Update Mattermost

.travis.yml

@@ -1,5 +1,3 @@
-sudo: required
-
 services:
     - docker
 

MAINTENANCE.md

@@ -20,7 +20,7 @@ The following people help to maintain this open source project:
 |:--------------------------------------|:--------------|
 | Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018   |
 
-In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
+In case something happens where no maintainers are able to complete their responsibilities, the following sponsoring organization can help find a new maintainer:
 
 | Sponsoring Organization        | Start Date    |
 |:-------------------------------|:--------------|

README.md

@@ -67,6 +67,13 @@ If your database use some custom host and port, it is also possible to configure
 * `DB_HOST`: database host address
 * `DB_PORT_NUMBER`: database port
 
+Use this optional variable if your PostgreSQL connection requires encryption (you may need a certificate authority file and/or a certificate revocation list - check the documentation for your database provider).  See the [PostgreSQL notes on encrypted connections](https://www.postgresql.org/docs/current/libpq-ssl.html) for recommendations on what values to use when encryption is needed.
+* `DB_SSLMODE`: defaults to `disable`, indicating no encryption
+
+PostgreSQL allows two other variables `sslrootcert` and `sslcrl` for connection strings.  However these are not broadly supported when the connection string is specified as a URI. If you need these parameters, use the PostgreSQL-specified environment variables
+* `PGSSLROOTCERT` specifies the location of CA file
+* `PGSSLCRL` specifies the location of a certificate revocation list file
+
 If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) :
 * `MM_CONFIG`: configuration file location inside the container.
 
@@ -189,7 +196,7 @@ docker-compose build app
 docker-compose run app -upgrade_db_30
 docker-compose up -d
 ```
-See the [offical Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
+See the [official Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
 
 ## Installation using Docker Swarm Mode
 

app/Dockerfile

@@ -2,7 +2,8 @@ FROM alpine:3.10
 
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
-ENV MM_VERSION=5.24.2
+ENV MM_VERSION=5.31.0
+ENV MM_INSTALL_TYPE=docker
 
 # Build argument to set Mattermost edition
 ARG edition=enterprise
@@ -18,7 +19,7 @@ RUN apk add --no-cache \
 	jq \
 	libc6-compat \
 	libffi-dev \
-    libcap \
+	libcap \
 	linux-headers \
 	mailcap \
 	netcat-openbsd \
@@ -28,15 +29,15 @@ RUN apk add --no-cache \
 
 # Get Mattermost
 RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
-    && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
-      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
-      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
-    && cp /mattermost/config/config.json /config.json.save \
-    && rm -rf /mattermost/config/config.json \
-    && addgroup -g ${PGID} mattermost \
-    && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
-    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
-    && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
+	&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
+		elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
+		else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
+	&& cp /mattermost/config/config.json /config.json.save \
+	&& rm -rf /mattermost/config/config.json \
+	&& addgroup -g ${PGID} mattermost \
+	&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
+	&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
+	&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
 
 USER mattermost
 

app/entrypoint.sh

@@ -2,65 +2,72 @@
 
 # Function to generate a random salt
 generate_salt() {
-  tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
+  tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 48 | head -n 1
 }
 
 # Read environment variables or set default values
 DB_HOST=${DB_HOST:-db}
 DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
+# see https://www.postgresql.org/docs/current/libpq-ssl.html
+# for usage when database connection requires encryption
+# filenames should be escaped if they contain spaces
+#  i.e. $(printf %s ${MY_ENV_VAR:-''}  | jq -s -R -r @uri)
+# the location of the CA file can be set using environment var PGSSLROOTCERT
+# the location of the CRL file can be set using PGSSLCRL
+# The URL syntax for connection string does not support the parameters
+# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
+# to set names if using a location other than default
+DB_USE_SSL=${DB_USE_SSL:-disable}
 MM_DBNAME=${MM_DBNAME:-mattermost}
 MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
 
-if [ "${1:0:1}" = '-' ]; then
-    set -- mattermost "$@"
+_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }')
+if [ "$_1" = '-' ]; then
+  set -- mattermost "$@"
 fi
 
 if [ "$1" = 'mattermost' ]; then
   # Check CLI args for a -config option
-  for ARG in $@;
-  do
-      case "$ARG" in
-          -config=*)
-              MM_CONFIG=${ARG#*=};;
-      esac
+  for ARG in "$@"; do
+    case "$ARG" in
+    -config=*) MM_CONFIG=${ARG#*=} ;;
+    esac
   done
 
-  if [ ! -f $MM_CONFIG ]
-  then
+  if [ ! -f "$MM_CONFIG" ]; then
     # If there is no configuration file, create it with some default values
-    echo "No configuration file" $MM_CONFIG
+    echo "No configuration file $MM_CONFIG"
     echo "Creating a new one"
     # Copy default configuration file
-    cp /config.json.save $MM_CONFIG
-    # Substitue some parameters with jq
-    jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
-    jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
+    cp /config.json.save "$MM_CONFIG"
+    # Substitute some parameters with jq
+    jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
+    jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
   else
-    echo "Using existing config file" $MM_CONFIG
+    echo "Using existing config file $MM_CONFIG"
   fi
 
   # Configure database access
-  if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
-  then
-    echo -ne "Configure database connection..."
+  if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
+    echo "Configure database connection..."
     # URLEncode the password, allowing for special characters
-    ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
-    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
-    echo OK
+    ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
+    export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
+    echo "OK"
   else
     echo "Using existing database connection"
   fi

db/entrypoint.sh

@@ -5,7 +5,7 @@ export WAL_LEVEL=${WAL_LEVEL:-minimal}
 export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
 export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
 
-function update_conf () {
+function update_conf() {
   wal=$1
   # PGDATA is defined in upstream postgres dockerfile
   config_file=$PGDATA/postgresql.conf
@@ -23,11 +23,11 @@ function update_conf () {
   sed -i "s/archive_command =.*$//g" $config_file
 
   # Configure wal-e
-  if [ "$wal" = true ] ; then
+  if [ "$wal" = true ]; then
     /docker-entrypoint-initdb.d/setup-wale.sh
   fi
-  echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
-  echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
+  echo "log_timezone = $DEFAULT_TIMEZONE" >>$config_file
+  echo "timezone = $DEFAULT_TIMEZONE" >>$config_file
 }
 
 if [ "${1:0:1}" = '-' ]; then
@@ -46,7 +46,7 @@ if [ "$1" = 'postgres' ]; then
   done
 
   # Setup wal-e env variables
-  if [ "$wal_enable" = true ] ; then
+  if [ "$wal_enable" = true ]; then
     for v in ${VARS[@]}; do
       export $v="${!v}"
     done

db/setup-wale.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # wal-e specific configuration
-echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
-echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
-echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
-echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf
+echo "wal_level = $WAL_LEVEL" >>$PGDATA/postgresql.conf
+echo "archive_mode = $ARCHIVE_MODE" >>$PGDATA/postgresql.conf
+echo "archive_command = '/usr/bin/wal-e wal-push %p'" >>$PGDATA/postgresql.conf
+echo "archive_timeout = $ARCHIVE_TIMEOUT" >>$PGDATA/postgresql.conf

web/entrypoint.sh

@@ -11,7 +11,7 @@ if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then
 else
   echo "linking plain config"
 fi
-# Ensure that the configuration file is not present before linking. 
+# Ensure that the configuration file is not present before linking.
 test -w /etc/nginx/conf.d/mattermost.conf && rm /etc/nginx/conf.d/mattermost.conf
 # Linking Nginx configuration file
 ln -s -f /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf

web/mattermost-ssl

@@ -1,7 +1,7 @@
 server {
-	listen 80 default_server;
-	server_name _;
-	return 301 https://$host$request_uri;
+    listen 80 default_server;
+    server_name _;
+    return 301 https://$host$request_uri;
 }
 
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
@@ -15,9 +15,11 @@ server {
     ssl_certificate /cert/cert.pem;
     ssl_certificate_key /cert/key-no-password.pem;
     ssl_session_timeout 5m;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
-    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    # Please update the ciphers in this file every 6 months.
+    # https://ssl-config.mozilla.org/
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
 
     location ~ /api/v[0-9]+/(users/)?websocket$ {
         proxy_set_header Upgrade $http_upgrade;
@@ -33,7 +35,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
+        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 
     location / {
@@ -50,7 +52,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
+        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 }