Merge pull request #643 from turbo124/debian

Updates for permission handling in the container

.github/workflows/publish-image.yaml

@@ -16,7 +16,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4  # Updated from v2
+        with:
+          fetch-depth: 0
 
       - name: Prepare
         id: prep
@@ -30,54 +32,44 @@ jobs:
           MAJOR="$(echo "${VERSION}" | cut -d. -f1)"
           MINOR="$(echo "${VERSION}" | cut -d. -f2)"
           TAGS="$TAGS,${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:${MAJOR}.${MINOR}"
-          if [[ $VERSION =~ ^5\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+          
-            TAGS="$TAGS,${DOCKER_IMAGE}:latest"
+          # Debug output
-          fi
+          echo "Current version: ${VERSION}"
-          echo ::set-output name=tags::${TAGS}
+          echo "Version pattern check: $([[ $VERSION =~ ^5\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && echo "matches" || echo "doesn't match")"
-          echo ::set-output name=version::${VERSION}
+          
-          echo ::set-output name=major::${MAJOR}
+          TAGS="$TAGS,${DOCKER_IMAGE}:latest"
+
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT  # Updated output syntax
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "major=${MAJOR}" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3  # Updated from v1
         with:
           platforms: all
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3  # Updated from v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-${{ matrix.image }}-buildx-${{ steps.prep.outputs.major }}-${{ hashFiles('**/cache_buster') }}-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.image }}-buildx-${{ steps.prep.outputs.major }}-${{ hashFiles('**/cache_buster') }}-
 
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3  # Updated from v1
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5  # Updated from v2
         with:
-          builder: ${{ steps.buildx.outputs.name }}
           context: ${{ matrix.context }}
           build-args: INVOICENINJA_VERSION=${{ steps.prep.outputs.version }}
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.prep.outputs.tags }}
-          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-from: type=gha  # Updated cache type
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          cache-to: type=gha,mode=max
-
-      - name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}

README.md

@@ -19,7 +19,7 @@ This Debian-based image includes Chrome for enhanced PDF generation and other fe
 
 ```bash
 git clone https://github.com/invoiceninja/dockerfiles.git -b debian
-cd dockerfiles
+cd dockerfiles/debian
 ```
 
 Instead of defining our environment variables inside our docker-compose.yml file we now define this in the `.env` file, open this file up and insert your `APP_URL`, `APP_KEY` and update the rest of the variables as required.
@@ -41,7 +41,9 @@ Prior to starting the container for the first time, open the .env file and updat
 This will take care of the initial account setup. You can later remove these .env variables.
 
 > ⚠️ **Warning**  
-> If `IN_USER_EMAIL` and `IN_PASSWORD` is not set the default user email and password is "admin@example.com" and "changeme!" respectively. You will use this for the initial login, thereafter, you can delete these two environment variables.
+> If `IN_USER_EMAIL` and `IN_PASSWORD` are not set the default user email and password is "admin@example.com" and "changeme!" respectively. 
+
+After the container has completed the first startup you can delete these two environment variables.
 
 ### Generate a APP_KEY
 

debian/Dockerfile

@@ -117,10 +117,19 @@ WORKDIR /var/www/html
 RUN set -eux; \ 
     DOWNLOAD_URL=$(curl -s "https://api.github.com/repos/invoiceninja/invoiceninja/releases/latest" | \
     grep -o '"browser_download_url": "[^"]*invoiceninja.tar"' | cut -d '"' -f 4) && \
-    curl -L "$DOWNLOAD_URL" | tar -xvz -C /var/www/html && \
+    echo "Downloading from: $DOWNLOAD_URL" && \
-    rm -rf /var/www/html/ui && \
+    # Download and save the tar
+    curl -L "$DOWNLOAD_URL" -o /tmp/ninja.tar && \
+    # Try extraction
+    cd /var/www/html && \
+    tar -xf /tmp/ninja.tar && \
+    # List what was extracted
+    rm -f /tmp/ninja.tar && \
     chown -R www-data:www-data /var/www/html
 
+# After setting permissions, switch to www-data for remaining operations
+USER www-data
+
 # Install dependencies
 RUN composer install --no-dev --no-scripts --no-autoloader
 
@@ -131,6 +140,8 @@ RUN composer dump-autoload --optimize \
     && php artisan config:cache \
     && php artisan route:cache
 
+USER root
+
 # Setup supervisor
 COPY supervisor/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
@@ -151,7 +162,7 @@ RUN mkdir -p \
     /var/www/html/storage/framework/sessions \
     /var/www/html/storage/framework/views \
     /var/www/html/storage/logs \
-    /var/www/html/public/uploads \
+    /var/www/html/public/storage \
     /var/run \
     /var/log/supervisor 
 
@@ -159,16 +170,19 @@ RUN mkdir -p \
 RUN chown -R www-data:www-data \
     /var/www/html/storage \
     /var/www/html/bootstrap/cache \
-    /var/www/html/public/uploads \
+    /var/www/html/public/storage \
     /var/run \
     /var/log/supervisor \
     && chmod -R 775 \
-        /var/www/html/public/uploads \
+        /var/www/html/public/storage \
         /var/www/html/storage \
         /var/www/html/bootstrap/cache \
         /var/run \
         /var/log/supervisor 
 
+# Switch to www-data for runtime
+USER www-data
+
 # Health check
 HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
     CMD php -v || exit 1

debian/docker-compose.yml

@@ -8,7 +8,7 @@ x-logging: &default-logging
 
 services:
   app:
-    image: invoiceninja/invoiceninja-debian:5 
+    image: invoiceninja/invoiceninja-debian:latest
     restart: unless-stopped
     env_file:
       - ./.env
@@ -16,7 +16,8 @@ services:
       - ./.env:/var/www/html/.env  
       - app_storage:/var/www/html/storage
       - app_cache:/var/www/html/bootstrap/cache
-      - public_files:/var/www/html/public  
+      - public_storage:/var/www/html/public/storage
+    user: www-data:www-data 
 
     networks:
       - app-network
@@ -39,10 +40,9 @@ services:
     volumes:
       - ./nginx/conf.d:/etc/nginx/conf.d:ro
       - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - type: volume
+    volumes_from:
-        source: public_files
+      - app
-        target: /var/www/html/public
+
-        read_only: true
     networks:
       - app-network
     depends_on:
@@ -103,13 +103,11 @@ networks:
 volumes:
   app_storage:
     driver: local
-  app_public:
-    driver: local
   app_cache:
     driver: local
+  public_storage:
+    driver: local  # Persistent storage for user files
   mysql_data:
     driver: local
   redis_data:
     driver: local
-  public_files:  
-    driver: local