From 5e8c2122ad69911962d9a7d3fcce0d1ad9a5a608 Mon Sep 17 00:00:00 2001
From: Andreas Weigel
Date: Wed, 19 Oct 2022 15:51:11 -0400
Subject: [PATCH] entrypoint: add docker secret friendly _FILE options to prevent having to define secrets in docker compose file when using docker stack, add a _FILE option for sensitive information so that docker secrets may be used; update README accordingly
---
 README.md | 8 +++++---
 run-document-server.sh | 25 ++++++++++++++++++++++---
 2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 5020dfd..428be3b 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@ Below is the complete list of parameters that can be set using environment varia
 - **DB_PORT**: The database server port number.
 - **DB_NAME**: The name of a database to use. Should be existing on container startup.
 - **DB_USER**: The new user name with superuser permissions for the database account.
-- **DB_PWD**: The password set for the database account.
+- **DB_PWD[_FILE]**: The password set for the database account.
 - **AMQP_URI**: The [AMQP URI](https://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server.
 - **AMQP_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
 - **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
@@ -188,9 +188,9 @@ Below is the complete list of parameters that can be set using environment varia
 - **REDIS_SERVER_PASS**: The Redis server password. The password is not set by default.
 - **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
 - **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
-- **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
+- **SECURE_LINK_SECRET[_FILE]**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
 - **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.
-- **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
+- **JWT_SECRET[_FILE]**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
 - **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`.
 - **JWT_IN_BODY**: Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to `false`.
 - **WOPI_ENABLED**: Specifies the enabling the wopi handlers. Defaults to `false`.
@@ -203,6 +203,8 @@ Below is the complete list of parameters that can be set using environment varia
 - **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
 - **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
+Parameters ending in **[_FILE]** can alternatively be given as a path to a file from which the value is read to faciliate using docker secrets for sensitive information. If the parameter is specified both as **PARAM** and **PARAM_FILE**, the latter takes precedence.
+
 ## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
 ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:
diff --git a/run-document-server.sh b/run-document-server.sh
index fd183a3..7bf0d86 100755
--- a/run-document-server.sh
+++ b/run-document-server.sh
@@ -8,6 +8,23 @@ function clean_exit {
 trap clean_exit SIGTERM
+function file_env {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo "Both $var and $fileVar are set; $fileVar takes precedence"
+ fi
+ local val="$def"
+ if [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ elif [ "${!var:-}" ]; then
+ val="${!var}"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
 # Define '**' behavior explicitly
 shopt -s globstar
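Review bot: `val="$(< "${!fileVar}")"` in file_env silently produces an empty value when the path held in `$fileVar` is missing or unreadable; bash prints the read error, but nothing checks the status (unless the script runs under `set -e`, which is not visible here), so the function still exports an empty variable and unsets `$fileVar`, and a mis-mounted secret degrades to an empty DB password or, for JWT_SECRET, a silently generated random secret instead of a startup failure. Check readability before the read, e.g. `[ -r "${!fileVar}" ] || { echo "$fileVar: cannot read ${!fileVar}" >&2; exit 1; }`. The precedence warning on the `echo` line is diagnostic output and belongs on stderr (`>&2`). A short header comment would also help readers of the callers, e.g. `# file_env VAR [DEFAULT]: export VAR from VAR_FILE (preferred), else VAR, else DEFAULT; $(< file) drops trailing newlines, which suits secret files`.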
@@ -84,9 +101,10 @@ else
 JWT_ENABLED="false"
 fi
-[ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
+[ -z "$JWT_SECRET" ] && [ -z "$JWT_SECRET_FILE" ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
-JWT_SECRET=${JWT_SECRET:-$(pwgen -s 20)}
+file_env JWT_SECRET
+[ -z "$JWT_SECRET" ] && JWT_SECRET=$(pwgen -s 20)
 JWT_HEADER=${JWT_HEADER:-Authorization}
 JWT_IN_BODY=${JWT_IN_BODY:-false}
@@ -158,7 +176,7 @@ read_setting(){
 esac
 DB_NAME=${DB_NAME:-${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}}
 DB_USER=${DB_USER:-${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}}
- DB_PWD=${DB_PWD:-${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}}
+ file_env DB_PWD ${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}
 RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
 AMQP_URI=${AMQP_URI:-${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}}
@@ -488,6 +506,7 @@ update_nginx_settings(){
 sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
 fi
+ file_env SECURE_LINK_SECRET
 documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false
 }
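Review bot: The JWT_MESSAGE guard `[ -z "$JWT_SECRET" ] && [ -z "$JWT_SECRET_FILE" ]` is evaluated before `file_env JWT_SECRET`, so when JWT_SECRET_FILE names an empty or unreadable file the following line still falls back to `pwgen`, but the message telling the operator that a random secret is in use is never set. Resolve the value first and test the result: put `file_env JWT_SECRET` before the guard and reduce it to `[ -z "$JWT_SECRET" ] && JWT_MESSAGE='…'` with the existing message text unchanged, which also removes the separate test of JWT_SECRET_FILE. Note that file_env unsets JWT_SECRET_FILE, so nothing after this point can rely on it. The `if`/`else` that the hunk's `fi` closes begins outside the hunk.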
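Review bot: In read_setting, `file_env DB_PWD ${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}` passes the default unquoted, so a password containing whitespace or glob characters is word-split before it reaches `$2` and only its first word becomes the default, whereas the replaced `${DB_PWD:-…}` expansion kept it intact. Quote it: `file_env DB_PWD "${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}"`. The default is now also computed (one `${JSON}` invocation) even when DB_PWD or DB_PWD_FILE is set, which the old `:-` form avoided; that looks harmless but deserves a one-line comment. read_setting's body continues outside the hunk.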
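Review bot: After `file_env SECURE_LINK_SECRET` the value is handed to `documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false` unquoted; a secret read from a file is more likely than an env value to contain whitespace or glob characters, and such a value is split into several arguments on that line. The line is unchanged context, but the new code path feeds it, so quote the expansion: `documentserver-update-securelink.sh -s "${SECURE_LINK_SECRET:-$(pwgen -s 20)}" -r false`. update_nginx_settings begins outside the hunk.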