From a0e812395fc1f64d86779c1b230c190bfc691196 Mon Sep 17 00:00:00 2001 From: kolaente Date: Sun, 25 Feb 2024 22:49:04 +0100 Subject: [PATCH] feat(docker)!: use scratch as base image This change modifies the docker image so that it uses the scratch image instead of alpine. This is possible because the Vikunja binary is now entirely statically compiled, wich no dependencies on any system c libraries. This also changes the default path for the sqlite file in the docker image (breaking). When using sqlite in docker, the VIKUNJA_DATABASE_PATH config variable or the file mount must be changed to prevent data loss. --- .dockerignore | 1 + Dockerfile | 16 ++----- .../doc/setup/docker-start-to-finish.md | 13 ++++- docs/content/doc/setup/full-docker-example.md | 48 +++++++++++++++++-- docs/content/doc/setup/install.md | 21 ++++---- 5 files changed, 71 insertions(+), 28 deletions(-) diff --git a/.dockerignore b/.dockerignore index fe8d3f15d..2b0c10394 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,6 +1,7 @@ files/ dist/ logs/ +docs/ Dockerfile docker-manifest.tmpl diff --git a/Dockerfile b/Dockerfile index 7641d1c34..394aac94c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,22 +33,14 @@ RUN export PATH=$PATH:$GOPATH/bin && \ # ┘└┘┘─┘┘└┘┘└┘┴─┘┘└┘ # The actual image -# Note: I wanted to use the scratch image here, but unfortunatly the go-sqlite bindings require cgo and -# because of this, the container would not start when I compiled the image without cgo. -FROM alpine:3.19 AS runner +FROM scratch LABEL maintainer="maintainers@vikunja.io" WORKDIR /app/vikunja -ENTRYPOINT [ "/sbin/tini", "-g", "--", "/entrypoint.sh" ] +ENTRYPOINT [ "/app/vikunja/vikunja" ] EXPOSE 3456 +USER 1000 ENV VIKUNJA_SERVICE_ROOTPATH=/app/vikunja/ -ENV PUID 1000 -ENV PGID 1000 - -RUN apk --update --no-cache add tzdata tini shadow && \ - addgroup vikunja && \ - adduser -s /bin/sh -D -G vikunja vikunja -h /app/vikunja -H -COPY docker/entrypoint.sh /entrypoint.sh -RUN chmod 0755 /entrypoint.sh && mkdir files +ENV VIKUNJA_DATABASE_PATH=/db/vikunja.db COPY --from=apibuilder /build/vikunja-* vikunja diff --git a/docs/content/doc/setup/docker-start-to-finish.md b/docs/content/doc/setup/docker-start-to-finish.md index be83a33f1..d1fb30ac9 100644 --- a/docs/content/doc/setup/docker-start-to-finish.md +++ b/docs/content/doc/setup/docker-start-to-finish.md @@ -27,7 +27,6 @@ Create a directory for the project where all data and the compose file will live Create a `docker-compose.yml` file with the following contents in your directory: - ```yaml version: '3' @@ -80,6 +79,18 @@ The number before the colon is the host port - This is where you can reach vikun You'll need to change the value of the `VIKUNJA_SERVICE_PUBLICURL` environment variable to the public port or hostname where Vikunja is reachable. +## Ensure adequate file permissions + +Vikunja runs as user `1000` and no group by default. + +To be able to upload task attachments or change the background of project, Vikunja must be able to write into the `files` directory. +To do this, create the folder and chown it before starting the stack: + +``` +mkdir $PWD/files +chown 1000 $PWD/files +``` + ## Run it Run `sudo docker-compose up` in your directory and take a look at the output you get. diff --git a/docs/content/doc/setup/full-docker-example.md b/docs/content/doc/setup/full-docker-example.md index 2b50c5f0a..e7ecb037d 100644 --- a/docs/content/doc/setup/full-docker-example.md +++ b/docs/content/doc/setup/full-docker-example.md @@ -15,8 +15,6 @@ It uses a proxy configuration to make it available under a domain. For all available configuration options, see [configuration]({{< ref "config.md">}}). -Once deployed, you might want to change the [`PUID` and `GUID` settings]({{< ref "install.md">}}#setting-user-and-group-id-of-the-user-running-vikunja) or [set the time zone]({{< ref "config.md">}}#timezone). - After registering all your users, you might also want to [disable the user registration]({{}}#enableregistration).
@@ -27,6 +25,23 @@ All examples on this page already reflect this and do not require additional wor {{< table_of_contents >}} +## File permissions + +Vikunja runs as user `1000` and no group by default. +You can use Docker's [`--user`](https://docs.docker.com/engine/reference/run/#user) flag to change that. + +You must ensure Vikunja is able to write into the `files` directory. +To do this, create the folder and chown it before starting the stack: + +``` +mkdir $PWD/files +chown 1000 $PWD/files +``` + +You'll need to do this before running any of the examples on this page. + +Vikunja will not try to aquire ownership of the files folder, as that would mean it had to run as root. + ## PostgreSQL Vikunja supports postgres, mysql and sqlite as a database backend. The examples on this page use mysql with a mariadb container. @@ -78,6 +93,13 @@ You'll also need to remove or change the `VIKUNJA_DATABASE_TYPE` to `sqlite` on You can also remove the db section. +To run the container, you need to create the directories first and make sure they have all required permissions: + +``` +mkdir $PWD/files $PWD/db +chown 1000 $PWD/files $PWD/db +``` +
NOTE: If you'll use your instance with more than a handful of users, we recommend using mysql or postgres.
@@ -91,6 +113,11 @@ If you want to make Vikunja available on a domain or need tls termination, check Note that you need to change the [`VIKUNJA_SERVICE_PUBLICURL`]({{< ref "config.md" >}}#publicurl) environment variable to the public ip or hostname including the port (the docker host you're running this on) is reachable at, prefixed with `http://`. Because the browser you'll use to access the Vikunja frontend uses that url to make the requests, it has to be able to reach it from the outside. +
+NOTE: You must ensure Vikunja has write permissions on the `files` directory before starting the stack. +To do this, check out the related commands here. +
+ ```yaml version: '3' @@ -140,6 +167,11 @@ We also make a few assumptions here which you'll most likely need to adjust for * The entrypoint you want to make vikunja available from is called `https` * The tls cert resolver is called `acme` +
+NOTE: You must ensure Vikunja has write permissions on the `files` directory before starting the stack. +To do this, check out the related commands here. +
+ ```yaml version: '3' @@ -203,6 +235,11 @@ vikunja.example.com { Note that you need to change the [`VIKUNJA_SERVICE_PUBLICURL`]({{< ref "config.md" >}}#publicurl) environment variable to the ip (the docker host you're running this on) is reachable at. Because the browser you'll use to access the Vikunja frontend uses that url to make the requests, it has to be able to reach that ip + port from the outside. +
+NOTE: You must ensure Vikunja has write permissions on the `files` directory before starting the stack. +To do this, check out the related commands here. +
+ Docker Compose config: ```yaml @@ -286,10 +323,13 @@ The docker-compose file we're going to use is exactly the same from the [example You may want to change the volumes to match the rest of your setup. -Once deployed, you might want to change the [`PUID` and `GUID` settings]({{< ref "install.md">}}#setting-user-and-group-id-of-the-user-running-vikunja) or [set the time zone]({{< ref "config.md">}}#timezone). - After registering all your users, you might also want to [disable the user registration]({{}}#enableregistration). +
+NOTE: You must ensure Vikunja has write permissions on the `files` directory before starting the stack. +To do this, check out the related commands here. +
+ ## Redis While Vikunja has support to use redis as a caching backend, you'll probably not need it unless you're using Vikunja with more than a handful of users. diff --git a/docs/content/doc/setup/install.md b/docs/content/doc/setup/install.md index eda57b58d..1fb559658 100644 --- a/docs/content/doc/setup/install.md +++ b/docs/content/doc/setup/install.md @@ -140,17 +140,23 @@ It will automatically run all necessary database migrations. To get up and running quickly, use this command: ``` -touch vikunja.db -docker run -p 3456:3456 -v $PWD/files:/app/vikunja/files -v $PWD/vikunja.db:/app/vikunja/vikunja.db vikunja/vikunja +mkdir $PWD/files $PWD/db +chown 1000 $PWD/files $PWD/db +docker run -p 3456:3456 -v $PWD/files:/app/vikunja/files -v $PWD/db:/db vikunja/vikunja ``` This will expose vikunja on port `3456` on the host running the container and use sqlite as database backend. +**Note**: The container runs as the user `1000` and no group by default. +You can use Docker's [`--user`](https://docs.docker.com/engine/reference/run/#user) flag to change that. +Make sure the new user has required permissions on the `db` and `files` folder. + You can mount a local configuration like so: ``` -touch vikunja.db -docker run -p 3456:3456 -v /path/to/config/on/host.yml:/app/vikunja/config.yml:ro -v $PWD/files:/app/vikunja/files -v $PWD/vikunja.db:/app/vikunja/vikunja.db vikunja/vikunja +mkdir $PWD/files $PWD/db +chown 1000 $PWD/files $PWD/db +docker run -p 3456:3456 -v /path/to/config/on/host.yml:/app/vikunja/config.yml:ro -v $PWD/files:/app/vikunja/files -v $PWD/db:/db vikunja/vikunja ``` Though it is recommended to use environment variables or `.env` files to configure Vikunja in docker. @@ -163,13 +169,6 @@ Check out the [docker examples]({{}}) for more adv By default, the container stores all files uploaded and used through vikunja inside of `/app/vikunja/files` which is created as a docker volume. You should mount the volume somewhere to the host to permanently store the files and don't lose them if the container restarts. -### Setting user and group id of the user running vikunja - -You can set the user and group id of the user running vikunja with the `PUID` and `PGID` environment variables. -This follows the pattern used by [the linuxserver.io](https://docs.linuxserver.io/general/understanding-puid-and-pgid) docker images. - -This is useful to solve general permission problems when host-mounting volumes such as the volume used for task attachments. - ### Docker compose Check out the [docker examples]({{}}) for more advanced configuration using docker compose.