From 97df65e9efd1951639f2451d5eb99c9077fa8de0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 11 Nov 2022 13:56:04 +0100
Subject: [PATCH 1/6] Switch to GrapheneOS's hardened_malloc
This was suggested during the dev meeting of the 18/09/22. It may break things and it may make things unbearably slow
---
 core/base/Dockerfile | 3 ++-
 towncrier/newsfragments/2525.feature | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 towncrier/newsfragments/2525.feature
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index d5be6a90..242fd060 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -12,7 +12,8 @@ ARG MAILU_GID=1000
 RUN set -euxo pipefail \
 ; addgroup -Sg ${MAILU_GID} mailu \
 ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \
- ; apk add --no-cache bash ca-certificates curl python3 tzdata
+ ; apk add --no-cache bash ca-certificates curl python3 tzdata \
+ ; apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc
 WORKDIR /app
diff --git a/towncrier/newsfragments/2525.feature b/towncrier/newsfragments/2525.feature
new file mode 100644
index 00000000..634733c7
--- /dev/null
+++ b/towncrier/newsfragments/2525.feature
@@ -0,0 +1 @@
+Switch to GrapheneOS's hardened_malloc
From f11c4514031571f3b56801958a422da358d819c2 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 11 Nov 2022 14:12:54 +0100
Subject: [PATCH 2/6] Restrict it to arch where there is a package
---
 core/base/Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 242fd060..ad9dfa57 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
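Review bot: The added `; apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc` installs an unpinned package from Alpine's testing repository into what the surrounding `apk add --no-cache` line suggests is a stable-release base, so each rebuild can pick up a different hardened-malloc build together with any edge-only dependency it acquires. apk verifies package signatures, so the plain-http URL is not an integrity gap by itself, but the install only succeeds if the key signing edge/testing packages is already present under `/etc/apk/keys` in the base image, which should be confirmed rather than assumed. Consider pinning the package, e.g. `hardened-malloc=<PINNED_VERSION>` (placeholder), and adding a comment stating why a testing repository is used so the dependency on unsupported packages stays visible. Nothing in this commit loads the library yet; the RUN instruction continues past the hunk.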
@@ -13,7 +13,12 @@ RUN set -euxo pipefail \
 ; addgroup -Sg ${MAILU_GID} mailu \
 ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \
 ; apk add --no-cache bash ca-certificates curl python3 tzdata \
- ; apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc
+ ; machine="$(uname -m)" \
+ ; ( [[ "${machine}" == x86_64 ]] || \
+ [[ "${machine}" == armv8* ]] || \
+ [[ "${machine}" == aarch64 ]] ) && \
+ echo "Installing hardened-malloc" && \
+ apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc
 WORKDIR /app
From 455180043d03fda9a906e38e5b85776db9011bad Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 14 Nov 2022 09:34:43 +0100
Subject: [PATCH 3/6] doh
---
 core/base/Dockerfile | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index ad9dfa57..8e25d428 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -14,11 +14,17 @@ RUN set -euxo pipefail \
 ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \
 ; apk add --no-cache bash ca-certificates curl python3 tzdata \
 ; machine="$(uname -m)" \
- ; ( [[ "${machine}" == x86_64 ]] || \
- [[ "${machine}" == armv8* ]] || \
- [[ "${machine}" == aarch64 ]] ) && \
- echo "Installing hardened-malloc" && \
- apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc
+ ; if [[ "${machine}" == x86_64 || "${machine}" == armv8* || "${machine}" == aarch64 ]] \
+ ; then \
+ echo "Installing hardened-malloc" \
+ ; apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc \
+ ; else \
+ echo "Faking the install of hardened-malloc" \
+ ; cp /lib/ld-musl-${machine}.so.1 /usr/lib/libhardened_malloc.so \
+ ; touch /usr/lib/libhardened_malloc.so.faked \
+ ; fi
+
+ENV LD_PRELOAD=/usr/lib/libhardened_malloc.so
 WORKDIR /app
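Review bot: The architecture gate `; machine="$(uname -m)"` keys on the kernel's machine string rather than on the architecture apk installs for, so a 32-bit armhf/armv7 image built on an arm64 kernel reports `armv8l`, matches the `armv8*` pattern, and asks apk for a hardened-malloc package that may not exist for that userland. `apk --print-arch` reports the arch apk actually uses and is the more reliable key, e.g. `; machine="$(apk --print-arch)"` with the patterns adjusted to apk's names (`x86_64`, `aarch64`, `armv7`). The same `uname -m` gate is carried into the next commit's if-condition, so the change applies there too. The RUN instruction begins before the hunk.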
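Review bot: `ENV LD_PRELOAD=/usr/lib/libhardened_malloc.so` is image-wide: it is inherited by every derived image and injected into every process, including later `RUN` steps, entrypoints and interactive debugging shells, yet nothing in the hunk records that or how to rule the allocator out when something breaks, which the commit message already anticipates. A comment above the ENV would help, e.g. `# hardened_malloc is injected into every process via LD_PRELOAD; run with LD_PRELOAD= to rule it out when debugging crashes or slowdowns`. The else branch preloads a copy of musl's own loader under the allocator's name and leaves a `.faked` marker that nothing in the hunk reads; whether the musl dynamic linker tolerates that preload is not something I can confirm from here, so it reads as a placeholder rather than a supported path. The RUN instruction begins outside the hunk.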
From 9b2f018be615400ed78befdcdd6649e8b815fa8d Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 15 Nov 2022 09:09:47 +0100
Subject: [PATCH 4/6] add --no-cache
---
 core/base/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 8e25d428..683f718f 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -17,7 +17,7 @@ RUN set -euxo pipefail \
 ; if [[ "${machine}" == x86_64 || "${machine}" == armv8* || "${machine}" == aarch64 ]] \
 ; then \
 echo "Installing hardened-malloc" \
- ; apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc \
+ ; apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc \
 ; else \
 echo "Faking the install of hardened-malloc" \
 ; cp /lib/ld-musl-${machine}.so.1 /usr/lib/libhardened_malloc.so \
From 81628149a234985e1fba07881ac3448078ce2bc3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 15 Nov 2022 09:17:06 +0100
Subject: [PATCH 5/6] don't fake the library
---
 core/base/Dockerfile | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 683f718f..35bcbd15 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -18,10 +18,6 @@ RUN set -euxo pipefail \
 ; then \
 echo "Installing hardened-malloc" \
 ; apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc \
- ; else \
- echo "Faking the install of hardened-malloc" \
- ; cp /lib/ld-musl-${machine}.so.1 /usr/lib/libhardened_malloc.so \
- ; touch /usr/lib/libhardened_malloc.so.faked \
 ; fi
 ENV LD_PRELOAD=/usr/lib/libhardened_malloc.so
From 63513608b9423aee8c21c710f70f532e58ed81bd Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 15 Nov 2022 11:12:27 +0100
Subject: [PATCH 6/6] Close #2533: document SQLALCHEMY_DATABASE_URI
---
 docs/configuration.rst | 4 ++++
 1 file changed, 4 insertions(+)
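Review bot: With the else branch removed, the context line `ENV LD_PRELOAD=/usr/lib/libhardened_malloc.so` now names a file that does not exist on any architecture the if-condition rejects, so every process in those images starts with a dangling preload entry. I believe musl's loader silently skips an LD_PRELOAD object it cannot open, so this is probably not fatal, but it should be confirmed on an affected architecture rather than assumed, and the silent skip also means a typo in the path would go unnoticed on supported ones. A build-time statement that makes the situation visible in the build log would help, e.g. `; [ -e /usr/lib/libhardened_malloc.so ] || echo "hardened-malloc not available on ${machine}; LD_PRELOAD will be ignored"`, placed after the `fi`. The if-condition and the start of the RUN instruction lie outside the hunk.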
diff --git a/docs/configuration.rst b/docs/configuration.rst
index d411d2c7..ba75e0bf 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -287,6 +287,10 @@ The admin service stores configurations in a database.
 - ``DB_USER``: the database user for mailu admin service. (when not ``sqlite``)
 - ``DB_NAME``: the database name for mailu admin service. (when not ``sqlite``)
+Alternatively, if you need more control, you can use a `DB URL`_ : do not set any of the ``DB_`` settings and set ``SQLALCHEMY_DATABASE_URI`` instead.
+
+.. _`DB URL`: https://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
+
 The roundcube service stores configurations in a database.
 - ``ROUNDCUBE_DB_FLAVOR``: the database type for roundcube service. (``sqlite``, ``postgresql``, ``mysql``)