diff --git a/CHANGELOG.md b/CHANGELOG.md index ee79533..afd583f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,7 +2,53 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v2.13.5...HEAD) +## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.0.0...HEAD) + +## [3.0.0](https://github.com/passbolt/passbolt_docker/compare/v2.13.5...v3.0.0) - 2021-02-23 + +We are happy to announce the release of passbolt docker 3.0.0! + +This release contains passbolt-api 3.0.0 as well as some new additions and deprection +notices. + +Passbolt docker images now rely on passbolt's debian package. As a result the dockerfiles +are now using debian-slim as base images and not longer rely on docker php library images. + +As a result of using debian packages some paths such as /var/www/passbolt are going to be +deprecated. This release still supports both paths by symlinking so users should not +be impacted by the path changes. We strongly recommend that you update your volumes +accordingly. + +We have also released a rootless image that runs entirely under www-data user and uses +supercronic instead of plain cron to run the background tasks. We aim to make a transition +to rootless images by default to make our docker images a bit more secure by default. +However, rootless alternatives are still considered beta. + +As with this release passbolt images are no longer tagged with the '-debian' suffix. Instead: + +- Passbolt docker CE images will be tagged as: passbolt/passbolt:-ce +- Passbolt docker CE rootless images will be tagged as: passbolt/passbolt:-ce-non-root +- Passbolt docker pro images will be tagged as: passbolt/passbolt:-pro +- Passbolt docker pro rootless images will be tagged as: passbolt/passbolt:-pro-non-root + +You can still find the old Dockerfiles on the dev/ directory as they are still quite +handy for development purposes. 
+ +### Added + +- New debian package based docker images +- New rootless images +- Supercronic introduced on rootless images + +### Changed + +- Passbolt installation uses official passbolt debian packages +- /var/www/passbolt files are now in /usr/share/php/passbolt +- /var/www/passbolt/config files are no in /etc/passbolt +- Default workdir is now /usr/share/php/passbolt +- Old docker images moved to dev/ directory +- debian Dockerfiles moved to debian/ directory +- Deprecation message is shown on startup of the containers if old paths detected ## [2.13.5](https://github.com/passbolt/passbolt_docker/compare/v2.13.1...v2.13.5) - 2020-08-04 diff --git a/README.md b/README.md index 548f110..e86236f 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ /_/ \__,_/____/____/_,___/\____/_/\__/ `,.__. ^___.-/ `-./ .'...--` The open source password manager for teams `' - (c) 2018 Passbolt SARL + (c) 2021 Passbolt SA https://www.passbolt.com ``` [![Codacy Badge](https://api.codacy.com/project/badge/Grade/0de4eaf7426944769a70a2d727a9012b)](https://www.codacy.com/app/passbolt/passbolt_docker?utm_source=github.com&utm_medium=referral&utm_content=passbolt/passbolt_docker&utm_campaign=Badge_Grade) @@ -20,14 +20,22 @@ Passbolt is a free and open source password manager that allows team members to store and share credentials securely. -# Requirements: +# Requirements -* rng-tools or haveged are required on host machine to speed up entropy generation on containers. +* rng-tools or haveged might be required on host machine to speed up entropy generation on containers. This way gpg key creation on passbolt container will be faster. * mariadb/mysql >= 5.0 # Usage +### docker-compose + +Usage: + +``` +$ docker-compose up +``` + Users are encouraged to use [official docker image from the docker hub](https://hub.docker.com/r/passbolt/passbolt/). ## Start passbolt instance 
@@ -44,7 +52,7 @@ $ docker run -e MYSQL_ROOT_PASSWORD= \ ``` Then you can start passbolt just by providing the database container ip in the -`db_host` environment variable. +`DATASOURCES_DEFAULT_HOST` environment variable. ```bash $ docker run --name passbolt \ @@ -61,7 +69,7 @@ $ docker run --name passbolt \ Once the container is running create your first admin user: ```bash -$ docker exec passbolt su -m -c "/var/www/passbolt/bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data +$ docker exec passbolt su -m -c "bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data ``` This registration command will return a single use url required to continue the 
@@ -74,44 +82,44 @@ available browsing `https://yourdomain.com` Passbolt docker image provides several environment variables to configure different aspects: -| Variable name | Description | Default value | -| ----------------------------------- | -------------------------------- | ------------------- | -| APP_BASE | it allows people to specify the base subdir the application is running in | null | -| APP_FULL_BASE_URL | Passbolt base url | false | -| DATASOURCES_DEFAULT_HOST | Database hostname | localhost | -| DATASOURCES_DEFAULT_PORT | Database port | 3306 | -| DATASOURCES_DEFAULT_USERNAME | Database username | '' | -| DATASOURCES_DEFAULT_PASSWORD | Database password | '' | -| DATASOURCES_DEFAULT_DATABASE | Database name | '' | -| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' | -| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' | -| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' | -| DATASOURCES_QUOTE_IDENTIFIER | Enable database quoting ([needed for for MySQL 8+](https://github.com/passbolt/passbolt_api/issues/325)) | false | -| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp | -| EMAIL_DEFAULT_FROM | From email address | you@localhost | -| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default | -| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost | -| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 | -| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 | -| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null | -| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null | -| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null | -| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null | -| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null | -| GNUPGHOME | path to gnupghome directory | /home/www-data/.gnupg | -| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048 | -| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048 | -| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user | -| 
PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com | -| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires | -| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null | -| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /var/www/passbolt/config/gpg/serverkey.asc | -| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /var/www/passbolt/config/gpg/serverkey_private.asc | -| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true | -| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true | -| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false | -| PASSBOLT_SSL_FORCE | Redirects http to https | true | -| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true | | SECURITY_SALT | CakePHP security salt | __SALT__ | +| Variable name | Description | Default value +| ----------------------------------- | -------------------------------- | ------------------- +| APP_BASE | it allows people to specify the base subdir the application is running in | null +| APP_FULL_BASE_URL | Passbolt base url | false +| DATASOURCES_DEFAULT_HOST | Database hostname | localhost +| DATASOURCES_DEFAULT_PORT | Database port | 3306 +| DATASOURCES_DEFAULT_USERNAME | Database username | '' +| DATASOURCES_DEFAULT_PASSWORD | Database password | '' +| DATASOURCES_DEFAULT_DATABASE | Database name | '' +| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' +| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' +| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' +| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp +| EMAIL_DEFAULT_FROM | From email address | you@localhost +| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default +| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost +| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 +| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 +| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null +| 
EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null +| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null +| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null +| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null +| GNUPGHOME | path to gnupghome directory | /var/lib/passbolt/.gnupg +| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048 +| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048 +| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user +| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com +| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires +| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null +| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /etc/passbolt/gpg/serverkey.asc +| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /etc/passbolt/gpg/serverkey_private.asc +| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true +| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true +| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false +| PASSBOLT_SSL_FORCE | Redirects http to https | true +| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true +| SECURITY_SALT | CakePHP security salt | __SALT__ For more env variables supported please check [default.php](https://github.com/passbolt/passbolt_api/blob/master/config/default.php) and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/config/app.default.php) 
@@ -121,11 +129,11 @@ and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/confi What if you already have a set of gpg keys and custom configuration files for passbolt? It it possible to mount the desired configuration files as volumes. -* /var/www/passbolt/config/app.php -* /var/www/passbolt/config/passbolt.php -* /var/www/passbolt/config/gpg/serverkey.asc -* /var/www/passbolt/config/gpg/serverkey_private.asc -* /var/www/passbolt/webroot/img/public/images +* /etc/passbolt/app.php +* /etc/passbolt/passbolt.php +* /etc/passbolt/gpg/serverkey.asc +* /etc/passbolt/gpg/serverkey_private.asc +* /usr/share/php/passbolt/webroot/img/public/images ### SSL certificate files @@ -148,24 +156,22 @@ ssl-cert=/etc/mysql/ssl/server-cert.pem ssl-key=/etc/mysql/ssl/server-key.pem ``` -### docker-compose - -Usage: - -``` -$ docker-compose up -``` ### CLI healthcheck In order to run the healtcheck from the CLI on the container: +On a root docker image: + ``` -$ su -c "source /etc/environment; bin/cake passbolt healthcheck" -s /bin/bash www-data +$ su -s /bin/bash www-data +$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)" +$ bin/cake passbolt healthcheck ``` -# Requirements: +Non root image: -* rng-tools or haveged are required on host machine to speed up entropy generation on containers. -This way gpg key creation on passbolt container will be faster. -* mariadb/mysql >= 5.6 +``` +$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)" +$ bin/cake passbolt healthcheck +``` diff --git a/docker-compose-pro.yml b/docker-compose-pro.yml index 5e805da..6299bb5 100644 --- a/docker-compose-pro.yml +++ b/docker-compose-pro.yml 
@@ -11,6 +11,8 @@ services: passbolt: image: passbolt/passbolt:3.0.0-pro + #Alternatively you can use rootless: + #image: passbolt/passbolt:3.0.0-pro-non-root tty: true depends_on: - db @@ -24,6 +26,9 @@ services: ports: - 80:80 - 443:443 + #Alternatively for non-root images: + # - 80:8080 + # - 443:4433 volumes: database_volume: diff --git a/docker-compose.yml b/docker-compose.yml index d70178c..235ad4c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,6 +11,8 @@ services: passbolt: image: passbolt/passbolt:3.0.0-ce + #Alternatively you can use rootless: + #image: passbolt/passbolt:3.0.0-ce-non-root tty: true depends_on: - db @@ -23,6 +25,9 @@ services: ports: - 80:80 - 443:443 + #Alternatively for non-root images: + # - 80:8080 + # - 443:4433 volumes: database_volume:
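Review bot: the release notes in the CHANGELOG.md hunk carry several typos that will ship as published text: "deprection notices" should read "deprecation notices", "not longer rely on docker php library images" should read "no longer rely", "/var/www/passbolt/config files are no in /etc/passbolt" should read "are now in", and "on the dev/ directory" should read "in the dev/ directory". The four tag examples also read "passbolt/passbolt:-ce", "passbolt/passbolt:-ce-non-root", "passbolt/passbolt:-pro" and "passbolt/passbolt:-pro-non-root" with nothing in front of the hyphen, so the version placeholder that belongs there is missing; write it in backticks, for example `passbolt/passbolt:<version>-ce`, so markdown does not swallow an angle-bracket placeholder as a tag.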
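Review bot: in the README.md `@@ -20,14 +20,22 @@` hunk the surviving Requirements block says "mariadb/mysql >= 5.0", while the duplicate Requirements block deleted further down (the `@@ -148,24 +156,22 @@` hunk) said "mariadb/mysql >= 5.6"; the two disagreed before this patch and only the lower bound survives, so confirm which minimum the 3.0.0 package actually supports and state that one. The relocated docker-compose subsection is also inserted as a `### docker-compose` heading directly under `# Usage`, ahead of the "Users are encouraged to use [official docker image...]" sentence, so it has no `##` parent; making it `## docker-compose` or placing it after that sentence keeps the heading hierarchy intact.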
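Review bot: the `@@ -61,7 +69,7 @@` hunk changes the registration command to the relative path `bin/cake passbolt register_user ...` run through `su -m`, which only resolves because the image's default workdir is now /usr/share/php/passbolt (as the CHANGELOG states) and `docker exec` inherits it; a reader who passes `-w` to `docker exec` or runs this from a shell in another directory gets a "not found" error, so either keep the absolute `/usr/share/php/passbolt/bin/cake` or add a sentence saying the command relies on the container's working directory.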
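Review bot: the rewritten environment-variable table in the `@@ -74,44 +82,44 @@` hunk silently drops the `DATASOURCES_QUOTE_IDENTIFIER` row ("Enable database quoting (needed for for MySQL 8+)", default false) and the CHANGELOG hunk has no entry for its removal; if the image still honours the variable it should stay documented, since MySQL 8 deployments depend on it, and if support was removed that is a breaking change that belongs under "Changed" together with a note in Requirements. Every new row also loses its trailing `|`, which most renderers tolerate but which differs from the table as it stood before; keep the closing pipe for consistency. The path defaults that moved to /etc/passbolt and /var/lib/passbolt/.gnupg match the CHANGELOG, so those rows look right.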
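Review bot: the mounted-configuration list in the `@@ -121,11 +129,11 @@` hunk now points only at the /etc/passbolt and /usr/share/php/passbolt paths, but the CHANGELOG in this same patch says the old /var/www/passbolt paths remain reachable through symlinks and trigger a deprecation message on startup; a one-line note here that existing volumes mounted at the old paths still work but print that warning would stop users from reading the new list as a hard break.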
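Review bot: the CLI healthcheck hunk (`@@ -148,24 +156,22 @@`) has several problems in the commands it adds. For the root image the first step is `$ su -s /bin/bash www-data`, after which the `export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=...` line runs a second `su -c "gpg ..." -ls /bin/bash www-data`; that inner `su` is executed as www-data rather than root and will prompt for a password the www-data account does not have, so either run the export (with its inner `su`) as root before switching user, or switch user first and call `gpg` directly. The "Non root image" block repeats the same `su`-wrapped command verbatim, which cannot succeed in an image the CHANGELOG describes as running entirely as www-data; there the command should be the bare `gpg --homedir "$GNUPGHOME" --list-keys --with-colons ...`. Because `$GNUPGHOME` and `${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}` sit inside double quotes they are expanded by the outer shell before `su` runs, and the removed command sourced `/etc/environment` precisely so those variables were set; that step should be restored or the README should say where the variables come from in each image. `|grep fpr |head -1| cut -f10 -d:` also takes the first fingerprint matching the email, which is the wrong key whenever more than one key for that address exists in the keyring; deriving the fingerprint from the key file named in `PASSBOLT_GPG_SERVER_KEY_PUBLIC` would be unambiguous. Finally, the unchanged context line "In order to run the healtcheck from the CLI" still misspells "healthcheck", and the two sub-headings read "On a root docker image:" and "Non root image:"; make them parallel.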
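Review bot: the four hunks in docker-compose-pro.yml and docker-compose.yml add commented alternatives `#image: passbolt/passbolt:3.0.0-pro-non-root` / `#image: passbolt/passbolt:3.0.0-ce-non-root` and ports `# - 80:8080` / `# - 443:4433`, which is the only place in this patch that records that the rootless images listen on 8080 and 4433 instead of 80 and 443; the README's "Start passbolt instance" `docker run` instructions and the new CHANGELOG text say nothing about it, so a user who follows the README with a `-non-root` tag publishes 80/443 against a container listening elsewhere. Add the port difference to the README (and to the CHANGELOG "Added" list for the rootless images), and put a space after `#` in the YAML comments (`# Alternatively ...`, `# image: ...`) to match the `# - 80:8080` style used two lines below.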