docker-mailserver/target/scripts/startup/setup.d/mail_state.sh


#!/bin/bash
# Consolidate all states into a single directory
# (/var/mail-state) to allow persistence using docker volumes
function _setup_save_states() {
local DEST DESTDIR STATEDIR SERVICEDIR SERVICEDIRS SERVICEFILE SERVICEFILES
STATEDIR='/var/mail-state'
if [[ ${ONE_DIR} -eq 1 ]] && [[ -d ${STATEDIR} ]]; then
_log 'debug' "Consolidating all state onto ${STATEDIR}"
# Always enabled features:
SERVICEDIRS=(
lib/logrotate
lib/postfix
spool/postfix
)
# Only consolidate state for services that are enabled
# Notably avoids copying over 200MB for the ClamAV database
[[ ${ENABLE_AMAVIS} -eq 1 ]] && SERVICEDIRS+=('lib/amavis')
[[ ${ENABLE_CLAMAV} -eq 1 ]] && SERVICEDIRS+=('lib/clamav')
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && SERVICEDIRS+=('lib/fail2ban')
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && SERVICEDIRS+=('lib/fetchmail')
[[ ${ENABLE_GETMAIL} -eq 1 ]] && SERVICEDIRS+=('lib/getmail')
[[ ${ENABLE_POSTGREY} -eq 1 ]] && SERVICEDIRS+=('lib/postgrey')
[[ ${ENABLE_RSPAMD} -eq 1 ]] && SERVICEDIRS+=('lib/rspamd')
[[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && SERVICEDIRS+=('lib/redis')
[[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && SERVICEDIRS+=('lib/spamassassin')
[[ ${ENABLE_SRS} -eq 1 ]] && SERVICEDIRS+=('lib/postsrsd')
[[ ${SMTP_ONLY} -ne 1 ]] && SERVICEDIRS+=('lib/dovecot')
# Single service files
[[ ${ENABLE_SRS} -eq 1 ]] && SERVICEFILES+=('/etc/postsrsd.secret')
for SERVICEFILE in "${SERVICEFILES[@]}"; do
DEST="${STATEDIR}/${SERVICEFILE}"
DESTDIR="${DEST%/*}"
mkdir -p "${DESTDIR}"
if [[ -f ${DEST} ]]; then
_log 'trace' "Destination ${DEST} exists, linking ${SERVICEFILE} to it"
# Original content from image no longer relevant, remove it:
rm -f "${SERVICEFILE}"
elif [[ -f "${SERVICEFILE}" ]]; then
_log 'trace' "Moving ${SERVICEFILE} to ${DEST}"
# Empty volume was mounted, or new content from enabling a feature ENV:
mv "${SERVICEFILE}" "${DEST}"
fi
# Symlink the original file in the container ($SERVICEFILE) to be
# sourced from assocaiated path in /var/mail-state/ ($DEST):
ln -s "${DEST}" "${SERVICEFILE}"
done
for SERVICEDIR in "${SERVICEDIRS[@]}"; do
DEST="${STATEDIR}/${SERVICEDIR//\//-}"
SERVICEDIR="/var/${SERVICEDIR}"
# If relevant content is found in /var/mail-state (presumably a volume mount),
# use it instead. Otherwise copy over any missing directories checked.
if [[ -d ${DEST} ]]; then
_log 'trace' "Destination ${DEST} exists, linking ${SERVICEDIR} to it"
# Original content from image no longer relevant, remove it:
rm -rf "${SERVICEDIR}"
elif [[ -d ${SERVICEDIR} ]]; then
_log 'trace' "Moving contents of ${SERVICEDIR} to ${DEST}"
# Empty volume was mounted, or new content from enabling a feature ENV:
mv "${SERVICEDIR}" "${DEST}"
fi
# Symlink the original path in the container ($SERVICEDIR) to be
# sourced from assocaiated path in /var/mail-state/ ($DEST):
ln -s "${DEST}" "${SERVICEDIR}"
done
# This ensures the user and group of the files from the external mount have their
# numeric ID values in sync. New releases where the installed packages order changes
# can change the values in the Docker image, causing an ownership mismatch.
# NOTE: More details about users and groups added during image builds are documented here:
# https://github.com/docker-mailserver/docker-mailserver/pull/3011#issuecomment-1399120252
_log 'trace' "Fixing ${STATEDIR}/* permissions"
[[ ${ENABLE_AMAVIS} -eq 1 ]] && chown -R amavis:amavis "${STATEDIR}/lib-amavis"
[[ ${ENABLE_CLAMAV} -eq 1 ]] && chown -R clamav:clamav "${STATEDIR}/lib-clamav"
[[ ${ENABLE_FETCHMAIL} -eq 1 ]] && chown -R fetchmail:nogroup "${STATEDIR}/lib-fetchmail"
[[ ${ENABLE_POSTGREY} -eq 1 ]] && chown -R postgrey:postgrey "${STATEDIR}/lib-postgrey"
[[ ${ENABLE_RSPAMD} -eq 1 ]] && chown -R _rspamd:_rspamd "${STATEDIR}/lib-rspamd"
[[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && chown -R redis:redis "${STATEDIR}/lib-redis"
[[ ${ENABLE_SPAMASSASSIN} -eq 1 ]] && chown -R debian-spamd:debian-spamd "${STATEDIR}/lib-spamassassin"
chown -R root:root "${STATEDIR}/lib-logrotate"
chown -R postfix:postfix "${STATEDIR}/lib-postfix"
# NOTE: The Postfix spool location has mixed owner/groups to take into account:
# UID = postfix(101): active, bounce, corrupt, defer, deferred, flush, hold, incoming, maildrop, private, public, saved, trace
# UID = root(0): dev, etc, lib, pid, usr
# GID = postdrop(103): maildrop, public
# GID for all other directories is root(0)
# NOTE: `spool-postfix/private/` will be set to `postfix:postfix` when Postfix starts / restarts
# Set most common ownership:
chown -R postfix:root "${STATEDIR}/spool-postfix"
chown root:root "${STATEDIR}/spool-postfix"
# These two require the postdrop(103) group:
chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}
# These permissions rely on the `postdrop` binary having the SGID bit set.
# Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3625
chmod 730 "${STATEDIR}/spool-postfix/maildrop"
chmod 710 "${STATEDIR}/spool-postfix/public"
elif [[ ${ONE_DIR} -eq 1 ]]; then
_log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
else
_log 'debug' 'Not consolidating state (because it has been disabled)'
fi
}