Check if entrypoint.sh was changed, as we are using it to add our code.
No code updates, only version updates
- Update the code with the small updates (do not update any Debian OS related version)
- Fix the commit id in the Readme.md file
This repo was made from the bitnami repo, with the following differences:
- Added our scripts
- Update ./rootfs/opt/bitnami/scripts/matomo/entrypoint.sh
  a. Update if line to support run_docker commands
  b. add /use_matomo_in_rancher.sh
Until the bug "Avoid empty string values in serialized referrer cookie" (#22071) is fixed, you need to update the js files.
You need to fork matomo repository and rebase the branch m21170 with the latest changes.
You should re-minify the js files to make sure they were rebased correctly:
To install YUICompressor run:
cd /path/to/piwik/js/
wget https://github.com/yui/yuicompressor/releases/download/v2.4.8/yuicompressor-2.4.8.zip
unzip yuicompressor-2.4.8.zip
To compress the code containing the evil "eval", run:
cd /path/to/piwik/js/
sed '/<DEBUG>/,/<\/DEBUG>/d' < piwik.js | sed 's/eval/replacedEvilString/' | java -jar yuicompressor-2.4.8.jar --type js --line-break 1000 | sed 's/replacedEvilString/eval/' | sed 's/^[/][*]/\/*!/' > piwik.min.js && cp piwik.min.js ../piwik.js && cp piwik.min.js ../matomo.js

echo "show tables;" | mysql -p"$MARIADB_ROOT_PASSWORD" "$MARIADB_DATABASE" | grep -v ^matomo_log_ | grep -v ^matomo_archive_ | grep -v ^Tables_in_eea | tr '\n' ' ' > /var/lib/mysql/tablelist.txt
echo "show tables;" | mysql -p"$MARIADB_ROOT_PASSWORD" "$MARIADB_DATABASE" | grep -E '^matomo_log_|^matomo_archive_' | grep -v ^Tables_in_eea | tr '\n' ' ' > /var/lib/mysql/tablelist-data.txt
mysqldump -u root -p"$MARIADB_ROOT_PASSWORD" --add-drop-table "$MARIADB_DATABASE" $(cat /var/lib/mysql/tablelist.txt) > /var/lib/mysql/backup_$(date '+%F').sql
mysqldump -u root -p"$MARIADB_ROOT_PASSWORD" --add-drop-table --no-data "$MARIADB_DATABASE" $(cat /var/lib/mysql/tablelist-data.txt) >> /var/lib/mysql/backup_$(date '+%F').sql
The image contains a scheduled task to synchronize the local users with the Entra ID users. The steps are:
- Create in Matomo all the new users from Entra ID, without access rights
- Update in Matomo all the e-mails with different case
- For the users in the specified AZURE_VIEW_GROUP Entra group (and its subgroups), add view rights to all the Matomo sites. This applies also to newly added sites.
- Delete from Matomo all the users that are not in Entra anymore
The user identification is only possible via the e-mail field.
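The four steps above can be expressed as a dry-run plan computed from e-mail lists, which makes the case-insensitive matching and the ADMIN_EMAIL exception easy to check before anything is written. This is an added example, not the repo's matomo_entra_sync.php. The function name, array shapes, the empty-result safeguard and the sample data are assumptions, and the view group is assumed to be already expanded to its members.

```php
<?php
// Added example: dry-run plan for the four sync steps (not the repo's own script).
// Names, array shapes and sample addresses are assumptions made for this illustration.
function plan_entra_sync(array $entraEmails, array $viewGroupEmails, array $matomoEmails, ?string $adminEmail): array
{
    // E-mail is the only identifier available, so both sides are indexed by lower-cased e-mail.
    $key = fn(string $e): string => strtolower(trim($e));
    $entra = [];
    foreach ($entraEmails as $e) { $entra[$key($e)] = $e; }
    $matomo = [];
    foreach ($matomoEmails as $e) { $matomo[$key($e)] = $e; }

    // Assumed safeguard (not stated on the page): an empty Entra result, for example
    // after a failed Graph call, would otherwise plan the deletion of every Matomo user.
    if ($entra === []) {
        throw new RuntimeException('Entra returned no users; refusing to plan deletions');
    }

    $plan = ['create' => [], 'fix_case' => [], 'grant_view' => [], 'delete' => []];
    foreach ($entra as $k => $email) {
        if (!isset($matomo[$k])) {
            $plan['create'][] = $email;                  // step 1: new user, no access rights
        } elseif ($matomo[$k] !== $email) {
            $plan['fix_case'][] = [$matomo[$k], $email]; // step 2: same user, different case
        }
    }
    foreach ($viewGroupEmails as $e) {
        if (isset($entra[$key($e)])) {
            $plan['grant_view'][] = $entra[$key($e)];    // step 3: view rights on all sites
        }
    }
    $protected = $adminEmail !== null ? $key($adminEmail) : null;
    foreach ($matomo as $k => $email) {
        if (!isset($entra[$k]) && $k !== $protected) {
            $plan['delete'][] = $email;                  // step 4: no longer in Entra
        }
    }
    return $plan;
}

// Constructed sample data.
$plan = plan_entra_sync(
    ['Alice@example.org', 'bob@example.org', 'carol@example.org'],                      // Entra users
    ['carol@example.org'],                                                              // view group members
    ['alice@example.org', 'bob@example.org', 'dave@example.org', 'backup@example.org'], // Matomo users
    'Backup@Example.org'                                                                // ADMIN_EMAIL
);
print_r($plan);
```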
The script matomo_entra_sync.php uses the following environment variables, that have to be configured in the orchestrator:
- AZURE_TENANT_ID - the tenant ID from Entra
- AZURE_CLIENT_ID - the client ID of the Entra application
- AZURE_CLIENT_SECRET - the secret of the Entra application
- AZURE_VIEW_GROUP - the Entra group of the users to be synchronized
- ADMIN_EMAIL - a user e-mail to be avoided when deleting users that are not in Entra (optional, for a local backup user)
- SYNC_DEBUG - enables verbose output (optional, true/false, default false)
The Entra ID application set up above needs to have read access to the Graph API to read users and groups.
The other environment variables should be already set up for Matomo:
- MATOMO_DATABASE_HOST
- MATOMO_DATABASE_USER
- MATOMO_DATABASE_PASSWORD
- MATOMO_DATABASE_NAME
- MATOMO_DATABASE_PORT_NUMBER - defaults to 3306
To schedule, the existing run_ldapsync.sh script is modified to start the php script.