From 02452f16b756736013f91eddd8b3d43562f625c2 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Fri, 11 Nov 2022 01:32:25 -0500 Subject: [PATCH 01/25] Update to Latest New Relic Agent --- overlays/00-sample/publish.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile
index 9d270e3..9ddb198 100644
--- a/overlays/00-sample/publish.profile
+++ b/overlays/00-sample/publish.profile
@@ -70,7 +70,7 @@ NEW_RELIC_KEY=""
 #
 # Leave blank if you do not use New Relic monitoring.
 #
-NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.2.0.314-linux.tar.gz"
+NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.3.0.315-linux.tar.gz"
 ##
 # The name by which you would like Nextcloud to identify itself in New Relic.
From fd029a7309566587a811bae3bb5db955fd0626ac Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Dec 2022 01:19:59 +0000 Subject: [PATCH 02/25] Bump jsonwebtoken from 8.5.1 to 9.0.0 in /docker/sftp-ws-server/app Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0. - [Release notes](https://github.com/auth0/node-jsonwebtoken/releases) - [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](https://github.com/auth0/node-jsonwebtoken/compare/v8.5.1...v9.0.0) --- updated-dependencies: - dependency-name: jsonwebtoken dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/package.json | 2 +- docker/sftp-ws-server/app/yarn.lock | 78 +++++++++----------------- 2 files changed, 29 insertions(+), 51 deletions(-)
diff --git a/docker/sftp-ws-server/app/package.json b/docker/sftp-ws-server/app/package.json
index 04c2408..8769529 100644
--- a/docker/sftp-ws-server/app/package.json
+++ b/docker/sftp-ws-server/app/package.json
@@ -6,7 +6,7 @@ "@inveniem/sftp-ws": "^0.8.1", "bunyan": "^1.8.14", "express": "^4.10", - "jsonwebtoken": "^8.1.0" + "jsonwebtoken": "^9.0.0" }, "author": "Inveniem", "license": "UNLICENSED" diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 0a7f5e4..c0498b9 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock @@ -271,21 +271,15 @@ ipaddr.js@1.9.1: resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz#bff38543eeb8984825079ff3a2a8e6cbd46781b3" integrity sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g== -jsonwebtoken@^8.1.0: - version "8.5.1" - resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz#00e71e0b8df54c2121a1f26137df2280673bcc0d" - integrity sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w== +jsonwebtoken@^9.0.0: + version "9.0.0" + resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-9.0.0.tgz#d0faf9ba1cc3a56255fe49c0961a67e520c1926d" + integrity sha512-tuGfYXxkQGDPnLJ7SibiQgVgeDgfbPq2k2ICcbgqW8WxWLBAxKQM/ZCu/IT8SOSwmaYl4dpTFCW5xZv7YbbWUw== dependencies: jws "^3.2.2" - lodash.includes "^4.3.0" - lodash.isboolean "^3.0.3" - lodash.isinteger "^4.0.4" - lodash.isnumber "^3.0.3" - lodash.isplainobject "^4.0.6" - lodash.isstring "^4.0.1" - lodash.once "^4.0.0" + lodash "^4.17.21" ms "^2.1.1" - semver "^5.6.0" + semver "^7.3.8" jwa@^1.4.1: version "1.4.1" 
@@ -304,40 +298,17 @@ jws@^3.2.2: jwa "^1.4.1" safe-buffer "^5.0.1" -lodash.includes@^4.3.0: - version "4.3.0" - resolved "https://registry.yarnpkg.com/lodash.includes/-/lodash.includes-4.3.0.tgz#60bb98a87cb923c68ca1e51325483314849f553f" - integrity sha1-YLuYqHy5I8aMoeUTJUgzFISfVT8= - -lodash.isboolean@^3.0.3: - version "3.0.3" - resolved "https://registry.yarnpkg.com/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz#6c2e171db2a257cd96802fd43b01b20d5f5870f6" - integrity sha1-bC4XHbKiV82WgC/UOwGyDV9YcPY= - -lodash.isinteger@^4.0.4: - version "4.0.4" - resolved "https://registry.yarnpkg.com/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz#619c0af3d03f8b04c31f5882840b77b11cd68343" - integrity sha1-YZwK89A/iwTDH1iChAt3sRzWg0M= - -lodash.isnumber@^3.0.3: - version "3.0.3" - resolved "https://registry.yarnpkg.com/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz#3ce76810c5928d03352301ac287317f11c0b1ffc" - integrity sha1-POdoEMWSjQM1IwGsKHMX8RwLH/w= - -lodash.isplainobject@^4.0.6: - version "4.0.6" - resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz#7c526a52d89b45c45cc690b88163be0497f550cb" - integrity sha1-fFJqUtibRcRcxpC4gWO+BJf1UMs= - -lodash.isstring@^4.0.1: - version "4.0.1" - resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451" - integrity sha1-1SfftUVuynzJu5XV2ur4i6VKVFE= - -lodash.once@^4.0.0: - version "4.1.1" - resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac" - integrity sha1-DdOXEhPHxW34gJd9UEyI+0cal6w= +lodash@^4.17.21: + version "4.17.21" + resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" + integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== + +lru-cache@^6.0.0: + version "6.0.0" + resolved 
"https://registry.yarnpkg.com/lru-cache/-/lru-cache-6.0.0.tgz#6d6fe6570ebd96aaf90fcad1dafa3b2566db3a94" + integrity sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA== + dependencies: + yallist "^4.0.0" media-typer@0.3.0: version "0.3.0" @@ -523,10 +494,12 @@ safe-json-stringify@~1: resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a" integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg== -semver@^5.6.0: - version "5.7.1" - resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7" - integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ== +semver@^7.3.8: + version "7.3.8" + resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.8.tgz#07a78feafb3f7b32347d725e33de7e2a2df67798" + integrity sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A== + dependencies: + lru-cache "^6.0.0" send@0.17.1: version "0.17.1" @@ -612,3 +585,8 @@ ws@^1.0.0: dependencies: options ">=0.0.5" ultron "1.0.x" + +yallist@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/yallist/-/yallist-4.0.0.tgz#9bb92790d9c0effec63be73519e11a35019a3a72" + integrity sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A== From d57d79eaeda7176645e1e62a5ee9cca000670c06 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Tue, 7 Feb 2023 17:10:30 -0500 Subject: [PATCH 03/25] Remove Unnecessary Exports of Registry Name and Host This is passed as a command-line argument, not as an environment variable, so we do not need to export it. --- bin/rigger | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/rigger b/bin/rigger index 54ba8aa..838c88c 100644 --- a/bin/rigger +++ b/bin/rigger 
@@ -194,8 +194,6 @@ sub_publish() {
 echo "Building and publishing Nextcloud image '${publish_version}'..."
 echo ""
- export REGISTRY_NAME
- export REGISTRY_HOST
 export NEW_RELIC_KEY
 export NEW_RELIC_AGENT_URL
 export NEW_RELIC_APP
From 1c4ee06d2d7811e30fd0443ceb64f4f6c0ee833d Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sat, 11 Feb 2023 21:21:39 -0500 Subject: [PATCH 04/25] Remove Unnecessary `require_command` for `cut` Not sure why I needed this but we no longer do. --- bin/rigger | 2 -- 1 file changed, 2 deletions(-)
diff --git a/bin/rigger b/bin/rigger
index 838c88c..6ad1363 100644
--- a/bin/rigger
+++ b/bin/rigger
@@ -281,8 +281,6 @@ sub_add_sftp_user() {
 local is_arg_missing=0
 local username="${1:-}"
- require_command "cut"
-
 if [[ -z "${username}" ]]; then
 is_arg_missing=1
 fi
From 3bbabbdc93e03df65aba4e104105b1a0af41e872 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Dec 2022 01:42:05 +0000 Subject: [PATCH 05/25] Bump express from 4.17.1 to 4.17.3 in /docker/sftp-ws-server/app Bumps [express](https://github.com/expressjs/express) from 4.17.1 to 4.17.3. - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](https://github.com/expressjs/express/compare/4.17.1...4.17.3) --- updated-dependencies: - dependency-name: express dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/package.json | 2 +- docker/sftp-ws-server/app/yarn.lock | 225 ++++++++++++------------- 2 files changed, 109 insertions(+), 118 deletions(-)
diff --git a/docker/sftp-ws-server/app/package.json b/docker/sftp-ws-server/app/package.json
index 04c2408..af64f4c 100644
--- a/docker/sftp-ws-server/app/package.json
+++ b/docker/sftp-ws-server/app/package.json
@@ -5,7 +5,7 @@ "dependencies": { "@inveniem/sftp-ws": "^0.8.1", "bunyan": "^1.8.14", - "express": "^4.10", + "express": "^4.17", "jsonwebtoken": "^8.1.0" }, "author": "Inveniem", diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 0a7f5e4..eedcfa2 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock @@ -9,13 +9,13 @@ dependencies: ws "^1.0.0" -accepts@~1.3.7: - version "1.3.7" - resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.7.tgz#531bc726517a3b2b41f850021c6cc15eaab507cd" - integrity sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA== +accepts@~1.3.8: + version "1.3.8" + resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.3.8.tgz#0bf0be125b67014adcb0b0921e62db7bffe16b2e" + integrity sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw== dependencies: - mime-types "~2.1.24" - negotiator "0.6.2" + mime-types "~2.1.34" + negotiator "0.6.3" array-flatten@1.1.1: version "1.1.1" 
@@ -27,21 +27,21 @@ balanced-match@^1.0.0: resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767" integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c= -body-parser@1.19.0: - version "1.19.0" - resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.19.0.tgz#96b2709e57c9c4e09a6fd66a8fd979844f69f08a" - integrity sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw== +body-parser@1.19.2: + version "1.19.2" + resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.19.2.tgz#4714ccd9c157d44797b8b5607d72c0b89952f26e" + integrity sha512-SAAwOxgoCKMGs9uUAUFHygfLAyaniaoun6I8mFY9pRAJL9+Kec34aU+oIjDhTycub1jozEfEwx1W1IuOYxVSFw== dependencies: - bytes "3.1.0" + bytes "3.1.2" content-type "~1.0.4" debug "2.6.9" depd "~1.1.2" - http-errors "1.7.2" + http-errors "1.8.1" iconv-lite "0.4.24" on-finished "~2.3.0" - qs "6.7.0" - raw-body "2.4.0" - type-is "~1.6.17" + qs "6.9.7" + raw-body "2.4.3" + type-is "~1.6.18" brace-expansion@^1.1.7: version "1.1.11" 
@@ -66,22 +66,22 @@ bunyan@^1.8.14: mv "~2" safe-json-stringify "~1" -bytes@3.1.0: - version "3.1.0" - resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.1.0.tgz#f6cf7933a360e0588fa9fde85651cdc7f805d1f6" - integrity sha512-zauLjrfCG+xvoyaqLoV8bLVXXNGC4JqlxFCutSDWA6fJrTo2ZuvLYTqZ7aHBLZSMOopbzwv8f+wZcVzfVTI2Dg== +bytes@3.1.2: + version "3.1.2" + resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.1.2.tgz#8b0beeb98605adf1b128fa4386403c009e0221a5" + integrity sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg== concat-map@0.0.1: version "0.0.1" resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b" integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s= -content-disposition@0.5.3: - version "0.5.3" - resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.3.tgz#e130caf7e7279087c5616c2007d0485698984fbd" - integrity sha512-ExO0774ikEObIAEV9kDo50o+79VCUdEB6n6lzKgGwupcVeRlhrj3qGAfwq8G6uBJjkqLrhT0qEYFcWng8z1z0g== +content-disposition@0.5.4: + version "0.5.4" + resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.4.tgz#8b82b4efac82512a02bb0b1dcec9d2c5e8eb5bfe" + integrity sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ== dependencies: - safe-buffer "5.1.2" + safe-buffer "5.2.1" content-type@~1.0.4: version "1.0.4" 
@@ -93,10 +93,10 @@ cookie-signature@1.0.6: resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c" integrity sha1-4wOogrNCzD7oylE6eZmXNNqzriw= -cookie@0.4.0: - version "0.4.0" - resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.4.0.tgz#beb437e7022b3b6d49019d088665303ebe9c14ba" - integrity sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg== +cookie@0.4.2: + version "0.4.2" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.4.2.tgz#0e41f24de5ecf317947c82fc789e06a884824432" + integrity sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA== debug@2.6.9: version "2.6.9" @@ -149,17 +149,17 @@ etag@~1.8.1: resolved "https://registry.yarnpkg.com/etag/-/etag-1.8.1.tgz#41ae2eeb65efa62268aebfea83ac7d79299b0887" integrity sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc= -express@^4.10: - version "4.17.1" - resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134" - integrity sha512-mHJ9O79RqluphRrcw2X/GTh3k9tVv8YcoyY4Kkh4WDMUYKRZUq0h1o0w2rrrxBqM7VoeUVqgb27xlEMXTnYt4g== +express@^4.17: + version "4.17.3" + resolved "https://registry.yarnpkg.com/express/-/express-4.17.3.tgz#f6c7302194a4fb54271b73a1fe7a06478c8f85a1" + integrity sha512-yuSQpz5I+Ch7gFrPCk4/c+dIBKlQUxtgwqzph132bsT6qhuzss6I8cLJQz7B3rFblzd6wtcI0ZbGltH/C4LjUg== dependencies: - accepts "~1.3.7" + accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.19.0" - content-disposition "0.5.3" + body-parser "1.19.2" + content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.4.0" + cookie "0.4.2" cookie-signature "1.0.6" debug "2.6.9" depd "~1.1.2" 
@@ -173,13 +173,13 @@ express@^4.10: on-finished "~2.3.0" parseurl "~1.3.3" path-to-regexp "0.1.7" - proxy-addr "~2.0.5" - qs "6.7.0" + proxy-addr "~2.0.7" + qs "6.9.7" range-parser "~1.2.1" - safe-buffer "5.1.2" - send "0.17.1" - serve-static "1.14.1" - setprototypeof "1.1.1" + safe-buffer "5.2.1" + send "0.17.2" + serve-static "1.14.2" + setprototypeof "1.2.0" statuses "~1.5.0" type-is "~1.6.18" utils-merge "1.0.1" @@ -198,10 +198,10 @@ finalhandler@~1.1.2: statuses "~1.5.0" unpipe "~1.0.0" -forwarded@~0.1.2: - version "0.1.2" - resolved "https://registry.yarnpkg.com/forwarded/-/forwarded-0.1.2.tgz#98c23dab1175657b8c0573e8ceccd91b0ff18c84" - integrity sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ= +forwarded@0.2.0: + version "0.2.0" + resolved "https://registry.yarnpkg.com/forwarded/-/forwarded-0.2.0.tgz#2269936428aad4c15c7ebe9779a84bf0b2a81811" + integrity sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow== fresh@0.5.2: version "0.5.2" 
@@ -219,27 +219,16 @@ glob@^6.0.1: once "^1.3.0" path-is-absolute "^1.0.0" -http-errors@1.7.2: - version "1.7.2" - resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.7.2.tgz#4f5029cf13239f31036e5b2e55292bcfbcc85c8f" - integrity sha512-uUQBt3H/cSIVfch6i1EuPNy/YsRSOUBXTVfZ+yR7Zjez3qjBz6i9+i4zjNaoqcoFVI4lQJ5plg63TvGfRSDCRg== - dependencies: - depd "~1.1.2" - inherits "2.0.3" - setprototypeof "1.1.1" - statuses ">= 1.5.0 < 2" - toidentifier "1.0.0" - -http-errors@~1.7.2: - version "1.7.3" - resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.7.3.tgz#6c619e4f9c60308c38519498c14fbb10aacebb06" - integrity sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw== +http-errors@1.8.1: + version "1.8.1" + resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.8.1.tgz#7c3f28577cbc8a207388455dbd62295ed07bd68c" + integrity sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g== dependencies: depd "~1.1.2" inherits "2.0.4" - setprototypeof "1.1.1" + setprototypeof "1.2.0" statuses ">= 1.5.0 < 2" - toidentifier "1.0.0" + toidentifier "1.0.1" iconv-lite@0.4.24: version "0.4.24" @@ -261,11 +250,6 @@ inherits@2, inherits@2.0.4: resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c" integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ== -inherits@2.0.3: - version "2.0.3" - resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.3.tgz#633c2c83e3da42a502f52466022480f4208261de" - integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4= - ipaddr.js@1.9.1: version "1.9.1" resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz#bff38543eeb8984825079ff3a2a8e6cbd46781b3" 
@@ -359,6 +343,11 @@ mime-db@1.44.0: resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.44.0.tgz#fa11c5eb0aca1334b4233cb4d52f10c5a6272f92" integrity sha512-/NOTfLrsPBVeH7YtFPgsVWveuL+4SjjYxaQ1xtM1KMFj7HdxlBlxeyNLzhyJVx7r4rZGJAZ/6lkKCitSc/Nmpg== +mime-db@1.52.0: + version "1.52.0" + resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.52.0.tgz#bbabcdc02859f4987301c856e3387ce5ec43bf70" + integrity sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg== + mime-types@~2.1.24: version "2.1.27" resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.27.tgz#47949f98e279ea53119f5722e0f34e529bec009f" @@ -366,6 +355,13 @@ mime-types@~2.1.24: dependencies: mime-db "1.44.0" +mime-types@~2.1.34: + version "2.1.35" + resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.35.tgz#381a871b62a734450660ae3deee44813f70d959a" + integrity sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw== + dependencies: + mime-db "1.52.0" + mime@1.6.0: version "1.6.0" resolved "https://registry.yarnpkg.com/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1" @@ -400,10 +396,10 @@ ms@2.0.0: resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8" integrity sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g= -ms@2.1.1: - version "2.1.1" - resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.1.tgz#30a5864eb3ebb0a66f2ebe6d727af06a09d86e0a" - integrity sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg== +ms@2.1.3: + version "2.1.3" + resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#574c8138ce1d2b5861f0b44579dbadd60c6615b2" + integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA== ms@^2.1.1: version "2.1.2" 
@@ -429,10 +425,10 @@ ncp@~2.0.0: resolved "https://registry.yarnpkg.com/ncp/-/ncp-2.0.0.tgz#195a21d6c46e361d2fb1281ba38b91e9df7bdbb3" integrity sha1-GVoh1sRuNh0vsSgbo4uR6d9727M= -negotiator@0.6.2: - version "0.6.2" - resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.2.tgz#feacf7ccf525a77ae9634436a64883ffeca346fb" - integrity sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw== +negotiator@0.6.3: + version "0.6.3" + resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.3.tgz#58e323a72fedc0d6f9cd4d31fe49f51479590ccd" + integrity sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg== on-finished@~2.3.0: version "2.3.0" 
@@ -468,31 +464,31 @@ path-to-regexp@0.1.7: resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.7.tgz#df604178005f522f15eb4490e7247a1bfaa67f8c" integrity sha1-32BBeABfUi8V60SQ5yR6G/qmf4w= -proxy-addr@~2.0.5: - version "2.0.6" - resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.6.tgz#fdc2336505447d3f2f2c638ed272caf614bbb2bf" - integrity sha512-dh/frvCBVmSsDYzw6n926jv974gddhkFPfiN8hPOi30Wax25QZyZEGveluCgliBnqmuM+UJmBErbAUFIoDbjOw== +proxy-addr@~2.0.7: + version "2.0.7" + resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.7.tgz#f19fe69ceab311eeb94b42e70e8c2070f9ba1025" + integrity sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg== dependencies: - forwarded "~0.1.2" + forwarded "0.2.0" ipaddr.js "1.9.1" -qs@6.7.0: - version "6.7.0" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.7.0.tgz#41dc1a015e3d581f1621776be31afb2876a9b1bc" - integrity sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ== +qs@6.9.7: + version "6.9.7" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.9.7.tgz#4610846871485e1e048f44ae3b94033f0e675afe" + integrity sha512-IhMFgUmuNpyRfxA90umL7ByLlgRXu6tIfKPpF5TmcfRLlLCckfP/g3IQmju6jjpu+Hh8rA+2p6A27ZSPOOHdKw== range-parser@~1.2.1: version "1.2.1" resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.1.tgz#3cf37023d199e1c24d1a55b84800c2f3e6468031" integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg== -raw-body@2.4.0: - version "2.4.0" - resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.4.0.tgz#a1ce6fb9c9bc356ca52e89256ab59059e13d0332" - integrity sha512-4Oz8DUIwdvoa5qMJelxipzi/iJIi40O5cGV1wNYp5hvZP8ZN0T+jiNkL0QepXs+EsQ9XJ8ipEDoiH70ySUJP3Q== +raw-body@2.4.3: + version "2.4.3" + resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.4.3.tgz#8f80305d11c2a0a545c2d9d89d7a0286fcead43c" + integrity 
sha512-UlTNLIcu0uzb4D2f4WltY6cVjLi+/jEN4lgEUj3E04tpMDpUlkBo/eSn6zou9hum2VMNpCCUone0O0WeJim07g== dependencies: - bytes "3.1.0" - http-errors "1.7.2" + bytes "3.1.2" + http-errors "1.8.1" iconv-lite "0.4.24" unpipe "1.0.0" @@ -503,12 +499,7 @@ rimraf@~2.4.0: dependencies: glob "^6.0.1" -safe-buffer@5.1.2: - version "5.1.2" - resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d" - integrity sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g== - -safe-buffer@^5.0.1: +safe-buffer@5.2.1, safe-buffer@^5.0.1: version "5.2.1" resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6" integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ== @@ -528,10 +519,10 @@ semver@^5.6.0: resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7" integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ== -send@0.17.1: - version "0.17.1" - resolved "https://registry.yarnpkg.com/send/-/send-0.17.1.tgz#c1d8b059f7900f7466dd4938bdc44e11ddb376c8" - integrity sha512-BsVKsiGcQMFwT8UxypobUKyv7irCNRHk1T0G680vk88yf6LBByGcZJOTJCrTP2xVN6yI+XjPJcNuE3V4fT9sAg== +send@0.17.2: + version "0.17.2" + resolved "https://registry.yarnpkg.com/send/-/send-0.17.2.tgz#926622f76601c41808012c8bf1688fe3906f7820" + integrity sha512-UJYB6wFSJE3G00nEivR5rgWp8c2xXvJ3OPWPhmuteU0IKj8nKbG3DrjiOmLwpnHGYWAVwA69zmTm++YG0Hmwww== dependencies: debug "2.6.9" depd "~1.1.2" 
@@ -540,39 +531,39 @@ send@0.17.1: escape-html "~1.0.3" etag "~1.8.1" fresh "0.5.2" - http-errors "~1.7.2" + http-errors "1.8.1" mime "1.6.0" - ms "2.1.1" + ms "2.1.3" on-finished "~2.3.0" range-parser "~1.2.1" statuses "~1.5.0" -serve-static@1.14.1: - version "1.14.1" - resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.14.1.tgz#666e636dc4f010f7ef29970a88a674320898b2f9" - integrity sha512-JMrvUwE54emCYWlTI+hGrGv5I8dEwmco/00EvkzIIsR7MqrHonbD9pO2MOfFnpFntl7ecpZs+3mW+XbQZu9QCg== +serve-static@1.14.2: + version "1.14.2" + resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.14.2.tgz#722d6294b1d62626d41b43a013ece4598d292bfa" + integrity sha512-+TMNA9AFxUEGuC0z2mevogSnn9MXKb4fa7ngeRMJaaGv8vTwnIEkKi+QGvPt33HSnf8pRS+WGM0EbMtCJLKMBQ== dependencies: encodeurl "~1.0.2" escape-html "~1.0.3" parseurl "~1.3.3" - send "0.17.1" + send "0.17.2" -setprototypeof@1.1.1: - version "1.1.1" - resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.1.1.tgz#7e95acb24aa92f5885e0abef5ba131330d4ae683" - integrity sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw== +setprototypeof@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.2.0.tgz#66c9a24a73f9fc28cbe66b09fed3d33dcaf1b424" + integrity sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw== "statuses@>= 1.5.0 < 2", statuses@~1.5.0: version "1.5.0" resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c" integrity sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow= -toidentifier@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/toidentifier/-/toidentifier-1.0.0.tgz#7e1be3470f1e77948bc43d94a3c8f4d7752ba553" - integrity sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw== +toidentifier@1.0.1: + version "1.0.1" + resolved 
"https://registry.yarnpkg.com/toidentifier/-/toidentifier-1.0.1.tgz#3be34321a88a820ed1bd80dfaa33e479fbb8dd35" + integrity sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA== -type-is@~1.6.17, type-is@~1.6.18: +type-is@~1.6.18: version "1.6.18" resolved "https://registry.yarnpkg.com/type-is/-/type-is-1.6.18.tgz#4e552cd05df09467dcbc4ef739de89f2cf37c131" integrity sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g== From 9c4f275c8fbf9912a4ed3fc8424dd0e2a2fd2c77 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 Apr 2023 18:47:00 +0000 Subject: [PATCH 06/25] Bump moment from 2.29.2 to 2.29.4 in /docker/sftp-ws-server/app Bumps [moment](https://github.com/moment/moment) from 2.29.2 to 2.29.4. - [Release notes](https://github.com/moment/moment/releases) - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](https://github.com/moment/moment/compare/2.29.2...2.29.4) --- updated-dependencies: - dependency-name: moment dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 9e5b93a..af7b7ad 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock 
@@ -358,9 +358,9 @@ mkdirp@~0.5.1: minimist "^1.2.5" moment@^2.19.3: - version "2.29.2" - resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.2.tgz#00910c60b20843bcba52d37d58c628b47b1f20e4" - integrity sha512-UgzG4rvxYpN15jgCmVJwac49h9ly9NurikMWGPdVxm8GZD6XjkKPxDTjQQ43gtGgnV3X0cAyWDdP2Wexoquifg== + version "2.29.4" + resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz#3dbe052889fe7c1b2ed966fcb3a77328964ef108" + integrity sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w== ms@2.0.0: version "2.0.0" From aa0bd94a6c8f790ece91b28d05646afb34504705 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 Apr 2023 18:47:00 +0000 Subject: [PATCH 07/25] Bump minimatch from 3.0.4 to 3.1.2 in /docker/sftp-ws-server/app Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.2. - [Release notes](https://github.com/isaacs/minimatch/releases) - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v3.0.4...v3.1.2) --- updated-dependencies: - dependency-name: minimatch dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 9e5b93a..29d38e3 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock 
@@ -339,9 +339,9 @@ mime@1.6.0: integrity sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg== "minimatch@2 || 3": - version "3.0.4" - resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" - integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== + version "3.1.2" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" + integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== dependencies: brace-expansion "^1.1.7" From 9a448bcbbc479633f74d2b4661955508132e1c95 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Jul 2023 11:45:20 +0000 Subject: [PATCH 08/25] Bump semver from 7.3.8 to 7.5.4 in /docker/sftp-ws-server/app Bumps [semver](https://github.com/npm/node-semver) from 7.3.8 to 7.5.4. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.3.8...v7.5.4) --- updated-dependencies: - dependency-name: semver dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 280cebf..88cb891 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock 
@@ -486,9 +486,9 @@ safe-json-stringify@~1: integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg== semver@^7.3.8: - version "7.3.8" - resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.8.tgz#07a78feafb3f7b32347d725e33de7e2a2df67798" - integrity sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A== + version "7.5.4" + resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e" + integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA== dependencies: lru-cache "^6.0.0" From ec07cc0c8055ef7a97b7b5540c2004a47ae31a85 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Fri, 22 Mar 2024 11:55:08 -0400 Subject: [PATCH 09/25] Upgrade to Redis 7.2.4 No reason to lock this down to 6.x. --- overlays/00-sample/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/00-sample/kustomization.yaml b/overlays/00-sample/kustomization.yaml index a40f905..791d8a3 100644 --- a/overlays/00-sample/kustomization.yaml +++ b/overlays/00-sample/kustomization.yaml @@ -92,7 +92,7 @@ images: digest: "sha256:09faf0d32b3f6f1169d2428e8226f2ea12bbb8fc3d96acc95ee1278f1a9f39c4" - name: redis - newTag: "6.2.6-alpine" + newTag: "7.2.4-alpine" - name: inveniem/nextcloud-cron newName: your-acr-instance.azurecr.io/inveniem/nextcloud-cron From 74c8dae45cb4854451a8edf791413143f8e42e4b Mon Sep 17 00:00:00 2001 
From: Guy Elsmore-Paddock Date: Thu, 20 Apr 2023 21:34:28 -0400 Subject: [PATCH 10/25] Introduce a Maintenance Page Feature for Use During Scheduled Downtime --- .../maintenance_page/kustomization.yaml | 51 +++++++++ .../manifests/app-maintenance_page.yaml | 105 ++++++++++++++++++ overlays/00-sample/kustomization.yaml | 10 ++ .../manifests/config-environment.yaml | 15 +++ 4 files changed, 181 insertions(+) create mode 100644 components/maintenance_page/kustomization.yaml create mode 100644 components/maintenance_page/manifests/app-maintenance_page.yaml diff --git a/components/maintenance_page/kustomization.yaml b/components/maintenance_page/kustomization.yaml new file mode 100644 index 0000000..8d0abeb --- /dev/null +++ b/components/maintenance_page/kustomization.yaml 
@@ -0,0 +1,51 @@
+##
+# Kustomization component to serve up a maintenance page instead of Nextcloud.
+#
+# The configuration for the maintenance page comes from a
+# config-environment.yaml file provided by the overlay for the environment. This
+# functionality has been provided as a component so that it only needs to be
+# referenced by an overlay when traffic served by that overlay should be routed
+# away from Nextcloud, such as during scheduled downtime. The component
+# accomplishes this by rewriting the ingress routes for Nextcloud to route
+# traffic to the maintenance page service instead of Nextcloud itself.
+#
+# To enable the maintenance page for the environment of an overlay:
+# 1. Customize the appropriate settings in the config-environment.yaml of the
+# overlay.
+# 2. Uncomment the reference to this component in the `kustomization.yaml` file.
+# 3. Re-deploy the overlay.
+#
+# To disable the maintenance page for the environment of an overlay:
+# 1. Comment out the reference to this component in the `kustomization.yaml`
+# file.
+# 2. Re-deploy the overlay.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2023-2024, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+ - manifests/app-maintenance_page.yaml
+
+patches:
+ - target:
+ kind: Ingress
+ name: "frontend-nextcloud-ingress"
+ labelSelector: "owning-app=nextcloud"
+ patch: |
+ [
+ {
+ "op": "replace",
+ "path": "/spec/rules/0/http/paths/0/backend/service/name",
+ "value": "internal-maintenance-page"
+ },
+ {
+ "op": "replace",
+ "path": "/spec/rules/0/http/paths/0/backend/service/port/number",
+ "value": 8080
+ }
+ ]
+
diff --git a/components/maintenance_page/manifests/app-maintenance_page.yaml b/components/maintenance_page/manifests/app-maintenance_page.yaml
new file mode 100644
index 0000000..b775c43
--- /dev/null
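Review bot: The patch replaces only `/spec/rules/0/http/paths/0/backend/...`, so any additional rule or path on `frontend-nextcloud-ingress` would keep routing to Nextcloud while the maintenance page is enabled. The Ingress is not part of this hunk, so whether it has more than one rule or path cannot be confirmed here; if it can, add one pair of `replace` operations per rule/path. At minimum the header comment should state the assumption, e.g. `# Assumes the ingress has a single rule with a single path; only that route is redirected.` The redirect also acts only at the Ingress, so the Nextcloud Service presumably stays reachable from inside the cluster, which is worth saying where the overlay describes this as blocking access.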
+++ b/components/maintenance_page/manifests/app-maintenance_page.yaml 
@@ -0,0 +1,105 @@
+##
+# Kubernetes deployment manifest for running a simple maintenance page during
+# scheduled/planned downtime.
+#
+# The messages displayed are configured in the config-environment.yaml file
+# provided by the overlay for the environment.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @copyright Copyright (c) 2023-2024, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: maintenance-page
+spec:
+ replicas: 1
+ revisionHistoryLimit: 2
+ selector:
+ matchLabels:
+ app: frontend-maintenance-page
+ role: frontend
+ template:
+ metadata:
+ labels:
+ app: frontend-maintenance-page
+ role: frontend
+ spec:
+ tolerations:
+ # Allow scheduling this job on burstable nodes.
+ - key: inveniem.com/workload-type
+ operator: Equal
+ value: burstable
+ effect: NoSchedule
+ containers:
+ - name: frontend-maintenance-page
+ image: "wickerlabs/maintenance:latest"
+ ports:
+ - containerPort: 8080
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ env:
+ - name: TITLE
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceTitle
+ - name: HEADLINE
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceHeadline
+ - name: MESSAGE
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceMessage
+ - name: CONTACT_LINK
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceContactLink
+ - name: MAIL_ADDRESS
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceMailAddress
+ - name: TEAM_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceTeamName
+ - name: LINK_COLOR
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceLinkColor
+ - name: THEME
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceTheme
+ - name: RESPONSE_CODE
+ valueFrom:
+ configMapKeyRef:
+ name: environment
+ key: maintenanceResponseCode
+---
+apiVersion: 
v1 +kind: Service +metadata: + name: internal-maintenance-page + labels: + role: internal-service +spec: + type: ClusterIP + ports: + - port: 8080 + selector: + app: frontend-maintenance-page diff --git a/overlays/00-sample/kustomization.yaml b/overlays/00-sample/kustomization.yaml index 791d8a3..535c7eb 100644 --- a/overlays/00-sample/kustomization.yaml +++ b/overlays/00-sample/kustomization.yaml @@ -32,6 +32,16 @@ components: - ../../components/cert-manager-lets-encrypt - ../../components/ingress-dns +# Uncomment the line after this comment and re-deploy this overlay to serve up a +# maintenance page for end users, rather than the normal Nextcloud application. +# To reverse this and restore access, comment out the component and re-deploy +# the overlay. +# +# This does not prevent deployment of Nextcloud, but does block access to it by +# end users. No other components have to be commented out for this to work. +# +# - ../../components/maintenance_page + generators: - decrypt-secrets.nextcloud.yaml #### Uncomment this if using the "sftp-server" component: diff --git a/overlays/00-sample/manifests/config-environment.yaml b/overlays/00-sample/manifests/config-environment.yaml index 113a068..8037401 100644 --- a/overlays/00-sample/manifests/config-environment.yaml +++ b/overlays/00-sample/manifests/config-environment.yaml 
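Review bot: The container image is referenced as `wickerlabs/maintenance:latest`, a mutable tag on a third-party image, so what is served to every visitor during downtime can change between deploys without any change in this repository. Pin it to a fixed version and digest, in line with the digest-pinned entry already present in the overlay's `images:` list, e.g. `image: "wickerlabs/maintenance:<version>@sha256:<digest>"` (placeholders). The pod spec also sets no `securityContext`; because this container sits directly behind the public Ingress, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are worth adding after testing them against this image. The toleration comment says "this job" although the resource is a Deployment.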
@@ -29,3 +29,18 @@ data: "mynextcloudstorageaccount": "nextcloud-azure-files-creds" } } + + # Settings when in maintenance mode (toggle this mode on by including the + # maintenance_page component in your overlay). + # + # See this page for a description of the settings: + # https://github.com/wickerlabs/maintenance + maintenanceTitle: "Site Maintenance" + maintenanceHeadline: "We'll be back soon!" + maintenanceMessage: "Sorry for the inconvenience but we're performing some maintenance at the moment. If you need to you can always {{contact}}, otherwise we'll be back online shortly!" + maintenanceContactLink: "contact us" + maintenanceMailAddress: "mail@example.com" + maintenanceTeamName: "The Team" + maintenanceLinkColor: "#dc8100" + maintenanceTheme: "Light" + maintenanceResponseCode: "503" From 77c2ab1a7bd5d21ac18bafa88a97efd26046aa2f Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Tue, 18 Apr 2023 16:48:18 -0400 Subject: [PATCH 11/25] Rigger: Move MySQL Credential Secret into Constant --- bin/rigger | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/rigger b/bin/rigger index 6ad1363..0aace7c 100644 --- a/bin/rigger +++ b/bin/rigger @@ -61,6 +61,7 @@ storage_secrets_generator_bin_path="generate_secrets_azure_files_storage.php" generated_storage_secrets_path="manifests/generated/secrets-azure_files.yaml" mysql_secrets_path="manifests/secrets-mysql.yaml" +mysql_secret_name="nextcloud-mysql-creds" generated_sftp_host_keys_secrets_path="manifests/generated/secrets-sftp-host-keys.yaml" sftp_host_keys_secret_name="sftp-host-keys" @@ -808,7 +809,7 @@ sub_launch_db_shell() { db_credentials=$( sops --decrypt "${mysql_secrets_encrypted_path}" | \ yq eval \ - '. | select(.metadata.name == "nextcloud-mysql-creds") | .stringData' - + ". | select(.metadata.name == \"${mysql_secret_name}\") | .stringData" - ) db_hostname=$(echo "${db_credentials}" | yq eval '.hostname' -) 
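Review bot: In `sub_launch_db_shell` the yq filter is now built by interpolating `${mysql_secret_name}` into a double-quoted expression, so the value is parsed as part of the yq program rather than passed as data; the same pattern is added in the `sub_dump_db` hunk that follows. It is harmless while the name is the constant `nextcloud-mysql-creds`, but a name containing `"` or one that later comes from an overlay setting would change the filter. If the yq in use supports it, keep the expression single-quoted and pass the name through the environment: `mysql_secret_name="${mysql_secret_name}" yq eval '. | select(.metadata.name == strenv(mysql_secret_name)) | .stringData' -`. Both functions start and end outside their hunks.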
@@ -853,7 +854,7 @@ sub_dump_db() { db_credentials=$( sops --decrypt "${mysql_secrets_encrypted_path}" | \ yq eval \ - '. | select(.metadata.name == "nextcloud-mysql-creds") | .stringData' - + ". | select(.metadata.name == \"${mysql_secret_name}\") | .stringData" - ) db_hostname=$(echo "${db_credentials}" | yq eval '.hostname' -) From 6d26e70af42ba5d4990e5e5789ae4886ff575f1f Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Tue, 18 Apr 2023 22:19:50 -0400 Subject: [PATCH 12/25] Enhance `dump-db` Command - Now, the default behavior is to write output to a file that is automatically named with the timestamp at the time export starts. - Adds `--to-stdout` option if output to standard out is desired. - Now exports with `--disable-keys` so that imports of a backup are faster. - Now exports with `--single-transaction` so that exports do not acquire table locks but are more consistent. --- bin/rigger | 58 ++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 48 insertions(+), 10 deletions(-) diff --git a/bin/rigger b/bin/rigger index 0aace7c..bd97734 100644 --- a/bin/rigger +++ b/bin/rigger @@ -126,7 +126,7 @@ sub_help() { echo " launch-shell Launches an sh shell on a Nextcloud pod." echo " launch-db-shell Launches a MySQL interactive shell connected to the Nextcloud database." echo "" - echo " dump-db Dumps the contents of the Nextcloud MySQL database to standard output." + echo " dump-db [options] Dumps the contents of the Nextcloud MySQL database to a file or standard out." echo "" if [[ "${have_addon_commands}" -ne 0 ]]; then 
@@ -844,11 +844,32 @@ sub_dump_db() { local db_username local db_password + local write_to_stdout=0 + + for arg in "$@"; do + case "${arg}" in + '--to-stdout') + write_to_stdout=1 + ;; + *) + echo "Usage: ${program_name} dump-db [--to-stdout]" + echo "" + echo "When '--to-stdout' is specified, the backup is written to standard" + echo "out. Otherwise, a new file is created on disk with the date and time" + echo "that the backup started." + echo "" + + exit 0 + ;; + esac + done + + require_command "mysqldump" + mysql_secrets_encrypted_path=$( get_encrypted_secret_path "${mysql_secrets_path}" ) - require_command "mysql" require_encrypted_secrets_file "${mysql_secrets_encrypted_path}" db_credentials=$( @@ -863,15 +884,32 @@ sub_dump_db() { db_username=$(echo "${db_credentials}" | yq eval '.username' -) db_password=$(echo "${db_credentials}" | yq eval '.password' -) - mysqldump \ - --no-tablespaces \ - --skip-extended-insert \ - --order-by-primary \ - --host="${db_hostname}" \ - --databases "${db_schema}" \ - --port="${db_port}" \ - --user="${db_username}" \ + options=( + --host="${db_hostname}" + --port="${db_port}" + --user="${db_username}" --password="${db_password}" + --no-tablespaces + --skip-extended-insert + --order-by-primary + --disable-keys + --single-transaction + --databases "${db_schema}" + ) + + if [[ "${write_to_stdout}" -eq 1 ]]; then + mysqldump "${options[@]}" + else + require_command "pv" + + dump_filename="$(date +"%Y-%m-%d")-${db_hostname}-${db_schema}.sql" + + echo "Exporting database to '${dump_filename}'." + echo "" + + mysqldump "${options[@]}" | pv >"${dump_filename}" + fi + echo "" } From 67852601bdd465cf93b1cb951579ebbd2215e93a Mon Sep 17 00:00:00 2001 
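Review bot: The `*)` branch of the new option loop prints the usage text and then runs `exit 0`, so an unrecognised or mistyped option makes `dump-db` report success without producing a dump. A scheduled backup or wrapper script that checks the exit status would not notice the missing export. Use a non-zero status and send the usage to stderr, e.g. `exit 1`, keeping status 0 only for an explicit `--help`. `sub_dump_db` begins before this hunk and continues after it.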
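Review bot: `--password="${db_password}"` is kept in the new `options` array, so the decrypted database password is passed on the mysqldump command line, which the MySQL documentation treats as insecure because the argument list can be read by other local users. Drop that element and supply the password out of band, e.g. `MYSQL_PWD="${db_password}" mysqldump "${options[@]}"` or a mode-600 file passed with `--defaults-extra-file`. In the file branch, `${dump_filename}` is created with the caller's umask and a date-only name, so a full database dump may be readable by others and a second run on the same day overwrites the first; `umask 077` before the redirect and `date +"%Y-%m-%d-%H%M%S"` would cover both. Whether `pipefail` is set is not visible in this hunk; without it the exit status of `mysqldump ... | pv` is pv's, and a failed dump looks successful.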
From: Guy Elsmore-Paddock Date: Thu, 20 Apr 2023 18:17:00 -0400 Subject: [PATCH 13/25] Default to Non-Ordered Dump to Increase Export and Import Speed If we're just moving data from one database to another, we don't need/want it to be ordered. --- bin/rigger | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/bin/rigger b/bin/rigger index bd97734..bd64c47 100644 --- a/bin/rigger +++ b/bin/rigger @@ -845,19 +845,27 @@ sub_dump_db() { local db_password local write_to_stdout=0 + local ordered_dump=0 for arg in "$@"; do case "${arg}" in '--to-stdout') write_to_stdout=1 ;; + '--ordered-dump') + ordered_dump=1 + ;; *) - echo "Usage: ${program_name} dump-db [--to-stdout]" + echo "Usage: ${program_name} dump-db [--to-stdout] [--ordered-dump]" echo "" echo "When '--to-stdout' is specified, the backup is written to standard" echo "out. Otherwise, a new file is created on disk with the date and time" echo "that the backup started." echo "" + echo "When '--ordered-dump' is specified, the export is written out in" + echo "descending primary key order, and the export contains one insert" + echo "statement per record rather than using extended inserts." + echo "" exit 0 ;; @@ -890,13 +898,18 @@ sub_dump_db() { --user="${db_username}" --password="${db_password}" --no-tablespaces - --skip-extended-insert - --order-by-primary --disable-keys --single-transaction --databases "${db_schema}" ) + if [[ "${ordered_dump}" -eq 1 ]]; then + options+=( + --skip-extended-insert + --order-by-primary + ) + fi + if [[ "${write_to_stdout}" -eq 1 ]]; then mysqldump "${options[@]}" else From 65ac5d2a45ddbe26f43f2372c463d73362dd8fba Mon Sep 17 00:00:00 2001 
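Review bot: The usage text added for `--ordered-dump` says rows are written in "descending primary key order", but the option only adds `--order-by-primary`, which as far as I know sorts each table by its primary key in ascending order. Suggest `echo "When '--ordered-dump' is specified, rows are dumped sorted by primary key,"` so the help matches what the tool does. The commit also makes the unordered, extended-insert form the default, so anyone who diffs or audits successive dumps now has to pass `--ordered-dump`; a line in the help text saying so would prevent surprises.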
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 02:27:01 +0000 Subject: [PATCH 14/25] Bump express from 4.17.3 to 4.19.2 in /docker/sftp-ws-server/app Bumps [express](https://github.com/expressjs/express) from 4.17.3 to 4.19.2. - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](https://github.com/expressjs/express/compare/4.17.3...4.19.2) --- updated-dependencies: - dependency-name: express dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/package.json | 2 +- docker/sftp-ws-server/app/yarn.lock | 275 +++++++++++++++++-------- 2 files changed, 194 insertions(+), 83 deletions(-) diff --git a/docker/sftp-ws-server/app/package.json b/docker/sftp-ws-server/app/package.json index 0d3da4b..18b27d2 100644 --- a/docker/sftp-ws-server/app/package.json +++ b/docker/sftp-ws-server/app/package.json @@ -5,7 +5,7 @@ "dependencies": { "@inveniem/sftp-ws": "^0.8.1", "bunyan": "^1.8.14", - "express": "^4.17", + "express": "^4.19", "jsonwebtoken": "^9.0.0" }, "author": "Inveniem", diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 88cb891..839592c 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock 
@@ -27,21 +27,23 @@ balanced-match@^1.0.0: resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767" integrity sha1-ibTRmasr7kneFk6gK4nORi1xt2c= -body-parser@1.19.2: - version "1.19.2" - resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.19.2.tgz#4714ccd9c157d44797b8b5607d72c0b89952f26e" - integrity sha512-SAAwOxgoCKMGs9uUAUFHygfLAyaniaoun6I8mFY9pRAJL9+Kec34aU+oIjDhTycub1jozEfEwx1W1IuOYxVSFw== +body-parser@1.20.2: + version "1.20.2" + resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd" + integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA== dependencies: bytes "3.1.2" - content-type "~1.0.4" + content-type "~1.0.5" debug "2.6.9" - depd "~1.1.2" - http-errors "1.8.1" + depd "2.0.0" + destroy "1.2.0" + http-errors "2.0.0" iconv-lite "0.4.24" - on-finished "~2.3.0" - qs "6.9.7" - raw-body "2.4.3" + on-finished "2.4.1" + qs "6.11.0" + raw-body "2.5.2" type-is "~1.6.18" + unpipe "1.0.0" brace-expansion@^1.1.7: version "1.1.11" @@ -71,6 +73,17 @@ bytes@3.1.2: resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.1.2.tgz#8b0beeb98605adf1b128fa4386403c009e0221a5" integrity sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg== +call-bind@^1.0.7: + version "1.0.7" + resolved "https://registry.yarnpkg.com/call-bind/-/call-bind-1.0.7.tgz#06016599c40c56498c18769d2730be242b6fa3b9" + integrity sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w== + dependencies: + es-define-property "^1.0.0" + es-errors "^1.3.0" + function-bind "^1.1.2" + get-intrinsic "^1.2.4" + set-function-length "^1.2.1" + concat-map@0.0.1: version "0.0.1" resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b" 
@@ -83,20 +96,20 @@ content-disposition@0.5.4: dependencies: safe-buffer "5.2.1" -content-type@~1.0.4: - version "1.0.4" - resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b" - integrity sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA== +content-type@~1.0.4, content-type@~1.0.5: + version "1.0.5" + resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.5.tgz#8b773162656d1d1086784c8f23a54ce6d73d7918" + integrity sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA== cookie-signature@1.0.6: version "1.0.6" resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c" integrity sha1-4wOogrNCzD7oylE6eZmXNNqzriw= -cookie@0.4.2: - version "0.4.2" - resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.4.2.tgz#0e41f24de5ecf317947c82fc789e06a884824432" - integrity sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA== +cookie@0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051" + integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw== debug@2.6.9: version "2.6.9" 
@@ -105,15 +118,24 @@ debug@2.6.9: dependencies: ms "2.0.0" -depd@~1.1.2: - version "1.1.2" - resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9" - integrity sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak= +define-data-property@^1.1.4: + version "1.1.4" + resolved "https://registry.yarnpkg.com/define-data-property/-/define-data-property-1.1.4.tgz#894dc141bb7d3060ae4366f6a0107e68fbe48c5e" + integrity sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A== + dependencies: + es-define-property "^1.0.0" + es-errors "^1.3.0" + gopd "^1.0.1" -destroy@~1.0.4: - version "1.0.4" - resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.0.4.tgz#978857442c44749e4206613e37946205826abd80" - integrity sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA= +depd@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/depd/-/depd-2.0.0.tgz#b696163cc757560d09cf22cc8fad1571b79e76df" + integrity sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw== + +destroy@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/destroy/-/destroy-1.2.0.tgz#4803735509ad8be552934c67df614f94e66fa015" + integrity sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg== dtrace-provider@~0.8: version "0.8.8" 
@@ -139,6 +161,18 @@ encodeurl@~1.0.2: resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59" integrity sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k= +es-define-property@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/es-define-property/-/es-define-property-1.0.0.tgz#c7faefbdff8b2696cf5f46921edfb77cc4ba3845" + integrity sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ== + dependencies: + get-intrinsic "^1.2.4" + +es-errors@^1.3.0: + version "1.3.0" + resolved "https://registry.yarnpkg.com/es-errors/-/es-errors-1.3.0.tgz#05f75a25dab98e4fb1dcd5e1472c0546d5057c8f" + integrity sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw== + escape-html@~1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988" 
@@ -149,53 +183,54 @@ etag@~1.8.1: resolved "https://registry.yarnpkg.com/etag/-/etag-1.8.1.tgz#41ae2eeb65efa62268aebfea83ac7d79299b0887" integrity sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc= -express@^4.17: - version "4.17.3" - resolved "https://registry.yarnpkg.com/express/-/express-4.17.3.tgz#f6c7302194a4fb54271b73a1fe7a06478c8f85a1" - integrity sha512-yuSQpz5I+Ch7gFrPCk4/c+dIBKlQUxtgwqzph132bsT6qhuzss6I8cLJQz7B3rFblzd6wtcI0ZbGltH/C4LjUg== +express@^4.19: + version "4.19.2" + resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" + integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== dependencies: accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.19.2" + body-parser "1.20.2" content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.4.2" + cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" - depd "~1.1.2" + depd "2.0.0" encodeurl "~1.0.2" escape-html "~1.0.3" etag "~1.8.1" - finalhandler "~1.1.2" + finalhandler "1.2.0" fresh "0.5.2" + http-errors "2.0.0" merge-descriptors "1.0.1" methods "~1.1.2" - on-finished "~2.3.0" + on-finished "2.4.1" parseurl "~1.3.3" path-to-regexp "0.1.7" proxy-addr "~2.0.7" - qs "6.9.7" + qs "6.11.0" range-parser "~1.2.1" safe-buffer "5.2.1" - send "0.17.2" - serve-static "1.14.2" + send "0.18.0" + serve-static "1.15.0" setprototypeof "1.2.0" - statuses "~1.5.0" + statuses "2.0.1" type-is "~1.6.18" utils-merge "1.0.1" vary "~1.1.2" -finalhandler@~1.1.2: - version "1.1.2" - resolved "https://registry.yarnpkg.com/finalhandler/-/finalhandler-1.1.2.tgz#b7e7d000ffd11938d0fdb053506f6ebabe9f587d" - integrity sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA== +finalhandler@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/finalhandler/-/finalhandler-1.2.0.tgz#7d23fe5731b207b4640e4fcd00aec1f9207a7b32" + integrity 
sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg== dependencies: debug "2.6.9" encodeurl "~1.0.2" escape-html "~1.0.3" - on-finished "~2.3.0" + on-finished "2.4.1" parseurl "~1.3.3" - statuses "~1.5.0" + statuses "2.0.1" unpipe "~1.0.0" forwarded@0.2.0: @@ -208,6 +243,22 @@ fresh@0.5.2: resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.5.2.tgz#3d8cadd90d976569fa835ab1f8e4b23a105605a7" integrity sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac= +function-bind@^1.1.2: + version "1.1.2" + resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.2.tgz#2c02d864d97f3ea6c8830c464cbd11ab6eab7a1c" + integrity sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA== + +get-intrinsic@^1.1.3, get-intrinsic@^1.2.4: + version "1.2.4" + resolved "https://registry.yarnpkg.com/get-intrinsic/-/get-intrinsic-1.2.4.tgz#e385f5a4b5227d449c3eabbad05494ef0abbeadd" + integrity sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ== + dependencies: + es-errors "^1.3.0" + function-bind "^1.1.2" + has-proto "^1.0.1" + has-symbols "^1.0.3" + hasown "^2.0.0" + glob@^6.0.1: version "6.0.4" resolved "https://registry.yarnpkg.com/glob/-/glob-6.0.4.tgz#0f08860f6a155127b2fadd4f9ce24b1aab6e4d22" 
@@ -219,15 +270,46 @@ glob@^6.0.1: once "^1.3.0" path-is-absolute "^1.0.0" -http-errors@1.8.1: - version "1.8.1" - resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-1.8.1.tgz#7c3f28577cbc8a207388455dbd62295ed07bd68c" - integrity sha512-Kpk9Sm7NmI+RHhnj6OIWDI1d6fIoFAtFt9RLaTMRlg/8w49juAStsrBgp0Dp4OdxdVbRIeKhtCUvoi/RuAhO4g== +gopd@^1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/gopd/-/gopd-1.0.1.tgz#29ff76de69dac7489b7c0918a5788e56477c332c" + integrity sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA== + dependencies: + get-intrinsic "^1.1.3" + +has-property-descriptors@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz#963ed7d071dc7bf5f084c5bfbe0d1b6222586854" + integrity sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg== dependencies: - depd "~1.1.2" + es-define-property "^1.0.0" + +has-proto@^1.0.1: + version "1.0.3" + resolved "https://registry.yarnpkg.com/has-proto/-/has-proto-1.0.3.tgz#b31ddfe9b0e6e9914536a6ab286426d0214f77fd" + integrity sha512-SJ1amZAJUiZS+PhsVLf5tGydlaVB8EdFpaSO4gmiUKUOxk8qzn5AIy4ZeJUmh22znIdk/uMAUT2pl3FxzVUH+Q== + +has-symbols@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/has-symbols/-/has-symbols-1.0.3.tgz#bb7b2c4349251dce87b125f7bdf874aa7c8b39f8" + integrity sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A== + +hasown@^2.0.0: + version "2.0.2" + resolved "https://registry.yarnpkg.com/hasown/-/hasown-2.0.2.tgz#003eaf91be7adc372e84ec59dc37252cedb80003" + integrity sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ== + dependencies: + function-bind "^1.1.2" + +http-errors@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/http-errors/-/http-errors-2.0.0.tgz#b7774a1486ef73cf7667ac9ae0858c012c57b9d3" + integrity 
sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ== + dependencies: + depd "2.0.0" inherits "2.0.4" setprototypeof "1.2.0" - statuses ">= 1.5.0 < 2" + statuses "2.0.1" toidentifier "1.0.1" iconv-lite@0.4.24: @@ -401,10 +483,15 @@ negotiator@0.6.3: resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.3.tgz#58e323a72fedc0d6f9cd4d31fe49f51479590ccd" integrity sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg== -on-finished@~2.3.0: - version "2.3.0" - resolved "https://registry.yarnpkg.com/on-finished/-/on-finished-2.3.0.tgz#20f1336481b083cd75337992a16971aa2d906947" - integrity sha1-IPEzZIGwg811M3mSoWlxqi2QaUc= +object-inspect@^1.13.1: + version "1.13.1" + resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.13.1.tgz#b96c6109324ccfef6b12216a956ca4dc2ff94bc2" + integrity sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ== + +on-finished@2.4.1: + version "2.4.1" + resolved "https://registry.yarnpkg.com/on-finished/-/on-finished-2.4.1.tgz#58c8c44116e54845ad57f14ab10b03533184ac3f" + integrity sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg== dependencies: ee-first "1.1.1" 
@@ -443,23 +530,25 @@ proxy-addr@~2.0.7: forwarded "0.2.0" ipaddr.js "1.9.1" -qs@6.9.7: - version "6.9.7" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.9.7.tgz#4610846871485e1e048f44ae3b94033f0e675afe" - integrity sha512-IhMFgUmuNpyRfxA90umL7ByLlgRXu6tIfKPpF5TmcfRLlLCckfP/g3IQmju6jjpu+Hh8rA+2p6A27ZSPOOHdKw== +qs@6.11.0: + version "6.11.0" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a" + integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q== + dependencies: + side-channel "^1.0.4" range-parser@~1.2.1: version "1.2.1" resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.1.tgz#3cf37023d199e1c24d1a55b84800c2f3e6468031" integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg== -raw-body@2.4.3: - version "2.4.3" - resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.4.3.tgz#8f80305d11c2a0a545c2d9d89d7a0286fcead43c" - integrity sha512-UlTNLIcu0uzb4D2f4WltY6cVjLi+/jEN4lgEUj3E04tpMDpUlkBo/eSn6zou9hum2VMNpCCUone0O0WeJim07g== +raw-body@2.5.2: + version "2.5.2" + resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a" + integrity sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA== dependencies: bytes "3.1.2" - http-errors "1.8.1" + http-errors "2.0.0" iconv-lite "0.4.24" unpipe "1.0.0" 
@@ -492,44 +581,66 @@ semver@^7.3.8: dependencies: lru-cache "^6.0.0" -send@0.17.2: - version "0.17.2" - resolved "https://registry.yarnpkg.com/send/-/send-0.17.2.tgz#926622f76601c41808012c8bf1688fe3906f7820" - integrity sha512-UJYB6wFSJE3G00nEivR5rgWp8c2xXvJ3OPWPhmuteU0IKj8nKbG3DrjiOmLwpnHGYWAVwA69zmTm++YG0Hmwww== +send@0.18.0: + version "0.18.0" + resolved "https://registry.yarnpkg.com/send/-/send-0.18.0.tgz#670167cc654b05f5aa4a767f9113bb371bc706be" + integrity sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg== dependencies: debug "2.6.9" - depd "~1.1.2" - destroy "~1.0.4" + depd "2.0.0" + destroy "1.2.0" encodeurl "~1.0.2" escape-html "~1.0.3" etag "~1.8.1" fresh "0.5.2" - http-errors "1.8.1" + http-errors "2.0.0" mime "1.6.0" ms "2.1.3" - on-finished "~2.3.0" + on-finished "2.4.1" range-parser "~1.2.1" - statuses "~1.5.0" + statuses "2.0.1" -serve-static@1.14.2: - version "1.14.2" - resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.14.2.tgz#722d6294b1d62626d41b43a013ece4598d292bfa" - integrity sha512-+TMNA9AFxUEGuC0z2mevogSnn9MXKb4fa7ngeRMJaaGv8vTwnIEkKi+QGvPt33HSnf8pRS+WGM0EbMtCJLKMBQ== +serve-static@1.15.0: + version "1.15.0" + resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.15.0.tgz#faaef08cffe0a1a62f60cad0c4e513cff0ac9540" + integrity sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g== dependencies: encodeurl "~1.0.2" escape-html "~1.0.3" parseurl "~1.3.3" - send "0.17.2" + send "0.18.0" + +set-function-length@^1.2.1: + version "1.2.2" + resolved "https://registry.yarnpkg.com/set-function-length/-/set-function-length-1.2.2.tgz#aac72314198eaed975cf77b2c3b6b880695e5449" + integrity sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg== + dependencies: + define-data-property "^1.1.4" + es-errors "^1.3.0" + function-bind "^1.1.2" + get-intrinsic "^1.2.4" + gopd "^1.0.1" + 
has-property-descriptors "^1.0.2" setprototypeof@1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.2.0.tgz#66c9a24a73f9fc28cbe66b09fed3d33dcaf1b424" integrity sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw== -"statuses@>= 1.5.0 < 2", statuses@~1.5.0: - version "1.5.0" - resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c" - integrity sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow= +side-channel@^1.0.4: + version "1.0.6" + resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.6.tgz#abd25fb7cd24baf45466406b1096b7831c9215f2" + integrity sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA== + dependencies: + call-bind "^1.0.7" + es-errors "^1.3.0" + get-intrinsic "^1.2.4" + object-inspect "^1.13.1" + +statuses@2.0.1: + version "2.0.1" + resolved "https://registry.yarnpkg.com/statuses/-/statuses-2.0.1.tgz#55cb000ccf1d48728bd23c685a063998cf1a1b63" + integrity sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ== toidentifier@1.0.1: version "1.0.1" From d185b6e01aa2150c305422a1fa43c596d50a956d Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 16:55:21 -0400 Subject: [PATCH 15/25] [IT-120] Update ReadMe for Nextcloud 24.x Release --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ac7b0fc..91817af 100644 --- a/README.md +++ b/README.md 
@@ -32,16 +32,17 @@ this kit: | nextcloud-azure-aks | Kubernetes Version Compatibility* | Nextcloud Version | Deployment Mechanism | |---------------------|-----------------------------------|-------------------|-----------------------------| -| 1.x | 1.15-1.21 | 15.x | Shell scripts and templates | -| 2.x | 1.15-1.21 | 16.x | Shell scripts and templates | -| 3.x | 1.15-1.21 | 17.x | Shell scripts and templates | -| 4.x | 1.15-1.21 | 18.x | Shell scripts and templates | -| 5.x | 1.15-1.21 | 19.x | Shell scripts and templates | +| 11.x | Only tested on 1.25+ | 24.x | Kustomize and Rigger CLI | +| 10.x | 1.16-1.22+ | 23.x | Kustomize and Rigger CLI | +| 9.x | 1.16-1.22+ | 22.x | Kustomize and Rigger CLI | +| 8.x | 1.16-1.22+ | 21.x | Kustomize and Rigger CLI | +| 7.x | 1.16-1.22+ | 20.x | Kustomize and Rigger CLI | | 6.x | 1.16-1.22+ | 19.x | Shell scripts and templates | -| 7.x | 1.16-1.22+ | 20.x | Kustomize and Rigger | -| 8.x | 1.16-1.22+ | 21.x | Kustomize and Rigger | -| 9.x | 1.16-1.22+ | 22.x | Kustomize and Rigger | -| 10.x | 1.16-1.22+ | 23.x | Kustomize and Rigger | +| 5.x | 1.15-1.21 | 19.x | Shell scripts and templates | +| 4.x | 1.15-1.21 | 18.x | Shell scripts and templates | +| 3.x | 1.15-1.21 | 17.x | Shell scripts and templates | +| 2.x | 1.15-1.21 | 16.x | Shell scripts and templates | +| 1.x | 1.15-1.21 | 15.x | Shell scripts and templates | ### Switching from "Shell Script" Deployment to "Kustomize" Deployment If you are running version 1.x through 6.x of this kit and are now upgrading to From 0441fdc3f5200e562f76570da7dfcfb09feab240 Mon Sep 17 00:00:00 2001 
From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 21:03:53 -0400 Subject: [PATCH 16/25] [IT-120] Clean Up and Update Entrypoint for Nextcloud 24.x Finally, a sensible file layout with documentation! These changes also include: - (Hopefully) Ensures that the initialization lock gets released if the entry point script crashes. - Adds support for the `APACHE_DISABLE_REWRITE_IP` environment variable. - Adds support for the `APACHE_RUN_USER` and `APACHE_RUN_GROUP` environment variables (though a user who wants to use this would also have to customize the storage mount configuration to ensure that storage mounts with the correct user ID). - Fixes up syncing process so that custom themes are synced the same way as custom apps. - Drops support for Postgres, since this kit is designed and tested only with MySQL and MariaDB. The deployment manifests are hardcoded to only support MySQL environment variables, so supporting other databases in the entry point didn't really make sense. - DRYes-up several places in the code. - Adds inline docs. - Renames several functions for clarity of purpose. --- docker/nextcloud-common/entrypoint.sh | 563 ++++++++++++++++++-------- 1 file changed, 386 insertions(+), 177 deletions(-) diff --git a/docker/nextcloud-common/entrypoint.sh b/docker/nextcloud-common/entrypoint.sh index 5fd1701..524c3f9 100755 --- a/docker/nextcloud-common/entrypoint.sh +++ b/docker/nextcloud-common/entrypoint.sh 
@@ -15,17 +15,82 @@ set -eu -acquire_lock() { +################################################################################ +# High-level Functions +################################################################################ + +## +# Initializes the container for running Nextcloud. +# +# @param $1 +# The type of container ("apache" or "php-fpm") being run. +# +initialize_container() { + container_type="${1}" + + if expr "${container_type}" : "apache" 1>/dev/null \ + || [ "${container_type}" = "php-fpm" ] \ + || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then + installed_version="0.0.0.0" + + if [ -f /var/www/html/config/version.php ]; then + # shellcheck disable=SC2016 + installed_version="$(php -r 'require "/var/www/html/config/version.php"; echo implode(".", $OC_Version);')" + fi + + # shellcheck disable=SC2016 + image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')" + + ensure_compatible_image "${installed_version}" "${image_version}" + acquire_initialization_lock + identify_run_as_user_and_group "${container_type}" + deploy_nextcloud_release + configure_redis + tune_php + + echo "The installed version of Nextcloud is ${installed_version} and" \ + "the running Nextcloud image is version ${image_version}." + + if version_greater "${image_version}" "${installed_version}"; then + if [ "${NEXTCLOUD_CONFIG_READ_ONLY}" = "true" ]; then + echo "Nextcloud cannot be installed or updated because it" \ + "has been deployed with a read-only config." >&2 + exit 1 + fi + + capture_existing_app_list "${installed_version}" + + if [ "${installed_version}" = "0.0.0.0" ]; then + install_nextcloud "${image_version}" + else + upgrade_nextcloud "${installed_version}" "${image_version}" + fi + + capture_installed_version + fi + + configure_web_server "${container_type}" + release_initialization_lock + fi +} + +## +# Acquires a lock by creating a file in the Nextcloud config folder. 
+# +# This employs a different mechanism than the upstream entrypoint script, since +# flock() doesn't work on SMB-mounted volumes across pods. +# +acquire_initialization_lock() { # If another process is syncing the html folder, wait for it to be done, # then escape initialization. # # You need to define the NEXTCLOUD_INIT_LOCK environment variable - lock=/var/www/html/nextcloud-init-sync.lock + initialization_lock_file=/var/www/html/nextcloud-init-sync.lock count=0 limit=10 - if [ -f "${lock}" ] && [ "${NEXTCLOUD_INIT_LOCK:-}" = "true" ]; then - until [ ! -f "${lock}" ] || [ "$count" -gt "${limit}" ]; do + if [ -f "${initialization_lock_file}" ] && [ "${NEXTCLOUD_INIT_LOCK:-}" = "true" ]; then + until [ ! -f "${initialization_lock_file}" ] || [ "$count" -gt "${limit}" ]; do count=$((count+1)) wait=$((count*10)) 
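Review bot: The container type is tested three different ways across this commit, so one of the new Apache features is dead whichever value is passed. `initialize_container` here prefix-matches `apache` with `expr`, `configure_web_server` (next hunk) requires exactly `apache`, and `identify_run_as_user_and_group` (the hunk after that) matches `apache2*`. An argument of `apache` therefore never reaches the `APACHE_RUN_USER`/`APACHE_RUN_GROUP` branch, while `apache2-foreground` would skip the `.htaccess` update and the `APACHE_DISABLE_REWRITE_IP` handling. Using one pattern everywhere, for example `apache*)` in the `case` and `case "${container_type}" in apache*)` in `configure_web_server`, would make them agree. What the image actually passes as `$1` is not visible here, so confirm it against the Dockerfile and manifests.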
@@ -40,16 +105,52 @@ acquire_lock() { echo "The other process is done, assuming complete initialization" else - # Prevent multiple images syncing simultaneously - touch "${lock}" + # Prevent multiple pods from syncing simultaneously. + touch "${initialization_lock_file}" + + # Ensure lock is released if script exits abnormally. + trap release_initialization_lock EXIT + fi +} + +## +# Releases any initialization lock on the Nextcloud configuration folder. +# +release_initialization_lock() { + if [ -n "${initialization_lock_file:-}" ] && + [ -f "${initialization_lock_file}" ]; then + rm "${initialization_lock_file}" fi } -release_lock() { - rm "${lock}" +## +# Applies miscellaneous configuration tuning for the web server being run. +# +# @param $1 +# The type of container ("apache" or "php-fpm") being run. +# +configure_web_server() { + container_type="${1}" + + if [ "${container_type}" = "apache" ]; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi + + chown "${user}:${group}" /var/www/html/.htaccess + + # From https://help.nextcloud.com/t/apache-rewrite-to-remove-index-php/658 + echo "Updating .htaccess for proper rewrites..." + run_as "php /var/www/html/occ maintenance:update:htaccess" + + chown "root:${group}" /var/www/html/.htaccess + fi } -initialize_environment_vars() { +## +# Applies fix-ups to environment variable values before being interpreted. +# +sanitize_environment_vars() { touch_file="/var/www/html/config/.writable" if touch "${touch_file}" 1>/dev/null 2>&1; then 
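Review bot: `release_initialization_lock` deletes the lock file whenever it exists, not only when this process created it. A pod that went through the wait branch of `acquire_initialization_lock` never touches the file, yet `initialize_container` still calls the release at the end and would remove a lock that another pod has taken in the meantime. Recording ownership when the file is created, `touch "${initialization_lock_file}"; initialization_lock_owned=1`, and testing `[ "${initialization_lock_owned:-0}" = 1 ]` in the release keeps each pod to its own lock. The `[ -f ]`-then-`touch` sequence is also not atomic, so two pods starting together can both conclude they hold the lock. `acquire_initialization_lock` begins in the previous hunk and the lines between the two hunks are not shown.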
@@ -61,59 +162,135 @@ initialize_environment_vars() { fi } -initialize_container() { +## +# Identifies what user and group ID the image should run processes as. +# +# This populates the following global variables: +# - uid: The ID of the user under which this script is currently running. +# - user: The name or ID of the user under which Nextcloud should run. Defaults +# to "www-data". +# - gid: The ID of the group security context under which this script is +# currently running. +# - group: The name or ID of the group security context under which Nextcloud +# should run. Defaults to "www-data". +# +# @param $1 +# The type of container ("apache" or "php-fpm") being run. +# +identify_run_as_user_and_group() { container_type="${1}" - if expr "${container_type}" : "apache" 1>/dev/null \ - || [ "${container_type}" = "php-fpm" ] \ - || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then - installed_version="0.0.0.0" + uid="$(id -u)" + gid="$(id -g)" + + if [ "${uid}" = '0' ]; then + case "${container_type}" in + apache2*) + user="${APACHE_RUN_USER:-www-data}" + group="${APACHE_RUN_GROUP:-www-data}" + + # strip off any '#' symbol ('#1000' is valid syntax for Apache) + user="${user#'#'}" + group="${group#'#'}" + ;; + *) # php-fpm + user='www-data' + group='www-data' + ;; + esac + else + user="${uid}" + group="${gid}" + fi +} - if [ -f /var/www/html/config/version.php ]; then - # shellcheck disable=SC2016 - installed_version="$(php -r 'require "/var/www/html/config/version.php"; echo implode(".", $OC_Version);')" - fi +## +# Runs the given command under the appropriate user for Nextcloud. +# +# This depends on identify_run_as_user_and_group() having run first. +# +# @param $1 +# The command to invoke under the Nextcloud user. +# +run_as() { + if [ "${uid}" = 0 ]; then + # We are root, so we can "su" into the appropriate account. + su -p "${user}" -s /bin/sh -c "${1}" || exit 1 + else + # We're stuck running as the user who launched us. 
+ sh -c "${1}" || exit 1 + fi +} - # shellcheck disable=SC2016 - image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')" +## +# Syncs the Nextcloud release, apps, and themes from image into the web root. +# +# If the configuration directory is writable, this will also update all +# configuration snippets other than the config.php itself. +# +deploy_nextcloud_release() { + echo "Deploying Nextcloud ${image_version}..." - ensure_compatible_image "${installed_version}" "${image_version}" - acquire_lock - deploy_nextcloud_release - setup_redis - tune_php + if [ "${uid}" = 0 ]; then + rsync_options="-rlDog --chown root:${group}" + else + rsync_options="-rlD" + fi - if version_greater "$image_version" "$installed_version"; then - capture_existing_app_list "$installed_version" - populate_instance_dirs + rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ - if [ "$installed_version" = "0.0.0.0" ]; then - install_nextcloud "${image_version}" + # Ensure that config, data, custom apps, and themes exist. + # + for dir in config data custom_apps themes; do + dir_path="/var/www/html/${dir}" + + # We explicitly force updates to custom apps and themes from this Docker + # image. + if [ ! -d "${dir_path}" ] || directory_empty "${dir_path}" || + [ "${dir_path}" = "custom_apps" ] || [ "${dir_path}" = "themes" ]; then + mkdir -p "${dir_path}" + chmod 0750 "${dir_path}" + chown "root:${group}" "${dir_path}" + + # Avoid accidentally bashing data in the data folder. 
+ if [ "${dir}" = "data" ]; then + rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ else - upgrade_nextcloud "${installed_version}" "${image_version}" + rsync $rsync_options --delete --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ fi - - capture_instance_state fi + done - update_htaccess - release_lock - fi -} - -ensure_compatible_image() { - installed_version="${1}" - image_version="${2}" + # Copy version.php last, per https://github.com/nextcloud/docker/pull/660 + # + # NOTE: We have to do this separately since recent images added version.php + # to the "upgrade.exclude" list. However, we aren't affected by the upstream + # issue that this workaround was intended for because NC code is not + # persisted from container to container -- we keep it in an ephemeral, + # emptyDir volume within each pod, so we always sync version.php at startup. + # + rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/ - if version_greater "$installed_version" "$image_version"; then - echo "This image of Nextcloud cannot be used because the data was last used with version ($installed_version)," >&2 - echo "which is higher than the docker image version ($image_version) and downgrading is not supported." >&2 - echo "Are you sure you have pulled the newest image version?" >&2 - exit 1 + if [ "${NEXTCLOUD_CONFIG_READ_ONLY:-false}" = "false" ]; then + echo "'config' directory is writable." + echo "Sync-ing configuration snippets:" + cp -v /usr/src/nextcloud/config/*.config.php /var/www/html/config/ + cp -v /usr/src/nextcloud/config/*.pem /var/www/html/config/ + echo "" + else + echo "'config' directory is not writable." + echo "Configuration snippets will not be synced." + echo "" fi + + echo "Deployment finished." + echo "" } -setup_redis() { +## +# Configures connectivity for Redis session storage, if enabled. +# +configure_redis() { if [ "${REDIS_HOST:-}" = "" ]; then return fi 
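Review bot: The forced re-sync of `custom_apps` and `themes` in `deploy_nextcloud_release` can never trigger, because the test compares `dir_path` (always `/var/www/html/...`) with the bare directory names. Assuming `/upgrade.exclude` lists those directories, they are now refreshed from the image only when missing or empty, so an existing deployment keeps whatever app code is already on the volume even after the image is rebuilt with newer apps. The old script synced `custom_apps` with `--delete` on every start. The comparison should use the loop variable: `[ "${dir}" = "custom_apps" ] || [ "${dir}" = "themes" ]`.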
@@ -148,6 +325,12 @@ setup_redis() { } > /usr/local/etc/php/conf.d/redis-sessions.ini } +## +# Tweaks performance-related settings for PHP and the PHP opcache. +# +# This disables timestamp checking on the opcache, since we do not except the +# code for Nextcloud to ever change at run time. +# tune_php() { echo "Tuning PHP performance." { 
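Review bot: The new docblock for `tune_php` reads "we do not except the code for Nextcloud to ever change at run time"; the word should be `expect`. As this comment is the only record of why opcache timestamp checking is disabled, it could also say that code replaced in place is not picked up until PHP is restarted.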
@@ -164,50 +347,12 @@ tune_php() { } > /usr/local/etc/php/conf.d/perf-tuning.ini } -deploy_nextcloud_release() { - echo "Deploying Nextcloud ${image_version}..." - - if [ "$(id -u)" = 0 ]; then - rsync_options="-rlDog --chown root:www-data" - else - rsync_options="-rlD" - fi - - rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ - - # Copy version.php last, per https://github.com/nextcloud/docker/pull/660 - # - # NOTE: We have to do this separately since recent images added version.php - # to the "upgrade.exclude" list. However, we aren't affected by the upstream - # issue that this workaround was intended for because NC code is not - # persisted from container to container -- we keep it in an ephemeral, - # emptyDir volume within each pod, so we always sync version.php at startup. - # - rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/ - - # Explicitly sync 'custom_apps' in this Docker image - rsync $rsync_options --delete /usr/src/nextcloud/custom_apps/ /var/www/html/custom_apps/ - - if [ "${NEXTCLOUD_CONFIG_READ_ONLY:-false}" = "false" ]; then - echo "'config' directory is writable." - echo "Sync-ing configuration snippets:" - cp -v /usr/src/nextcloud/config/*.config.php /var/www/html/config/ - cp -v /usr/src/nextcloud/config/*.pem /var/www/html/config/ - echo "" - else - echo "'config' directory is not writable." - echo "Configuration snippets will not be synced." - echo "" - fi - - mkdir -p /var/www/html/themes/ - chmod 0750 /var/www/html/themes/ - chown root:www-data /var/www/html/themes/ - - echo "Deployment finished." - echo "" -} - +## +# Captures the list of all apps that are enabled. +# +# This is run before an upgrade so that an admin can be notified if an upgrade +# has disabled any apps. +# capture_existing_app_list() { installed_version="${1}" 
@@ -216,52 +361,35 @@ capture_existing_app_list() { fi } -populate_instance_dirs() { - for dir in config data themes; do - if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ - fi - done -} - -capture_instance_state() { - # Capture the only file needed from a distribution to properly spin up a - # new instance and/or upgrade an existing one - cp /usr/src/nextcloud/version.php /var/www/html/config/version.php -} - +## +# Installs Nextcloud for the first time on this environment. +# +# @param $1 +# The version of Nextcloud being installed (the version of this image). +# install_nextcloud() { image_version="${1}" echo "This is a new installation of Nextcloud." echo "" - # NOTE: This populates `install_type` and `install_options` + # NOTE: This populates `database_type` and `install_options` if capture_install_options; then echo "Installing Nextcloud using settings provided by container environment..." echo "" - echo "Database type: ${install_type}" + echo "Database type: ${database_type}" echo "" - max_retries=10 - try=0 - set +e - until run_installer "${install_options}" || [ "$try" -gt "$max_retries" ]; do - echo "Retrying installation..." - try=$((try+1)) - sleep 3s - done - - set -e - - if [ "$try" -gt "$max_retries" ]; then - echo "Installation of nextcloud has failed!" + if ! run_installer "${install_options}"; then + echo "Installation of Nextcloud has failed!" exit 1 fi + set -e + configure_trusted_domains echo "Installation finished." 
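Review bot: The failure branch in `install_nextcloud` is unreachable as the commit stands, because `run_installer` goes through `run_as`, which now ends in `|| exit 1` and terminates the script before `if ! run_installer ...` can print anything. The retry loop is also removed without mention in the commit message, so a database that is not yet accepting connections on first start fails the container immediately. If that is intended, drop the dead `echo "Installation of Nextcloud has failed!"` branch; otherwise have `run_as` hand back the status (`su -p "${user}" -s /bin/sh -c "${1}"` without the `|| exit 1`) so callers can decide.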
@@ -272,11 +400,41 @@ install_nextcloud() { echo "" } + +## +# Checks to ensure that the given installed version is compatible with an image. +# +# @param $1 +# The version of Nextcloud that is installed. +# @param $2 +# The version of Nextcloud that is in the loaded Docker image. +# +ensure_compatible_image() { + installed_version="${1}" + image_version="${2}" + + if version_greater "${installed_version}" "${image_version}"; then + { + echo "This image of Nextcloud cannot be used because the data was last used with version (${installed_version})," + echo "which is higher than the docker image version (${image_version}) and downgrading is not supported." + echo "Are you sure you have pulled the newest image version?" + } >&2 + fi +} + +## +# Upgrades an existing installation of Nextcloud to the version in this image. +# +# @param $1 +# The version of Nextcloud that is installed. +# @param $2 +# The version of Nextcloud that is in the loaded Docker image. +# upgrade_nextcloud() { installed_version="${1}" image_version="${2}" - echo "Nextcloud will be upgraded from $installed_version to $image_version." + echo "Nextcloud will be upgraded from ${installed_version} to ${image_version}." echo "" echo "Running upgrade..." @@ -292,8 +450,16 @@ upgrade_nextcloud() { rm -f /tmp/list_before /tmp/list_after } +## +# Captures what options should be passed to the Nextcloud installer. +# +# This populates the following global variables: +# - install_options: The command-line arguments to pass to the installer. +# - database_type: The type of database on which Nextcloud is being installed. +# (Currently, only MySQL/MariaDB are supported by this image). +# capture_install_options() { - if [ ! -n "${NEXTCLOUD_ADMIN_USER+x}" ] || [ ! -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then + if [ -z "${NEXTCLOUD_ADMIN_USER+x}" ] || [ -z "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then return 1 fi 
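Review bot: `ensure_compatible_image` no longer stops the container when the installed version is newer than the image: the rewritten function prints the three warning lines to stderr, but the `exit 1` that followed them in the old version is gone. `initialize_container` then carries on and deploys the older release over data last used by a newer one, which is exactly what the message says is unsupported. Add `exit 1` after the `} >&2` group, inside the `if`.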
@@ -308,52 +474,45 @@ capture_install_options() { file_env MYSQL_DATABASE file_env MYSQL_PASSWORD file_env MYSQL_USER - file_env POSTGRES_DB - file_env POSTGRES_PASSWORD - file_env POSTGRES_USER - install_type="None" + database_type="None" - if [ -n "${SQLITE_DATABASE+x}" ]; then - # shellcheck disable=SC2016 - install_options=$install_options' --database-name "$SQLITE_DATABASE"' - install_type="SQLite" - elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then + if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && \ + [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then if [ -n "${MYSQL_PORT+x}" ]; then - # Nextcloud bakes the port into the host for some reason. - MYSQL_HOST="${MYSQL_HOST}:${MYSQL_PORT}" + # Nextcloud bakes the port into the host for some reason. + MYSQL_HOST="${MYSQL_HOST}:${MYSQL_PORT}" fi # shellcheck disable=SC2016 install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"' - install_type="MySQL" - elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then - if [ -n "${POSTGRES_PORT+x}" ]; then - # Nextcloud bakes the port into the host for some reason. - POSTGRES_HOST="${POSTGRES_HOST}:${POSTGRES_PORT}" - fi - - # shellcheck disable=SC2016 - install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"' - install_type="PostgreSQL" + database_type="MySQL" fi - if [ "${install_type}" = "None" ]; then + if [ "${database_type}" = "None" ]; then return 1 else return 0 fi } +## +# Runs the Nextcloud installer with the given options. +# +# @param $1 +# The space-separated command-line arguments to pass to the installer. 
+# run_installer() { install_options="${1}" - run_as "php /var/www/html/occ maintenance:install ${install_options}" \ - && configure_trusted_domains + run_as "php /var/www/html/occ maintenance:install ${install_options}" return $? } +## +# Configures the domains that this installation of Nextcloud trusts traffic for. +# configure_trusted_domains() { if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then echo "Configuring trusted domains..." 
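Review bot: The docblock on `run_installer` describes `$1` as "space-separated command-line arguments", but `install_options` is a shell fragment: it carries unexpanded references such as `"$MYSQL_PASSWORD"` that are only expanded by the `sh -c` inside `run_as`. The comment should say so, e.g. `# NOTE: evaluated by a shell; keep each value as a quoted "$VAR" reference, never an expanded literal`, so a later edit does not interpolate a password or host name into the string. The SQLite branch is removed in this hunk as well, while the commit message mentions only Postgres.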
@@ -364,45 +523,83 @@ configure_trusted_domains() { run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN" - NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1)) + NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1)) done fi } -update_htaccess() { - chown www-data /var/www/html/.htaccess - - # From https://help.nextcloud.com/t/apache-rewrite-to-remove-index-php/658 - echo "Updating .htaccess for proper rewrites..." - run_as "php /var/www/html/occ maintenance:update:htaccess" - - chown root /var/www/html/.htaccess +## +# Records the installed Docker image version number into the config volume. +# +# This is used to perform sanity checks at startup to confirm that the running +# image is either the same version as what's installed, or a version to which +# the installed version can be upgraded (no downgrades, and no skipping major +# versions). +# +capture_installed_version() { + # Capture the only file needed from a distribution to properly spin up a + # new instance and/or upgrade an existing one + cp /usr/src/nextcloud/version.php /var/www/html/config/version.php } +## +# Starts capturing output from the Nextcloud application and audit logs. +# +# The output is written to the standard output of the container so that it can +# be picked up by Azure Log Analytics or similar container log capture. 
+# start_log_capture() { app_log="/var/log/nextcloud.log" audit_log="/var/log/nextcloud-audit.log" # Application log touch "${app_log}" - chown www-data:root "${app_log}" + chown "${user}:${group}" "${app_log}" tail -F "${app_log}" & # Audit log touch "${audit_log}" - chown www-data:root "${audit_log}" + chown "${user}:${group}" "${audit_log}" run_as "php /var/www/html/occ config:app:set admin_audit logfile '--value=${audit_log}'" tail -F "${audit_log}" & } -# version_greater A B returns whether A > B +################################################################################ +# Utility Functions +################################################################################ +## +# Compares two version numbers and returns if first is greater than second. +# +# @param $1 +# The first version number. +# @param $2 +# The second version number. +# +# @return +# - 0 (success) if the first version is greater than the second. +# - 1 (failure) if the first version is less than or equal to the second. +# version_greater() { [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ] } -# return true if specified directory is empty +## +# Determine if the given directory is empty. +# +# This differs from Nextcloud's stock implementation because we have to ignore +# specific dotfiles and special system folders (like lost+found). +# +# @param $1 +# The directory to check. +# +# @return +# - 0 (success) if the specified path is empty or contains only files we can +# safely ignore. +# - 1 (failure) if the specified path is not empty or contains more than just +# files we can safely ignore. +# directory_empty() { dir_contents=$(\ find "${1}/" \ @@ -412,6 +609,7 @@ directory_empty() { -o \( \ -type d \ -a -not -name lost\+found \ + -a -not -name .snapshot \ -a -not -name . \ \) \ ) 
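Review bot: `start_log_capture` now reads `user`, `group` and (through `run_as`) `uid`, which are only set by `identify_run_as_user_and_group` inside the `if` of `initialize_container`. With the default `container_type` of `none` and `NEXTCLOUD_UPDATE` unset, that branch is skipped and, under `set -eu`, the first `chown "${user}:${group}"` aborts the entrypoint with an unbound-variable error; the old code used the literal `www-data:root`. Calling `identify_run_as_user_and_group "${container_type}"` from the main script before `initialize_container` removes the dependency. Separately, `configure_trusted_domains` still splices `$DOMAIN` unquoted into the string handed to `sh -c`; writing `--value='${DOMAIN}'` keeps spaces and glob characters in `NEXTCLOUD_TRUSTED_DOMAINS` from being reinterpreted by the child shell.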
@@ -419,24 +617,33 @@ directory_empty() { [ -z "${dir_contents}" ] } +## +# Uses PHP to URI-encodes special characters in the given string. +# +# The function echoes the result on its standard out. +# +# @param $1 +# The string to URL-encode. +# uri_encode() { - php -r "echo urlencode('${1}');" -} - -run_as() { - if [ "$(id -u)" = 0 ]; then - su -p www-data -s /bin/sh -c "$1" - return $? - else - sh -c "$1" - return $? - fi + php -r "echo urlencode('${1}');" } -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +## +# Load the value of an environment variable from environment or an env file. +# +# For example: file_env 'XYZ_DB_PASSWORD' 'example' +# +# This would allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially when being used with Docker's +# secrets volume feature. +# +# @param $1 +# The name of the variable to load. +# @param $2 [optional] +# An optional default value for the variable, if it has not been provided by +# the environment. +# file_env() { var="$1" fileVar="${var}_FILE" @@ -445,7 +652,7 @@ file_env() { fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + echo >&2 "error: both ${var} and ${fileVar} are set (but are exclusive)" exit 1 fi @@ -460,10 +667,12 @@ file_env() { unset "$fileVar" } - +################################################################################ +# Main script +################################################################################ container_type="${1:-none}" -initialize_environment_vars +sanitize_environment_vars initialize_container "${container_type}" start_log_capture From aa2622b03e16bc98e7667a5ab4432507f9979454 Mon Sep 17 00:00:00 2001 
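Review bot: `uri_encode` builds PHP source text from its argument, so a value containing a single quote or a trailing backslash ends the string literal and the rest is parsed as PHP code. The callers are outside this hunk, but a helper like this is typically given passwords, which routinely contain such characters. Passing the value as an argument keeps it as data: `php -r 'echo urlencode($argv[1]);' -- "${1}"`.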
From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 21:06:15 -0400 Subject: [PATCH 17/25] [IT-120] Apply Latest Upstream Changes for `nginx.conf` These changes should work all the way up to Nextcloud v28, since that's the current version and that version is shipping with this config. There do not appear to be any version-specific config snippets in here. The changes appear to enhance the cacheability and handling of static assets, including JavaScript. --- docker/middle-nextcloud-nginx/nginx.conf | 79 +++++++++++++++++------- 1 file changed, 58 insertions(+), 21 deletions(-) diff --git a/docker/middle-nextcloud-nginx/nginx.conf b/docker/middle-nextcloud-nginx/nginx.conf index a039626..1b74403 100644 --- a/docker/middle-nextcloud-nginx/nginx.conf +++ b/docker/middle-nextcloud-nginx/nginx.conf @@ -15,7 +15,7 @@ events { } http { - include /etc/nginx/mime.types; + include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -30,9 +30,9 @@ http { # Prevent nginx HTTP Server Detection server_tokens off; - ## Customizations for the Inveniem AKS Image ## keepalive_timeout 65; + ## Customizations for the Inveniem AKS Image ## proxy_connect_timeout 60; proxy_send_timeout 1800; proxy_read_timeout 1800; @@ -74,6 +74,12 @@ http { } ## End of Customizations for Inveniem AKS Image ## + # Set the `immutable` cache control options only for assets with a cache busting `v` argument + map $arg_v $asset_immutable { + "" ""; + default "immutable"; + } + upstream php-handler { # With Kubernetes, `backend-nextcloud-fpm` is a container in the same # pod, so it's available on `localhost` 
@@ -91,34 +97,39 @@ http { # could take several months. #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - fastcgi_buffers 64 4K; - ## Customizations for the Inveniem AKS Image ## # Set max, single-POST upload size. This only affects WebDAV uploads; it # does not affect multi-part uploads. client_max_body_size 10g; ## End of Customizations for Inveniem AKS Image ## + client_body_timeout 300s; + fastcgi_buffers 64 4K; + + # The settings allows you to optimize the HTTP2 bandwidth. + # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # for tuning hints + client_body_buffer_size 512k; + # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Pagespeed is not supported by Nextcloud, so if your server is built # with the `ngx_pagespeed` module, uncomment this line to disable it. 
#pagespeed off; # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; @@ -156,7 +167,8 @@ http { # `location ~ /(\.|autotest|...)` which would otherwise handle requests # for `/.well-known`. location ^~ /.well-known { - # The following 6 rules are borrowed from `.htaccess` + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. ## Customizations for the Inveniem AKS Image ## location = /.well-known/carddav { @@ -167,13 +179,18 @@ http { return 301 $frontend_scheme://$host/remote.php/dav/; } - # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { - return 301 $frontend_scheme://$host/index.php$uri; + location /.well-known/acme-challenge { + try_files $uri $uri/ =404; } - ## End of Customizations for Inveniem AKS Image ## - try_files $uri $uri/ =404; + location /.well-known/pki-validation { + try_files $uri $uri/ =404; + } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 $frontend_scheme://$host/index.php$request_uri; + ## End of Customizations for Inveniem AKS Image ## } # Rules borrowed from `.htaccess` to hide certain paths from clients 
@@ -191,7 +208,7 @@ http { # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -209,12 +226,32 @@ http { fastcgi_intercept_errors on; fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; + } + + # Javascript mimetype fixes for nginx + # Note: The block below should be removed, and the js|mjs section should be + # added to the block below this one. This is a temporary fix until Nginx + # upstream fixes the js mime-type + location ~* \.(?:js|mjs)$ { + types { + text/javascript js mjs; + } + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + access_log off; } - location ~ \.(?:css|js|svg|gif|map)$ { + # Serve static files + location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; access_log off; # Optional: Don't log access to assets + + location ~ \.wasm$ { + default_type application/wasm; + } } location ~ \.woff2?$ { From b9d04a9d0afab9d7831764df239032e48ed463b9 Mon Sep 17 00:00:00 2001 
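Review bot: The new `add_header Cache-Control ...` lines in the `\.(?:js|mjs)$` and static-file locations stop nginx from inheriting `add_header` directives from an outer level, because inheritance applies only when the current level defines none of its own. If the Referrer-Policy, X-Content-Type-Options, X-Frame-Options and related headers from the earlier hunk are declared at the server level, as their placement suggests, JavaScript and other static responses will now be served without them. The replaced `expires 6M;` did not have this side effect. Either repeat the security headers inside both locations, or move them into a shared snippet and `include` it in every block that adds its own header.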
From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 21:48:03 -0400 Subject: [PATCH 18/25] [IT-120] Supply New Relic Subscription and Application Name at Run Time I'm not sure why I baked these values in at build time; it should be possible to set them at run time instead. This makes it much easier to have separate NR monitoring configurations for dev, test, and live environments without running separate images. --- .../manifests/app-nextcloud.apache.yaml | 10 ++++++ .../manifests/app-nextcloud.nginx-fpm.yaml | 10 ++++++ docker/nextcloud-common/entrypoint.sh | 23 ++++++++++++ .../generate_nr_setup_command.sh | 35 +++++-------------- .../manifests/config-environment.yaml | 12 ++++++- overlays/00-sample/publish.profile | 25 +++++-------- 6 files changed, 71 insertions(+), 44 deletions(-) diff --git a/components/http-apache/manifests/app-nextcloud.apache.yaml b/components/http-apache/manifests/app-nextcloud.apache.yaml index 79e738c..fe4e14c 100644 --- a/components/http-apache/manifests/app-nextcloud.apache.yaml +++ b/components/http-apache/manifests/app-nextcloud.apache.yaml @@ -132,6 +132,16 @@ spec: secretKeyRef: name: "nextcloud-redis-creds" key: password + - name: NEW_RELIC_KEY + valueFrom: + configMapKeyRef: + name: environment + key: newRelicSubscriptionKey + - name: NEW_RELIC_APP + valueFrom: + configMapKeyRef: + name: environment + key: newRelicApplicationName startupProbe: # After pod creation, allow Nextcloud to take up to 10 minutes # (5 seconds x 120 attempts) before concluding the container diff --git a/components/http-nginx-fpm/manifests/app-nextcloud.nginx-fpm.yaml b/components/http-nginx-fpm/manifests/app-nextcloud.nginx-fpm.yaml index f740ac2..b069583 100644 --- a/components/http-nginx-fpm/manifests/app-nextcloud.nginx-fpm.yaml +++ b/components/http-nginx-fpm/manifests/app-nextcloud.nginx-fpm.yaml 
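Review bot: `NEW_RELIC_KEY` is read with `configMapKeyRef` from the `environment` ConfigMap, while the Redis password directly above it comes from a `secretKeyRef`. A New Relic subscription key is a credential, and ConfigMap contents are readable by anyone with ConfigMap read access in the namespace and are usually kept in plain text alongside the overlay. Consider sourcing it from a Secret instead, using `secretKeyRef:` with `name: "<new-relic-secret-name>"` and `key: <key-name>` (placeholders), plus `optional: true` if monitoring is not always enabled. `NEW_RELIC_APP` can stay in the ConfigMap. The same applies to the matching hunk in `app-nextcloud.nginx-fpm.yaml`.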
@@ -131,6 +131,16 @@ spec: secretKeyRef: name: "nextcloud-redis-creds" key: password + - name: NEW_RELIC_KEY + valueFrom: + configMapKeyRef: + name: environment + key: newRelicSubscriptionKey + - name: NEW_RELIC_APP + valueFrom: + configMapKeyRef: + name: environment + key: newRelicApplicationName # Container: Nginx Server Middleware - name: middle-nextcloud-nginx diff --git a/docker/nextcloud-common/entrypoint.sh b/docker/nextcloud-common/entrypoint.sh index 524c3f9..9a454ad 100755 --- a/docker/nextcloud-common/entrypoint.sh +++ b/docker/nextcloud-common/entrypoint.sh @@ -44,6 +44,7 @@ initialize_container() { ensure_compatible_image "${installed_version}" "${image_version}" acquire_initialization_lock identify_run_as_user_and_group "${container_type}" + configure_new_relic deploy_nextcloud_release configure_redis tune_php @@ -123,6 +124,28 @@ release_initialization_lock() { fi } +## +# Configures New Relic, if installed and configured by the environment. +# +configure_new_relic() { + if [ -n "${NEW_RELIC_KEY}" ]; then + NEW_RELIC_APP="${NEW_RELIC_APP:-Nextcloud}" + new_relic_config_file="/usr/local/etc/php/conf.d/newrelic.ini" + + if [ ! -f "${new_relic_config_file}" ]; then + { + echo "A New Relic subscription key was provided but New Relic" + echo "was not included in this image at publishing time." + } >&2 + exit 1 + fi + + sed -i -e "s/\"REPLACE_WITH_REAL_KEY\"/\"${NEW_RELIC_KEY}\"/" \ + -e "s/newrelic.appname = \"PHP Application\"/newrelic.appname = \"${NEW_RELIC_APP}\"/" \ + "${new_relic_config_file}" + fi +} + ## # Applies miscellaneous configuration tuning for the web server being run. # diff --git a/docker/nextcloud-common/generate_nr_setup_command.sh b/docker/nextcloud-common/generate_nr_setup_command.sh index 4d09bd0..5e775f5 100755 --- a/docker/nextcloud-common/generate_nr_setup_command.sh +++ b/docker/nextcloud-common/generate_nr_setup_command.sh 
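Review bot: In `configure_new_relic`, `${NEW_RELIC_KEY}` and `${NEW_RELIC_APP}` are interpolated unescaped into the replacement side of the `sed` expressions. A `/`, `&` or `\` in the application name (for example `Nextcloud/Dev`, a constructed sample) makes sed fail or write a different value, and a `"` would end the quoted ini value early. Escape both values first, e.g. `nr_app=$(printf '%s' "${NEW_RELIC_APP}" | sed -e 's/[\/&]/\\&/g')`, and use the escaped copies in the `-e` scripts. The key is also passed in the `sed` argument list, so it is visible in the container's process table while the command runs.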
@@ -1,21 +1,18 @@ #!/usr/bin/env bash ## -# Generates the commands necessary to download and configure New Relic -# monitoring. +# Generates the commands necessary to download and install New Relic monitoring. # # This is optional. This script only downloads and configures New Relic if the -# following environment variables are set: +# NEW_RELIC_AGENT_URL environment variable is set. # -# - NEW_RELIC_AGENT_URL -# - NEW_RELIC_KEY -# - NEW_RELIC_APP -# -# These variables are typically set via publish.profile in an overlay, and then this -# script is invoked automatically by `./rigger publish` within the overlay. +# This variable is typically set via publish.profile in an overlay, and then +# this script is invoked automatically by `./rigger publish` within the overlay. +# The New Relic application name and license key are provided via environment +# variables modified in `kustomization.yaml` of the overlay. # # @author Guy Elsmore-Paddock (guy@inveniem.com) -# @copyright Copyright (c) 2019-2022, Inveniem +# @copyright Copyright (c) 2019-2024, Inveniem # @license GNU AGPL version 3 or any later version # set -e @@ -31,16 +28,6 @@ script_path="${BASH_SOURCE[0]}" script_name=$(basename "${script_path}") script_dir="$( cd "$( dirname "${script_path}" )" >/dev/null 2>&1 && pwd )" -################################################################################ -# Overridable Environment Variables -################################################################################ -# All of the variables below can be specified on the command line to override -# them at run-time. - -NEW_RELIC_AGENT_URL="${NEW_RELIC_AGENT_URL}" -NEW_RELIC_KEY="${NEW_RELIC_KEY}" -NEW_RELIC_APP="${NEW_RELIC_APP:-Nextcloud}" - ################################################################################ # Main Script Body ################################################################################ 
@@ -63,9 +50,7 @@ set -u END - if [[ "${NEW_RELIC_AGENT_URL:-}" != "" && \ - "${NEW_RELIC_KEY:-}" != "" && \ - "${NEW_RELIC_APP:-}" != "" ]]; then + if [[ -n "${NEW_RELIC_AGENT_URL:-}" ]]; then cat < Date: Wed, 27 Mar 2024 21:48:45 -0400 Subject: [PATCH 19/25] [IT-120] Update New Relic Agent Download URL --- overlays/00-sample/publish.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile index c5dab10..932c5e1 100644 --- a/overlays/00-sample/publish.profile +++ b/overlays/00-sample/publish.profile @@ -70,7 +70,7 @@ NEXTCLOUD_CUSTOM_APPS=( # subscription key in the "config-environment.yaml" file, or Nextcloud will fail # to start. # -NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.8.0.323-linux.tar.gz" +NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.19.0.9-linux.tar.gz" ################################################################################ # Deployment Macros From 77d74726b9530704d8253c8ff4c93d52117492af Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 22:02:28 -0400 Subject: [PATCH 20/25] [IT-120] Update Base Image and Custom Apps for Nextcloud 24.x --- docker/backend-nextcloud-apache/Dockerfile | 4 +- docker/backend-nextcloud-fpm/Dockerfile | 4 +- .../sabre-http-avoid-mmap.patch | 51 ------------------- docker/nextcloud-cron/Dockerfile | 4 +- overlays/00-sample/publish.profile | 19 ++++--- 5 files changed, 15 insertions(+), 67 deletions(-) delete mode 100644 docker/nextcloud-common/bundled-patches/sabre-http-avoid-mmap.patch diff --git a/docker/backend-nextcloud-apache/Dockerfile b/docker/backend-nextcloud-apache/Dockerfile index 820e643..05fb651 100644 --- a/docker/backend-nextcloud-apache/Dockerfile +++ b/docker/backend-nextcloud-apache/Dockerfile 
@@ -5,10 +5,10 @@ # NOTE: All COPY paths are relative to the parent folder (../docker). # # @author Guy Elsmore-Paddock (guy@inveniem.com) -# @copyright Copyright (c) 2019, Inveniem +# @copyright Copyright (c) 2019-2024, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.10-apache +FROM nextcloud:24.0.12-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "false" ENV NEXTCLOUD_INIT_LOCK "true" diff --git a/docker/backend-nextcloud-fpm/Dockerfile b/docker/backend-nextcloud-fpm/Dockerfile index 9e19403..e3c62e9 100644 --- a/docker/backend-nextcloud-fpm/Dockerfile +++ b/docker/backend-nextcloud-fpm/Dockerfile @@ -7,7 +7,7 @@ # This is a multi-stage build. # # @author Guy Elsmore-Paddock (guy@inveniem.com) -# @copyright Copyright (c) 2019-2022, Inveniem +# @copyright Copyright (c) 2019-2024, Inveniem # @license GNU AGPL version 3 or any later version # @@ -59,7 +59,7 @@ RUN set -eux;\ ################################################################################ # This is the container that actually gets pushed. # -FROM nextcloud:23.0.10-fpm-alpine +FROM nextcloud:24.0.12-fpm-alpine ENV NEXTCLOUD_CONFIG_READ_ONLY "false" ENV NEXTCLOUD_INIT_LOCK "true" diff --git a/docker/nextcloud-common/bundled-patches/sabre-http-avoid-mmap.patch b/docker/nextcloud-common/bundled-patches/sabre-http-avoid-mmap.patch deleted file mode 100644 index bcbd783..0000000 --- a/docker/nextcloud-common/bundled-patches/sabre-http-avoid-mmap.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff --git a/3rdparty/sabre/http/lib/Sapi.php b/3rdparty/sabre/http/lib/Sapi.php -index 73674a5a..8344bd0f 100644 ---- a/3rdparty/sabre/http/lib/Sapi.php -+++ b/3rdparty/sabre/http/lib/Sapi.php -@@ -89,42 +89,10 @@ class Sapi - if (null !== $contentLength) { - $output = fopen('php://output', 'wb'); - if (is_resource($body) && 'stream' == get_resource_type($body)) { -- if (PHP_INT_SIZE > 4) { -- // use the dedicated function on 64 Bit systems -- // a workaround to make PHP more possible to use mmap based copy, see https://github.com/sabre-io/http/pull/119 -- $left = (int) $contentLength; -- // copy with 4MiB chunks -- $chunk_size = 4 * 1024 * 1024; -- stream_set_chunk_size($output, $chunk_size); -- // If this is a partial response, flush the beginning bytes until the first position that is a multiple of the page size. -- $contentRange = $response->getHeader('Content-Range'); -- // Matching "Content-Range: bytes 1234-5678/7890" -- if (null !== $contentRange && preg_match('/^bytes\s([0-9]+)-([0-9]+)\//i', $contentRange, $matches)) { -- // 4kB should be the default page size on most architectures -- $pageSize = 4096; -- $offset = (int) $matches[1]; -- $delta = ($offset % $pageSize) > 0 ? ($pageSize - $offset % $pageSize) : 0; -- if ($delta > 0) { -- $left -= stream_copy_to_stream($body, $output, min($delta, $left)); -- } -- } -- while ($left > 0) { -- $copied = stream_copy_to_stream($body, $output, min($left, $chunk_size)); -- // stream_copy_to_stream($src, $dest, $maxLength) must return the number of bytes copied or false in case of failure -- // But when the $maxLength is greater than the total number of bytes remaining in the stream, -- // It returns the negative number of bytes copied -- // So break the loop in such cases. 
-- if ($copied <= 0) { -- break; -- } -- $left -= $copied; -- } -- } else { -- // workaround for 32 Bit systems to avoid stream_copy_to_stream -- while (!feof($body)) { -- fwrite($output, fread($body, 8192)); -- } -- } -+ // workaround for 32 Bit systems to avoid stream_copy_to_stream -+ while (!feof($body)) { -+ fwrite($output, fread($body, 8192)); -+ } - } else { - fwrite($output, $body, (int) $contentLength); - } diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile index 9be328d..192808f 100644 --- a/docker/nextcloud-cron/Dockerfile +++ b/docker/nextcloud-cron/Dockerfile @@ -4,10 +4,10 @@ # NOTE: All COPY paths are relative to the parent folder (../docker). # # @author Guy Elsmore-Paddock (guy@inveniem.com) -# @copyright Copyright (c) 2019-2020, Inveniem +# @copyright Copyright (c) 2019-2024, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.10-apache +FROM nextcloud:24.0.12-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "true" diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile index 932c5e1..0a54b6f 100644 --- a/overlays/00-sample/publish.profile +++ b/overlays/00-sample/publish.profile 
@@ -38,18 +38,17 @@ CONTAINER_ENGINE="docker" # available in the deployed image. # NEXTCLOUD_CUSTOM_APPS=( - 'https://github.com/westberliner/checksum/releases/download/v1.1.4/checksum.tar.gz' - 'https://github.com/nextcloud/files_antivirus/releases/download/v3.3.1/files_antivirus.tar.gz' - 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.13.0/files_automatedtagging-v1.13.0.tar.gz' - 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.15.0/files_downloadactivity-v1.15.0.tar.gz' + 'https://github.com/westberliner/checksum/releases/download/v1.2.3/checksum.tar.gz' + 'https://github.com/nextcloud-releases/files_antivirus/releases/download/v5.3.1/files_antivirus-v5.3.1.tar.gz' + 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.2/files_automatedtagging-v1.14.2.tar.gz' + 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.16.0/files_downloadactivity-v1.16.0.tar.gz' 'https://github.com/Inveniem/nextcloud-files-excludedirs/releases/download/v1.0.1-beta/nextcloud_files_excludedirs-v1.0.1-beta.tar.gz' 'https://github.com/nextcloud/files_rightclick/releases/download/v0.15.1/files_rightclick.tar.gz' - 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.16.0/metadata.tar.gz' - 'https://github.com/owncloud/music/releases/download/v1.6.0/music_1.6.0_for_nextcloud.tar.gz' - 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.1.0/previewgenerator-v5.1.0.tar.gz' - 'https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v2.3.3/oidc_login.tar.gz' - 'https://github.com/nextcloud-releases/user_external/releases/download/v3.0.0/user_external-v3.0.0.tar.gz' - 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.0.3/user_saml-v5.0.3.tar.gz' + 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.19.0/metadata.tar.gz' + 
'https://github.com/owncloud/music/releases/download/v1.10.0/music_1.10.0_for_nextcloud.tar.gz' + 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.2.4/previewgenerator-v5.2.4.tar.gz' + 'https://github.com/nextcloud-releases/user_external/releases/download/v3.1.0/user_external-v3.1.0.tar.gz' + 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.1.5/user_saml-v5.1.5.tar.gz' ) ################################################################################ From 83d5e32975b49d33e8012601b86344fe48e61fc5 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 22:16:58 -0400 Subject: [PATCH 21/25] [IT-120] Update nginx from `1.23.1` to `1.25.4` --- docker/middle-nextcloud-nginx/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/middle-nextcloud-nginx/Dockerfile b/docker/middle-nextcloud-nginx/Dockerfile index e46bb2b..10f3dcf 100644 --- a/docker/middle-nextcloud-nginx/Dockerfile +++ b/docker/middle-nextcloud-nginx/Dockerfile @@ -6,6 +6,6 @@ # @copyright Copyright (c) 2019-2022, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nginx:1.23.1-alpine +FROM nginx:1.25.4-alpine COPY nginx.conf /etc/nginx/nginx.conf From 1ade10782360e02dbe76124cd6f8031987d8fd6d Mon Sep 17 00:00:00 2001 
From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 01:53:25 -0400 Subject: [PATCH 22/25] [IT-234] Update MySQL Connection from Environment Variables Nextcloud generates the config with database settings the first time that it is run, but from then on it does not automatically update the variables from the environment. This is a real pain if the password or hostname of the DB server needs to change, because an admin has to update the credentials in BOTH the environment AND the config volume, which is often mounted read-only. So, to support closer to a zero downtime deployment model for database connection string changes, this new config snippet should keep the database connection info in sync with the environment on a read-only config folder, even if what's in the config file is not in sync. --- .../nextcloud-common/config/mysql.config.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docker/nextcloud-common/config/mysql.config.php diff --git a/docker/nextcloud-common/config/mysql.config.php b/docker/nextcloud-common/config/mysql.config.php new file mode 100644 index 0000000..fad60e8 --- /dev/null +++ b/docker/nextcloud-common/config/mysql.config.php @@ -0,0 +1,19 @@ + 'mysql', + 'dbname' => $mysql_database, + 'dbhost' => $mysql_host, + 'dbport' => $mysql_port, + 'dbtableprefix' => '', + 'dbuser' => $mysql_user, + 'dbpassword' => $mysql_password, + ); +} From 591f6b140c7c346b8ab5446639329068ba76264c Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 01:54:01 -0400 Subject: [PATCH 23/25] [IT-234] Throw a Loud Error if the Azure CA File is Missing --- .../config/mysql-ssl.config.php | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/docker/nextcloud-common/config/mysql-ssl.config.php b/docker/nextcloud-common/config/mysql-ssl.config.php index 5eba0ca..c518ac1 100644 --- a/docker/nextcloud-common/config/mysql-ssl.config.php +++ b/docker/nextcloud-common/config/mysql-ssl.config.php 
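Review bot: `'dbtableprefix' => ''` is hard-coded while every other connection value in the array comes from a variable, so this override would replace a non-empty prefix stored in an existing `config.php`. If any deployment was installed with a prefix (the upstream image accepts `NEXTCLOUD_TABLE_PREFIX`), Nextcloud would look for unprefixed tables once this snippet loads. Either leave `dbtableprefix` out of the override or read it from the environment like the other values. The top of the file, including the condition that guards this array, is not visible in this rendering, so this may already be handled there.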
@@ -2,17 +2,29 @@ /** * The name of the combined CA file that gets created during the Docker build. * - * The CA file contains certificates for both BaltimoreCyberTrustRoot and - * DigiCertGlobalRootG2, per the instructions from this article: + * The CA file contains certificates for both Baltimore Cyber Trust and + * Digi Cert Global Root (both regular and G2), per the instructions from this + * article: * https://learn.microsoft.com/en-us/azure/mariadb/concepts-certificate-rotation */ const AZURE_CA_PEM_FILE = 'azure_ca.pem'; $config_folder = dirname(__FILE__); +$ca_file_path = sprintf('%s/%s', $config_folder, AZURE_CA_PEM_FILE); -# Support connecting to Azure MySQL over SSL -$CONFIG = array( - 'dbdriveroptions' => array( - PDO::MYSQL_ATTR_SSL_CA => sprintf('%s/%s', $config_folder, AZURE_CA_PEM_FILE), - ), -); +if (is_readable($ca_file_path)) { + # Ensure that the root certificate authority certificates for Azure from the + # Docker image are used to verify the SSL certificate chain during connection. + $CONFIG = array( + 'dbdriveroptions' => array( + PDO::MYSQL_ATTR_SSL_CA => $ca_file_path, + ), + ); +} +else { + // Should not happen unless config is read-only and the CA file is missing + // from the volume. + throw new InvalidArgumentException( + 'The Azure CA file is missing (is config read-only when it should not be?): ' . $ca_file_path + ); +} From a92fd12147b30a160532629f162f6f9c2b6304e9 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Wed, 27 Mar 2024 01:54:38 -0400 Subject: [PATCH 24/25] [IT-234] Add Azure Digi Cert Global Root CA for MySQL Flexible Server --- .../ssl/azure_ca/DigiCertGlobalRootCA.crt.pem | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docker/nextcloud-common/ssl/azure_ca/DigiCertGlobalRootCA.crt.pem diff --git a/docker/nextcloud-common/ssl/azure_ca/DigiCertGlobalRootCA.crt.pem b/docker/nextcloud-common/ssl/azure_ca/DigiCertGlobalRootCA.crt.pem new file mode 100644 index 0000000..fd4341d --- /dev/null 
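Review bot: The `dbdriveroptions` array pins the CA bundle but leaves server-certificate verification to the driver default. Adding `PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,` states the intent and removes the dependency on the PHP build's default. Separately, `is_readable()` only proves the file can be opened, so an empty or truncated `azure_ca.pem` passes the check and fails later at connect time with a less helpful error. Extending the condition to `is_readable($ca_file_path) && filesize($ca_file_path) > 0` keeps the loud failure meaningful. `RuntimeException` would also describe the missing-file case better than `InvalidArgumentException`, since no argument is involved.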
+++ b/docker/nextcloud-common/ssl/azure_ca/DigiCertGlobalRootCA.crt.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB +CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 +nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt +43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P +T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 +gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR +TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw +DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr +hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg +06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF +PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls +YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk +CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= +-----END CERTIFICATE----- From de26f12ceb71a536e3d95c911c979da78ced7506 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Thu, 28 Mar 2024 00:42:50 -0400 Subject: [PATCH 25/25] Update Release Documentation --- CHANGELOG.md | 3 +++ SECURITY.md | 13 ++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..f19da1f --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,3 @@ +# Change log +See the [releases](https://github.com/Inveniem/nextcloud-azure-aks/releases) +page for notes that go with each release. diff --git a/SECURITY.md b/SECURITY.md index a070b85..deaccf3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,15 +2,14 @@ ## Supported Versions | Version | Supported | -| ------- | ------------------ | -| 7.x | :white_check_mark: | -| 6.x | :white_check_mark: | -| < 6.0 | :x: | +|---------| ------------------ | +| 11.x | :white_check_mark: | +| < 11.0 | :x: | ## Reporting a Vulnerability -Please do not report vulnerabilities using the issue queue. Instead, please email -sysadmins@inveniem.com if you believe you have found a vulnerability in the way that our -Docker images are packaged or configured. +Please do not report vulnerabilities using the issue queue. Instead, please +email sysadmins at inveniem dot com if you believe you have found a +vulnerability in the way that our Docker images are packaged or configured. If you believe you have found a vulnerability in Nextcloud itself, please do not report your issue to us. Instead, report it through Nextcloud's own system at