
+fi
+
+if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \
+   [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then
+  gen_ssl_cert
+fi
+
+install
+
+exec /usr/bin/supervisord -n
--- a/dev/conf
+++ b/dev/conf
@ -0,0 +1 @@
+../conf
--- a/dev/scripts
+++ b/dev/scripts
@ -0,0 +1 @@
+../scripts
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -21,8 +21,8 @@ services:
      - images_volume:/usr/share/php/passbolt/webroot/img/public
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
-      - 80:80
-      - 443:443
+      - 80:8080
+      - 443:4443

 volumes:
  database_volume: