Change nginx container to unprivileged (#525)

* Update README.md

* Update README.md

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

* Update README.md

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

* Update README.md

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

Co-authored-by: Carrie Warner (Mattermost) <74422101+cwarnermm@users.noreply.github.com>

MAINTENANCE.md

@@ -20,7 +20,7 @@ The following people help to maintain this open source project:
 |:--------------------------------------|:--------------|
 | Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018   |
 
-In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
+In case something happens where no maintainers are able to complete their responsibilities, the following sponsoring organization can help find a new maintainer:
 
 | Sponsoring Organization        | Start Date    |
 |:-------------------------------|:--------------|

README.md

@@ -1,6 +1,12 @@
 # Production Docker deployment for Mattermost
 
-This project enables deployment of a Mattermost server in a multi-node production configuration using Docker.
+## WARNING:
+
+The current state of this repository doesn't work out-of-the box since Mattermost server v5.31+ requires PostgreSQL versions of 10 or higher.
+
+We're actively working on a fix to this repository. Until then, please refer to these upgrade instructions: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
+
+This project enables a deployment of a Mattermost server in a multi-node production configuration using Docker.
 
 [![Build Status](https://travis-ci.org/mattermost/mattermost-docker.svg?branch=master)](https://travis-ci.org/mattermost/mattermost-docker)
 
@@ -196,7 +202,7 @@ docker-compose build app
 docker-compose run app -upgrade_db_30
 docker-compose up -d
 ```
-See the [offical Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
+See the [official Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
 
 ## Installation using Docker Swarm Mode
 

app/Dockerfile

@@ -2,7 +2,6 @@ FROM alpine:3.10
 
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
-ENV MM_VERSION=5.30.1
 ENV MM_INSTALL_TYPE=docker
 
 # Build argument to set Mattermost edition
@@ -10,6 +9,7 @@ ARG edition=enterprise
 ARG PUID=2000
 ARG PGID=2000
 ARG MM_BINARY=
+ARG MM_VERSION=5.31.0
 
 
 # Install some needed packages

app/entrypoint.sh

@@ -2,7 +2,7 @@
 
 # Function to generate a random salt
 generate_salt() {
-	tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
+  tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 48 | head -n 1
 }
 
 # Read environment variables or set default values
@@ -21,7 +21,7 @@ DB_USE_SSL=${DB_USE_SSL:-disable}
 MM_DBNAME=${MM_DBNAME:-mattermost}
 MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
 
-_1=$(echo "$1" | awk  '{ s=substr($0, 0, 1); print s; }' )
+_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }')
 if [ "$_1" = '-' ]; then
   set -- mattermost "$@"
 fi
@@ -30,7 +30,7 @@ if [ "$1" = 'mattermost' ]; then
   # Check CLI args for a -config option
   for ARG in "$@"; do
     case "$ARG" in
-			-config=*) MM_CONFIG=${ARG#*=};;
+    -config=*) MM_CONFIG=${ARG#*=} ;;
     esac
   done
 
@@ -41,22 +41,22 @@ if [ "$1" = 'mattermost' ]; then
     # Copy default configuration file
     cp /config.json.save "$MM_CONFIG"
     # Substitute some parameters with jq
-		jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
   else
     echo "Using existing config file $MM_CONFIG"
   fi

db/entrypoint.sh

@@ -5,7 +5,7 @@ export WAL_LEVEL=${WAL_LEVEL:-minimal}
 export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
 export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
 
-function update_conf () {
+function update_conf() {
   wal=$1
   # PGDATA is defined in upstream postgres dockerfile
   config_file=$PGDATA/postgresql.conf
@@ -23,11 +23,11 @@ function update_conf () {
   sed -i "s/archive_command =.*$//g" $config_file
 
   # Configure wal-e
-  if [ "$wal" = true ] ; then
+  if [ "$wal" = true ]; then
     /docker-entrypoint-initdb.d/setup-wale.sh
   fi
-  echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
-  echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
+  echo "log_timezone = $DEFAULT_TIMEZONE" >>$config_file
+  echo "timezone = $DEFAULT_TIMEZONE" >>$config_file
 }
 
 if [ "${1:0:1}" = '-' ]; then
@@ -46,7 +46,7 @@ if [ "$1" = 'postgres' ]; then
   done
 
   # Setup wal-e env variables
-  if [ "$wal_enable" = true ] ; then
+  if [ "$wal_enable" = true ]; then
     for v in ${VARS[@]}; do
       export $v="${!v}"
     done

db/setup-wale.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # wal-e specific configuration
-echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
-echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
-echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
-echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf
+echo "wal_level = $WAL_LEVEL" >>$PGDATA/postgresql.conf
+echo "archive_mode = $ARCHIVE_MODE" >>$PGDATA/postgresql.conf
+echo "archive_command = '/usr/bin/wal-e wal-push %p'" >>$PGDATA/postgresql.conf
+echo "archive_timeout = $ARCHIVE_TIMEOUT" >>$PGDATA/postgresql.conf

docker-compose.yml

@@ -27,6 +27,7 @@ services:
       #   - edition=team
       #   - PUID=1000
       #   - PGID=1000
+      #   - MM_VERSION=5.31
     restart: unless-stopped
     volumes:
       - ./volumes/app/mattermost/config:/mattermost/config:rw
@@ -54,11 +55,13 @@ services:
   web:
     build: web
     ports:
-      - "80:80"
-      - "443:443"
+      - "80:8080"
+      - "443:8443"
     read_only: true
     restart: unless-stopped
     volumes:
       # This directory must have cert files if you want to enable SSL
       - ./volumes/web/cert:/cert:ro
       - /etc/localtime:/etc/localtime:ro
+    cap_drop:
+      - ALL

web/Dockerfile

@@ -1,17 +1,38 @@
-FROM nginx:mainline-alpine
+FROM nginxinc/nginx-unprivileged:mainline-alpine
+
+USER root
 
 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf \
     && apk add --no-cache curl
 
 COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
-COPY ./security.conf /etc/nginx/conf.d/
 
 # Add and setup entrypoint
 COPY entrypoint.sh /
 
+RUN chown -R nginx:nginx /etc/nginx/sites-available && \
+         chown -R nginx:nginx /var/cache/nginx && \
+         chown -R nginx:nginx /var/log/nginx && \
+         chown -R nginx:nginx /etc/nginx/conf.d && \
+         chown nginx:nginx entrypoint.sh
+RUN touch /var/run/nginx.pid && \
+         chown -R nginx:nginx /var/run/nginx.pid
+
+COPY ./security.conf /etc/nginx/conf.d/
+
+RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
+
+RUN chmod u+x /entrypoint.sh
+
+RUN sed -i "/^http {/a \    proxy_buffering off;\n" /etc/nginx/nginx.conf
+RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
+    && sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
+
+USER nginx
+
 #Healthcheck to make sure container is ready
-HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
+HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1
 
 ENTRYPOINT ["/entrypoint.sh"]
 

web/mattermost

@@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }
 
 server {
-    listen 80;
+    listen 8080;
 
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;

web/mattermost-ssl

@@ -1,5 +1,5 @@
 server {
-    listen 80 default_server;
+    listen 8080 default_server;
     server_name _;
     return 301 https://$host$request_uri;
 }
@@ -10,7 +10,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 8443 ssl http2;
 
     ssl_certificate /cert/cert.pem;
     ssl_certificate_key /cert/key-no-password.pem;