Transitions the Docker image to use s6 and s6-overlay for process supervision instead of supervisord (#8886)

.dockerignore

@@ -26,3 +26,5 @@
 ./dist
 ./scripts
 ./resources
+# Other stuff
+**/*.drawio.png

.github/workflows/ci.yml

@@ -131,7 +131,7 @@ jobs:
       -
         name: Configure ImageMagick
         run: |
-          sudo cp docker/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml
+          sudo cp docker/rootfs/etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml
       -
         name: Install Python dependencies
         run: |

.ruff.toml

@@ -76,8 +76,12 @@ ignore = ["DJ001", "SIM105", "RUF012"]
 "src/paperless_tesseract/tests/test_parser.py" = ["RUF001", "PTH"]  # TODO PTH Enable & remove
 "src/paperless_tika/tests/test_live_tika.py" = ["PTH"]  # TODO Enable & remove
 "src/paperless_tika/tests/test_tika_parser.py" = ["PTH"]  # TODO Enable & remove
+# Testing
 "*/tests/*.py" = ["E501", "SIM117"]
+# Migrations
 "*/migrations/*.py" = ["E501", "SIM", "T201"]
+# Docker specific
+"docker/rootfs/usr/local/bin/wait-for-redis.py" = ["INP001", "T201"]
 
 [lint.isort]
 force-single-line = true

Dockerfile

@@ -43,11 +43,66 @@ RUN set -eux \
   && echo "Generating requirement.txt" \
     && pipenv requirements > requirements.txt
 
+# Stage: s6-overlay-base
+# Purpose: Installs s6-overlay and rootfs
+# Comments:
+#  - Don't leave anything extra in here either
+FROM docker.io/python:3.12-slim-bookworm AS s6-overlay-base
+
+WORKDIR /usr/src/s6
+
+# https://github.com/just-containers/s6-overlay#customizing-s6-overlay-behaviour
+ENV \
+    S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
+    S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \
+    S6_VERBOSITY=1 \
+    PATH=/command:$PATH
+
+# Buildx provided, must be defined to use though
+ARG TARGETARCH
+ARG TARGETVARIANT
+# Lock this version
+ARG S6_OVERLAY_VERSION=3.2.0.2
+
+ARG S6_BUILD_TIME_PKGS="curl \
+                        xz-utils"
+
+RUN set -eux \
+    && echo "Installing build time packages" \
+      && apt-get update \
+      && apt-get install --yes --quiet --no-install-recommends ${S6_BUILD_TIME_PKGS} \
+    && echo "Determining arch" \
+      && S6_ARCH="" \
+      && if [ "${TARGETARCH}${TARGETVARIANT}" = "amd64" ]; then S6_ARCH="x86_64"; \
+      elif [ "${TARGETARCH}${TARGETVARIANT}" = "arm64" ]; then S6_ARCH="aarch64"; fi\
+      && if [ -z "${S6_ARCH}" ]; then { echo "Error: Not able to determine arch"; exit 1; }; fi \
+    && echo "Installing s6-overlay for ${S6_ARCH}" \
+      && curl --fail --silent --no-progress-meter --show-error --location --remote-name-all --parallel --parallel-max 4 \
+        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz" \
+        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz.sha256" \
+        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz" \
+        "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz.sha256" \
+      && echo "Validating s6-archive checksums" \
+        && sha256sum --check ./*.sha256 \
+      && echo "Unpacking archives" \
+        && tar --directory / -Jxpf s6-overlay-noarch.tar.xz \
+        && tar --directory / -Jxpf s6-overlay-${S6_ARCH}.tar.xz \
+      && echo "Removing downloaded archives" \
+        && rm ./*.tar.xz \
+        && rm ./*.sha256 \
+    && echo "Cleaning up image" \
+      && apt-get --yes purge ${S6_BUILD_TIME_PKGS} \
+      && apt-get --yes autoremove --purge \
+      && rm -rf /var/lib/apt/lists/*
+
+# Copy our service defs and filesystem
+COPY ./docker/rootfs /
+
 # Stage: main-app
 # Purpose: The final image
 # Comments:
 #  - Don't leave anything extra in here
-FROM docker.io/python:3.12-slim-bookworm AS main-app
+FROM s6-overlay-base AS main-app
 
 LABEL org.opencontainers.image.authors="paperless-ngx team <hello@paperless-ngx.com>"
 LABEL org.opencontainers.image.documentation="https://docs.paperless-ngx.com/"
@@ -143,64 +198,23 @@ RUN set -eux \
         && dpkg --install ./ghostscript_${GS_VERSION}.dfsg-1_${TARGETARCH}.deb \
       && echo "Installing jbig2enc" \
         && dpkg --install ./jbig2enc_${JBIG2ENC_VERSION}-1_${TARGETARCH}.deb \
+      && echo "Configuring imagemagick" \
+        && cp /etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml \
       && echo "Cleaning up image layer" \
         && rm --force --verbose *.deb \
-    && rm --recursive --force --verbose /var/lib/apt/lists/* \
-  && echo "Installing supervisor" \
-    && python3 -m pip install --default-timeout=1000 --upgrade --no-cache-dir supervisor==4.2.5
+    && rm --recursive --force --verbose /var/lib/apt/lists/*
 
 # Copy gunicorn config
 # Changes very infrequently
 WORKDIR /usr/src/paperless/
 
-COPY gunicorn.conf.py .
-
-# setup docker-specific things
-# These change sometimes, but rarely
-WORKDIR /usr/src/paperless/src/docker/
-
-COPY [ \
-  "docker/imagemagick-policy.xml", \
-  "docker/supervisord.conf", \
-  "docker/docker-entrypoint.sh", \
-  "docker/docker-prepare.sh", \
-  "docker/paperless_cmd.sh", \
-  "docker/wait-for-redis.py", \
-  "docker/env-from-file.sh", \
-  "docker/management_script.sh", \
-  "docker/flower-conditional.sh", \
-  "docker/install_management_commands.sh", \
-  "/usr/src/paperless/src/docker/" \
-]
-
-RUN set -eux \
-  && echo "Configuring ImageMagick" \
-    && mv imagemagick-policy.xml /etc/ImageMagick-6/policy.xml \
-  && echo "Configuring supervisord" \
-    && mkdir /var/log/supervisord /var/run/supervisord \
-    && mv supervisord.conf /etc/supervisord.conf \
-  && echo "Setting up Docker scripts" \
-    && mv docker-entrypoint.sh /sbin/docker-entrypoint.sh \
-    && chmod 755 /sbin/docker-entrypoint.sh \
-    && mv docker-prepare.sh /sbin/docker-prepare.sh \
-    && chmod 755 /sbin/docker-prepare.sh \
-    && mv wait-for-redis.py /sbin/wait-for-redis.py \
-    && chmod 755 /sbin/wait-for-redis.py \
-    && mv env-from-file.sh /sbin/env-from-file.sh \
-    && chmod 755 /sbin/env-from-file.sh \
-    && mv paperless_cmd.sh /usr/local/bin/paperless_cmd.sh \
-    && chmod 755 /usr/local/bin/paperless_cmd.sh \
-    && mv flower-conditional.sh /usr/local/bin/flower-conditional.sh \
-    && chmod 755 /usr/local/bin/flower-conditional.sh \
-  && echo "Installing management commands" \
-    && chmod +x install_management_commands.sh \
-    && ./install_management_commands.sh
+COPY --chown=1000:1000 gunicorn.conf.py /usr/src/paperless/gunicorn.conf.py
 
 WORKDIR /usr/src/paperless/src/
 
 # Python dependencies
 # Change pretty frequently
-COPY --from=pipenv-base /usr/src/pipenv/requirements.txt ./
+COPY --chown=1000:1000 --from=pipenv-base /usr/src/pipenv/requirements.txt ./
 
 # Packages needed only for building a few quick Python
 # dependencies
@@ -222,7 +236,7 @@ RUN --mount=type=cache,target=/root/.cache/pip/,id=pip-cache \
   && echo "Installing build system packages" \
     && apt-get update \
     && apt-get install --yes --quiet --no-install-recommends ${BUILD_PACKAGES} \
-    && python3 -m pip install --no-cache-dir --upgrade wheel \
+    && python3 -m pip install --upgrade wheel \
   && echo "Installing Python requirements" \
     && curl --fail --silent --no-progress-meter --show-error --location --remote-name-all --parallel --parallel-max 4 \
       https://github.com/paperless-ngx/builder/releases/download/psycopg-${PSYCOPG_VERSION}/psycopg_c-${PSYCOPG_VERSION}-cp312-cp312-linux_x86_64.whl \
@@ -267,18 +281,16 @@ RUN set -eux \
   && echo "Adjusting all permissions" \
     && chown --from root:root --changes --recursive paperless:paperless /usr/src/paperless \
   && echo "Collecting static files" \
-    && gosu paperless python3 manage.py collectstatic --clear --no-input --link \
-    && gosu paperless python3 manage.py compilemessages
+    && s6-setuidgid paperless python3 manage.py collectstatic --clear --no-input --link \
+    && s6-setuidgid paperless python3 manage.py compilemessages
 
 VOLUME ["/usr/src/paperless/data", \
         "/usr/src/paperless/media", \
         "/usr/src/paperless/consume", \
         "/usr/src/paperless/export"]
 
-ENTRYPOINT ["/sbin/docker-entrypoint.sh"]
+ENTRYPOINT ["/init"]
 
 EXPOSE 8000
 
-CMD ["/usr/local/bin/paperless_cmd.sh"]
-
 HEALTHCHECK --interval=30s --timeout=10s --retries=5 CMD [ "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000" ]

docker/docker-prepare.sh

@@ -1,120 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-wait_for_postgres() {
-	local attempt_num=1
-	local -r max_attempts=5
-
-	echo "Waiting for PostgreSQL to start..."
-
-	local -r host="${PAPERLESS_DBHOST:-localhost}"
-	local -r port="${PAPERLESS_DBPORT:-5432}"
-
-	# Disable warning, host and port can't have spaces
-	# shellcheck disable=SC2086
-	while [ ! "$(pg_isready --host ${host} --port ${port})" ]; do
-
-		if [ $attempt_num -eq $max_attempts ]; then
-			echo "Unable to connect to database."
-			exit 1
-		else
-			echo "Attempt $attempt_num failed! Trying again in 5 seconds..."
-		fi
-
-		attempt_num=$(("$attempt_num" + 1))
-		sleep 5
-	done
-	echo "Connected to PostgreSQL"
-}
-
-wait_for_mariadb() {
-	echo "Waiting for MariaDB to start..."
-
-	local -r host="${PAPERLESS_DBHOST:=localhost}"
-	local -r port="${PAPERLESS_DBPORT:=3306}"
-
-	local attempt_num=1
-	local -r max_attempts=5
-
-	# Disable warning, host and port can't have spaces
-	# shellcheck disable=SC2086
-	while ! true > /dev/tcp/$host/$port; do
-
-		if [ $attempt_num -eq $max_attempts ]; then
-			echo "Unable to connect to database."
-			exit 1
-		else
-			echo "Attempt $attempt_num failed! Trying again in 5 seconds..."
-
-		fi
-
-		attempt_num=$(("$attempt_num" + 1))
-		sleep 5
-	done
-	echo "Connected to MariaDB"
-}
-
-wait_for_redis() {
-	# We use a Python script to send the Redis ping
-	# instead of installing redis-tools just for 1 thing
-	if ! python3 /sbin/wait-for-redis.py; then
-		exit 1
-	fi
-}
-
-migrations() {
-	(
-		# flock is in place to prevent multiple containers from doing migrations
-		# simultaneously. This also ensures that the db is ready when the command
-		# of the current container starts.
-		flock 200
-		echo "Apply database migrations..."
-		python3 manage.py migrate --skip-checks --no-input
-	) 200>"${DATA_DIR}/migration_lock"
-}
-
-django_checks() {
-	# Explicitly run the Django system checks
-	echo "Running Django checks"
-	python3 manage.py check
-}
-
-search_index() {
-
-	local -r index_version=9
-	local -r index_version_file=${DATA_DIR}/.index_version
-
-	if [[ (! -f "${index_version_file}") || $(<"${index_version_file}") != "$index_version" ]]; then
-		echo "Search index out of date. Updating..."
-		python3 manage.py document_index reindex --no-progress-bar
-		echo ${index_version} | tee "${index_version_file}" >/dev/null
-	fi
-}
-
-superuser() {
-	if [[ -n "${PAPERLESS_ADMIN_USER}" ]]; then
-		python3 manage.py manage_superuser
-	fi
-}
-
-do_work() {
-	if [[ "${PAPERLESS_DBENGINE}" == "mariadb" ]]; then
-		wait_for_mariadb
-	elif [[ -n "${PAPERLESS_DBHOST}" ]]; then
-		wait_for_postgres
-	fi
-
-	wait_for_redis
-
-	migrations
-
-	django_checks
-
-	search_index
-
-	superuser
-
-}
-
-do_work

docker/env-from-file.sh

@@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-
-# Scans the environment variables for those with the suffix _FILE
-# When located, checks the file exists, and exports the contents
-# of the file as the same name, minus the suffix
-# This allows the use of Docker secrets or mounted files
-# to fill in any of the settings configurable via environment
-# variables
-
-set -eu
-
-for line in $(printenv)
-do
-	# Extract the name of the environment variable
-	env_name=${line%%=*}
-	# Check if it starts with "PAPERLESS_" and ends in "_FILE"
-	if [[ ${env_name} == PAPERLESS_*_FILE ]]; then
-		# This should have been named different..
-		if [[ ${env_name} == "PAPERLESS_OCR_SKIP_ARCHIVE_FILE" || ${env_name} == "PAPERLESS_MODEL_FILE" ]]; then
-			continue
-		fi
-		# Extract the value of the environment
-		env_value=${line#*=}
-
-		# Check the file exists
-		if [[ -f ${env_value} ]]; then
-
-			# Trim off the _FILE suffix
-			non_file_env_name=${env_name%"_FILE"}
-			echo "Setting ${non_file_env_name} from file"
-
-			# Reads the value from th file
-			val="$(< "${!env_name}")"
-
-			# Sets the normal name to the read file contents
-			export "${non_file_env_name}"="${val}"
-
-		else
-			echo "File ${env_value} referenced by ${env_name} doesn't exist"
-		fi
-	fi
-done

docker/flower-conditional.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-echo "Checking if we should start flower..."
-
-if [[ -n  "${PAPERLESS_ENABLE_FLOWER}" ]]; then
-	# Small delay to allow celery to be up first
-	echo "Starting flower in 5s"
-	sleep 5
-	celery --app paperless flower --conf=/usr/src/paperless/src/paperless/flowerconfig.py
-else
-	echo "Not starting flower"
-fi

docker/install_management_commands.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+# Run this script to generate the management commands again (for example if a new command is create or the template is updated)
+
 set -eu
 
 for command in decrypt_documents \
@@ -19,6 +21,6 @@ for command in decrypt_documents \
 	prune_audit_logs;
 do
 	echo "installing $command..."
-	sed "s/management_command/$command/g" management_script.sh > /usr/local/bin/$command
-	chmod +x /usr/local/bin/$command
+	sed "s/management_command/$command/g" management_script.sh >"$PWD/rootfs/usr/local/bin/$command"
+	chmod +x "$PWD/rootfs/usr/local/bin/$command"
 done

docker/management_script.sh

@@ -1,17 +1,13 @@
-#!/usr/bin/env bash
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
 
 set -e
 
-cd /usr/src/paperless/src/
-# This ensures environment is setup
-# shellcheck disable=SC1091
-source /sbin/env-from-file.sh
+cd "${PAPERLESS_SRC_DIR}"
 
-if [[ $(id -u) == 0 ]] ;
-then
-	gosu paperless python3 manage.py management_command "$@"
-elif [[ $(id -un) == "paperless" ]] ;
-then
+if [[ $(id -u) == 0 ]]; then
+	s6-setuidgid paperless python3 manage.py management_command "$@"
+elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py management_command "$@"
 else
 	echo "Unknown user."

docker/paperless_cmd.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-SUPERVISORD_WORKING_DIR="${PAPERLESS_SUPERVISORD_WORKING_DIR:-$PWD}"
-rootless_args=()
-if [ "$(id -u)" == "$(id -u paperless)" ]; then
-	rootless_args=(
-		--user
-		paperless
-		--logfile
-		"${SUPERVISORD_WORKING_DIR}/supervisord.log"
-		--pidfile
-		"${SUPERVISORD_WORKING_DIR}/supervisord.pid"
-	)
-fi
-
-exec /usr/local/bin/supervisord -c /etc/supervisord.conf "${rootless_args[@]}"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-complete/run

@@ -0,0 +1,8 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+declare -r log_prefix="[init-complete]"
+declare -r end_time=$(date +%s)
+declare -r start_time=${PAPERLESS_START_TIME_S}
+
+echo "${log_prefix} paperless-ngx docker container init completed in $(($end_time-$start_time)) seconds"
+echo "${log_prefix} Starting services"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-complete/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-complete/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-complete/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-custom-init/run

@@ -0,0 +1,44 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[custom-init]"
+
+# Mostly borrowed from the LinuxServer.io base image
+# https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
+declare -r custom_script_dir="/custom-cont-init.d"
+
+# Tamper checking.
+# Don't run files which are owned by anyone except root
+# Don't run files which are writeable by others
+if [ -d "${custom_script_dir}" ]; then
+	if [ -n "$(/usr/bin/find "${custom_script_dir}" -maxdepth 1 ! -user root)" ]; then
+		echo "${log_prefix} **** Potential tampering with custom scripts detected ****"
+		echo "${log_prefix} **** The folder '${custom_script_dir}' must be owned by root ****"
+		exit 0
+	fi
+	if [ -n "$(/usr/bin/find "${custom_script_dir}" -maxdepth 1 -perm -o+w)" ]; then
+		echo "${log_prefix} **** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
+		echo "${log_prefix} **** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
+		exit 0
+	fi
+
+	# Make sure custom init directory has files in it
+	if [ -n "$(/bin/ls --almost-all "${custom_script_dir}" 2>/dev/null)" ]; then
+		echo "${log_prefix} files found in ${custom_script_dir} executing"
+		# Loop over files in the directory
+		for SCRIPT in "${custom_script_dir}"/*; do
+			NAME="$(basename "${SCRIPT}")"
+			if [ -f "${SCRIPT}" ]; then
+				echo "${log_prefix} ${NAME}: executing..."
+				/command/with-contenv /bin/bash "${SCRIPT}"
+				echo "${log_prefix} ${NAME}: exited $?"
+			elif [ ! -f "${SCRIPT}" ]; then
+				echo "${log_prefix} ${NAME}: is not a file"
+			fi
+		done
+	else
+		echo "${log_prefix} no custom files found exiting..."
+	fi
+else
+	echo "${log_prefix} ${custom_script_dir} doesn't exist, nothing to do"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-custom-init/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-custom-init/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-custom-init/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-env-file/run

@@ -0,0 +1,30 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[env-init]"
+
+echo "${log_prefix} Checking for environment from files"
+
+if find /run/s6/container_environment/*"_FILE" -maxdepth 1 > /dev/null 2>&1; then
+	for FILENAME in /run/s6/container_environment/*; do
+		if [[ "${FILENAME##*/}" == PAPERLESS_*_FILE ]]; then
+			# This should have been named different..
+			if [[ ${FILENAME} == "PAPERLESS_OCR_SKIP_ARCHIVE_FILE" || ${FILENAME} == "PAPERLESS_MODEL_FILE" ]]; then
+				continue
+			fi
+			SECRETFILE=$(cat "${FILENAME}")
+			# Check the file exists
+			if [[ -f ${SECRETFILE} ]]; then
+				# Trim off trailing _FILE
+				FILESTRIP=${FILENAME//_FILE/}
+				# Set environment variable
+				cat "${SECRETFILE}" > "${FILESTRIP}"
+				echo "${log_prefix} ${FILESTRIP##*/} set from ${FILENAME##*/}"
+			else
+				echo "${log_prefix} cannot find secret in ${FILENAME##*/}"
+			fi
+		fi
+	done
+else
+		echo "${log_prefix} No *_FILE environment found"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-env-file/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-env-file/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-env-file/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-folders/run

@@ -0,0 +1,33 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-folders]"
+
+declare -r export_dir="/usr/src/paperless/export"
+declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
+declare -r media_root_dir="${PAPERLESS_MEDIA_ROOT:-/usr/src/paperless/media}"
+declare -r consume_dir="${PAPERLESS_CONSUMPTION_DIR:-/usr/src/paperless/consume}"
+declare -r tmp_dir="${PAPERLESS_SCRATCH_DIR:=/tmp/paperless}"
+
+echo "${log_prefix} Checking for folder existence"
+
+for dir in \
+	"${export_dir}" \
+	"${data_dir}" "${data_dir}/index" \
+	"${media_root_dir}" "${media_root_dir}/documents" "${media_root_dir}/documents/originals" "${media_root_dir}/documents/thumbnails" \
+	"${consume_dir}" \
+	"${tmp_dir}"; do
+	if [[ ! -d "${dir}" ]]; then
+		mkdir --parents --verbose "${dir}"
+	fi
+done
+
+echo "${log_prefix} Adjusting file and folder permissions"
+for dir in \
+	"${export_dir}" \
+	"${data_dir}" \
+	"${media_root_dir}" \
+	"${consume_dir}" \
+	"${tmp_dir}"; do
+	find "${dir}" -not \( -user paperless -and -group paperless \) -exec chown --changes paperless:paperless {} +
+done

docker/rootfs/etc/s6-overlay/s6-rc.d/init-folders/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-folders/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-folders/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-migrations/run

@@ -0,0 +1,20 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+declare -r log_prefix="[init-migrations]"
+declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
+
+(
+	# flock is in place to prevent multiple containers from doing migrations
+	# simultaneously. This also ensures that the db is ready when the command
+	# of the current container starts.
+	flock 200
+	echo "${log_prefix} Apply database migrations..."
+	cd "${PAPERLESS_SRC_DIR}"
+
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		exec python3 manage.py migrate --skip-checks --no-input
+	else
+		exec s6-setuidgid paperless python3 manage.py migrate --skip-checks --no-input
+	fi
+
+) 200>"${data_dir}/migration_lock"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-migrations/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-migrations/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-migrations/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-modify-user/run

@@ -0,0 +1,22 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+declare -r log_prefix="[init-user]"
+
+declare -r usermap_original_uid=$(id -u paperless)
+declare -r usermap_original_gid=$(id -g paperless)
+declare -r usermap_new_uid=${USERMAP_UID:-$usermap_original_uid}
+declare -r usermap_new_gid=${USERMAP_GID:-${usermap_original_gid:-$usermap_new_uid}}
+
+if [[ ${usermap_new_uid} != "${usermap_original_uid}" ]]; then
+	echo "${log_prefix} Mapping UID for paperless to $usermap_new_uid"
+	usermod --non-unique --uid "${usermap_new_uid}" paperless
+else
+	echo "${log_prefix} No UID changes for paperless"
+fi
+
+if [[ ${usermap_new_gid} != "${usermap_original_gid}" ]]; then
+	echo "${log_prefix} Mapping GID for paperless to $usermap_new_gid"
+	groupmod --non-unique --gid "${usermap_new_gid}" paperless
+else
+	echo "${log_prefix} No GID changes for paperless"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-modify-user/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-modify-user/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-modify-user/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-search-index/run

@@ -0,0 +1,28 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-index]"
+
+declare -r index_version=9
+declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
+declare -r index_version_file="${data_dir}/.index_version"
+
+update_index () {
+	echo "${log_prefix} Search index out of date. Updating..."
+	cd "${PAPERLESS_SRC_DIR}"
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		python3 manage.py document_index reindex --no-progress-bar
+		echo ${index_version} | tee "${index_version_file}" > /dev/null
+	else
+		s6-setuidgid paperless python3 manage.py document_index reindex --no-progress-bar
+		echo ${index_version} | s6-setuidgid paperless tee "${index_version_file}" > /dev/null
+	fi
+}
+
+if [[ (! -f "${index_version_file}") ]]; then
+	echo "${log_prefix} No index version file found"
+	update_index
+elif [[ $(<"${index_version_file}") != "$index_version" ]]; then
+	echo "${log_prefix} index version updated"
+	update_index
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-search-index/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-search-index/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-search-index/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-start/run

@@ -0,0 +1,19 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-start]"
+
+echo "${log_prefix} paperless-ngx docker container starting..."
+
+# Set some directories into environment for other steps to access via environment
+# Sort of like variables for later
+printf "/usr/src/paperless/src" > /var/run/s6/container_environment/PAPERLESS_SRC_DIR
+echo $(date +%s) > /var/run/s6/container_environment/PAPERLESS_START_TIME_S
+
+# Check if we're starting as a non-root user
+if [ $(id -u) == $(id -u paperless) ]; then
+	printf "true" > /var/run/s6/container_environment/USER_IS_NON_ROOT
+	echo "${log_prefix}  paperless-ngx docker container running under a user"
+else
+	echo "${log_prefix}  paperless-ngx docker container starting init as root"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-start/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-start/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-start/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-superuser/run

@@ -0,0 +1,20 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-superuser]"
+
+if [[ -n "${PAPERLESS_ADMIN_USER}" ]]; then
+	echo "${log_prefix} Creating superuser..."
+	cd "${PAPERLESS_SRC_DIR}"
+
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		python3 manage.py manage_superuser
+	else
+		s6-setuidgid paperless python3 manage.py manage_superuser
+	fi
+
+	echo "${log_prefix} Superuser creation done"
+
+else
+	echo "${log_prefix} Not creating superuser"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-superuser/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-superuser/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-superuser/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-system-checks/run

@@ -0,0 +1,15 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-checks]"
+
+# Explicitly run the Django system checks
+echo "${log_prefix} Running Django checks"
+
+cd "${PAPERLESS_SRC_DIR}"
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py check
+else
+	s6-setuidgid paperless python3 manage.py check
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-system-checks/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-system-checks/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-system-checks/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-tesseract-langs/run

@@ -0,0 +1,65 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-tesseract-langs]"
+
+install_languages() {
+	echo "Installing languages..."
+
+	read -ra langs <<<"$1"
+
+	# Check that it is not empty
+	if [ ${#langs[@]} -eq 0 ]; then
+		return
+	fi
+
+	# Build list of packages to install
+	to_install=()
+	for lang in "${langs[@]}"; do
+		pkg="tesseract-ocr-$lang"
+
+		if dpkg --status "$pkg" &>/dev/null; then
+			echo "${log_prefix} Package $pkg already installed!"
+			continue
+		else
+			to_install+=("$pkg")
+		fi
+	done
+
+	# Use apt only when we install packages
+	if [ ${#to_install[@]} -gt 0 ]; then
+
+		# Warn the user if they're not root, but try anyway
+		if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+			echo "${log_prefix} ERROR: Unable to install language ${pkg} as non-root, startup may fail"
+		fi
+
+		apt-get --quiet update &>/dev/null
+
+		for pkg in "${to_install[@]}"; do
+			if ! apt-cache --quiet show "$pkg" &>/dev/null; then
+				echo "${log_prefix} Skipped $pkg: Package not found! :("
+				continue
+			fi
+			echo "${log_prefix} Installing package $pkg..."
+			if ! apt-get --quiet --assume-yes install "$pkg" &>/dev/null; then
+				echo "${log_prefix} Could not install $pkg"
+				exit 1
+			else
+				echo "${log_prefix} Installed $pkg"
+			fi
+		done
+
+	fi
+}
+
+echo "${log_prefix} Checking if additional teseract languages needed"
+
+# Install additional languages if specified
+if [[ -n "$PAPERLESS_OCR_LANGUAGES" ]]; then
+
+	install_languages "$PAPERLESS_OCR_LANGUAGES"
+	echo "${log_prefix} Additional packages installed"
+else
+	echo "${log_prefix} No additional installs requested"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-tesseract-langs/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-tesseract-langs/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-tesseract-langs/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-db/run

@@ -0,0 +1,70 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-db-wait]"
+
+wait_for_postgres() {
+	local attempt_num=1
+	local -r max_attempts=5
+
+	echo "${log_prefix} Waiting for PostgreSQL to start..."
+
+	local -r host="${PAPERLESS_DBHOST:-localhost}"
+	local -r port="${PAPERLESS_DBPORT:-5432}"
+	local -r user="${PAPERLESS_DBUSER:-paperless}"
+
+	# Disable warning, host and port can't have spaces
+	# shellcheck disable=SC2086
+	while [ ! "$(pg_isready -h ${host} -p ${port} --username ${user})" ]; do
+
+		if [ $attempt_num -eq $max_attempts ]; then
+			echo "${log_prefix} Unable to connect to database."
+			exit 1
+		else
+			echo "${log_prefix} Attempt $attempt_num failed! Trying again in 5 seconds..."
+		fi
+
+		attempt_num=$(("$attempt_num" + 1))
+		sleep 5
+	done
+	# Extra in case this is a first start
+	sleep 5
+	echo "Connected to PostgreSQL"
+}
+
+wait_for_mariadb() {
+	echo "${log_prefix} Waiting for MariaDB to start..."
+
+	local -r host="${PAPERLESS_DBHOST:=localhost}"
+	local -r port="${PAPERLESS_DBPORT:=3306}"
+
+	local attempt_num=1
+	local -r max_attempts=5
+
+	# Disable warning, host and port can't have spaces
+	# shellcheck disable=SC2086
+	while ! true > /dev/tcp/$host/$port; do
+
+		if [ $attempt_num -eq $max_attempts ]; then
+			echo "${log_prefix} Unable to connect to database."
+			exit 1
+		else
+			echo "${log_prefix} Attempt $attempt_num failed! Trying again in 5 seconds..."
+
+		fi
+
+		attempt_num=$(("$attempt_num" + 1))
+		sleep 5
+	done
+	echo "Connected to MariaDB"
+}
+
+if [[ "${PAPERLESS_DBENGINE}" == "mariadb" ]]; then
+	echo "${log_prefix} Waiting for MariaDB to report ready"
+	wait_for_mariadb
+elif [[ -n "${PAPERLESS_DBHOST}" ]]; then
+	echo "${log_prefix} Waiting for postgresql to report ready"
+	wait_for_postgres
+fi
+
+	echo "${log_prefix} Database is ready"

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-db/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-db/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-wait-for-db/run

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-redis/run

@@ -0,0 +1,14 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[init-redis-wait]"
+
+echo "${log_prefix} Waiting for Redis to report ready"
+
+# We use a Python script to send the Redis ping
+# instead of installing redis-tools just for 1 thing
+if ! python3 /usr/local/bin/wait-for-redis.py; then
+	exit 1
+else
+	echo "${log_prefix} Redis ready"
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-redis/type

@@ -0,0 +1 @@
+oneshot

docker/rootfs/etc/s6-overlay/s6-rc.d/init-wait-for-redis/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-wait-for-redis/run

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-consumer/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec python3 manage.py document_consumer
+else
+	exec s6-setuidgid paperless python3 manage.py document_consumer
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-consumer/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-flower/run

@@ -0,0 +1,24 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+declare -r log_prefix="[svc-flower]"
+
+echo "${log_prefix} Checking if we should start flower..."
+
+if [[ -n "${PAPERLESS_ENABLE_FLOWER}" ]]; then
+	# Small delay to allow celery to be up first
+	echo "${log_prefix} Starting flower in 5s"
+	sleep 5
+	cd ${PAPERLESS_SRC_DIR}
+
+	if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+		exec /usr/local/bin/celery --app paperless flower --conf=${PAPERLESS_SRC_DIR}/paperless/flowerconfig.py
+	else
+		exec s6-setuidgid paperless /usr/local/bin/celery --app paperless flower --conf=${PAPERLESS_SRC_DIR}/paperless/flowerconfig.py
+	fi
+
+else
+	echo "${log_prefix} Not starting flower"
+	# https://skarnet.org/software/s6/s6-svc.html
+	s6-svc -Od .
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-flower/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-scheduler/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec /usr/local/bin/celery --app paperless beat --loglevel INFO
+else
+	exec s6-setuidgid paperless /usr/local/bin/celery --app paperless beat --loglevel INFO
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-scheduler/type

@@ -0,0 +1 @@
+longrun

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-webserver/run

@@ -0,0 +1,10 @@
+#!/command/with-contenv /usr/bin/bash
+# shellcheck shell=bash
+
+cd ${PAPERLESS_SRC_DIR}
+
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	exec /usr/local/bin/gunicorn -c /usr/src/paperless/gunicorn.conf.py paperless.asgi:application
+else
+	exec s6-setuidgid paperless /usr/local/bin/gunicorn -c /usr/src/paperless/gunicorn.conf.py paperless.asgi:application
+fi

docker/rootfs/etc/s6-overlay/s6-rc.d/svc-webserver/type

@@ -0,0 +1 @@
+longrun