CommunEu
/
Passbolt
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'release/v3.0.0'

This commit is contained in:
Diego Lendoiro 2021-02-23 16:59:16 +01:00
parent 802c9f7c84 6359b110c9
commit be64af4241
No known key found for this signature in database
GPG Key ID: 3808AD1A50FF0B59
4 changed files with 123 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
CHANGELOG.md
View File

@ -2,7 +2,53 @@
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).
## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v2.13.5...HEAD)
## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.0.0...HEAD)
## [3.0.0](https://github.com/passbolt/passbolt_docker/compare/v2.13.5...v3.0.0) - 2021-02-23
We are happy to announce the release of passbolt docker 3.0.0!
This release contains passbolt-api 3.0.0 as well as some new additions and deprection
notices.
Passbolt docker images now rely on passbolt's debian package. As a result the dockerfiles
are now using debian-slim as base images and not longer rely on docker php library images.
As a result of using debian packages some paths such as /var/www/passbolt are going to be
deprecated. This release still supports both paths by symlinking so users should not
be impacted by the path changes. We strongly recommend that you update your volumes
accordingly.
We have also released a rootless image that runs entirely under www-data user and uses
supercronic instead of plain cron to run the background tasks. We aim to make a transition
to rootless images by default to make our docker images a bit more secure by default.
However, rootless alternatives are still considered beta.
As with this release passbolt images are no longer tagged with the '-debian' suffix. Instead:
- Passbolt docker CE images will be tagged as: passbolt/passbolt:<version>-ce
- Passbolt docker CE rootless images will be tagged as: passbolt/passbolt:<version>-ce-non-root
- Passbolt docker pro images will be tagged as: passbolt/passbolt:<version>-pro
- Passbolt docker pro rootless images will be tagged as: passbolt/passbolt:<version>-pro-non-root
You can still find the old Dockerfiles on the dev/ directory as they are still quite
handy for development purposes.
### Added
- New debian package based docker images
- New rootless images
- Supercronic introduced on rootless images
### Changed
- Passbolt installation uses official passbolt debian packages
- /var/www/passbolt files are now in /usr/share/php/passbolt
- /var/www/passbolt/config files are no in /etc/passbolt
- Default workdir is now /usr/share/php/passbolt
- Old docker images moved to dev/ directory
- debian Dockerfiles moved to debian/ directory
- Deprecation message is shown on startup of the containers if old paths detected
## [2.13.5](https://github.com/passbolt/passbolt_docker/compare/v2.13.1...v2.13.5) - 2020-08-04

126
README.md
View File

@ -6,7 +6,7 @@
/_/ \__,_/____/____/_,___/\____/_/\__/ `,.__. ^___.-/
`-./ .'...--`
The open source password manager for teams `'
(c) 2018 Passbolt SARL
(c) 2021 Passbolt SA
https://www.passbolt.com
```
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/0de4eaf7426944769a70a2d727a9012b)](https://www.codacy.com/app/passbolt/passbolt_docker?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=passbolt/passbolt_docker&amp;utm_campaign=Badge_Grade)
@ -20,14 +20,22 @@
Passbolt is a free and open source password manager that allows team members to
store and share credentials securely.
# Requirements:
# Requirements
* rng-tools or haveged are required on host machine to speed up entropy generation on containers.
* rng-tools or haveged might be required on host machine to speed up entropy generation on containers.
This way gpg key creation on passbolt container will be faster.
* mariadb/mysql >= 5.0
# Usage
### docker-compose
Usage:
```
$ docker-compose up
```
Users are encouraged to use [official docker image from the docker hub](https://hub.docker.com/r/passbolt/passbolt/).
## Start passbolt instance
@ -44,7 +52,7 @@ $ docker run -e MYSQL_ROOT_PASSWORD=<root_password> \
```
Then you can start passbolt just by providing the database container ip in the
`db_host` environment variable.
`DATASOURCES_DEFAULT_HOST` environment variable.
```bash
$ docker run --name passbolt \
@ -61,7 +69,7 @@ $ docker run --name passbolt \
Once the container is running create your first admin user:
```bash
$ docker exec passbolt su -m -c "/var/www/passbolt/bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data
$ docker exec passbolt su -m -c "bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data
```
This registration command will return a single use url required to continue the
@ -74,44 +82,44 @@ available browsing `https://yourdomain.com`
Passbolt docker image provides several environment variables to configure different aspects:
| Variable name | Description | Default value |
| ----------------------------------- | -------------------------------- | ------------------- |
| APP_BASE | it allows people to specify the base subdir the application is running in | null |
| APP_FULL_BASE_URL | Passbolt base url | false |
| DATASOURCES_DEFAULT_HOST | Database hostname | localhost |
| DATASOURCES_DEFAULT_PORT | Database port | 3306 |
| DATASOURCES_DEFAULT_USERNAME | Database username | '' |
| DATASOURCES_DEFAULT_PASSWORD | Database password | '' |
| DATASOURCES_DEFAULT_DATABASE | Database name | '' |
| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' |
| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' |
| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' |
| DATASOURCES_QUOTE_IDENTIFIER | Enable database quoting ([needed for for MySQL 8+](https://github.com/passbolt/passbolt_api/issues/325)) | false |
| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp |
| EMAIL_DEFAULT_FROM | From email address | you@localhost |
| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default |
| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost |
| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 |
| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 |
| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null |
| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null |
| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null |
| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null |
| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null |
| GNUPGHOME | path to gnupghome directory | /home/www-data/.gnupg |
| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048 |
| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048 |
| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user |
| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com |
| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires |
| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null |
| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /var/www/passbolt/config/gpg/serverkey.asc |
| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /var/www/passbolt/config/gpg/serverkey_private.asc |
| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true |
| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true |
| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false |
| PASSBOLT_SSL_FORCE | Redirects http to https | true |
| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true | | SECURITY_SALT | CakePHP security salt | __SALT__ |
| Variable name | Description | Default value
| ----------------------------------- | -------------------------------- | -------------------
| APP_BASE | it allows people to specify the base subdir the application is running in | null
| APP_FULL_BASE_URL | Passbolt base url | false
| DATASOURCES_DEFAULT_HOST | Database hostname | localhost
| DATASOURCES_DEFAULT_PORT | Database port | 3306
| DATASOURCES_DEFAULT_USERNAME | Database username | ''
| DATASOURCES_DEFAULT_PASSWORD | Database password | ''
| DATASOURCES_DEFAULT_DATABASE | Database name | ''
| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | ''
| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | ''
| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | ''
| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp
| EMAIL_DEFAULT_FROM | From email address | you@localhost
| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default
| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost
| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25
| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30
| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null
| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null
| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null
| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null
| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null
| GNUPGHOME | path to gnupghome directory | /var/lib/passbolt/.gnupg
| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048
| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048
| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user
| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com
| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires
| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null
| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /etc/passbolt/gpg/serverkey.asc
| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /etc/passbolt/gpg/serverkey_private.asc
| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true
| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true
| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false
| PASSBOLT_SSL_FORCE | Redirects http to https | true
| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true
| SECURITY_SALT | CakePHP security salt | __SALT__
For more env variables supported please check [default.php](https://github.com/passbolt/passbolt_api/blob/master/config/default.php)
and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/config/app.default.php)
@ -121,11 +129,11 @@ and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/confi
What if you already have a set of gpg keys and custom configuration files for passbolt?
It it possible to mount the desired configuration files as volumes.
* /var/www/passbolt/config/app.php
* /var/www/passbolt/config/passbolt.php
* /var/www/passbolt/config/gpg/serverkey.asc
* /var/www/passbolt/config/gpg/serverkey_private.asc
* /var/www/passbolt/webroot/img/public/images
* /etc/passbolt/app.php
* /etc/passbolt/passbolt.php
* /etc/passbolt/gpg/serverkey.asc
* /etc/passbolt/gpg/serverkey_private.asc
* /usr/share/php/passbolt/webroot/img/public/images
### SSL certificate files
@ -148,24 +156,22 @@ ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
```
### docker-compose
Usage:
```
$ docker-compose up
```
### CLI healthcheck
In order to run the healtcheck from the CLI on the container:
On a root docker image:
```
$ su -c "source /etc/environment; bin/cake passbolt healthcheck" -s /bin/bash www-data
$ su -s /bin/bash www-data
$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
$ bin/cake passbolt healthcheck
```
# Requirements:
Non root image:
* rng-tools or haveged are required on host machine to speed up entropy generation on containers.
This way gpg key creation on passbolt container will be faster.
* mariadb/mysql >= 5.6
```
$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
$ bin/cake passbolt healthcheck
```

5
docker-compose-pro.yml
View File

@ -11,6 +11,8 @@ services:
passbolt:
image: passbolt/passbolt:3.0.0-pro
#Alternatively you can use rootless:
#image: passbolt/passbolt:3.0.0-pro-non-root
tty: true
depends_on:
- db
@ -24,6 +26,9 @@ services:
ports:
- 80:80
- 443:443
#Alternatively for non-root images:
# - 80:8080
# - 443:4433
volumes:
database_volume:

5
docker-compose.yml
View File

@ -11,6 +11,8 @@ services:
passbolt:
image: passbolt/passbolt:3.0.0-ce
#Alternatively you can use rootless:
#image: passbolt/passbolt:3.0.0-ce-non-root
tty: true
depends_on:
- db
@ -23,6 +25,9 @@ services:
ports:
- 80:80
- 443:443
#Alternatively for non-root images:
# - 80:8080
# - 443:4433
volumes:
database_volume: