Server-a001 updates. There are 7 patches in this series. Everyone who was involved in the recent changes is CC'ed.

1. Use nginx from Ubuntu for simplicity.

The custom nginx package has a different directory structure. It confuses me when migrating the old data to this new docker container. Just use the nginx that Ubuntu provides.

2. Add vmail storage directory.

vmail will contain the mailbox data for each user. It should be mounted from the host to make the backup process easy and so that it won't be destroyed when the container is dead.

3. Dockerfile: Upgrade the Ubuntu version to 22.04.

Ubuntu 22.04 (jammy) has been released; upgrade the base image.

4. Dockerfile: Set the default main user to "ubuntu".

The usual main user name on an Ubuntu server is "ubuntu". Adjust it to that.

5. Add an installer script to simplify the docker image installation.

6. Create a simple init program.

Using "tail -f /dev/null" as the init program is wrong because it doesn't handle the SIGCHLD signal, resulting in many zombie processes like these:

Zs [master] <defunct>
Z [qmgr] <defunct>
Zs [dovecot] <defunct>
Z [anvil] <defunct>
Z [log] <defunct>
Z [config] <defunct>
Z [tlsmgr] <defunct>
Z [stats] <defunct>
Z [imap-login] <defunct>
Z [imap] <defunct>
Z [imap-login] <defunct>
Z [imap] <defunct>
Z [imap-login] <defunct>
Z [imap] <defunct>
Z [pickup] <defunct>
Zs [dovecot] <defunct>
Z [anvil] <defunct>
Z [log] <defunct>
Z [config] <defunct>
Z [imap-login] <defunct>
Z [stats] <defunct>
Z [imap] <defunct>

Create a simple init program that ignores SIGCHLD so that the zombie processes are gone.

7. docker-entrypoint: Properly set directory ownership and mode.

When the container is restarted, the ownership and mode of the mounted directories might have changed. Ensure we correct them properly at initialization. While in there, also replace "service rsyslog start" with a direct invocation of "/usr/sbin/rsyslogd". On Ubuntu 22.04, it can't be started using service:

# service rsyslog start
rsyslog: unrecognized service

Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---
Ammar Faizi (7):
Use nginx from Ubuntu for simplicity
start.sh: Add vmail storage directory
Dockerfile: Upgrade the Ubuntu version to 22.04 (jammy)
Dockerfile: Set the default main user to "ubuntu"
Add an installer script
Create a simple init program
docker-entrypoint: Properly set directory ownership and mode

.gitignore | 1 +
Dockerfile | 29 ++++++++++++-----------------
apt-sources/nginx.list | 2 --
docker-entrypoint.sh | 15 ++++++++++++---
init.c | 15 +++++++++++++++
install.sh | 5 +++++
start.sh | 6 +++++-
7 files changed, 50 insertions(+), 23 deletions(-)
delete mode 100644 apt-sources/nginx.list
create mode 100644 init.c
create mode 100755 install.sh

base-commit: dff27b4c7f105d30824fc3b54ef40f7870332a50
--
Ammar Faizi
The custom nginx package has a different directory structure. It confuses me when migrating the old data to this new docker container. Just use the nginx that Ubuntu provides.

Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- Dockerfile | 20 +++++++------------- apt-sources/nginx.list | 2 -- 2 files changed, 7 insertions(+), 15 deletions(-) delete mode 100644 apt-sources/nginx.list diff --git a/Dockerfile b/Dockerfile index 92d79f31f3f888e9..721ef4de494e186e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,10 @@ ARG DEBIAN_FRONTEND=noninteractive RUN yes | unminimize # Install base packages -RUN apt-get update && apt-get -y --no-install-recommends install ca-certificates gnupg htop ncurses-term vim software-properties-common sudo wget net-tools rsyslog +RUN apt-get update && apt-get -y --no-install-recommends install \ + ca-certificates gnupg htop ncurses-term vim \ + software-properties-common sudo wget net-tools rsyslog \ + openssh-server nginx mysql-server # Change root password, and create main user RUN echo "root:${rootPassword}" | chpasswd \ @@ -21,17 +24,6 @@ RUN echo "root:${rootPassword}" | chpasswd \ && usermod -aG sudo ${mainUser} \ && sed -i /etc/sudoers -re '/%sudo ALL=(ALL:ALL) ALL/s/^#//g' -# Copy additional apt sources -COPY apt-sources/* /etc/apt/sources.list.d - -# Install server components -RUN apt-key adv --fetch-keys https://nginx.org/keys/nginx_signing.key \ - && apt-get update \ - && apt-get -y --no-install-recommends install openssh-server nginx mysql-server - -# Mark port 48589/tcp is to be exposed -EXPOSE 48589/tcp 25/tcp 25/tcp 465/tcp 587/tcp 143/tcp 993/tcp - # Apply SSH config and add public keys COPY etc/ssh/sshd_config /etc/ssh/sshd_config RUN rm -rf /root/.ssh /home/${mainUser}/.ssh
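Review bot: the second Dockerfile hunk (@@ -21,17 +24,6 @@) also deletes the `EXPOSE 48589/tcp 25/tcp 25/tcp 465/tcp 587/tcp 143/tcp 993/tcp` line, which the commit message does not mention. Dropping the nginx.org apt source and the `apt-key adv --fetch-keys` step is what the message describes; removing the EXPOSE metadata is an unrelated change (the duplicated `25/tcp` in it was a separate nit). Either keep the EXPOSE line in this patch or split its removal into its own patch with a one-line explanation.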
@@ -45,7 +37,9 @@ RUN chown -R root:root /root/.ssh \ # Mailserver RUN apt update \ - && apt -y --no-install-recommends install postfix postfix-mysql postfix-policyd-spf-python dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql opendkim opendmarc + && apt -y --no-install-recommends install postfix postfix-mysql \ + postfix-policyd-spf-python dovecot-core dovecot-imapd \ + dovecot-lmtpd dovecot-mysql opendkim opendmarc COPY mailserver /root/mailserver RUN --mount=type=secret,required=true,id=config /root/mailserver/setup.sh diff --git a/apt-sources/nginx.list b/apt-sources/nginx.list deleted file mode 100644 index 4ae2224978c48157..0000000000000000 --- a/apt-sources/nginx.list +++ /dev/null @@ -1,2 +0,0 @@ -deb https://nginx.org/packages/ubuntu/ focal nginx -deb-src https://nginx.org/packages/ubuntu/ focal nginx \ No newline at end of file -- Ammar Faizi
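Review bot: the mailserver hunk (@@ -45,7 +37,9 @@) keeps `apt update` / `apt -y ... install` while the base-package RUN earlier in the same file now uses `apt-get`; apt's CLI is meant for interactive use and prints a stability warning when scripted, so use `apt-get` in both RUN lines for consistency. On the deleted apt-sources/nginx.list: it pinned the `focal` nginx.org repository, so it would also have become wrong once the base image moves to jammy later in this series; removing it before that switch is the right order.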
vmail will contain the mailbox data for each user. It should be mounted from the host to make the backup process easy and won't be destroyed when the container is dead. Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- start.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/start.sh b/start.sh index 706c3626f4a22a95..70e72b629a4d6e84 100755 --- a/start.sh +++ b/start.sh @@ -5,16 +5,19 @@ HOSTNAME="gnuweeb.org"; CONTAINER_NAME="server-a001-ct"; MYSQL_DATA_DIR="./storage/mysql_data"; KEYS_DIR="./storage/keys"; +VMAIL_DIR="./storage/vmail"; SSL_KEYS_DIR="./storage/ssl"; DKIM_KEYS_DIR="./storage/dkim"; -mkdir -pv "$MYSQL_DATA_DIR"; +mkdir -pv "${MYSQL_DATA_DIR}"; mkdir -pv "${KEYS_DIR}/ssl"; mkdir -pv "${KEYS_DIR}/dkim"; +mkdir -pv "${VMAIL_DIR}"; MYSQL_DATA_DIR="$(readlink -e "${MYSQL_DATA_DIR}")"; KEYS_DIR="$(readlink -e "${KEYS_DIR}")"; +VMAIL_DIR="$(readlink -e ${VMAIL_DIR})"; CMD="$1"; @@ -30,6 +33,7 @@ if [[ "${CMD}" == "run" ]]; then --hostname "${HOSTNAME}" \ --mount "type=volume,dst=/var/keys,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=${KEYS_DIR}" \ --mount "type=volume,dst=/var/lib/mysql,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=${MYSQL_DATA_DIR}" \ + --mount "type=volume,dst=/var/vmail,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=${VMAIL_DIR}" \ --tty \ --interactive \ --detach \ -- Ammar Faizi
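Review bot: in the first start.sh hunk, `VMAIL_DIR="$(readlink -e ${VMAIL_DIR})"` leaves the argument unquoted, unlike the `MYSQL_DATA_DIR` and `KEYS_DIR` lines directly above it; a path containing whitespace or glob characters would be word-split before readlink sees it, and the bind mount `volume-opt=device=${VMAIL_DIR}` in the second hunk would then point somewhere else. Quote it as `VMAIL_DIR="$(readlink -e "${VMAIL_DIR}")"` to match the other two.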
Ubuntu 22.04 (jammy) has been released, upgrade the base image. Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 721ef4de494e186e..b54745737a6c24ff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:focal as base +FROM ubuntu:jammy as base # Build args ARG rootPassword=somerootpassword -- Ammar Faizi
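Review bot: this one-line switch to `FROM ubuntu:jammy as base` is the point where the tree stops working: the cover letter says that on Ubuntu 22.04 `service rsyslog start` fails with `rsyslog: unrecognized service`, but the fix (`/usr/sbin/rsyslogd` in docker-entrypoint.sh) only lands in patch 7, so patches 3 through 6 build an image whose entrypoint fails at the logging step. Move the rsyslogd change ahead of this patch, or fold it into this one, to keep the series bisectable. Since `jammy` is a floating tag, consider also pinning the base image by digest so rebuilds are reproducible.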
The usual main user name on an Ubuntu server is "ubuntu". Adjust it to that.

Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index b54745737a6c24ff..7bc54e0afb43d8ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM ubuntu:jammy as base # Build args ARG rootPassword=somerootpassword -ARG mainUser=user +ARG mainUser=ubuntu ARG mainUserPassword=someuserpassword # Tell apt that DEBIAN_FRONTEND is noninteractive -- Ammar Faizi
To simplify the docker image installation. Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- install.sh | 4 ++++ 1 file changed, 4 insertions(+) create mode 100755 install.sh diff --git a/install.sh b/install.sh new file mode 100755 index 0000000000000000..652861d263a698dc --- /dev/null +++ b/install.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +set -e; +DOCKER_BUILDKIT=1 docker build --secret id=config -t server-a001 .; -- Ammar Faizi
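Review bot: install.sh builds with `.` as the build context, so it only works when invoked from the repository root; add `cd "$(dirname "$0")"` after `set -e` so the script can be run from anywhere (the trailing semicolons after `set -e` and the docker command are unnecessary in bash). The script also hard-codes `DOCKER_BUILDKIT=1`, which the Dockerfile's `RUN --mount=type=secret` requires; a one-line comment saying so would help the next reader.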
Using "tail -f /dev/null" as the init program is wrong because it doesn't handle the SIGCHLD signal, resulting in many zombie processes like these:

Zs 08:30 0:00 [master] <defunct>
Z 08:30 0:00 [qmgr] <defunct>
Zs 08:30 0:00 [dovecot] <defunct>
Z 08:30 0:00 [anvil] <defunct>
Z 08:30 0:00 [log] <defunct>
Z 08:30 0:00 [config] <defunct>
Z 08:30 0:00 [tlsmgr] <defunct>
Z 08:30 0:00 [stats] <defunct>
Z 08:33 0:00 [imap-login] <defunct>
Z 08:33 0:00 [imap] <defunct>
Z 08:33 0:00 [imap-login] <defunct>
Z 08:33 0:00 [imap] <defunct>
Z 08:39 0:01 [imap-login] <defunct>
Z 08:39 0:03 [imap] <defunct>
Z 11:50 0:00 [pickup] <defunct>
Zs 12:31 0:00 [dovecot] <defunct>
Z 12:31 0:00 [anvil] <defunct>
Z 12:31 0:00 [log] <defunct>
Z 12:31 0:00 [config] <defunct>
Z 12:31 0:00 [imap-login] <defunct>
Z 12:31 0:00 [stats] <defunct>
Z 12:31 0:00 [imap] <defunct>

Create a simple init program that ignores SIGCHLD so that the zombie processes are gone.

Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- .gitignore | 1 + Dockerfile | 5 +++-- init.c | 15 +++++++++++++++ install.sh | 1 + 4 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 init.c diff --git a/.gitignore b/.gitignore index 50cf6dedd170238f..bceb5ce4098add1a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /config +/init diff --git a/Dockerfile b/Dockerfile index 7bc54e0afb43d8ce..3492aa0408b7b5a3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,10 +41,11 @@ RUN apt update \ postfix-policyd-spf-python dovecot-core dovecot-imapd \ dovecot-lmtpd dovecot-mysql opendkim opendmarc +COPY init /bin/gwinitd COPY mailserver /root/mailserver RUN --mount=type=secret,required=true,id=config /root/mailserver/setup.sh - +RUN chmod -v +x /bin/gwinitd COPY docker-entrypoint.sh / ENTRYPOINT [ "/docker-entrypoint.sh" ] -CMD [ "tail", "-f", "/dev/null" ] +CMD [ "/bin/gwinitd" ] diff --git a/init.c b/init.c new file mode 100644 index 0000000000000000..adc67275dd3414c0 --- /dev/null +++ b/init.c
@@ -0,0 +1,15 @@ +#include <signal.h> +#include <unistd.h> + +int main(void) +{ + struct sigaction a = { .sa_handler = SIG_IGN }; + + if (sigaction(SIGCHLD, &a, NULL) < 0) + return 1; + + while (1) + sleep(1000000); + + return 0; +} diff --git a/install.sh b/install.sh index 652861d263a698dc..dea60516f2e27512 100755 --- a/install.sh +++ b/install.sh @@ -1,4 +1,5 @@ #!/bin/bash set -e; +gcc -Wall -Wextra -Os init.c -o init; DOCKER_BUILDKIT=1 docker build --secret id=config -t server-a001 .; -- Ammar Faizi
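Review bot: init.c only ignores SIGCHLD and installs no handler for SIGTERM. Because it runs as PID 1 of the container's PID namespace, the kernel will not deliver a signal to it unless a handler is installed (SIGKILL and SIGSTOP from the parent namespace excepted), so `docker stop` will wait out its timeout and then SIGKILL the whole process tree, taking down postfix, dovecot and mysql without a clean shutdown. Suggest a SIGTERM handler that runs the matching `service ... stop` commands for everything docker-entrypoint.sh starts (or at minimum `kill(-1, SIGTERM)` followed by a bounded wait) before exiting. The `while (1) sleep(1000000);` loop could also be `for (;;) pause();`, which parks the process until a signal arrives instead of waking every ~11 days.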
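Review bot: the install.sh hunk compiles init.c with the host toolchain (`gcc -Wall -Wextra -Os init.c -o init`) and the Dockerfile hunk then `COPY`s that binary into the ubuntu:jammy image; a binary linked against a newer host glibc can refuse to start inside jammy with a symbol-version error, and a host without gcc cannot build the image at all. Either add `-static` to the gcc line or compile init.c in a build stage inside the Dockerfile, which also removes the need for the new `/init` entry in .gitignore. Since `COPY init /bin/gwinitd` keeps the source file's mode, the separate `RUN chmod -v +x /bin/gwinitd` layer could become `COPY --chmod=755 init /bin/gwinitd`, which BuildKit (already required by install.sh) supports.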
When the container is restarted, the ownership and mode of the mounted directories might have changed. Ensure we correct them properly at initialization. While in there, also replace "service rsyslog start" with a direct invocation of "/usr/sbin/rsyslogd". On Ubuntu 22.04, it can't be started using service:

# service rsyslog start
rsyslog: unrecognized service

Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org> --- docker-entrypoint.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index d741061731ecc64f..963e249bc601102b 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -2,11 +2,20 @@ chown -v root:root /var/keys -service rsyslog start +chown -R opendkim:opendkim /var/keys/dkim +chmod -R 700 /var/keys/dkim + +chown -R vmail:vmail /var/vmail +chmod -R u+rw,g+rw,o= /var/vmail + +chown -R mysql:mysql /var/lib/mysql +chmod -R u+rw,g+rw,o= /var/lib/mysql + +/usr/sbin/rsyslogd + service ssh start -service nginx start service mysql start - +service nginx start service postfix start service dovecot start service opendkim start -- Ammar Faizi
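Review bot: the entrypoint hunk runs `chown -R` and `chmod -R` over /var/vmail and /var/lib/mysql on every container start; on a populated mail store or database directory that is a full tree walk before any service comes up, and `chmod -R u+rw,g+rw,o= /var/lib/mysql` also grants group write on every data file, which the stated goal (correcting ownership after a restart) does not need. Suggest fixing only the top-level directories, or guarding the recursive pass with an ownership check such as `[ "$(stat -c %U /var/vmail)" = vmail ] ||` so it runs only when something actually drifted. Two smaller points: `/usr/sbin/rsyslogd` is invoked without `-n`, so it forks into the background, which works under the new reaping init but deserves a comment; and `service nginx start` is moved after `service mysql start` without the commit message saying why.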
On Wed, Mar 29, 2023 at 2:59 PM Ammar Faizi wrote:
> Ammar Faizi (7):
> Use nginx from Ubuntu for simplicity
> start.sh: Add vmail storage directory
> Dockerfile: Upgrade the Ubuntu version to 22.04 (jammy)
> Dockerfile: Set the default main user to "ubuntu"
> Add an installer script
> Create a simple init program
> docker-entrypoint: Properly set directory ownership and mode
Acked-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>