From a3ad095833fea2a993add6d419ec8964decd10c3 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Tue, 23 Feb 2021 13:36:12 +0100
Subject: [PATCH 1/3] Changed: release notes 3.0.0

---
 CHANGELOG.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0bc247f..afd583f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,73 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v2.12.0...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.0.0...HEAD)
+
+## [3.0.0](https://github.com/passbolt/passbolt_docker/compare/v2.13.5...v3.0.0) - 2021-02-23
+
+We are happy to announce the release of passbolt docker 3.0.0!
+
+This release contains passbolt-api 3.0.0 as well as some new additions and deprection
+notices.
+
+Passbolt docker images now rely on passbolt's debian package. As a result the dockerfiles
+are now using debian-slim as base images and not longer rely on docker php library images.
+
+As a result of using debian packages some paths such as /var/www/passbolt are going to be
+deprecated. This release still supports both paths by symlinking so users should not
+be impacted by the path changes. We strongly recommend that you update your volumes
+accordingly.
+
+We have also released a rootless image that runs entirely under www-data user and uses
+supercronic instead of plain cron to run the background tasks. We aim to make a transition
+to rootless images by default to make our docker images a bit more secure by default.
+However, rootless alternatives are still considered beta.
+
+As with this release passbolt images are no longer tagged with the '-debian' suffix. Instead:
+
+- Passbolt docker CE images will be tagged as: passbolt/passbolt:-ce
+- Passbolt docker CE rootless images will be tagged as: passbolt/passbolt:-ce-non-root
+- Passbolt docker pro images will be tagged as: passbolt/passbolt:-pro
+- Passbolt docker pro rootless images will be tagged as: passbolt/passbolt:-pro-non-root
+
+You can still find the old Dockerfiles on the dev/ directory as they are still quite
+handy for development purposes.
+
+### Added
+
+- New debian package based docker images
+- New rootless images
+- Supercronic introduced on rootless images
+
+### Changed
+
+- Passbolt installation uses official passbolt debian packages
+- /var/www/passbolt files are now in /usr/share/php/passbolt
+- /var/www/passbolt/config files are no in /etc/passbolt
+- Default workdir is now /usr/share/php/passbolt
+- Old docker images moved to dev/ directory
+- debian Dockerfiles moved to debian/ directory
+- Deprecation message is shown on startup of the containers if old paths detected
+
+## [2.13.5](https://github.com/passbolt/passbolt_docker/compare/v2.13.1...v2.13.5) - 2020-08-04
+
+- Passbolt api bumped to 2.13.5
+
+## [2.13.1](https://github.com/passbolt/passbolt_docker/compare/v2.13.0...v2.13.1) - 2020-07-07
+
+- Passbolt api bumped to 2.13.1
+
+## [2.13.0](https://github.com/passbolt/passbolt_docker/compare/v2.12.1...v2.13.0) - 2020-06-23
+
+- Passbolt api bumped to 2.13.0
+- PHP version pinned to 7.3.19
+
+## [2.12.1](https://github.com/passbolt/passbolt_docker/compare/v2.12.0...v2.12.1) - 2020-04-14
+
+### Changed
+
+- Dockerfile pins specific php version for better control
+- Passbolt code version bumped to 2.12.1
 
 ## [2.12.0](https://github.com/passbolt/passbolt_docker/compare/v2.11.0...v2.12.0) - 2019-12-06
 

From c401c8a4e7c50f5e1d22f5755b82c00c6cafe0db Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Tue, 23 Feb 2021 16:55:43 +0100
Subject: [PATCH 2/3] Changed: updated docker-compose files

---
 docker-compose-pro.yml | 4 +++-
 docker-compose.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/docker-compose-pro.yml b/docker-compose-pro.yml
index d714c57..0edeb36 100644
--- a/docker-compose-pro.yml
+++ b/docker-compose-pro.yml
@@ -10,7 +10,9 @@ services:
 - "127.0.0.1:3306:3306"
 
 passbolt:
- image: passbolt/passbolt:3.0.0-pro-debian
+ image: passbolt/passbolt:3.0.0-pro
+ #Alternatively you can use rootless:
+ #image: passbolt/passbolt:3.0.0-pro-non-root
 tty: true
 depends_on:
 - db
diff --git a/docker-compose.yml b/docker-compose.yml
index 95077a7..bdcd2b1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,9 @@ services:
 - "127.0.0.1:3306:3306"
 
 passbolt:
- image: passbolt/passbolt:3.0.0-debian
+ image: passbolt/passbolt:3.0.0-ce
+ #Alternatively you can use rootless:
+ #image: passbolt/passbolt:3.0.0-ce-non-root
 tty: true
 depends_on:
 - db

From 6359b110c9771f7b93f99fc226d23cd132f20cbf Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Tue, 23 Feb 2021 16:56:00 +0100
Subject: [PATCH 3/3] Changed: readme updates on new config paths and cosmetic changes

---
 README.md | 125 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 66 insertions(+), 59 deletions(-)

diff --git a/README.md b/README.md
index 94be893..e86236f 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 /_/ \__,_/____/____/_,___/\____/_/\__/ `,.__. ^___.-/ `-./ .'...--`
 The open source password manager for teams `'
- (c) 2018 Passbolt SARL
+ (c) 2021 Passbolt SA
 https://www.passbolt.com
 ```
 [![Codacy Badge](https://api.codacy.com/project/badge/Grade/0de4eaf7426944769a70a2d727a9012b)](https://www.codacy.com/app/passbolt/passbolt_docker?utm_source=github.com&utm_medium=referral&utm_content=passbolt/passbolt_docker&utm_campaign=Badge_Grade)
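Review bot: The commented-out alternative added as `#Alternatively you can use rootless:` / `#image: passbolt/passbolt:3.0.0-pro-non-root` in docker-compose-pro.yml (and the matching `-ce-non-root` pair in the docker-compose.yml hunk on this same line) presents the rootless image as a drop-in swap, while the CHANGELOG in this same series states that rootless alternatives are still considered beta, so a reader switching images from this file never sees that caveat. I would carry it into the comment, e.g. `# Alternatively you can use the rootless image (beta, see CHANGELOG):`, which also restores the conventional space after `#` in a YAML comment. Since the service is now selected only by a mutable tag, maintainers may also want to offer a digest-pinned form such as `image: passbolt/passbolt:3.0.0-pro@sha256:<digest placeholder, take it from the registry>` so that the image a host pulls is the one that was reviewed; that is a judgement call rather than a defect in this hunk.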
@@ -20,14 +20,22 @@
 Passbolt is a free and open source password manager that allows team members to
 store and share credentials securely.
 
-# Requirements:
+# Requirements
 
-* rng-tools or haveged are required on host machine to speed up entropy generation on containers.
+* rng-tools or haveged might be required on host machine to speed up entropy generation on containers.
 This way gpg key creation on passbolt container will be faster.
 * mariadb/mysql >= 5.0
 
 # Usage
 
+### docker-compose
+
+Usage:
+
+```
+$ docker-compose up
+```
+
 Users are encouraged to use [official docker image from the docker hub](https://hub.docker.com/r/passbolt/passbolt/).
 
 ## Start passbolt instance
@@ -44,7 +52,7 @@ $ docker run -e MYSQL_ROOT_PASSWORD= \
 ```
 
 Then you can start passbolt just by providing the database container ip in the
-`db_host` environment variable.
+`DATASOURCES_DEFAULT_HOST` environment variable.
 
 ```bash
 $ docker run --name passbolt \
@@ -61,7 +69,7 @@ $ docker run --name passbolt \
 Once the container is running create your first admin user:
 
 ```bash
-$ docker exec passbolt su -m -c "/var/www/passbolt/bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data
+$ docker exec passbolt su -m -c "bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data
 ```
 
 This registration command will return a single use url required to continue the
@@ -74,43 +82,44 @@ available browsing `https://yourdomain.com`
 Passbolt docker image provides several environment variables to configure different aspects:
 
-| Variable name | Description | Default value |
-| ----------------------------------- | -------------------------------- | ------------------- |
-| APP_BASE | it allows people to specify the base subdir the application is running in | null |
-| APP_FULL_BASE_URL | Passbolt base url | false |
-| DATASOURCES_DEFAULT_HOST | Database hostname | localhost |
-| DATASOURCES_DEFAULT_PORT | Database port | 3306 |
-| DATASOURCES_DEFAULT_USERNAME | Database username | '' |
-| DATASOURCES_DEFAULT_PASSWORD | Database password | '' |
-| DATASOURCES_DEFAULT_DATABASE | Database name | '' |
-| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' |
-| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' |
-| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' |
-| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp |
-| EMAIL_DEFAULT_FROM | From email address | you@localhost |
-| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default |
-| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost |
-| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 |
-| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 |
-| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null |
-| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null |
-| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null |
-| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null |
-| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null |
-| GNUPGHOME | path to gnupghome directory | /home/www-data/.gnupg |
-| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048 |
-| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048 |
-| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user |
-| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com |
-| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires |
-| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null |
-| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /var/www/passbolt/config/gpg/serverkey.asc |
-| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /var/www/passbolt/config/gpg/serverkey_private.asc |
-| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true |
-| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true |
-| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false |
-| PASSBOLT_SSL_FORCE | Redirects http to https | true |
-| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true | | SECURITY_SALT | CakePHP security salt | __SALT__ |
+| Variable name | Description | Default value
+| ----------------------------------- | -------------------------------- | -------------------
+| APP_BASE | it allows people to specify the base subdir the application is running in | null
+| APP_FULL_BASE_URL | Passbolt base url | false
+| DATASOURCES_DEFAULT_HOST | Database hostname | localhost
+| DATASOURCES_DEFAULT_PORT | Database port | 3306
+| DATASOURCES_DEFAULT_USERNAME | Database username | ''
+| DATASOURCES_DEFAULT_PASSWORD | Database password | ''
+| DATASOURCES_DEFAULT_DATABASE | Database name | ''
+| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | ''
+| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | ''
+| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | ''
+| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp
+| EMAIL_DEFAULT_FROM | From email address | you@localhost
+| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default
+| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost
+| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25
+| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30
+| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null
+| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null
+| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null
+| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null
+| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null
+| GNUPGHOME | path to gnupghome directory | /var/lib/passbolt/.gnupg
+| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048
+| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048
+| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user
+| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com
+| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires
+| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null
+| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /etc/passbolt/gpg/serverkey.asc
+| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /etc/passbolt/gpg/serverkey_private.asc
+| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true
+| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true
+| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false
+| PASSBOLT_SSL_FORCE | Redirects http to https | true
+| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true
+| SECURITY_SALT | CakePHP security salt | __SALT__
 
 For more env variables supported please check [default.php](https://github.com/passbolt/passbolt_api/blob/master/config/default.php)
 and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/config/app.default.php)
@@ -120,11 +129,11 @@ and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/confi
 What if you already have a set of gpg keys and custom configuration files for
 passbolt? It it possible to mount the desired configuration files as volumes.
 
-* /var/www/passbolt/config/app.php
-* /var/www/passbolt/config/passbolt.php
-* /var/www/passbolt/config/gpg/serverkey.asc
-* /var/www/passbolt/config/gpg/serverkey_private.asc
-* /var/www/passbolt/webroot/img/public/images
+* /etc/passbolt/app.php
+* /etc/passbolt/passbolt.php
+* /etc/passbolt/gpg/serverkey.asc
+* /etc/passbolt/gpg/serverkey_private.asc
+* /usr/share/php/passbolt/webroot/img/public/images
 
 ### SSL certificate files
 
@@ -147,24 +156,22 @@ ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem
 ```
 
-### docker-compose
-
-Usage:
-
-```
-$ docker-compose up
-```
 
 ### CLI healthcheck
 
 In order to run the healtcheck from the CLI on the container:
 
+On a root docker image:
+
 ```
-$ su -c "source /etc/environment; bin/cake passbolt healthcheck" -s /bin/bash www-data
+$ su -s /bin/bash www-data
+$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
+$ bin/cake passbolt healthcheck
 ```
 
-# Requirements:
+Non root image:
 
-* rng-tools or haveged are required on host machine to speed up entropy generation on containers.
-This way gpg key creation on passbolt container will be faster.
-* mariadb/mysql >= 5.6
+```
+$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
+$ bin/cake passbolt healthcheck
+```