From f58c2d0a7bfabe3b73a4c6ab2aa4b8833ea82402 Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sun, 3 Jul 2022 14:42:36 -0400 Subject: [PATCH 1/9] allow rootless (as paperless user) --- docker/docker-entrypoint.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index c1e7588e1..b68eeb409 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -95,7 +95,11 @@ initialize() { done set -e - gosu paperless /sbin/docker-prepare.sh + if [ $(id -u) == $(id -u paperless) ]; then + /sbin/docker-prepare.sh + else + gosu paperless /sbin/docker-prepare.sh + fi } install_languages() { From 1d38367e79516c1ad394bd7d7346303a4270421f Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sun, 3 Jul 2022 14:42:51 -0400 Subject: [PATCH 2/9] allow podman build --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 630cd367c..f9cf291ec 100644 --- a/Dockerfile +++ b/Dockerfile @@ -117,9 +117,10 @@ COPY gunicorn.conf.py . # setup docker-specific things # Use mounts to avoid copying installer files into the image # These change sometimes, but rarely -WORKDIR /usr/src/paperless/src/docker/ +ARG DOCKER_SRC=/usr/src/paperless/src/docker/ +WORKDIR ${DOCKER_SRC} -RUN --mount=type=bind,readwrite,source=docker,target=./ \ +RUN --mount=type=bind,readwrite,source=docker,target=${DOCKER_SRC} \ set -eux \ && echo "Configuring ImageMagick" \ && cp imagemagick-policy.xml /etc/ImageMagick-6/policy.xml \ From 145c41f462084380a1afd6f7bf74df910957dd33 Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sun, 3 Jul 2022 14:43:18 -0400 Subject: [PATCH 3/9] container repository name must be lowercase --- .github/scripts/common.py | 4 ++-- .github/workflows/ci.yml | 20 ++++++++++++++------ .github/workflows/installer-library.yml | 10 +++++++++- 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/.github/scripts/common.py b/.github/scripts/common.py index f0302e79a..62f58aa1c 100644 --- a/.github/scripts/common.py +++ b/.github/scripts/common.py @@ -11,7 +11,7 @@ def get_image_tag( """ Returns a string representing the normal image for a given package """ - return f"ghcr.io/{repo_name}/builder/{pkg_name}:{pkg_version}" + return f"ghcr.io/{repo_name.lower()}/builder/{pkg_name}:{pkg_version}" def get_cache_image_tag( @@ -26,7 +26,7 @@ def get_cache_image_tag( Registry type caching is utilized for the builder images, to allow fast rebuilds, generally almost instant for the same version """ - return f"ghcr.io/{repo_name}/builder/cache/{pkg_name}:{pkg_version}" + return f"ghcr.io/{repo_name.lower()}/builder/cache/{pkg_name}:{pkg_version}" def get_log_level(args) -> int: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10437aa2b..d908a456b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,12 @@ jobs: - ci-backend - ci-frontend steps: + - + name: Set gchr repository name + id: set-ghrc-repository + run: | + ghcr_name=$(echo "${GITHUB_REPOSITORY}" | awk '{ print tolower($0) }') + echo ::set-output name=repository::${ghcr_name} - name: Checkout uses: actions/checkout@v3 @@ -115,6 +121,8 @@ jobs: outputs: + ghcr-repository: ${{ steps.set-ghrc-repository.outputs.repository }} + qpdf-json: ${{ steps.qpdf-setup.outputs.qpdf-json }} pikepdf-json: ${{ steps.pikepdf-setup.outputs.pikepdf-json }} @@ -142,7 +150,7 @@ jobs: # a tag # Otherwise forks would require a Docker Hub account and secrets setup run: | - if [[ ${{ github.repository }} == "paperless-ngx/paperless-ngx" && ( ${{ github.ref_name }} == "main" || ${{ github.ref_name }} == "dev" || ${{ github.ref_name }} == "beta" || ${{ startsWith(github.ref, 'refs/tags/v') }} == "true" ) ]] ; then + if [[ ${{ needs.prepare-docker-build.outputs.ghcr-repository }} == "paperless-ngx/paperless-ngx" && ( ${{ github.ref_name }} == "main" || ${{ github.ref_name }} == "dev" || ${{ github.ref_name }} == "beta" || ${{ startsWith(github.ref, 'refs/tags/v') }} == "true" ) ]] ; then echo "Enabling DockerHub image push" echo ::set-output name=enable::"true" else @@ -155,7 +163,7 @@ jobs: uses: docker/metadata-action@v4 with: images: | - ghcr.io/${{ github.repository }} + ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }} name=paperlessngx/paperless-ngx,enable=${{ steps.docker-hub.outputs.enable }} tags: | # Tag branches with branch name @@ -206,11 +214,11 @@ jobs: # Get cache layers from this branch, then dev, then main # This allows new branches to get at least some cache benefits, generally from dev cache-from: | - type=registry,ref=ghcr.io/${{ github.repository }}/builder/cache/app:${{ github.ref_name }} - type=registry,ref=ghcr.io/${{ github.repository }}/builder/cache/app:dev - type=registry,ref=ghcr.io/${{ github.repository }}/builder/cache/app:main + type=registry,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }} + type=registry,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:dev + type=registry,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:main cache-to: | - type=registry,mode=max,ref=ghcr.io/${{ github.repository }}/builder/cache/app:${{ github.ref_name }} + type=registry,mode=max,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }} - name: Inspect image run: | diff --git a/.github/workflows/installer-library.yml b/.github/workflows/installer-library.yml index 879c31fc9..e236b94fb 100644 --- a/.github/workflows/installer-library.yml +++ b/.github/workflows/installer-library.yml @@ -36,6 +36,12 @@ jobs: name: Prepare Docker Image Version Data runs-on: ubuntu-20.04 steps: + - + name: Set gchr repository name + id: set-ghrc-repository + run: | + ghcr_name=$(echo "${GITHUB_REPOSITORY}" | awk '{ print tolower($0) }') + echo ::set-output name=repository::${ghcr_name} - name: Checkout uses: actions/checkout@v3 @@ -83,6 +89,8 @@ jobs: outputs: + ghcr-repository: ${{ steps.set-ghrc-repository.outputs.repository }} + qpdf-json: ${{ steps.qpdf-setup.outputs.qpdf-json }} pikepdf-json: ${{ steps.pikepdf-setup.outputs.pikepdf-json }} @@ -134,6 +142,6 @@ jobs: dockerfile: ./docker-builders/Dockerfile.pikepdf build-json: ${{ needs.prepare-docker-build.outputs.pikepdf-json }} build-args: | - REPO=${{ github.repository }} + REPO=${{ needs.prepare-docker-build.outputs.ghcr-repository }} QPDF_VERSION=${{ fromJSON(needs.prepare-docker-build.outputs.qpdf-json).version }} PIKEPDF_VERSION=${{ fromJSON(needs.prepare-docker-build.outputs.pikepdf-json).version }} From 9a8562c62421d3fbf0c95b6e0e00c9512126a49d Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Fri, 8 Jul 2022 16:41:21 -0400 Subject: [PATCH 4/9] add instructions for rootless --- docs/setup.rst | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/setup.rst b/docs/setup.rst index 2eee43fec..640b20fa2 100644 --- a/docs/setup.rst +++ b/docs/setup.rst @@ -184,6 +184,29 @@ Install Paperless from Docker Hub port 8000. Modifying the part before the colon will map requests on another port to the webserver running on the default port. + **Rootless** + + If you want to run Paperless as a rootless container, you will need to: + + - set the ``user`` running the container to map to the ``paperless`` user in the + container. + See ``USERMAP_UID`` and ``USERMAP_GID`` :ref:`here `. + + - override some of the ``supervisord`` defaults by setting the ``command`` to: + + .. code:: + + command: + - "/usr/local/bin/supervisord" + - "-c" + - "/etc/supervisord.conf" + - "--user" + - "paperless" + - "--logfile" + - "supervisord.log" + - "--pidfile" + - "supervisord.pid" + 5. Modify ``docker-compose.env``, following the comments in the file. The most important change is to set ``USERMAP_UID`` and ``USERMAP_GID`` to the uid and gid of your user on the host system. Use ``id -u`` and From e86f737320ec9033aff51783cb2207584aa4e1c6 Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sat, 9 Jul 2022 14:37:20 -0400 Subject: [PATCH 5/9] pr comment(s) - CI typos --- .github/workflows/ci.yml | 6 +++--- .github/workflows/installer-library.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d908a456b..3c17f72a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -69,8 +69,8 @@ jobs: - ci-frontend steps: - - name: Set gchr repository name - id: set-ghrc-repository + name: Set ghcr repository name + id: set-ghcr-repository run: | ghcr_name=$(echo "${GITHUB_REPOSITORY}" | awk '{ print tolower($0) }') echo ::set-output name=repository::${ghcr_name} @@ -121,7 +121,7 @@ jobs: outputs: - ghcr-repository: ${{ steps.set-ghrc-repository.outputs.repository }} + ghcr-repository: ${{ steps.set-ghcr-repository.outputs.repository }} qpdf-json: ${{ steps.qpdf-setup.outputs.qpdf-json }} diff --git a/.github/workflows/installer-library.yml b/.github/workflows/installer-library.yml index e236b94fb..83dc6baa7 100644 --- a/.github/workflows/installer-library.yml +++ b/.github/workflows/installer-library.yml @@ -37,8 +37,8 @@ jobs: runs-on: ubuntu-20.04 steps: - - name: Set gchr repository name - id: set-ghrc-repository + name: Set ghcr repository name + id: set-ghcr-repository run: | ghcr_name=$(echo "${GITHUB_REPOSITORY}" | awk '{ print tolower($0) }') echo ::set-output name=repository::${ghcr_name} @@ -89,7 +89,7 @@ jobs: outputs: - ghcr-repository: ${{ steps.set-ghrc-repository.outputs.repository }} + ghcr-repository: ${{ steps.set-ghcr-repository.outputs.repository }} qpdf-json: ${{ steps.qpdf-setup.outputs.qpdf-json }} From ea07b261ad2a367833b33e367592bcc80a97c2d1 Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sat, 9 Jul 2022 16:14:33 -0400 Subject: [PATCH 6/9] negate second `gosu` command when running as paperless user --- docker/docker-entrypoint.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index b68eeb409..921808f31 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -95,11 +95,7 @@ initialize() { done set -e - if [ $(id -u) == $(id -u paperless) ]; then - /sbin/docker-prepare.sh - else - gosu paperless /sbin/docker-prepare.sh - fi + ${gosu_cmd[@]} /sbin/docker-prepare.sh } install_languages() { @@ -141,6 +137,11 @@ install_languages() { echo "Paperless-ngx docker container starting..." +gosu_cmd=(gosu paperless) +if [ $(id -u) == $(id -u paperless) ]; then + gosu_cmd=() +fi + # Install additional languages if specified if [[ -n "$PAPERLESS_OCR_LANGUAGES" ]]; then install_languages "$PAPERLESS_OCR_LANGUAGES" @@ -150,7 +151,7 @@ initialize if [[ "$1" != "/"* ]]; then echo Executing management command "$@" - exec gosu paperless python3 manage.py "$@" + exec ${gosu_cmd[@]} python3 manage.py "$@" else echo Executing "$@" exec "$@" From 191676b011046e6320ea6d322fc0e7b2aace518c Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sat, 9 Jul 2022 16:15:42 -0400 Subject: [PATCH 7/9] switch from bind mount to `COPY` to avoid requiring host directory relabeling on selinux enabled systems --- Dockerfile | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index f9cf291ec..7f0d1adb0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -120,19 +120,29 @@ COPY gunicorn.conf.py . ARG DOCKER_SRC=/usr/src/paperless/src/docker/ WORKDIR ${DOCKER_SRC} -RUN --mount=type=bind,readwrite,source=docker,target=${DOCKER_SRC} \ - set -eux \ +COPY [ \ + "docker/imagemagick-policy.xml", \ + "docker/supervisord.conf", \ + "docker/docker-entrypoint.sh", \ + "docker/docker-prepare.sh", \ + "docker/wait-for-redis.py", \ + "docker/management_script.sh", \ + "docker/install_management_commands.sh", \ + "${DOCKER_SRC}" \ +] + +RUN set -eux \ && echo "Configuring ImageMagick" \ - && cp imagemagick-policy.xml /etc/ImageMagick-6/policy.xml \ + && mv imagemagick-policy.xml /etc/ImageMagick-6/policy.xml \ && echo "Configuring supervisord" \ && mkdir /var/log/supervisord /var/run/supervisord \ - && cp supervisord.conf /etc/supervisord.conf \ + && mv supervisord.conf /etc/supervisord.conf \ && echo "Setting up Docker scripts" \ - && cp docker-entrypoint.sh /sbin/docker-entrypoint.sh \ + && mv docker-entrypoint.sh /sbin/docker-entrypoint.sh \ && chmod 755 /sbin/docker-entrypoint.sh \ - && cp docker-prepare.sh /sbin/docker-prepare.sh \ + && mv docker-prepare.sh /sbin/docker-prepare.sh \ && chmod 755 /sbin/docker-prepare.sh \ - && cp wait-for-redis.py /sbin/wait-for-redis.py \ + && mv wait-for-redis.py /sbin/wait-for-redis.py \ && chmod 755 /sbin/wait-for-redis.py \ && echo "Installing managment commands" \ && chmod +x install_management_commands.sh \ From 3d16266c69de80fefd6667457acf14336f3a9ae8 Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sat, 9 Jul 2022 16:45:41 -0400 Subject: [PATCH 8/9] pr comment - documentation edits --- docs/setup.rst | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/docs/setup.rst b/docs/setup.rst index 640b20fa2..10301d29d 100644 --- a/docs/setup.rst +++ b/docs/setup.rst @@ -186,26 +186,35 @@ Install Paperless from Docker Hub **Rootless** - If you want to run Paperless as a rootless container, you will need to: + If you want to run Paperless as a rootless container, you will need to add the + following to your ``docker-compose.yml``: - set the ``user`` running the container to map to the ``paperless`` user in the container. - See ``USERMAP_UID`` and ``USERMAP_GID`` :ref:`here `. + This value (``user_id`` below), should be the same id that ``USERMAP_UID`` and + ``USERMAP_GID`` are set to in the next step. + See ``USERMAP_UID`` and ``USERMAP_GID`` :ref:`here `. - - override some of the ``supervisord`` defaults by setting the ``command`` to: + - override some of the ``supervisord`` defaults by setting the docker ``command`` + (`see here `_) to: + + Your ``docker-compose.yml`` entry for Paperless will look something like: .. code:: - command: - - "/usr/local/bin/supervisord" - - "-c" - - "/etc/supervisord.conf" - - "--user" - - "paperless" - - "--logfile" - - "supervisord.log" - - "--pidfile" - - "supervisord.pid" + webserver: + image: ghcr.io/paperless-ngx/paperless-ngx:latest + user: + command: + - "/usr/local/bin/supervisord" + - "-c" + - "/etc/supervisord.conf" + - "--user" + - "paperless" + - "--logfile" + - "supervisord.log" + - "--pidfile" + - "supervisord.pid" 5. Modify ``docker-compose.env``, following the comments in the file. The most important change is to set ``USERMAP_UID`` and ``USERMAP_GID`` From cdecf8904e12fc9af02e0823ec8ad0d19fdcf8d1 Mon Sep 17 00:00:00 2001 From: Aidan Stein Date: Sat, 9 Jul 2022 17:10:30 -0400 Subject: [PATCH 9/9] move supervisord call into wrapper script --- Dockerfile | 5 ++++- docker/paperless_cmd.sh | 15 +++++++++++++++ docs/setup.rst | 19 +++---------------- 3 files changed, 22 insertions(+), 17 deletions(-) create mode 100755 docker/paperless_cmd.sh diff --git a/Dockerfile b/Dockerfile index 7f0d1adb0..981a194c9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -125,6 +125,7 @@ COPY [ \ "docker/supervisord.conf", \ "docker/docker-entrypoint.sh", \ "docker/docker-prepare.sh", \ + "docker/paperless_cmd.sh", \ "docker/wait-for-redis.py", \ "docker/management_script.sh", \ "docker/install_management_commands.sh", \ @@ -144,6 +145,8 @@ RUN set -eux \ && chmod 755 /sbin/docker-prepare.sh \ && mv wait-for-redis.py /sbin/wait-for-redis.py \ && chmod 755 /sbin/wait-for-redis.py \ + && mv paperless_cmd.sh /usr/local/bin/paperless_cmd.sh \ + && chmod 755 /usr/local/bin/paperless_cmd.sh \ && echo "Installing managment commands" \ && chmod +x install_management_commands.sh \ && ./install_management_commands.sh @@ -222,4 +225,4 @@ ENTRYPOINT ["/sbin/docker-entrypoint.sh"] EXPOSE 8000 -CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf"] +CMD ["/usr/local/bin/paperless_cmd.sh"] diff --git a/docker/paperless_cmd.sh b/docker/paperless_cmd.sh new file mode 100755 index 000000000..2c8c1364a --- /dev/null +++ b/docker/paperless_cmd.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +rootless_args=() +if [ $(id -u) == $(id -u paperless) ]; then + rootless_args=( + --user + paperless + --logfile + supervisord.log + --pidfile + supervisord.pid + ) +fi + +/usr/local/bin/supervisord -c /etc/supervisord.conf ${rootless_args[@]} diff --git a/docs/setup.rst b/docs/setup.rst index 10301d29d..60fbc212e 100644 --- a/docs/setup.rst +++ b/docs/setup.rst @@ -186,8 +186,8 @@ Install Paperless from Docker Hub **Rootless** - If you want to run Paperless as a rootless container, you will need to add the - following to your ``docker-compose.yml``: + If you want to run Paperless as a rootless container, you will need to do the + following in your ``docker-compose.yml``: - set the ``user`` running the container to map to the ``paperless`` user in the container. @@ -195,26 +195,13 @@ Install Paperless from Docker Hub ``USERMAP_GID`` are set to in the next step. See ``USERMAP_UID`` and ``USERMAP_GID`` :ref:`here `. - - override some of the ``supervisord`` defaults by setting the docker ``command`` - (`see here `_) to: - - Your ``docker-compose.yml`` entry for Paperless will look something like: + Your entry for Paperless should contain something like: .. code:: webserver: image: ghcr.io/paperless-ngx/paperless-ngx:latest user: - command: - - "/usr/local/bin/supervisord" - - "-c" - - "/etc/supervisord.conf" - - "--user" - - "paperless" - - "--logfile" - - "supervisord.log" - - "--pidfile" - - "supervisord.pid" 5. Modify ``docker-compose.env``, following the comments in the file. The most important change is to set ``USERMAP_UID`` and ``USERMAP_GID``