Change nginx container to unprivileged (#525)

* Update README.md

* Update README.md

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

* Update README.md

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

* Update README.md

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

MAINTENANCE.md

@@ -20,7 +20,7 @@ The following people help to maintain this open source project:
 |:--------------------------------------|:--------------|
 | Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018   |
 
-In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
+In case something happens where no maintainers are able to complete their responsibilities, the following sponsoring organization can help find a new maintainer:
 
 | Sponsoring Organization        | Start Date    |
 |:-------------------------------|:--------------|

README.md

@@ -1,6 +1,12 @@
 # Production Docker deployment for Mattermost
 
-This project enables deployment of a Mattermost server in a multi-node production configuration using Docker.
+## WARNING:
+
+The current state of this repository doesn't work out-of-the box since Mattermost server v5.31+ requires PostgreSQL versions of 10 or higher.
+
+We're actively working on a fix to this repository. Until then, please refer to these upgrade instructions: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
+
+This project enables a deployment of a Mattermost server in a multi-node production configuration using Docker.
 
 [![Build Status](https://travis-ci.org/mattermost/mattermost-docker.svg?branch=master)](https://travis-ci.org/mattermost/mattermost-docker)
 
@@ -67,6 +73,13 @@ If your database use some custom host and port, it is also possible to configure
 * `DB_HOST`: database host address
 * `DB_PORT_NUMBER`: database port
 
+Use this optional variable if your PostgreSQL connection requires encryption (you may need a certificate authority file and/or a certificate revocation list - check the documentation for your database provider).  See the [PostgreSQL notes on encrypted connections](https://www.postgresql.org/docs/current/libpq-ssl.html) for recommendations on what values to use when encryption is needed.
+* `DB_SSLMODE`: defaults to `disable`, indicating no encryption
+
+PostgreSQL allows two other variables `sslrootcert` and `sslcrl` for connection strings.  However these are not broadly supported when the connection string is specified as a URI. If you need these parameters, use the PostgreSQL-specified environment variables
+* `PGSSLROOTCERT` specifies the location of CA file
+* `PGSSLCRL` specifies the location of a certificate revocation list file
+
 If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) :
 * `MM_CONFIG`: configuration file location inside the container.
 
@@ -189,7 +202,7 @@ docker-compose build app
 docker-compose run app -upgrade_db_30
 docker-compose up -d
 ```
-See the [offical Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
+See the [official Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
 
 ## Installation using Docker Swarm Mode
 

app/Dockerfile

@@ -2,7 +2,6 @@ FROM alpine:3.10
 
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
-ENV MM_VERSION=5.29.0
 ENV MM_INSTALL_TYPE=docker
 
 # Build argument to set Mattermost edition
@@ -10,6 +9,7 @@ ARG edition=enterprise
 ARG PUID=2000
 ARG PGID=2000
 ARG MM_BINARY=
+ARG MM_VERSION=5.31.0
 
 
 # Install some needed packages
@@ -19,7 +19,7 @@ RUN apk add --no-cache \
 	jq \
 	libc6-compat \
 	libffi-dev \
-    libcap \
+	libcap \
 	linux-headers \
 	mailcap \
 	netcat-openbsd \
@@ -29,15 +29,15 @@ RUN apk add --no-cache \
 
 # Get Mattermost
 RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
-    && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
+	&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
-      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
+		elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
-      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
+		else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
-    && cp /mattermost/config/config.json /config.json.save \
+	&& cp /mattermost/config/config.json /config.json.save \
-    && rm -rf /mattermost/config/config.json \
+	&& rm -rf /mattermost/config/config.json \
-    && addgroup -g ${PGID} mattermost \
+	&& addgroup -g ${PGID} mattermost \
-    && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
+	&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
-    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
+	&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
-    && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
+	&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
 
 USER mattermost
 

app/entrypoint.sh

@@ -2,63 +2,71 @@
 
 # Function to generate a random salt
 generate_salt() {
-  tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
+  tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 48 | head -n 1
 }
 
 # Read environment variables or set default values
 DB_HOST=${DB_HOST:-db}
 DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
+# see https://www.postgresql.org/docs/current/libpq-ssl.html
+# for usage when database connection requires encryption
+# filenames should be escaped if they contain spaces
+#  i.e. $(printf %s ${MY_ENV_VAR:-''}  | jq -s -R -r @uri)
+# the location of the CA file can be set using environment var PGSSLROOTCERT
+# the location of the CRL file can be set using PGSSLCRL
+# The URL syntax for connection string does not support the parameters
+# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
+# to set names if using a location other than default
+DB_USE_SSL=${DB_USE_SSL:-disable}
 MM_DBNAME=${MM_DBNAME:-mattermost}
 MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
 
-if [ "${1:0:1}" = '-' ]; then
+_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }')
-    set -- mattermost "$@"
+if [ "$_1" = '-' ]; then
+  set -- mattermost "$@"
 fi
 
 if [ "$1" = 'mattermost' ]; then
   # Check CLI args for a -config option
-  for ARG in $@;
+  for ARG in "$@"; do
-  do
+    case "$ARG" in
-      case "$ARG" in
+    -config=*) MM_CONFIG=${ARG#*=} ;;
-          -config=*)
+    esac
-              MM_CONFIG=${ARG#*=};;
-      esac
   done
 
   if [ ! -f "$MM_CONFIG" ]; then
     # If there is no configuration file, create it with some default values
-    echo "No configuration file" $MM_CONFIG
+    echo "No configuration file $MM_CONFIG"
     echo "Creating a new one"
     # Copy default configuration file
     cp /config.json.save "$MM_CONFIG"
     # Substitute some parameters with jq
-    jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
   else
     echo "Using existing config file $MM_CONFIG"
   fi
 
   # Configure database access
-  if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
+  if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
-  then
+    echo "Configure database connection..."
-    echo -ne "Configure database connection..."
     # URLEncode the password, allowing for special characters
-    ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
+    ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
-    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
+    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
     echo "OK"
   else
     echo "Using existing database connection"

db/entrypoint.sh

@@ -5,7 +5,7 @@ export WAL_LEVEL=${WAL_LEVEL:-minimal}
 export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
 export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
 
-function update_conf () {
+function update_conf() {
   wal=$1
   # PGDATA is defined in upstream postgres dockerfile
   config_file=$PGDATA/postgresql.conf
@@ -23,11 +23,11 @@ function update_conf () {
   sed -i "s/archive_command =.*$//g" $config_file
 
   # Configure wal-e
-  if [ "$wal" = true ] ; then
+  if [ "$wal" = true ]; then
     /docker-entrypoint-initdb.d/setup-wale.sh
   fi
-  echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
+  echo "log_timezone = $DEFAULT_TIMEZONE" >>$config_file
-  echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
+  echo "timezone = $DEFAULT_TIMEZONE" >>$config_file
 }
 
 if [ "${1:0:1}" = '-' ]; then
@@ -46,7 +46,7 @@ if [ "$1" = 'postgres' ]; then
   done
 
   # Setup wal-e env variables
-  if [ "$wal_enable" = true ] ; then
+  if [ "$wal_enable" = true ]; then
     for v in ${VARS[@]}; do
       export $v="${!v}"
     done

db/setup-wale.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # wal-e specific configuration
-echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
+echo "wal_level = $WAL_LEVEL" >>$PGDATA/postgresql.conf
-echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
+echo "archive_mode = $ARCHIVE_MODE" >>$PGDATA/postgresql.conf
-echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
+echo "archive_command = '/usr/bin/wal-e wal-push %p'" >>$PGDATA/postgresql.conf
-echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf
+echo "archive_timeout = $ARCHIVE_TIMEOUT" >>$PGDATA/postgresql.conf

docker-compose.yml

@@ -27,6 +27,7 @@ services:
       #   - edition=team
       #   - PUID=1000
       #   - PGID=1000
+      #   - MM_VERSION=5.31
     restart: unless-stopped
     volumes:
       - ./volumes/app/mattermost/config:/mattermost/config:rw
@@ -54,11 +55,13 @@ services:
   web:
     build: web
     ports:
-      - "80:80"
+      - "80:8080"
-      - "443:443"
+      - "443:8443"
     read_only: true
     restart: unless-stopped
     volumes:
       # This directory must have cert files if you want to enable SSL
       - ./volumes/web/cert:/cert:ro
       - /etc/localtime:/etc/localtime:ro
+    cap_drop:
+      - ALL

web/Dockerfile

@@ -1,17 +1,38 @@
-FROM nginx:mainline-alpine
+FROM nginxinc/nginx-unprivileged:mainline-alpine
+
+USER root
 
 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf \
     && apk add --no-cache curl
 
 COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
-COPY ./security.conf /etc/nginx/conf.d/
 
 # Add and setup entrypoint
 COPY entrypoint.sh /
 
+RUN chown -R nginx:nginx /etc/nginx/sites-available && \
+         chown -R nginx:nginx /var/cache/nginx && \
+         chown -R nginx:nginx /var/log/nginx && \
+         chown -R nginx:nginx /etc/nginx/conf.d && \
+         chown nginx:nginx entrypoint.sh
+RUN touch /var/run/nginx.pid && \
+         chown -R nginx:nginx /var/run/nginx.pid
+
+COPY ./security.conf /etc/nginx/conf.d/
+
+RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
+
+RUN chmod u+x /entrypoint.sh
+
+RUN sed -i "/^http {/a \    proxy_buffering off;\n" /etc/nginx/nginx.conf
+RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
+    && sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
+
+USER nginx
+
 #Healthcheck to make sure container is ready
-HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
+HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1
 
 ENTRYPOINT ["/entrypoint.sh"]
 

web/mattermost

@@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }
 
 server {
-    listen 80;
+    listen 8080;
 
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;

web/mattermost-ssl

@@ -1,5 +1,5 @@
 server {
-    listen 80 default_server;
+    listen 8080 default_server;
     server_name _;
     return 301 https://$host$request_uri;
 }
@@ -10,7 +10,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 8443 ssl http2;
 
     ssl_certificate /cert/cert.pem;
     ssl_certificate_key /cert/key-no-password.pem;