diff --git a/.env.template b/.env.template index 4a19f249..8f134a98 100644 --- a/.env.template +++ b/.env.template @@ -103,7 +103,7 @@ # ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^ ## Any IP which is not defined as a global IP will be blacklisted. -## Usefull to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block +## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block # ICON_BLACKLIST_NON_GLOBAL_IPS=true ## Disable 2FA remember @@ -111,6 +111,18 @@ ## Note that the checkbox would still be present, but ignored. # DISABLE_2FA_REMEMBER=false +## Maximum attempts before an email token is reset and a new email will need to be sent. +# EMAIL_ATTEMPTS_LIMIT=3 + +## Token expiration time +## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. +# EMAIL_EXPIRATION_TIME=600 + +## Email token size +## Number of digits in an email token (min: 6, max: 19). +## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! +# EMAIL_TOKEN_SIZE=6 + ## Controls if new users can register # SIGNUPS_ALLOWED=true @@ -151,6 +163,16 @@ ## Invitations org admins to invite users, even when signups are disabled # INVITATIONS_ALLOWED=true +## Name shown in the invitation emails that don't come from a specific organization +# INVITATION_ORG_NAME=Bitwarden_RS + +## Per-organization attachment limit (KB) +## Limit in kilobytes for an organization attachments, once the limit is exceeded it won't be possible to upload more +# ORG_ATTACHMENT_LIMIT= +## Per-user attachment limit (KB). +## Limit in kilobytes for a users attachments, once the limit is exceeded it won't be possible to upload more +# USER_ATTACHMENT_LIMIT= + ## Controls the PBBKDF password iterations to apply on the server ## The change only applies when the password is changed @@ -166,6 +188,13 @@ ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs # DOMAIN=https://bw.domain.tld:8443 +## Allowed iframe ancestors (Know the risks!) +## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors +## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets +## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value. +## Multiple values must be separated with a whitespace. +# ALLOWED_IFRAME_ANCESTORS= + ## Yubico (Yubikey) Settings ## Set your Client ID and Secret Key for Yubikey OTP ## You can generate it here: https://upgrade.yubico.com/getapikey/ @@ -214,10 +243,24 @@ # SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. # SMTP_USERNAME=username # SMTP_PASSWORD=password +# SMTP_TIMEOUT=15 + ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. ## Possible values: ["Plain", "Login", "Xoauth2"]. ## Multiple options need to be separated by a comma ','. # SMTP_AUTH_MECHANISM="Plain" -# SMTP_TIMEOUT=15 + +## Server name sent during the SMTP HELO +## By default this value should be is on the machine's hostname, +## but might need to be changed in case it trips some anti-spam filters +# HELO_NAME= + +## Require new device emails. When a user logs in an email is required to be sent. +## If sending the email fails the login attempt will fail!! +# REQUIRE_DEVICE_EMAIL=false + +## HIBP Api Key +## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key +# HIBP_API_KEY= # vim: syntax=ini diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index ec9ed642..e2acdf08 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 @@ -9,7 +9,7 @@ {% set package_arch_name = "" %} {% elif "arm32v7" in target_file %} {% set build_stage_base_image = "messense/rust-musl-cross:armv7-musleabihf" %} -{% set runtime_stage_base_image = "cmosh/alpine-arm:3.6" %} +{% set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.12" %} {% set package_arch_name = "" %} {% endif %} {% elif "amd64" in target_file %} @@ -35,11 +35,11 @@ ####################### VAULT BUILD IMAGE ####################### {% set vault_image_hash = "sha256:e40228f94cead5e50af6575fb39850a002dad146dab6836e5da5663e6d214303" %} {% raw %} -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -54,13 +54,9 @@ FROM {{ build_stage_base_image }} as build # Alpine only works on SQlite ARG DB=sqlite -{% elif "amd64" in target_file %} -# AMD64 supports all -ARG DB=sqlite,mysql,postgresql - {% else %} -# ARM only supports SQLite for now -ARG DB=sqlite +# Debian-based builds support multidb +ARG DB=sqlite,mysql,postgresql {% endif %} # Build time options to avoid dpkg warnings and help with reproducible builds. @@ -75,6 +71,7 @@ ENV RUSTFLAGS='-C link-arg=-s' {% elif "arm" in target_file %} # Install required build libs for {{ package_arch_name }} architecture. +# To compile both mysql and postgresql we need some extra packages for both host arch and target arch RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ /etc/apt/sources.list.d/deb-src.list \ && dpkg --add-architecture {{ package_arch_name }} \ @@ -82,7 +79,11 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ && apt-get install -y \ --no-install-recommends \ libssl-dev{{ package_arch_prefix }} \ - libc6-dev{{ package_arch_prefix }} + libc6-dev{{ package_arch_prefix }} \ + libpq5{{ package_arch_prefix }} \ + libpq-dev \ + libmariadb-dev{{ package_arch_prefix }} \ + libmariadb-dev-compat{{ package_arch_prefix }} {% endif -%} {% if "arm64v8" in target_file %} @@ -92,7 +93,8 @@ RUN apt-get update \ gcc-aarch64-linux-gnu \ && mkdir -p ~/.cargo \ && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \ - && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config + && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \ + && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config ENV CARGO_HOME "/root/.cargo" ENV USER "root" @@ -103,7 +105,8 @@ RUN apt-get update \ gcc-arm-linux-gnueabi \ && mkdir -p ~/.cargo \ && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \ - && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config + && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \ + && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config ENV CARGO_HOME "/root/.cargo" ENV USER "root" @@ -114,7 +117,8 @@ RUN apt-get update \ gcc-arm-linux-gnueabihf \ && mkdir -p ~/.cargo \ && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \ - && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config + && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \ + && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config ENV CARGO_HOME "/root/.cargo" ENV USER "root" @@ -138,19 +142,43 @@ COPY ./rust-toolchain ./rust-toolchain COPY ./build.rs ./build.rs {% if "alpine" not in target_file %} +{% if "arm" in target_file %} +# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies. +# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic. +# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client) +# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the {{ package_arch_prefix }} version. +# What we can do is a force install, because nothing important is overlapping each other. +RUN apt-get install -y libmariadb3:amd64 && \ + mkdir -pv /tmp/dpkg && \ + cd /tmp/dpkg && \ + apt-get download libmariadb-dev-compat:amd64 && \ + dpkg --force-all -i *.deb && \ + rm -rf /tmp/dpkg + +# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic. +# The libpq5{{ package_arch_prefix }} package seems to not provide a symlink to libpq.so.5 with the name libpq.so. +# This is only provided by the libpq-dev package which can't be installed for both arch at the same time. +# Without this specific file the ld command will fail and compilation fails with it. +{% endif -%} {% if "arm64v8" in target_file %} +RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so + ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" RUN rustup target add aarch64-unknown-linux-gnu {% elif "arm32v6" in target_file %} +RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so + ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" RUN rustup target add arm-unknown-linux-gnueabi {% elif "arm32v7" in target_file %} +RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so + ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" @@ -168,7 +196,23 @@ RUN rustup target add armv7-unknown-linux-musleabihf # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies +{% if "alpine" in target_file %} +{% if "amd64" in target_file %} +RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl +{% elif "arm32v7" in target_file %} +RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf +{% endif %} +{% elif "alpine" not in target_file %} +{% if "amd64" in target_file %} RUN cargo build --features ${DB} --release +{% elif "arm64v8" in target_file %} +RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu +{% elif "arm32v6" in target_file %} +RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi +{% elif "arm32v7" in target_file %} +RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf +{% endif %} +{% endif %} RUN find . -not -path "./target*" -delete # Copies the complete project @@ -238,10 +282,8 @@ RUN apt-get update && apt-get install -y \ ca-certificates \ curl \ sqlite3 \ -{% if "amd64" in target_file %} - libmariadbclient-dev \ + libmariadb-dev-compat \ libpq5 \ -{% endif %} && rm -rf /var/lib/apt/lists/* {% endif %} {% if "alpine" in target_file and "arm32v7" in target_file %} diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile index d7350eb0..8b52940b 100644 --- a/docker/amd64/Dockerfile +++ b/docker/amd64/Dockerfile @@ -6,11 +6,11 @@ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -20,7 +20,7 @@ FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab683 ########################## BUILD IMAGE ########################## FROM rust:1.46 as build -# AMD64 supports all +# Debian-based builds support multidb ARG DB=sqlite,mysql,postgresql # Build time options to avoid dpkg warnings and help with reproducible builds. @@ -82,7 +82,7 @@ RUN apt-get update && apt-get install -y \ ca-certificates \ curl \ sqlite3 \ - libmariadbclient-dev \ + libmariadb-dev-compat \ libpq5 \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine index 74f8fd02..7685a766 100644 --- a/docker/amd64/Dockerfile.alpine +++ b/docker/amd64/Dockerfile.alpine @@ -6,11 +6,11 @@ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -47,7 +47,7 @@ RUN rustup target add x86_64-unknown-linux-musl # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release +RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl RUN find . -not -path "./target*" -delete # Copies the complete project diff --git a/docker/arm32v6/Dockerfile b/docker/arm32v6/Dockerfile index af8e874a..1329747f 100644 --- a/docker/arm32v6/Dockerfile +++ b/docker/arm32v6/Dockerfile @@ -6,11 +6,11 @@ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -20,8 +20,8 @@ FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab683 ########################## BUILD IMAGE ########################## FROM rust:1.46 as build -# ARM only supports SQLite for now -ARG DB=sqlite +# Debian-based builds support multidb +ARG DB=sqlite,mysql,postgresql # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color @@ -30,6 +30,7 @@ ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color RUN rustup set profile minimal # Install required build libs for armel architecture. +# To compile both mysql and postgresql we need some extra packages for both host arch and target arch RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ /etc/apt/sources.list.d/deb-src.list \ && dpkg --add-architecture armel \ @@ -37,7 +38,11 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ && apt-get install -y \ --no-install-recommends \ libssl-dev:armel \ - libc6-dev:armel + libc6-dev:armel \ + libpq5:armel \ + libpq-dev \ + libmariadb-dev:armel \ + libmariadb-dev-compat:armel RUN apt-get update \ && apt-get install -y \ @@ -45,7 +50,8 @@ RUN apt-get update \ gcc-arm-linux-gnueabi \ && mkdir -p ~/.cargo \ && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \ - && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config + && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \ + && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config ENV CARGO_HOME "/root/.cargo" ENV USER "root" @@ -59,6 +65,24 @@ COPY ./Cargo.* ./ COPY ./rust-toolchain ./rust-toolchain COPY ./build.rs ./build.rs +# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies. +# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic. +# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client) +# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armel version. +# What we can do is a force install, because nothing important is overlapping each other. +RUN apt-get install -y libmariadb3:amd64 && \ + mkdir -pv /tmp/dpkg && \ + cd /tmp/dpkg && \ + apt-get download libmariadb-dev-compat:amd64 && \ + dpkg --force-all -i *.deb && \ + rm -rf /tmp/dpkg + +# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic. +# The libpq5:armel package seems to not provide a symlink to libpq.so.5 with the name libpq.so. +# This is only provided by the libpq-dev package which can't be installed for both arch at the same time. +# Without this specific file the ld command will fail and compilation fails with it. +RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so + ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" @@ -68,7 +92,7 @@ RUN rustup target add arm-unknown-linux-gnueabi # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release +RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi RUN find . -not -path "./target*" -delete # Copies the complete project @@ -103,6 +127,8 @@ RUN apt-get update && apt-get install -y \ ca-certificates \ curl \ sqlite3 \ + libmariadb-dev-compat \ + libpq5 \ && rm -rf /var/lib/apt/lists/* RUN mkdir /data diff --git a/docker/arm32v7/Dockerfile b/docker/arm32v7/Dockerfile index 012a26ce..a9ad9661 100644 --- a/docker/arm32v7/Dockerfile +++ b/docker/arm32v7/Dockerfile @@ -6,11 +6,11 @@ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -20,8 +20,8 @@ FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab683 ########################## BUILD IMAGE ########################## FROM rust:1.46 as build -# ARM only supports SQLite for now -ARG DB=sqlite +# Debian-based builds support multidb +ARG DB=sqlite,mysql,postgresql # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color @@ -30,6 +30,7 @@ ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color RUN rustup set profile minimal # Install required build libs for armhf architecture. +# To compile both mysql and postgresql we need some extra packages for both host arch and target arch RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ /etc/apt/sources.list.d/deb-src.list \ && dpkg --add-architecture armhf \ @@ -37,7 +38,11 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ && apt-get install -y \ --no-install-recommends \ libssl-dev:armhf \ - libc6-dev:armhf + libc6-dev:armhf \ + libpq5:armhf \ + libpq-dev \ + libmariadb-dev:armhf \ + libmariadb-dev-compat:armhf RUN apt-get update \ && apt-get install -y \ @@ -45,7 +50,8 @@ RUN apt-get update \ gcc-arm-linux-gnueabihf \ && mkdir -p ~/.cargo \ && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \ - && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config + && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \ + && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config ENV CARGO_HOME "/root/.cargo" ENV USER "root" @@ -59,6 +65,24 @@ COPY ./Cargo.* ./ COPY ./rust-toolchain ./rust-toolchain COPY ./build.rs ./build.rs +# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies. +# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic. +# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client) +# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armhf version. +# What we can do is a force install, because nothing important is overlapping each other. +RUN apt-get install -y libmariadb3:amd64 && \ + mkdir -pv /tmp/dpkg && \ + cd /tmp/dpkg && \ + apt-get download libmariadb-dev-compat:amd64 && \ + dpkg --force-all -i *.deb && \ + rm -rf /tmp/dpkg + +# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic. +# The libpq5:armhf package seems to not provide a symlink to libpq.so.5 with the name libpq.so. +# This is only provided by the libpq-dev package which can't be installed for both arch at the same time. +# Without this specific file the ld command will fail and compilation fails with it. +RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so + ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" @@ -68,7 +92,7 @@ RUN rustup target add armv7-unknown-linux-gnueabihf # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release +RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf RUN find . -not -path "./target*" -delete # Copies the complete project @@ -103,6 +127,8 @@ RUN apt-get update && apt-get install -y \ ca-certificates \ curl \ sqlite3 \ + libmariadb-dev-compat \ + libpq5 \ && rm -rf /var/lib/apt/lists/* RUN mkdir /data diff --git a/docker/arm32v7/Dockerfile.alpine b/docker/arm32v7/Dockerfile.alpine index 22c7410a..f70755b4 100644 --- a/docker/arm32v7/Dockerfile.alpine +++ b/docker/arm32v7/Dockerfile.alpine @@ -6,11 +6,11 @@ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -47,7 +47,7 @@ RUN rustup target add armv7-unknown-linux-musleabihf # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release +RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf RUN find . -not -path "./target*" -delete # Copies the complete project @@ -65,7 +65,7 @@ RUN musl-strip target/armv7-unknown-linux-musleabihf/release/bitwarden_rs ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built -FROM cmosh/alpine-arm:3.6 +FROM balenalib/armv7hf-alpine:3.12 ARG ROCKET_PORT=80 ARG WEBSOCKET_PORT=3012 diff --git a/docker/arm64v8/Dockerfile b/docker/arm64v8/Dockerfile index 6902edb4..53c853d4 100644 --- a/docker/arm64v8/Dockerfile +++ b/docker/arm64v8/Dockerfile @@ -6,11 +6,11 @@ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -# This hash is extracted from the docker web-vault builds and it's prefered over a simple tag because it's immutable. +# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. # It can be viewed in multiple ways: # - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. # - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.16.0b +# docker pull bitwardenrs/web-vault:v2.16.1 # docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.16.1 # # - To do the opposite, and get the tag from the hash, you can do: @@ -20,8 +20,8 @@ FROM bitwardenrs/web-vault@sha256:e40228f94cead5e50af6575fb39850a002dad146dab683 ########################## BUILD IMAGE ########################## FROM rust:1.46 as build -# ARM only supports SQLite for now -ARG DB=sqlite +# Debian-based builds support multidb +ARG DB=sqlite,mysql,postgresql # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color @@ -30,6 +30,7 @@ ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color RUN rustup set profile minimal # Install required build libs for arm64 architecture. +# To compile both mysql and postgresql we need some extra packages for both host arch and target arch RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ /etc/apt/sources.list.d/deb-src.list \ && dpkg --add-architecture arm64 \ @@ -37,7 +38,11 @@ RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \ && apt-get install -y \ --no-install-recommends \ libssl-dev:arm64 \ - libc6-dev:arm64 + libc6-dev:arm64 \ + libpq5:arm64 \ + libpq-dev \ + libmariadb-dev:arm64 \ + libmariadb-dev-compat:arm64 RUN apt-get update \ && apt-get install -y \ @@ -45,7 +50,8 @@ RUN apt-get update \ gcc-aarch64-linux-gnu \ && mkdir -p ~/.cargo \ && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \ - && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config + && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \ + && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config ENV CARGO_HOME "/root/.cargo" ENV USER "root" @@ -59,6 +65,24 @@ COPY ./Cargo.* ./ COPY ./rust-toolchain ./rust-toolchain COPY ./build.rs ./build.rs +# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies. +# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic. +# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client) +# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :arm64 version. +# What we can do is a force install, because nothing important is overlapping each other. +RUN apt-get install -y libmariadb3:amd64 && \ + mkdir -pv /tmp/dpkg && \ + cd /tmp/dpkg && \ + apt-get download libmariadb-dev-compat:amd64 && \ + dpkg --force-all -i *.deb && \ + rm -rf /tmp/dpkg + +# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic. +# The libpq5:arm64 package seems to not provide a symlink to libpq.so.5 with the name libpq.so. +# This is only provided by the libpq-dev package which can't be installed for both arch at the same time. +# Without this specific file the ld command will fail and compilation fails with it. +RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so + ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" ENV CROSS_COMPILE="1" ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" @@ -68,7 +92,7 @@ RUN rustup target add aarch64-unknown-linux-gnu # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release +RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu RUN find . -not -path "./target*" -delete # Copies the complete project @@ -103,6 +127,8 @@ RUN apt-get update && apt-get install -y \ ca-certificates \ curl \ sqlite3 \ + libmariadb-dev-compat \ + libpq5 \ && rm -rf /var/lib/apt/lists/* RUN mkdir /data diff --git a/hooks/arches.sh b/hooks/arches.sh index 7bd52c49..7deeed50 100644 --- a/hooks/arches.sh +++ b/hooks/arches.sh @@ -1,6 +1,6 @@ -# The default Debian-based SQLite images support these arches. +# The default Debian-based images support these arches for all database connections # -# Other images (Alpine-based, or with other database backends) currently +# Other images (Alpine-based) currently # support only a subset of these. arches=( amd64 @@ -9,15 +9,6 @@ arches=( arm64v8 ) -case "${DOCKER_REPO}" in - *-mysql) - arches=(amd64) - ;; - *-postgresql) - arches=(amd64) - ;; -esac - if [[ "${DOCKER_TAG}" == *alpine ]]; then # The Alpine build currently only works for amd64. os_suffix=.alpine