
Commit 402f9e4

committed
Merge branch 'release/v3.10.0'
2 parents 43edcbb + ac518b1 commit 402f9e4


7 files changed

+117
-70
lines changed


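--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,6 @@ src
 
 # docker compose specific
 dev/.env
+
+# Vim session files
+*.vim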

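--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,12 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.9.4...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.10.0...HEAD)
+
+## [3.10.0](https://github.com/passbolt/passbolt_docker/compare/v3.9.4...v3.10.0) - 2023-05-02
+
+### Added
+- Make rootless docker image to own the supervisor files [#197](https://github.com/passbolt/passbolt_docker/pull/197)
 
 ## [3.9.4](https://github.com/passbolt/passbolt_docker/compare/v3.9.3...v3.9.4) - 2023-04-18
 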
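--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -6,12 +6,12 @@ GEM
 docker-api (2.2.0)
 excon (>= 0.47.0)
 multi_json
-excon (0.98.0)
+excon (0.99.0)
 method_source (1.0.0)
 multi_json (1.15.0)
 net-scp (4.0.0)
 net-ssh (>= 2.6.5, < 8.0.0)
-net-ssh (7.0.1)
+net-ssh (7.1.0)
 net-telnet (0.1.1)
 pry (0.14.2)
 coderay (~> 1.1)
@@ -21,25 +21,25 @@ GEM
 rspec-core (~> 3.12.0)
 rspec-expectations (~> 3.12.0)
 rspec-mocks (~> 3.12.0)
-rspec-core (3.12.0)
+rspec-core (3.12.2)
 rspec-support (~> 3.12.0)
-rspec-expectations (3.12.2)
+rspec-expectations (3.12.3)
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.12.0)
 rspec-its (1.3.0)
 rspec-core (>= 3.0.0)
 rspec-expectations (>= 3.0.0)
-rspec-mocks (3.12.3)
+rspec-mocks (3.12.5)
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.12.0)
 rspec-support (3.12.0)
-serverspec (2.42.1)
+serverspec (2.42.2)
 multi_json
 rspec (~> 3.0)
 rspec-its
 specinfra (~> 2.72)
 sfl (2.3)
-specinfra (2.84.1)
+specinfra (2.85.0)
 net-scp
 net-ssh (>= 2.7)
 net-telnet (= 0.1.1)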

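--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -15,32 +15,32 @@ ENV PASSBOLT_FLAVOUR=$PASSBOLT_FLAVOUR
 ENV PASSBOLT_PKG="passbolt-$PASSBOLT_FLAVOUR-server"
 
 RUN apt-get update \
-&& DEBIAN_FRONTEND=non-interactive apt-get -y install \
-ca-certificates \
-gnupg \
-&& apt-key adv --keyserver $PASSBOLT_SERVER_KEY --recv-keys $PASSBOLT_PKG_KEY \
-&& echo "deb $PASSBOLT_REPO_URL $PASSBOLT_DISTRO $PASSBOLT_COMPONENT" > /etc/apt/sources.list.d/passbolt.list \
-&& apt-get update \
-&& DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
-nginx \
-$PASSBOLT_PKG \
-supervisor \
-curl \
-&& rm -f /etc/passbolt/jwt/* \
-&& rm /etc/nginx/sites-enabled/default \
-&& mkdir /run/php \
-&& cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
-&& sed -i 's,;clear_env = no,clear_env = no,' /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
-&& sed -i 's,# include __PASSBOLT_SSL__,include /etc/nginx/snippets/passbolt-ssl.conf;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
-&& sed -i '/listen \[\:\:\]\:443 ssl http2;/a listen 443 ssl http2;' /etc/nginx/snippets/passbolt-ssl.conf \
-&& sed -i 's,__CERT_PATH__,/etc/ssl/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \
-&& sed -i 's,__KEY_PATH__,/etc/ssl/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \
-&& sed -i 's,www-data.*$,root su -s /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron" www-data >/proc/1/fd/1 2>\&1,' /etc/cron.d/$PASSBOLT_PKG \
-&& sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \
-&& ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
-&& ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
-&& ln -sf /dev/stderr /var/log/passbolt/error.log \
-&& ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log
+&& DEBIAN_FRONTEND=non-interactive apt-get -y install \
+ca-certificates \
+gnupg \
+&& apt-key adv --keyserver $PASSBOLT_SERVER_KEY --recv-keys $PASSBOLT_PKG_KEY \
+&& echo "deb $PASSBOLT_REPO_URL $PASSBOLT_DISTRO $PASSBOLT_COMPONENT" > /etc/apt/sources.list.d/passbolt.list \
+&& apt-get update \
+&& DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
+nginx \
+$PASSBOLT_PKG \
+supervisor \
+curl \
+&& rm -f /etc/passbolt/jwt/* \
+&& rm /etc/nginx/sites-enabled/default \
+&& mkdir /run/php \
+&& cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
+&& sed -i 's,;clear_env = no,clear_env = no,' /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
+&& sed -i 's,# include __PASSBOLT_SSL__,include /etc/nginx/snippets/passbolt-ssl.conf;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+&& sed -i '/listen \[\:\:\]\:443 ssl http2;/a listen 443 ssl http2;' /etc/nginx/snippets/passbolt-ssl.conf \
+&& sed -i 's,__CERT_PATH__,/etc/ssl/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \
+&& sed -i 's,__KEY_PATH__,/etc/ssl/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \
+&& sed -i 's,www-data.*$,root su -s /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron" www-data >/proc/1/fd/1 2>\&1,' /etc/cron.d/$PASSBOLT_PKG \
+&& sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \
+&& ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
+&& ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
+&& ln -sf /dev/stderr /var/log/passbolt/error.log \
+&& ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log
 
 COPY conf/supervisor/cron.conf /etc/supervisor/conf.d/cron.conf
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
@@ -52,6 +52,13 @@ COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.
 COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
+# Docker API does not support buildkit so we
+# need to do this workaround https://github.com/docker/for-linux/issues/1136
+RUN chmod 0644 /etc/supervisor/conf.d/* \
+&& chmod 0700 /docker-entrypoint.sh \
+&& chmod 0700 /passbolt/* \
+&& chmod 0700 /usr/bin/wait-for.sh
+
 EXPOSE 80 443
 
 WORKDIR /usr/share/php/passbolt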
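Review bot: The new `RUN chmod` block at new lines 57-60 fixes modes after the COPYs, which on overlay-backed builds typically copies every file it touches into an additional layer, so the image ends up carrying two copies of each entrypoint script and supervisor config; the comment above it only says that the Docker API lacks BuildKit. Extending that comment would stop the next maintainer from folding the RUN back into the COPYs or dropping it: `# COPY --chmod needs BuildKit, which the Docker API used by the specs does not support; this RUN re-layers the copied files — switch to COPY --chmod once BuildKit is available.` The same applies to the matching block in debian/Dockerfile.rootless. Note also that this image uses 0700 on the scripts while the rootless one uses 0755 on the same paths; that difference presumably follows from which account runs the entrypoint in each image, and a one-line comment at the chmod would keep the two files from drifting apart.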

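--- a/debian/Dockerfile.rootless
+++ b/debian/Dockerfile.rootless
@@ -40,6 +40,8 @@ RUN apt-get update \
 && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
 
 COPY conf/supervisor/cron.conf.rootless /etc/supervisor/conf.d/cron.conf
+COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
+COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
 
 RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
 && sed -i 's,listen \[\:\:\]\:80;,listen \[\:\:\]\:8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
@@ -67,6 +69,9 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
 && chown www-data:0 /etc/passbolt/certs \
 && chown www-data:0 /etc/passbolt/jwt \
 && chown www-data:0 /var/log/supervisor \
+&& chown www-data:0 /etc/supervisor/conf.d/cron.conf \
+&& chown www-data:0 /etc/supervisor/conf.d/php.conf \
+&& chown www-data:0 /etc/supervisor/conf.d/nginx.conf \
 && chown -R www-data:0 /var/log/nginx \
 && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
 && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
@@ -81,15 +86,20 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
 && chown www-data:www-data /etc/environment \
 && chmod 600 /etc/environment
 
-COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
-COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
 COPY scripts/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh
 COPY scripts/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh
 COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh
 COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
 COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
+# Docker API does not support buildkit so we
+# need to do this workaround https://github.com/docker/for-linux/issues/1136
+RUN chmod 0644 /etc/supervisor/conf.d/* \
+&& chmod 0755 /docker-entrypoint.sh \
+&& chmod 0755 /passbolt/* \
+&& chmod 0755 /usr/bin/wait-for.sh
+
 EXPOSE 8080 4433
 
 WORKDIR /usr/share/php/passbolt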
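Review bot: The three new `chown www-data:0` lines for the supervisor program files (new lines 72-74), combined with the later `chmod 0644 /etc/supervisor/conf.d/*`, leave the program definitions owner-writable by the same www-data account that runs nginx, php-fpm and cron, so a compromised service process could rewrite what supervisord launches; since the rootless image presumably runs supervisord under that same account this is not a privilege escalation, but it is broader than needed if nothing edits these files at runtime. If the rootless entrypoint does rewrite them (this diff does not show it), say so next to the chown: `# www-data must own the supervisor program files because the rootless entrypoint edits them at startup`; otherwise a 0444 after the chown is the least-privilege setting, and the new `be_writable.by('owner')` expectation in spec/docker_image/image_spec.rb would have to follow. Moving the nginx.conf and php.conf COPYs ahead of the chown RUN (first hunk) is what makes the chown work at all; a short comment there would keep someone from moving them back down.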

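--- a/spec/docker_image/image_spec.rb
+++ b/spec/docker_image/image_spec.rb
@@ -2,14 +2,13 @@
 require 'json'
 
 describe 'Dockerfile' do
-
 before(:all) do
 set :env, {
-'DATASOURCES_DEFAULT_HOST' => '172.17.0.2',
+'DATASOURCES_DEFAULT_HOST' => '172.17.0.2',
 'DATASOURCES_DEFAULT_PASSWORD' => 'P4ssb0lt',
 'DATASOURCES_DEFAULT_USERNAME' => 'passbolt',
 'DATASOURCES_DEFAULT_DATABASE' => 'passbolt',
-'PASSBOLT_GPG_KEYRING' => '/var/lib/passbolt/.gnupg'
+'PASSBOLT_GPG_KEYRING' => '/var/lib/passbolt/.gnupg'
 }
 
 if ENV['GITLAB_CI']
@@ -18,13 +17,19 @@
 'password' => ENV['CI_REGISTRY_PASSWORD'].to_s,
 'serveraddress' => 'https://registry.gitlab.com/'
 )
-if ENV['ROOTLESS'] == 'true'
-@image = Docker::Image.create('fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-rootless-latest")
-else
-@image = Docker::Image.create('fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-root-latest")
-end
+@image = if ENV['ROOTLESS'] == 'true'
+Docker::Image.create('fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-rootless-latest")
+else
+Docker::Image.create('fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-root-latest")
+end
 else
-@image = Docker::Image.build_from_dir(ROOT_DOCKERFILES, { 'dockerfile' => $dockerfile, 'buildargs' => JSON.generate($buildargs) } )
+@image = Docker::Image.build_from_dir(
+ROOT_DOCKERFILES,
+{
+'dockerfile' => $dockerfile,
+'buildargs' => JSON.generate($buildargs)
+}
+)
 end
 set :docker_image, @image.id
 set :docker_container_create_options, { 'Cmd' => '/bin/sh' }
@@ -34,22 +39,24 @@
 let(:php_conf) { '/etc/php/7.4/fpm/php.ini' }
 let(:site_conf) { '/etc/nginx/sites-enabled/nginx-passbolt.conf' }
 let(:supervisor_conf) do
-[ '/etc/supervisor/conf.d/nginx.conf',
-'/etc/supervisor/conf.d/php.conf',
-'/etc/supervisor/conf.d/cron.conf' ]
+['/etc/supervisor/conf.d/nginx.conf',
+'/etc/supervisor/conf.d/php.conf',
+'/etc/supervisor/conf.d/cron.conf']
 end
 let(:passbolt_home) { '/usr/share/php/passbolt' }
 let(:passbolt_tmp) { '/var/lib/passbolt/tmp' }
 let(:passbolt_image) { "#{passbolt_home}/webroot/img/public" }
 let(:passbolt_owner) { 'www-data' }
-let(:exposed_ports) { [ $http_port, $https_port ] }
-let(:php_extensions) { [
-'gd', 'intl', 'json', 'mysqlnd', 'xsl', 'phar',
-'posix', 'xml', 'zlib', 'ctype', 'pdo', 'gnupg', 'pdo_mysql'
-] }
+let(:exposed_ports) { [$http_port, $https_port] }
+let(:php_extensions) do
+%w[
+gd intl json mysqlnd xsl phar
+posix xml zlib ctype pdo gnupg pdo_mysql
+]
+end
 let(:wait_for) { '/usr/bin/wait-for.sh' }
-jwt_conf = "#{PASSBOLT_CONFIG_PATH + '/jwt'}"
-let(:jwt_key_pair) { [ "#{jwt_conf}/jwt.key", "#{jwt_conf}/jwt.pem" ] }
+let(:jwt_conf) { "#{PASSBOLT_CONFIG_PATH + '/jwt'}" }
+let(:jwt_key_pair) { ["#{jwt_conf}/jwt.key", "#{jwt_conf}/jwt.pem"] }
 
 describe 'passbolt required php extensions' do
 it 'has php extensions installed' do
@@ -67,6 +74,14 @@
 it 'has config files' do
 supervisor_conf.each do |config|
 expect(file(config)).to exist
+if ENV['ROOTLESS'] == 'true'
+expect(file(config)).to be_owned_by(passbolt_owner)
+else
+expect(file(config)).to be_owned_by('root')
+end
+expect(file(config)).to be_writable.by('owner')
+expect(file(config)).not_to be_writable.by('group')
+expect(file(config)).not_to be_writable.by('others')
 end
 end
 end
@@ -159,36 +174,43 @@
 end
 end
 
-describe file(jwt_conf) do
-it { should be_a_directory }
-it { should be_mode 770 }
-it { should be_owned_by($root_user) }
-it { should be_grouped_into($config_group) }
-end
+describe 'jwt configuration' do
+it 'should have the correct permissions' do
+expect(file(jwt_conf)).to be_a_directory
+expect(file(jwt_conf)).to be_mode 770
+expect(file(jwt_conf)).to be_owned_by($root_user)
+expect(file(jwt_conf)).to be_grouped_into($config_group)
+end
 
-describe file("#{jwt_conf}/jwt.key") do
-it { should_not exist }
-end
-describe file("#{jwt_conf}/jwt.pem") do
-it { should_not exist }
+describe 'JWT key file' do
+it 'should not exist' do
+expect(file("#{jwt_conf}/jwt.key")).not_to exist
+end
+end
+
+describe 'JWT pem file' do
+it 'should not exist' do
+expect(file("#{jwt_conf}/jwt.pem")).not_to exist
+end
+end
 end
 
 describe '/etc/environment' do
 it 'exists and has the correct permissions' do
 expect(file('/etc/environment')).to exist
 if ENV['ROOTLESS'] == 'true'
 expect(file('/etc/environment')).to be_owned_by(passbolt_owner)
-expect(file('/etc/environment')).to be_mode 600
+expect(file('/etc/environment')).to be_mode 600
 else
 expect(file('/etc/environment')).to be_owned_by($root_user)
-expect(file('/etc/environment')).to be_mode 644
+expect(file('/etc/environment')).to be_mode 644
 end
 end
 end
 
 describe 'cron table' do
 it 'exists and executes the email job' do
-expect(cron.table).to match(/PASSBOLT_BASE_DIR\/bin\/cron/)
+expect(cron.table).to match(%r{PASSBOLT_BASE_DIR/bin/cron})
 end
 end
 end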
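Review bot: The new assertions in 'has config files' (new lines 77-84) pin ownership and writability but leave the rest of the mode unchecked, while both Dockerfiles now set `chmod 0644 /etc/supervisor/conf.d/*` explicitly and the `/etc/environment` example in this same file pins its mode with `be_mode`; adding `expect(file(config)).to be_mode 644` would make the spec match the Dockerfiles and also catch a stray executable or setuid bit that the three writability checks cannot see. In the jwt hunk, the 'JWT key file' and 'JWT pem file' groups spell out the two paths that the new `let(:jwt_key_pair)` already lists, so `jwt_key_pair.each { |key| expect(file(key)).not_to exist }` in a single example would keep the two in sync (unless jwt_key_pair is consumed elsewhere, which this diff does not show). Two style points on the new lines: `let(:jwt_conf) { "#{PASSBOLT_CONFIG_PATH + '/jwt'}" }` wraps a concatenation in an interpolation and reads more simply as `let(:jwt_conf) { "#{PASSBOLT_CONFIG_PATH}/jwt" }`, and the example names `it 'should have the correct permissions'` / `it 'should not exist'` can drop the leading "should" to match `it 'exists and has the correct permissions'` further down.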

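--- a/spec/docker_runtime/runtime_spec.rb
+++ b/spec/docker_runtime/runtime_spec.rb
@@ -100,7 +100,7 @@
 )
 @container.exec(['cp', '/tmp/passbolt-cron-temporary', "/etc/cron.d/passbolt-#{ENV['PASSBOLT_FLAVOUR']}-server"])
 # force reload supercronic cron file
-@container.exec(['supervisorctl', 'restart', 'cron'])
+@container.exec(%w[supervisorctl restart cron])
 
 # wait for cron
 sleep 61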
