From db4ab1d548ab2d0b0bbe620034a9a48563ebd642 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 3 May 2023 16:01:27 +1000 Subject: [PATCH 001/316] Verbose debugging of s6 scripts --- docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run | 2 ++ docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh | 2 ++ docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh | 2 ++ .../rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh | 2 ++ docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh | 2 ++ docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 7 ++++++- docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh | 2 ++ 7 files changed, 18 insertions(+), 1 deletion(-) diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run index e8ffa17c3..9fe0831df 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run @@ -2,6 +2,8 @@ # shellcheck shell=bash set -e +# verbose +set -x . /bin/common.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh index c5cf54355..1f290de1c 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh @@ -2,6 +2,8 @@ # shellcheck shell=bash set -e +# verbose +set -x log_info 'Configuring npmuser ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh index 2f59ef41a..12f6400e9 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh @@ -2,6 +2,8 @@ # shellcheck shell=bash set -e +# verbose +set -x log_info 'Checking paths ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh index 684166e13..41da358be 100755 
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh @@ -2,6 +2,8 @@ # shellcheck shell=bash set -e +# verbose +set -x log_info 'Setting ownership ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh index 0cb9f1264..d13fae7a8 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh @@ -2,6 +2,8 @@ # shellcheck shell=bash set -e +# verbose +set -x log_info 'Dynamic resolvers ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh index bc27eb145..3e583bfa4 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh @@ -1,8 +1,13 @@ -#!/bin/bash +#!/command/with-contenv bash +# shellcheck shell=bash # This command reads the `DISABLE_IPV6` env var and will either enable # or disable ipv6 in all nginx configs based on this setting. +set -e +# verbose +set -x + log_info 'IPv6 ...' # Lowercase diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh index faa22accb..1a7243820 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh @@ -2,6 +2,8 @@ # shellcheck shell=bash set -e +# verbose +set -x # in s6, environmental variables are written as text files for s6 to monitor # search through full-path filenames for files ending in "__FILE" From a1245bc16149fd487e21014b26fd2e28b88cc768 Mon Sep 17 00:00:00 2001 
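Review bot: Turning on `set -x` in 60-secrets.sh traces every expanded command to the service log, and the context comments show this script exists to find `__FILE` variables and act on the secret files they point at; if the body reads those file contents into variables or passes them to a command, the xtrace output will write the secret values into the container log. Wrap the part that touches file contents in `set +x` / `set -x`, or make the trace opt-in through an environment flag instead of enabling it unconditionally — the other six scripts in this patch receive the same two lines and would benefit from the same gate. The script body continues outside the hunk, so the exact exposure cannot be confirmed from here.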
From: Jamie Curnow Date: Thu, 4 May 2023 08:27:38 +1000 Subject: [PATCH 002/316] Split up ownership to indentify point of failure --- .../s6-rc.d/prepare/30-ownership.sh | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh index 41da358be..3c583ab3b 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh @@ -11,16 +11,16 @@ log_info 'Setting ownership ...' chown root /tmp/nginx # npmuser -chown -R "$PUID:$PGID" /data \ - /etc/letsencrypt \ - /run/nginx \ - /tmp/nginx \ - /var/cache/nginx \ - /var/lib/logrotate \ - /var/lib/nginx \ - /var/log/nginx +chown -R "$PUID:$PGID" /data +chown -R "$PUID:$PGID" /etc/letsencrypt +chown -R "$PUID:$PGID" /run/nginx +chown -R "$PUID:$PGID" /tmp/nginx +chown -R "$PUID:$PGID" /var/cache/nginx +chown -R "$PUID:$PGID" /var/lib/logrotate +chown -R "$PUID:$PGID" /var/lib/nginx +chown -R "$PUID:$PGID" /var/log/nginx # Don't chown entire /etc/nginx folder as this causes crashes on some systems -chown -R "$PUID:$PGID" /etc/nginx/nginx \ - /etc/nginx/nginx.conf \ - /etc/nginx/conf.d +chown -R "$PUID:$PGID" /etc/nginx/nginx +chown -R "$PUID:$PGID" /etc/nginx/nginx.conf +chown -R "$PUID:$PGID" /etc/nginx/conf.d From c432c34fb3117da32c04acd1ca7826e9d63e6c85 Mon Sep 17 00:00:00 2001 
From: Jamie Curnow Date: Thu, 4 May 2023 10:03:06 +1000 Subject: [PATCH 003/316] Small refactor of user/groups and add checks during startup. Only use -x in bash scripts when DEBUG=true set in env vars --- docker/rootfs/bin/common.sh | 12 ++++++ docker/rootfs/etc/nginx/nginx.conf | 2 +- .../rootfs/etc/s6-overlay/s6-rc.d/backend/run | 6 +-- .../etc/s6-overlay/s6-rc.d/frontend/run | 6 +-- .../rootfs/etc/s6-overlay/s6-rc.d/nginx/run | 2 +- .../etc/s6-overlay/s6-rc.d/prepare/00-all.sh | 6 ++- .../s6-overlay/s6-rc.d/prepare/10-npmuser.sh | 22 ---------- .../s6-rc.d/prepare/10-usergroup.sh | 40 +++++++++++++++++++ .../s6-overlay/s6-rc.d/prepare/20-paths.sh | 2 - .../s6-rc.d/prepare/30-ownership.sh | 4 +- .../s6-overlay/s6-rc.d/prepare/40-dynamic.sh | 2 - .../etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 4 +- .../s6-overlay/s6-rc.d/prepare/60-secrets.sh | 2 - .../s6-overlay/s6-rc.d/prepare/90-banner.sh | 5 ++- 14 files changed, 70 insertions(+), 45 deletions(-) delete mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh diff --git a/docker/rootfs/bin/common.sh b/docker/rootfs/bin/common.sh index 0bc6468d3..913dd3e17 100644 --- a/docker/rootfs/bin/common.sh +++ b/docker/rootfs/bin/common.sh @@ -12,6 +12,11 @@ export CYAN BLUE YELLOW RED RESET PUID=${PUID:-0} PGID=${PGID:-0} +NPMUSER=npm +NPMGROUP=npm +NPMHOME=/tmp/npmuserhome +export NPMUSER NPMGROUP NPMHOME + if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then # set group id to same as user id, # the user probably forgot to specify the group id and @@ -40,3 +45,10 @@ log_fatal () { /run/s6/basedir/bin/halt exit 1 } + +# param $1: group_name +get_group_id () { + if [ "${1:-}" != '' ]; then + getent group "$1" | cut -d: -f3 + fi +} diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf index c2ee97cce..826183378 100644 --- a/docker/rootfs/etc/nginx/nginx.conf +++ b/docker/rootfs/etc/nginx/nginx.conf 
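Review bot: `get_group_id` returns the exit status of `cut`, not `getent`, so a missing group and a failed lookup both produce an empty string with status 0; the callers in 10-usergroup.sh compare against `''` and depend on exactly that, which deserves a header comment such as `# Prints the numeric gid of group $1, or nothing if it does not exist (status is cut's, never getent's)`. Note also that `getent group` treats a numeric argument as a gid lookup, so the function should only be fed group names. `NPMUSER`/`NPMGROUP` are now exported for the scripts, but `nginx.conf` in this same commit still hard-codes the literal `npm`, so the two have to be kept in sync by hand; a comment next to each constant pointing at the other would make that dependency visible.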
@@ -1,7 +1,7 @@ # run nginx in foreground daemon off; pid /run/nginx/nginx.pid; -user npmuser; +user npm; # Set number of worker processes automatically based on number of CPU cores. worker_processes auto; diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run index 9fe0831df..f3209de73 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run @@ -12,12 +12,12 @@ cd /app || exit 1 log_info 'Starting backend ...' if [ "${DEVELOPMENT:-}" = 'true' ]; then - s6-setuidgid npmuser yarn install - exec s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js' + s6-setuidgid "$PUID:$PGID" yarn install + exec s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js" else while : do - s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --abort_on_uncaught_exception --max_old_space_size=250 index.js' + s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --abort_on_uncaught_exception --max_old_space_size=250 index.js" sleep 1 done fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run index 1181c53e4..e62f749ce 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run @@ -8,14 +8,14 @@ set -e if [ "$DEVELOPMENT" = 'true' ]; then . /bin/common.sh cd /app/frontend || exit 1 - HOME=/tmp/npmuserhome + HOME=$NPMHOME export HOME mkdir -p /app/frontend/dist chown -R "$PUID:$PGID" /app/frontend/dist log_info 'Starting frontend ...' - s6-setuidgid npmuser yarn install - exec s6-setuidgid npmuser yarn watch + s6-setuidgid "$PUID:$PGID" yarn install + exec s6-setuidgid "$PUID:$PGID" yarn watch else exit 0 fi 
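Review bot: The `bash -c` strings in backend/run moved from single to double quotes so that `$NPMHOME` is spliced into the command text that a second shell parses; `NPMHOME` is a fixed constant from common.sh today, but interpolating a variable into shell source is the pattern that becomes command injection the day the value becomes configurable. The nested shell is not needed to set the environment: `exec s6-setuidgid "$PUID:$PGID" env HOME="$NPMHOME" node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js` does the same without re-parsing, and the production loop body can take the same form. This also leaves `node` as the direct child of the supervisor rather than of an intermediate bash.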
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run index fa8c1fc50..b1bed7a44 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run @@ -6,4 +6,4 @@ set -e . /bin/common.sh log_info 'Starting nginx ...' -exec s6-setuidgid npmuser nginx +exec s6-setuidgid "$PUID:$PGID" nginx diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh index 1d5899e43..82fbefb1c 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh @@ -9,7 +9,11 @@ if [ "$(id -u)" != "0" ]; then log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization." fi -. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +if [ "$DEBUG" = "true" ]; then + set -x +fi + +. /etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh deleted file mode 100755 index 1f290de1c..000000000 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/command/with-contenv bash -# shellcheck shell=bash - -set -e -# verbose -set -x - -log_info 'Configuring npmuser ...' - -if id -u npmuser; then - # user already exists - usermod -u "$PUID" npmuser || exit 1 -else - # Add npmuser user - useradd -o -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1 -fi - -usermod -G "$PGID" npmuser || exit 1 -groupmod -o -g "$PGID" npmuser || exit 1 -# Home for npmuser -mkdir -p /tmp/npmuserhome -chown -R "$PUID:$PGID" /tmp/npmuserhome 
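Review bot: In 00-all.sh the `set -x` for `DEBUG=true` is switched on immediately before the prepare scripts are sourced, so 60-secrets.sh — the script that handles the `__FILE` secret references — runs with tracing on, and any secret value it expands will be written to the container log whenever debugging is enabled. Either bracket that one source with `set +x` and re-enable tracing afterwards under the same `if`, or add a comment at the `set -x` stating that DEBUG output may contain secret values so operators do not share those logs. For consistency with `${DEVELOPMENT:-}` in backend/run, `"${DEBUG:-}"` would also keep this test safe under a future `set -u`. The chain of sourced scripts continues past the hunk.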
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh new file mode 100755 index 000000000..ea1001938 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh @@ -0,0 +1,40 @@ +#!/command/with-contenv bash +# shellcheck shell=bash + +set -e + +log_info "Configuring $NPMUSER user ..." + +if id -u "$NPMUSER" 2>/dev/null; then + # user already exists + usermod -u "$PUID" "$NPMUSER" +else + # Add user + useradd -o -u "$PUID" -U -d "$NPMHOME" -s /bin/false "$NPMUSER" +fi + +log_info "Configuring $NPMGROUP group ..." +if [ "$(get_group_id "$NPMGROUP")" = '' ]; then + # Add group. This will not set the id properly if it's already taken + groupadd -f -g "$PGID" "$NPMGROUP" +else + groupmod -o -g "$PGID" "$NPMGROUP" +fi + +# Set the group ID and check it +groupmod -o -g "$PGID" "$NPMGROUP" +if [ "$(get_group_id "$NPMGROUP")" != "$PGID" ]; then + echo "ERROR: Unable to set group id properly" + exit 1 +fi + +# Set the group against the user and check it +usermod -G "$PGID" "$NPMGROUP" +if [ "$(id -g "$NPMUSER")" != "$PGID" ] ; then + echo "ERROR: Unable to set group against the user properly" + exit 1 +fi + +# Home for user +mkdir -p "$NPMHOME" +chown -R "$PUID:$PGID" "$NPMHOME" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh index 12f6400e9..2f59ef41a 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x log_info 'Checking paths ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh index 3c583ab3b..817c2c8e3 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh 
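Review bot: `usermod -G "$PGID" "$NPMGROUP"` passes the group name where usermod expects the login name; it only works because `NPMUSER` and `NPMGROUP` are both `npm` and will break the moment they diverge — it should read `usermod -G "$PGID" "$NPMUSER"`. Note also that `-G` sets supplementary groups while the check below uses `id -g`, which reports the primary group, so the check presumably passes because of the preceding `groupmod` rather than this command; confirm whether `usermod -g "$PGID" "$NPMUSER"` (primary group) is what was intended. The two `echo "ERROR: ..."` / `exit 1` pairs bypass `log_fatal` from common.sh, which 00-all.sh uses for the same situation and which also halts s6; `log_fatal "Unable to set group id properly"` keeps the failure path uniform. Finally, `id -u "$NPMUSER" 2>/dev/null` still prints the uid to stdout inside the `if`; `>/dev/null 2>&1` keeps the startup log clean.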
@@ -2,15 +2,13 @@ # shellcheck shell=bash set -e -# verbose -set -x log_info 'Setting ownership ...' # root chown root /tmp/nginx -# npmuser +# npm user and group chown -R "$PUID:$PGID" /data chown -R "$PUID:$PGID" /etc/letsencrypt chown -R "$PUID:$PGID" /run/nginx diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh index d13fae7a8..0cb9f1264 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x log_info 'Dynamic resolvers ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh index 3e583bfa4..76e9a6510 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh @@ -5,8 +5,6 @@ # or disable ipv6 in all nginx configs based on this setting. set -e -# verbose -set -x log_info 'IPv6 ...' @@ -33,7 +31,7 @@ process_folder () { sed -E -i "$SED_REGEX" "$FILE" done - # ensure the files are still owned by the npmuser + # ensure the files are still owned by the npm user chown -R "$PUID:$PGID" "$1" } diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh index 1a7243820..faa22accb 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x # in s6, environmental variables are written as text files for s6 to monitor # search through full-path filenames for files ending in "__FILE" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh index 7991ddf4f..48ba63923 100755 
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh @@ -2,6 +2,7 @@ # shellcheck shell=bash set -e +set +x echo " ------------------------------------- @@ -11,7 +12,7 @@ echo " | |\ | __/| | | | |_| \_|_| |_| |_| ------------------------------------- -User ID: $PUID -Group ID: $PGID +User: $NPMUSER PUID:$PUID ID:$(id -u "$NPMUSER") GROUP:$(id -g "$NPMUSER") +Group: $NPMGROUP PGID:$PGID ID:$(get_group_id "$NPMGROUP") ------------------------------------- " From c3735fdbbb0e9ccc8f8a64c3a1ed76efb5472157 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Thu, 4 May 2023 12:30:27 +1000 Subject: [PATCH 004/316] Missed a file that was explicit verbose --- docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run index f3209de73..197461691 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x . /bin/common.sh From 4f41fe0c953176dd0ce00b222389e85d5ca4d6c9 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Fri, 5 May 2023 08:46:54 +1000 Subject: [PATCH 005/316] Update s6-overlay --- docker/scripts/install-s6 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/scripts/install-s6 b/docker/scripts/install-s6 index 5a5a9c9c3..8a236d51d 100755 --- a/docker/scripts/install-s6 +++ b/docker/scripts/install-s6 @@ -8,7 +8,7 @@ BLUE='\E[1;34m' GREEN='\E[1;32m' RESET='\E[0m' -S6_OVERLAY_VERSION=3.1.4.1 +S6_OVERLAY_VERSION=3.1.4.2 TARGETPLATFORM=${1:unspecified} # Determine the correct binary file for the architecture given From ecf02902032e4bde9bd67b4db7327ec93ca0c152 Mon Sep 17 00:00:00 2001 
From: Jamie Curnow Date: Tue, 9 May 2023 08:15:44 +1000 Subject: [PATCH 006/316] Update s6-overlay --- docker/scripts/install-s6 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/scripts/install-s6 b/docker/scripts/install-s6 index 8a236d51d..0681aed94 100755 --- a/docker/scripts/install-s6 +++ b/docker/scripts/install-s6 @@ -8,7 +8,7 @@ BLUE='\E[1;34m' GREEN='\E[1;32m' RESET='\E[0m' -S6_OVERLAY_VERSION=3.1.4.2 +S6_OVERLAY_VERSION=3.1.5.0 TARGETPLATFORM=${1:unspecified} # Determine the correct binary file for the architecture given From c3f019c911f21a4fd446b377c7a7f4c45d092a60 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Tue, 9 May 2023 08:19:09 +1000 Subject: [PATCH 007/316] Test ipv6 disabled in ci --- docker/docker-compose.ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/docker-compose.ci.yml b/docker/docker-compose.ci.yml index 9f4edc00e..209d2d0e6 100644 --- a/docker/docker-compose.ci.yml +++ b/docker/docker-compose.ci.yml @@ -35,6 +35,7 @@ services: DB_SQLITE_FILE: '/data/mydb.sqlite' PUID: 1000 PGID: 1000 + DISABLE_IPV6: 'true' volumes: - npm_data:/data expose: From 4b6f9d9419b004a1f5734eea4b96231870623fa8 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 10 May 2023 09:57:24 +1000 Subject: [PATCH 008/316] Remove s6 service timeout --- docker/Dockerfile | 6 +++++- docker/dev/Dockerfile | 10 +++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 564f838af..b1cd31a26 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -10,9 +10,13 @@ ARG BUILD_VERSION ARG BUILD_COMMIT ARG BUILD_DATE +# See: https://github.com/just-containers/s6-overlay/blob/master/README.md ENV SUPPRESS_NO_CONFIG_WARNING=1 \ - S6_FIX_ATTRS_HIDDEN=1 \ S6_BEHAVIOUR_IF_STAGE2_FAILS=1 \ + S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \ + S6_FIX_ATTRS_HIDDEN=1 \ + S6_KILL_FINISH_MAXTIME=10000 \ + S6_VERBOSITY=1 \ NODE_ENV=production \ NPM_BUILD_VERSION="${BUILD_VERSION}" \ NPM_BUILD_COMMIT="${BUILD_COMMIT}" \ diff --git a/docker/dev/Dockerfile b/docker/dev/Dockerfile index 833f10034..749ac343c 100644 --- a/docker/dev/Dockerfile +++ b/docker/dev/Dockerfile @@ -1,9 +1,13 @@ FROM jc21/nginx-full:certbot-node LABEL maintainer="Jamie Curnow " -ENV S6_LOGGING=0 \ - SUPPRESS_NO_CONFIG_WARNING=1 \ - S6_FIX_ATTRS_HIDDEN=1 +# See: https://github.com/just-containers/s6-overlay/blob/master/README.md +ENV SUPPRESS_NO_CONFIG_WARNING=1 \ + S6_BEHAVIOUR_IF_STAGE2_FAILS=1 \ + S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \ + S6_FIX_ATTRS_HIDDEN=1 \ + S6_KILL_FINISH_MAXTIME=10000 \ + S6_VERBOSITY=2 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \ && apt-get update \ From 0127dc7f03b98ce5d53d3c1b56ce36a564491aca Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 10 May 2023 11:32:22 +1000 Subject: [PATCH 009/316] Bump version --- .version | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.version b/.version index c6436a853..5f4f65c85 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -2.10.2 +2.10.3 diff --git a/README.md b/README.md index eefa11eb9..95d6551a9 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@



- + From 05307aa253c073cf94237fc96d816ec2919f4d7f Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Wed, 10 May 2023 14:39:08 +1000 Subject: [PATCH 010/316] Fix certbot plugins install when using PUID/PGID --- backend/setup.js | 2 +- docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/backend/setup.js b/backend/setup.js index a805978ba..403c14e72 100644 --- a/backend/setup.js +++ b/backend/setup.js @@ -131,7 +131,7 @@ const setupCertbotPlugins = () => { }); if (plugins.length) { - const install_cmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir --user ' + plugins.join(' ') + ' && deactivate'; + const install_cmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + plugins.join(' ') + ' && deactivate'; promises.push(utils.exec(install_cmd)); } diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh index 817c2c8e3..a714298bb 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh @@ -22,3 +22,6 @@ chown -R "$PUID:$PGID" /var/log/nginx chown -R "$PUID:$PGID" /etc/nginx/nginx chown -R "$PUID:$PGID" /etc/nginx/nginx.conf chown -R "$PUID:$PGID" /etc/nginx/conf.d + +# Prevents errors when installing python certbot plugins when non-root +chown -R "$PUID:$PGID" /opt/certbot From 4c59400731b5bc432649d8a0f7aa2bffec79c634 Mon Sep 17 00:00:00 2001 From: Benjamin Hubert Date: Tue, 16 May 2023 21:46:26 +0200 Subject: [PATCH 011/316] added support for dns.he.net certbot plugin #2153 --- global/certbot-dns-plugins.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 8ac9ea817..042f674ca 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js 
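Review bot: `install_cmd` is still built by string concatenation and handed to `utils.exec`, with `plugins.join(' ')` spliced into a shell command line; if the plugin names come only from the static plugin table (their origin is not visible in this hunk) the construction is safe as written, but that invariant should be stated next to it, e.g. `// plugin names come from the fixed certbot-dns-plugins table, never from request input`, so a later change does not silently turn this into command injection. Dropping `--user` means the packages now install into the `/opt/certbot` virtualenv itself, which is the reason the companion hunk has to chown that tree; a comment saying so would tie the two changes together. The enclosing `setupCertbotPlugins` starts outside the hunk.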
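Review bot: `chown -R "$PUID:$PGID" /opt/certbot` hands the whole certbot virtualenv — interpreter, site-packages and everything pip installs into it — to the unprivileged service account. That is fine only if every later invocation of certbot also runs as that account; if any path still runs certbot as root (renewal hooks or a supervisor-level call, not visible here), code writable by the service user would execute with root privileges, so this is worth confirming and recording in the comment, e.g. `# the venv is now writable by $PUID; certbot must never be run as root after this`. Narrowing the chown to the directory pip actually writes to would reduce the exposure if the root-run case exists.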
@@ -286,6 +286,16 @@ dns_google_domains_zone = "example.com"`, full_plugin_name: 'dns-google-domains', }, //####################################################// + he: { + display_name: 'Hurricane Electric', + package_name: 'certbot-dns-he', + version_requirement: '~=1.0.0', + dependencies: '', + credentials: `dns_he_user = Me +dns_he_pass = my HE password`, + full_plugin_name: 'dns-he', + }, + //####################################################// hetzner: { display_name: 'Hetzner', package_name: 'certbot-dns-hetzner', From 847e879b3f3f8bce40ac00306603ea8d087a37b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Maa=C3=9F?= Date: Thu, 18 May 2023 13:44:52 +0200 Subject: [PATCH 012/316] Update certbot-dns-plugins.js Add dns wildcard certificate support for strato.de using the provided certbot plugin --- global/certbot-dns-plugins.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 8ac9ea817..0cda3fa3b 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -521,6 +521,19 @@ aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, full_plugin_name: 'dns-route53', }, //####################################################// + strato: { + display_name: 'Strato', + package_name: 'certbot-dns-strato', + version_requirement: '~=0.1.1', + dependencies: '', + credentials: `dns_strato_username = user +dns_strato_password = pass +# uncomment if domain name contains special characters +# insert domain display name as seen on your account page here +# dns_strato_domain_display_name = my-punicode-url.de`, + full_plugin_name: 'dns-strato', + }, + //####################################################// transip: { display_name: 'TransIP', package_name: 'certbot-dns-transip', From 53d61bd626bd5fb7cc787f7645a374824cf36eee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Felix=20Maa=C3=9F?= Date: Thu, 18 May 2023 14:14:38 +0200 Subject: [PATCH 013/316] Try to fix linter error in certbot plugin definitions. --- global/certbot-dns-plugins.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js index 0cda3fa3b..91555898d 100644 --- a/global/certbot-dns-plugins.js +++ b/global/certbot-dns-plugins.js @@ -531,7 +531,7 @@ dns_strato_password = pass # uncomment if domain name contains special characters # insert domain display name as seen on your account page here # dns_strato_domain_display_name = my-punicode-url.de`, - full_plugin_name: 'dns-strato', + full_plugin_name: 'dns-strato', }, //####################################################// transip: { From 81054631f9e42a4146e5f09fa1d98a72730f1167 Mon Sep 17 00:00:00 2001 From: nietzscheanic <101259812+nietzscheanic@users.noreply.github.com> Date: Fri, 19 May 2023 14:13:29 +0200 Subject: [PATCH 014/316] Fix for ignored ssl_protocols and ssl_ciphers directive in conf.d/include/ssl-ciphers.conf nginx only uses the `ssl_protocols` directive in the `server{}` block of the first processed host config, which is the default config in `/etc/nginx/conf.d/default.conf`. in version `v2.9.20` the default ssl site was dropped by using `ssl_reject_handshake on` in the default host config. but beside the include of `conf.d/include/ssl-ciphers.conf` was removed from the default host config. that's why `tlsv1.3` isn't applied by default anymore, same thing with the defined cipher suites. npm is so broken since `2023-03-16`. commit that broke the config -> https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a7f0c3b730678ae4352ade2829d891a3ce3cd3bc --- docker/rootfs/etc/nginx/conf.d/default.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/rootfs/etc/nginx/conf.d/default.conf b/docker/rootfs/etc/nginx/conf.d/default.conf index 3368250ef..e4262e1dc 100644 
--- a/docker/rootfs/etc/nginx/conf.d/default.conf +++ b/docker/rootfs/etc/nginx/conf.d/default.conf @@ -32,6 +32,7 @@ server { server_name localhost; access_log /data/logs/fallback_access.log standard; error_log /dev/null crit; + include conf.d/include/ssl-ciphers.conf; ssl_reject_handshake on; return 444; From 2dd4434ceb976d429e164f78d5941e08ffa2d802 Mon Sep 17 00:00:00 2001 From: Will Rouesnel Date: Mon, 22 May 2023 11:59:50 +1000 Subject: [PATCH 015/316] Add support for nginx 444 default response The default nginx 444 response drops the inbound connection without sending any response to the client. --- backend/templates/default.conf | 6 ++++++ frontend/js/app/settings/default-site/main.ejs | 4 ++++ frontend/js/i18n/messages.json | 1 + 3 files changed, 11 insertions(+) diff --git a/backend/templates/default.conf b/backend/templates/default.conf index ec68530ca..cc590f9d8 100644 --- a/backend/templates/default.conf +++ b/backend/templates/default.conf @@ -24,6 +24,12 @@ server { } {% endif %} +{%- if value == "444" %} + location / { + return 444; + } +{% endif %} + {%- if value == "redirect" %} location / { return 301 {{ meta.redirect }}; diff --git a/frontend/js/app/settings/default-site/main.ejs b/frontend/js/app/settings/default-site/main.ejs index 126c9d0ac..f1c4ccf62 100644 --- a/frontend/js/app/settings/default-site/main.ejs +++ b/frontend/js/app/settings/default-site/main.ejs @@ -18,6 +18,10 @@ >
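Review bot: The new `include conf.d/include/ssl-ciphers.conf;` line carries no explanation, and the reason it must live in the fallback server — nginx applies the default server's `ssl_protocols`/`ssl_ciphers` to the whole listen socket, as the commit message explains — is exactly the knowledge that was lost when this block was last tidied, which is how the regression happened. Add a comment above it, e.g. `# nginx takes ssl_protocols/ssl_ciphers for this listen socket from the default server; keep this include here even though handshakes are rejected`. The `server { ... }` block starts outside the hunk.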

<%- i18n('settings', 'default-site-404') %>
+