Commit Graph

38 Commits

Author SHA1 Message Date
Alexandre Alapetite
b66d4ade41 Improve Docker + compatibility Arch (#8299)
* Better comments in our Docker images
* Make `cli/access-permissions.sh` compatible with other Apache groups such as `http` for Linux Arch
* Better `/Docker/entrypoint.sh` supporting various Apache configuration paths (and slightly faster).
* Add test image for Linux Arch (not sure we will keep it)

See
* https://github.com/FreshRSS/FreshRSS/pull/8279#issuecomment-3620674818
2025-12-12 22:07:19 +01:00
Carey Metcalfe
bb659ee27a Optimize how much data needs to be chown/chmoded on container startup (#7793)
* Optimize how much data needs to be `chown`/`chmod`ed on container startup

This works around an issue where `chmod`/`chown` operations inside a
container can be extremely slow when using the `overlay2` storage
driver, resulting in 10min+ container startup times.

It modifies the owner of the webapp when building the container so that
only the `data` and `extensions` directories (which are commonly mapped
as volumes into the container) have to be modified by the
`access-permissions.sh` script at container startup.

When not running via docker the behaviour of the `access-permissions.sh`
script is unchanged.

* Take DATA_PATH environment variable into account when fixing permissions

* Revert change to using bash for arrays

(the alpine image doesn't include `bash`)

* A few more improvements

* Slightly tweak reapply permissions variable

- lowercase to indicate it's not an env variable
- use 0/1 to address potentially-irrational paranoia about unset variables

* Remove conditional logic to skip reapplying permissions

Also documents why in a comment so it's not missed in the future.

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-08-08 13:36:57 +02:00
Tarow
ef3505bac0 Docker: interpolate FRESHRSS_INSTALL and FRESHRSS_USER variables (#7725)
Closes https://github.com/FreshRSS/FreshRSS/issues/7300
Interpolate `FRESHRSS_INSTALL` and `FRESHRSS_USER` at runtime to allow secrets being passed as environment variables
2025-07-09 13:26:43 +02:00
Alexandre Alapetite
1207236e9c Docker entrypoint optimize find sed (#6827)
Single `find` and single `sed` command instead of 3
2024-09-23 11:13:48 +02:00
pando85
82593f5968 Fix OIDC session params definition (#6730)
* Fix OIDC session params definition

- standardize environment variable names
- group all in the same configuration file
- use mod_auth_openidc default values
- fix `OIDCSessionMaxDuration` because it was not set with the previous
  code
- add documentation

* Add double quoting to prevent globbing and word splitting

* Revert line deleted by mistake
2024-08-25 19:57:30 +02:00
нездалисько
b4ceabc248 add OIDCSessionMaxDuration and OIDCSessionInactivityTimeout (#6642)
* add OIDCSessionMaxDuration and OIDCSessionInactivityTimeout

* entrypoint.sh OIDCSessionMaxDuration and Session fix

* fix: entrypoint.sh OIDCSessionMaxDuration and OIDCSessionInactivityTimeout and Alpine support

* Use Apache config file instead

* Spelling

* fixed after restarting the double OIDC lines

* Refactor

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2024-08-14 08:55:29 +02:00
Alexandre Alapetite
bc9ef0d188 Improve filtering of Cron env variables (#5898)
Avoid keeping environment variables used for init.
Improvement of https://github.com/FreshRSS/FreshRSS/pull/5795
Spotted when checking https://github.com/FreshRSS/FreshRSS/issues/5894
2023-11-21 16:33:19 +01:00
Alexandre Alapetite
72aaea8636 Fix Docker CRON_MIN for env with special characters (#5795)
fix https://github.com/FreshRSS/FreshRSS/issues/5792
regression from https://github.com/FreshRSS/FreshRSS/pull/5772
2023-10-31 23:36:23 +01:00
Alexandre Alapetite
de51f6e7a0 Export all environment variables to cron (#5772)
fix https://github.com/FreshRSS/FreshRSS/issues/5770
Note, the syntax complying with https://www.shellcheck.net/wiki/SC2002 does not seem to work in ash / Alpine
2023-10-29 22:18:06 +01:00
Alexandre Alapetite
51a95afdbb Prepare Alpine OIDC (#5764)
* Prepare Alpine OIDC
* Prepare syntax for OpenID Connect in Alpine.
* Update :newest Alpine development image to PHP 8.3
* Fix a little bug in test of OIDC_SCOPES

* Changelog + syntax

* shellchecks
2023-10-28 13:40:22 +02:00
Alexandre Alapetite
ce6ba583be OIDC_SCOPES compatibility colon (#5753)
fix https://github.com/FreshRSS/FreshRSS/issues/5744
2023-10-27 15:26:39 +02:00
Mossroy
5374df384a Use RemoteIPInternalProxy directive of remoteip Apache module (#5740)
* Use RemoteIPInternalProxy directive of remoteip Apache module

instead of RemoteIPTrustedProxy directive

To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies

Fixes #5726

* One last reference forgotten

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2023-10-25 16:23:03 +02:00
Mossroy
280a1e1155 Avoid a warning on non-numeric TRUSTED_PROXY env var (#5733)
* Update entrypoint.sh to avoid a warning on non-numeric TRUSTED_PROXY env var

Fixes #5732

* Use POSIX-compatible syntax

* Fix POSIX syntax
2023-10-25 15:57:27 +02:00
Alexandre Alapetite
e7689459f2 Rework trusted proxies (#5549)
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226

New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy

New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.

Current working setups should not observe any significant change.

* Minor whitespace

* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357

* Minor readme
2023-07-30 12:59:18 +02:00
Zhaofeng Li
c35a9ee061 Docker: Add DATA_PATH to cron env (#5531)
2023-07-19 23:36:13 +02:00
Alexandre Alapetite
644427b9b1 Docker quiet Apache a2enmod (#5464)
Quiet output for a2enmod, a2dismod, a2disconf, a2dissite, a2ensite to avoid many messages like the following, which are not even relevant because Apache is not yet started at this stage:

```
To activate the new configuration, you need to run:
  systemctl restart apache2
```

Related to https://github.com/FreshRSS/FreshRSS/pull/5463
2023-06-14 15:18:26 +02:00
Alexandre Alapetite
ae8dfc1b1b Fix OpenID Connect crash on ARM (#5463)
Only enable the Apache auth_openidc module when actually used
Fix https://github.com/FreshRSS/FreshRSS/issues/5460
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/5351
2023-06-13 16:28:51 +02:00
Alexandre Alapetite
e899e4edd9 More robust application of access permissions (#5062)
* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to account to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037

* Minor simplification

* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
2023-02-06 15:42:53 +01:00
Alexandre Alapetite
7330cbab38 chmod +x extensions (#4956)
To ease adding custom extensions such as in https://github.com/FreshRSS/Extensions/issues/37#issuecomment-1363474585
2022-12-28 23:07:52 +01:00
Alexandre Alapetite
543fa4e76c Docker uniform timezone behaviour (#4905)
* Docker Alpine timezone for :newest and :oldest
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/4903
Forgot the development images Newest and Oldest

* Uniform timezone behaviour

* shellcheck

* A bit more documentation
2022-11-30 20:45:40 +01:00
Alexandre Alapetite
95af935a5f Docker entrypoint fix buffering (#4417)
Remove output buffering during auto-install of FreshRSS and auto-creation of the default user.
We were only getting outputs at the end of each command, which was a problem for getting errors and progress, for instance when automatically importing a very large OPML
2022-06-19 20:03:34 +02:00
Alexandre Alapetite
81b00bd8aa Docker: Move logic to disable FreshRSS updates (#3973)
Should be done during build and not during entrypoint, to avoid modifying a potential volume (e.g. mounting the source code as a volume is used during development).
2021-11-14 23:25:27 +01:00
Alexandre Alapetite
d924fc5fbb Fix cron regression (#3933)
#fix https://github.com/FreshRSS/FreshRSS/pull/3927/files#r735146297
The path `/var/www/FreshRSS/` might be a Docker volume, breaking files created there during Docker build
2021-10-24 19:39:35 +02:00
Chris Francy
07e00c7681 Docker: don't add crontab unless needed. (#3927)
Adding the crontab as part of the image build makes it more complicated
to add custom entries to the crontab. Adjusting the image and entrypoint
to make it so that the crontab is only added when CRON_MIN is set
simplifies having a custom crontab.
2021-10-24 17:25:03 +02:00
Alexandre Alapetite
27c4194c8e Disable built-in update when using Docker (#3496)
#fix https://github.com/FreshRSS/FreshRSS/issues/3495
2021-03-04 21:18:34 +01:00
Alexandre Alapetite
8dfe209799 Possibility to autoinstall in Docker Compose (#3353)
* Possibility to autoinstall in Docker Compose

#fix https://github.com/FreshRSS/FreshRSS/issues/3349

It is simply calling our existing CLI: do-install.php and
create-user.php
https://github.com/FreshRSS/FreshRSS/tree/master/cli

FreshRSS will typically be ready a few seconds before the database, so
introduce a tolerance when the database is not available / up (yet) by
trying a few times to connect. Also useful to avoid service interruption
when DB service is restarted.

Example:

```yml
freshrss-app:
    image: freshrss/freshrss
    container_name: freshrss-app
    hostname: freshrss-app
    restart: unless-stopped
    ports:
      - "8080:80"
    depends_on:
      - freshrss-db
    volumes:
      - data:/var/www/FreshRSS/data
      - extensions:/var/www/FreshRSS/extensions
    environment:
      CRON_MIN: '*/20'
      FRESHRSS_ENV: development
      FRESHRSS_INSTALL: |-
        --api_enabled
        --base_url https://rss.example.net
        --db-base freshrss
        --db-host freshrss-db
        --db-password freshrss
        --db-type pgsql
        --db-user freshrss
        --default_user admin
        --language en
      FRESHRSS_USER: |-
        --api_password freshrss
        --email user@example.net
        --language en
        --password freshrss
        --user admin
      TZ: Europe/Paris
```

* Minor type f in find

* shellcheck
2021-01-11 22:36:50 +01:00
Alexandre Alapetite
69060cda33 Docker: Environment variable to change Apache port (#3343)
#fix https://github.com/FreshRSS/FreshRSS/issues/3341

New environment variable `LISTEN='0.0.0.0:8080'`

```
docker run -d --network host --uts host -e LISTEN='0.0.0.0:8080' -e TZ=Europe/Paris --name freshrss freshrss/freshrss
```
2021-01-07 23:32:39 +01:00
Alexandre Alapetite
df9c0ae6f1 Fix Docker FRESHRSS_ENV for cron (#2963)
cron job was not passed the environment variable FRESHRSS_ENV as it
should
This resulted in messages during cron to not be logged according to
FRESHRSS_ENV level
2020-05-12 22:47:13 +02:00
Alexandre Alapetite
3c49986ec8 New environment variable COPY_LOG_TO_SYSLOG (#2591)
* New environment variable COPY_LOG_TO_SYSLOG

False by default.
Makes it easy to monitor all logs from Syslog or STDERR (e.g. docker
logs).

* Suggestion of native constants
2019-10-26 11:19:42 +02:00
Alexandre Alapetite
077e3cff45 Increase import size (#2563)
* Increase import size

This is merely a temporary workaround to allow at least some medium size
imports
https://framateam.org/freshrss/pl/7wbt4tcyetrfmris9xdcbq7uuw
The import module should be rewritten to process files one by one and as
data streams instead of loading multiple copies of the whole dataset in
memory as is the case now :-(
https://github.com/FreshRSS/FreshRSS/issues/1890
Note that the new SQLite export/import is distinct from this case.

* Use parameter
2019-10-08 20:52:03 +02:00
Frans de Jonge
ad92518fe4 [CI] Run shellcheck and shfmt (#2454)
* [CI] Run shellcheck and shfmt

Cf. https://github.com/FreshRSS/FreshRSS/pull/2436#discussion_r305640019

* rename

* no need for disable anymore

* also remove leftover indentation flags even if it makes no difference to syntax checking

* define colors and reset before exit for local use
2019-07-22 16:07:40 +02:00
Alexandre Alapetite
4599d171df Docker fix cron logs (#2329)
Fix environment variable bug
2019-04-02 21:47:57 +02:00
Alexandre Alapetite
32dd2e3c33 Docker better use of crontab (#2326)
Misc. from https://github.com/FreshRSS/FreshRSS/pull/2325
https://github.com/FreshRSS/FreshRSS/issues/2319
2019-04-02 14:21:34 +02:00
Alexandre Alapetite
4355849ec3 Docker Alpine PHP timezone (#2218)
https://github.com/FreshRSS/FreshRSS/issues/2153
2019-01-16 22:19:40 +01:00
Alexandre Alapetite
6c423881d0 Forgotten cron fix
https://github.com/FreshRSS/FreshRSS/pull/2208
2019-01-06 01:07:58 +01:00
Alexandre Alapetite
a6623b7b2f Apache performance (#2202)
* Apache performance
API: Use SetEnvIf if available and fallback to RewriteRule
Docker: Disable unused modules.
Docker: Hard-include .htaccess to avoid having to scan for changes in
that file.
Docker: Disable security check of symlinks, which we do not use anyway.

* Apache readme

* Docker/Apache tuning
Run cron job with correct www-data user instead of root
Remove PHP GMP module unneeded for 64-bit Docker image
Add option to mount custom .htaccess for HTTP authentication
Re-add Apache module for HTTP authentication
Move Alpine-specific instructions to Docker file (instead of Apache
conf) to make it easier to have other base images than Alpine
2019-01-02 21:36:33 +01:00
Jan
3ae1b57c9d Escape cron step values with backslash (#2032)
* Escape cron step values with backslash

Escape cron step values with backslash in $CRON_MIN

* Change sed delimiter to allow unescaped slashes
2018-09-28 11:53:00 +02:00
Alexandre Alapetite
4381117a19 cron in Docker image (#1871)
* cron in Docker image

https://github.com/FreshRSS/FreshRSS/issues/1869

* Fix cron CMD

* Minor readme

* Docker run d instead of dit

There should not be a need for STDIN or TTY

* Minor sed param
2018-04-26 12:00:14 +02:00