Merge branch 'develop' into 'master'

Develop

See merge request passbolt/passbolt_docker!211

.gitlab-ci/Jobs/docker-compose-file-upload.yml

@@ -1,6 +1,6 @@
 .upload-files:
   stage: upload-assets
-  image: registry.gitlab.com/passbolt/passbolt-ci-docker-images/gcloud
+  image: gcr.io/google.com/cloudsdktool/google-cloud-cli:latest
   variables:
     BUCKET: "gs://download.passbolt.com"
     PREFIX: "ce/docker"

.gitlab-ci/Jobs/entrypoint_test.yml

@@ -1,7 +1,7 @@
 entrypoint-tests:
   extends: .rules
   stage: test
-  image: registry.gitlab.com/passbolt/passbolt-ci-docker-images/debian-bullseye-11-slim:latest
+  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/debian:bullseye-slim
   before_script:
     - apt update && apt install curl git -y
     - curl -fsSL https://git.io/shellspec | sh -s -- --yes

.gitlab-ci/Jobs/test_images.yaml

@@ -1,16 +1,16 @@
 services:
-  - name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/dind:latest
+  - name: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind
     alias: docker
     command: ["--tls=false"]
 
 .test-images:
   extends: .rules
   stage: test
-  image:
-    name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/ruby:latest
+  image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/ruby:slim-bookworm
   script:
-    - bundle install
-    - rake spec:$TEST_NAME
+    - |
+      bundle install
+      rake spec:$TEST_NAME
   variables:
     PASSBOLT_COMPONENT: stable
     PASSBOLT_FLAVOUR: ce
@@ -40,7 +40,7 @@ ce-docker-runtime-no-envs:
   variables:
     TEST_NAME: docker_runtime_no_envs
 
-ce-docker-runtime-no-envs:
+ce-docker-runtime-with-passbolt-php:
   extends: .test-images
   variables:
     TEST_NAME: docker_runtime_with_passbolt_php

.gitlab-ci/Jobs/test_vulnerabilities.yaml

@@ -2,7 +2,7 @@
   extends: .rules
   stage: test-vulnerabilities
   image:
-    name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/aquasec:latest
+    name: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/aquasec/trivy:latest
     entrypoint: [""]
   variables:
     TRIVY_USERNAME: $CI_REGISTRY_USER

conf/php/zz-docker.conf

@@ -0,0 +1,9 @@
+[global]
+error_log = /proc/self/fd/2
+; https://github.com/docker-library/php/pull/725#issuecomment-443540114
+log_limit = 8192
+
+[www]
+catch_workers_output = yes
+decorate_workers_output = no
+

debian/Dockerfile

@@ -26,6 +26,7 @@ ENV PHP_VERSION=8.2
 ENV GNUPGHOME=/var/lib/passbolt/.gnupg
 ENV PASSBOLT_FLAVOUR=$PASSBOLT_FLAVOUR
 ENV PASSBOLT_PKG="passbolt-$PASSBOLT_FLAVOUR-server"
+ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update \
@@ -53,22 +54,20 @@ RUN apt-get update \
   && sed -i 's,www-data.*$,root su -s /bin/bash -c ". /etc/environment \&\& $PASSBOLT_BASE_DIR/bin/cron" www-data >/proc/1/fd/1 2>\&1,' /etc/cron.d/$PASSBOLT_PKG \
   && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \
   && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
-  && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
-  && ln -sf /dev/stderr /var/log/passbolt/error.log \
-  && ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log
+  && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log
 
 COPY conf/supervisor/cron.conf /etc/supervisor/conf.d/cron.conf
 COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
 COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
+COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf
+
 COPY scripts/entrypoint/docker-entrypoint.sh /docker-entrypoint.sh
 COPY scripts/entrypoint/passbolt/entrypoint.sh /passbolt/entrypoint.sh
 COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh
 COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
 COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
-# Docker API does not support buildkit so we
-# need to do this workaround https://github.com/docker/for-linux/issues/1136
 RUN chmod 0644 /etc/supervisor/conf.d/* \
   && chmod 0700 /docker-entrypoint.sh \
   && chmod 0700 /passbolt/* \

debian/Dockerfile.rootless

@@ -35,6 +35,7 @@ ENV SUPERCRONIC_VERSION=0.2.28
 ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v${SUPERCRONIC_VERSION}/supercronic-linux-${SUPERCRONIC_ARCH} \
   SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH}
 ENV PASSBOLT_FLAVOUR="${PASSBOLT_FLAVOUR}"
+ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency"
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -98,8 +99,6 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
   && chown -R www-data:0 /var/log/nginx \
   && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
   && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
-  && ln -sf /dev/stderr /var/log/passbolt/error.log \
-  && ln -sf /dev/stderr /var/log/php$PHP_VERSION-fpm.log \
   && chown -R www-data:0 /var/log/supervisor \
   && touch /var/www/.profile \
   && chown www-data:www-data /var/www/.profile \
@@ -109,15 +108,14 @@ RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.
   && chown www-data:www-data /etc/environment \
   && chmod 600 /etc/environment
 
+COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf
 COPY scripts/entrypoint/docker-entrypoint.rootless.sh /docker-entrypoint.sh
 COPY scripts/entrypoint/passbolt/entrypoint-rootless.sh /passbolt/entrypoint-rootless.sh
 COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh
 COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
 COPY scripts/entrypoint/passbolt/entropy.sh /passbolt/entropy.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
-# Docker API does not support buildkit so we
-# need to do this workaround https://github.com/docker/for-linux/issues/1136
 RUN chmod 0644 /etc/supervisor/conf.d/* \
   && chmod 0755 /docker-entrypoint.sh \
   && chmod 0755 /passbolt/* \

dev/docker-compose-dev.yaml

@@ -1,8 +1,7 @@
-version: '3.9'
 services:
 
   db:
-    image: mariadb:10.3
+    image: mariadb:10.11
     container_name: db
     env_file:
       - env/mysql.env

docker-compose/docker-compose-ce-postgresql.yaml

@@ -1,4 +1,3 @@
-version: "3.7"
 services:
   db:
     image: postgres:latest

docker-compose/docker-compose-ce.yaml

@@ -1,4 +1,3 @@
-version: "3.9"
 services:
   db:
     image: mariadb:10.11

docker-compose/docker-compose-pro.yaml

@@ -1,4 +1,3 @@
-version: "3.9"
 services:
   db:
     image: mariadb:10.11

spec/docker_runtime/runtime_spec.rb

@@ -3,13 +3,9 @@
 describe 'passbolt_api service' do
   before(:all) do
     @mysql_image =
-      if ENV['GITLAB_CI']
-        Docker::Image.create(
-          'fromImage' => 'registry.gitlab.com/passbolt/passbolt-ci-docker-images/mariadb-10.3:latest'
-        )
-      else
-        Docker::Image.create('fromImage' => 'mariadb:latest')
-      end
+      Docker::Image.create(
+        'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : 'mariadb:10.11'
+      )
 
     @mysql = Docker::Container.create(
       'Env' => [
@@ -21,7 +17,7 @@
       'Healthcheck' => {
         "Test": [
           'CMD-SHELL',
-          'mysqladmin ping --silent'
+          'mariadb-admin ping --silent'
         ]
       },
       'Image' => @mysql_image.id
@@ -31,31 +27,25 @@
 
     sleep 1 while @mysql.json['State']['Health']['Status'] != 'healthy'
 
-    if ENV['GITLAB_CI']
-      Docker.authenticate!(
-        'username' => ENV['CI_REGISTRY_USER'].to_s,
-        'password' => ENV['CI_REGISTRY_PASSWORD'].to_s,
-        'serveraddress' => 'https://registry.gitlab.com/'
-      )
-      @image =
-        if ENV['ROOTLESS'] == 'true'
-          Docker::Image.create(
-            'fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-rootless-latest"
-          )
-        else
-          Docker::Image.create(
-            'fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-root-latest"
-          )
-        end
-    else
-      @image = Docker::Image.build_from_dir(
-        ROOT_DOCKERFILES,
-        {
-          'dockerfile' => $dockerfile,
-          'buildargs' => JSON.generate($buildargs)
-        }
-      )
-    end
+    @image = if ENV['GITLAB_CI']
+               if ENV['ROOTLESS'] == 'true'
+                 Docker::Image.create(
+                   'fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-rootless-latest"
+                 )
+               else
+                 Docker::Image.create(
+                   'fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-root-latest"
+                 )
+               end
+             else
+               Docker::Image.build_from_dir(
+                 ROOT_DOCKERFILES,
+                 {
+                   'dockerfile' => $dockerfile,
+                   'buildargs' => JSON.generate($buildargs)
+                 }
+               )
+             end
 
     @container = Docker::Container.create(
       'Env' => [

spec/docker_runtime_no_envs/runtime_no_envs_spec.rb

@@ -2,11 +2,11 @@
 
 describe 'passbolt_api service' do
   before(:all) do
-    if ENV['GITLAB_CI']
-      @mysql_image = Docker::Image.create('fromImage' => 'registry.gitlab.com/passbolt/passbolt-ci-docker-images/mariadb-10.3:latest')
-    else
-      @mysql_image = Docker::Image.create('fromImage' => 'mariadb:latest')
-    end
+    @mysql_image =
+      Docker::Image.create(
+        'fromImage' => ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX'] ? "#{ENV['CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX']}/mariadb:10.11" : 'mariadb:10.11'
+      )
+
     @mysql = Docker::Container.create(
       'Env' => [
         'MARIADB_ROOT_PASSWORD=test',
@@ -17,7 +17,7 @@
       'Healthcheck' => {
         "Test": [
           'CMD-SHELL',
-          'mysqladmin ping --silent'
+          'mariadb-admin ping --silent'
         ]
       },
       'Image' => @mysql_image.id
@@ -27,11 +27,6 @@
     sleep 1 while @mysql.json['State']['Health']['Status'] != 'healthy'
 
     if ENV['GITLAB_CI']
-      Docker.authenticate!(
-        'username' => ENV['CI_REGISTRY_USER'].to_s,
-        'password' => ENV['CI_REGISTRY_PASSWORD'].to_s,
-        'serveraddress' => 'https://registry.gitlab.com/'
-      )
       @image = if ENV['ROOTLESS'] == 'true'
                  Docker::Image.create('fromImage' => "#{ENV['CI_REGISTRY_IMAGE']}:#{ENV['PASSBOLT_FLAVOUR']}-rootless-latest")
                else
@@ -67,8 +62,8 @@
   end
 
   let(:passbolt_host)     { @container.json['NetworkSettings']['IPAddress'] }
-  let(:uri)               { '/healthcheck/status.json' }
-  let(:curl)              { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
+  let(:uri)               { '/install' }
+  let(:curl)              { "curl -skL -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
 
   describe 'php service' do
     it 'is running supervised' do
@@ -96,14 +91,15 @@
     end
   end
 
-  describe 'passbolt status' do
-    it 'returns 200' do
-      expect(command(curl).stdout).to eq '200'
+  describe 'passbolt install' do
+    it 'shows correctly' do
+      expect(command(curl).stdout).to match(/.*Passbolt is not configured yet!.*/)
     end
   end
 
   describe 'can not access outside webroot' do
     let(:uri) { '/vendor/autoload.php' }
+    let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}:#{$https_port}/#{uri}" }
     it 'returns 404' do
       expect(command(curl).stdout).to eq '404'
     end