From d15179409a509acca0ddef9a53b7c8d685e69372 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 23 Sep 2025 02:45:31 -0400 Subject: [PATCH 1/5] refactor(entrypoint) improve script clarity Improved entrypoint script clarity: - General code reformatting - Refactors to keep most lines <=90 characters - Updates existing comments for clarity/consistency/usefulness - Adds new, clarifying comments - Adds/enhances descriptions for all utility functions - Adds reminder language re: ash/dash script compatibility - Minor adjustments to some error/general output - Noted some future "TODO" (possible) items - Fix non-POSIX variable compliance No logic changes. Signed-off-by: Josh --- docker-entrypoint.sh | 322 ++++++++++++++++++++++++++++++------------- 1 file changed, 230 insertions(+), 92 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index e3b88f147..4db5ea564 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,16 +1,64 @@ #!/bin/sh set -eu -# version_greater A B returns whether A > B +############################################################################### +# Entrypoint script for Nextcloud Docker container +############################################################################### + +# Handles container-specific operations such as initialization, automatic configuration, +# user/group ID management, and setup checks. Also runs Nextcloud Server’s built-in +# installation and upgrade routines in a way that fits the container environment. +# +# Supports environment-based configuration injection at install time for all key +# parameters (see README for details). After installation, allows reconfiguration +# of select parameters via environment variables - except NEXTCLOUD_TRUSTED_DOMAINS +# and those set by the Nextcloud installer. +# +# REMINDER: This script must work with non-interactive, POSIX-compliant shells used in our +# images. Do not use Bash-specific syntax ("bashisms"): /bin/sh is always either 'ash' +# (BusyBox) or 'dash' (Debian), not Bash. Stick to standard POSIX shell features. +# Resources for writing portable shell scripts: +# - checkbashisms (Alpine: checkbashisms; Debian: devscripts) +# - https://mywiki.wooledge.org/Bashism +# - https://www.shellcheck.net/ +# Same also applies to any commands called too (e.g., GNU find versus Busybox find). + +############################################################################### +# Utility Functions +############################################################################### + +# Command for running `occ` +OCC="php /var/www/html/occ" + +# version_greater +# Compare two version strings (A and B). +# Arguments: +# $1: Version string A +# $2: Version string B +# Returns: 0 (true) if version A is greater than B; 1 (false) otherwise. version_greater() { [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ] } -# return true if specified directory is empty +# directory_empty +# Check if a directory is empty. +# Arguments: +# $1: Directory path. +# Returns: 0 (true) if directory is empty; 1 (false) otherwise. directory_empty() { [ -z "$(ls -A "$1/")" ] } +# run_as +# Run a command as the specified user if running as root, otherwise as current user. +# Arguments: +# $1: Command string to execute. +# Globals: +# user - Username to switch to (when running as root). +# Returns: the exit code of the executed command. +# TODO: +# Consider printing error message then returning (or exiting the script) if a command fails. +# If some callers want to handle errors, hide behind optional flag ("--exit-on-error"). run_as() { if [ "$(id -u)" = 0 ]; then su -p "$user" -s /bin/sh -c "$1" @@ -19,13 +67,17 @@ run_as() { fi } -# Execute all executable files in a given directory in alphanumeric order +# run_path +# Execute all executable .sh files in the specified hook folder, in alphanumeric order. +# Arguments: +# $1: Name of the hook folder inside /docker-entrypoint-hooks.d/ +# Returns: 0 on success; exits the script on any hook failure. run_path() { - local hook_folder_path="/docker-entrypoint-hooks.d/$1" - local return_code=0 - local found=0 + hook_folder_path="/docker-entrypoint-hooks.d/$1" + return_code=0 + found=0 - echo "=> Searching for hook scripts (*.sh) to run, located in the folder \"${hook_folder_path}\"" + echo "=> Searching for hook scripts (*.sh) to run in \"${hook_folder_path}\"" if ! [ -d "${hook_folder_path}" ] || directory_empty "${hook_folder_path}"; then echo "==> Skipped: the \"$1\" folder is empty (or does not exist)" @@ -35,40 +87,43 @@ run_path() { find "${hook_folder_path}" -maxdepth 1 -iname '*.sh' '(' -type f -o -type l ')' -print | sort | ( while read -r script_file_path; do if ! [ -x "${script_file_path}" ]; then - echo "==> The script \"${script_file_path}\" was skipped, because it lacks the executable flag" + echo "==> The script \"${script_file_path}\" was skipped: lacks exec flag" found=$((found-1)) continue fi - echo "==> Running the script (cwd: $(pwd)): \"${script_file_path}\"" + echo "==> Running script (cwd: $(pwd)): \"${script_file_path}\"" found=$((found+1)) run_as "${script_file_path}" || return_code="$?" if [ "${return_code}" -ne "0" ]; then - echo "==> Failed at executing script \"${script_file_path}\". Exit code: ${return_code}" + echo "==> Failed executing \"${script_file_path}\". Exit code: ${return_code}" exit 1 fi - echo "==> Finished executing the script: \"${script_file_path}\"" + echo "==> Finished executing: \"${script_file_path}\"" done + if [ "$found" -lt "1" ]; then - echo "==> Skipped: the \"$1\" folder does not contain any valid scripts" + echo "==> Skipped: the \"$1\" folder contains no valid scripts" else - echo "=> Completed executing scripts in the \"$1\" folder" + echo "=> Completed executing scripts in \"$1\"" fi ) } -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +# file_env +# Load an environment variable from a file if available (supporting Docker secrets). +# Arguments: +# $1: Name of the environment variable. +# $2: (Optional) Default value if not set. +# Returns: Sets the environment variable named by $1. file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") - local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + var="$1" + fileVar="${var}_FILE" + def="${2:-}" + varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then echo >&2 "error: both $var and $fileVar are set (but are exclusive)" exit 1 @@ -83,22 +138,32 @@ file_env() { unset "$fileVar" } +############################################################################### +# Main Entrypoint Logic +############################################################################### + +# Disable the Apache remoteip configuration if requested via environment variable. +# TODO: This probably be moved inside the main initialization/upgrade block below. if expr "$1" : "apache" 1>/dev/null; then if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then a2disconf remoteip fi fi +# Only run this block if entrypoint command is Apache|PHP-FPM, or if explicitly requested. +# TODO: This huge block should probably be broken into several discrete functions for maintainability. if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then + uid="$(id -u)" gid="$(id -g)" + + # Determine effective user and group for Nextcloud operations. if [ "$uid" = '0' ]; then case "$1" in apache2*) user="${APACHE_RUN_USER:-www-data}" group="${APACHE_RUN_GROUP:-www-data}" - - # strip off any '#' symbol ('#1000' is valid syntax for Apache) + # Strip off any '#' symbol ('#1000' is valid syntax for Apache) user="${user#'#'}" group="${group#'#'}" ;; @@ -112,104 +177,138 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP group="$gid" fi + # If REDIS_HOST is set, configure PHP sessions to use Redis. if [ -n "${REDIS_HOST+x}" ]; then - echo "Configuring Redis as session handler" - { - file_env REDIS_HOST_PASSWORD - echo 'session.save_handler = redis' - # check if redis host is an unix socket path - if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then - if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then - if [ -n "${REDIS_HOST_USER+x}" ]; then - echo "session.save_path = \"unix://${REDIS_HOST}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}\"" - else - echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\"" - fi - else - echo "session.save_path = \"unix://${REDIS_HOST}\"" - fi - # check if redis password has been set - elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then + + file_env REDIS_HOST_PASSWORD + + # Determine session.save_path depending on socket or TCP and credentials. + redis_save_path="" + first_char=$(printf '%s' "$REDIS_HOST" | cut -c1-1) + if [ "$first_char" = "/" ]; then + # Unix socket + if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then if [ -n "${REDIS_HOST_USER+x}" ]; then - echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}\"" + redis_save_path="unix://${REDIS_HOST}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}" else - echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\"" + redis_save_path="unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}" fi else - echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\"" + redis_save_path="unix://${REDIS_HOST}" fi - echo "redis.session.locking_enabled = 1" - echo "redis.session.lock_retries = -1" - # redis.session.lock_wait_time is specified in microseconds. - # Wait 10ms before retrying the lock rather than the default 2ms. - echo "redis.session.lock_wait_time = 10000" - } > /usr/local/etc/php/conf.d/redis-session.ini + elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then + # TCP with password + if [ -n "${REDIS_HOST_USER+x}" ]; then + redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}" + else + redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}" + fi + else + # TCP without password + redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}" + fi + + # Write the configuration file using a heredoc. + cat > /usr/local/etc/php/conf.d/redis-session.ini < installed version to proceed farther. + # NOTE: Also true if there is no installed version. if version_greater "$image_version" "$installed_version"; then echo "Initializing nextcloud $image_version ..." + + # Check for an already installed version that isn't in allowable upgrade jump range. if [ "$installed_version" != "0.0.0.0" ]; then if [ "${image_version%%.*}" -gt "$((${installed_version%%.*} + 1))" ]; then - echo "Can't start Nextcloud because upgrading from $installed_version to $image_version is not supported." - echo "It is only possible to upgrade one major version at a time. For example, if you want to upgrade from version 14 to 16, you will have to upgrade from version 14 to 15, then from 15 to 16." + echo "Can't start Nextcloud: upgrading from $installed_version to" + echo "$image_version is not supported." + echo "You can upgrade only one major version at a time." + echo "E.g., to upgrade from 14 to 16, first upgrade 14 to 15, then 15 to 16." exit 1 fi + # Installed version has been deemed within allow upgrade jump range... echo "Upgrading nextcloud from $installed_version ..." - run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before + run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before fi + + # Handle rsync configuration if [ "$(id -u)" = 0 ]; then rsync_options="-rlDog --chown $user:$group" else rsync_options="-rlD" fi - rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ + # Replace installed code with newer image code except for exclusions + rsync "$rsync_options" --delete --exclude-from=/upgrade.exclude \ + /usr/src/nextcloud/ /var/www/html/ + + # Utilize newer image code versions if no existing { config, data, custom_apps, themes } for dir in config data custom_apps themes; do if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ + rsync "$rsync_options" --include "/$dir/" --exclude '/*' \ + /usr/src/nextcloud/ /var/www/html/ fi done - rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/ - # Install + # Replace installed code's version.php with newer image code version + rsync "$rsync_options" --include '/version.php' --exclude '/*' \ + /usr/src/nextcloud/ /var/www/html/ + + # Install block for fresh instances. if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + # Handle initial admin credentials (if provided) file_env NEXTCLOUD_ADMIN_PASSWORD file_env NEXTCLOUD_ADMIN_USER install=false - if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then - # shellcheck disable=SC2016 - install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] \ + && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then + install_options="-n \ + --admin-user \"$NEXTCLOUD_ADMIN_USER\" \ + --admin-pass \"$NEXTCLOUD_ADMIN_PASSWORD\"" + if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then - # shellcheck disable=SC2016 - install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' + install_options="$install_options \ + --data-dir \"$NEXTCLOUD_DATA_DIR\"" fi + # Handle database configuration (if specified) file_env MYSQL_DATABASE file_env MYSQL_PASSWORD file_env MYSQL_USER @@ -219,68 +318,98 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" - # shellcheck disable=SC2016 - install_options=$install_options' --database-name "$SQLITE_DATABASE"' + install_options="$install_options \ + --database-name \"$SQLITE_DATABASE\"" install=true - elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then + elif [ -n "${MYSQL_DATABASE+x}" ] \ + && [ -n "${MYSQL_USER+x}" ] \ + && [ -n "${MYSQL_PASSWORD+x}" ] \ + && [ -n "${MYSQL_HOST+x}" ]; then echo "Installing with MySQL database" - # shellcheck disable=SC2016 - install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"' + install_options="$install_options \ + --database mysql \ + --database-name \"$MYSQL_DATABASE\" \ + --database-user \"$MYSQL_USER\" \ + --database-pass \"$MYSQL_PASSWORD\" \ + --database-host \"$MYSQL_HOST\"" install=true - elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then + elif [ -n "${POSTGRES_DB+x}" ] \ + && [ -n "${POSTGRES_USER+x}" ] \ + && [ -n "${POSTGRES_PASSWORD+x}" ] \ + && [ -n "${POSTGRES_HOST+x}" ]; then echo "Installing with PostgreSQL database" - # shellcheck disable=SC2016 - install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"' + install_options="$install_options \ + --database pgsql \ + --database-name \"$POSTGRES_DB\" \ + --database-user \"$POSTGRES_USER\" \ + --database-pass \"$POSTGRES_PASSWORD\" \ + --database-host \"$POSTGRES_HOST\"" install=true fi + # Run Nextcloud installer if we were provided enough auto-config values. + # (if not, we don't trigger the actual Nextcloud installer; the config values + # will need to be provided via the Nextcloud Installer's Web UI / wizard). if [ "$install" = true ]; then + # Trigger pre-installation hook scripts (if any) run_path pre-installation echo "Starting nextcloud installation" max_retries=10 try=0 - until [ "$try" -gt "$max_retries" ] || run_as "php /var/www/html/occ maintenance:install $install_options" + until [ "$try" -gt "$max_retries" ] || run_as \ + "$OCC maintenance:install $install_options" do echo "Retrying install..." try=$((try+1)) sleep 10s done if [ "$try" -gt "$max_retries" ]; then - echo "Installing of nextcloud failed!" + echo "Installation of nextcloud failed!" exit 1 fi + + # Configure trusted domains if provided. + # TODO: This could probably be moved elsewhere to permit reconfiguration within existing installs. if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then - echo "Setting trusted domains…" - set -f # turn off glob + echo "Setting trusted_domains…" + set -f # turn off glob NC_TRUSTED_DOMAIN_IDX=1 for DOMAIN in ${NEXTCLOUD_TRUSTED_DOMAINS}; do DOMAIN=$(echo "${DOMAIN}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') - run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\"${DOMAIN}\"" + run_as \ + "$OCC config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\"${DOMAIN}\"" NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1)) done - set +f # turn glob back on + set +f # turn glob back on fi + # Trigger post-installation hook scripts (if any) run_path post-installation - fi + fi fi - # not enough specified to do a fully automated installation + + # Not enough parameters specified to do a fully automated installation. if [ "$install" = false ]; then echo "Next step: Access your instance to finish the web-based installation!" - echo "Hint: You can specify NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD and the database variables _prior to first launch_ to fully automate initial installation." + echo "Hint: Set NEXTCLOUD_ADMIN_USER, NEXTCLOUD_ADMIN_PASSWORD, and DB vars" + echo "before first launch to fully automate initial installation." fi - # Upgrade + + # Upgrade path for existing instances. else + # Trigger pre-upgrade hook scripts (if any) run_path pre-upgrade - run_as 'php /var/www/html/occ upgrade' + run_as "$OCC upgrade" - run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after + run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after echo "The following apps have been disabled:" - diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1 + diff /tmp/list_before /tmp/list_after \ + | grep '<' | cut -d- -f2 | cut -d: -f1 rm -f /tmp/list_before /tmp/list_after + # Trigger post-upgrade hook scripts (if any) run_path post-upgrade fi @@ -288,23 +417,32 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP fi # Update htaccess after init if requested - if [ -n "${NEXTCLOUD_INIT_HTACCESS+x}" ] && [ "$installed_version" != "0.0.0.0" ]; then - run_as 'php /var/www/html/occ maintenance:update:htaccess' + if [ -n "${NEXTCLOUD_INIT_HTACCESS+x}" ] \ + && [ "$installed_version" != "0.0.0.0" ]; then + run_as "$OCC maintenance:update:htaccess" fi ) 9> /var/www/html/nextcloud-init-sync.lock - # warn if config files on persistent storage differ from the latest version of this image + # Warn the user if any config files in persistent storage differ from the image defaults. for cfgPath in /usr/src/nextcloud/config/*.php; do cfgFile=$(basename "$cfgPath") - if [ "$cfgFile" != "config.sample.php" ] && [ "$cfgFile" != "autoconfig.php" ]; then + if [ "$cfgFile" != "config.sample.php" ] \ + && [ "$cfgFile" != "autoconfig.php" ]; then if ! cmp -s "/usr/src/nextcloud/config/$cfgFile" "/var/www/html/config/$cfgFile"; then - echo "Warning: /var/www/html/config/$cfgFile differs from the latest version of this image at /usr/src/nextcloud/config/$cfgFile" + echo "Warning: /var/www/html/config/$cfgFile differs from the image default at" + echo " /usr/src/nextcloud/config/$cfgFile" fi fi done + # Trigger before-starting hook scripts (if any) run_path before-starting fi +############################################################################### +# Handoff to Main Container Process +############################################################################### + +# Hand off to the main container process (e.g., Apache, php-fpm, etc.) exec "$@" From 5f9b92814bfc0ed55dd0933d2ad8e1be71aeff20 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 23 Sep 2025 12:29:38 -0400 Subject: [PATCH 2/5] docs: explain persistent volume usage for code + misc Also: Implement rsync_wrapper for safer rsync usage and reformat rsync usage for greater readability. Signed-off-by: Josh --- docker-entrypoint.sh | 120 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 104 insertions(+), 16 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 4db5ea564..836c629aa 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -138,6 +138,28 @@ file_env() { unset "$fileVar" } +############################################################################### +# rsync_wrapper +# Helper to invoke rsync with the appropriate options depending on user/group. +# Arguments: +# $@ - Additional rsync arguments and paths. +# Globals: +# user - Username to use for chown (when running as root). +# Returns: the exit code of the rsync command. +# +# Handles: +# - SC2086 and word-splitting safely +# - DRY invocation of rsync for all sync operations +############################################################################### +rsync_wrapper() { + if [ "$(id -u)" = 0 ]; then + set -- -rlDog --chown "$user:$group" "$@" + else + set -- -rlD "$@" + fi + rsync "$@" +} + ############################################################################### # Main Entrypoint Logic ############################################################################### @@ -265,30 +287,95 @@ EOF run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before fi - # Handle rsync configuration - if [ "$(id -u)" = 0 ]; then - rsync_options="-rlDog --chown $user:$group" - else - rsync_options="-rlD" - fi - - # Replace installed code with newer image code except for exclusions - rsync "$rsync_options" --delete --exclude-from=/upgrade.exclude \ - /usr/src/nextcloud/ /var/www/html/ - - # Utilize newer image code versions if no existing { config, data, custom_apps, themes } + # Deploy image code onto the persistent storage volume. + ########################################################################################## + # Why we copy Nextcloud code from the image to persistent storage + # + # Nextcloud's application directory needs to be on persistent storage, not just inside + # the container's writable/read-only layers. This ensures: + # - All code and changes survive container restarts and replacements. + # - Clustering (using multiple containers with shared data) functions as expected. + # - Nextcloud can safely modify, add, or remove files (mainly under config/, data/, apps/, + # custom_apps/) during normal operation. + # - Upgrades, apps, and troubleshooting work reliably. + # + # The container’s writable layer is temporary and unique to each container. Changes made there + # are lost if the container is removed and are not shared between containers. + # + # This approach follows Nextcloud's official installation conventions and is necessary for + # robust container deployments. + # + # Note: + # - Actual file changes are typically limited to config/, data/, apps/, and custom_apps/ + # in a standard setup (so there may be some room for improvement here). + # + # TODO: + # - Consider ways to further streamline this process upstream. + # - Investigate separating truly read-only folders from writable ones. + ########################################################################################## + + # Replace installed code with newer image code except for exclusions. + # + # Risks & Considerations: + # - Deleting files not listed in the exclusions file could remove legitimate Nextcloud data + # if users overlook documentation or misconfigure persistent storage. + # - Using rsync (cp would be similar) are slow on NFS and other network filesystems, + # sometimes merely annoyingly; sometimes unacceptably. + # + # Alternative Approaches: + # - Warn if we detect unexpected files that would be deleted, but avoid a hard error to + # allow legitimate Nextcloud files/folders. + # - A dry-run mode with a hard error would prevent mistakes, but also block valid upgrades. + # - Batching files with tar on both ends of a pipe might help with performance. + # + # TODO: + # - Print a warning if non-excluded files are detected for deletion. + # - Investigate a middle ground between safety (preventing accidental deletion) + # and usability (supporting easy upgrades). + # - Consider batching file transfers for better performance on network filesystems. + # + # Notes: + # - The current rsync approach works for local filesystems but may be slow or appear + # to hang on networked storage. + + rsync_wrapper \ + --delete \ + --exclude-from=/upgrade.exclude \ + /usr/src/nextcloud/ \ + /var/www/html/ + + # Copy newer image code for the following directories ONLY if they do not exist or are empty: + # - config/ + # - data/ + # - custom_apps/ + # - themes/ + # + # TODO: + # - Consider updating only 'themes/' here, and move handling of 'config/', 'data/', and + # 'custom_apps/' into the install block. These directories should not be modified during a + # regular update/upgrade. + # - Review whether this change would cause any unexpected behavior or introduce breaking + # changes. + for dir in config data custom_apps themes; do if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync "$rsync_options" --include "/$dir/" --exclude '/*' \ - /usr/src/nextcloud/ /var/www/html/ + rsync_wrapper \ + --include "/$dir/" \ + --exclude '/*' \ + /usr/src/nextcloud/ \ + /var/www/html/ fi done # Replace installed code's version.php with newer image code version - rsync "$rsync_options" --include '/version.php' --exclude '/*' \ - /usr/src/nextcloud/ /var/www/html/ + rsync_wrapper \ + --include '/version.php' \ + --exclude '/*' \ + /usr/src/nextcloud/ \ + /var/www/html/ # Install block for fresh instances. + # TODO: Consider moving install block to a dedicated function if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" @@ -397,6 +484,7 @@ EOF fi # Upgrade path for existing instances. + # TODO: Consider moving upgrade block to a dedicated function else # Trigger pre-upgrade hook scripts (if any) run_path pre-upgrade From 0964eb06eb0a91ffe131c550d523ea449b8d2c65 Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 25 Sep 2025 00:59:47 -0400 Subject: [PATCH 3/5] Refactor docker-entrypoint.sh for clarity and organization Refactor docker-entrypoint.sh to improve readability and organization while maintaining backwards compatibility. Signed-off-by: Josh --- docker-entrypoint.sh | 690 ++++++++++++++++++++++++++++--------------- 1 file changed, 459 insertions(+), 231 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 836c629aa..055972c0e 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -4,7 +4,7 @@ set -eu ############################################################################### # Entrypoint script for Nextcloud Docker container ############################################################################### - +# # Handles container-specific operations such as initialization, automatic configuration, # user/group ID management, and setup checks. Also runs Nextcloud Server’s built-in # installation and upgrade routines in a way that fits the container environment. @@ -14,41 +14,240 @@ set -eu # of select parameters via environment variables - except NEXTCLOUD_TRUSTED_DOMAINS # and those set by the Nextcloud installer. # -# REMINDER: This script must work with non-interactive, POSIX-compliant shells used in our -# images. Do not use Bash-specific syntax ("bashisms"): /bin/sh is always either 'ash' -# (BusyBox) or 'dash' (Debian), not Bash. Stick to standard POSIX shell features. -# Resources for writing portable shell scripts: +# See README.md for more details and usage examples: +# https://github.com/nextcloud/docker?tab=readme-ov-file +# +# REMINDER (to modifiers/contributors): This script must work with non-interactive, +# POSIX-compliant shells used in our images. Do not use Bash-specific syntax ("bashisms"): +# /bin/sh is always either 'ash' (BusyBox) or 'dash' (Debian), not Bash. Stick to standard +# POSIX shell features. Resources for writing portable shell scripts: # - checkbashisms (Alpine: checkbashisms; Debian: devscripts) # - https://mywiki.wooledge.org/Bashism # - https://www.shellcheck.net/ # Same also applies to any commands called too (e.g., GNU find versus Busybox find). +############################################################################### +# Supported Environment Variables +# +# NEXTCLOUD_ADMIN_USER - Username for initial admin account (install only) +# NEXTCLOUD_ADMIN_PASSWORD - Password for initial admin account (install only) +# NEXTCLOUD_TRUSTED_DOMAINS - Space-separated list of trusted domains +# NEXTCLOUD_DATA_DIR - Path to Nextcloud data directory +# MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD, MYSQL_HOST +# POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_HOST +# SQLITE_DATABASE +# REDIS_HOST, REDIS_HOST_USER, REDIS_HOST_PASSWORD, REDIS_HOST_PORT +# APACHE_RUN_USER, APACHE_RUN_GROUP +# APACHE_DISABLE_REWRITE_IP - If present, disables Apache remoteip module +# NEXTCLOUD_UPDATE - If set (e.g., to 1), forces update logic +# NEXTCLOUD_INIT_HTACCESS - If set, runs htaccess maintenance after upgrade +# *_FILE variants for secrets - For sensitive values, use *_FILE pattern with Docker secrets +############################################################################### + ############################################################################### # Utility Functions ############################################################################### +# The entrypoint command's first argument +ENTRYPOINT_ARGV1="${1:-}" + +# OCC # Command for running `occ` OCC="php /var/www/html/occ" +############################################################################### # version_greater # Compare two version strings (A and B). # Arguments: # $1: Version string A # $2: Version string B # Returns: 0 (true) if version A is greater than B; 1 (false) otherwise. +############################################################################### version_greater() { [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ] } +############################################################################### +# version_greater_major +# Compare major version numbers of two version strings. +# Arguments: +# $1: Version string A (e.g., "18.0.4") +# $2: Version string B (e.g., "16.0.7") +# $3: Delta (e.g., 1 for "at most one major ahead") +# Returns: 0 (true) if major version of A > major version of B + delta; 1 (false) otherwise. +############################################################################### +version_greater_major() { + major_a="${1%%.*}" + major_b="${2%%.*}" + delta="${3:-0}" + [ "$major_a" -gt "$((major_b + delta))" ] +} + +############################################################################### # directory_empty # Check if a directory is empty. # Arguments: # $1: Directory path. # Returns: 0 (true) if directory is empty; 1 (false) otherwise. +############################################################################### directory_empty() { [ -z "$(ls -A "$1/")" ] } +############################################################################### +# is_root +# Check if the current process is running as root. +# Arguments: none (uses $uid global). +# Returns: 0 (true) if running as root (UID 0), 1 (false) otherwise. +############################################################################### +is_root() { + [ "$uid" -eq 0 ] +} + +############################################################################### +# is_apache +# Check if the script's first argument indicates Apache. +# Arguments: none (uses ENTRYPOINT_ARGV1). +# Returns: 0 (true) if $1 matches "apache" or starts with "apache2", 1 (false) otherwise. +############################################################################### +is_apache() { + case "$ENTRYPOINT_ARGV1" in + apache|apache2*) + return 0 + ;; + *) + return 1 + ;; + esac +} + +############################################################################### +# is_php_fpm +# Check if the script's first argument indicates PHP-FPM. +# Arguments: none (uses ENTRYPOINT_ARGV1). +# Returns: 0 (true) if $1 starts with "php-fpm", 1 (false) otherwise. +############################################################################### +is_php_fpm() { + case "$ENTRYPOINT_ARGV1" in + php-fpm*) + return 0 + ;; + *) + return 1 + ;; + esac +} + +############################################################################### +# set_user_group +# Sets global $user and $group variables according to the entrypoint command and UID/GID context. +# Arguments: none. Uses is_root, is_apache, is_php_fpm, $APACHE_RUN_USER, $APACHE_RUN_GROUP, $uid, $gid. +# Sets: $user, $group, $uid, $gid. +############################################################################### +set_user_group() { + user='www-data' + group='www-data' + uid="$(id -u)" + gid="$(id -g)" + + if is_root; then + if is_apache; then + user="${APACHE_RUN_USER:-www-data}" + group="${APACHE_RUN_GROUP:-www-data}" + # Apache config may specify user/group as "#1000", so remove leading '#' if present + user="${user#'#'}" + group="${group#'#'}" + elif is_php_fpm; then + user='www-data' + group='www-data' + fi + else + user="$uid" + group="$gid" + fi +} + +############################################################################### +# configure_redis_session_handler +# Configures PHP sessions to use Redis if REDIS_HOST is set. +# Arguments: none. Uses env vars. +############################################################################### +configure_redis_session_handler() { + if [ -n "${REDIS_HOST+x}" ]; then + echo "Configuring Redis as session handler" + + file_env REDIS_HOST_PASSWORD + + # Determine the prefix for REDIS_HOST to decide between Unix socket and TCP connection + first_char=$(printf '%s' "$REDIS_HOST" | cut -c1-1) + if [ "$first_char" = "/" ]; then + # Using Unix socket for Redis connection + if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then + if [ -n "${REDIS_HOST_USER+x}" ]; then + redis_save_path="unix://${REDIS_HOST}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}" + else + redis_save_path="unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}" + fi + else + redis_save_path="unix://${REDIS_HOST}" + fi + elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then + # Using TCP connection with password + if [ -n "${REDIS_HOST_USER+x}" ]; then + redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}" + else + redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}" + fi + else + # Using TCP connection without password + redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}" + fi + + # Write the configuration file using a heredoc. + cat > /usr/local/etc/php/conf.d/redis-session.ini </dev/null; then - if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then - a2disconf remoteip +############################################################################### +# set_trusted_domains +# Configure Nextcloud trusted domains from environment variable. +# Arguments: none (uses NEXTCLOUD_TRUSTED_DOMAINS global) +# Trusted domains are set during installation. Changing them after install may break existing clients. +############################################################################### +set_trusted_domains() { + if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then + # turn off glob + set -f + NC_TRUSTED_DOMAIN_IDX=1 + for DOMAIN in ${NEXTCLOUD_TRUSTED_DOMAINS}; do + DOMAIN=$(echo "${DOMAIN}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') + run_as \ + "$OCC config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\"${DOMAIN}\"" + NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1)) + done + # turn glob back on + set +f fi -fi +} -# Only run this block if entrypoint command is Apache|PHP-FPM, or if explicitly requested. -# TODO: This huge block should probably be broken into several discrete functions for maintainability. -if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then +############################################################################### +# show_disabled_apps +# Display apps disabled after upgrade. +# Arguments: none (uses /tmp/list_before and /tmp/list_after) +############################################################################### +show_disabled_apps() { + echo "The following apps have been disabled:" + diff /tmp/list_before /tmp/list_after \ + | grep '<' | cut -d- -f2 | cut -d: -f1 + rm -f /tmp/list_before /tmp/list_after +} - uid="$(id -u)" - gid="$(id -g)" +############################################################################### +# warn_config_diffs +# Warn if config files in persistent storage differ from image defaults. +# Arguments: none. +############################################################################### +warn_config_diffs() { + for cfgPath in /usr/src/nextcloud/config/*.php; do + cfgFile=$(basename "$cfgPath") + if [ "$cfgFile" != "config.sample.php" ] \ + && [ "$cfgFile" != "autoconfig.php" ]; then + if ! cmp -s "/usr/src/nextcloud/config/$cfgFile" "/var/www/html/config/$cfgFile"; then + echo "Warning: /var/www/html/config/$cfgFile differs from the image default at" + echo " /usr/src/nextcloud/config/$cfgFile" + fi + fi + done +} - # Determine effective user and group for Nextcloud operations. - if [ "$uid" = '0' ]; then - case "$1" in - apache2*) - user="${APACHE_RUN_USER:-www-data}" - group="${APACHE_RUN_GROUP:-www-data}" - # Strip off any '#' symbol ('#1000' is valid syntax for Apache) - user="${user#'#'}" - group="${group#'#'}" - ;; - *) # php-fpm - user='www-data' - group='www-data' - ;; - esac - else - user="$uid" - group="$gid" +############################################################################### +# assemble_db_install_options +# Sets database related install_options for the Nextcloud installer, and set trigger_installer flag if config is sufficient. +# Arguments: none (uses env vars) +# Sets: install_options (global), trigger_installer (global) +############################################################################### +assemble_db_install_options() { + + # Handle database configuration (if specified) + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + + if [ -n "${SQLITE_DATABASE+x}" ]; then + echo "Installing with SQLite database" + install_options="$install_options \ + --database-name \"$SQLITE_DATABASE\"" + # We have enough for the automated installer; indicate we can bypass the Installation Wizard + trigger_installer=true + elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then + echo "Installing with MySQL database" + install_options="$install_options \ + --database mysql \ + --database-name \"$MYSQL_DATABASE\" \ + --database-user \"$MYSQL_USER\" \ + --database-pass \"$MYSQL_PASSWORD\" \ + --database-host \"$MYSQL_HOST\"" + # We have enough for the automated installer; indicate we can bypass the Installation Wizard + trigger_installer=true + elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then + echo "Installing with PostgreSQL database" + install_options="$install_options \ + --database pgsql \ + --database-name \"$POSTGRES_DB\" \ + --database-user \"$POSTGRES_USER\" \ + --database-pass \"$POSTGRES_PASSWORD\" \ + --database-host \"$POSTGRES_HOST\"" + # We have enough for the automated installer; indicate we can bypass the Installation Wizard + trigger_installer=true fi +} - # If REDIS_HOST is set, configure PHP sessions to use Redis. - if [ -n "${REDIS_HOST+x}" ]; then - echo "Configuring Redis as session handler" +############################################################################### +# run_nextcloud_installer +# Runs the Nextcloud command-line installer with retry logic for DB startup delays. +# Arguments: +# $1: install options string (quoted) +# Globals: +# OCC, user +############################################################################### +run_nextcloud_installer() { + echo "Starting nextcloud installation" + # Retry Nextcloud installation up to 10 times to handle possible database startup delays + # TODO: + # - Handle this better somehow and/or handle upstream. + # - Confirm these retries are still even needed. + max_retries=10 + try=0 + until [ "$try" -gt "$max_retries" ] || run_as \ + "$OCC maintenance:install $1" + do + echo "Retrying install..." + try=$((try+1)) + sleep 10s + done + if [ "$try" -gt "$max_retries" ]; then + echo "Installation of nextcloud failed!" + exit 1 + fi +} - file_env REDIS_HOST_PASSWORD +############################################################################### +# Main Entrypoint Logic +############################################################################### - # Determine session.save_path depending on socket or TCP and credentials. - redis_save_path="" - first_char=$(printf '%s' "$REDIS_HOST" | cut -c1-1) - if [ "$first_char" = "/" ]; then - # Unix socket - if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then - if [ -n "${REDIS_HOST_USER+x}" ]; then - redis_save_path="unix://${REDIS_HOST}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}" - else - redis_save_path="unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}" - fi - else - redis_save_path="unix://${REDIS_HOST}" - fi - elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then - # TCP with password - if [ -n "${REDIS_HOST_USER+x}" ]; then - redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}" - else - redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}" - fi - else - # TCP without password - redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}" - fi +# Permit disabling of the Apache remoteip configuration. +if is_apache && [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + echo "Disabling Apache IP rewrite (APACHE_DISABLE_REWRITE=1 specified)" + echo "See https://github.com/nextcloud/docker?tab=readme-ov-file#using-the-image-behind-a-reverse-proxy-and-specifying-the-server-host-and-protocol" + a2disconf remoteip +fi - # Write the configuration file using a heredoc. - cat > /usr/local/etc/php/conf.d/redis-session.ini < installed version to proceed farther. - # NOTE: Also true if there is no installed version. - if version_greater "$image_version" "$installed_version"; then + # Instalization block. + # - Initialization is only for new installs or upgrades. + # - Bypassed if there's nothing to do + if ! is installed || version_greater "$image_version" "$installed_version"; then echo "Initializing nextcloud $image_version ..." - # Check for an already installed version that isn't in allowable upgrade jump range. - if [ "$installed_version" != "0.0.0.0" ]; then - if [ "${image_version%%.*}" -gt "$((${installed_version%%.*} + 1))" ]; then - echo "Can't start Nextcloud: upgrading from $installed_version to" - echo "$image_version is not supported." - echo "You can upgrade only one major version at a time." - echo "E.g., to upgrade from 14 to 16, first upgrade 14 to 15, then 15 to 16." - exit 1 - fi - # Installed version has been deemed within allow upgrade jump range... + # A prior version is already installed, and has been deemed within allowed upgrade jump range so proceed. + if is_installed; then echo "Upgrading nextcloud from $installed_version ..." + # Save pre-upgrade enabled/disabled apps list + # TODO: Determine if tracking app list is still relevant run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before fi - # Deploy image code onto the persistent storage volume. + # Code deployment block. + # - Deploys image code onto the persistent storage volume + # TODO: Move code deployment block (below) to its own function(s) + ########################################################################################## - # Why we copy Nextcloud code from the image to persistent storage + # Why we copy Nextcloud code from the image to persistent storage... # # Nextcloud's application directory needs to be on persistent storage, not just inside # the container's writable/read-only layers. This ensures: @@ -337,8 +635,7 @@ EOF # Notes: # - The current rsync approach works for local filesystems but may be slow or appear # to hang on networked storage. - - rsync_wrapper \ + rsync \ --delete \ --exclude-from=/upgrade.exclude \ /usr/src/nextcloud/ \ @@ -350,25 +647,22 @@ EOF # - custom_apps/ # - themes/ # + # We only copy these directories if they're missing or empty, to avoid overwriting + # user data. This is especially important for config and data directories. + # # TODO: - # - Consider updating only 'themes/' here, and move handling of 'config/', 'data/', and - # 'custom_apps/' into the install block. These directories should not be modified during a - # regular update/upgrade. - # - Review whether this change would cause any unexpected behavior or introduce breaking - # changes. - + # - Consider updating only 'themes/' here, and move handling of 'config/', 'data/', and 'custom_apps/' + # into the install block. These directories should not be modified during a regular update/upgrade. + # - Review whether modifying these directories outside of installation could cause data loss or unexpected behavior. for dir in config data custom_apps themes; do - if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync_wrapper \ - --include "/$dir/" \ - --exclude '/*' \ - /usr/src/nextcloud/ \ - /var/www/html/ - fi + copy_if_missing_or_empty \ + "$dir" \ + "/usr/src/nextcloud" \ + "/var/www/html" done - # Replace installed code's version.php with newer image code version - rsync_wrapper \ + # Replace installed code's version.php with newer image code version + rsync \ --include '/version.php' \ --exclude '/*' \ /usr/src/nextcloud/ \ @@ -376,17 +670,21 @@ EOF # Install block for fresh instances. # TODO: Consider moving install block to a dedicated function - if [ "$installed_version" = "0.0.0.0" ]; then + if ! is_installed; then echo "New nextcloud instance" + # Base options for Nextcloud's command-line installer + # TODO: Consider enabling verbose mode too + install_options="--no-interaction" + # Tracks whether we have enough automatic configuration parameters to bypass the Installation Wizard + trigger_installer=false + # Handle initial admin credentials (if provided) - file_env NEXTCLOUD_ADMIN_PASSWORD file_env NEXTCLOUD_ADMIN_USER + file_env NEXTCLOUD_ADMIN_PASSWORD - install=false - if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] \ - && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then - install_options="-n \ + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then + install_options="$install_options \ --admin-user \"$NEXTCLOUD_ADMIN_USER\" \ --admin-pass \"$NEXTCLOUD_ADMIN_PASSWORD\"" @@ -395,107 +693,51 @@ EOF --data-dir \"$NEXTCLOUD_DATA_DIR\"" fi - # Handle database configuration (if specified) - file_env MYSQL_DATABASE - file_env MYSQL_PASSWORD - file_env MYSQL_USER - file_env POSTGRES_DB - file_env POSTGRES_PASSWORD - file_env POSTGRES_USER + # Assemble the database autoconfiguration options (if any) + assemble_db_install_options - if [ -n "${SQLITE_DATABASE+x}" ]; then - echo "Installing with SQLite database" - install_options="$install_options \ - --database-name \"$SQLITE_DATABASE\"" - install=true - elif [ -n "${MYSQL_DATABASE+x}" ] \ - && [ -n "${MYSQL_USER+x}" ] \ - && [ -n "${MYSQL_PASSWORD+x}" ] \ - && [ -n "${MYSQL_HOST+x}" ]; then - echo "Installing with MySQL database" - install_options="$install_options \ - --database mysql \ - --database-name \"$MYSQL_DATABASE\" \ - --database-user \"$MYSQL_USER\" \ - --database-pass \"$MYSQL_PASSWORD\" \ - --database-host \"$MYSQL_HOST\"" - install=true - elif [ -n "${POSTGRES_DB+x}" ] \ - && [ -n "${POSTGRES_USER+x}" ] \ - && [ -n "${POSTGRES_PASSWORD+x}" ] \ - && [ -n "${POSTGRES_HOST+x}" ]; then - echo "Installing with PostgreSQL database" - install_options="$install_options \ - --database pgsql \ - --database-name \"$POSTGRES_DB\" \ - --database-user \"$POSTGRES_USER\" \ - --database-pass \"$POSTGRES_PASSWORD\" \ - --database-host \"$POSTGRES_HOST\"" - install=true - fi - - # Run Nextcloud installer if we were provided enough auto-config values. - # (if not, we don't trigger the actual Nextcloud installer; the config values - # will need to be provided via the Nextcloud Installer's Web UI / wizard). - if [ "$install" = true ]; then + # If all required configuration values are provided, run the Nextcloud command-line installer + # automatically. Otherwise, skip the installer and require the user to complete setup through + # the web-based Installation Wizard. Any missing configuration must be entered in the web UI. + if [ "$trigger_installer" = true ]; then + # Trigger pre-installation hook scripts (if any) run_path pre-installation - echo "Starting nextcloud installation" - max_retries=10 - try=0 - until [ "$try" -gt "$max_retries" ] || run_as \ - "$OCC maintenance:install $install_options" - do - echo "Retrying install..." - try=$((try+1)) - sleep 10s - done - if [ "$try" -gt "$max_retries" ]; then - echo "Installation of nextcloud failed!" - exit 1 - fi - - # Configure trusted domains if provided. + # Run the Nextcloud command-line installer + run_nextcloud_installer "$install_options" + + # Configure trusted domains (if specified). # TODO: This could probably be moved elsewhere to permit reconfiguration within existing installs. - if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then - echo "Setting trusted_domains…" - set -f # turn off glob - NC_TRUSTED_DOMAIN_IDX=1 - for DOMAIN in ${NEXTCLOUD_TRUSTED_DOMAINS}; do - DOMAIN=$(echo "${DOMAIN}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') - run_as \ - "$OCC config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\"${DOMAIN}\"" - NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1)) - done - set +f # turn glob back on - fi - - # Trigger post-installation hook scripts (if any) + set_trusted_domains + + # Trigger post-installation hook scripts (if any) run_path post-installation fi fi - # Not enough parameters specified to do a fully automated installation. - if [ "$install" = false ]; then + # Not enough parameters specified to do an automated installation. + if [ "$trigger_installer" = false ]; then echo "Next step: Access your instance to finish the web-based installation!" echo "Hint: Set NEXTCLOUD_ADMIN_USER, NEXTCLOUD_ADMIN_PASSWORD, and DB vars" echo "before first launch to fully automate initial installation." fi # Upgrade path for existing instances. - # TODO: Consider moving upgrade block to a dedicated function - else + # TODO: Consider moving upgrade block to a dedicated function. + else # (i.e. is_installed) + # Trigger pre-upgrade hook scripts (if any) run_path pre-upgrade + # Run Nextcloud database upgrades (and other non-code changes) run_as "$OCC upgrade" + # Save post-upgrade enabled/disabled apps list. + # This is used to determine if there were problematic app upgrades. run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after - echo "The following apps have been disabled:" - diff /tmp/list_before /tmp/list_after \ - | grep '<' | cut -d- -f2 | cut -d: -f1 - rm -f /tmp/list_before /tmp/list_after + # Show differences in post-upgrade enabled/disabled apps + show_disabled_apps # Trigger post-upgrade hook scripts (if any) run_path post-upgrade @@ -506,25 +748,12 @@ EOF # Update htaccess after init if requested if [ -n "${NEXTCLOUD_INIT_HTACCESS+x}" ] \ - && [ "$installed_version" != "0.0.0.0" ]; then + && is_installed; then run_as "$OCC maintenance:update:htaccess" fi ) 9> /var/www/html/nextcloud-init-sync.lock - # Warn the user if any config files in persistent storage differ from the image defaults. - for cfgPath in /usr/src/nextcloud/config/*.php; do - cfgFile=$(basename "$cfgPath") - - if [ "$cfgFile" != "config.sample.php" ] \ - && [ "$cfgFile" != "autoconfig.php" ]; then - if ! cmp -s "/usr/src/nextcloud/config/$cfgFile" "/var/www/html/config/$cfgFile"; then - echo "Warning: /var/www/html/config/$cfgFile differs from the image default at" - echo " /usr/src/nextcloud/config/$cfgFile" - fi - fi - done - - # Trigger before-starting hook scripts (if any) + warn_config_diffs run_path before-starting fi @@ -532,5 +761,4 @@ fi # Handoff to Main Container Process ############################################################################### -# Hand off to the main container process (e.g., Apache, php-fpm, etc.) exec "$@" From bb8c48a65abc448e990092bc875be5e370639f7a Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 25 Sep 2025 08:14:58 -0400 Subject: [PATCH 4/5] chore: Fix typo in is_installed check refactor Signed-off-by: Josh --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 055972c0e..11ab0db89 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -571,7 +571,7 @@ if is_apache || is_php_fpm || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then # Instalization block. # - Initialization is only for new installs or upgrades. # - Bypassed if there's nothing to do - if ! is installed || version_greater "$image_version" "$installed_version"; then + if ! is_installed || version_greater "$image_version" "$installed_version"; then echo "Initializing nextcloud $image_version ..." # A prior version is already installed, and has been deemed within allowed upgrade jump range so proceed. From 63091f3e47267b10e89ccad4f2d447adc93bb663 Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 25 Sep 2025 09:06:34 -0400 Subject: [PATCH 5/5] fix: debug final exec Signed-off-by: Josh --- docker-entrypoint.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 11ab0db89..85ab9b9f5 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -438,6 +438,8 @@ warn_config_diffs() { # Sets database related install_options for the Nextcloud installer, and set trigger_installer flag if config is sufficient. # Arguments: none (uses env vars) # Sets: install_options (global), trigger_installer (global) +# TODO: More properly handle arguments/splitting (will require some refactoring elsewhere including run_as/run_as calls) +# TODO: Switch to using more proper `=` instead of whitespace between long options and their respective values ############################################################################### assemble_db_install_options() { @@ -569,8 +571,8 @@ if is_apache || is_php_fpm || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then fi # Instalization block. - # - Initialization is only for new installs or upgrades. - # - Bypassed if there's nothing to do + # - Initialization is only for new installs or (valid) upgrade scenarios. + # - Bypassed if there's nothing to do (or blocked above before we even get here) if ! is_installed || version_greater "$image_version" "$installed_version"; then echo "Initializing nextcloud $image_version ..." @@ -753,7 +755,10 @@ if is_apache || is_php_fpm || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then fi ) 9> /var/www/html/nextcloud-init-sync.lock + # Check (and warn about) Nextcloud persistent storage `config/` files that are out-of-date with image version warn_config_diffs + + # Trigger before-starting hook scripts (if any) run_path before-starting fi @@ -761,4 +766,6 @@ fi # Handoff to Main Container Process ############################################################################### +set -x +echo "Handing off via exec: $@" exec "$@"