Compare commits

..

1 Commits

Author SHA1 Message Date
Alexey Golubev
862fbd41d4 Add prof of concept none pivilage execution
Use 'DS_PORT' env to use custom https port
  sudo docker run -e DS_PORT=1234 -itd -p80:1234  \
  onlyoffice/documentserver
2020-01-13 15:22:54 +03:00
46 changed files with 596 additions and 4787 deletions

1
.envrc

@ -1 +0,0 @@
use nix

@ -1,174 +0,0 @@
### This workflow setup instance then build and push images ###
name: 4testing multiarch-build
run-name: >-
Build #${{ inputs.build }} [
${{ inputs.amd64 && 'AMD64' || '-' }}
${{ inputs.arm64 && 'ARM64' || '-' }}
] [
${{ inputs.community && 'CE' || '-' }}
${{ inputs.developer && 'DE' || '-' }}
${{ inputs.enterprise && 'EE' || '-' }}
]
on:
workflow_dispatch:
inputs:
build:
description: 'Build number (ex. 45)'
type: string
required: true
amd64:
type: boolean
description: 'Build AMD64'
default: true
arm64:
type: boolean
description: 'Build ARM64'
default: true
community:
type: boolean
description: 'Build Community Edition'
default: true
enterprise:
type: boolean
description: 'Build Enterprise Edition'
default: true
developer:
type: boolean
description: 'Build Developer Edition'
default: true
env:
COMPANY_NAME: "onlyoffice"
PRODUCT_NAME: "documentserver"
jobs:
prepare:
runs-on: ubuntu-latest
steps:
- id: matrix
run: |
set -ex
BRANCH_NAME=${GITHUB_REF#refs/heads/}
if ! [[ $BRANCH_NAME == develop || $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then
echo "Wrong branch."
exit 1
fi
[ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64")
[ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64")
if [ -z ${PLATFORMS} ]; then
echo "None of the platforms are selected."
exit 1
fi
[ ${{ github.event.inputs.community }} = true ] && EDITIONS+=("community")
[ ${{ github.event.inputs.enterprise }} = true ] && EDITIONS+=("enterprise")
[ ${{ github.event.inputs.developer }} = true ] && EDITIONS+=("developer")
if [ -z ${EDITIONS} ]; then
echo "None of the editions are selected."
exit 1
fi
echo "editions=$(jq -n -c --arg s "${EDITIONS[*]}" '($s|split(" "))')" >> $GITHUB_OUTPUT
outputs:
editions: ${{ steps.matrix.outputs.editions }}
build:
name: "Build ${{ matrix.image }}-${{ matrix.edition }}"
runs-on: ubuntu-latest
needs: prepare
strategy:
fail-fast: false
matrix:
image: ["documentserver"]
edition: ${{ fromJSON(needs.prepare.outputs.editions) }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Build 4testing
id: build-ds
run: |
set -eux
### ==>> At this step build variable declaration ###
case ${{ matrix.edition }} in
community)
PRODUCT_EDITION=""
;;
enterprise)
PRODUCT_EDITION="-ee"
;;
developer)
PRODUCT_EDITION="-de"
;;
esac
[ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64")
[ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64")
PLATFORM=$(echo ${PLATFORMS[*]/#/linux/} | tr ' ' ',')
BRANCH_NAME=${GITHUB_REF#refs/heads/}
if [ $BRANCH_NAME = develop ]; then
BUILD_CHANNEL=nightly
PRODUCT_VERSION=99.99.99
elif [[ $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then
BUILD_CHANNEL=test
PRODUCT_VERSION=${BRANCH_NAME#*/v}
fi
BUILD_NUMBER=${{ github.event.inputs.build }}
export PRODUCT_EDITION
export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}
export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}
export BUILD_CHANNEL
export PLATFORM
export DOCKERFILE=Dockerfile
export PREFIX_NAME=4testing-
export TAG=${PRODUCT_VERSION}.${BUILD_NUMBER}
### ==>> Build and push images at this step ###
docker buildx bake -f docker-bake.hcl ${{ matrix.image }} --push
echo "DONE: Build success"
### Set output for Zap scanner
### NOTE: Output will be used only in release/hotfix branches
echo "version=${TAG}" >> "$GITHUB_OUTPUT"
echo "branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
shell: bash
# Run scanner only when edition is community
# and branch hit release/ or hotfix/
- name: Trigger zap manualy
if: >-
matrix.edition == 'community' &&
(startsWith(steps.build-ds.outputs.branch, 'release/') ||
startsWith(steps.build-ds.outputs.branch, 'hotfix/'))
env:
VERSION: ${{ steps.build-ds.outputs.version }}
BRANCH: ${{ steps.build-ds.outputs.branch }}
GITHUB_TOKEN: ${{ secrets.TOKEN }}
run: |
gh workflow run zap-ds.yaml \
--repo ${{ github.repository }} \
-f branch=${BRANCH} \
-f version=${VERSION}
shell: bash

@ -1,66 +0,0 @@
name: Build
on:
schedule:
- cron: "0 0 * * 1"
push:
tags:
- 'manual_build'
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Get upstream repository
run: |
git clone https://github.com/ONLYOFFICE/DocumentServer/ upstream
- name: Extract tags and labels for Docker
id: meta
run: |
export VERSION="$(cd upstream && git describe --tags --abbrev=0 | cut -d 'v' -f2-)"
echo "Version: ${VERSION}"
echo "tag=${VERSION}" >> $GITHUB_OUTPUT
shell: bash
- name: Check if the image was already built
id: check-build-status
run: |
echo ${{ steps.meta.outputs.tag }}
if curl --silent -f -lSL "https://hub.docker.com/v2/repositories/jiriks74/onlyoffice-documentserver/tags/$(echo ${{ steps.meta.outputs.tag }})" > /dev/null; then echo "Already exists" && exit 1; else echo "Desn't exist" && exit 0; fi
- name: Set tag in Dockerfile
run: |
sed -i "s/ARG PACKAGE_VERSION=/ARG PACKAGE_VERSION=$(echo ${{ steps.meta.outputs.tag }} | cut -d ':' -f2)/g" Dockerfile
- name: Update repositories
run: sudo apt update
- name: Install Docker
uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: docker.io
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
with:
platforms: linux/amd64,linux/arm64
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push image
uses: docker/build-push-action@v2
with:
push: true
tags: jiriks74/onlyoffice-documentserver:${{ steps.meta.outputs.tag }},jiriks74/onlyoffice-documentserver:latest
platforms: linux/amd64,linux/arm64
context: .
file: ./Dockerfile

@ -1,22 +0,0 @@
---
name: Trigger 4testing rebuild
run-name: "Weekly 4testing rebuild trigger"
on:
schedule:
# Run every Saturday at 10 p.m.
- cron: '00 22 * * 6'
jobs:
trigger-rebuild:
name: "trigget-rebuild"
runs-on: "ubuntu-latest"
steps:
- name: Rebuild 4testing manualy
env:
GITHUB_TOKEN: ${{ secrets.TOKEN }}
run: |
gh workflow run rebuild.yml \
--repo ONLYOFFICE/Docker-DocumentServer \
-f repo=4test

@ -1,224 +0,0 @@
---
name: Rebuild Docker-Documentserver
run-name: >
Rebuild DocumentServer with secure updates for repo: ${{ github.event.inputs.repo }}
on:
workflow_dispatch:
inputs:
repo:
type: choice
description: Please, choose upload repo..
options:
- '4test'
- 'stable'
permissions:
# All other permissions are set to none
contents: read
# Technically read access while waiting for images should be more than enough. However,
# there is a bug in GitHub Actions/Packages and in case private repositories are used, you get a permission
# denied error when attempting to just pull private image, changing the token permission to write solves the
# issue. This is not dangerous, because if it is for "ONLYOFFICE/Docker-DocumentServer", only maintainers can use ds-rebuild.yaml
# If it is for a fork, then the token is read-only anyway.
packages: read
env:
COMPANY_NAME: "onlyoffice"
PRODUCT_NAME: "documentserver"
REGISTRY_URL: "https://hub.docker.com/v2/repositories"
jobs:
rebuild-info:
name: "Rebuild-info"
runs-on: "ubuntu-22.04"
env:
REPO_INPUTS: ${{ github.event.inputs.repo }}
EVENT: ${{ github.event_name }}
outputs:
stable-versions: ${{ steps.selective-checks.outputs.stable-versions }}
ucs-versions: ${{ steps.selective-checks.outputs.ucs-versions }}
minor-tags: ${{ steps.selective-checks.outputs.minor-tags }}
ucs-rebuild-condition: ${{ steps.selective-checks.outputs.ucs-rebuild-condition }}
prefix-name: ${{ steps.selective-checks.outputs.prefix-name }}
repo: ${{ steps.selective-checks.outputs.repo }}
steps:
- name: Selective checks
id: selective-checks
run: |
set -e
REPO=${REPO_INPUTS:-"4test"}
if [ "${REPO}" == "stable" ]; then
UCS_REBUILD=true
UCS_VERSIONS=($(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}-ucs/tags/?page_size=100 | \
jq -r '.results|.[]|.name' | grep -oxE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.1' || true))
echo "ucs-versions=$(jq -c -n '$ARGS.positional' --args "${UCS_VERSIONS[@]}")" >> "$GITHUB_OUTPUT"
elif
[ "${REPO}" == "4test" ]; then
UCS_REBUILD=false
PREFIX_NAME=4testing-
fi
STABLE_VERSIONS=($(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}/tags/?page_size=100 | \
jq -r '.results|.[]|.name' | grep -oxE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.1' || true))
# When rebuilding stable versions of the document server,
# it is necessary to determine the version from which the
# minor x.x tag will need to be pushed.
VERSIONS=(${STABLE_VERSIONS[@]})
for i in {1..10}; do
if [ -z "${VERSIONS}" ]; then
break
else
TEMPLATE=${VERSIONS[0]%.*.*}
TEMPLATE_MINOR=$(printf -- '%s\n' "${VERSIONS[@]}" | grep -o -m 1 "${VERSIONS[0]%.*.*}.[0-9].[0-9]")
MINOR_TAGS+=(${TEMPLATE_MINOR%.*})
for v in ${MINOR_TAGS[@]}; do
VERSIONS=(${VERSIONS[@]//${v%.*}.*.*})
done
fi
done
echo "Stable releases that will be rebuilded"
echo "--------------------------------------"
echo "${STABLE_VERSIONS[@]}"
echo
echo
echo "Ucs releases that will be rebuilded"
echo "-----------------------------------"
echo "${UCS_VERSIONS[@]}"
echo "stable-versions=$(jq -c -n '$ARGS.positional' --args "${STABLE_VERSIONS[@]}")" >> "$GITHUB_OUTPUT"
echo "minor-tags=${MINOR_TAGS[@]}" >> "$GITHUB_OUTPUT"
echo "ucs-rebuild-condition=${UCS_REBUILD}" >> "$GITHUB_OUTPUT"
echo "prefix-name=${PREFIX_NAME}" >> "$GITHUB_OUTPUT"
echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
shell: bash
re-build-stable:
name: "Rebuild stable:${{ matrix.version }} ${{ matrix.edition }}"
needs: [rebuild-info]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
type: ["stable"]
edition: ["", "-ee", "-de"]
version: ${{fromJSON(needs.rebuild-info.outputs.stable-versions)}}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
# Determines the new build number based
# on data from the hub.docker registry
- name: Declare release number
id: release-number
env:
REBUILD_VERSION: ${{ matrix.version }}
run: |
MINOR_VERSION=${REBUILD_VERSION%.*}
LAST_RELEASE=$(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}/tags/?page_size=100 \
| jq -r '.results|.[]|.name' | grep -Eo -m1 "${MINOR_VERSION}.[0-9]{1,}")
LAST_RELEASE=${LAST_RELEASE#*.*.*.}
echo "release-number=$((LAST_RELEASE+1))" >> "$GITHUB_OUTPUT"
shell: bash
# Note: Rebuilding images with an
# extra layer to update security and
# all dependencies. Update tags got +1 to previous release.
- name: Re-build documentserver-stable
env:
MINOR_TAGS_ST: ${{ needs.rebuild-info.outputs.minor-tags }}
VERSION: ${{ matrix.version }}
RELEASE_NUMBER: ${{ steps.release-number.outputs.release-number }}
PREFIX_NAME: ${{ needs.rebuild-info.outputs.prefix-name }}
REPO: ${{ needs.rebuild-info.outputs.repo }}
PRODUCT_EDITION: ${{ matrix.edition }}
run: |
set -eux
export PULL_TAG=${VERSION}
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
export SHORTER_TAG=${VERSION%.*}
export SHORTEST_TAG=${VERSION%.*.*}
if [ "${REPO}" == "stable" ]; then
MINOR_TAGS=(${MINOR_TAGS_ST})
for v in ${MINOR_TAGS[@]}; do
if [ "${SHORTER_TAG}" == "${v}" ]; then
export PUSH_MAJOR="true"
fi
done
if [ "${SHORTER_TAG}" == "${MINOR_TAGS[0]}" ]; then
export LATEST="true"
fi
fi
docker buildx bake -f docker-bake.hcl documentserver-stable-rebuild --push
shell: bash
re-build-ucs:
name: "Rebuild ucs: ${{ matrix.version }} ${{ matrix.edition }}"
if: needs.rebuild-info.outputs.ucs-rebuild-condition == 'true'
needs: [rebuild-info]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
type: ["ucs"]
edition: ["", "-ee"]
version: ${{fromJSON(needs.rebuild-info.outputs.ucs-versions)}}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
# Determines the new build number based
# on data from the hub.docker registry
- name: Declare release number
id: release-number
env:
REBUILD_VERSION: ${{ matrix.version }}
run: |
MINOR_VERSION=${REBUILD_VERSION%.*}
LAST_RELEASE=$(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}/tags/?page_size=100 \
| jq -r '.results|.[]|.name' | grep -Eo -m1 "${MINOR_VERSION}.[0-9]{1,}")
LAST_RELEASE=${LAST_RELEASE#*.*.*.}
echo "release-number=$((LAST_RELEASE+1))" >> "$GITHUB_OUTPUT"
shell: bash
# Note: Rebuilding images with an
# extra layer to update security and
# all dependencies. Update tags +1 to previous release.
- name: Re-build documentserver-ucs
env:
VERSION: ${{ matrix.version }}
RELEASE_NUMBER: ${{ steps.release-number.outputs.release-number }}
PRODUCT_EDITION: ${{ matrix.edition }}
run: |
set -eux
export PULL_TAG=${VERSION}
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
export SHORTER_TAG=${VERSION%.*}
export SHORTEST_TAG=${VERSION%.*.*}
export UCS_REBUILD=true
export UCS_PREFIX=-ucs
docker buildx bake -f docker-bake.hcl documentserver-stable-rebuild --push
shell: bash

@ -1,137 +0,0 @@
### This workflow setup instance then build and push images ###
name: Multi-arch build stable
run-name: ${{ inputs.tag }} (${{ inputs.release_number }})
on:
workflow_dispatch:
inputs:
tag:
description: 'Tag for release (ex. 1.2.3.45)'
type: string
required: true
release_number:
description: 'Sequence number of the release (ex. x.x.x.<number>)'
type: string
required: true
default: '1'
env:
COMPANY_NAME: "onlyoffice"
PRODUCT_NAME: "documentserver"
jobs:
build:
name: "Release image: DocumentServer${{ matrix.edition }}"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
images: ["documentserver-stable"]
edition: ["", "-ee", "-de"]
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Build documentserver-release
run: |
set -eux
VERSION=${{ github.event.inputs.tag }}
RELEASE_NUMBER=${{ github.event.inputs.release_number }}
PRODUCT_EDITION=${{ matrix.edition }}
TESTING_IMAGE=${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}
export PRODUCT_EDITION
export PULL_TAG=${VERSION}
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
export SHORTER_TAG=${VERSION%.*}
export SHORTEST_TAG=${VERSION%.*.*}
docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push
echo "DONE: Build success >> exit with 0"
exit 0
shell: bash
build-nonexample:
name: "Release image: DocumentServer${{ matrix.edition }}-nonExample"
runs-on: ubuntu-latest
needs: [build]
if: ${{ false }}
strategy:
fail-fast: false
matrix:
images: ["documentserver-nonexample"]
edition: ["", "-ee", "-de"]
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: build image
run: |
set -eux
VERSION=${{ github.event.inputs.tag }}
RELEASE_NUMBER=${{ github.event.inputs.release_number }}
export PULL_TAG=${VERSION%.*}.${RELEASE_NUMBER}
export PRODUCT_EDITION=${{ matrix.edition }}
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push
shell: bash
build-ucs-ubuntu20:
name: "Release image: DocumentServer${{ matrix.edition }}-ucs"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
edition: ["", "-ee"]
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: build UCS
run: |
set -eux
VERSION=${{ github.event.inputs.tag }}
RELEASE_NUMBER=${{ github.event.inputs.release_number }}
export PRODUCT_EDITION=${{ matrix.edition }}
export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}
export DOCKERFILE=Dockerfile
export BASE_IMAGE=ubuntu:20.04
export PG_VERSION=12
export TAG=${VERSION%.*}.${RELEASE_NUMBER}
export PACKAGE_VERSION=$( echo ${VERSION} | sed -E 's/(.*)\./\1-/')
docker buildx bake -f docker-bake.hcl documentserver-ucs --push
shell: bash

@ -1,70 +0,0 @@
---
name: Scanning DocumentServer with ZAP
run-name: >
ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
on:
workflow_dispatch:
inputs:
version:
description: 'Set DocumentServer version that will be deployed'
type: string
required: true
branch:
description: 'The branch from which the scan will be performed'
type: string
required: true
jobs:
zap:
name: "Zap scanning DocumentServer"
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run DS
id: run-ds
env:
TAG: ${{ github.event.inputs.version }}
run: |
# Create ssl certs
openssl genrsa -out tls.key 2048
openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
openssl dhparam -out dhparam.pem 2048
sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
rm ./tls.key ./tls.crt ./dhparam.pem
# Run Ds with enabled ssl
export CONTAINER_NAME="documentserver"
sudo docker run -itd \
--name ${CONTAINER_NAME} \
-p 80:80 \
-p 443:443 \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
onlyoffice/4testing-documentserver:${TAG}
sleep 60
sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
LOCAL_IP=$(hostname -I | awk '{print $1}')
echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
# Scan DocumentServer with ZAP.
# NOTE: Full scan get a lot of time.
# If you want make scan more faster (but less accurate) remove `cmd options` field
# -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
# Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
- name: ZAP Scan
uses: zaproxy/action-full-scan@v0.8.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
allow_issue_writing: false
cmd_options: '-j'

2
.gitignore vendored

@ -1,2 +0,0 @@
# Nix, direnv
.direnv

@ -1,131 +0,0 @@
language: generic
dist: trusty
env:
# community edition
- config: standalone.yml
# integration edition
- config: standalone.yml
PRODUCT_NAME: documentserver-ie
# certificates (default tls if onlyoffice not exists)
- config: certs.yml
ssl: true
# certificates (default onlyoffice if exists)
- config: certs.yml
ssl: true
private_key: onlyoffice.key
certificate_request: onlyoffice.csr
certificate: onlyoffice.crt
# custom certificates
- config: certs-customized.yml
ssl: true
private_key: mycert.key
certificate_request: mycert.csr
certificate: mycert.crt
SSL_CERTIFICATE_PATH: /var/www/onlyoffice/Data/certs/mycert.crt
SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key
# postgresql 16
- config: postgres.yml
POSTGRES_VERSION: 16
# postgresql 15
- config: postgres.yml
POSTGRES_VERSION: 15
# postgresql 14
- config: postgres.yml
POSTGRES_VERSION: 14
# postgresql 13
- config: postgres.yml
POSTGRES_VERSION: 13
# postgresql 12
- config: postgres.yml
# postgresql custom values
- config: postgres.yml
DB_NAME: mydb
DB_USER: myuser
DB_PWD: password
POSTGRES_DB: mydb
POSTGRES_USER: myuser
# postgresql deprecated variables
- config: postgres-old.yml
# mysql 8
- config: mysql.yml
MYSQL_VERSION: 8
# mysql 5
- config: mysql.yml
MYSQL_VERSION: 5
# mysql 5.7
- config: mysql.yml
# mariadb 10
- config: mariadb.yml
MARIADB_VERSION: 10
# mariadb 10.5
- config: mariadb.yml
- config: activemq.yml
ACTIVEMQ_VERSION: latest
# activemq 5.14.3
- config: activemq.yml
# rabbitmq latest
- config: rabbitmq.yml
# rabbitmq 3
- config: rabbitmq.yml
RABBITMQ_VERSION: 3
# rabbitmq old variables
- config: rabbitmq-old.yml
# redis latest with community edition
- config: redis.yml
# redis latest with integraion edition
- config: redis.yml
PRODUCT_NAME: documentserver-ie
# redis 6
- config: redis.yml
REDIS_VERSION: 6
# redis 5
- config: redis.yml
REDIS_VERSION: 5
# graphite
- config: graphite.yml
services:
- docker
script:
# Go to tests dir
- cd ${PWD}/tests
# Run test.
- ./test.sh

@ -1,44 +1,39 @@
ARG BASE_IMAGE=ubuntu:22.04 FROM ubuntu:16.04
LABEL maintainer Ascensio System SIA <support@onlyoffice.com>
FROM ${BASE_IMAGE} as documentserver ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=noninteractive
LABEL maintainer Jiří Štefka <jiri.stefka.js@gmail.com>
ARG PG_VERSION=14
ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=noninteractive PG_VERSION=${PG_VERSION}
ARG ONLYOFFICE_VALUE=onlyoffice ARG ONLYOFFICE_VALUE=onlyoffice
RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
apt-get -y update && \ apt-get -y update && \
apt-get -yq install wget apt-transport-https gnupg locales lsb-release && \ apt-get -yq install wget apt-transport-https curl locales && \
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x8320ca65cb2de8e5 && \
locale-gen en_US.UTF-8 && \ locale-gen en_US.UTF-8 && \
echo ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true | debconf-set-selections && \ curl -sL https://deb.nodesource.com/setup_8.x | bash - && \
apt-get -y update && \
apt-get -yq install \ apt-get -yq install \
adduser \ adduser \
apt-utils \
bomstrip \ bomstrip \
certbot \
cron \
curl \
htop \ htop \
libasound2 \ libasound2 \
libboost-regex-dev \ libboost-regex-dev \
libcairo2 \ libcairo2 \
libcurl3-gnutls \ libcurl3 \
libcurl4 \ libgconf2-4 \
libgtk-3-0 \ libgtkglext1 \
libnspr4 \ libnspr4 \
libnss3 \ libnss3 \
libnss3-nssdb \
libstdc++6 \ libstdc++6 \
libxml2 \ libxml2 \
libxss1 \ libxss1 \
libxtst6 \ libxtst6 \
mysql-client \
nano \ nano \
net-tools \ net-tools \
netcat-openbsd \ netcat \
nginx-extras \ nginx-extras \
nodejs \
postgresql \ postgresql \
postgresql-client \ postgresql-client \
pwgen \ pwgen \
@ -47,18 +42,11 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
software-properties-common \ software-properties-common \
sudo \ sudo \
supervisor \ supervisor \
ttf-mscorefonts-installer \
xvfb \ xvfb \
zlib1g && \ zlib1g && \
if [ $(ls -l /usr/share/fonts/truetype/msttcorefonts | wc -l) -ne 61 ]; \ sudo -u postgres psql -c "CREATE DATABASE $ONLYOFFICE_VALUE;" && \
then echo 'msttcorefonts failed to download'; exit 1; fi && \
echo "SERVER_ADDITIONAL_ERL_ARGS=\"+S 1:1\"" | tee -a /etc/rabbitmq/rabbitmq-env.conf && \
sed -i "s/bind .*/bind 127.0.0.1/g" /etc/redis/redis.conf && \
sed 's|\(application\/zip.*\)|\1\n application\/wasm wasm;|' -i /etc/nginx/mime.types && \
pg_conftool $PG_VERSION main set listen_addresses 'localhost' && \
service postgresql restart && \
sudo -u postgres psql -c "CREATE USER $ONLYOFFICE_VALUE WITH password '$ONLYOFFICE_VALUE';" && \ sudo -u postgres psql -c "CREATE USER $ONLYOFFICE_VALUE WITH password '$ONLYOFFICE_VALUE';" && \
sudo -u postgres psql -c "CREATE DATABASE $ONLYOFFICE_VALUE OWNER $ONLYOFFICE_VALUE;" && \ sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE $ONLYOFFICE_VALUE TO $ONLYOFFICE_VALUE;" && \
service postgresql stop && \ service postgresql stop && \
service redis-server stop && \ service redis-server stop && \
service rabbitmq-server stop && \ service rabbitmq-server stop && \
@ -66,38 +54,27 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
service nginx stop && \ service nginx stop && \
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
COPY config/supervisor/supervisor /etc/init.d/ COPY config /app/ds/setup/config/
COPY config/supervisor/ds/*.conf /etc/supervisor/conf.d/
COPY run-document-server.sh /app/ds/run-document-server.sh COPY run-document-server.sh /app/ds/run-document-server.sh
EXPOSE 80 443 EXPOSE 80 443
ARG REPO_URL="deb http://download.onlyoffice.com/repo/debian squeeze main"
ARG COMPANY_NAME=onlyoffice ARG COMPANY_NAME=onlyoffice
ARG PRODUCT_NAME=documentserver ARG PRODUCT_NAME=documentserver
ARG PRODUCT_EDITION=
ARG PACKAGE_VERSION=
ARG TARGETARCH
ARG PACKAGE_BASEURL="http://download.onlyoffice.com/install/documentserver/linux"
ENV COMPANY_NAME=$COMPANY_NAME \ ENV COMPANY_NAME=$COMPANY_NAME
PRODUCT_NAME=$PRODUCT_NAME \
PRODUCT_EDITION=$PRODUCT_EDITION \
DS_DOCKER_INSTALLATION=true
RUN PACKAGE_FILE="${COMPANY_NAME}-${PRODUCT_NAME}${PRODUCT_EDITION}${PACKAGE_VERSION:+_$PACKAGE_VERSION}_${TARGETARCH:-$(dpkg --print-architecture)}.deb" && \ RUN echo "$REPO_URL" | tee /etc/apt/sources.list.d/ds.list && \
wget -q -P /tmp "$PACKAGE_BASEURL/$PACKAGE_FILE" && \
apt-get -y update && \ apt-get -y update && \
service postgresql start && \ service postgresql start && \
apt-get -yq install /tmp/$PACKAGE_FILE && \ apt-get -yq install $COMPANY_NAME-$PRODUCT_NAME && \
service postgresql stop && \ service postgresql stop && \
chmod 755 /etc/init.d/supervisor && \
sed "s/COMPANY_NAME/${COMPANY_NAME}/g" -i /etc/supervisor/conf.d/*.conf && \
service supervisor stop && \ service supervisor stop && \
chmod 755 /app/ds/*.sh && \ chmod 755 /app/ds/*.sh && \
rm -f /tmp/$PACKAGE_FILE && \
rm -rf /var/log/$COMPANY_NAME && \ rm -rf /var/log/$COMPANY_NAME && \
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
VOLUME /var/log/$COMPANY_NAME /var/lib/$COMPANY_NAME /var/www/$COMPANY_NAME/Data /var/lib/postgresql /var/lib/rabbitmq /var/lib/redis /usr/share/fonts/truetype/custom VOLUME /var/log/$COMPANY_NAME /var/lib/$COMPANY_NAME /var/www/$COMPANY_NAME/Data /var/lib/postgresql /usr/share/fonts/truetype/custom
ENTRYPOINT ["/app/ds/run-document-server.sh"] ENTRYPOINT /app/ds/run-document-server.sh

@ -1,66 +1,66 @@
COMPANY_NAME ?= ONLYOFFICE COMPANY_NAME ?= onlyoffice
GIT_BRANCH ?= develop GIT_BRANCH ?= develop
PRODUCT_NAME ?= documentserver PRODUCT_NAME ?= documentserver-ie
PRODUCT_EDITION ?=
PRODUCT_VERSION ?= 0.0.0 PRODUCT_VERSION ?= 0.0.0
BUILD_NUMBER ?= 0 BUILD_NUMBER ?= 0
BUILD_CHANNEL ?= nightly
ONLYOFFICE_VALUE ?= onlyoffice ONLYOFFICE_VALUE ?= onlyoffice
COMPANY_NAME_LOW = $(shell echo $(COMPANY_NAME) | tr A-Z a-z) PACKAGE_VERSION := $(PRODUCT_VERSION)-$(BUILD_NUMBER)
PACKAGE_NAME := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)$(PRODUCT_EDITION) REPO_URL := "deb [trusted=yes] http://repo-doc-onlyoffice-com.s3.amazonaws.com/ubuntu/trusty/$(COMPANY_NAME)-$(PRODUCT_NAME)/$(GIT_BRANCH)/$(PACKAGE_VERSION)/ repo/"
PACKAGE_VERSION ?= $(PRODUCT_VERSION)-$(BUILD_NUMBER)~stretch
PACKAGE_BASEURL ?= https://s3.eu-west-1.amazonaws.com/repo-doc-onlyoffice-com/server/linux/debian
ifeq ($(BUILD_CHANNEL),$(filter $(BUILD_CHANNEL),nightly test)) UPDATE_LATEST := false
DOCKER_TAG := $(PRODUCT_VERSION).$(BUILD_NUMBER)
ifneq (,$(findstring develop,$(GIT_BRANCH)))
DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))
DOCKER_TAGS += latest
else ifneq (,$(findstring release,$(GIT_BRANCH)))
DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))
else ifneq (,$(findstring hotfix,$(GIT_BRANCH)))
DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))
else else
DOCKER_TAG := $(PRODUCT_VERSION).$(BUILD_NUMBER)-$(subst /,-,$(GIT_BRANCH)) DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))-$(subst /,-,$(GIT_BRANCH))
endif endif
DOCKER_ORG ?= $(COMPANY_NAME_LOW) DOCKER_TAGS += $(DOCKER_TAG)
DOCKER_IMAGE := $(DOCKER_ORG)/4testing-$(PRODUCT_NAME)$(PRODUCT_EDITION)
DOCKER_DUMMY := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)$(PRODUCT_EDITION)__$(DOCKER_TAG).dummy
DOCKER_ARCH := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)_$(DOCKER_TAG).tar.gz
.PHONY: all clean clean-docker image deploy docker DOCKER_REPO = $(COMPANY_NAME)/4testing-$(PRODUCT_NAME)
COLON := __colon__
DOCKER_TARGETS := $(foreach TAG,$(DOCKER_TAGS),$(DOCKER_REPO)$(COLON)$(TAG))
DOCKER_ARCH := $(COMPANY_NAME)-$(PRODUCT_NAME)_$(PACKAGE_VERSION).tar.gz
.PHONY: all clean clean-docker deploy docker publish
$(DOCKER_TARGETS): $(DEB_REPO_DATA)
$(DOCKER_DUMMY):
docker pull ubuntu:22.04
docker build \ docker build \
--build-arg COMPANY_NAME=$(COMPANY_NAME_LOW) \ --build-arg REPO_URL=$(REPO_URL) \
--build-arg COMPANY_NAME=$(COMPANY_NAME) \
--build-arg PRODUCT_NAME=$(PRODUCT_NAME) \ --build-arg PRODUCT_NAME=$(PRODUCT_NAME) \
--build-arg PRODUCT_EDITION=$(PRODUCT_EDITION) \
--build-arg PACKAGE_VERSION=$(PACKAGE_VERSION) \
--build-arg PACKAGE_BASEURL=$(PACKAGE_BASEURL) \
--build-arg TARGETARCH=amd64 \
--build-arg ONLYOFFICE_VALUE=$(ONLYOFFICE_VALUE) \ --build-arg ONLYOFFICE_VALUE=$(ONLYOFFICE_VALUE) \
-t $(DOCKER_IMAGE):$(DOCKER_TAG) . && \ -t $(subst $(COLON),:,$@) . &&\
mkdir -p $$(dirname $@) &&\ mkdir -p $$(dirname $@) &&\
echo "Done" > $@ echo "Done" > $@
$(DOCKER_ARCH): $(DOCKER_DUMMY) $(DOCKER_ARCH): $(DOCKER_TARGETS)
docker save $(DOCKER_IMAGE):$(DOCKER_TAG) | \ docker save $(DOCKER_REPO):$(DOCKER_TAG) | \
gzip > $@ gzip > $@
all: image all: $(DOCKER_TARGETS)
clean: clean:
rm -rfv *.dummy *.tar.gz rm -rfv $(DOCKER_TARGETS) $(DOCKER_ARCH)
clean-docker: clean-docker:
docker rmi -f $$(docker images -q $(COMPANY_NAME_LOW)/*) || exit 0 docker rmi -f $$(docker images -q $(COMPANY_NAME)/*) || exit 0
image: $(DOCKER_DUMMY) deploy: $(DOCKER_TARGETS)
$(foreach TARGET,$(DOCKER_TARGETS),docker push $(subst $(COLON),:,$(TARGET));)
deploy: $(DOCKER_DUMMY) publish: $(DOCKER_ARCH)
for i in {1..3}; do \ aws s3 cp \
docker push $(DOCKER_IMAGE):$(DOCKER_TAG) && break || sleep 1m; \ $(DOCKER_ARCH) \
done s3://repo-doc-onlyoffice-com.s3.amazonaws.com/docker/amd64/ \
ifeq ($(BUILD_CHANNEL),nightly) --acl public-read
docker tag $(DOCKER_IMAGE):$(DOCKER_TAG) $(DOCKER_IMAGE):latest
for i in {1..3}; do \
docker push $(DOCKER_IMAGE):latest && break || sleep 1m; \
done
endif

325
README.md

@ -1,190 +1,3 @@
[![Docker Pulls](https://img.shields.io/docker/pulls/jiriks74/onlyoffice-documentserver.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=pulls&logo=docker)](https://hub.docker.com/r/jiriks74/onlyoffice-documentserver)
[![Docker Stars](https://img.shields.io/docker/stars/jiriks74/onlyoffice-documentserver.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/jiriks74/onlyoffice-documentserver)
[![Docker Size](https://img.shields.io/docker/image-size/jiriks74/onlyoffice-documentserver/latest.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Size&logo=docker)](https://hub.docker.com/r/jiriks74/onlyoffice-documentserver)
#### This repository is based on the official `Dockerfile` and `docker-compose.yml` files with all the needed files as well
# Table of contents
- [Usage](#usage)
- [Setting up secret key with nextcloud](#setting-up-secret-key-with-nextcloud)
- [Larger file limits](#setting-up-larger-file-limits)
- [Generating custom presentation themes](#generating-custom-presentation-themes)
- [Tags on DockerHub](#tags-used-on-dockerhub)
- [Building the image from source](#building-the-image-yourself-not-recommended---may-take-a-lot-of-time)
- [Updating the image yourself](#updating-the-image-yourself)
## Usage
#### docker-compose with prebuilt image (recommended)
- Docker will pull the correct architecture automatically
- Below in `Details` you'll find a `docker-compose.yml` templete.
To use it, make a directory where data from the container will be saved, create
`docker-compose.yml` file in it and put the template from below in it.
Then modify the template to your needs.
<details>
```yml
version: '2'
services:
onlyoffice-documentserver:
image: jiriks74/onlyoffice-documentserver:latest
container_name: onlyoffice-documentserver
depends_on:
- onlyoffice-postgresql
- onlyoffice-rabbitmq
environment:
- DB_TYPE=postgres
- DB_HOST=onlyoffice-postgresql
- DB_PORT=5432
- DB_NAME=onlyoffice
- DB_USER=onlyoffice
- AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
# Uncomment strings below to enable the JSON Web Token validation.
#- JWT_ENABLED=true
#- JWT_SECRET=secret
#- JWT_HEADER=AuthorizationJwt
#- JWT_IN_BODY=true
# Uncomment the line below to set larger file limits (about 1GB)
#- LARGER_FILE_LIMITS=true
ports:
- '80:80'
- '443:443'
stdin_open: true
restart: always
stop_grace_period: 120s
volumes:
# Uncomment the line below to get access to the slide themes directory.
# To use the themes, copy them to the slideThemes directory and run `docker exec -it <container-name> /usr/bin/documentserver-generate-allfonts.sh`
#- ./slideThemes:/var/www/onlyoffice/documentserver/sdkjs/slide/themes/src
- /var/www/onlyoffice/Data
- /var/log/onlyoffice
- /var/lib/onlyoffice/documentserver/App_Data/cache/files
- /var/www/onlyoffice/documentserver-example/public/files
- /usr/share/fonts
onlyoffice-rabbitmq:
container_name: onlyoffice-rabbitmq
image: rabbitmq
restart: always
expose:
- '5672'
onlyoffice-postgresql:
container_name: onlyoffice-postgresql
image: postgres:9.5
environment:
- POSTGRES_DB=onlyoffice
- POSTGRES_USER=onlyoffice
- POSTGRES_HOST_AUTH_METHOD=trust
restart: always
expose:
- '5432'
volumes:
- postgresql_data:/var/lib/postgresql
volumes:
postgresql_data:
```
</details>
### Setting up `Secret key` with Nextcloud
1. Uncomment four lines starting with `JWT` in `docker-compose`
2. Set your secret on line `JWT_SECRET=yourSecret`
3. Open Nexcloud's `config.php` (by default `/var/www/nextcloud/config/config.php`)
4. Add this to the 2nd last line (before the line with `);`) and paste in your secret (3rd last line)
```php
'onlyoffice' =>
array (
"jwt_secret" => "yourSecret",
"jwt_header" => "AuthorizationJwt"
)
```
5. Go to your Nextcloud settings, navigate to Onlyoffice settings
6. Add your server Address and Secret key
7. Save
### Setting up larger file limits
- Uncomment the `- LARGER_FILE_LIMITS=true` line in `docker-compose.yml`
### Generating custom presentation themes
1. Uncomment the
`- ./slideThemes:/var/www/onlyoffice/documentserver/sdkjs/slide/themes/src`
line in `docker-compose.yml`
2. Put your themes into the `slideThemes` directory
3. Run `docker exec -it <container-name> /usr/bin/documentserver-generate-allfonts.sh`
- (This will take some time. I have totally 35 themes and it took about 30 minutes to generate them on a Raspberry Pi 4 4GB on an external HDD - SSD may be faster)
4. If you want to add more themes later, repeat step 2 and 3.
## Tags used on DockerHub
- `latest` - the latest version of the Documentserver
- Version tags (eg. `7.0.1-37`) - these tags are equal to the Documentserver
version of the `onlyoffice-documentserver` debian package used in the image
## Building the image yourself (not recommended - may take a lot of time)
#### 1. Clone the repository (for example to your home directory `cd /home/$USER/`)
`git clone https://github.com/jiriks74/Docker-DocumentServer.git && cd Docker-DocumentServer`
#### 2. Build the docker image
##### Building only for the architecture you are building the image on (when building on Raspberry Pi result will be `arm64`, when on pc result will be `amd64`)
`docker-compose build`
##### Building for all supported architectures (you have to have your environment setup for emulation of arm64 with `qemu` and build it on `amd64`) - you have to push to DockerHub
`docker buildx build --push --platform linux/arm64,linux/amd64,linux/386 .`
#### 3. Create and start the container
`docker-compose up -d`
- This will start the server. It is set to be automatically started/restarted so as long you have docker running on startup this will start automatically
### Updating the image yourself
#### 1. Stop and delete the old container
`docker-compose down`
#### 2. (optional) Clear the docker cache
#### - ! This will remove all unused cache images ! (good for saving space, bad if you develop with and need cache, but you understand it at that point)
`docker rmi $(docker images -f "dangling=true" -q)`
#### 4. Rebuild the image without cache
##### Building only for the architecture you are building the image on (when building on Raspberry Pi result will be `arm64`, when on pc result will be `amd64`)
`docker-compose build`
##### Building for all supported architectures (you have to have your environment setup for emulation of arm64 with `qemu`) - you'll have to push to DockerHub, multiplatform images cannot be saved locally (for whatever reason)
`docker buildx build --push --platform linux/arm64,linux/amd64,linux/386 .`
#### 3. Create and start the new container
`docker-compose up -d`
---
## The rest of this file is the official [`README.md` from OnlyOffice-Documentserver repository](https://github.com/ONLYOFFICE/Docker-DocumentServer). I will not change anything in it, it may not work, but considering the changes I made, it should be fully compatible (beware that you must change the `docker-compose.yml` from building the image locally to using this repository). If you want to change something, make a issue on my repository and we'll figure it out.
<details>
* [Overview](#overview) * [Overview](#overview)
* [Functionality](#functionality) * [Functionality](#functionality)
* [Recommended System Requirements](#recommended-system-requirements) * [Recommended System Requirements](#recommended-system-requirements)
@ -198,7 +11,6 @@ version of the `onlyoffice-documentserver` debian package used in the image
+ [Installation of the SSL Certificates](#installation-of-the-ssl-certificates) + [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)
+ [Available Configuration Parameters](#available-configuration-parameters) + [Available Configuration Parameters](#available-configuration-parameters)
* [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers) * [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers)
* [ONLYOFFICE Document Server ipv6 setup](#onlyoffice-document-server-ipv6-setup)
* [Issues](#issues) * [Issues](#issues)
- [Docker Issues](#docker-issues) - [Docker Issues](#docker-issues)
- [Document Server usage Issues](#document-server-usage-issues) - [Document Server usage Issues](#document-server-usage-issues)
@ -209,12 +21,6 @@ version of the `onlyoffice-documentserver` debian package used in the image
ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time. ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
Starting from version 6.0, Document Server is distributed as ONLYOFFICE Docs. It has [three editions](https://github.com/ONLYOFFICE/DocumentServer#onlyoffice-document-server-editions). With this image, you will install the free Community version.
ONLYOFFICE Docs can be used as a part of ONLYOFFICE Workspace or with third-party sync&share solutions (e.g. Nextcloud, ownCloud, Seafile) to enable collaborative editing within their interface.
***Important*** Please update `docker-engine` to latest version (`20.10.21` as of writing this doc) before using it. We use `ubuntu:22.04` as base image and it older versions of docker have compatibility problems with it
## Functionality ## ## Functionality ##
* ONLYOFFICE Document Editor * ONLYOFFICE Document Editor
* ONLYOFFICE Spreadsheet Editor * ONLYOFFICE Spreadsheet Editor
@ -261,8 +67,6 @@ To get access to your data from outside the container, you need to mount the vol
-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \ -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \ -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \ -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
-v /app/onlyoffice/DocumentServer/rabbitmq:/var/lib/rabbitmq \
-v /app/onlyoffice/DocumentServer/redis:/var/lib/redis \
-v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver
Normally, you do not need to store container data because the container's operation does not depend on its state. Saving data will be useful: Normally, you do not need to store container data because the container's operation does not depend on its state. Saving data will be useful:
@ -290,17 +94,10 @@ To secure the application via SSL basically two things are needed:
So you need to create and install the following files: So you need to create and install the following files:
/app/onlyoffice/DocumentServer/data/certs/tls.key /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/app/onlyoffice/DocumentServer/data/certs/tls.crt /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
When using CA certified certificates (e.g [Let's encrypt](https://letsencrypt.org)), these files are provided to you by the CA. If you are using self-signed certificates you need to generate these files [yourself](#generation-of-self-signed-certificates). When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
#### Using the automatically generated Let's Encrypt SSL Certificates
sudo docker run -i -t -d -p 80:80 -p 443:443 \
-e LETS_ENCRYPT_DOMAIN=your_domain -e LETS_ENCRYPT_MAIL=your_mail onlyoffice/documentserver
If you want to get and extend Let's Encrypt SSL Certificates automatically just set LETS_ENCRYPT_DOMAIN and LETS_ENCRYPT_MAIL variables.
#### Generation of Self Signed Certificates #### Generation of Self Signed Certificates
@ -309,19 +106,19 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure.
**STEP 1**: Create the server private key **STEP 1**: Create the server private key
```bash ```bash
openssl genrsa -out tls.key 2048 openssl genrsa -out onlyoffice.key 2048
``` ```
**STEP 2**: Create the certificate signing request (CSR) **STEP 2**: Create the certificate signing request (CSR)
```bash ```bash
openssl req -new -key tls.key -out tls.csr openssl req -new -key onlyoffice.key -out onlyoffice.csr
``` ```
**STEP 3**: Sign the certificate using the private key and CSR **STEP 3**: Sign the certificate using the private key and CSR
```bash ```bash
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
``` ```
You have now generated an SSL certificate that's valid for 365 days. You have now generated an SSL certificate that's valid for 365 days.
@ -337,18 +134,18 @@ openssl dhparam -out dhparam.pem 2048
#### Installation of the SSL Certificates #### Installation of the SSL Certificates
Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner. The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner.
```bash ```bash
mkdir -p /app/onlyoffice/DocumentServer/data/certs mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp tls.key /app/onlyoffice/DocumentServer/data/certs/ cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/
cp tls.crt /app/onlyoffice/DocumentServer/data/certs/ cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/ cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
``` ```
You are now just one step away from having our application secured. You are now just one step away from having our application secured.
@ -361,39 +158,24 @@ Below is the complete list of parameters that can be set using environment varia
- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. - **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. - **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`. - **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`.
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`. - **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`.
- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`. - **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false` - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`. - **POSTGRESQL_SERVER_HOST**: The IP address or the name of the host where the PostgreSQL server is running.
- **DB_HOST**: The IP address or the name of the host where the database server is running. - **POSTGRESQL_SERVER_PORT**: The PostgreSQL server port number.
- **DB_PORT**: The database server port number. - **POSTGRESQL_SERVER_DB_NAME**: The name of a PostgreSQL database to be created on the image startup.
- **DB_NAME**: The name of a database to use. Should be existing on container startup. - **POSTGRESQL_SERVER_USER**: The new user name with superuser permissions for the PostgreSQL account.
- **DB_USER**: The new user name with superuser permissions for the database account. - **POSTGRESQL_SERVER_PASS**: The password set for the PostgreSQL account.
- **DB_PWD**: The password set for the database account. - **AMQP_SERVER_URL**: The [AMQP URL](http://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server.
- **AMQP_URI**: The [AMQP URI](https://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server. - **AMQP_SERVER_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
- **AMQP_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
- **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running. - **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
- **REDIS_SERVER_PORT**: The Redis server port number. - **REDIS_SERVER_PORT**: The Redis server port number.
- **REDIS_SERVER_PASS**: The Redis server password. The password is not set by default.
- **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes. - **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
- **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process. - **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
- **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](https://nginx.org/en/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`. - **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.
- **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `true`. - **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
- **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to random value.
- **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`. - **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`.
- **JWT_IN_BODY**: Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to `false`.
- **WOPI_ENABLED**: Specifies the enabling the wopi handlers. Defaults to `false`.
- **ALLOW_META_IP_ADDRESS**: Defines if it is allowed to connect meta IP address or not. Defaults to `false`.
- **ALLOW_PRIVATE_IP_ADDRESS**: Defines if it is allowed to connect private IP address or not. Defaults to `false`.
- **USE_UNAUTHORIZED_STORAGE**: Set to `true`if using selfsigned certificates for your storage server e.g. Nextcloud. Defaults to `false`
- **GENERATE_FONTS**: When 'true' regenerates fonts list and the fonts thumbnails etc. at each start. Defaults to `true`
- **METRICS_ENABLED**: Specifies the enabling StatsD for ONLYOFFICE Document Server. Defaults to `false`.
- **METRICS_HOST**: Defines StatsD listening host. Defaults to `localhost`.
- **METRICS_PORT**: Defines StatsD listening port. Defaults to `8125`.
- **METRICS_PREFIX**: Defines StatsD metrics prefix for backend services. Defaults to `ds.`.
- **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
- **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers ## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
@ -410,20 +192,10 @@ Then launch containers on it using the 'docker run --net onlyoffice' option:
Follow [these steps](#installing-mysql) to install MySQL server. Follow [these steps](#installing-mysql) to install MySQL server.
**STEP 3**: Generate JWT Secret **STEP 3**: Install ONLYOFFICE Document Server.
JWT secret defines the secret key to validate the JSON Web Token in the request to the **ONLYOFFICE Document Server**. You can specify it yourself or easily get it using the command:
```
JWT_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 12);
```
**STEP 4**: Install ONLYOFFICE Document Server.
```bash ```bash
sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-document-server \ sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-document-server \
-e JWT_ENABLED=true \
-e JWT_SECRET=${JWT_SECRET} \
-e JWT_HEADER=AuthorizationJwt \
-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \ -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \ -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \ -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
@ -431,7 +203,7 @@ sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-doc
onlyoffice/documentserver onlyoffice/documentserver
``` ```
**STEP 5**: Install ONLYOFFICE Mail Server. **STEP 4**: Install ONLYOFFICE Mail Server.
For the mail server correct work you need to specify its hostname 'yourdomain.com'. For the mail server correct work you need to specify its hostname 'yourdomain.com'.
@ -449,14 +221,14 @@ sudo docker run --init --net onlyoffice --privileged -i -t -d --restart=always -
onlyoffice/mailserver onlyoffice/mailserver
``` ```
The additional parameters for mail server are available [here](https://github.com/ONLYOFFICE/Docker-CommunityServer/blob/master/docker-compose.workspace_enterprise.yml#L87). The additional parameters for mail server are available [here](https://github.com/ONLYOFFICE/Docker-CommunityServer/blob/master/docker-compose.yml#L75).
To learn more, refer to the [ONLYOFFICE Mail Server documentation](https://github.com/ONLYOFFICE/Docker-MailServer "ONLYOFFICE Mail Server documentation"). To learn more, refer to the [ONLYOFFICE Mail Server documentation](https://github.com/ONLYOFFICE/Docker-MailServer "ONLYOFFICE Mail Server documentation").
**STEP 6**: Install ONLYOFFICE Community Server **STEP 5**: Install ONLYOFFICE Community Server
```bash ```bash
sudo docker run --net onlyoffice -i -t -d --privileged --restart=always --name onlyoffice-community-server -p 80:80 -p 443:443 -p 5222:5222 --cgroupns=host \ sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-community-server -p 80:80 -p 443:443 -p 5222:5222 \
-e MYSQL_SERVER_ROOT_PASSWORD=my-secret-pw \ -e MYSQL_SERVER_ROOT_PASSWORD=my-secret-pw \
-e MYSQL_SERVER_DB_NAME=onlyoffice \ -e MYSQL_SERVER_DB_NAME=onlyoffice \
-e MYSQL_SERVER_HOST=onlyoffice-mysql-server \ -e MYSQL_SERVER_HOST=onlyoffice-mysql-server \
@ -464,9 +236,6 @@ sudo docker run --net onlyoffice -i -t -d --privileged --restart=always --name o
-e MYSQL_SERVER_PASS=onlyoffice_pass \ -e MYSQL_SERVER_PASS=onlyoffice_pass \
-e DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server \ -e DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server \
-e DOCUMENT_SERVER_JWT_ENABLED=true \
-e DOCUMENT_SERVER_JWT_SECRET=${JWT_SECRET} \
-e DOCUMENT_SERVER_JWT_HEADER=AuthorizationJwt \
-e MAIL_SERVER_API_HOST=${MAIL_SERVER_IP} \ -e MAIL_SERVER_API_HOST=${MAIL_SERVER_IP} \
-e MAIL_SERVER_DB_HOST=onlyoffice-mysql-server \ -e MAIL_SERVER_DB_HOST=onlyoffice-mysql-server \
@ -477,14 +246,12 @@ sudo docker run --net onlyoffice -i -t -d --privileged --restart=always --name o
-v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \ -v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \ -v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
-v /app/onlyoffice/CommunityServer/letsencrypt:/etc/letsencrypt \
-v /sys/fs/cgroup:/sys/fs/cgroup:rw \
onlyoffice/communityserver onlyoffice/communityserver
``` ```
Where `${MAIL_SERVER_IP}` is the IP address for **ONLYOFFICE Mail Server**. You can easily get it using the command: Where `${MAIL_SERVER_IP}` is the IP address for **ONLYOFFICE Mail Server**. You can easily get it using the command:
``` ```
MAIL_SERVER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' onlyoffice-mail-server) docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' onlyoffice-mail-server
``` ```
Alternatively, you can use an automatic installation script to install the whole ONLYOFFICE Community Edition at once. For the mail server correct work you need to specify its hostname 'yourdomain.com'. Alternatively, you can use an automatic installation script to install the whole ONLYOFFICE Community Edition at once. For the mail server correct work you need to specify its hostname 'yourdomain.com'.
@ -492,7 +259,7 @@ Alternatively, you can use an automatic installation script to install the whole
**STEP 1**: Download the Community Edition Docker script file **STEP 1**: Download the Community Edition Docker script file
```bash ```bash
wget https://download.onlyoffice.com/install/opensource-install.sh wget http://download.onlyoffice.com/install/opensource-install.sh
``` ```
**STEP 2**: Install ONLYOFFICE Community Edition executing the following command: **STEP 2**: Install ONLYOFFICE Community Edition executing the following command:
@ -504,34 +271,10 @@ bash opensource-install.sh -md yourdomain.com
Or, use [docker-compose](https://docs.docker.com/compose/install "docker-compose"). For the mail server correct work you need to specify its hostname 'yourdomain.com'. Assuming you have docker-compose installed, execute the following command: Or, use [docker-compose](https://docs.docker.com/compose/install "docker-compose"). For the mail server correct work you need to specify its hostname 'yourdomain.com'. Assuming you have docker-compose installed, execute the following command:
```bash ```bash
wget https://raw.githubusercontent.com/ONLYOFFICE/Docker-CommunityServer/master/docker-compose.groups.yml wget https://raw.githubusercontent.com/ONLYOFFICE/Docker-CommunityServer/master/docker-compose.yml
docker-compose up -d docker-compose up -d
``` ```
## ONLYOFFICE Document Server ipv6 setup
(Works and is supported only for Linux hosts)
Docker does not currently provide ipv6 addresses to containers by default. This function is experimental now.
To set up interaction via ipv6, you need to enable support for this feature in your Docker. For this you need:
- create the `/etc/docker/daemon.json` file with the following content:
```
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:abc1::/64"
}
```
- restart docker with the following command: `systemctl restart docker`
After that, all running containers receive an ipv6 address and have an inet6 interface.
You can check your default bridge network and see the field there
`EnableIPv6=true`. A new ipv6 subnet will also be added.
For more information, visit the official [Docker manual site](https://docs.docker.com/config/daemon/ipv6/)
## Issues ## Issues
### Docker Issues ### Docker Issues
@ -566,9 +309,7 @@ SaaS version: [https://www.onlyoffice.com/cloud-office.aspx](https://www.onlyoff
## User Feedback and Support ## User Feedback and Support
If you have any problems with or questions about this image, please visit our official forum to find answers to your questions: [forum.onlyoffice.com][1] or you can ask and answer ONLYOFFICE development questions on [Stack Overflow][2]. If you have any problems with or questions about this image, please visit our official forum to find answers to your questions: [dev.onlyoffice.org][1] or you can ask and answer ONLYOFFICE development questions on [Stack Overflow][2].
[1]: https://forum.onlyoffice.com [1]: http://dev.onlyoffice.org
[2]: https://stackoverflow.com/questions/tagged/onlyoffice [2]: http://stackoverflow.com/questions/tagged/onlyoffice
</details>

31
activemq.yml Normal file

@ -0,0 +1,31 @@
version: '2'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
environment:
- AMQP_SERVER_URL=amqp://guest:guest@onlyoffice-activemq
- AMQP_SERVER_TYPE=activemq
stdin_open: true
restart: always
ports:
- '80:80'
- '443:443'
networks:
- onlyoffice
onlyoffice-activemq:
container_name: onlyoffice-activemq
image: webcenter/activemq:5.14.3
environment:
- ACTIVEMQ_USERS_guest=guest
- ACTIVEMQ_GROUPS_owners=guest
restart: always
networks:
- onlyoffice
expose:
- '5672'
networks:
onlyoffice:
driver: 'bridge'

@ -1,18 +0,0 @@
import requests
import os
response = requests.get("https://api.github.com/repos/ONLYOFFICE/DocumentServer/releases/latest")
print('docker buildx build --push --platform linux/arm64,linux/amd64 --tag jiriks74/onlyoffice-documentserver:latest .')
os.system(f'docker buildx build --push --platform linux/arm64,linux/amd64 --tag jiriks74/onlyoffice-documentserver:latest .')
print("///////////////////////////////////////////////////////////////////////////")
print('Build and push ":latest" .........................................finished')
print("///////////////////////////////////////////////////////////////////////////")
print()
print(f'docker buildx build --push --platform linux/arm64,linux/amd64 --tag jiriks74/onlyoffice-documentserver:{response.json()["name"].replace("ONLYOFFICE-DocumentServer-", "")} .')
os.system(f'docker buildx build --push --platform linux/arm64,linux/amd64 --tag jiriks74/onlyoffice-documentserver:{response.json()["name"].replace("ONLYOFFICE-DocumentServer-", "")} .')
print("///////////////////////////////////////////////////////////////////////////")
print(f'Build and push ":{response.json()["name"].replace("ONLYOFFICE-DocumentServer-", "")}".........................................finished')
print("///////////////////////////////////////////////////////////////////////////")

196
config/nginx/nginx Normal file

@ -0,0 +1,196 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network $syslog $named
# Required-Stop: $local_fs $remote_fs $network $syslog $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=nginx
DESC=nginx
# Include nginx defaults if available
if [ -r /etc/default/nginx ]; then
. /etc/default/nginx
fi
STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/5/KILL/5}"
test -x $DAEMON || exit 0
. /lib/init/vars.sh
. /lib/lsb/init-functions
# Try to extract nginx pidfile
PID=$(cat /etc/nginx/nginx.conf | grep -Ev '^\s*#' | awk 'BEGIN { RS="[;{}]" } { if ($1 == "pid") print $2 }' | head -n1)
if [ -z "$PID" ]; then
PID=/tmp/nginx.pid
fi
if [ -n "$ULIMIT" ]; then
# Set ulimit if it is set in /etc/default/nginx
ulimit $ULIMIT
fi
start_nginx() {
# Start the daemon/service
#
# Returns:
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PID --chuid www-data:www-data --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PID --chuid www-data:www-data --exec $DAEMON -- \
$DAEMON_OPTS 2>/dev/null \
|| return 2
}
test_config() {
# Test the nginx configuration
$DAEMON -t $DAEMON_OPTS >/dev/null 2>&1
}
stop_nginx() {
# Stops the daemon/service
#
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PID --name $NAME
RETVAL="$?"
sleep 1
return "$RETVAL"
}
reload_nginx() {
# Function that sends a SIGHUP to the daemon/service
start-stop-daemon --stop --signal HUP --quiet --pidfile $PID --name $NAME
return 0
}
rotate_logs() {
# Rotate log files
start-stop-daemon --stop --signal USR1 --quiet --pidfile $PID --name $NAME
return 0
}
upgrade_nginx() {
# Online upgrade nginx executable
# http://nginx.org/en/docs/control.html
#
# Return
# 0 if nginx has been successfully upgraded
# 1 if nginx is not running
# 2 if the pid files were not created on time
# 3 if the old master could not be killed
if start-stop-daemon --stop --signal USR2 --quiet --pidfile $PID --name $NAME; then
# Wait for both old and new master to write their pid file
while [ ! -s "${PID}.oldbin" ] || [ ! -s "${PID}" ]; do
cnt=`expr $cnt + 1`
if [ $cnt -gt 10 ]; then
return 2
fi
sleep 1
done
# Everything is ready, gracefully stop the old master
if start-stop-daemon --stop --signal QUIT --quiet --pidfile "${PID}.oldbin" --name $NAME; then
return 0
else
return 3
fi
else
return 1
fi
}
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
start_nginx
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
stop_nginx
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
# Check configuration before stopping nginx
if ! test_config; then
log_end_msg 1 # Configuration error
exit $?
fi
stop_nginx
case "$?" in
0|1)
start_nginx
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
reload|force-reload)
log_daemon_msg "Reloading $DESC configuration" "$NAME"
# Check configuration before stopping nginx
#
# This is not entirely correct since the on-disk nginx binary
# may differ from the in-memory one, but that's not common.
# We prefer to check the configuration and return an error
# to the administrator.
if ! test_config; then
log_end_msg 1 # Configuration error
exit $?
fi
reload_nginx
log_end_msg $?
;;
configtest|testconfig)
log_daemon_msg "Testing $DESC configuration"
test_config
log_end_msg $?
;;
status)
status_of_proc -p $PID "$DAEMON" "$NAME" && exit 0 || exit $?
;;
upgrade)
log_daemon_msg "Upgrading binary" "$NAME"
upgrade_nginx
log_end_msg $?
;;
rotate)
log_daemon_msg "Re-opening $DESC log files" "$NAME"
rotate_logs
log_end_msg $?
;;
*)
echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}" >&2
exit 3
;;
esac

63
config/nginx/nginx.conf Normal file

@ -0,0 +1,63 @@
user www-data;
worker_processes 1;
pid /tmp/nginx.pid;
events {
worker_connections 524288;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log off;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

@ -1,13 +0,0 @@
[program:converter]
command=/var/www/COMPANY_NAME/documentserver/server/FileConverter/converter
directory=/var/www/COMPANY_NAME/documentserver/server/FileConverter
user=ds
environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1,APPLICATION_NAME=COMPANY_NAME
stdout_logfile=/var/log/COMPANY_NAME/documentserver/converter/out.log
stdout_logfile_backups=0
stdout_logfile_maxbytes=0
stderr_logfile=/var/log/COMPANY_NAME/documentserver/converter/err.log
stderr_logfile_backups=0
stderr_logfile_maxbytes=0
autostart=true
autorestart=true

@ -1,13 +0,0 @@
[program:docservice]
command=/var/www/COMPANY_NAME/documentserver/server/DocService/docservice
directory=/var/www/COMPANY_NAME/documentserver/server/DocService
user=ds
environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1
stdout_logfile=/var/log/COMPANY_NAME/documentserver/docservice/out.log
stdout_logfile_backups=0
stdout_logfile_maxbytes=0
stderr_logfile=/var/log/COMPANY_NAME/documentserver/docservice/err.log
stderr_logfile_backups=0
stderr_logfile_maxbytes=0
autostart=true
autorestart=true

@ -1,14 +0,0 @@
[program:example]
command=/var/www/COMPANY_NAME/documentserver-example/example
directory=/var/www/COMPANY_NAME/documentserver-example/
user=ds
environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver-example,NODE_DISABLE_COLORS=1
stdout_logfile=/var/log/COMPANY_NAME/documentserver-example/out.log
stdout_logfile_backups=0
stdout_logfile_maxbytes=0
stderr_logfile=/var/log/COMPANY_NAME/documentserver-example/err.log
stderr_logfile_backups=0
stderr_logfile_maxbytes=0
autostart=false
autorestart=true
redirect_stderr=true

@ -1,13 +0,0 @@
[program:metrics]
command=/var/www/COMPANY_NAME/documentserver/server/Metrics/metrics ./config/config.js
directory=/var/www/COMPANY_NAME/documentserver/server/Metrics
user=ds
environment=NODE_DISABLE_COLORS=1
stdout_logfile=/var/log/COMPANY_NAME/documentserver/metrics/out.log
stdout_logfile_backups=0
stdout_logfile_maxbytes=0
stderr_logfile=/var/log/COMPANY_NAME/documentserver/metrics/err.log
stderr_logfile_backups=0
stderr_logfile_maxbytes=0
autostart=true
autorestart=true

@ -1,2 +0,0 @@
[group:ds]
programs=docservice,converter,metrics,example

@ -30,8 +30,8 @@ DESC=supervisor
test -x $DAEMON || exit 0 test -x $DAEMON || exit 0
LOGDIR=/var/log/supervisor LOGDIR=/tmp
PIDFILE=/var/run/$NAME.pid PIDFILE=/tmp/$NAME.pid
PS_COUNT=0 PS_COUNT=0
DODTIME=5 # Time to wait for the server to die, in seconds DODTIME=5 # Time to wait for the server to die, in seconds
# If this value is set too low you might not # If this value is set too low you might not
@ -101,7 +101,7 @@ case "$1" in
rm -f "$PIDFILE" rm -f "$PIDFILE"
fi fi
echo -n "Starting $DESC: " echo -n "Starting $DESC: "
start-stop-daemon --start --quiet --pidfile $PIDFILE \ start-stop-daemon --start --quiet --chuid ds:ds --pidfile $PIDFILE \
--startas $DAEMON -- $DAEMON_OPTS --startas $DAEMON -- $DAEMON_OPTS
test -f $PIDFILE || sleep 1 test -f $PIDFILE || sleep 1
if running ; then if running ; then
@ -152,7 +152,7 @@ case "$1" in
echo -n "Restarting $DESC: " echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE
[ -n "$DODTIME" ] && sleep $DODTIME [ -n "$DODTIME" ] && sleep $DODTIME
start-stop-daemon --start --quiet --pidfile $PIDFILE \ start-stop-daemon --start --quiet --chuid ds:ds --pidfile $PIDFILE \
--startas $DAEMON -- $DAEMON_OPTS --startas $DAEMON -- $DAEMON_OPTS
echo "$NAME." echo "$NAME."
;; ;;

@ -0,0 +1,27 @@
; supervisor config file
[inet_http_server]
port = 127.0.0.1:9001
[supervisord]
logfile=/tmp/supervisord.log ; (main log file;default $CWD/supervisord.log)
pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
; the below section must remain in the config file for RPC
; (supervisorctl/web interface) to work, additional interfaces may be
; added by defining them in separate rpcinterface: sections
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl = http://localhost:9001 ; use a unix:// URL for a unix socket
; The [include] section can just contain the "files" setting. This
; setting can list multiple files (separated by whitespace or
; newlines). It can also contain wildcards. The filenames are
; interpreted as relative to this file. Included files *cannot*
; include files themselves.
[include]
files = /etc/supervisor/conf.d/*.conf

@ -1,11 +0,0 @@
{ pkgs ? (import <nixpkgs> {
config.allowUnfree = true;
}),
}:
pkgs.mkShell {
pure = true;
packages = with pkgs; [
# Choose the build tools that you need
act
];
}

@ -1,169 +0,0 @@
variable "TAG" {
default = ""
}
variable "SHORTER_TAG" {
default = ""
}
variable "SHORTEST_TAG" {
default = ""
}
variable "PULL_TAG" {
default = ""
}
variable "COMPANY_NAME" {
default = ""
}
variable "PREFIX_NAME" {
default = ""
}
variable "PRODUCT_EDITION" {
default = ""
}
variable "PRODUCT_NAME" {
default = ""
}
variable "PACKAGE_VERSION" {
default = ""
}
variable "DOCKERFILE" {
default = ""
}
variable "PLATFORM" {
default = ""
}
variable "PACKAGE_BASEURL" {
default = ""
}
variable "PACKAGE_FILE" {
default = ""
}
variable "BUILD_CHANNEL" {
default = ""
}
variable "PUSH_MAJOR" {
default = "false"
}
variable "LATEST" {
default = "false"
}
### Variables for UCS build
variable "BASE_IMAGE" {
default = ""
}
variable "PG_VERSION" {
default = ""
}
variable "UCS_REBUILD" {
default = ""
}
variable "UCS_PREFIX" {
default = ""
}
### Variables for UCS build
target "documentserver" {
target = "documentserver"
dockerfile = "${DOCKERFILE}"
tags = [
"docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}",
equal("nightly",BUILD_CHANNEL) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest": "",
]
platforms = ["${PLATFORM}"]
args = {
"COMPANY_NAME": "${COMPANY_NAME}"
"PRODUCT_NAME": "${PRODUCT_NAME}"
"PRODUCT_EDITION": "${PRODUCT_EDITION}"
"PACKAGE_VERSION": "${PACKAGE_VERSION}"
"PACKAGE_BASEURL": "${PACKAGE_BASEURL}"
"PLATFORM": "${PLATFORM}"
}
}
target "documentserver-stable" {
target = "documentserver-stable"
dockerfile = "production.dockerfile"
tags = ["docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}",
"docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTER_TAG}",
"docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTEST_TAG}",
"docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest",
equal("-ee",PRODUCT_EDITION) ? "docker.io/${COMPANY_NAME}4enterprise/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}": "",]
platforms = ["linux/amd64", "linux/arm64"]
args = {
"PULL_TAG": "${PULL_TAG}"
"COMPANY_NAME": "${COMPANY_NAME}"
"PRODUCT_NAME": "${PRODUCT_NAME}"
"PRODUCT_EDITION": "${PRODUCT_EDITION}"
}
}
target "documentserver-ucs" {
target = "documentserver"
dockerfile = "${DOCKERFILE}"
tags = [
"docker.io/${COMPANY_NAME}/${PRODUCT_NAME}${PRODUCT_EDITION}-ucs:${TAG}"
]
platforms = ["linux/amd64", "linux/arm64"]
args = {
"PRODUCT_EDITION": "${PRODUCT_EDITION}"
"PRODUCT_NAME": "${PRODUCT_NAME}"
"COMPANY_NAME": "${COMPANY_NAME}"
"PACKAGE_VERSION": "${PACKAGE_VERSION}"
"PACKAGE_BASEURL": "${PACKAGE_BASEURL}"
"BASE_IMAGE": "${BASE_IMAGE}"
"PG_VERSION": "${PG_VERSION}"
}
}
target "documentserver-nonexample" {
target = "documentserver-nonexample"
dockerfile = "production.dockerfile"
tags = [ "docker.io/${COMPANY_NAME}/${PRODUCT_NAME}${PREFIX_NAME}${PRODUCT_EDITION}:${TAG}-nonexample" ]
platforms = ["linux/amd64", "linux/arm64"]
args = {
"PULL_TAG": "${PULL_TAG}"
"COMPANY_NAME": "${COMPANY_NAME}"
"PRODUCT_NAME": "${PRODUCT_NAME}"
"PRODUCT_EDITION": "${PRODUCT_EDITION}"
}
}
target "documentserver-stable-rebuild" {
target = "documentserver-stable-rebuild"
dockerfile = "production.dockerfile"
tags = equal("true",UCS_REBUILD) ? ["docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}-ucs:${TAG}",] : [
"docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}",
equal("",PREFIX_NAME) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTER_TAG}": "",
equal("true",PUSH_MAJOR) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTEST_TAG}": "",
equal("",PREFIX_NAME) && equal("true",LATEST) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest": "",
equal("-ee",PRODUCT_EDITION) && equal("",PREFIX_NAME) ? "docker.io/${COMPANY_NAME}4enterprise/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}": "",
]
platforms = ["linux/amd64", "linux/arm64"]
args = {
"UCS_PREFIX": "${UCS_PREFIX}"
"PULL_TAG": "${PULL_TAG}"
"COMPANY_NAME": "${COMPANY_NAME}"
"PRODUCT_NAME": "${PRODUCT_NAME}"
"PRODUCT_EDITION": "${PRODUCT_EDITION}"
}
}

@ -1,61 +1,117 @@
version: '2' version: '2'
services: services:
onlyoffice-documentserver: onlyoffice-documentserver-data:
build: container_name: onlyoffice-documentserver-data
context: . image: onlyoffice/documentserver:latest
container_name: onlyoffice-documentserver
depends_on:
- onlyoffice-postgresql
- onlyoffice-rabbitmq
environment: environment:
- DB_TYPE=postgres - ONLYOFFICE_DATA_CONTAINER=true
- DB_HOST=onlyoffice-postgresql - POSTGRESQL_SERVER_HOST=onlyoffice-postgresql
- DB_PORT=5432 - POSTGRESQL_SERVER_PORT=5432
- DB_NAME=onlyoffice - POSTGRESQL_SERVER_DB_NAME=onlyoffice
- DB_USER=onlyoffice - POSTGRESQL_SERVER_USER=onlyoffice
- AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq - AMQP_SERVER_URL=amqp://guest:guest@onlyoffice-rabbitmq
- REDIS_SERVER_HOST=onlyoffice-redis
- REDIS_SERVER_PORT=6379
# Uncomment strings below to enable the JSON Web Token validation. # Uncomment strings below to enable the JSON Web Token validation.
#- JWT_ENABLED=true #- JWT_ENABLED=true
#- JWT_SECRET=secret #- JWT_SECRET=secret
#- JWT_HEADER=AuthorizationJwt #- JWT_HEADER=Authorization
#- JWT_IN_BODY=true
# Uncomment the line below to set larger file limits (about 1GB)
#- LARGER_FILE_LIMITS=true
ports:
- '80:80'
- '443:443'
stdin_open: true stdin_open: true
restart: always restart: always
stop_grace_period: 120s networks:
- onlyoffice
volumes: volumes:
# Uncomment the line below to get access to the slide themes directory. - /etc/onlyoffice
# To use the themes, copy them to the slideThemes directory and run `docker exec -it <container-name> /usr/bin/documentserver-generate-allfonts.sh`
#- ./slideThemes:/var/www/onlyoffice/documentserver/sdkjs/slide/themes/src
- /var/www/onlyoffice/Data - /var/www/onlyoffice/Data
- /var/log/onlyoffice - /var/log/onlyoffice
- /var/lib/onlyoffice/documentserver/App_Data/cache/files - /var/lib/onlyoffice/documentserver/App_Data/cache/files
- /var/www/onlyoffice/documentserver-example/public/files - /var/www/onlyoffice/documentserver-example/public/files
- /usr/share/fonts - /usr/share/fonts
onlyoffice-documentserver:
image: onlyoffice/documentserver:latest
depends_on:
- onlyoffice-documentserver-data
- onlyoffice-postgresql
- onlyoffice-redis
- onlyoffice-rabbitmq
environment:
- ONLYOFFICE_DATA_CONTAINER_HOST=onlyoffice-documentserver-data
- BALANCE=uri depth 3
- EXCLUDE_PORTS=443
- HTTP_CHECK=GET /healthcheck
- EXTRA_SETTINGS=http-check expect string true
# Uncomment the string below to redirect HTTP request to HTTPS request.
#- FORCE_SSL=true
stdin_open: true
restart: always
networks:
- onlyoffice
expose:
- '80'
volumes_from:
- onlyoffice-documentserver-data
onlyoffice-haproxy:
container_name: onlyoffice-haproxy
image: dockercloud/haproxy:1.5.1
depends_on:
- onlyoffice-documentserver
environment:
- MODE=http
# Uncomment the string below to specify the path of ssl certificates
#- CERT_FOLDER=/certs/
stdin_open: true
links:
- onlyoffice-documentserver
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Uncomment the string below to map a ssl certificate from host
# to the proxy container
#- /app/onlyoffice/DocumentServer/data/certs/onlyoffice.pem:/certs/cert1.pem
restart: always
networks:
- onlyoffice
ports:
- '80:80'
- '443:443'
- '1936:1936'
onlyoffice-redis:
container_name: onlyoffice-redis
image: redis
restart: always
networks:
- onlyoffice
expose:
- '6379'
onlyoffice-rabbitmq: onlyoffice-rabbitmq:
container_name: onlyoffice-rabbitmq container_name: onlyoffice-rabbitmq
image: rabbitmq image: rabbitmq
restart: always restart: always
networks:
- onlyoffice
expose: expose:
- '5672' - '5672'
onlyoffice-postgresql: onlyoffice-postgresql:
container_name: onlyoffice-postgresql container_name: onlyoffice-postgresql
image: postgres:12 image: postgres:9.5
environment: environment:
- POSTGRES_DB=onlyoffice - POSTGRES_DB=onlyoffice
- POSTGRES_USER=onlyoffice - POSTGRES_USER=onlyoffice
- POSTGRES_HOST_AUTH_METHOD=trust networks:
- onlyoffice
restart: always restart: always
expose: expose:
- '5432' - '5432'
volumes: volumes:
- postgresql_data:/var/lib/postgresql - postgresql_data:/var/lib/postgresql
networks:
onlyoffice:
driver: 'bridge'
volumes: volumes:
postgresql_data: postgresql_data:

@ -1,33 +0,0 @@
### Arguments avavlivable only for FROM instruction ###
ARG PULL_TAG=latest
ARG COMPANY_NAME=onlyoffice
ARG PRODUCT_EDITION=
### Rebuild arguments
ARG UCS_PREFIX=
ARG IMAGE=${COMPANY_NAME}/documentserver${PRODUCT_EDITION}${UCS_PREFIX}:${PULL_TAG}
### Build main-release ###
FROM ${COMPANY_NAME}/4testing-documentserver${PRODUCT_EDITION}:${PULL_TAG} as documentserver-stable
### Rebuild stable images with secure updates
FROM ${IMAGE} as documentserver-stable-rebuild
RUN echo "This is rebuild" \
&& apt-get update -y \
&& apt-get upgrade -y
### Build nonexample ###
FROM ${COMPANY_NAME}/documentserver${PRODUCT_EDITION}:${PULL_TAG} as documentserver-nonexample
ARG COMPANY_NAME=onlyoffice
ARG PRODUCT_NAME=documentserver
ARG DS_SUPERVISOR_CONF=/etc/supervisor/conf.d/ds.conf
### Remove all documentserver-example data ###
RUN rm -rf /var/www/$COMPANY_NAME/$PRODUCT_NAME-example \
&& rm -rf /etc/$COMPANY_NAME/$PRODUCT_NAME-example \
&& rm -f $DS_SUPERVISOR_CONF \
&& rm -f /etc/nginx/includes/ds-example.conf \
&& ln -s /etc/$COMPANY_NAME/$PRODUCT_NAME/supervisor/ds.conf $DS_SUPERVISOR_CONF

400
run-document-server.sh Normal file → Executable file

@ -1,69 +1,26 @@
#!/bin/bash #!/bin/bash
umask 0022
function clean_exit {
if [ ${ONLYOFFICE_DATA_CONTAINER} == "false" ] && \
[ ${ONLYOFFICE_DATA_CONTAINER_HOST} == "localhost" ]; then
/usr/bin/documentserver-prepare4shutdown.sh
fi
}
trap clean_exit SIGTERM
# Define '**' behavior explicitly # Define '**' behavior explicitly
shopt -s globstar shopt -s globstar
APP_DIR="/var/www/${COMPANY_NAME}/documentserver" APP_DIR="/var/www/${COMPANY_NAME}/documentserver"
DATA_DIR="/var/www/${COMPANY_NAME}/Data" DATA_DIR="/var/www/${COMPANY_NAME}/Data"
PRIVATE_DATA_DIR="${DATA_DIR}/.private"
DS_RELEASE_DATE="${PRIVATE_DATA_DIR}/ds_release_date"
LOG_DIR="/var/log/${COMPANY_NAME}" LOG_DIR="/var/log/${COMPANY_NAME}"
DS_LOG_DIR="${LOG_DIR}/documentserver" DS_LOG_DIR="${LOG_DIR}/documentserver"
LIB_DIR="/var/lib/${COMPANY_NAME}" LIB_DIR="/var/lib/${COMPANY_NAME}"
DS_LIB_DIR="${LIB_DIR}/documentserver" DS_LIB_DIR="${LIB_DIR}/documentserver"
CONF_DIR="/etc/${COMPANY_NAME}/documentserver" CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
IS_UPGRADE="false"
ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false} ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost} ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
ONLYOFFICE_DATA_CONTAINER_PORT=80 ONLYOFFICE_DATA_CONTAINER_PORT=80
RELEASE_DATE="$(stat -c="%y" ${APP_DIR}/server/DocService/docservice | sed -r 's/=([0-9]+)-([0-9]+)-([0-9]+) ([0-9:.+ ]+)/\1-\2-\3/')"; SSL_CERTIFICATES_DIR="${DATA_DIR}/certs"
if [ -f ${DS_RELEASE_DATE} ]; then SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt}
PREV_RELEASE_DATE=$(head -n 1 ${DS_RELEASE_DATE}) SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key}
else
PREV_RELEASE_DATE="0"
fi
if [ "${RELEASE_DATE}" != "${PREV_RELEASE_DATE}" ]; then
if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
IS_UPGRADE="true";
fi
fi
SSL_CERTIFICATES_DIR="/usr/share/ca-certificates/ds"
mkdir -p ${SSL_CERTIFICATES_DIR}
if [[ -d ${DATA_DIR}/certs ]] && [ -e ${DATA_DIR}/certs/*.crt ]; then
cp -f ${DATA_DIR}/certs/* ${SSL_CERTIFICATES_DIR}
chmod 644 ${SSL_CERTIFICATES_DIR}/*.crt ${SSL_CERTIFICATES_DIR}/*.pem
chmod 400 ${SSL_CERTIFICATES_DIR}/*.key
fi
if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.crt ]]; then
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.crt
else
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
fi
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.key ]]; then
SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.key
else
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
fi
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem} CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
USE_UNAUTHORIZED_STORAGE=${USE_UNAUTHORIZED_STORAGE:-false}
ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true} ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true}
ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAGE:-31536000} ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAGE:-31536000}
SYSCONF_TEMPLATES_DIR="/app/ds/setup/config" SYSCONF_TEMPLATES_DIR="/app/ds/setup/config"
@ -76,100 +33,42 @@ NGINX_ONLYOFFICE_EXAMPLE_CONF="${NGINX_ONLYOFFICE_EXAMPLE_PATH}/includes/ds-exam
NGINX_CONFIG_PATH="/etc/nginx/nginx.conf" NGINX_CONFIG_PATH="/etc/nginx/nginx.conf"
NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1} NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
# Limiting the maximum number of simultaneous connections due to possible memory shortage NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-$(ulimit -n)}
[ $(ulimit -n) -gt 1048576 ] && NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-1048576} || NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-$(ulimit -n)}
JWT_ENABLED=${JWT_ENABLED:-true} JWT_ENABLED=${JWT_ENABLED:-false}
JWT_SECRET=${JWT_SECRET:-secret}
# validate user's vars before usinig in json
if [ "${JWT_ENABLED}" == "true" ]; then
JWT_ENABLED="true"
else
JWT_ENABLED="false"
fi
[ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
JWT_SECRET=${JWT_SECRET:-$(pwgen -s 32)}
JWT_HEADER=${JWT_HEADER:-Authorization} JWT_HEADER=${JWT_HEADER:-Authorization}
JWT_IN_BODY=${JWT_IN_BODY:-false}
WOPI_ENABLED=${WOPI_ENABLED:-false}
ALLOW_META_IP_ADDRESS=${ALLOW_META_IP_ADDRESS:-false}
ALLOW_PRIVATE_IP_ADDRESS=${ALLOW_PRIVATE_IP_ADDRESS:-false}
GENERATE_FONTS=${GENERATE_FONTS:-true}
if [[ ${PRODUCT_NAME}${PRODUCT_EDITION} == "documentserver" ]]; then
REDIS_ENABLED=false
else
REDIS_ENABLED=true
fi
ONLYOFFICE_DEFAULT_CONFIG=${CONF_DIR}/local.json ONLYOFFICE_DEFAULT_CONFIG=${CONF_DIR}/local.json
ONLYOFFICE_LOG4JS_CONFIG=${CONF_DIR}/log4js/production.json ONLYOFFICE_LOG4JS_CONFIG=${CONF_DIR}/log4js/production.json
ONLYOFFICE_EXAMPLE_CONFIG=${CONF_DIR}-example/local.json ONLYOFFICE_EXAMPLE_CONFIG=${CONF_DIR}-example/local.json
JSON_BIN=${APP_DIR}/npm/json JSON_BIN=${APP_DIR}/npm/node_modules/.bin/json
JSON="${JSON_BIN} -q -f ${ONLYOFFICE_DEFAULT_CONFIG}" JSON="${JSON_BIN} -q -f ${ONLYOFFICE_DEFAULT_CONFIG}"
JSON_LOG="${JSON_BIN} -q -f ${ONLYOFFICE_LOG4JS_CONFIG}" JSON_LOG="${JSON_BIN} -q -f ${ONLYOFFICE_LOG4JS_CONFIG}"
JSON_EXAMPLE="${JSON_BIN} -q -f ${ONLYOFFICE_EXAMPLE_CONFIG}" JSON_EXAMPLE="${JSON_BIN} -q -f ${ONLYOFFICE_EXAMPLE_CONFIG}"
DS_PORT=${DS_PORT:-80}
LOCAL_SERVICES=() LOCAL_SERVICES=()
PG_ROOT=/var/lib/postgresql PG_ROOT=/var/lib/postgresql
PG_VERSION=9.5
PG_NAME=main PG_NAME=main
PGDATA=${PG_ROOT}/${PG_VERSION}/${PG_NAME} PGDATA=${PG_ROOT}/${PG_VERSION}/${PG_NAME}
PG_NEW_CLUSTER=false PG_NEW_CLUSTER=false
RABBITMQ_DATA=/var/lib/rabbitmq
REDIS_DATA=/var/lib/redis
if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
LETSENCRYPT_ROOT_DIR="/etc/letsencrypt/live"
SSL_CERTIFICATE_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/fullchain.pem
SSL_KEY_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/privkey.pem
fi
read_setting(){ read_setting(){
deprecated_var POSTGRESQL_SERVER_HOST DB_HOST POSTGRESQL_SERVER_HOST=${POSTGRESQL_SERVER_HOST:-$(${JSON} services.CoAuthoring.sql.dbHost)}
deprecated_var POSTGRESQL_SERVER_PORT DB_PORT POSTGRESQL_SERVER_PORT=${POSTGRESQL_SERVER_PORT:-5432}
deprecated_var POSTGRESQL_SERVER_DB_NAME DB_NAME POSTGRESQL_SERVER_DB_NAME=${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}
deprecated_var POSTGRESQL_SERVER_USER DB_USER POSTGRESQL_SERVER_USER=${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}
deprecated_var POSTGRESQL_SERVER_PASS DB_PWD POSTGRESQL_SERVER_PASS=${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}
deprecated_var RABBITMQ_SERVER_URL AMQP_URI
deprecated_var AMQP_SERVER_URL AMQP_URI
deprecated_var AMQP_SERVER_TYPE AMQP_TYPE
METRICS_ENABLED="${METRICS_ENABLED:-false}"
METRICS_HOST="${METRICS_HOST:-localhost}"
METRICS_PORT="${METRICS_PORT:-8125}"
METRICS_PREFIX="${METRICS_PREFIX:-.ds}"
DB_HOST=${DB_HOST:-${POSTGRESQL_SERVER_HOST:-$(${JSON} services.CoAuthoring.sql.dbHost)}}
DB_TYPE=${DB_TYPE:-$(${JSON} services.CoAuthoring.sql.type)}
case $DB_TYPE in
"postgres")
DB_PORT=${DB_PORT:-"5432"}
;;
"mariadb"|"mysql")
DB_PORT=${DB_PORT:-"3306"}
;;
"")
DB_PORT=${DB_PORT:-${POSTGRESQL_SERVER_PORT:-$(${JSON} services.CoAuthoring.sql.dbPort)}}
;;
*)
echo "ERROR: unknown database type"
exit 1
;;
esac
DB_NAME=${DB_NAME:-${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}}
DB_USER=${DB_USER:-${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}}
DB_PWD=${DB_PWD:-${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}}
RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)} RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
AMQP_URI=${AMQP_URI:-${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}} AMQP_SERVER_URL=${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}
AMQP_TYPE=${AMQP_TYPE:-${AMQP_SERVER_TYPE:-rabbitmq}} AMQP_SERVER_TYPE=${AMQP_SERVER_TYPE:-rabbitmq}
parse_rabbitmq_url ${AMQP_URI} parse_rabbitmq_url ${AMQP_SERVER_URL}
REDIS_SERVER_HOST=${REDIS_SERVER_HOST:-$(${JSON} services.CoAuthoring.redis.host)} REDIS_SERVER_HOST=${REDIS_SERVER_HOST:-$(${JSON} services.CoAuthoring.redis.host)}
REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-6379} REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-6379}
@ -177,12 +76,6 @@ read_setting(){
DS_LOG_LEVEL=${DS_LOG_LEVEL:-$(${JSON_LOG} categories.default.level)} DS_LOG_LEVEL=${DS_LOG_LEVEL:-$(${JSON_LOG} categories.default.level)}
} }
deprecated_var() {
if [[ -n ${!1} ]]; then
echo "Variable $1 is deprecated. Use $2 instead."
fi
}
parse_rabbitmq_url(){ parse_rabbitmq_url(){
local amqp=$1 local amqp=$1
@ -205,7 +98,7 @@ parse_rabbitmq_url(){
# extract the host # extract the host
local hostport="$(echo ${url/$userpass@/} | cut -d/ -f1)" local hostport="$(echo ${url/$userpass@/} | cut -d/ -f1)"
# by request - try to extract the port # by request - try to extract the port
local port="$(echo $hostport | grep : | sed -r 's_^.*:+|/.*$__g')" local port="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')"
local host local host
if [ -n "$port" ]; then if [ -n "$port" ]; then
@ -232,8 +125,8 @@ waiting_for_connection(){
done done
} }
waiting_for_db(){ waiting_for_postgresql(){
waiting_for_connection $DB_HOST $DB_PORT waiting_for_connection ${POSTGRESQL_SERVER_HOST} ${POSTGRESQL_SERVER_PORT}
} }
waiting_for_amqp(){ waiting_for_amqp(){
@ -246,32 +139,22 @@ waiting_for_redis(){
waiting_for_datacontainer(){ waiting_for_datacontainer(){
waiting_for_connection ${ONLYOFFICE_DATA_CONTAINER_HOST} ${ONLYOFFICE_DATA_CONTAINER_PORT} waiting_for_connection ${ONLYOFFICE_DATA_CONTAINER_HOST} ${ONLYOFFICE_DATA_CONTAINER_PORT}
} }
update_postgresql_settings(){
update_statsd_settings(){ ${JSON} -I -e "this.services.CoAuthoring.sql.dbHost = '${POSTGRESQL_SERVER_HOST}'"
${JSON} -I -e "if(this.statsd===undefined)this.statsd={};" ${JSON} -I -e "this.services.CoAuthoring.sql.dbPort = '${POSTGRESQL_SERVER_PORT}'"
${JSON} -I -e "this.statsd.useMetrics = '${METRICS_ENABLED}'" ${JSON} -I -e "this.services.CoAuthoring.sql.dbName = '${POSTGRESQL_SERVER_DB_NAME}'"
${JSON} -I -e "this.statsd.host = '${METRICS_HOST}'" ${JSON} -I -e "this.services.CoAuthoring.sql.dbUser = '${POSTGRESQL_SERVER_USER}'"
${JSON} -I -e "this.statsd.port = '${METRICS_PORT}'" ${JSON} -I -e "this.services.CoAuthoring.sql.dbPass = '${POSTGRESQL_SERVER_PASS}'"
${JSON} -I -e "this.statsd.prefix = '${METRICS_PREFIX}'"
}
update_db_settings(){
${JSON} -I -e "this.services.CoAuthoring.sql.type = '${DB_TYPE}'"
${JSON} -I -e "this.services.CoAuthoring.sql.dbHost = '${DB_HOST}'"
${JSON} -I -e "this.services.CoAuthoring.sql.dbPort = '${DB_PORT}'"
${JSON} -I -e "this.services.CoAuthoring.sql.dbName = '${DB_NAME}'"
${JSON} -I -e "this.services.CoAuthoring.sql.dbUser = '${DB_USER}'"
${JSON} -I -e "this.services.CoAuthoring.sql.dbPass = '${DB_PWD}'"
} }
update_rabbitmq_setting(){ update_rabbitmq_setting(){
if [ "${AMQP_TYPE}" == "rabbitmq" ]; then if [ "${AMQP_SERVER_TYPE}" == "rabbitmq" ]; then
${JSON} -I -e "if(this.queue===undefined)this.queue={};" ${JSON} -I -e "if(this.queue===undefined)this.queue={};"
${JSON} -I -e "this.queue.type = 'rabbitmq'" ${JSON} -I -e "this.queue.type = 'rabbitmq'"
${JSON} -I -e "this.rabbitmq.url = '${AMQP_URI}'" ${JSON} -I -e "this.rabbitmq.url = '${AMQP_SERVER_URL}'"
fi fi
if [ "${AMQP_TYPE}" == "activemq" ]; then if [ "${AMQP_SERVER_TYPE}" == "activemq" ]; then
${JSON} -I -e "if(this.queue===undefined)this.queue={};" ${JSON} -I -e "if(this.queue===undefined)this.queue={};"
${JSON} -I -e "this.queue.type = 'activemq'" ${JSON} -I -e "this.queue.type = 'activemq'"
${JSON} -I -e "if(this.activemq===undefined)this.activemq={};" ${JSON} -I -e "if(this.activemq===undefined)this.activemq={};"
@ -309,17 +192,12 @@ update_rabbitmq_setting(){
} }
update_redis_settings(){ update_redis_settings(){
${JSON} -I -e "if(this.services.CoAuthoring.redis===undefined)this.services.CoAuthoring.redis={};"
${JSON} -I -e "this.services.CoAuthoring.redis.host = '${REDIS_SERVER_HOST}'" ${JSON} -I -e "this.services.CoAuthoring.redis.host = '${REDIS_SERVER_HOST}'"
${JSON} -I -e "this.services.CoAuthoring.redis.port = '${REDIS_SERVER_PORT}'" ${JSON} -I -e "this.services.CoAuthoring.redis.port = '${REDIS_SERVER_PORT}'"
if [ -n "${REDIS_SERVER_PASS}" ]; then
${JSON} -I -e "this.services.CoAuthoring.redis.options = {'password':'${REDIS_SERVER_PASS}'}"
fi
} }
update_ds_settings(){ update_jwt_settings(){
if [ "${JWT_ENABLED}" == "true" ]; then
${JSON} -I -e "this.services.CoAuthoring.token.enable.browser = ${JWT_ENABLED}" ${JSON} -I -e "this.services.CoAuthoring.token.enable.browser = ${JWT_ENABLED}"
${JSON} -I -e "this.services.CoAuthoring.token.enable.request.inbox = ${JWT_ENABLED}" ${JSON} -I -e "this.services.CoAuthoring.token.enable.request.inbox = ${JWT_ENABLED}"
${JSON} -I -e "this.services.CoAuthoring.token.enable.request.outbox = ${JWT_ENABLED}" ${JSON} -I -e "this.services.CoAuthoring.token.enable.request.outbox = ${JWT_ENABLED}"
@ -331,29 +209,11 @@ update_ds_settings(){
${JSON} -I -e "this.services.CoAuthoring.token.inbox.header = '${JWT_HEADER}'" ${JSON} -I -e "this.services.CoAuthoring.token.inbox.header = '${JWT_HEADER}'"
${JSON} -I -e "this.services.CoAuthoring.token.outbox.header = '${JWT_HEADER}'" ${JSON} -I -e "this.services.CoAuthoring.token.outbox.header = '${JWT_HEADER}'"
${JSON} -I -e "this.services.CoAuthoring.token.inbox.inBody = ${JWT_IN_BODY}" if [ -f "${ONLYOFFICE_EXAMPLE_CONFIG}" ] && [ "${JWT_ENABLED}" == "true" ]; then
${JSON} -I -e "this.services.CoAuthoring.token.outbox.inBody = ${JWT_IN_BODY}"
if [ -f "${ONLYOFFICE_EXAMPLE_CONFIG}" ]; then
${JSON_EXAMPLE} -I -e "this.server.token.enable = ${JWT_ENABLED}" ${JSON_EXAMPLE} -I -e "this.server.token.enable = ${JWT_ENABLED}"
${JSON_EXAMPLE} -I -e "this.server.token.secret = '${JWT_SECRET}'" ${JSON_EXAMPLE} -I -e "this.server.token.secret = '${JWT_SECRET}'"
${JSON_EXAMPLE} -I -e "this.server.token.authorizationHeader = '${JWT_HEADER}'" ${JSON_EXAMPLE} -I -e "this.server.token.authorizationHeader = '${JWT_HEADER}'"
fi fi
if [ "${USE_UNAUTHORIZED_STORAGE}" == "true" ]; then
${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults===undefined)this.services.CoAuthoring.requestDefaults={}"
${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults.rejectUnauthorized===undefined)this.services.CoAuthoring.requestDefaults.rejectUnauthorized=false"
fi
if [ "${WOPI_ENABLED}" == "true" ]; then
${JSON} -I -e "if(this.wopi===undefined)this.wopi={}"
${JSON} -I -e "this.wopi.enable = true"
fi
if [ "${ALLOW_META_IP_ADDRESS}" = "true" ] || [ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ]; then
${JSON} -I -e "if(this.services.CoAuthoring['request-filtering-agent']===undefined)this.services.CoAuthoring['request-filtering-agent']={}"
[ "${ALLOW_META_IP_ADDRESS}" = "true" ] && ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowMetaIPAddress = true"
[ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ] && ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowPrivateIPAddress = true"
fi fi
} }
@ -369,86 +229,26 @@ create_postgresql_cluster(){
} }
create_postgresql_db(){ create_postgresql_db(){
sudo -u postgres psql -c "CREATE USER $DB_USER WITH password '"$DB_PWD"';" sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -u postgres psql -c "CREATE DATABASE $DB_NAME OWNER $DB_USER;" sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';"
} sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"
create_db_tbl() {
case $DB_TYPE in
"postgres")
create_postgresql_tbl
;;
"mariadb"|"mysql")
create_mysql_tbl
;;
esac
}
upgrade_db_tbl() {
case $DB_TYPE in
"postgres")
upgrade_postgresql_tbl
;;
"mariadb"|"mysql")
upgrade_mysql_tbl
;;
esac
}
upgrade_postgresql_tbl() {
if [ -n "$DB_PWD" ]; then
export PGPASSWORD=$DB_PWD
fi
PSQL="psql -q -h$DB_HOST -p$DB_PORT -d$DB_NAME -U$DB_USER -w"
$PSQL -f "$APP_DIR/server/schema/postgresql/removetbl.sql"
$PSQL -f "$APP_DIR/server/schema/postgresql/createdb.sql"
}
upgrade_mysql_tbl() {
CONNECTION_PARAMS="-h$DB_HOST -P$DB_PORT -u$DB_USER -p$DB_PWD -w"
MYSQL="mysql -q $CONNECTION_PARAMS"
$MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/removetbl.sql" >/dev/null 2>&1
$MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/createdb.sql" >/dev/null 2>&1
} }
create_postgresql_tbl(){ create_postgresql_tbl(){
if [ -n "$DB_PWD" ]; then CONNECTION_PARAMS="-h${POSTGRESQL_SERVER_HOST} -p${POSTGRESQL_SERVER_PORT} -U${POSTGRESQL_SERVER_USER} -w"
export PGPASSWORD=$DB_PWD if [ -n "${POSTGRESQL_SERVER_PASS}" ]; then
export PGPASSWORD=${POSTGRESQL_SERVER_PASS}
fi fi
PSQL="psql -q -h$DB_HOST -p$DB_PORT -d$DB_NAME -U$DB_USER -w" PSQL="psql -q $CONNECTION_PARAMS"
$PSQL -f "$APP_DIR/server/schema/postgresql/createdb.sql" CREATEDB="createdb $CONNECTION_PARAMS"
}
create_mysql_tbl() {
CONNECTION_PARAMS="-h$DB_HOST -P$DB_PORT -u$DB_USER -p$DB_PWD -w"
MYSQL="mysql -q $CONNECTION_PARAMS"
# Create db on remote server # Create db on remote server
$MYSQL -e "CREATE DATABASE IF NOT EXISTS $DB_NAME DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;" >/dev/null 2>&1 if $PSQL -lt | cut -d\| -f 1 | grep -qw | grep 0; then
$CREATEDB $POSTGRESQL_SERVER_DB_NAME
fi
$MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/createdb.sql" >/dev/null 2>&1 $PSQL -d "${POSTGRESQL_SERVER_DB_NAME}" -f "${APP_DIR}/server/schema/postgresql/createdb.sql"
}
update_welcome_page() {
WELCOME_PAGE="${APP_DIR}-example/welcome/docker.html"
if [[ -e $WELCOME_PAGE ]]; then
DOCKER_CONTAINER_ID=$(basename $(cat /proc/1/cpuset))
(( ${#DOCKER_CONTAINER_ID} < 12 )) && DOCKER_CONTAINER_ID=$(hostname)
if (( ${#DOCKER_CONTAINER_ID} >= 12 )); then
if [[ -x $(command -v docker) ]]; then
DOCKER_CONTAINER_NAME=$(docker inspect --format="{{.Name}}" $DOCKER_CONTAINER_ID)
sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/' -i $WELCOME_PAGE
JWT_MESSAGE=$(echo $JWT_MESSAGE | sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/')
else
sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/' -i $WELCOME_PAGE
JWT_MESSAGE=$(echo $JWT_MESSAGE | sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/')
fi
fi
fi
} }
update_nginx_settings(){ update_nginx_settings(){
@ -488,6 +288,8 @@ update_nginx_settings(){
fi fi
else else
ln -sf ${NGINX_ONLYOFFICE_PATH}/ds.conf.tmpl ${NGINX_ONLYOFFICE_CONF} ln -sf ${NGINX_ONLYOFFICE_PATH}/ds.conf.tmpl ${NGINX_ONLYOFFICE_CONF}
# set up default listening port
sed 's,\(listen.\+:\)\([0-9]\+\)\(.*;\),'"\1${DS_PORT}\3"',' -i ${NGINX_ONLYOFFICE_CONF}
fi fi
# check if ipv6 supported otherwise remove it from nginx config # check if ipv6 supported otherwise remove it from nginx config
@ -498,8 +300,17 @@ update_nginx_settings(){
if [ -f "${NGINX_ONLYOFFICE_EXAMPLE_CONF}" ]; then if [ -f "${NGINX_ONLYOFFICE_EXAMPLE_CONF}" ]; then
sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF} sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
fi fi
}
documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false update_supervisor_settings(){
# Copy modified supervisor start script
cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisor /etc/init.d/
# Copy modified supervisor config
cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
# Copy modified nginx start script
cp ${SYSCONF_TEMPLATES_DIR}/nginx/nginx /etc/init.d/
# Copy modified ngnix config
cp ${SYSCONF_TEMPLATES_DIR}/nginx/nginx.conf /etc/nginx/nginx.conf
} }
update_log_settings(){ update_log_settings(){
@ -510,48 +321,40 @@ update_logrotate_settings(){
sed 's|\(^su\b\).*|\1 root root|' -i /etc/logrotate.conf sed 's|\(^su\b\).*|\1 root root|' -i /etc/logrotate.conf
} }
update_release_date(){
mkdir -p ${PRIVATE_DATA_DIR}
echo ${RELEASE_DATE} > ${DS_RELEASE_DATE}
}
# create base folders # create base folders
for i in converter docservice metrics; do for i in converter docservice spellchecker metrics gc; do
mkdir -p "${DS_LOG_DIR}/$i" mkdir -p "${DS_LOG_DIR}/$i"
done done
mkdir -p ${DS_LOG_DIR}-example mkdir -p ${DS_LOG_DIR}-example
# create app folders # create app folders
for i in ${DS_LIB_DIR}/App_Data/cache/files ${DS_LIB_DIR}/App_Data/docbuilder ${DS_LIB_DIR}-example/files; do for i in App_Data/cache/files App_Data/docbuilder; do
mkdir -p "$i" mkdir -p "${DS_LIB_DIR}/$i"
done done
# change folder rights # change folder rights
for i in ${LOG_DIR} ${LIB_DIR}; do for i in ${LOG_DIR} ${LIB_DIR} ${DATA_DIR}; do
chown -R ds:ds "$i" chown -R ds:ds "$i"
chmod -R 755 "$i" chmod -R 755 "$i"
done done
touch ${DS_LOG_DIR}/nginx.error.log
chown www-data:www-data ${DS_LOG_DIR}/nginx.error.log
if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
read_setting read_setting
if [ $METRICS_ENABLED = "true" ]; then
update_statsd_settings
fi
update_welcome_page
update_log_settings update_log_settings
update_ds_settings update_jwt_settings
# update settings by env variables # update settings by env variables
if [ $DB_HOST != "localhost" ]; then if [ ${POSTGRESQL_SERVER_HOST} != "localhost" ]; then
update_db_settings update_postgresql_settings
waiting_for_db waiting_for_postgresql
create_db_tbl create_postgresql_tbl
else else
# change rights for postgres directory # change rights for postgres directory
chown -R postgres:postgres ${PG_ROOT} chown -R postgres:postgres ${PG_ROOT}
@ -568,29 +371,16 @@ if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
if [ ${AMQP_SERVER_HOST} != "localhost" ]; then if [ ${AMQP_SERVER_HOST} != "localhost" ]; then
update_rabbitmq_setting update_rabbitmq_setting
else else
# change rights for rabbitmq directory
chown -R rabbitmq:rabbitmq ${RABBITMQ_DATA}
chmod -R go=rX,u=rwX ${RABBITMQ_DATA}
if [ -f ${RABBITMQ_DATA}/.erlang.cookie ]; then
chmod 400 ${RABBITMQ_DATA}/.erlang.cookie
fi
LOCAL_SERVICES+=("rabbitmq-server") LOCAL_SERVICES+=("rabbitmq-server")
# allow Rabbitmq startup after container kill # allow Rabbitmq startup after container kill
rm -rf /var/run/rabbitmq rm -rf /var/run/rabbitmq
fi fi
if [ ${REDIS_ENABLED} = "true" ]; then
if [ ${REDIS_SERVER_HOST} != "localhost" ]; then if [ ${REDIS_SERVER_HOST} != "localhost" ]; then
update_redis_settings update_redis_settings
else else
# change rights for redis directory
chown -R redis:redis ${REDIS_DATA}
chmod -R 750 ${REDIS_DATA}
LOCAL_SERVICES+=("redis-server") LOCAL_SERVICES+=("redis-server")
fi fi
fi
else else
# no need to update settings just wait for remote data # no need to update settings just wait for remote data
waiting_for_datacontainer waiting_for_datacontainer
@ -598,12 +388,8 @@ else
# read settings after the data container in ready state # read settings after the data container in ready state
# to prevent get unconfigureted data # to prevent get unconfigureted data
read_setting read_setting
update_welcome_page
fi fi
find /etc/${COMPANY_NAME} ! -path '*logrotate*' -exec chown ds:ds {} \;
#start needed local services #start needed local services
for i in ${LOCAL_SERVICES[@]}; do for i in ${LOCAL_SERVICES[@]}; do
service $i start service $i start
@ -615,19 +401,13 @@ if [ ${PG_NEW_CLUSTER} = "true" ]; then
fi fi
if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
waiting_for_db waiting_for_postgresql
waiting_for_amqp waiting_for_amqp
if [ ${REDIS_ENABLED} = "true" ]; then
waiting_for_redis waiting_for_redis
fi
if [ "${IS_UPGRADE}" = "true" ]; then
upgrade_db_tbl
update_release_date
fi
update_nginx_settings update_nginx_settings
update_supervisor_settings
service supervisor start service supervisor start
# start cron to enable log rotating # start cron to enable log rotating
@ -639,44 +419,8 @@ fi
# it run in all cases. # it run in all cases.
service nginx start service nginx start
if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
if [ ! -f "${SSL_CERTIFICATE_PATH}" -a ! -f "${SSL_KEY_PATH}" ]; then
documentserver-letsencrypt.sh ${LETS_ENCRYPT_MAIL} ${LETS_ENCRYPT_DOMAIN}
fi
fi
# Regenerate the fonts list and the fonts thumbnails # Regenerate the fonts list and the fonts thumbnails
if [ "${GENERATE_FONTS}" == "true" ]; then
documentserver-generate-allfonts.sh ${ONLYOFFICE_DATA_CONTAINER} documentserver-generate-allfonts.sh ${ONLYOFFICE_DATA_CONTAINER}
fi
documentserver-static-gzip.sh ${ONLYOFFICE_DATA_CONTAINER} documentserver-static-gzip.sh ${ONLYOFFICE_DATA_CONTAINER}
echo "${JWT_MESSAGE}" tail -f /var/log/${COMPANY_NAME}/**/*.log
# Check if lager file limits should be set
if [ "$LARGER_FILE_LIMITS" = "true" ]; then
if [ -e /app/ds/file_limits_set ]; then
echo ""
else
touch /app/ds/file_limits_set
sed -i -e 's/104857600/10485760000/g' /etc/onlyoffice/documentserver-example/production-linux.json
sed -i '9iclient_max_body_size 1000M;' /etc/onlyoffice/documentserver-example/nginx/includes/ds-example.conf
sed -i '16iclient_max_body_size 1000M;' /etc/nginx/nginx.conf
sed -i -e 's/104857600/10485760000/g' /etc/onlyoffice/documentserver/default.json
sed -i -e 's/50MB/5000MB/g' /etc/onlyoffice/documentserver/default.json
sed -i -e 's/300MB/3000MB/g' /etc/onlyoffice/documentserver/default.json
sed -i 's/^client_max_body_size 100m;$/client_max_body_size 1000m;/' /etc/onlyoffice/documentserver/nginx/includes/ds-common.conf
service nginx restart
supervisorctl restart all
fi
fi
tail -f /var/log/${COMPANY_NAME}/**/*.log &
wait $!

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -1,35 +0,0 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
depends_on:
- onlyoffice-postgresql
environment:
- DB_TYPE=${DB_TYPE:-postgres}
- DB_HOST=${DB_HOST:-onlyoffice-postgresql}
- DB_PORT=${DB_PORT:-5432}
- DB_NAME=${DB_NAME:-onlyoffice}
- DB_USER=${DB_USER:-onlyoffice}
- DB_PWD=${DB_PWD:-onlyoffice}
stdin_open: true
restart: always
ports:
- '80:80'
onlyoffice-postgresql:
container_name: onlyoffice-postgresql
image: postgres:${POSTGRES_VERSION:-12}
environment:
- POSTGRES_DB=${POSTGRES_DB:-onlyoffice}
- POSTGRES_USER=${POSTGRES_USER:-onlyoffice}
- POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD:-trust}
restart: always
expose:
- '5432'
volumes:
- postgresql_data:/var/lib/postgresql
volumes:
postgresql_data:

@ -1,46 +0,0 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
depends_on:
- onlyoffice-statsd-exporter
environment:
- METRICS_ENABLED=${METRICS_ENABLED:-true}
- METRICS_HOST=${METRICS_HOST:-onlyoffice-statsd-exporter}
- METRICS_PORT=${METRICS_PORT:-9125}
- METRICS_PREFIX=${METRICS_PREFIX:-ds.}
stdin_open: true
restart: always
ports:
- '80:80'
onlyoffice-statsd-exporter:
container_name: onlyoffice-statsd-exporter
image: prom/statsd-exporter
command: --statsd.event-flush-interval=30000ms
ports:
- '9102:9102'
- '9125:9125/tcp'
- '9125:9125/udp'
onlyoffice-prometheus:
container_name: onlyoffice-prometheus
image: prom/prometheus
ports:
- '9090:9090'
volumes:
- ./prometheus/prometheus-scrape/statsd-exporter.yml:/etc/prometheus/prometheus.yml
grafana:
container_name: onlyoffice-grafana
image: bitnami/grafana
ports:
- '3000:3000'
environment:
- 'GF_SECURITY_ADMIN_PASSWORD=G0pGE4'
volumes:
- ./prometheus/grafana/conf/prometheus.yml:/opt/bitnami/grafana/conf/provisioning/datasources/prometheus.yml
- ./prometheus/grafana/conf/default-provider.yaml:/opt/bitnami/grafana/conf/provisioning/dashboards/default-provider.yaml
- ./prometheus/grafana/dashboards:/opt/bitnami/grafana/dashboards

@ -1,23 +0,0 @@
apiVersion: 1
providers:
# <string> an unique provider name
- name: 'default-provider'
# <int> org id. will default to orgId 1 if not specified
orgId: 1
# <string, required> name of the dashboard folder. Required
folder: dashboards
# <string> folder UID. will be automatically generated if not specified
folderUid: ''
# <string, required> provider type. Required
type: file
# <bool> disable dashboard deletion
disableDeletion: false
# <bool> enable dashboard editing
editable: true
# <int> how often Grafana will scan for changed dashboards
updateIntervalSeconds: 10
options:
# <string, required> path to dashboard files on disk. Required
path: /opt/bitnami/grafana/dashboards
# <bool> enable folders creation for dashboards
#foldersFromFilesStructure: true

@ -1,6 +0,0 @@
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://onlyoffice-prometheus:9090
editable: true

@ -1,6 +0,0 @@
scrape_configs:
- job_name: 'statsd'
scrape_interval: 30s
static_configs:
- targets:
- onlyoffice-statsd-exporter:9102