mirror of
https://github.com/kyantech/Palmr.git
synced 2025-10-24 08:33:43 +00:00
feat: standardize UID/GID configuration across Docker Compose files
- Added PALMR_UID and PALMR_GID environment variables to all relevant Docker Compose files to ensure consistent user and group ID settings for container processes. - Updated documentation in quick-start guide to reflect these changes, enhancing clarity for users regarding UID/GID configurations.
This commit is contained in:
@@ -57,6 +57,8 @@ services:
|
|||||||
- ENABLE_S3=false
|
- ENABLE_S3=false
|
||||||
- ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
|
- ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
|
||||||
# - SECURE_SITE=false # Set to true if you are using a reverse proxy
|
# - SECURE_SITE=false # Set to true if you are using a reverse proxy
|
||||||
|
- PALMR_UID=1000 # UID for the container processes (default is 1001)
|
||||||
|
- PALMR_GID=1000 # GID for the container processes (default is 1001)
|
||||||
ports:
|
ports:
|
||||||
- "5487:5487" # Web interface
|
- "5487:5487" # Web interface
|
||||||
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
||||||
@@ -93,9 +95,8 @@ services:
|
|||||||
- ENABLE_S3=false
|
- ENABLE_S3=false
|
||||||
- ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
|
- ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
|
||||||
# - SECURE_SITE=false # Set to true if you are using a reverse proxy
|
# - SECURE_SITE=false # Set to true if you are using a reverse proxy
|
||||||
# Optional: Set custom UID/GID for file permissions
|
- PALMR_UID=1000 # UID for the container processes (default is 1001)
|
||||||
# - PALMR_UID=1000
|
- PALMR_GID=1000 # GID for the container processes (default is 1001)
|
||||||
# - PALMR_GID=1000
|
|
||||||
ports:
|
ports:
|
||||||
- "5487:5487" # Web port
|
- "5487:5487" # Web port
|
||||||
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
||||||
|
@@ -5,9 +5,8 @@ services:
|
|||||||
environment:
|
environment:
|
||||||
- ENABLE_S3=false
|
- ENABLE_S3=false
|
||||||
- ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
|
- ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
|
||||||
# Optional: Set custom UID/GID for file permissions
|
- PALMR_UID=1000 # UID for the container processes (default is 1001)
|
||||||
# - PALMR_UID=1000
|
- PALMR_GID=1000 # GID for the container processes (default is 1001)
|
||||||
# - PALMR_GID=1000
|
|
||||||
ports:
|
ports:
|
||||||
- "5487:5487" # Web port
|
- "5487:5487" # Web port
|
||||||
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
||||||
|
@@ -12,6 +12,8 @@ services:
|
|||||||
- S3_REGION=${S3_REGION:-us-east-1} # S3 region (us-east-1 is the default region) but it depends on your s3 server region
|
- S3_REGION=${S3_REGION:-us-east-1} # S3 region (us-east-1 is the default region) but it depends on your s3 server region
|
||||||
- S3_BUCKET_NAME=${S3_BUCKET_NAME:-palmr-files} # Bucket name for the S3 storage (here we are using palmr-files as the bucket name to understand that this is the bucket for palmr)
|
- S3_BUCKET_NAME=${S3_BUCKET_NAME:-palmr-files} # Bucket name for the S3 storage (here we are using palmr-files as the bucket name to understand that this is the bucket for palmr)
|
||||||
- S3_FORCE_PATH_STYLE=true # For MinIO compatibility we have to set this to true
|
- S3_FORCE_PATH_STYLE=true # For MinIO compatibility we have to set this to true
|
||||||
|
- PALMR_UID=1000 # UID for the container processes (default is 1001)
|
||||||
|
- PALMR_GID=1000 # GID for the container processes (default is 1001)
|
||||||
ports:
|
ports:
|
||||||
- "5487:5487" # Web port
|
- "5487:5487" # Web port
|
||||||
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
||||||
|
@@ -12,6 +12,8 @@ services:
|
|||||||
- S3_REGION=${S3_REGION:-us-east-1} # S3 region (us-east-1 is the default region) but it depends on your s3 server region
|
- S3_REGION=${S3_REGION:-us-east-1} # S3 region (us-east-1 is the default region) but it depends on your s3 server region
|
||||||
- S3_BUCKET_NAME=${S3_BUCKET_NAME:-palmr-files} # Bucket name for the S3 storage (here we are using palmr-files as the bucket name to understand that this is the bucket for palmr)
|
- S3_BUCKET_NAME=${S3_BUCKET_NAME:-palmr-files} # Bucket name for the S3 storage (here we are using palmr-files as the bucket name to understand that this is the bucket for palmr)
|
||||||
- S3_FORCE_PATH_STYLE=false # For S3 compatibility we have to set this to false
|
- S3_FORCE_PATH_STYLE=false # For S3 compatibility we have to set this to false
|
||||||
|
- PALMR_UID=1000 # UID for the container processes (default is 1001)
|
||||||
|
- PALMR_GID=1000 # GID for the container processes (default is 1001)
|
||||||
ports:
|
ports:
|
||||||
- "5487:5487" # Web port
|
- "5487:5487" # Web port
|
||||||
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
||||||
|
@@ -8,6 +8,8 @@ services:
|
|||||||
ports:
|
ports:
|
||||||
- "5487:5487" # Web port
|
- "5487:5487" # Web port
|
||||||
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
- "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
|
||||||
|
- PALMR_UID=1000 # UID for the container processes (default is 1001)
|
||||||
|
- PALMR_GID=1000 # GID for the container processes (default is 1001)
|
||||||
volumes:
|
volumes:
|
||||||
- palmr_data:/app/server # Volume for the application data (changed from /data to /app/server)
|
- palmr_data:/app/server # Volume for the application data (changed from /data to /app/server)
|
||||||
restart: unless-stopped # Restart the container unless it is stopped
|
restart: unless-stopped # Restart the container unless it is stopped
|
||||||
|
@@ -20,6 +20,9 @@ make stop
|
|||||||
|
|
||||||
# Clean up containers and images
|
# Clean up containers and images
|
||||||
make clean
|
make clean
|
||||||
|
|
||||||
|
# Update apps version
|
||||||
|
make update-version
|
||||||
```
|
```
|
||||||
|
|
||||||
### Available Commands:
|
### Available Commands:
|
||||||
@@ -29,5 +32,6 @@ make clean
|
|||||||
- `make logs` - Show application logs
|
- `make logs` - Show application logs
|
||||||
- `make clean` - Clean up containers and images
|
- `make clean` - Clean up containers and images
|
||||||
- `make shell` - Access the application container shell
|
- `make shell` - Access the application container shell
|
||||||
|
- `make update-version` - Update all apps version in package.json
|
||||||
|
|
||||||
All infrastructure scripts are organized in the `./infra/` directory for better project organization.
|
All infrastructure scripts are organized in the `./infra/` directory for better project organization.
|
@@ -1,10 +1,8 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Ask for tag interactively
|
|
||||||
echo "🏷️ Please enter a tag for the build (e.g., v1.0.0, production, beta):"
|
echo "🏷️ Please enter a tag for the build (e.g., v1.0.0, production, beta):"
|
||||||
read -p "Tag: " TAG
|
read -p "Tag: " TAG
|
||||||
|
|
||||||
# Check if tag was provided
|
|
||||||
if [ -z "$TAG" ]; then
|
if [ -z "$TAG" ]; then
|
||||||
echo "❌ Error: Tag cannot be empty"
|
echo "❌ Error: Tag cannot be empty"
|
||||||
echo "Please run the script again and provide a valid tag"
|
echo "Please run the script again and provide a valid tag"
|
||||||
@@ -14,10 +12,8 @@ fi
|
|||||||
echo "🚀 Building Palmr Unified Image for AMD64 and ARM..."
|
echo "🚀 Building Palmr Unified Image for AMD64 and ARM..."
|
||||||
echo "📦 Building tags: latest and $TAG"
|
echo "📦 Building tags: latest and $TAG"
|
||||||
|
|
||||||
# Ensure buildx is available and create/use a builder instance
|
|
||||||
docker buildx create --name palmr-builder --use 2>/dev/null || docker buildx use palmr-builder
|
docker buildx create --name palmr-builder --use 2>/dev/null || docker buildx use palmr-builder
|
||||||
|
|
||||||
# Build the unified image for multiple platforms without cache
|
|
||||||
docker buildx build \
|
docker buildx build \
|
||||||
--platform linux/amd64,linux/arm64 \
|
--platform linux/amd64,linux/arm64 \
|
||||||
--no-cache \
|
--no-cache \
|
||||||
|
@@ -10,12 +10,10 @@ TARGET_GID=${PALMR_GID:-1001}
|
|||||||
if [ -n "$PALMR_UID" ] || [ -n "$PALMR_GID" ]; then
|
if [ -n "$PALMR_UID" ] || [ -n "$PALMR_GID" ]; then
|
||||||
echo "🔧 Runtime UID/GID: $TARGET_UID:$TARGET_GID"
|
echo "🔧 Runtime UID/GID: $TARGET_UID:$TARGET_GID"
|
||||||
|
|
||||||
# Update ownership of critical directories to match target UID/GID
|
|
||||||
echo "🔐 Updating file ownership..."
|
echo "🔐 Updating file ownership..."
|
||||||
chown -R $TARGET_UID:$TARGET_GID /app/palmr-app 2>/dev/null || echo "⚠️ Some ownership changes may have failed"
|
chown -R $TARGET_UID:$TARGET_GID /app/palmr-app 2>/dev/null || echo "⚠️ Some ownership changes may have failed"
|
||||||
chown -R $TARGET_UID:$TARGET_GID /home/palmr 2>/dev/null || echo "⚠️ Some home directory ownership changes may have failed"
|
chown -R $TARGET_UID:$TARGET_GID /home/palmr 2>/dev/null || echo "⚠️ Some home directory ownership changes may have failed"
|
||||||
|
|
||||||
# Update ownership of data directory if it exists
|
|
||||||
if [ -d "/app/server" ]; then
|
if [ -d "/app/server" ]; then
|
||||||
chown -R $TARGET_UID:$TARGET_GID /app/server 2>/dev/null || echo "⚠️ Some data directory ownership changes may have failed"
|
chown -R $TARGET_UID:$TARGET_GID /app/server 2>/dev/null || echo "⚠️ Some data directory ownership changes may have failed"
|
||||||
fi
|
fi
|
||||||
@@ -23,30 +21,24 @@ if [ -n "$PALMR_UID" ] || [ -n "$PALMR_GID" ]; then
|
|||||||
echo "✅ UID/GID configuration completed"
|
echo "✅ UID/GID configuration completed"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Ensure we're in the correct directory
|
|
||||||
cd /app/palmr-app
|
cd /app/palmr-app
|
||||||
|
|
||||||
# Set the database URL
|
|
||||||
export DATABASE_URL="file:/app/server/prisma/palmr.db"
|
export DATABASE_URL="file:/app/server/prisma/palmr.db"
|
||||||
|
|
||||||
echo "📂 Data directory: /app/server"
|
echo "📂 Data directory: /app/server"
|
||||||
echo "💾 Database: $DATABASE_URL"
|
echo "💾 Database: $DATABASE_URL"
|
||||||
|
|
||||||
# Create all necessary directories
|
|
||||||
echo "📁 Creating data directories..."
|
echo "📁 Creating data directories..."
|
||||||
mkdir -p /app/server/prisma /app/server/uploads /app/server/temp-chunks /app/server/uploads/logo
|
mkdir -p /app/server/prisma /app/server/uploads /app/server/temp-chunks /app/server/uploads/logo
|
||||||
|
|
||||||
# Fix ownership of database directory BEFORE database operations
|
|
||||||
if [ "$(id -u)" = "0" ]; then
|
if [ "$(id -u)" = "0" ]; then
|
||||||
echo "🔐 Ensuring proper ownership before database operations..."
|
echo "🔐 Ensuring proper ownership before database operations..."
|
||||||
chown -R $TARGET_UID:$TARGET_GID /app/server/prisma 2>/dev/null || true
|
chown -R $TARGET_UID:$TARGET_GID /app/server/prisma 2>/dev/null || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check if it's a first run (no database file exists)
|
|
||||||
if [ ! -f "/app/server/prisma/palmr.db" ]; then
|
if [ ! -f "/app/server/prisma/palmr.db" ]; then
|
||||||
echo "🚀 First run detected - setting up database..."
|
echo "🚀 First run detected - setting up database..."
|
||||||
|
|
||||||
# Create database with proper schema path - run as target user to avoid permission issues
|
|
||||||
echo "🗄️ Creating database schema..."
|
echo "🗄️ Creating database schema..."
|
||||||
if [ "$(id -u)" = "0" ]; then
|
if [ "$(id -u)" = "0" ]; then
|
||||||
su-exec $TARGET_UID:$TARGET_GID npx prisma db push --schema=./prisma/schema.prisma --skip-generate
|
su-exec $TARGET_UID:$TARGET_GID npx prisma db push --schema=./prisma/schema.prisma --skip-generate
|
||||||
@@ -66,7 +58,6 @@ if [ ! -f "/app/server/prisma/palmr.db" ]; then
|
|||||||
else
|
else
|
||||||
echo "♻️ Existing database found"
|
echo "♻️ Existing database found"
|
||||||
|
|
||||||
# Always run migrations to ensure schema is up to date - as target user
|
|
||||||
echo "🔧 Checking for schema updates..."
|
echo "🔧 Checking for schema updates..."
|
||||||
if [ "$(id -u)" = "0" ]; then
|
if [ "$(id -u)" = "0" ]; then
|
||||||
su-exec $TARGET_UID:$TARGET_GID npx prisma db push --schema=./prisma/schema.prisma --skip-generate
|
su-exec $TARGET_UID:$TARGET_GID npx prisma db push --schema=./prisma/schema.prisma --skip-generate
|
||||||
@@ -74,60 +65,91 @@ else
|
|||||||
npx prisma db push --schema=./prisma/schema.prisma --skip-generate
|
npx prisma db push --schema=./prisma/schema.prisma --skip-generate
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check if configurations exist - as target user
|
echo "🔍 Checking if new tables need seeding..."
|
||||||
echo "🔍 Verifying database configurations..."
|
NEEDS_SEEDING=$(
|
||||||
CONFIG_COUNT=$(
|
|
||||||
if [ "$(id -u)" = "0" ]; then
|
if [ "$(id -u)" = "0" ]; then
|
||||||
su-exec $TARGET_UID:$TARGET_GID node -e "
|
su-exec $TARGET_UID:$TARGET_GID node -e "
|
||||||
const { PrismaClient } = require('@prisma/client');
|
const { PrismaClient } = require('@prisma/client');
|
||||||
const prisma = new PrismaClient();
|
const prisma = new PrismaClient();
|
||||||
prisma.appConfig.count()
|
|
||||||
.then(count => {
|
async function checkSeedingNeeded() {
|
||||||
console.log(count);
|
try {
|
||||||
process.exit(0);
|
const appConfigCount = await prisma.appConfig.count();
|
||||||
})
|
const userCount = await prisma.user.count();
|
||||||
.catch(() => {
|
const authProviderCount = await prisma.authProvider.count();
|
||||||
console.log(0);
|
|
||||||
process.exit(0);
|
if (appConfigCount === 0 || userCount === 0) {
|
||||||
});
|
console.log('true');
|
||||||
" 2>/dev/null || echo "0"
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (authProviderCount === 0) {
|
||||||
|
console.log('true');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log('false');
|
||||||
|
} catch (error) {
|
||||||
|
console.log('true');
|
||||||
|
} finally {
|
||||||
|
await prisma.\$disconnect();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
checkSeedingNeeded();
|
||||||
|
" 2>/dev/null || echo "true"
|
||||||
else
|
else
|
||||||
node -e "
|
node -e "
|
||||||
const { PrismaClient } = require('@prisma/client');
|
const { PrismaClient } = require('@prisma/client');
|
||||||
const prisma = new PrismaClient();
|
const prisma = new PrismaClient();
|
||||||
prisma.appConfig.count()
|
|
||||||
.then(count => {
|
async function checkSeedingNeeded() {
|
||||||
console.log(count);
|
try {
|
||||||
process.exit(0);
|
const appConfigCount = await prisma.appConfig.count();
|
||||||
})
|
const userCount = await prisma.user.count();
|
||||||
.catch(() => {
|
const authProviderCount = await prisma.authProvider.count();
|
||||||
console.log(0);
|
|
||||||
process.exit(0);
|
if (appConfigCount === 0 || userCount === 0) {
|
||||||
});
|
console.log('true');
|
||||||
" 2>/dev/null || echo "0"
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (authProviderCount === 0) {
|
||||||
|
console.log('true');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log('false');
|
||||||
|
} catch (error) {
|
||||||
|
console.log('true');
|
||||||
|
} finally {
|
||||||
|
await prisma.\$disconnect();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
checkSeedingNeeded();
|
||||||
|
" 2>/dev/null || echo "true"
|
||||||
fi
|
fi
|
||||||
)
|
)
|
||||||
|
|
||||||
if [ "$CONFIG_COUNT" -eq "0" ]; then
|
if [ "$NEEDS_SEEDING" = "true" ]; then
|
||||||
echo "🌱 No configurations found, running seed..."
|
echo "🌱 New tables detected or missing data, running seed..."
|
||||||
# Always run seed from application directory where node_modules is available - as target user
|
|
||||||
if [ "$(id -u)" = "0" ]; then
|
if [ "$(id -u)" = "0" ]; then
|
||||||
su-exec $TARGET_UID:$TARGET_GID node ./prisma/seed.js
|
su-exec $TARGET_UID:$TARGET_GID node ./prisma/seed.js
|
||||||
else
|
else
|
||||||
node ./prisma/seed.js
|
node ./prisma/seed.js
|
||||||
fi
|
fi
|
||||||
|
echo "✅ Seeding completed!"
|
||||||
else
|
else
|
||||||
echo "✅ Found $CONFIG_COUNT configurations"
|
echo "✅ All tables have data, no seeding needed"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "🚀 Starting Palmr server..."
|
echo "🚀 Starting Palmr server..."
|
||||||
|
|
||||||
# Drop privileges using su-exec with specific UID/GID
|
|
||||||
if [ "$(id -u)" = "0" ]; then
|
if [ "$(id -u)" = "0" ]; then
|
||||||
echo "🔽 Dropping privileges to UID:GID $TARGET_UID:$TARGET_GID"
|
echo "🔽 Dropping privileges to UID:GID $TARGET_UID:$TARGET_GID"
|
||||||
exec su-exec $TARGET_UID:$TARGET_GID node dist/server.js
|
exec su-exec $TARGET_UID:$TARGET_GID node dist/server.js
|
||||||
else
|
else
|
||||||
# We're already running as non-root
|
|
||||||
exec node dist/server.js
|
exec node dist/server.js
|
||||||
fi
|
fi
|
@@ -1,8 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Script to update version numbers in all package.json files
|
|
||||||
# Usage: ./update-versions.sh <version>
|
|
||||||
|
|
||||||
VERSION=$1
|
VERSION=$1
|
||||||
|
|
||||||
if [ -z "$VERSION" ]; then
|
if [ -z "$VERSION" ]; then
|
||||||
@@ -14,18 +11,14 @@ fi
|
|||||||
|
|
||||||
echo "🔄 Updating version to $VERSION in all package.json files..."
|
echo "🔄 Updating version to $VERSION in all package.json files..."
|
||||||
|
|
||||||
# Function to update version in package.json
|
|
||||||
update_package_json() {
|
update_package_json() {
|
||||||
local file=$1
|
local file=$1
|
||||||
local app_name=$2
|
local app_name=$2
|
||||||
|
|
||||||
if [ -f "$file" ]; then
|
if [ -f "$file" ]; then
|
||||||
# Use sed to update the version line
|
|
||||||
if [[ "$OSTYPE" == "darwin"* ]]; then
|
if [[ "$OSTYPE" == "darwin"* ]]; then
|
||||||
# macOS requires different sed syntax
|
|
||||||
sed -i '' "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" "$file"
|
sed -i '' "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" "$file"
|
||||||
else
|
else
|
||||||
# Linux sed syntax
|
|
||||||
sed -i "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" "$file"
|
sed -i "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" "$file"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -35,7 +28,6 @@ update_package_json() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Update all three package.json files
|
|
||||||
update_package_json "apps/web/package.json" "Web App"
|
update_package_json "apps/web/package.json" "Web App"
|
||||||
update_package_json "apps/docs/package.json" "Documentation"
|
update_package_json "apps/docs/package.json" "Documentation"
|
||||||
update_package_json "apps/server/package.json" "API Server"
|
update_package_json "apps/server/package.json" "API Server"
|
||||||
|
Reference in New Issue
Block a user