Merge pull request #1212 from theEndBeta/feature_rootless_and_container_repo

Enable rootless container w/ CI tweaks/bugfixes
2025-04-02 13:45:10 -05:00 · 2022-07-15 08:41:09 -07:00 · 2022-07-15 08:41:09 -07:00 · d1f59a6590
commit d1f59a6590
parent ca7a6fe1f1 cdecf8904e
7 changed files with 89 additions and 20 deletions
--- a/.github/scripts/common.py
+++ b/.github/scripts/common.py
@ -11,7 +11,7 @@ def get_image_tag(
    """
    Returns a string representing the normal image for a given package
    """
-    return f"ghcr.io/{repo_name}/builder/{pkg_name}:{pkg_version}"
+    return f"ghcr.io/{repo_name.lower()}/builder/{pkg_name}:{pkg_version}"


 def get_cache_image_tag(
@ -26,7 +26,7 @@ def get_cache_image_tag(
    Registry type caching is utilized for the builder images, to allow fast
    rebuilds, generally almost instant for the same version
    """
-    return f"ghcr.io/{repo_name}/builder/cache/{pkg_name}:{pkg_version}"
+    return f"ghcr.io/{repo_name.lower()}/builder/cache/{pkg_name}:{pkg_version}"


 def get_log_level(args) -> int:
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -68,6 +68,12 @@ jobs:
      - ci-backend
      - ci-frontend
    steps:
+      -
+        name: Set ghcr repository name
+        id: set-ghcr-repository
+        run: |
+          ghcr_name=$(echo "${GITHUB_REPOSITORY}" | awk '{ print tolower($0) }')
+          echo ::set-output name=repository::${ghcr_name}
      -
        name: Checkout
        uses: actions/checkout@v3
@ -115,6 +121,8 @@ jobs:

    outputs:

+      ghcr-repository: ${{ steps.set-ghcr-repository.outputs.repository }}
+
      qpdf-json: ${{ steps.qpdf-setup.outputs.qpdf-json }}

      pikepdf-json: ${{ steps.pikepdf-setup.outputs.pikepdf-json }}
@ -142,7 +150,7 @@ jobs:
        #  a tag
        # Otherwise forks would require a Docker Hub account and secrets setup
        run: |
-          if [[ ${{ github.repository }} == "paperless-ngx/paperless-ngx" && ( ${{ github.ref_name }} == "main" || ${{ github.ref_name }} == "dev" || ${{ github.ref_name }} == "beta" || ${{ startsWith(github.ref, 'refs/tags/v') }} == "true" ) ]] ; then
+          if [[ ${{ needs.prepare-docker-build.outputs.ghcr-repository }} == "paperless-ngx/paperless-ngx" && ( ${{ github.ref_name }} == "main" || ${{ github.ref_name }} == "dev" || ${{ github.ref_name }} == "beta" || ${{ startsWith(github.ref, 'refs/tags/v') }} == "true" ) ]] ; then
            echo "Enabling DockerHub image push"
            echo ::set-output name=enable::"true"
          else
@ -155,7 +163,7 @@ jobs:
        uses: docker/metadata-action@v4
        with:
          images: |
-            ghcr.io/${{ github.repository }}
+            ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}
            name=paperlessngx/paperless-ngx,enable=${{ steps.docker-hub.outputs.enable }}
          tags: |
            # Tag branches with branch name
@ -206,11 +214,11 @@ jobs:
          # Get cache layers from this branch, then dev, then main
          # This allows new branches to get at least some cache benefits, generally from dev
          cache-from: |
-            type=registry,ref=ghcr.io/${{ github.repository }}/builder/cache/app:${{ github.ref_name }}
-            type=registry,ref=ghcr.io/${{ github.repository }}/builder/cache/app:dev
-            type=registry,ref=ghcr.io/${{ github.repository }}/builder/cache/app:main
+            type=registry,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }}
+            type=registry,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:dev
+            type=registry,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:main
          cache-to: |
-            type=registry,mode=max,ref=ghcr.io/${{ github.repository }}/builder/cache/app:${{ github.ref_name }}
+            type=registry,mode=max,ref=ghcr.io/${{ needs.prepare-docker-build.outputs.ghcr-repository }}/builder/cache/app:${{ github.ref_name }}
      -
        name: Inspect image
        run: |
--- a/.github/workflows/installer-library.yml
+++ b/.github/workflows/installer-library.yml
@ -36,6 +36,12 @@ jobs:
    name: Prepare Docker Image Version Data
    runs-on: ubuntu-20.04
    steps:
+      -
+        name: Set ghcr repository name
+        id: set-ghcr-repository
+        run: |
+          ghcr_name=$(echo "${GITHUB_REPOSITORY}" | awk '{ print tolower($0) }')
+          echo ::set-output name=repository::${ghcr_name}
      -
        name: Checkout
        uses: actions/checkout@v3
@ -83,6 +89,8 @@ jobs:

    outputs:

+      ghcr-repository: ${{ steps.set-ghcr-repository.outputs.repository }}
+
      qpdf-json: ${{ steps.qpdf-setup.outputs.qpdf-json }}

      pikepdf-json: ${{ steps.pikepdf-setup.outputs.pikepdf-json }}
@ -134,6 +142,6 @@ jobs:
      dockerfile: ./docker-builders/Dockerfile.pikepdf
      build-json: ${{ needs.prepare-docker-build.outputs.pikepdf-json }}
      build-args: |
-        REPO=${{ github.repository }}
+        REPO=${{ needs.prepare-docker-build.outputs.ghcr-repository }}
        QPDF_VERSION=${{ fromJSON(needs.prepare-docker-build.outputs.qpdf-json).version }}
        PIKEPDF_VERSION=${{ fromJSON(needs.prepare-docker-build.outputs.pikepdf-json).version }}
--- a/32
+++ b/32
@ -117,22 +117,36 @@ COPY gunicorn.conf.py .
 # setup docker-specific things
 # Use mounts to avoid copying installer files into the image
 # These change sometimes, but rarely
-WORKDIR /usr/src/paperless/src/docker/
+ARG DOCKER_SRC=/usr/src/paperless/src/docker/
+WORKDIR ${DOCKER_SRC}

-RUN --mount=type=bind,readwrite,source=docker,target=./ \
-  set -eux \
+COPY [ \
+	"docker/imagemagick-policy.xml", \
+	"docker/supervisord.conf", \
+	"docker/docker-entrypoint.sh", \
+	"docker/docker-prepare.sh", \
+	"docker/paperless_cmd.sh", \
+	"docker/wait-for-redis.py", \
+	"docker/management_script.sh", \
+	"docker/install_management_commands.sh", \
+	"${DOCKER_SRC}" \
+]
+
+RUN set -eux \
  && echo "Configuring ImageMagick" \
-    && cp imagemagick-policy.xml /etc/ImageMagick-6/policy.xml \
+    && mv imagemagick-policy.xml /etc/ImageMagick-6/policy.xml \
  && echo "Configuring supervisord" \
    && mkdir /var/log/supervisord /var/run/supervisord \
-    && cp supervisord.conf /etc/supervisord.conf \
+    && mv supervisord.conf /etc/supervisord.conf \
  && echo "Setting up Docker scripts" \
-    && cp docker-entrypoint.sh /sbin/docker-entrypoint.sh \
+    && mv docker-entrypoint.sh /sbin/docker-entrypoint.sh \
    && chmod 755 /sbin/docker-entrypoint.sh \
-    && cp docker-prepare.sh /sbin/docker-prepare.sh \
+    && mv docker-prepare.sh /sbin/docker-prepare.sh \
    && chmod 755 /sbin/docker-prepare.sh \
-    && cp wait-for-redis.py /sbin/wait-for-redis.py \
+    && mv wait-for-redis.py /sbin/wait-for-redis.py \
    && chmod 755 /sbin/wait-for-redis.py \
+    && mv paperless_cmd.sh /usr/local/bin/paperless_cmd.sh \
+    && chmod 755 /usr/local/bin/paperless_cmd.sh \
  && echo "Installing managment commands" \
    && chmod +x install_management_commands.sh \
    && ./install_management_commands.sh
@ -211,4 +225,4 @@ ENTRYPOINT ["/sbin/docker-entrypoint.sh"]

 EXPOSE 8000

-CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf"]
+CMD ["/usr/local/bin/paperless_cmd.sh"]
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@ -95,7 +95,7 @@ initialize() {
 	done
 	set -e

-	gosu paperless /sbin/docker-prepare.sh
+	${gosu_cmd[@]} /sbin/docker-prepare.sh
 }

 install_languages() {
@ -137,6 +137,11 @@ install_languages() {

 echo "Paperless-ngx docker container starting..."

+gosu_cmd=(gosu paperless)
+if [ $(id -u) == $(id -u paperless) ]; then
+	gosu_cmd=()
+fi
+
 # Install additional languages if specified
 if [[ -n "$PAPERLESS_OCR_LANGUAGES" ]]; then
 	install_languages "$PAPERLESS_OCR_LANGUAGES"
@ -146,7 +151,7 @@ initialize

 if [[ "$1" != "/"* ]]; then
 	echo Executing management command "$@"
-	exec gosu paperless python3 manage.py "$@"
+	exec ${gosu_cmd[@]} python3 manage.py "$@"
 else
 	echo Executing "$@"
 	exec "$@"
--- a/docker/paperless_cmd.sh
+++ b/docker/paperless_cmd.sh
@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+rootless_args=()
+if [ $(id -u) == $(id -u paperless) ]; then
+	rootless_args=(
+		--user
+		paperless
+		--logfile
+		supervisord.log
+		--pidfile
+		supervisord.pid
+	)
+fi
+
+/usr/local/bin/supervisord -c /etc/supervisord.conf ${rootless_args[@]}
--- a/docs/setup.rst
+++ b/docs/setup.rst
@ -184,6 +184,25 @@ Install Paperless from Docker Hub
    port 8000. Modifying the part before the colon will map requests on another
    port to the webserver running on the default port.

+    **Rootless**
+
+    If you want to run Paperless as a rootless container, you will need to do the
+    following in your ``docker-compose.yml``:
+
+    - set the ``user`` running the container to map to the ``paperless`` user in the
+      container.
+      This value (``user_id`` below), should be the same id that ``USERMAP_UID`` and
+      ``USERMAP_GID`` are set to in the next step.
+      See ``USERMAP_UID`` and ``USERMAP_GID`` :ref:`here <configuration-docker>`.
+
+    Your entry for Paperless should contain something like:
+
+     .. code::
+
+        webserver:
+          image: ghcr.io/paperless-ngx/paperless-ngx:latest
+          user: <user_id>
+
 5.  Modify ``docker-compose.env``, following the comments in the file. The
    most important change is to set ``USERMAP_UID`` and ``USERMAP_GID``
    to the uid and gid of your user on the host system. Use ``id -u`` and