invoice-ninja: Run in a mutable container
The Invoice Ninja container is not designed to be immutable at all; it makes a bunch of changes to its own contents when it starts up. Notably, it copies the contents of the `public` and `storage` directories from the container image to the persistent volume _and then deletes the source_. Additionally, being a Laravel application, it needs write access to its own code for caching, etc. Previously, the `init.sh` script copied the entire `app` directory to a temporary directory, and then the runtime container mounted that volume over the top of the original location. This allowed the root filesystem of the container to be read-only, while the `app` directory was still mutable. Unfortunately, this makes the startup process incredibly slow, as it takes a couple of minutes to copy the whole application. It's also pretty pointless, because the application runs as an unprivileged process, so it wouldn't have write access to the rest of the filesystem anyway. As such, I've decided to remove the `readOnlyRootFilesytem` restriction, and allow the container to run as upstream intends, albeit begrudgingly.xactmon-doc
parent
78cd26c827
commit
e74a6b3142
|
|
@ -1,18 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
cp -r /var/www/app/. /app
|
|
||||||
|
|
||||||
# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
|
|
||||||
# server, despite the APP_URL setting.
|
|
||||||
sed -i \
|
|
||||||
-e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
|
|
||||||
/app/app/Utils/HtmlEngine.php
|
|
||||||
|
|
||||||
chown -R invoiceninja:invoiceninja /app
|
|
||||||
|
|
||||||
if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
|
|
||||||
chown -R invoiceninja:invoiceninja /storage
|
|
||||||
chmod -R u=rwx,go= /storage
|
|
||||||
fi
|
|
||||||
|
|
@ -54,33 +54,11 @@ spec:
|
||||||
app.kubernetes.io/component: invoice-ninja
|
app.kubernetes.io/component: invoice-ninja
|
||||||
app.kubernetes.io/part-of: invoice-ninja
|
app.kubernetes.io/part-of: invoice-ninja
|
||||||
spec:
|
spec:
|
||||||
initContainers:
|
|
||||||
- name: init
|
|
||||||
image: &image docker.io/invoiceninja/invoiceninja:5.8.16
|
|
||||||
command:
|
|
||||||
- /init.sh
|
|
||||||
securityContext:
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
add:
|
|
||||||
- CHOWN
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
runAsGroup: 0
|
|
||||||
runAsNonRoot: false
|
|
||||||
runAsUser: 0
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /app
|
|
||||||
name: app
|
|
||||||
- mountPath: /init.sh
|
|
||||||
name: init
|
|
||||||
subPath: init.sh
|
|
||||||
- mountPath: /storage
|
|
||||||
name: data
|
|
||||||
subPath: storage
|
|
||||||
containers:
|
containers:
|
||||||
- name: invoice-ninja
|
- name: invoice-ninja
|
||||||
image: *image
|
image: &image docker.io/invoiceninja/invoiceninja:5.8.16
|
||||||
|
command:
|
||||||
|
- /start.sh
|
||||||
env: &env
|
env: &env
|
||||||
- name: DB_HOST
|
- name: DB_HOST
|
||||||
value: invoice-ninja-db
|
value: invoice-ninja-db
|
||||||
|
|
@ -107,17 +85,19 @@ spec:
|
||||||
<<: *probe
|
<<: *probe
|
||||||
periodSeconds: 1
|
periodSeconds: 1
|
||||||
failureThreshold: 60
|
failureThreshold: 60
|
||||||
securityContext:
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
volumeMounts: &mounts
|
volumeMounts: &mounts
|
||||||
- mountPath: /run/secrets/invoiceninja
|
- mountPath: /run/secrets/invoiceninja
|
||||||
name: secrets
|
name: secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- mountPath: /start.sh
|
||||||
|
name: init
|
||||||
|
subPath: start.sh
|
||||||
- mountPath: /tmp
|
- mountPath: /tmp
|
||||||
name: tmp
|
name: tmp
|
||||||
subPath: tmp
|
subPath: tmp
|
||||||
- mountPath: /var/www/app
|
- mountPath: /var/www/app/public
|
||||||
name: app
|
name: data
|
||||||
|
subPath: public
|
||||||
- mountPath: /var/www/app/public/storage
|
- mountPath: /var/www/app/public/storage
|
||||||
name: data
|
name: data
|
||||||
subPath: storage-public
|
subPath: storage-public
|
||||||
|
|
@ -156,7 +136,7 @@ spec:
|
||||||
- mountPath: /var/cache/nginx
|
- mountPath: /var/cache/nginx
|
||||||
name: nginx-cache
|
name: nginx-cache
|
||||||
- mountPath: /var/www/app/public
|
- mountPath: /var/www/app/public
|
||||||
name: app
|
name: data
|
||||||
subPath: public
|
subPath: public
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: /var/www/app/public/storage
|
- mountPath: /var/www/app/public/storage
|
||||||
|
|
@ -192,6 +172,8 @@ spec:
|
||||||
- invoice-ninja-db
|
- invoice-ninja-db
|
||||||
securityContext:
|
securityContext:
|
||||||
runAsNonRoot: True
|
runAsNonRoot: True
|
||||||
|
fsGroup: 1500
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
||||||
|
|
@ -20,6 +20,7 @@ configMapGenerator:
|
||||||
- name: invoice-ninja-init
|
- name: invoice-ninja-init
|
||||||
files:
|
files:
|
||||||
- init.sh
|
- init.sh
|
||||||
|
- start.sh
|
||||||
|
|
||||||
- name: invoice-ninja
|
- name: invoice-ninja
|
||||||
envs:
|
envs:
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
|
||||||
|
# server, despite the APP_URL setting.
|
||||||
|
sed -i \
|
||||||
|
-e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
|
||||||
|
/var/www/app/app/Utils/HtmlEngine.php
|
||||||
|
|
||||||
|
exec /usr/local/bin/docker-entrypoint supervisord
|
||||||
Loading…
Reference in New Issue