libreoffice-online/docker/from-source/Ubuntu
Michael Meeks 317dffb817 Optimize copy of jails to hard-linking with new capability.
In some cases we cannot do a fast bind-mount of the files we want
in our jail since we don't have cap_sys_admin for loolmount inside
e.g. docker.

Thus we need to fall back to hard-linking, however various security
systems namespace parts of our tree, such that link() fails with
EXDEV even across the (apparently) same file-system.

As such we need to assemble a copy of what we want to hard-link
close to our jails. However, this needs to be owned by root / the
system to avoid having writable files shared between jails. Hence
we need cap_chown in addition to cap_fowner, to get ownership right
and then hard-link.

Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
2021-01-04 15:05:36 +00:00

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
FROM ubuntu:18.04
# refresh repos otherwise installations later may fail
# install LibreOffice run-time dependencies
# install adduser, findutils, openssl and cpio that we need later
# install an editor
# tdf#117557 - Add CJK Fonts to Collabora Online Docker Image
RUN apt-get update && \
    apt-get -y install libpng16-16 fontconfig adduser cpio \
               findutils nano libpocoxml50 libpocoutil50 libpoconetssl50 \
               libpoconet50 libpocojson50 libpocofoundation50 libpococrypto50 \
               libcap2-bin openssl openssh-client inotify-tools procps \
               libxcb-shm0 libxcb-render0 libxrender1 libxext6 \
               fonts-wqy-zenhei fonts-wqy-microhei fonts-droid-fallback \
               fonts-noto-cjk
# copy freshly built LOKit and Collabora Online
COPY /instdir /
# copy the shell script which can start Collabora Online (loolwsd)
COPY /start-collabora-online.sh /
# set up Collabora Online (normally done by postinstall script of package)
# Fix permissions
RUN setcap cap_fowner,cap_chown,cap_mknod,cap_sys_chroot=ep /usr/bin/loolforkit && \
    setcap cap_sys_admin=ep /usr/bin/loolmount && \
    adduser --quiet --system --group --home /opt/lool lool && \
    mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd && \
    rm -rf /var/cache/loolwsd/* && \
    rm -rf /opt/lool && \
    mkdir -p /opt/lool/child-roots && \
    loolwsd-systemplate-setup /opt/lool/systemplate /opt/libreoffice >/dev/null 2>&1 && \
    touch /var/log/loolwsd.log && \
    chown lool:lool /var/log/loolwsd.log && \
    chown -R lool:lool /opt/ && \
    chown -R lool:lool /etc/loolwsd
EXPOSE 9980
# switch to lool user (use numeric user id to be compatible with Kubernetes Pod Security Policies)
USER 101
CMD bash /start-collabora-online.sh
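
The setcap lines above grant loolforkit and loolmount specific file capabilities, and this commit widens the loolforkit set with cap_chown. As an added example (not part of the original repository), the script below compares `getcap` output against those sets so that an image whose binaries carry more or fewer capabilities is flagged; the function names and sample lines are constructed for illustration, and each line is assumed to carry a single capability clause.

```shell
#!/bin/sh
# Added example: audit file capabilities against the sets granted in the Dockerfile.

# Expected sets, copied from the setcap lines in the Dockerfile above.
FORKIT_CAPS='cap_fowner,cap_chown,cap_mknod,cap_sys_chroot'
MOUNT_CAPS='cap_sys_admin'

# normalize_caps "cap_b,CAP_A" -> "cap_a,cap_b" (lower-case, sorted, deduplicated)
normalize_caps() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' | sed '/^$/d' |
        LC_ALL=C sort -u | paste -sd, -
}

# parse_getcap_line LINE -> prints "<sorted caps> <flags>".
# Handles both getcap output styles:
#   older libcap:  /path = cap_a,cap_b+ep
#   newer libcap:  /path cap_a,cap_b=ep
parse_getcap_line() {
    spec=${1##* }                    # last field holds the caps and the flags
    case $spec in
        *+*) caps=${spec%%+*}; flags=${spec##*+} ;;
        *=*) caps=${spec%%=*}; flags=${spec##*=} ;;
        *)   return 1 ;;             # empty line or no capability clause
    esac
    printf '%s %s\n' "$(normalize_caps "$caps")" "$flags"
}

# check_caps LINE EXPECTED_CAPS EXPECTED_FLAGS -> 0 on exact match, 1 otherwise
check_caps() {
    got=$(parse_getcap_line "$1") || { echo "FAIL: nothing parsed from: $1"; return 1; }
    want="$(normalize_caps "$2") $3"
    if [ "$got" = "$want" ]; then
        echo "OK:   $1"
        return 0
    fi
    echo "FAIL: got '$got', want '$want'"
    return 1
}

# Constructed sample lines; inside the image pass "$(getcap /usr/bin/loolforkit)" instead.
check_caps '/usr/bin/loolforkit = cap_chown,cap_fowner,cap_mknod,cap_sys_chroot+ep' "$FORKIT_CAPS" ep
check_caps '/usr/bin/loolmount cap_sys_admin=ep' "$MOUNT_CAPS" ep
# Drift case: loolforkit has picked up cap_sys_admin, which the Dockerfile never grants it.
check_caps '/usr/bin/loolforkit cap_chown,cap_fowner,cap_mknod,cap_sys_admin,cap_sys_chroot=ep' "$FORKIT_CAPS" ep || true
```

An empty `getcap` result (capabilities stripped, for example by a copy that does not preserve extended attributes) is reported as a failure rather than silently passing.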