From b4c83b31f26ccd333b95bf4fa348f55b60e76aa3 Mon Sep 17 00:00:00 2001
From: Dennis Gaida <2392217+DennisGaida@users.noreply.github.com>
Date: Thu, 9 Oct 2025 16:25:36 +0200
Subject: Support docker secrets via startup script
Add docker secrets support
---
 .docker/app/startup.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.docker/app/startup.sh b/.docker/app/startup.sh
index 64111dd19..3daeb9477 100644
--- a/.docker/app/startup.sh
+++ b/.docker/app/startup.sh
@@ -13,6 +13,23 @@ done
 unset HTTP_PORT
 unset HTTP_HOST
+# allow setting environment variables with docker secrets
+# the format is _FILE
+suffix="_FILE"
+
+# Loop through all environment variables
+for var in $(printenv | awk -F= '{print $1}'); do
+ if [[ $var == *"$suffix" ]]; then
+ envFileName=`printenv ${var}`
+ if [[ -f "$envFileName" ]]; then
+ envVar="${var%$suffix}" # generate the original env var without suffix
+ val=`cat $envFileName` # get the value of the secret from file
+ export "${envVar}"="$val" # set the original env var
+ echo "${envVar} environment variable was set by secret ${envFileName}"
+ fi
+ fi
+done
+
 if ! id app >/dev/null 2>&1; then
 addgroup -g $OWNER_GID app
 adduser -D -h $APP_INSTALL_BASE_DIR -G app -u $OWNER_UID app
-- 
cgit v1.2.3-54-g00ecf
From 16b7894aeab8c4204294875497aacd56b4065306 Mon Sep 17 00:00:00 2001
From: Dennis Gaida <2392217+DennisGaida@users.noreply.github.com>
Date: Thu, 9 Oct 2025 16:39:37 +0200
Subject: add docker secrets support - forgot update & updater
---
 .docker/app/update.sh | 17 +++++++++++++++++
 .docker/app/updater.sh | 17 +++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/.docker/app/update.sh b/.docker/app/update.sh
index e383091d1..a509a9d69 100644
--- a/.docker/app/update.sh
+++ b/.docker/app/update.sh
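Review bot: The enumeration `for var in $(printenv | awk -F= '{print $1}')` treats every output line of `printenv` as a variable name, so an environment value that itself contains newlines (a multi-line PEM or JSON blob, say) produces bogus "names" that are then handed to `printenv ${var}` and, when such a line happens to end in `_FILE`, to `export`. Letting awk select only identifier-shaped lines avoids that: `for var in $(printenv | awk -F= '/^[A-Za-z_][A-Za-z0-9_]*_FILE=/ {print $1}'); do`. Independently, `printenv ${var}` and `cat $envFileName` are unquoted and use backticks; `"$(printenv "$var")"` and `"$(cat "$envFileName")"` are the safe forms, which a later commit in this series adopts. Note the loop runs as root before the `app` user is even created (the `adduser` follows it), so any root-readable path named by a `*_FILE` variable ends up in the process environment; the `*_FILE` variables deserve the same handling as the secrets themselves.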
@@ -8,6 +8,23 @@
 unset HTTP_PORT
 unset HTTP_HOST
+# allow setting environment variables with docker secrets
+# the format is _FILE
+suffix="_FILE"
+
+# Loop through all environment variables
+for var in $(printenv | awk -F= '{print $1}'); do
+ if [[ $var == *"$suffix" ]]; then
+ envFileName=`printenv ${var}`
+ if [[ -f "$envFileName" ]]; then
+ envVar="${var%$suffix}" # generate the original env var without suffix
+ val=`cat $envFileName` # get the value of the secret from file
+ export "${envVar}"="$val" # set the original env var
+ echo "${envVar} environment variable was set by secret ${envFileName}"
+ fi
+ fi
+done
+
 if ! id app >/dev/null 2>&1; then
 addgroup -g $OWNER_GID app
 adduser -D -h $APP_INSTALL_BASE_DIR -G app -u $OWNER_UID app
diff --git a/.docker/app/updater.sh b/.docker/app/updater.sh
index c34cf5225..681ef75e1 100644
--- a/.docker/app/updater.sh
+++ b/.docker/app/updater.sh
@@ -10,6 +10,23 @@ unset HTTP_HOST
 unset ADMIN_USER_PASS
 unset AUTO_CREATE_USER_PASS
+# allow setting environment variables with docker secrets
+# the format is _FILE
+suffix="_FILE"
+
+# Loop through all environment variables
+for var in $(printenv | awk -F= '{print $1}'); do
+ if [[ $var == *"$suffix" ]]; then
+ envFileName=`printenv ${var}`
+ if [[ -f "$envFileName" ]]; then
+ envVar="${var%$suffix}" # generate the original env var without suffix
+ val=`cat $envFileName` # get the value of the secret from file
+ export "${envVar}"="$val" # set the original env var
+ echo "${envVar} environment variable was set by secret ${envFileName}"
+ fi
+ fi
+done
+
 # wait for the app container to delete .app_is_ready and perform rsync, etc.
 sleep 30
-- 
cgit v1.2.3-54-g00ecf
From 76f8bf89dbb9c3bb894db5829da7ba8721541680 Mon Sep 17 00:00:00 2001
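Review bot: In the updater.sh hunk the new loop is placed directly after `unset ADMIN_USER_PASS` and `unset AUTO_CREATE_USER_PASS`, so an `ADMIN_USER_PASS_FILE` or `AUTO_CREATE_USER_PASS_FILE` secret re-exports exactly the value those two lines were written to keep out of the updater process. Either move the two `unset` lines below the loop's `done`, or skip those names before the `export`, e.g. `case "$envVar" in ADMIN_USER_PASS|AUTO_CREATE_USER_PASS) continue ;; esac`. The update.sh hunk above is a verbatim copy of the startup.sh block and carries the same enumeration and quoting issues raised on the first commit.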
From: Dennis Gaida <2392217+DennisGaida@users.noreply.github.com>
Date: Fri, 10 Oct 2025 11:08:23 +0200
Subject: change suffix to __FILE, fix variable names, add warnings, spaces>tabs
---
 .docker/app/startup.sh | 34 ++++++++++++++++++++-------------
 .docker/app/update.sh | 34 ++++++++++++++++++++-------------
 .docker/app/updater.sh | 51 ++++++++++++++++++++++++--------------------------
 3 files changed, 66 insertions(+), 53 deletions(-)
diff --git a/.docker/app/startup.sh b/.docker/app/startup.sh
index 3daeb9477..72ee24f80 100644
--- a/.docker/app/startup.sh
+++ b/.docker/app/startup.sh
@@ -14,20 +14,28 @@ unset HTTP_PORT
 unset HTTP_HOST
 # allow setting environment variables with docker secrets
-# the format is _FILE
-suffix="_FILE"
-
-# Loop through all environment variables
-for var in $(printenv | awk -F= '{print $1}'); do
- if [[ $var == *"$suffix" ]]; then
- envFileName=`printenv ${var}`
- if [[ -f "$envFileName" ]]; then
- envVar="${var%$suffix}" # generate the original env var without suffix
- val=`cat $envFileName` # get the value of the secret from file
- export "${envVar}"="$val" # set the original env var
- echo "${envVar} environment variable was set by secret ${envFileName}"
+# the format is __FILE
+SUFFIX="__FILE"
+
+# loop through all environment variables
+for VAR in $(printenv | awk -F= '{print $1}'); do
+ if [[ $VAR == *"$SUFFIX" ]]; then
+ ENV_FILE_NAME="$(printenv "${VAR}")"
+ ENV_VAR="${VAR%$SUFFIX}"
+
+ if printenv "$ENV_VAR" &>/dev/null; then
+ echo "warning: Both $ENV_VAR and $VAR are set. $VAR will override $ENV_VAR."
+ fi
+
+ if [[ -f "$ENV_FILE_NAME" ]]; then
+ VALUE="$(cat "$ENV_FILE_NAME")"
+ export "$ENV_VAR"="$VALUE"
+ echo "$ENV_VAR environment variable was set by secret file $ENV_FILE_NAME"
+ else
+ echo "warning: Secret file $ENV_FILE_NAME for $VAR does not exist or is not a regular file."
+ fi
- fi
+ fi
 done
 if ! id app >/dev/null 2>&1; then
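Review bot: A variable named exactly `__FILE` passes `[[ $VAR == *"$SUFFIX" ]]`, leaves `ENV_VAR` empty and turns the export into `export =...`, which fails with "not a valid identifier"; if the script runs with `-e` (updater.sh does, per its `#!/bin/sh -e`; startup.sh's own shebang is outside this hunk) that aborts startup. The loop also still walks every line of `printenv` output, including continuation lines of multi-line values. Both go away if awk selects only identifier-shaped names, which is also the only thing `export` will accept: `for VAR in $(printenv | awk -F= '/^[A-Za-z_][A-Za-z0-9_]*__FILE=/ {print $1}'); do`. The two `warning:` lines are diagnostics and belong on stderr (`>&2`) so they do not interleave with whatever consumes the script's stdout.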
diff --git a/.docker/app/update.sh b/.docker/app/update.sh
index a509a9d69..5c056f0d2 100644
--- a/.docker/app/update.sh
+++ b/.docker/app/update.sh
@@ -9,20 +9,28 @@ unset HTTP_PORT
 unset HTTP_HOST
 # allow setting environment variables with docker secrets
-# the format is _FILE
-suffix="_FILE"
-
-# Loop through all environment variables
-for var in $(printenv | awk -F= '{print $1}'); do
- if [[ $var == *"$suffix" ]]; then
- envFileName=`printenv ${var}`
- if [[ -f "$envFileName" ]]; then
- envVar="${var%$suffix}" # generate the original env var without suffix
- val=`cat $envFileName` # get the value of the secret from file
- export "${envVar}"="$val" # set the original env var
- echo "${envVar} environment variable was set by secret ${envFileName}"
+# the format is __FILE
+SUFFIX="__FILE"
+
+# loop through all environment variables
+for VAR in $(printenv | awk -F= '{print $1}'); do
+ if [[ $VAR == *"$SUFFIX" ]]; then
+ ENV_FILE_NAME="$(printenv "${VAR}")"
+ ENV_VAR="${VAR%$SUFFIX}"
+
+ if printenv "$ENV_VAR" &>/dev/null; then
+ echo "warning: Both $ENV_VAR and $VAR are set. $VAR will override $ENV_VAR."
+ fi
+
+ if [[ -f "$ENV_FILE_NAME" ]]; then
+ VALUE="$(cat "$ENV_FILE_NAME")"
+ export "$ENV_VAR"="$VALUE"
+ echo "$ENV_VAR environment variable was set by secret file $ENV_FILE_NAME"
+ else
+ echo "warning: Secret file $ENV_FILE_NAME for $VAR does not exist or is not a regular file."
+ fi
- fi
+ fi
 done
 if ! id app >/dev/null 2>&1; then
diff --git a/.docker/app/updater.sh b/.docker/app/updater.sh
index 681ef75e1..78cc415c8 100644
--- a/.docker/app/updater.sh
+++ b/.docker/app/updater.sh
@@ -1,7 +1,4 @@
 #!/bin/sh -e
-#
-# this scripts waits for startup.sh to finish (implying a shared volume) and runs multiprocess daemon when working copy is available
-#
 # We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures)
 unset HTTP_PORT
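Review bot: This is the third verbatim copy of the secrets loop (startup.sh, update.sh, updater.sh), and the series already shows the cost: every fix in the following commits is applied three times and the updater.sh copy has already drifted in layout. Moving the loop into one helper file under `.docker/app/` and sourcing it from each script with a single `. /path/to/load-secrets.sh` line keeps the three in step; the exact path depends on where the image installs these scripts, which is not visible here. The updater.sh hunk below only deletes the header comment and is not reviewed further.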
@@ -11,20 +8,28 @@ unset ADMIN_USER_PASS
 unset AUTO_CREATE_USER_PASS
 # allow setting environment variables with docker secrets
-# the format is _FILE
-suffix="_FILE"
-
-# Loop through all environment variables
-for var in $(printenv | awk -F= '{print $1}'); do
- if [[ $var == *"$suffix" ]]; then
- envFileName=`printenv ${var}`
- if [[ -f "$envFileName" ]]; then
- envVar="${var%$suffix}" # generate the original env var without suffix
- val=`cat $envFileName` # get the value of the secret from file
- export "${envVar}"="$val" # set the original env var
- echo "${envVar} environment variable was set by secret ${envFileName}"
+# the format is __FILE
+SUFFIX="__FILE"
+
+# loop through all environment variables
+for VAR in $(printenv | awk -F= '{print $1}'); do
+ if [[ $VAR == *"$SUFFIX" ]]; then
+ ENV_FILE_NAME="$(printenv "${VAR}")"
+ ENV_VAR="${VAR%$SUFFIX}"
+
+ if printenv "$ENV_VAR" &>/dev/null; then
+ echo "warning: Both $ENV_VAR and $VAR are set. $VAR will override $ENV_VAR."
 fi
- fi
+
+ if [[ -f "$ENV_FILE_NAME" ]]; then
+ VALUE="$(cat "$ENV_FILE_NAME")"
+ export "$ENV_VAR"="$VALUE"
+ echo "$ENV_VAR environment variable was set by secret file $ENV_FILE_NAME"
+ else
+ echo "warning: Secret file $ENV_FILE_NAME for $VAR does not exist or is not a regular file."
+
+ fi
+ fi
 done
 # wait for the app container to delete .app_is_ready and perform rsync, etc.
@@ -32,12 +37,9 @@ sleep 30
 if ! id app; then
 addgroup -g $OWNER_GID app
- adduser -D -h $APP_INSTALL_BASE_DIR -G app -u $OWNER_UID app
+ adduser -D -h /var/www/html -G app -u $OWNER_UID app
 fi
-update-ca-certificates || true
-
-# TODO this should do a reasonable amount of attempts and terminate with an error
 while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER -p $TTRSS_DB_PORT; do
 echo waiting until $TTRSS_DB_HOST is ready...
 sleep 3
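Review bot: `if printenv "$ENV_VAR" &>/dev/null; then` uses the bash-only `&>` redirection, but updater.sh is run by `#!/bin/sh -e` (visible in the previous hunk). A POSIX sh reads that line as `printenv "$ENV_VAR" &` followed by an empty command redirected to /dev/null, so the condition is always true and the "Both ... are set" warning fires for every `__FILE` variable; whether the image's busybox ash happens to accept `&>` depends on its build options and is not something to rely on. The portable form is `if printenv "$ENV_VAR" >/dev/null 2>&1; then`. `[[ ... ]]` in the same block is likewise non-POSIX, and the `ADMIN_USER_PASS`/`AUTO_CREATE_USER_PASS` values unset just above the loop are still re-exported by a matching `__FILE` secret, as noted on the earlier commit.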
@@ -46,16 +48,11 @@ done
 sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
 /etc/php${PHP_SUFFIX}/php.ini
-DST_DIR=$APP_INSTALL_BASE_DIR/tt-rss
+DST_DIR=/var/www/html/tt-rss
 while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do
 echo waiting for app container...
 sleep 3
 done
-# this is some next level bullshit
-# - https://stackoverflow.com/questions/65622914/why-would-i-get-a-php-pdoexception-complaining-that-it-cant-make-a-postgres-con
-# - fatal error: could not open certificate file "/root/.postgresql/postgresql.crt": Permission denied
-chown -R app:app /root # /.postgresql
-
-sudo -E -u app "${TTRSS_PHP_EXECUTABLE}" $APP_INSTALL_BASE_DIR/tt-rss/update_daemon2.php "$@"
+sudo -E -u app "${TTRSS_PHP_EXECUTABLE}" /var/www/html/tt-rss/update_daemon2.php "$@"
-- 
cgit v1.2.3-54-g00ecf
From 6acec51a27bf07e6468054ad67decc4443d07a00 Mon Sep 17 00:00:00 2001
From: Dennis Gaida <2392217+DennisGaida@users.noreply.github.com>
Date: Fri, 10 Oct 2025 14:43:30 +0200
Subject: replace -f with -r and warning message update
---
 .docker/app/startup.sh | 5 ++---
 .docker/app/update.sh | 5 ++---
 .docker/app/updater.sh | 5 ++---
 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/.docker/app/startup.sh b/.docker/app/startup.sh
index 72ee24f80..fd2e92f97 100644
--- a/.docker/app/startup.sh
+++ b/.docker/app/startup.sh
@@ -27,13 +27,12 @@ for VAR in $(printenv | awk -F= '{print $1}'); do
 echo "warning: Both $ENV_VAR and $VAR are set. $VAR will override $ENV_VAR."
 fi
- if [[ -f "$ENV_FILE_NAME" ]]; then
+ if [[ -r "$ENV_FILE_NAME" ]]; then
 VALUE="$(cat "$ENV_FILE_NAME")"
 export "$ENV_VAR"="$VALUE"
 echo "$ENV_VAR environment variable was set by secret file $ENV_FILE_NAME"
 else
- echo "warning: Secret file $ENV_FILE_NAME for $VAR does not exist or is not a regular file."
-
+ echo "warning: Secret file $ENV_FILE_NAME for $VAR is not readable or does not exist."
 fi
 fi
 done
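Review bot: Replacing `-f` with `-r` lets directories through, because `-r` is true for any readable path: a `FOO__FILE=/run/secrets` that names the directory passes the test, `cat` then fails, and since `VALUE="$(cat "$ENV_FILE_NAME")"` carries the substitution's exit status the script dies on that line under `-e` with a bare cat error instead of reaching the warning (startup.sh's shebang/`set` line is outside the hunk; updater.sh runs with `#!/bin/sh -e`). Testing both keeps the new readability message and the regular-file guard: `if [[ -f "$ENV_FILE_NAME" && -r "$ENV_FILE_NAME" ]]; then`, with the message reading "is not a readable regular file or does not exist". Separately, a missing secret file now only warns and startup continues without the value; for credentials that is fail-open, so either a comment stating that this is intended (the app reports the missing value later) or an explicit `exit 1` would make the policy visible to operators.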
diff --git a/.docker/app/update.sh b/.docker/app/update.sh
index 5c056f0d2..4c89a7efc 100644
--- a/.docker/app/update.sh
+++ b/.docker/app/update.sh
@@ -22,13 +22,12 @@ for VAR in $(printenv | awk -F= '{print $1}'); do
 echo "warning: Both $ENV_VAR and $VAR are set. $VAR will override $ENV_VAR."
 fi
- if [[ -f "$ENV_FILE_NAME" ]]; then
+ if [[ -r "$ENV_FILE_NAME" ]]; then
 VALUE="$(cat "$ENV_FILE_NAME")"
 export "$ENV_VAR"="$VALUE"
 echo "$ENV_VAR environment variable was set by secret file $ENV_FILE_NAME"
 else
- echo "warning: Secret file $ENV_FILE_NAME for $VAR does not exist or is not a regular file."
-
+ echo "warning: Secret file $ENV_FILE_NAME for $VAR is not readable or does not exist."
 fi
 fi
 done
diff --git a/.docker/app/updater.sh b/.docker/app/updater.sh
index 78cc415c8..5d4d183b8 100644
--- a/.docker/app/updater.sh
+++ b/.docker/app/updater.sh
@@ -21,13 +21,12 @@ for VAR in $(printenv | awk -F= '{print $1}'); do
 echo "warning: Both $ENV_VAR and $VAR are set. $VAR will override $ENV_VAR."
 fi
- if [[ -f "$ENV_FILE_NAME" ]]; then
+ if [[ -r "$ENV_FILE_NAME" ]]; then
 VALUE="$(cat "$ENV_FILE_NAME")"
 export "$ENV_VAR"="$VALUE"
 echo "$ENV_VAR environment variable was set by secret file $ENV_FILE_NAME"
 else
- echo "warning: Secret file $ENV_FILE_NAME for $VAR does not exist or is not a regular file."
-
+ echo "warning: Secret file $ENV_FILE_NAME for $VAR is not readable or does not exist."
 fi
 fi
 done
-- 
cgit v1.2.3-54-g00ecf
From 22008fbb00352c19e128978f4f75ee5f1f346cf8 Mon Sep 17 00:00:00 2001
From: Dennis Gaida <2392217+DennisGaida@users.noreply.github.com>
Date: Fri, 10 Oct 2025 15:15:11 +0200
Subject: merged with current version from main branch
---
 .docker/app/startup.sh | 6 ++++++
 .docker/app/updater.sh | 17 ++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/.docker/app/startup.sh b/.docker/app/startup.sh
index fd2e92f97..535d9f4ab 100644
--- a/.docker/app/startup.sh
+++ b/.docker/app/startup.sh
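Review bot: Same point as for startup.sh: `[[ -r "$ENV_FILE_NAME" ]]` in both the update.sh and updater.sh hunks accepts a readable directory, after which `cat` fails and, in updater.sh at least (`#!/bin/sh -e`), the script exits on the `VALUE=` assignment rather than falling into the warning branch. `if [[ -f "$ENV_FILE_NAME" && -r "$ENV_FILE_NAME" ]]; then` keeps both checks, and the warning text should then say "readable regular file".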
@@ -120,6 +120,12 @@ if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]; then
 https://gitlab.tt-rss.org/tt-rss/plugins/ttrss-*.git)
 NEW_ORIGIN_URL="https://github.com/tt-rss/tt-rss-plugin-${ORIGIN_URL#'https://gitlab.tt-rss.org/tt-rss/plugins/ttrss-'}"
 ;;
+ https://dev.tt-rss.org/tt-rss/ttrss-*.git)
+ NEW_ORIGIN_URL="https://github.com/tt-rss/tt-rss-plugin-${ORIGIN_URL#'https://dev.tt-rss.org/tt-rss/ttrss-'}"
+ ;;
+ https://dev.tt-rss.org/tt-rss/plugins/ttrss-*.git)
+ NEW_ORIGIN_URL="https://github.com/tt-rss/tt-rss-plugin-${ORIGIN_URL#'https://dev.tt-rss.org/tt-rss/plugins/ttrss-'}"
+ ;;
 *)
 NEW_ORIGIN_URL=""
 ;;
diff --git a/.docker/app/updater.sh b/.docker/app/updater.sh
index 5d4d183b8..c38ddd20d 100644
--- a/.docker/app/updater.sh
+++ b/.docker/app/updater.sh
@@ -1,4 +1,7 @@
 #!/bin/sh -e
+#
+# this scripts waits for startup.sh to finish (implying a shared volume) and runs multiprocess daemon when working copy is available
+#
 # We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures)
 unset HTTP_PORT
@@ -36,9 +39,12 @@ sleep 30
 if ! id app; then
 addgroup -g $OWNER_GID app
- adduser -D -h /var/www/html -G app -u $OWNER_UID app
+ adduser -D -h $APP_INSTALL_BASE_DIR -G app -u $OWNER_UID app
 fi
+update-ca-certificates || true
+
+# TODO this should do a reasonable amount of attempts and terminate with an error
 while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER -p $TTRSS_DB_PORT; do
 echo waiting until $TTRSS_DB_HOST is ready...
 sleep 3
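Review bot: The two new `case` arms repeat the shape of the gitlab arm above them, each stripping a different literal prefix with `${ORIGIN_URL#'...'}` and appending the remainder to the same GitHub base; since the remainder is in every arm what follows the last `ttrss-`, one arm `https://gitlab.tt-rss.org/tt-rss/*ttrss-*.git|https://dev.tt-rss.org/tt-rss/*ttrss-*.git) NEW_ORIGIN_URL="https://github.com/tt-rss/tt-rss-plugin-${ORIGIN_URL##*/ttrss-}" ;;` covers these visible arms (slightly more broadly, as `*` also admits other intermediate path segments). The `case` and the enclosing `if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]` start before the hunk, so whether the rewritten origin is logged cannot be seen here; silently repointing a plugin's git remote to another host is a supply-chain decision, and a line such as `echo "plugin origin $ORIGIN_URL rewritten to $NEW_ORIGIN_URL"` at the point of rewrite would let operators audit it.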
@@ -47,11 +53,16 @@ done
 sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
 /etc/php${PHP_SUFFIX}/php.ini
-DST_DIR=/var/www/html/tt-rss
+DST_DIR=$APP_INSTALL_BASE_DIR/tt-rss
 while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do
 echo waiting for app container...
 sleep 3
 done
-sudo -E -u app "${TTRSS_PHP_EXECUTABLE}" /var/www/html/tt-rss/update_daemon2.php "$@"
+# this is some next level bullshit
+# - https://stackoverflow.com/questions/65622914/why-would-i-get-a-php-pdoexception-complaining-that-it-cant-make-a-postgres-con
+# - fatal error: could not open certificate file "/root/.postgresql/postgresql.crt": Permission denied
+chown -R app:app /root # /.postgresql
+
+sudo -E -u app "${TTRSS_PHP_EXECUTABLE}" $APP_INSTALL_BASE_DIR/tt-rss/update_daemon2.php "$@"
-- 
cgit v1.2.3-54-g00ecf
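Review bot: `chown -R app:app /root # /.postgresql` hands the unprivileged `app` user ownership of root's entire home directory, not only the client certificate the comment says PHP fails to open; anything root later reads from /root in this container (shell dotfiles, other key material) becomes writable by the account that runs the web code. Limiting it to the certificate directory, `chown -R app:app /root/.postgresql`, or copying those files into the app user's home and pointing libpq at them via `PGSSLCERT`/`PGSSLKEY`/`PGSSLROOTCERT` in the environment that `sudo -E` passes through, gives PHP the same access with a much smaller blast radius. This hunk restores the line from the main branch rather than introducing it, so the remark is about the merged result; the `sudo -E` on the last line also forwards every secret the `__FILE` loop exported above, which is the intent but worth a comment.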