diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
index 556cef93d..1ad06f12e 100644
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -13,6 +13,7 @@ body:
 - [The troubleshooting documentation](https://paperless-ngx.readthedocs.io/en/latest/troubleshooting.html).
 - [The installation instructions](https://paperless-ngx.readthedocs.io/en/latest/setup.html#installation).
 - [Existing issues and discussions](https://github.com/paperless-ngx/paperless-ngx/search?q=&type=issues).
+ - Disable any customer container initialization scripts, if using any
 If you encounter issues while installing or configuring Paperless-ngx, please post in the ["Support" section of the discussions](https://github.com/paperless-ngx/paperless-ngx/discussions/new?category=support).
 - type: textarea
diff --git a/docker/docker-prepare.sh b/docker/docker-prepare.sh
index c4e45c032..e1c970284 100755
--- a/docker/docker-prepare.sh
+++ b/docker/docker-prepare.sh
@@ -89,6 +89,46 @@ superuser() {
 fi
 }
+customer_container_init() {
+ # Mostly borrowed from the LinuxServer.io base image
+ # https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
+ readonly custom_script_dir="/custom-cont-init.d"
+ # Tamper checking.
+ # Don't run files which are owned by anyone except root
+ # Don't run files which are writeable by others
+ if [ -d "${custom_script_dir}" ]; then
+ if [ -n "$(find "${custom_script_dir}" ! -user root)" ]; then
+ echo "**** Potential tampering with custom scripts detected ****"
+ echo "**** The folder '${custom_script_dir}' must be owned by root ****"
+ return 0
+ fi
+ if [ -n "$(find "${custom_script_dir}" -perm -o+w)" ]; then
+ echo "**** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
+ echo "**** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
+ return 0
+ fi
+
+ # Make sure custom init directory has files in it
+ if [ -n "$(/bin/ls -A "${custom_script_dir} "2>/dev/null)" ]; then
+ echo "[custom-init] files found in ${custom_script_dir} executing"
+ # Loop over files in the directory
+ for SCRIPT in "${custom_script_dir}"/*; do
+ NAME="$(basename "${SCRIPT}")"
+ if [ -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: executing..."
+ /bin/bash "${SCRIPT}"
+ echo "[custom-init] ${NAME}: exited $?"
+ elif [ ! -f "${SCRIPT}" ]; then
+ echo "[custom-init] ${NAME}: is not a file"
+ fi
+ done
+ else
+ echo "[custom-init] no custom files found exiting..."
+ fi
+
+ fi
+}
+
 do_work() {
 if [[ "${PAPERLESS_DBENGINE}" == "mariadb" ]]; then
 wait_for_mariadb
@@ -104,6 +144,9 @@ do_work() {
 superuser
+ # Leave this last thing
+ customer_container_init
+
 }
 do_work
diff --git a/docs/advanced_usage.rst b/docs/advanced_usage.rst
index 0dd7e9601..eda2ca259 100644
--- a/docs/advanced_usage.rst
+++ b/docs/advanced_usage.rst
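Review bot: The non-empty check in `customer_container_init` has a misplaced quote, `"$(/bin/ls -A "${custom_script_dir} "2>/dev/null)"`: the path handed to `ls` gains a trailing ` 2` and it is stdout, not stderr, that is sent to `/dev/null`, so the substitution is always empty and the function always takes the "no custom files found" branch. It should read `if [ -n "$(/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then`. The tamper check `find "${custom_script_dir}" -perm -o+w` rejects only world-writable entries, although the documentation added in this commit says the scripts run as root and must be writable only by root; `-perm /g+w,o+w` would also refuse group-writable files. `readonly custom_script_dir=...` inside the function also sets a global read-only variable, and `local -r` would keep it scoped to the function.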
@@ -392,3 +392,28 @@ a Docker installation, you can use volumes to accomplish this:
 # ...
 volumes:
 - /path/to/my/flowerconfig.py:/usr/src/paperless/src/paperless/flowerconfig.py:ro
+
+Custom Container Initialization
+###############################
+
+The Docker image includes the ability to run custom user scripts during startup. This could be
+utilized for installing additional tools or Python packages, for example.
+
+To utilize this, mount a folder containing your scripts to the custom initialization directory, `/custom-cont-init.d`
+and place scripts you wish to run inside. For security, the folder and its contents must be owned by `root`.
+Additionally, scripts must only be writable by `root`.
+
+Your scripts will be run directly before the webserver completes startup. Scripts will be run by the `root` user.
+This is an advanced functionality with which you could break functionality or lose data.
+
+For example, using Docker Compose:
+
+
+.. code:: yaml
+
+ services:
+ # ...
+ webserver:
+ # ...
+ volumes:
+ - /path/to/my/scripts:/custom-cont-init.d:ro