Merge pull request #643 from turbo124/debian

Updates for permission handling in the container

.github/workflows/publish-image.yaml

@@ -1,4 +1,4 @@
-name: Publish Debian and Alpine Container Images
+name: Publish Debian Container Images
 
 on:
   push:
@@ -16,7 +16,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4  # Updated from v2
+        with:
+          fetch-depth: 0
 
       - name: Prepare
         id: prep
@@ -30,54 +32,44 @@ jobs:
           MAJOR="$(echo "${VERSION}" | cut -d. -f1)"
           MINOR="$(echo "${VERSION}" | cut -d. -f2)"
           TAGS="$TAGS,${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:${MAJOR}.${MINOR}"
-          if [[ $VERSION =~ ^5\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-            TAGS="$TAGS,${DOCKER_IMAGE}:latest"
-          fi
-          echo ::set-output name=tags::${TAGS}
-          echo ::set-output name=version::${VERSION}
-          echo ::set-output name=major::${MAJOR}
+          
+          # Debug output
+          echo "Current version: ${VERSION}"
+          echo "Version pattern check: $([[ $VERSION =~ ^5\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && echo "matches" || echo "doesn't match")"
+          
+          TAGS="$TAGS,${DOCKER_IMAGE}:latest"
+
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT  # Updated output syntax
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "major=${MAJOR}" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3  # Updated from v1
         with:
           platforms: all
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-${{ matrix.image }}-buildx-${{ steps.prep.outputs.major }}-${{ hashFiles('**/cache_buster') }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.image }}-buildx-${{ steps.prep.outputs.major }}-${{ hashFiles('**/cache_buster') }}-
+        uses: docker/setup-buildx-action@v3  # Updated from v1
 
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3  # Updated from v1
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5  # Updated from v2
         with:
-          builder: ${{ steps.buildx.outputs.name }}
           context: ${{ matrix.context }}
           build-args: INVOICENINJA_VERSION=${{ steps.prep.outputs.version }}
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.prep.outputs.tags }}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-
-      - name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          cache-from: type=gha  # Updated cache type
+          cache-to: type=gha,mode=max
 
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}

README.md

@@ -1,15 +1,17 @@
-[![Docker image, latest](https://img.shields.io/docker/image-size/invoiceninja/invoiceninja-debian/latest?label=latest)](https://hub.docker.com/r/invoiceninja/invoiceninja-debian)
-[![Docker image, debian](https://img.shields.io/docker/image-size/invoiceninja/invoiceninja-debian/debian?label=debian)](https://hub.docker.com/r/invoiceninja/invoiceninja-debian)
-[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/invoiceninja)](https://artifacthub.io/packages/search?repo=invoiceninja)
-[![Publish Image](https://github.com/invoiceninja/dockerfiles/actions/workflows/publish-image.yaml/badge.svg)](https://github.com/invoiceninja/dockerfiles/actions/workflows/publish-image.yaml)
-[![Build Debian Image](https://github.com/invoiceninja/dockerfiles/actions/workflows/build-image-debian.yaml/badge.svg)](https://github.com/invoiceninja/dockerfiles/actions/workflows/build-image-debian.yaml)
+[![Docker Image Size](https://img.shields.io/docker/image-size/invoiceninja/invoiceninja-debian?label=debian)](https://hub.docker.com/r/invoiceninja/invoiceninja-debian)
+[![Docker Pulls](https://img.shields.io/docker/pulls/invoiceninja/invoiceninja-debian)](https://hub.docker.com/r/invoiceninja/invoiceninja-debian)
+[![Publish Status](https://github.com/invoiceninja/dockerfiles/actions/workflows/publish-image.yaml/badge.svg)](https://github.com/invoiceninja/dockerfiles/actions/workflows/publish-image.yaml)
+[![Build Status](https://github.com/invoiceninja/dockerfiles/actions/workflows/build-image-v5.yaml/badge.svg)](https://github.com/invoiceninja/dockerfiles/actions/workflows/build-image-v5.yaml)
 
 # Debian Docker for [Invoice Ninja](https://www.invoiceninja.com/)
 
 :crown: **Features**
 
-:fire: NGINX webserver support [NGINX](https://nginx.org/)  
-:chrome: Built-in Chrome for PDF generation and other features
+NGINX webserver support [NGINX](https://nginx.org/)  
+Built-in Chrome for PDF generation and other features  
+Saxon XLST 2 engine  
+OPcache  
+Multi language support  
 
 ## Get started with Docker Compose
 
@@ -17,7 +19,7 @@ This Debian-based image includes Chrome for enhanced PDF generation and other fe
 
 ```bash
 git clone https://github.com/invoiceninja/dockerfiles.git -b debian
-cd dockerfiles
+cd dockerfiles/debian
 ```
 
 Instead of defining our environment variables inside our docker-compose.yml file we now define this in the `.env` file, open this file up and insert your `APP_URL`, `APP_KEY` and update the rest of the variables as required.
@@ -31,9 +33,21 @@ IN_USER_EMAIL=
 IN_PASSWORD=
 ```
 
-If `IN_USER_EMAIL` and `IN_PASSWORD` is not set the default user email and password is "admin@example.com" and "changeme!" respectively. You will use this for the initial login, thereafter, you can delete these two environment variables.
+## Initial account setup
 
-The `APP_KEY` can be generated by running
+### Primary account setup
+Prior to starting the container for the first time, open the .env file and update the IN_USER_EMAIL and IN_PASSWORD variables with your primary account. 
+
+This will take care of the initial account setup. You can later remove these .env variables.
+
+> ⚠️ **Warning**  
+> If `IN_USER_EMAIL` and `IN_PASSWORD` are not set the default user email and password is "admin@example.com" and "changeme!" respectively. 
+
+After the container has completed the first startup you can delete these two environment variables.
+
+### Generate a APP_KEY
+
+The `APP_KEY` can be generated by running:
 
 ```bash
 # If you haven't started the containers yet:
@@ -43,7 +57,7 @@ docker run --rm -it invoiceninja/invoiceninja-debian php artisan key:generate --
 docker-compose exec app php artisan key:generate --show
 ```
 
-Copy the entire string and insert in the env file at `APP_KEY=base64....`
+Copy the entire string and insert in the .env file at `APP_KEY=base64....`
 
 **Note: For PDF generation using localhost, your domain name MUST end in .test for PDFs to generate correctly due to Chrome's DNS resolver.
 
@@ -69,4 +83,13 @@ It is recommended to perform a backup before updating.
 
 ### Support
 
-If you discover a bug, please create an issue. For general queries, visit our [Forum](https://forum.invoiceninja.com/)
+If you discover a bug, please create an issue. For general queries, visit our [Forum](https://forum.invoiceninja.com/)
+
+
+### Todo
+
+This is a new image which should provide much better support for all users, however there are some items left to complete
+
+- [ ] Backup script  
+- [ ] Integrate soketi server  
+- [ ] Add elastic search for site wide search  

debian/Dockerfile

@@ -95,17 +95,17 @@ COPY php/php-fpm.conf /usr/local/etc/php-fpm.d/www.conf
 # Configure Saxon
 WORKDIR /opt
 
-## fetch
-RUN curl https://downloads.saxonica.com/SaxonC/HE/12/libsaxon-HEC-linux-x86_64-v${saxon}.zip --output saxon.zip
-RUN unzip saxon.zip -d saxon
-RUN cp saxon/libsaxon-HEC-linux-amd64-v${saxon}/libs/nix/libsaxon-hec-${saxon}.so /usr/lib/
-WORKDIR /opt/saxon/libsaxon-HEC-linux-amd64-v${saxon}/Saxon.C.API
-RUN phpize
-RUN ./configure --enable-saxon
-RUN make
-RUN ls -al
-RUN make install
-RUN echo 'extension=saxon.so' > "/usr/local/etc/php/conf.d/app.ini"
+RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
+        curl https://downloads.saxonica.com/SaxonC/HE/12/libsaxon-HEC-linux-x86_64-v${saxon}.zip --output saxon.zip \
+        && unzip saxon.zip -d saxon \
+        && cp saxon/libsaxon-HEC-linux-amd64-v${saxon}/libs/nix/libsaxon-hec-${saxon}.so /usr/lib/ \
+        && cd /opt/saxon/libsaxon-HEC-linux-amd64-v${saxon}/Saxon.C.API \
+        && phpize \
+        && ./configure --enable-saxon \
+        && make \
+        && make install \
+        && echo 'extension=saxon.so' > "/usr/local/etc/php/conf.d/app.ini"; \
+    fi
 
 # Copy scripts
 COPY rootfs /
@@ -117,10 +117,19 @@ WORKDIR /var/www/html
 RUN set -eux; \ 
     DOWNLOAD_URL=$(curl -s "https://api.github.com/repos/invoiceninja/invoiceninja/releases/latest" | \
     grep -o '"browser_download_url": "[^"]*invoiceninja.tar"' | cut -d '"' -f 4) && \
-    curl -L "$DOWNLOAD_URL" | tar -xvz -C /var/www/html && \
-    rm -rf /var/www/html/ui && \
+    echo "Downloading from: $DOWNLOAD_URL" && \
+    # Download and save the tar
+    curl -L "$DOWNLOAD_URL" -o /tmp/ninja.tar && \
+    # Try extraction
+    cd /var/www/html && \
+    tar -xf /tmp/ninja.tar && \
+    # List what was extracted
+    rm -f /tmp/ninja.tar && \
     chown -R www-data:www-data /var/www/html
 
+# After setting permissions, switch to www-data for remaining operations
+USER www-data
+
 # Install dependencies
 RUN composer install --no-dev --no-scripts --no-autoloader
 
@@ -131,6 +140,8 @@ RUN composer dump-autoload --optimize \
     && php artisan config:cache \
     && php artisan route:cache
 
+USER root
+
 # Setup supervisor
 COPY supervisor/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
@@ -151,7 +162,7 @@ RUN mkdir -p \
     /var/www/html/storage/framework/sessions \
     /var/www/html/storage/framework/views \
     /var/www/html/storage/logs \
-    /var/www/html/public/uploads \
+    /var/www/html/public/storage \
     /var/run \
     /var/log/supervisor 
 
@@ -159,16 +170,19 @@ RUN mkdir -p \
 RUN chown -R www-data:www-data \
     /var/www/html/storage \
     /var/www/html/bootstrap/cache \
-    /var/www/html/public/uploads \
+    /var/www/html/public/storage \
     /var/run \
     /var/log/supervisor \
     && chmod -R 775 \
-        /var/www/html/public/uploads \
+        /var/www/html/public/storage \
         /var/www/html/storage \
         /var/www/html/bootstrap/cache \
         /var/run \
         /var/log/supervisor 
 
+# Switch to www-data for runtime
+USER www-data
+
 # Health check
 HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
     CMD php -v || exit 1

debian/docker-compose.yml

@@ -8,8 +8,7 @@ x-logging: &default-logging
 
 services:
   app:
-    # image: deb40d:latest
-    image: invoiceninja/invoiceninja-debian:latest 
+    image: invoiceninja/invoiceninja-debian:latest
     restart: unless-stopped
     env_file:
       - ./.env
@@ -17,7 +16,8 @@ services:
       - ./.env:/var/www/html/.env  
       - app_storage:/var/www/html/storage
       - app_cache:/var/www/html/bootstrap/cache
-      - public_files:/var/www/html/public  
+      - public_storage:/var/www/html/public/storage
+    user: www-data:www-data 
 
     networks:
       - app-network
@@ -36,14 +36,13 @@ services:
     image: nginx:alpine
     restart: unless-stopped
     ports:
-      - "8013:80"
+      - "80:80"
     volumes:
       - ./nginx/conf.d:/etc/nginx/conf.d:ro
       - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - type: volume
-        source: public_files
-        target: /var/www/html/public
-        read_only: true
+    volumes_from:
+      - app
+
     networks:
       - app-network
     depends_on:
@@ -104,13 +103,11 @@ networks:
 volumes:
   app_storage:
     driver: local
-  app_public:
-    driver: local
   app_cache:
     driver: local
+  public_storage:
+    driver: local  # Persistent storage for user files
   mysql_data:
     driver: local
   redis_data:
-    driver: local
-  public_files:  
     driver: local