added auto-recognition of package versions, updated containerfiles with new paths

5 years ago · 9456b02238
15 changed files with 155 additions and 65 deletions
--- a/bin/pdm-build
+++ b/bin/pdm-build
@ -64,6 +64,10 @@ fi

 # Main

+# tell buildah to build images in docker format instead of the default OCI format
+# because only docker-format images can use the SHELL directive in Containerfiles
+export BUILDAH_FORMAT=docker
+
 # build image
 echo "Building image ..."
 podman build -f Containerfile -t tmp-$epoch $buildopts || quit $?
--- a/src/debian/Containerfile
+++ b/src/debian/Containerfile
@ -2,11 +2,21 @@ FROM debian:stable
 CMD [ "/sbin/init" ]
 ENTRYPOINT [ "/sbin/init" ]

+# set default working directory as root for child images
 WORKDIR /root/
+ONBUILD WORKDIR /root/
+
+# set bash as the default shell for executing commands 
+# inside Containerfiles for child images
+ONBUILD SHELL ["/bin/bash", "-c"]
+
+# tell bash to read /etc/environment when being run
+# non-interactively for child images
+ONBUILD ENV BASH_ENV=/etc/environment

 # We can't use timedatectl because systemd isn't available
 # during the build process, so we have to set the timezone manually
-ENV TZ=US/Central
+ENV TZ=US/Eastern
 RUN rm /etc/localtime && \
    ln -s /usr/share/zoneinfo/$TZ /etc/localtime && \
    echo $TZ > /etc/timezone
--- a/src/debian/assets/bash.bashrc
+++ b/src/debian/assets/bash.bashrc
@ -6,6 +6,9 @@
 # If not running interactively, don't do anything
 [ -z "$PS1" ] && return

+# load environment variables
+. /etc/environment
+
 # check the window size after each command and, if necessary,
 # update the values of LINES and COLUMNS.
 shopt -s checkwinsize
--- a/src/gitea/Containerfile
+++ b/src/gitea/Containerfile
@ -9,16 +9,9 @@ LABEL deployopts="\
 -p 9081:80 \
 -p 9022:22 \
 -v /srv/vol/gitea/git:/vol/git \
-v /srv/vol/gitea/db:/vol/db"
-# make sure mount directories exist
-RUN mkdir -p /vol/git /vol/db
+-v /srv/vol/gitea/data:/vol/data"

 # Build variables
-# version of Gitea
-# see the Gitea github page to determine the latest stable release
-ARG giteav=1.12.1
-# version of postgres
-ARG psqlv=11
 # uid that the files owner user should have
 ARG FILESUID=5000

@ -26,9 +19,6 @@ ARG FILESUID=5000
 # database name and user
 ENV DBUSER=gtadmin
 ENV DBNAME=gitea
-# put environment variables in /etc/environment so we can access them from cron scripts
-RUN echo "DBUSER=$DBUSER" >> /etc/environment && \
-    echo "DBNAME=$DBNAME" >> /etc/environment

 ###
 ### General Setup
@ -37,6 +27,14 @@ RUN echo "DBUSER=$DBUSER" >> /etc/environment && \
 # install packages we want
 RUN apt update -y && apt install -y postgresql postgresql-doc git

+# put database variables in /etc/environment so anyone can access them
+# also autodetect versions of postgres and gitea and put them in /etc/environment as well
+RUN echo "DBUSER=$DBUSER" >> /etc/environment && \
+    echo "DBNAME=$DBNAME" >> /etc/environment && \
+    echo "PSQLV=$(psql -V | cut -d ' ' -f 3 | cut -d '.' -f 1)" >> /etc/environment && \
+    echo "GITEAV=$(wget -q -O - https://dl.gitea.io/gitea/ | grep -m 1 'Current Release' \
+                 | perl -pe 's/.*Current Release ([\d.]+).*/\1/')" >> /etc/environment
+
 # create gitea user with file owner UID
 RUN addgroup --gid $FILESUID gitea && \
    adduser gitea --ingroup gitea --uid $FILESUID --disabled-password --gecos "Gitea Server" --shell /usr/sbin/nologin --home /var/lib/gitea
@ -49,15 +47,15 @@ COPY assets/bin/ /usr/local/bin/
 ###

 # configure PostgreSQL access
-COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${psqlv}/main/pg_hba.conf
+COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${PSQLV:?}/main/pg_hba.conf

 ###
 ### Gitea
 ###

 # dowload gitea
-RUN wget https://dl.gitea.io/gitea/${giteav}/gitea-${giteav}-linux-amd64 && \
-    mv gitea-${giteav}-linux-amd64 /usr/local/bin/gitea && \
+RUN wget https://dl.gitea.io/gitea/${GITEAV:?}/gitea-${GITEAV:?}-linux-amd64 && \
+    mv gitea-${GITEAV:?}-linux-amd64 /usr/local/bin/gitea && \
    chmod +x /usr/local/bin/gitea

 # make directories gitea needs
--- a/src/gitea/assets/bin/maint
+++ b/src/gitea/assets/bin/maint
@ -8,7 +8,7 @@ day=$(date +%d)
 month=$(date +%m)
 year=$(date +%Y)

-dumpdir=/vol/db
+dumpdir=/vol/data
 errlog=error/$year-$month-$day-T$hour.log

 mkdir -p $dumpdir/error
--- a/src/mailsrv/Containerfile
+++ b/src/mailsrv/Containerfile
@ -10,7 +10,7 @@ LABEL deployopts="\
 -p 587:587 \
 -p 143:143 \
 -p 993:993 \
-v /srv/vol/mailsrv/etc:/vol/etc \
+-v /srv/vol/mailsrv/data:/vol/data \
 -v /srv/vol/mailsrv/mail:/vol/mail \
 -v /srv/vol/mailsrv/ssl:/vol/ssl:ro"

--- a/src/mailsrv/assets/bin/mkvirt
+++ b/src/mailsrv/assets/bin/mkvirt
@ -6,24 +6,24 @@ set -e
 ### Users ###

 # copy users db to dovecot config
-cp /vol/etc/users /etc/dovecot/users
+cp /vol/data/users /etc/dovecot/users
 chown dovecot:dovecot /etc/dovecot/users

 # copy users db to postfix config, but without passwords
-cat /vol/etc/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > /etc/postfix/users
+cat /vol/data/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > /etc/postfix/users
 postmap /etc/postfix/users

 ### Aliases ###

 # copy aliases to postifx config
 cd /etc/postfix
-cat /vol/etc/aliases.d/*.list > aliases
+cat /vol/data/aliases.d/*.list > aliases
 postmap aliases

 ### Sieve ###

 # copy users sieve to mail
-cd /vol/etc/sieve.d
+cd /vol/data/sieve.d
 for user in * ; do
  mkdir -p /vol/mail/${user}
  chown vmail:vmail /vol/mail/${user}
--- a/src/minecraft_be/Containerfile
+++ b/src/minecraft_be/Containerfile
@ -37,7 +37,8 @@ WORKDIR /home/mcadmin
 # download Minecraft Bedrock dedicated server
 RUN url=$(wget -q https://www.minecraft.net/en-us/download/server/bedrock/ -O - | grep -Eo 'https://[^ ]+bin-linux/bedrock-server-[^ ]+\.zip' | head -n 1) && \
    wget $url && \
-    unzip $(basename $url) && \
+    echo "Unzipping ..." && \
+    unzip -q $(basename $url) && \
    rm $(basename $url) && \
    chown -R mcadmin:mcadmin ./

--- a/src/nextcloud/Containerfile
+++ b/src/nextcloud/Containerfile
@ -6,24 +6,17 @@ FROM localhost/debian
 # deploy options
 # -p (port) and -v (volume) both go host:container
 LABEL deployopts="\
+--cap-add SYS_ADMIN \
 -p 9080:80 \
 -v /srv/vol/nextcloud/files:/vol/files \
 -v /srv/vol/nextcloud/data:/vol/data"

 # Build Variables
-# versions of php and postgres
-ARG phpv=7.3
-ARG psqlv=11
 # uid that the files owner user should have
 ARG FILESUID=5000
-
-# Environment Variables
 # database name and user
 ENV DBUSER=ncadmin
 ENV DBNAME=nextcloud
-# put environment variables in /etc/environment so we can access them from cron scripts
-RUN echo "DBUSER=$DBUSER" >> /etc/environment && \
-    echo "DBNAME=$DBNAME" >> /etc/environment

 ###
 ### General Setup
@ -34,37 +27,56 @@ RUN apt update -y && apt install -y apache2 php-fpm php-gd php-zip \
    php-pgsql php-curl php-mbstring php-intl php-imagick php-xml \
    php-json redis php-redis postgresql postgresql-doc php-ldap

+
+# put database variables in /etc/environment so anyone can access them
+# also autodetect versions of php and postgres and put them in /etc/environment as well
+RUN echo "DBUSER=$DBUSER" >> /etc/environment && \
+    echo "DBNAME=$DBNAME" >> /etc/environment && \
+    echo "PSQLV=$(psql -V | cut -d ' ' -f 3 | cut -d '.' -f 1)" >> /etc/environment && \
+    echo "PHPV=$(echo $(php -r 'echo PHP_VERSION;') | cut -d '.' -f 1-2)" >> /etc/environment
+
 # change www-data's UID to the file owner UID
 RUN usermod --uid $FILESUID www-data && \
    groupmod --gid $FILESUID www-data && \
-    chown -R www-data:www-data /var/www /vol
+    chown -R www-data:www-data /var/www

 # copy our custom scripts
 COPY assets/bin/ /usr/local/bin/

+###
+### PHP
+###
+
+# enable PHP interpreter
+RUN systemctl enable php${PHPV:?}-fpm
+
+# copy php configuration
+COPY assets/php/ php/
+RUN mv php/php.ini /etc/php/${PHPV:?}/fpm/ && \
+    mv php/www.conf /etc/php/${PHPV:?}/fpm/pool.d/ && \
+    rmdir php
+
+###
+### PostgreSQL ###
+###
+
+# configure PostgreSQL access
+COPY --chown=postgres:postgres assets/pg_hba.conf ./
+RUN mv pg_hba.conf /etc/postgresql/${PSQLV:?}/main/
+
 ###
 ### Apache
 ###

 # enable modules we need
-RUN a2enmod rewrite headers env dir mime proxy_fcgi && a2enconf php${phpv}-fpm
+RUN a2enmod rewrite headers env dir mime proxy_fcgi && \
+    a2enconf php${PHPV:?}-fpm

 # copy site config
 COPY assets/apache/nextcloud.conf /etc/apache2/sites-available/
 WORKDIR /etc/apache2/sites-enabled
 RUN rm 000-default.conf && ln -s ../sites-available/nextcloud.conf

-###
-### PHP
-###
-
-# enable PHP interpreter
-RUN systemctl enable php${phpv}-fpm
-
-# copy php configuration
-COPY assets/php/php.ini /etc/php/${phpv}/fpm/
-COPY assets/php/www.conf /etc/php/${phpv}/fpm/pool.d/
-
 ###
 ### Redis
 ###
@ -75,13 +87,6 @@ COPY --chown=redis:redis assets/redis.conf /etc/redis/redis.conf
 # add www-data to redis group so it can use the socket
 RUN usermod -a -G redis www-data

-###
-### PostgreSQL ###
-###
-
-# configure PostgreSQL access
-COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${psqlv}/main/pg_hba.conf
-
 ###
 ### Nextcloud
 ###
@ -107,3 +112,12 @@ COPY --chown=www-data:www-data assets/my.config.php nextcloud/config/
 COPY assets/crontab /root/
 # crontab for www-data
 RUN crontab -u www-data /root/crontab
+
+###
+### Bugfix
+###
+
+# push the fixed systemd file for redis
+COPY bugfix/redis.service /etc/systemd/system/redis.service
+
+COPY bugfix/apache2.override /etc/systemd/system/apache2.service.d/override.conf
--- a/src/nextcloud/assets/bin/maint
+++ b/src/nextcloud/assets/bin/maint
@ -1,7 +1,7 @@
 #!/bin/bash

 # load environment variables
-source /etc/environment
+. /etc/environment

 hour=$(date +%H)
 day=$(date +%d)
--- a/src/nextcloud/assets/bin/nc-adduser
+++ b/src/nextcloud/assets/bin/nc-adduser
@ -9,13 +9,7 @@ set -e

 nc-occ user:add "$1"

-nc-occ maintenance:mode --on
-
 mkdir -p /vol/files/"$1"
 chown www-data:www-data /vol/files/"$1"

-rsync -vaSH /srv/nextcloud/data/"$1"/files/ /vol/files/"$1"/
-rm -r /srv/nextcloud/data/"$1"/files
-ln -s /vol/files/"$1" /srv/nextcloud/data/"$1"/files
-
-nc-occ maintenance:mode --off
+nc-mntuser "$1"
--- a/src/nextcloud/assets/bin/nc-mntuser
+++ b/src/nextcloud/assets/bin/nc-mntuser
@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [[ -z $1 ]]; then
+        echo "Usage: $0 user"
+        exit 2
+fi
+
+intdir=/srv/nextcloud/data
+extdir=/vol/files
+
+set -e
+
+nc-occ maintenance:mode --on
+
+mkdir -p $intdir/$user/files
+chown -R www-data:www-data $intdir/$user
+echo "$extdir/$user $intdir/$user/files none defaults,bind 0 0" >> /etc/fstab
+mount -a
+
+nc-occ maintenance:mode --off
--- a/src/nextcloud/bugfix/apache2.override
+++ b/src/nextcloud/bugfix/apache2.override
@ -0,0 +1,2 @@
+[Service]
+PrivateTmp=false
--- a/src/nextcloud/bugfix/redis.service
+++ b/src/nextcloud/bugfix/redis.service
@ -0,0 +1,46 @@
+[Unit]
+Description=Advanced key-value store
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
+ExecStop=/bin/kill -s TERM $MAINPID
+PIDFile=/run/redis/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User=redis
+Group=redis
+RuntimeDirectory=redis
+RuntimeDirectoryMode=2755
+
+UMask=007
+#PrivateTmp=yes
+LimitNOFILE=65535
+#PrivateDevices=yes
+#ProtectHome=yes
+#ReadOnlyDirectories=/
+#ReadWritePaths=-/var/lib/redis
+#ReadWritePaths=-/var/log/redis
+#ReadWritePaths=-/var/run/redis
+
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+#ProtectKernelModules=true
+#ProtectKernelTunables=true
+#ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# redis-server can write to its own config file when in cluster mode so we
+# permit writing there by default. If you are not using this feature, it is
+# recommended that you replace the following lines with "ProtectSystem=full".
+#ProtectSystem=true
+#ReadWritePaths=-/etc/redis
+
+[Install]
+WantedBy=multi-user.target
+Alias=redis.service
--- a/src/samba/Containerfile
+++ b/src/samba/Containerfile
@ -7,11 +7,9 @@ FROM localhost/debian:latest
 # -p (port) and -v (volume) both go host:container
 LABEL deployopts="\
 -p 9045:445 \
-v /tank/files/db/samba:/vol/db \
-v /tank/files/media:/vol/media \
-v /tank/files/user:/vol/user"
-# make sure mount directories exist
-RUN mkdir -p /vol/db /vol/media /vol/user
+-v /srv/vol/samba/data:/vol/data \
+-v /srv/vol/samba/media:/vol/media \
+-v /srv/vol/samba/files:/vol/files"

 # uid that the files owner user should have
 ARG FILESUID=5000
@ -27,7 +25,7 @@ RUN apt update -y && apt install -y samba
 RUN addgroup --gid $FILESUID files && \
    adduser files --ingroup files --uid $FILESUID --disabled-password --gecos "Files Owner" --shell /usr/sbin/nologin --no-create-home

-RUN chown -R files:files /vol
+RUN mkdir /vol && chown -R files:files /vol

 # copy our custom scripts
 COPY assets/bin/ /usr/local/bin/
@ -35,7 +33,7 @@ COPY assets/bin/ /usr/local/bin/
 RUN ls -A /home

 # replace home with symlink
-RUN cd / && rmdir home && ln -s /vol/user home
+RUN cd / && rmdir home && ln -s /vol/files home

 ###
 ### NMBD