83825d26e9
The key that is automatically generated weaken the security strength. As noted in RFC7518 section 3.2 [0]: ``` A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm. (This requirement is based on Section 5.3.4 (Security Effect of the HMAC Key) of NIST SP 800-117 [NIST.800-107], which states that the effective security strength is the minimum of the security strength of the key and two times the size of the internal hash value.) ``` Some JWT libraries are rejecting by default keys that are too small in a attempt to prevent misusages so generating a key that does not respect the minimal length can be problematic for OO integrations. [0] https://www.rfc-editor.org/rfc/rfc7518.html#section-3.2
657 lines
21 KiB
Bash
Executable file
657 lines
21 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
umask 0022
|
|
|
|
function clean_exit {
|
|
/usr/bin/documentserver-prepare4shutdown.sh
|
|
}
|
|
|
|
trap clean_exit SIGTERM
|
|
|
|
# Define '**' behavior explicitly
|
|
shopt -s globstar
|
|
|
|
APP_DIR="/var/www/${COMPANY_NAME}/documentserver"
|
|
DATA_DIR="/var/www/${COMPANY_NAME}/Data"
|
|
PRIVATE_DATA_DIR="${DATA_DIR}/.private"
|
|
DS_RELEASE_DATE="${PRIVATE_DATA_DIR}/ds_release_date"
|
|
LOG_DIR="/var/log/${COMPANY_NAME}"
|
|
DS_LOG_DIR="${LOG_DIR}/documentserver"
|
|
LIB_DIR="/var/lib/${COMPANY_NAME}"
|
|
DS_LIB_DIR="${LIB_DIR}/documentserver"
|
|
CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
|
|
IS_UPGRADE="false"
|
|
|
|
ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
|
|
ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
|
|
ONLYOFFICE_DATA_CONTAINER_PORT=80
|
|
|
|
RELEASE_DATE="$(stat -c="%y" ${APP_DIR}/server/DocService/docservice | sed -r 's/=([0-9]+)-([0-9]+)-([0-9]+) ([0-9:.+ ]+)/\1-\2-\3/')";
|
|
if [ -f ${DS_RELEASE_DATE} ]; then
|
|
PREV_RELEASE_DATE=$(head -n 1 ${DS_RELEASE_DATE})
|
|
else
|
|
PREV_RELEASE_DATE="0"
|
|
fi
|
|
|
|
if [ "${RELEASE_DATE}" != "${PREV_RELEASE_DATE}" ]; then
|
|
if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
|
|
IS_UPGRADE="true";
|
|
fi
|
|
fi
|
|
|
|
SSL_CERTIFICATES_DIR="/usr/share/ca-certificates/ds"
|
|
mkdir -p ${SSL_CERTIFICATES_DIR}
|
|
if [[ -d ${DATA_DIR}/certs ]] && [ -e ${DATA_DIR}/certs/*.crt ]; then
|
|
cp -f ${DATA_DIR}/certs/* ${SSL_CERTIFICATES_DIR}
|
|
chmod 644 ${SSL_CERTIFICATES_DIR}/*.crt ${SSL_CERTIFICATES_DIR}/*.pem
|
|
chmod 400 ${SSL_CERTIFICATES_DIR}/*.key
|
|
fi
|
|
|
|
if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.crt ]]; then
|
|
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.crt
|
|
else
|
|
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
|
|
fi
|
|
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.key ]]; then
|
|
SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.key
|
|
else
|
|
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
|
|
fi
|
|
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
|
|
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
|
|
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
|
|
USE_UNAUTHORIZED_STORAGE=${USE_UNAUTHORIZED_STORAGE:-false}
|
|
ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true}
|
|
ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAGE:-31536000}
|
|
SYSCONF_TEMPLATES_DIR="/app/ds/setup/config"
|
|
|
|
NGINX_CONFD_PATH="/etc/nginx/conf.d";
|
|
NGINX_ONLYOFFICE_PATH="${CONF_DIR}/nginx"
|
|
NGINX_ONLYOFFICE_CONF="${NGINX_ONLYOFFICE_PATH}/ds.conf"
|
|
NGINX_ONLYOFFICE_EXAMPLE_PATH="${CONF_DIR}-example/nginx"
|
|
NGINX_ONLYOFFICE_EXAMPLE_CONF="${NGINX_ONLYOFFICE_EXAMPLE_PATH}/includes/ds-example.conf"
|
|
|
|
NGINX_CONFIG_PATH="/etc/nginx/nginx.conf"
|
|
NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
|
|
# Limiting the maximum number of simultaneous connections due to possible memory shortage
|
|
[ $(ulimit -n) -gt 1048576 ] && NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-1048576} || NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-$(ulimit -n)}
|
|
|
|
JWT_ENABLED=${JWT_ENABLED:-true}
|
|
|
|
# validate user's vars before usinig in json
|
|
if [ "${JWT_ENABLED}" == "true" ]; then
|
|
JWT_ENABLED="true"
|
|
else
|
|
JWT_ENABLED="false"
|
|
fi
|
|
|
|
[ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
|
|
|
|
JWT_SECRET=${JWT_SECRET:-$(pwgen -s 32)}
|
|
JWT_HEADER=${JWT_HEADER:-Authorization}
|
|
JWT_IN_BODY=${JWT_IN_BODY:-false}
|
|
|
|
WOPI_ENABLED=${WOPI_ENABLED:-false}
|
|
|
|
GENERATE_FONTS=${GENERATE_FONTS:-true}
|
|
|
|
if [[ ${PRODUCT_NAME}${PRODUCT_EDITION} == "documentserver" ]]; then
|
|
REDIS_ENABLED=false
|
|
else
|
|
REDIS_ENABLED=true
|
|
fi
|
|
|
|
ONLYOFFICE_DEFAULT_CONFIG=${CONF_DIR}/local.json
|
|
ONLYOFFICE_LOG4JS_CONFIG=${CONF_DIR}/log4js/production.json
|
|
ONLYOFFICE_EXAMPLE_CONFIG=${CONF_DIR}-example/local.json
|
|
|
|
JSON_BIN=${APP_DIR}/npm/json
|
|
JSON="${JSON_BIN} -q -f ${ONLYOFFICE_DEFAULT_CONFIG}"
|
|
JSON_LOG="${JSON_BIN} -q -f ${ONLYOFFICE_LOG4JS_CONFIG}"
|
|
JSON_EXAMPLE="${JSON_BIN} -q -f ${ONLYOFFICE_EXAMPLE_CONFIG}"
|
|
|
|
LOCAL_SERVICES=()
|
|
|
|
PG_ROOT=/var/lib/postgresql
|
|
PG_NAME=main
|
|
PGDATA=${PG_ROOT}/${PG_VERSION}/${PG_NAME}
|
|
PG_NEW_CLUSTER=false
|
|
RABBITMQ_DATA=/var/lib/rabbitmq
|
|
REDIS_DATA=/var/lib/redis
|
|
|
|
if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
|
|
LETSENCRYPT_ROOT_DIR="/etc/letsencrypt/live"
|
|
SSL_CERTIFICATE_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/fullchain.pem
|
|
SSL_KEY_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/privkey.pem
|
|
fi
|
|
|
|
read_setting(){
|
|
deprecated_var POSTGRESQL_SERVER_HOST DB_HOST
|
|
deprecated_var POSTGRESQL_SERVER_PORT DB_PORT
|
|
deprecated_var POSTGRESQL_SERVER_DB_NAME DB_NAME
|
|
deprecated_var POSTGRESQL_SERVER_USER DB_USER
|
|
deprecated_var POSTGRESQL_SERVER_PASS DB_PWD
|
|
deprecated_var RABBITMQ_SERVER_URL AMQP_URI
|
|
deprecated_var AMQP_SERVER_URL AMQP_URI
|
|
deprecated_var AMQP_SERVER_TYPE AMQP_TYPE
|
|
|
|
METRICS_ENABLED="${METRICS_ENABLED:-false}"
|
|
METRICS_HOST="${METRICS_HOST:-localhost}"
|
|
METRICS_PORT="${METRICS_PORT:-8125}"
|
|
METRICS_PREFIX="${METRICS_PREFIX:-.ds}"
|
|
|
|
DB_HOST=${DB_HOST:-${POSTGRESQL_SERVER_HOST:-$(${JSON} services.CoAuthoring.sql.dbHost)}}
|
|
DB_TYPE=${DB_TYPE:-$(${JSON} services.CoAuthoring.sql.type)}
|
|
case $DB_TYPE in
|
|
"postgres")
|
|
DB_PORT=${DB_PORT:-"5432"}
|
|
;;
|
|
"mariadb"|"mysql")
|
|
DB_PORT=${DB_PORT:-"3306"}
|
|
;;
|
|
"")
|
|
DB_PORT=${DB_PORT:-${POSTGRESQL_SERVER_PORT:-$(${JSON} services.CoAuthoring.sql.dbPort)}}
|
|
;;
|
|
*)
|
|
echo "ERROR: unknown database type"
|
|
exit 1
|
|
;;
|
|
esac
|
|
DB_NAME=${DB_NAME:-${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}}
|
|
DB_USER=${DB_USER:-${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}}
|
|
DB_PWD=${DB_PWD:-${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}}
|
|
|
|
RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
|
|
AMQP_URI=${AMQP_URI:-${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}}
|
|
AMQP_TYPE=${AMQP_TYPE:-${AMQP_SERVER_TYPE:-rabbitmq}}
|
|
parse_rabbitmq_url ${AMQP_URI}
|
|
|
|
REDIS_SERVER_HOST=${REDIS_SERVER_HOST:-$(${JSON} services.CoAuthoring.redis.host)}
|
|
REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-6379}
|
|
|
|
DS_LOG_LEVEL=${DS_LOG_LEVEL:-$(${JSON_LOG} categories.default.level)}
|
|
}
|
|
|
|
deprecated_var() {
|
|
if [[ -n ${!1} ]]; then
|
|
echo "Variable $1 is deprecated. Use $2 instead."
|
|
fi
|
|
}
|
|
|
|
parse_rabbitmq_url(){
|
|
local amqp=$1
|
|
|
|
# extract the protocol
|
|
local proto="$(echo $amqp | grep :// | sed -e's,^\(.*://\).*,\1,g')"
|
|
# remove the protocol
|
|
local url="$(echo ${amqp/$proto/})"
|
|
|
|
# extract the user and password (if any)
|
|
local userpass="`echo $url | grep @ | cut -d@ -f1`"
|
|
local pass=`echo $userpass | grep : | cut -d: -f2`
|
|
|
|
local user
|
|
if [ -n "$pass" ]; then
|
|
user=`echo $userpass | grep : | cut -d: -f1`
|
|
else
|
|
user=$userpass
|
|
fi
|
|
|
|
# extract the host
|
|
local hostport="$(echo ${url/$userpass@/} | cut -d/ -f1)"
|
|
# by request - try to extract the port
|
|
local port="$(echo $hostport | grep : | sed -r 's_^.*:+|/.*$__g')"
|
|
|
|
local host
|
|
if [ -n "$port" ]; then
|
|
host=`echo $hostport | grep : | cut -d: -f1`
|
|
else
|
|
host=$hostport
|
|
port="5672"
|
|
fi
|
|
|
|
# extract the path (if any)
|
|
local path="$(echo $url | grep / | cut -d/ -f2-)"
|
|
|
|
AMQP_SERVER_PROTO=${proto:0:-3}
|
|
AMQP_SERVER_HOST=$host
|
|
AMQP_SERVER_USER=$user
|
|
AMQP_SERVER_PASS=$pass
|
|
AMQP_SERVER_PORT=$port
|
|
}
|
|
|
|
waiting_for_connection(){
|
|
until nc -z -w 3 "$1" "$2"; do
|
|
>&2 echo "Waiting for connection to the $1 host on port $2"
|
|
sleep 1
|
|
done
|
|
}
|
|
|
|
waiting_for_db(){
|
|
waiting_for_connection $DB_HOST $DB_PORT
|
|
}
|
|
|
|
waiting_for_amqp(){
|
|
waiting_for_connection ${AMQP_SERVER_HOST} ${AMQP_SERVER_PORT}
|
|
}
|
|
|
|
waiting_for_redis(){
|
|
waiting_for_connection ${REDIS_SERVER_HOST} ${REDIS_SERVER_PORT}
|
|
}
|
|
waiting_for_datacontainer(){
|
|
waiting_for_connection ${ONLYOFFICE_DATA_CONTAINER_HOST} ${ONLYOFFICE_DATA_CONTAINER_PORT}
|
|
}
|
|
|
|
update_statsd_settings(){
|
|
${JSON} -I -e "if(this.statsd===undefined)this.statsd={};"
|
|
${JSON} -I -e "this.statsd.useMetrics = '${METRICS_ENABLED}'"
|
|
${JSON} -I -e "this.statsd.host = '${METRICS_HOST}'"
|
|
${JSON} -I -e "this.statsd.port = '${METRICS_PORT}'"
|
|
${JSON} -I -e "this.statsd.prefix = '${METRICS_PREFIX}'"
|
|
}
|
|
|
|
update_db_settings(){
|
|
${JSON} -I -e "this.services.CoAuthoring.sql.type = '${DB_TYPE}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.sql.dbHost = '${DB_HOST}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.sql.dbPort = '${DB_PORT}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.sql.dbName = '${DB_NAME}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.sql.dbUser = '${DB_USER}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.sql.dbPass = '${DB_PWD}'"
|
|
}
|
|
|
|
update_rabbitmq_setting(){
|
|
if [ "${AMQP_TYPE}" == "rabbitmq" ]; then
|
|
${JSON} -I -e "if(this.queue===undefined)this.queue={};"
|
|
${JSON} -I -e "this.queue.type = 'rabbitmq'"
|
|
${JSON} -I -e "this.rabbitmq.url = '${AMQP_URI}'"
|
|
fi
|
|
|
|
if [ "${AMQP_TYPE}" == "activemq" ]; then
|
|
${JSON} -I -e "if(this.queue===undefined)this.queue={};"
|
|
${JSON} -I -e "this.queue.type = 'activemq'"
|
|
${JSON} -I -e "if(this.activemq===undefined)this.activemq={};"
|
|
${JSON} -I -e "if(this.activemq.connectOptions===undefined)this.activemq.connectOptions={};"
|
|
|
|
${JSON} -I -e "this.activemq.connectOptions.host = '${AMQP_SERVER_HOST}'"
|
|
|
|
if [ ! "${AMQP_SERVER_PORT}" == "" ]; then
|
|
${JSON} -I -e "this.activemq.connectOptions.port = '${AMQP_SERVER_PORT}'"
|
|
else
|
|
${JSON} -I -e "delete this.activemq.connectOptions.port"
|
|
fi
|
|
|
|
if [ ! "${AMQP_SERVER_USER}" == "" ]; then
|
|
${JSON} -I -e "this.activemq.connectOptions.username = '${AMQP_SERVER_USER}'"
|
|
else
|
|
${JSON} -I -e "delete this.activemq.connectOptions.username"
|
|
fi
|
|
|
|
if [ ! "${AMQP_SERVER_PASS}" == "" ]; then
|
|
${JSON} -I -e "this.activemq.connectOptions.password = '${AMQP_SERVER_PASS}'"
|
|
else
|
|
${JSON} -I -e "delete this.activemq.connectOptions.password"
|
|
fi
|
|
|
|
case "${AMQP_SERVER_PROTO}" in
|
|
amqp+ssl|amqps)
|
|
${JSON} -I -e "this.activemq.connectOptions.transport = 'tls'"
|
|
;;
|
|
*)
|
|
${JSON} -I -e "delete this.activemq.connectOptions.transport"
|
|
;;
|
|
esac
|
|
fi
|
|
}
|
|
|
|
update_redis_settings(){
|
|
${JSON} -I -e "if(this.services.CoAuthoring.redis===undefined)this.services.CoAuthoring.redis={};"
|
|
${JSON} -I -e "this.services.CoAuthoring.redis.host = '${REDIS_SERVER_HOST}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.redis.port = '${REDIS_SERVER_PORT}'"
|
|
|
|
if [ -n "${REDIS_SERVER_PASS}" ]; then
|
|
${JSON} -I -e "this.services.CoAuthoring.redis.options = {'password':'${REDIS_SERVER_PASS}'}"
|
|
fi
|
|
|
|
}
|
|
|
|
update_ds_settings(){
|
|
${JSON} -I -e "this.services.CoAuthoring.token.enable.browser = ${JWT_ENABLED}"
|
|
${JSON} -I -e "this.services.CoAuthoring.token.enable.request.inbox = ${JWT_ENABLED}"
|
|
${JSON} -I -e "this.services.CoAuthoring.token.enable.request.outbox = ${JWT_ENABLED}"
|
|
|
|
${JSON} -I -e "this.services.CoAuthoring.secret.inbox.string = '${JWT_SECRET}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.secret.outbox.string = '${JWT_SECRET}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.secret.session.string = '${JWT_SECRET}'"
|
|
|
|
${JSON} -I -e "this.services.CoAuthoring.token.inbox.header = '${JWT_HEADER}'"
|
|
${JSON} -I -e "this.services.CoAuthoring.token.outbox.header = '${JWT_HEADER}'"
|
|
|
|
${JSON} -I -e "this.services.CoAuthoring.token.inbox.inBody = ${JWT_IN_BODY}"
|
|
${JSON} -I -e "this.services.CoAuthoring.token.outbox.inBody = ${JWT_IN_BODY}"
|
|
|
|
if [ -f "${ONLYOFFICE_EXAMPLE_CONFIG}" ]; then
|
|
${JSON_EXAMPLE} -I -e "this.server.token.enable = ${JWT_ENABLED}"
|
|
${JSON_EXAMPLE} -I -e "this.server.token.secret = '${JWT_SECRET}'"
|
|
${JSON_EXAMPLE} -I -e "this.server.token.authorizationHeader = '${JWT_HEADER}'"
|
|
fi
|
|
|
|
if [ "${USE_UNAUTHORIZED_STORAGE}" == "true" ]; then
|
|
${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults===undefined)this.services.CoAuthoring.requestDefaults={}"
|
|
${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults.rejectUnauthorized===undefined)this.services.CoAuthoring.requestDefaults.rejectUnauthorized=false"
|
|
fi
|
|
|
|
if [ "${WOPI_ENABLED}" == "true" ]; then
|
|
${JSON} -I -e "if(this.wopi===undefined)this.wopi={}"
|
|
${JSON} -I -e "this.wopi.enable = true"
|
|
fi
|
|
}
|
|
|
|
create_postgresql_cluster(){
|
|
local pg_conf_dir=/etc/postgresql/${PG_VERSION}/${PG_NAME}
|
|
local postgresql_conf=$pg_conf_dir/postgresql.conf
|
|
local hba_conf=$pg_conf_dir/pg_hba.conf
|
|
|
|
mv $postgresql_conf $postgresql_conf.backup
|
|
mv $hba_conf $hba_conf.backup
|
|
|
|
pg_createcluster ${PG_VERSION} ${PG_NAME}
|
|
}
|
|
|
|
create_postgresql_db(){
|
|
sudo -u postgres psql -c "CREATE DATABASE $DB_NAME;"
|
|
sudo -u postgres psql -c "CREATE USER $DB_USER WITH password '"$DB_PWD"';"
|
|
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE $DB_NAME TO $DB_USER;"
|
|
}
|
|
|
|
create_db_tbl() {
|
|
case $DB_TYPE in
|
|
"postgres")
|
|
create_postgresql_tbl
|
|
;;
|
|
"mariadb"|"mysql")
|
|
create_mysql_tbl
|
|
;;
|
|
esac
|
|
}
|
|
|
|
upgrade_db_tbl() {
|
|
case $DB_TYPE in
|
|
"postgres")
|
|
upgrade_postgresql_tbl
|
|
;;
|
|
"mariadb"|"mysql")
|
|
upgrade_mysql_tbl
|
|
;;
|
|
esac
|
|
}
|
|
|
|
upgrade_postgresql_tbl() {
|
|
if [ -n "$DB_PWD" ]; then
|
|
export PGPASSWORD=$DB_PWD
|
|
fi
|
|
|
|
PSQL="psql -q -h$DB_HOST -p$DB_PORT -d$DB_NAME -U$DB_USER -w"
|
|
|
|
$PSQL -f "$APP_DIR/server/schema/postgresql/removetbl.sql"
|
|
$PSQL -f "$APP_DIR/server/schema/postgresql/createdb.sql"
|
|
}
|
|
|
|
upgrade_mysql_tbl() {
|
|
CONNECTION_PARAMS="-h$DB_HOST -P$DB_PORT -u$DB_USER -p$DB_PWD -w"
|
|
MYSQL="mysql -q $CONNECTION_PARAMS"
|
|
|
|
$MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/removetbl.sql" >/dev/null 2>&1
|
|
$MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/createdb.sql" >/dev/null 2>&1
|
|
}
|
|
|
|
create_postgresql_tbl() {
|
|
if [ -n "$DB_PWD" ]; then
|
|
export PGPASSWORD=$DB_PWD
|
|
fi
|
|
|
|
PSQL="psql -q -h$DB_HOST -p$DB_PORT -d$DB_NAME -U$DB_USER -w"
|
|
$PSQL -f "$APP_DIR/server/schema/postgresql/createdb.sql"
|
|
}
|
|
|
|
create_mysql_tbl() {
|
|
CONNECTION_PARAMS="-h$DB_HOST -P$DB_PORT -u$DB_USER -p$DB_PWD -w"
|
|
MYSQL="mysql -q $CONNECTION_PARAMS"
|
|
|
|
# Create db on remote server
|
|
$MYSQL -e "CREATE DATABASE IF NOT EXISTS $DB_NAME DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;" >/dev/null 2>&1
|
|
|
|
$MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/createdb.sql" >/dev/null 2>&1
|
|
}
|
|
|
|
update_welcome_page() {
|
|
WELCOME_PAGE="${APP_DIR}-example/welcome/docker.html"
|
|
if [[ -e $WELCOME_PAGE ]]; then
|
|
DOCKER_CONTAINER_ID=$(basename $(cat /proc/1/cpuset))
|
|
(( ${#DOCKER_CONTAINER_ID} < 12 )) && DOCKER_CONTAINER_ID=$(hostname)
|
|
if (( ${#DOCKER_CONTAINER_ID} >= 12 )); then
|
|
if [[ -x $(command -v docker) ]]; then
|
|
DOCKER_CONTAINER_NAME=$(docker inspect --format="{{.Name}}" $DOCKER_CONTAINER_ID)
|
|
sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/' -i $WELCOME_PAGE
|
|
JWT_MESSAGE=$(echo $JWT_MESSAGE | sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/')
|
|
else
|
|
sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/' -i $WELCOME_PAGE
|
|
JWT_MESSAGE=$(echo $JWT_MESSAGE | sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/')
|
|
fi
|
|
fi
|
|
fi
|
|
}
|
|
|
|
update_nginx_settings(){
|
|
# Set up nginx
|
|
sed 's/^worker_processes.*/'"worker_processes ${NGINX_WORKER_PROCESSES};"'/' -i ${NGINX_CONFIG_PATH}
|
|
sed 's/worker_connections.*/'"worker_connections ${NGINX_WORKER_CONNECTIONS};"'/' -i ${NGINX_CONFIG_PATH}
|
|
sed 's/access_log.*/'"access_log off;"'/' -i ${NGINX_CONFIG_PATH}
|
|
|
|
# setup HTTPS
|
|
if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then
|
|
cp -f ${NGINX_ONLYOFFICE_PATH}/ds-ssl.conf.tmpl ${NGINX_ONLYOFFICE_CONF}
|
|
|
|
# configure nginx
|
|
sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i ${NGINX_ONLYOFFICE_CONF}
|
|
sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i ${NGINX_ONLYOFFICE_CONF}
|
|
|
|
# turn on http2
|
|
sed 's,\(443 ssl\),\1 http2,' -i ${NGINX_ONLYOFFICE_CONF}
|
|
|
|
# if dhparam path is valid, add to the config, otherwise remove the option
|
|
if [ -r "${SSL_DHPARAM_PATH}" ]; then
|
|
sed 's,\(\#* *\)\?\(ssl_dhparam \).*\(;\)$,'"\2${SSL_DHPARAM_PATH}\3"',' -i ${NGINX_ONLYOFFICE_CONF}
|
|
else
|
|
sed '/ssl_dhparam/d' -i ${NGINX_ONLYOFFICE_CONF}
|
|
fi
|
|
|
|
sed 's,\(ssl_verify_client \).*\(;\)$,'"\1${SSL_VERIFY_CLIENT}\2"',' -i ${NGINX_ONLYOFFICE_CONF}
|
|
|
|
if [ -f "${CA_CERTIFICATES_PATH}" ]; then
|
|
sed '/ssl_verify_client/a '"ssl_client_certificate ${CA_CERTIFICATES_PATH}"';' -i ${NGINX_ONLYOFFICE_CONF}
|
|
fi
|
|
|
|
if [ "${ONLYOFFICE_HTTPS_HSTS_ENABLED}" == "true" ]; then
|
|
sed 's,\(max-age=\).*\(;\)$,'"\1${ONLYOFFICE_HTTPS_HSTS_MAXAGE}\2"',' -i ${NGINX_ONLYOFFICE_CONF}
|
|
else
|
|
sed '/max-age=/d' -i ${NGINX_ONLYOFFICE_CONF}
|
|
fi
|
|
else
|
|
ln -sf ${NGINX_ONLYOFFICE_PATH}/ds.conf.tmpl ${NGINX_ONLYOFFICE_CONF}
|
|
fi
|
|
|
|
# check if ipv6 supported otherwise remove it from nginx config
|
|
if [ ! -f /proc/net/if_inet6 ]; then
|
|
sed '/listen\s\+\[::[0-9]*\].\+/d' -i $NGINX_ONLYOFFICE_CONF
|
|
fi
|
|
|
|
if [ -f "${NGINX_ONLYOFFICE_EXAMPLE_CONF}" ]; then
|
|
sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
|
|
fi
|
|
|
|
documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false
|
|
}
|
|
|
|
update_supervisor_settings(){
|
|
# Copy modified supervisor start script
|
|
cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisor /etc/init.d/
|
|
# Copy modified supervisor config
|
|
cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
|
|
sed "s/COMPANY_NAME/${COMPANY_NAME}/g" -i ${SYSCONF_TEMPLATES_DIR}/supervisor/ds/*.conf
|
|
cp ${SYSCONF_TEMPLATES_DIR}/supervisor/ds/*.conf etc/supervisor/conf.d/
|
|
}
|
|
|
|
update_log_settings(){
|
|
${JSON_LOG} -I -e "this.categories.default.level = '${DS_LOG_LEVEL}'"
|
|
}
|
|
|
|
update_logrotate_settings(){
|
|
sed 's|\(^su\b\).*|\1 root root|' -i /etc/logrotate.conf
|
|
}
|
|
|
|
update_release_date(){
|
|
mkdir -p ${PRIVATE_DATA_DIR}
|
|
echo ${RELEASE_DATE} > ${DS_RELEASE_DATE}
|
|
}
|
|
|
|
# create base folders
|
|
for i in converter docservice metrics; do
|
|
mkdir -p "${DS_LOG_DIR}/$i"
|
|
done
|
|
|
|
mkdir -p ${DS_LOG_DIR}-example
|
|
|
|
# create app folders
|
|
for i in ${DS_LIB_DIR}/App_Data/cache/files ${DS_LIB_DIR}/App_Data/docbuilder ${DS_LIB_DIR}-example/files; do
|
|
mkdir -p "$i"
|
|
done
|
|
|
|
# change folder rights
|
|
for i in ${LOG_DIR} ${LIB_DIR}; do
|
|
chown -R ds:ds "$i"
|
|
chmod -R 755 "$i"
|
|
done
|
|
|
|
if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
|
|
|
|
read_setting
|
|
|
|
if [ $METRICS_ENABLED = "true" ]; then
|
|
update_statsd_settings
|
|
fi
|
|
|
|
update_welcome_page
|
|
|
|
update_log_settings
|
|
|
|
update_ds_settings
|
|
|
|
# update settings by env variables
|
|
if [ $DB_HOST != "localhost" ]; then
|
|
update_db_settings
|
|
waiting_for_db
|
|
create_db_tbl
|
|
else
|
|
# change rights for postgres directory
|
|
chown -R postgres:postgres ${PG_ROOT}
|
|
chmod -R 700 ${PG_ROOT}
|
|
|
|
# create new db if it isn't exist
|
|
if [ ! -d ${PGDATA} ]; then
|
|
create_postgresql_cluster
|
|
PG_NEW_CLUSTER=true
|
|
fi
|
|
LOCAL_SERVICES+=("postgresql")
|
|
fi
|
|
|
|
if [ ${AMQP_SERVER_HOST} != "localhost" ]; then
|
|
update_rabbitmq_setting
|
|
else
|
|
# change rights for rabbitmq directory
|
|
chown -R rabbitmq:rabbitmq ${RABBITMQ_DATA}
|
|
chmod -R go=rX,u=rwX ${RABBITMQ_DATA}
|
|
if [ -f ${RABBITMQ_DATA}/.erlang.cookie ]; then
|
|
chmod 400 ${RABBITMQ_DATA}/.erlang.cookie
|
|
fi
|
|
|
|
LOCAL_SERVICES+=("rabbitmq-server")
|
|
# allow Rabbitmq startup after container kill
|
|
rm -rf /var/run/rabbitmq
|
|
fi
|
|
|
|
if [ ${REDIS_ENABLED} = "true" ]; then
|
|
if [ ${REDIS_SERVER_HOST} != "localhost" ]; then
|
|
update_redis_settings
|
|
else
|
|
# change rights for redis directory
|
|
chown -R redis:redis ${REDIS_DATA}
|
|
chmod -R 750 ${REDIS_DATA}
|
|
|
|
LOCAL_SERVICES+=("redis-server")
|
|
fi
|
|
fi
|
|
else
|
|
# no need to update settings just wait for remote data
|
|
waiting_for_datacontainer
|
|
|
|
# read settings after the data container in ready state
|
|
# to prevent get unconfigureted data
|
|
read_setting
|
|
|
|
update_welcome_page
|
|
fi
|
|
|
|
find /etc/${COMPANY_NAME} -exec chown ds:ds {} \;
|
|
|
|
#start needed local services
|
|
for i in ${LOCAL_SERVICES[@]}; do
|
|
service $i start
|
|
done
|
|
|
|
if [ ${PG_NEW_CLUSTER} = "true" ]; then
|
|
create_postgresql_db
|
|
create_postgresql_tbl
|
|
fi
|
|
|
|
if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
|
|
waiting_for_db
|
|
waiting_for_amqp
|
|
if [ ${REDIS_ENABLED} = "true" ]; then
|
|
waiting_for_redis
|
|
fi
|
|
|
|
if [ "${IS_UPGRADE}" = "true" ]; then
|
|
upgrade_db_tbl
|
|
update_release_date
|
|
fi
|
|
|
|
update_nginx_settings
|
|
|
|
update_supervisor_settings
|
|
service supervisor start
|
|
|
|
# start cron to enable log rotating
|
|
update_logrotate_settings
|
|
service cron start
|
|
fi
|
|
|
|
# nginx used as a proxy, and as data container status service.
|
|
# it run in all cases.
|
|
service nginx start
|
|
|
|
if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
|
|
if [ ! -f "${SSL_CERTIFICATE_PATH}" -a ! -f "${SSL_KEY_PATH}" ]; then
|
|
documentserver-letsencrypt.sh ${LETS_ENCRYPT_MAIL} ${LETS_ENCRYPT_DOMAIN}
|
|
fi
|
|
fi
|
|
|
|
# Regenerate the fonts list and the fonts thumbnails
|
|
if [ "${GENERATE_FONTS}" == "true" ]; then
|
|
documentserver-generate-allfonts.sh ${ONLYOFFICE_DATA_CONTAINER}
|
|
fi
|
|
documentserver-static-gzip.sh ${ONLYOFFICE_DATA_CONTAINER}
|
|
|
|
echo "${JWT_MESSAGE}"
|
|
|
|
tail -f /var/log/${COMPANY_NAME}/**/*.log &
|
|
wait $!
|