diff --git a/config.demo/docker-compose.override.yml b/config.demo/docker-compose.override.yml
index dea191b3..b8540bb8 100644
--- a/config.demo/docker-compose.override.yml
+++ b/config.demo/docker-compose.override.yml
@@ -1,128 +1,134 @@ version: '3' services: proxy: depends_on: imap: condition: service_healthy postfix: condition: service_healthy webapp: condition: service_healthy build: context: ./docker/proxy/ healthcheck: interval: 10s test: "kill -0 $$(cat /run/nginx.pid)" timeout: 5s retries: 30 environment: - APP_WEBSITE_DOMAIN=${APP_WEBSITE_DOMAIN:?err} - SSL_CERTIFICATE=${PROXY_SSL_CERTIFICATE:?err} - SSL_CERTIFICATE_KEY=${PROXY_SSL_CERTIFICATE_KEY:?err} container_name: kolab-proxy restart: on-failure hostname: proxy image: kolab-proxy extra_hosts: - "meet:${MEET_LISTENING_HOST}" networks: kolab: ipv4_address: 172.18.0.7 tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro ports: # - "25:25" # - "80:80" - "443:443" - "465:465" - "587:587" - "143:143" - "993:993" imap: build: context: ./docker/imap/ environment: - APP_DOMAIN=${APP_DOMAIN} - IMAP_ADMIN_LOGIN=${IMAP_ADMIN_LOGIN} - IMAP_ADMIN_PASSWORD=${IMAP_ADMIN_PASSWORD} + - SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?"KOLAB_SSL_CERTIFICATE is missing"} + - SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?"KOLAB_SSL_CERTIFICATE_FULLCHAIN is missing"} + - SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?"KOLAB_SSL_CERTIFICATE_KEY is missing"} healthcheck: interval: 10s test: "kill -0 1" timeout: 5s retries: 30 container_name: kolab-imap restart: on-failure hostname: imap image: kolab-imap networks: kolab: ipv4_address: 172.18.0.12 extra_hosts: - "kolab.mgmt.com:127.0.0.1" - "services.${APP_DOMAIN}:172.18.0.4" tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro - imap-spool:/var/spool/imap - imap-lib:/var/lib/imap ports: - "11080:11080" - "11143:11143" - "11024:11024" postfix: build: context: ./docker/postfix/ healthcheck: interval: 10s test: "kill -0 1" timeout: 5s retries: 30 environment: - APP_DOMAIN=${APP_DOMAIN} - DB_HOST=mariadb - 
DB_USERNAME=${DB_USERNAME} - DB_PASSWORD=${DB_PASSWORD} - DB_DATABASE=${DB_DATABASE} - LMTP_DESTINATION="imap:11024" + - SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?"KOLAB_SSL_CERTIFICATE is missing"} + - SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?"KOLAB_SSL_CERTIFICATE_FULLCHAIN is missing"} + - SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?"KOLAB_SSL_CERTIFICATE_KEY is missing"} container_name: kolab-postfix restart: on-failure hostname: postfix image: kolab-postfix networks: kolab: ipv4_address: 172.18.0.13 extra_hosts: - "kolab.mgmt.com:127.0.0.1" - "services.${APP_DOMAIN}:172.18.0.4" tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro - postfix-spool:/var/spool/postfix - postfix-lib:/var/lib/postfix ports: - "10587:10587" - "10025:10025" volumes: postfix-spool: postfix-lib: imap-spool: imap-lib: diff --git a/docker/imap/Dockerfile b/docker/imap/Dockerfile index 375feaa1..984061fe 100644 --- a/docker/imap/Dockerfile +++ b/docker/imap/Dockerfile 
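Review bot: The three new `SSL_CERTIFICATE*` values for imap and postfix are container-side file paths, but nothing ties them to the only places certificate files are mounted (`./docker/certs/:/etc/certs/:ro` and `/etc/letsencrypt/:/etc/letsencrypt/:ro`), so a host-side path passes the `:?` check and only fails later when init.sh runs `cat`; a comment above each block such as `# Paths as seen inside the container, i.e. under /etc/certs/ or /etc/letsencrypt/` would save that round trip. The proxy service keeps its own `PROXY_SSL_CERTIFICATE`/`PROXY_SSL_CERTIFICATE_KEY` with the terse `:?err`, while imap and postfix now read `KOLAB_*` with long messages — if these are meant to be the same certificate, one variable set (or a comment on why they differ) would avoid drift between the front-end and the back-ends. The error text is wrapped in double quotes inside `${...:?"..."}`; Compose takes everything up to the closing brace as the message, so the quotes most likely appear literally, and `${KOLAB_SSL_CERTIFICATE:?KOLAB_SSL_CERTIFICATE is missing}` is enough.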
@@ -1,84 +1,79 @@ FROM almalinux:8 LABEL maintainer="contact@apheleia-it.ch" LABEL dist=centos8 LABEL tier=${TIER} ENV DISTRO=centos8 # ENV LANG=en_US.utf8 # ENV LC_ALL=en_US.utf8 # Add EPEL. RUN dnf -y install dnf-plugin-config-manager && \ dnf config-manager --set-enabled powertools && \ dnf -y install epel-release && \ dnf -y install iputils vim-enhanced bind-utils && \ dnf clean all RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 # Install kolab RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \ rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8.rpm RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \ dnf config-manager --enable kolab-16-testing &&\ dnf -y --setopt tsflags= install patch &&\ dnf clean all RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || : WORKDIR /root/ -RUN dnf -y group install "Development Tools" -RUN dnf -y builddep cyrus-imapd -RUN dnf -y install git perl-devel cyrus-sasl cyrus-sasl-plain procps-ng iputils bind-utils sudo rsyslog +RUN dnf -y group install "Development Tools"; \ + dnf -y builddep cyrus-imapd; \ + dnf -y install git perl-devel cyrus-sasl cyrus-sasl-plain procps-ng iputils bind-utils sudo RUN git clone --branch dev/mollekopf https://git.kolab.org/source/cyrus-imapd && \ cd cyrus-imapd && \ autoreconf -i && \ ./configure CFLAGS="-W -Wno-unused-parameter -g -O0 -Wall -Wextra -Werror -fPIC" --enable-murder --enable-http --enable-calalarmd --enable-autocreate --enable-idled --with-openssl=yes --enable-replication --prefix=/usr && \ make -j6 && \ make install COPY cyrus.conf /etc/cyrus.conf COPY imapd.conf /etc/imapd.conf COPY imapd.annotations.conf /etc/imapd.annotations.conf COPY saslauthd.conf /etc/saslauthd.conf -COPY rsyslog.conf /etc/rsyslog.conf -ADD kolab.hosted.com.cert /etc/pki/tls/certs/kolab.hosted.com.cert -ADD kolab.hosted.com.chain.pem /etc/pki/tls/certs/kolab.hosted.com.chain.pem -ADD kolab.hosted.com.key 
/etc/pki/tls/certs/kolab.hosted.com.key ADD init.sh /init.sh -RUN mkdir -p /etc/pki/cyrus-imapd/ && cat /etc/pki/tls/certs/kolab.hosted.com.cert /etc/pki/tls/certs/kolab.hosted.com.chain.pem /etc/pki/tls/certs/kolab.hosted.com.key > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem && \ - chown 1001:0 /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem - # RUN chgrp -R 0 /opt/app-root/src && \ # chmod -R g=u /opt/app-root/src RUN mkdir -p /run/saslauthd && \ chmod 777 /run/saslauthd && \ chmod -R 777 /run && \ mkdir -p /var/run && \ chmod -R 777 /var/run && \ mkdir -p /var/lib/imap && \ chmod 777 /var/lib/imap && \ mkdir -p /var/spool/imap && \ - chmod 777 /var/spool/imap + chmod 777 /var/spool/imap && \ + mkdir -p /etc/pki/cyrus-imapd/ && \ + chmod 777 /etc/pki/cyrus-imapd/ VOLUME [ "/var/spool/imap" ] VOLUME [ "/var/lib/imap" ] -RUN chown -R 1001:0 /etc /var/lib/imap /var/spool/imap /var/run /run && \ - chmod -R g=u /etc /var/lib/imap /var/spool/imap /var/run /run +RUN chown -R 1001:0 /etc /var/lib/imap /var/spool/imap /var/run /run /etc/pki/cyrus-imapd/ && \ + chmod -R g=u /etc /var/lib/imap /var/spool/imap /var/run /run /etc/pki/cyrus-imapd/ RUN echo 'default ALL=NOPASSWD: ALL' >> /etc/sudoers && \ chown root:root /etc/sudoers /etc/sudo.conf /etc/sudoers.d RUN id default || (groupadd -g 1001 default && useradd -d /opt/app-root/ -u 1001 -g 1001 default) USER 1001 CMD ["/init.sh"] EXPOSE 11143/tcp 11993/tcp 11080/tcp 11443/tcp 11024/tcp diff --git a/docker/imap/init.sh b/docker/imap/init.sh index 5573020c..2bebc44a 100755 --- a/docker/imap/init.sh +++ b/docker/imap/init.sh 
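Review bot: The new combined `RUN dnf -y group install "Development Tools"; dnf -y builddep cyrus-imapd; dnf -y install ...` chains the three dnf calls with `;`, so a failure of the group install or of `builddep` no longer fails the image build (a RUN's status is that of its last command) — the three separate RUN lines it replaces did catch that; join them with `&& \` as every other RUN in this file does. The added `chmod 777 /etc/pki/cyrus-imapd/` makes the directory that will receive the runtime key bundle world-writable, while the later `chown -R 1001:0 ... /etc/pki/cyrus-imapd/ && chmod -R g=u ...` (and the recursive chown of `/etc` on the same line) already gives the container user and group 0 what they need, so `chmod 770` is sufficient there. Since `rsyslog` is dropped from the package list, a one-line comment noting that Cyrus now logs without a local syslog daemon would help whoever next reads the still commented-out `sudo rsyslogd` in init.sh.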
@@ -1,29 +1,31 @@ #!/bin/bash sed -i -r \ -e "s|IMAP_ADMIN_LOGIN|$IMAP_ADMIN_LOGIN|g" \ -e "s|IMAP_ADMIN_PASSWORD|$IMAP_ADMIN_PASSWORD|g" \ /etc/imapd.conf sed -i -r \ -e "s|APP_DOMAIN|$APP_DOMAIN|g" \ /etc/saslauthd.conf +cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem +chown 1001:0 /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /usr/sbin/saslauthd -m /run/saslauthd -a httpform -d & # Can't run as user because of /dev/ permissions so far. # Cyrus imap only logs to /dev/log, no way around it it seems. # sudo rsyslogd # Cyrus needs an entry in /etc/passwd. THe alternative would be perhaps the nss_wrapper # https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines # FIXME: This probably currently just works because we make /etc/ writable, which I suppose we shouldn't. ID=$(id -u) GID=$(id -g) echo "$ID:x:$ID:$GID::/opt/app-root/:/bin/bash" > /etc/passwd exec env CYRUS_VERBOSE=2 CYRUS_USER="$ID" /usr/libexec/master -D -p /var/run/master.pid -M /etc/cyrus.conf -C /etc/imapd.conf diff --git a/docker/imap/rsyslog.conf b/docker/imap/rsyslog.conf deleted file mode 100644 index 679e8445..00000000 --- a/docker/imap/rsyslog.conf +++ /dev/null 
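Review bot: The new `cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem` writes the private key into a file created with the process umask and never tightens its mode, and a missing or mistyped path leaves a truncated bundle while the script carries on to `exec ... /usr/libexec/master` (there is no `set -e`). Quote the expansions, fail on error and restrict the mode: `cat "${SSL_CERTIFICATE}" "${SSL_CERTIFICATE_FULLCHAIN}" "${SSL_CERTIFICATE_KEY}" > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem || exit 1`, then after the existing chown `chmod 640 /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem`. If the FULLCHAIN file already includes the leaf certificate (a Let's Encrypt `fullchain.pem` does), the leaf ends up in the bundle twice — presumably harmless for Cyrus, but worth confirming or dropping `${SSL_CERTIFICATE}` from the cat.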
@@ -1,20 +0,0 @@ -module(load="imuxsock" # provides support for local system logging (e.g. via logger command) - SysSock.Use="on" - ) # Turn off message reception via local log socket; -module(load="omstdout") -action(type="omstdout") -# action(type="omfwd" Target="127.0.0.1" Port="5140" Protocol="tcp") - # local messages are retrieved through imjournal now. -# Where to place auxiliary files -global(workDirectory="/var/lib/rsyslog") - -# Use default timestamp format -module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") - -# Include all config files in /etc/rsyslog.d/ -include(file="/etc/rsyslog.d/*.conf" mode="optional") - -# Log anything (except mail) of level info or higher. -# Don't log private authentication messages! -*.info;mail.none;authpriv.none;cron.none /var/log/messages - diff --git a/docker/postfix/rootfs/init.sh b/docker/postfix/rootfs/init.sh index 69f7918b..2b3129aa 100755 --- a/docker/postfix/rootfs/init.sh +++ b/docker/postfix/rootfs/init.sh 
@@ -1,38 +1,42 @@ #!/bin/bash +cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/tls/private/postfix.pem +chown postfix:mail /etc/pki/tls/private/postfix.pem +chmod 655 /etc/pki/tls/private/postfix.pem + sed -i -r \ -e "s|APP_DOMAIN|$APP_DOMAIN|g" \ /etc/saslauthd.conf /usr/sbin/saslauthd -m /run/saslauthd -a httpform -d & # If host mounting /var/spool/postfix, we need to delete old pid file before # starting services rm -f /var/spool/postfix/pid/master.pid /usr/libexec/postfix/aliasesdb /usr/libexec/postfix/chroot-update sed -i -r \ -e "s|LMTP_DESTINATION|$LMTP_DESTINATION|g" \ /etc/postfix/main.cf sed -i -r \ -e "s|APP_DOMAIN|$APP_DOMAIN|g" \ /etc/postfix/main.cf sed -i -r \ -e "s|APP_DOMAIN|$APP_DOMAIN|g" \ /usr/libexec/postfix/kolab_policy* sed -i -r \ -e "s|DB_HOST|$DB_HOST|g" \ -e "s|DB_USERNAME|$DB_USERNAME|g" \ -e "s|DB_PASSWORD|$DB_PASSWORD|g" \ -e "s|DB_DATABASE|$DB_DATABASE|g" \ /etc/postfix/sql/* # echo "/$APP_DOMAIN/ lmtp:$LMTP_DESTINATION" >> /etc/postfix/transport # postmap /etc/postfix/transport exec /usr/sbin/postfix -c /etc/postfix start-fg
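Review bot: `chmod 655 /etc/pki/tls/private/postfix.pem` leaves the concatenated private key readable by every user in the container and sets execute bits on a PEM file; since the file is owned `postfix:mail`, `chmod 640 /etc/pki/tls/private/postfix.pem` is what a key bundle needs. As in the imap init.sh, the `cat` uses unquoted expansions and its failure is not checked, so a wrong path starts postfix with a truncated bundle: `cat "${SSL_CERTIFICATE}" "${SSL_CERTIFICATE_FULLCHAIN}" "${SSL_CERTIFICATE_KEY}" > /etc/pki/tls/private/postfix.pem || exit 1`. Between the redirect and the chmod the file briefly carries umask-default permissions; running the cat under `umask 077` in a subshell closes that window. The same leaf-twice question applies here if the FULLCHAIN file already contains the leaf certificate.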