Currently, we rely on Debian to pick a UID and GID for daemon users.
However, those numbers can change as software evolves over time, in
particular as the base distribution changes.
Because those IDs are relevant in the data volume, which has a lifetime
independent from the daemon container, it is important that they don't
change.
Other projects have run into this issue over the years too, this is not
a purely theoretical concern.
This patch fixes the UID/GIDs for the daemon users to their current
values, to prevent problems in the future.
See https://github.com/albertito/chasquid/pull/72 for further
discussion.
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Adjusted commit message, formatted RUN command line, changed the
dovecot group ID to match the previous value.
Using the "slim" version of the debian:stable image helps reduce size,
while having no impact on runtime usability or performance. The main
differences are around locale and manpages.
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Adjusted commit message.
Today, we launch dovecot in the background and chasquid in the
foreground using sudo.
This means that dovecot failures won't propagate, and signals to the
container (e.g. to stop it) also don't get propagated to dovecot
(because it's in the background) or chasquid (because they don't go
beyond the sudo process).
Thanks to [Guiorgy@github](https://github.com/Guiorgy) for identifying
the problem, proposing alternatives, help debugging, and discussing this
in https://github.com/albertito/chasquid/pull/70.
From the Dockerfile docs:
> Environment variable persistence can cause unexpected side effects.
> For example, setting ENV DEBIAN_FRONTEND=noninteractive changes the
> behavior of apt-get, and may confuse users of your image.
>
> If an environment variable is only needed during build, and not in the
> final image, consider setting a value for a single command instead.
So this patch adjusts the use of the DEBIAN_FRONTEND variable to match
the documented best practice.
https://github.com/albertito/chasquid/pull/68
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Adjusted commit message.
This patch fixes some Dockerfile style warnings:
- `WARN: FromAsCasing: 'as' and 'FROM' keywords' casing do not match`
- `LegacyKeyValueFormat: "ENV key=value" should be used instead of
legacy "ENV key value" format`
https://github.com/albertito/chasquid/pull/68
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Adjusted commit message.
When creating containers to run a single one-off command that alters a
volume, the `--rm` option is needed, otherwise that container is left
around and can cause confusion later on.
https://github.com/albertito/chasquid/pull/69
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Adjusted commit message.
When a single dovecot user exists and their password is being updated via
docker/add-user.sh, the `grep -v` command intended to remove the user's
old password will not match any lines and exit with error code 1, causing
the entire script to fail.
This patch fixes it by replacing the if-grep logic with a simpler sed
invocation.
https://github.com/albertito/chasquid/pull/43
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Minor edits to the commit message.
This patch extends docker/add-user.sh to support getting the email and
password from environment variables.
That way, docker/add-user.sh can be used in scripts.
https://github.com/albertito/chasquid/pull/43
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Minor edits to the commit message.
There is a bug causing an invalid config in the generated
/etc/dovecot/auto-ssl.conf, e.g.:
ssl_cert = </etc/letsencrypt/live//etc/letsencrypt/live/mail.grouplok.com/fullchain.pem
ssl_key = </etc/letsencrypt/live//etc/letsencrypt/live/mail.grouplok.com/privkey.pem
This patch fixes it by using the domain name instead of the path, which
matches the original intent.
https://github.com/albertito/chasquid/pull/42
Amended-by: Alberto Bertogli <albertito@blitiri.com.ar>
Minor edits to the commit message.
This patch updates the shell scripts with some of the common best
practices, which should make them more resilient to unusual failures and
unexpected environments (in particular, directories with spaces).
Most of these were identified by shellcheck.
Today, we do setfacl unconditionally; this can be a problem for
user-provided certificates because they may be located somewhere else.
This patch fixes the problem by only doing setfacl after renewing the
certificates.
Externally provided certificates will be untouched, and the user is
responsible for ensuring that chasquid can read them.
Thanks to Alex Ellwein (aellwein@github) for reporting this in
https://github.com/albertito/chasquid/issues/29!
The latest Debian stable images don't include the `setcap` binary by
default like they used to.
Our Docker build depends on it, so this patch makes the Dockerfile
install the libcap2-bin package (which contains the `setcap` binary).
In commit 5305d584 we fixed an issue with the way the Docker image
adds the "hostname" option to chasquid.conf.
Currently, the Docker entrypoint sets the "hostname" option in
chasquid.conf if it's missing.
That works fine, except when there is a configuration change and the
domain is removed. In that case, the hostname option will have a stale
value, forcing the user to re-create the container, which can be
cumbersome.
This patch fixes the issue by unconditionally setting the hostname
option to one of the available domains at the time of start up.
Thanks to Jaywann@github for finding and reporting this problem on
https://github.com/albertito/chasquid/issues/16, and suggesting an
alternative fix!
When the chasquid docker container is restarted, entrypoint.sh will add
the hostname again, even if it is present.
This causes chasquid to fail to start due to the duplicated option
(`non-repeated field "hostname" is repeated`).
Thanks to Jaywann@github for finding and reporting this problem, on
https://github.com/albertito/chasquid/issues/16.
This patch fixes the issue by only adding the option if it isn't already
present.
This patch adds a new docker directory, which contains a Dockerfile plus
some additional configuration for creating a container that runs
chasquid+dovecot+letsencrypt.
It also updates the gitlab CI pipeline to automatically build and
publish an image on each commit.
This is experimental and likely to break.
