.travis.yml

@@ -1,3 +1,5 @@
+sudo: required
+
 services:
     - docker
 

MAINTENANCE.md

@@ -20,7 +20,7 @@ The following people help to maintain this open source project:
 |:--------------------------------------|:--------------|
 | Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018   |
 
-In case something happens where no maintainers are able to complete their responsibilities, the following sponsoring organization can help find a new maintainer:
+In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
 
 | Sponsoring Organization        | Start Date    |
 |:-------------------------------|:--------------|

README.md

@@ -1,12 +1,6 @@
 # Production Docker deployment for Mattermost
 
-## WARNING:
-
-The current state of this repository doesn't work out-of-the box since Mattermost server v5.31+ requires PostgreSQL versions of 10 or higher.
-
-We're actively working on a fix to this repository. Until then, please refer to these upgrade instructions: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
-
-This project enables a deployment of a Mattermost server in a multi-node production configuration using Docker.
+This project enables deployment of a Mattermost server in a multi-node production configuration using Docker.
 
 [![Build Status](https://travis-ci.org/mattermost/mattermost-docker.svg?branch=master)](https://travis-ci.org/mattermost/mattermost-docker)
 
@@ -73,13 +67,6 @@ If your database use some custom host and port, it is also possible to configure
 * `DB_HOST`: database host address
 * `DB_PORT_NUMBER`: database port
 
-Use this optional variable if your PostgreSQL connection requires encryption (you may need a certificate authority file and/or a certificate revocation list - check the documentation for your database provider).  See the [PostgreSQL notes on encrypted connections](https://www.postgresql.org/docs/current/libpq-ssl.html) for recommendations on what values to use when encryption is needed.
-* `DB_SSLMODE`: defaults to `disable`, indicating no encryption
-
-PostgreSQL allows two other variables `sslrootcert` and `sslcrl` for connection strings.  However these are not broadly supported when the connection string is specified as a URI. If you need these parameters, use the PostgreSQL-specified environment variables
-* `PGSSLROOTCERT` specifies the location of CA file
-* `PGSSLCRL` specifies the location of a certificate revocation list file
-
 If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) :
 * `MM_CONFIG`: configuration file location inside the container.
 
@@ -202,7 +189,7 @@ docker-compose build app
 docker-compose run app -upgrade_db_30
 docker-compose up -d
 ```
-See the [official Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
+See the [offical Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
 
 ## Installation using Docker Swarm Mode
 

app/Dockerfile

@@ -2,14 +2,13 @@ FROM alpine:3.10
 
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
-ENV MM_INSTALL_TYPE=docker
+ENV MM_VERSION=5.24.0
 
 # Build argument to set Mattermost edition
 ARG edition=enterprise
 ARG PUID=2000
 ARG PGID=2000
 ARG MM_BINARY=
-ARG MM_VERSION=5.31.0
 
 
 # Install some needed packages
@@ -19,7 +18,7 @@ RUN apk add --no-cache \
 	jq \
 	libc6-compat \
 	libffi-dev \
-	libcap \
+    libcap \
 	linux-headers \
 	mailcap \
 	netcat-openbsd \
@@ -29,15 +28,15 @@ RUN apk add --no-cache \
 
 # Get Mattermost
 RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
-	&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
-		elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
-		else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
-	&& cp /mattermost/config/config.json /config.json.save \
-	&& rm -rf /mattermost/config/config.json \
-	&& addgroup -g ${PGID} mattermost \
-	&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
-	&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
-	&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
+    && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
+      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
+      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
+    && cp /mattermost/config/config.json /config.json.save \
+    && rm -rf /mattermost/config/config.json \
+    && addgroup -g ${PGID} mattermost \
+    && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
+    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
+    && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
 
 USER mattermost
 

app/entrypoint.sh

@@ -2,72 +2,65 @@
 
 # Function to generate a random salt
 generate_salt() {
-  tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 48 | head -n 1
+  tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
 }
 
 # Read environment variables or set default values
 DB_HOST=${DB_HOST:-db}
 DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
-# see https://www.postgresql.org/docs/current/libpq-ssl.html
-# for usage when database connection requires encryption
-# filenames should be escaped if they contain spaces
-#  i.e. $(printf %s ${MY_ENV_VAR:-''}  | jq -s -R -r @uri)
-# the location of the CA file can be set using environment var PGSSLROOTCERT
-# the location of the CRL file can be set using PGSSLCRL
-# The URL syntax for connection string does not support the parameters
-# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
-# to set names if using a location other than default
-DB_USE_SSL=${DB_USE_SSL:-disable}
 MM_DBNAME=${MM_DBNAME:-mattermost}
 MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
 
-_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }')
-if [ "$_1" = '-' ]; then
-  set -- mattermost "$@"
+if [ "${1:0:1}" = '-' ]; then
+    set -- mattermost "$@"
 fi
 
 if [ "$1" = 'mattermost' ]; then
   # Check CLI args for a -config option
-  for ARG in "$@"; do
-    case "$ARG" in
-    -config=*) MM_CONFIG=${ARG#*=} ;;
-    esac
+  for ARG in $@;
+  do
+      case "$ARG" in
+          -config=*)
+              MM_CONFIG=${ARG#*=};;
+      esac
   done
 
-  if [ ! -f "$MM_CONFIG" ]; then
+  if [ ! -f $MM_CONFIG ]
+  then
     # If there is no configuration file, create it with some default values
-    echo "No configuration file $MM_CONFIG"
+    echo "No configuration file" $MM_CONFIG
     echo "Creating a new one"
     # Copy default configuration file
-    cp /config.json.save "$MM_CONFIG"
-    # Substitute some parameters with jq
-    jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-    jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    cp /config.json.save $MM_CONFIG
+    # Substitue some parameters with jq
+    jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
   else
-    echo "Using existing config file $MM_CONFIG"
+    echo "Using existing config file" $MM_CONFIG
   fi
 
   # Configure database access
-  if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
-    echo "Configure database connection..."
+  if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
+  then
+    echo -ne "Configure database connection..."
     # URLEncode the password, allowing for special characters
-    ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
-    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
-    echo "OK"
+    ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
+    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
+    echo OK
   else
     echo "Using existing database connection"
   fi

db/entrypoint.sh

@@ -5,7 +5,7 @@ export WAL_LEVEL=${WAL_LEVEL:-minimal}
 export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
 export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
 
-function update_conf() {
+function update_conf () {
   wal=$1
   # PGDATA is defined in upstream postgres dockerfile
   config_file=$PGDATA/postgresql.conf
@@ -23,11 +23,11 @@ function update_conf() {
   sed -i "s/archive_command =.*$//g" $config_file
 
   # Configure wal-e
-  if [ "$wal" = true ]; then
+  if [ "$wal" = true ] ; then
     /docker-entrypoint-initdb.d/setup-wale.sh
   fi
-  echo "log_timezone = $DEFAULT_TIMEZONE" >>$config_file
-  echo "timezone = $DEFAULT_TIMEZONE" >>$config_file
+  echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
+  echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
 }
 
 if [ "${1:0:1}" = '-' ]; then
@@ -46,7 +46,7 @@ if [ "$1" = 'postgres' ]; then
   done
 
   # Setup wal-e env variables
-  if [ "$wal_enable" = true ]; then
+  if [ "$wal_enable" = true ] ; then
     for v in ${VARS[@]}; do
       export $v="${!v}"
     done

db/setup-wale.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # wal-e specific configuration
-echo "wal_level = $WAL_LEVEL" >>$PGDATA/postgresql.conf
-echo "archive_mode = $ARCHIVE_MODE" >>$PGDATA/postgresql.conf
-echo "archive_command = '/usr/bin/wal-e wal-push %p'" >>$PGDATA/postgresql.conf
-echo "archive_timeout = $ARCHIVE_TIMEOUT" >>$PGDATA/postgresql.conf
+echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
+echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
+echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
+echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf

docker-compose.yml

@@ -27,7 +27,6 @@ services:
       #   - edition=team
       #   - PUID=1000
       #   - PGID=1000
-      #   - MM_VERSION=5.31
     restart: unless-stopped
     volumes:
       - ./volumes/app/mattermost/config:/mattermost/config:rw
@@ -55,13 +54,11 @@ services:
   web:
     build: web
     ports:
-      - "80:8080"
-      - "443:8443"
+      - "80:80"
+      - "443:443"
     read_only: true
     restart: unless-stopped
     volumes:
       # This directory must have cert files if you want to enable SSL
       - ./volumes/web/cert:/cert:ro
       - /etc/localtime:/etc/localtime:ro
-    cap_drop:
-      - ALL

web/Dockerfile

@@ -1,38 +1,17 @@
-FROM nginxinc/nginx-unprivileged:mainline-alpine
-
-USER root
+FROM nginx:mainline-alpine
 
 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf \
     && apk add --no-cache curl
 
 COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
+COPY ./security.conf /etc/nginx/conf.d/
 
 # Add and setup entrypoint
 COPY entrypoint.sh /
 
-RUN chown -R nginx:nginx /etc/nginx/sites-available && \
-         chown -R nginx:nginx /var/cache/nginx && \
-         chown -R nginx:nginx /var/log/nginx && \
-         chown -R nginx:nginx /etc/nginx/conf.d && \
-         chown nginx:nginx entrypoint.sh
-RUN touch /var/run/nginx.pid && \
-         chown -R nginx:nginx /var/run/nginx.pid
-
-COPY ./security.conf /etc/nginx/conf.d/
-
-RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
-
-RUN chmod u+x /entrypoint.sh
-
-RUN sed -i "/^http {/a \    proxy_buffering off;\n" /etc/nginx/nginx.conf
-RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
-    && sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
-
-USER nginx
-
 #Healthcheck to make sure container is ready
-HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1
+HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
 
 ENTRYPOINT ["/entrypoint.sh"]
 

web/entrypoint.sh

@@ -11,7 +11,7 @@ if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then
 else
   echo "linking plain config"
 fi
-# Ensure that the configuration file is not present before linking.
+# Ensure that the configuration file is not present before linking. 
 test -w /etc/nginx/conf.d/mattermost.conf && rm /etc/nginx/conf.d/mattermost.conf
 # Linking Nginx configuration file
 ln -s -f /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf

web/mattermost

@@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }
 
 server {
-    listen 8080;
+    listen 80;
 
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;

web/mattermost-ssl

@@ -1,7 +1,7 @@
 server {
-    listen 8080 default_server;
-    server_name _;
-    return 301 https://$host$request_uri;
+	listen 80 default_server;
+	server_name _;
+	return 301 https://$host$request_uri;
 }
 
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
@@ -10,16 +10,14 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 }
 
 server {
-    listen 8443 ssl http2;
+    listen 443 ssl http2;
 
     ssl_certificate /cert/cert.pem;
     ssl_certificate_key /cert/key-no-password.pem;
     ssl_session_timeout 5m;
-    ssl_protocols TLSv1.2 TLSv1.3;
-    # Please update the ciphers in this file every 6 months.
-    # https://ssl-config.mozilla.org/
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
+    ssl_prefer_server_ciphers on;
 
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;
@@ -35,7 +33,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
+	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 
     location / {
@@ -52,7 +50,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
+	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 }