feat(docker): standalone entrypoint env-var parity with upstream#116
Merged
Conversation
juliusknorr
changed the title
There was a problem hiding this comment.
Pull request overview
This PR expands the standalone Docker entrypoint to better match upstream DocumentServer container behavior by wiring more environment variables into runtime configuration, adding service/SSL setup logic, and making metrics opt-in.
Changes:
- Reworks
build/scripts/standalone/entrypoint.shto configure JWT, DB, Redis, AMQP, WOPI, nginx/SSL, metrics, logging, fonts, plugins, and bundled service startup. - Changes standalone metrics supervisor autostart behavior to opt-in via
METRICS_ENABLED. - Adds runtime tools needed by the new entrypoint logic to the standalone Docker image.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
build/scripts/standalone/entrypoint.sh |
Implements the expanded standalone startup/configuration flow and env-var support. |
build/configs/standalone/supervisor/ds-metrics.conf |
Disables metrics autostart so the entrypoint can enable it conditionally. |
build/.docker/standalone.bake.Dockerfile |
Installs additional utilities required by the new entrypoint behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Member
Author
|
Addressed Copilot's three review comments in ed75701:
|
The standalone entrypoint only applied JWT_SECRET to local.json but ignored JWT_HEADER, so custom values like AuthorizationJwt were not written to services.CoAuthoring.token.inbox.header / services.CoAuthoring.token.outbox.header. Mirror the orchestrated entrypoint's behavior and also honor JWT_HEADER_INBOX / JWT_HEADER_OUTBOX. Fixes #94 Signed-off-by: Julius Knorr <jus@bitgrid.net>
Extends build/scripts/standalone/entrypoint.sh from a small JWT-only wrapper to a configuration layer that mirrors the upstream run-document-server.sh. Adds support for DB_*, REDIS_SERVER_*, AMQP_*, WOPI_*, METRICS_*, SSL_*, NGINX_*, DS_LOG_LEVEL, PLUGINS_ENABLED, GENERATE_FONTS, JWT_ENABLED, JWT_IN_BODY and inbox/outbox JWT variants. Behavior: - Auto-generates JWT_SECRET, SECURE_LINK_SECRET, and the WOPI RSA keypair on first boot; persists them under /var/www/euro-office/Data so a mounted volume survives restarts. - Skips starting bundled postgres/redis/rabbitmq when the corresponding *_HOST points at a non-localhost address and waits for the remote port to open before launching supervisord. - Honors DB_PASSWORD as a deprecated alias of DB_PWD with a logged warning. - Configures the deb-shipped ds-ssl.conf.tmpl when SSL_CERTIFICATE_PATH and SSL_KEY_PATH are provided (HSTS / dhparam / verify_client knobs match upstream); Let's Encrypt and ONLYOFFICE_DATA_CONTAINER mode are intentionally not implemented (cluster image covers the split case). - Rejects non-postgres DB_TYPE values up front since the standalone image only ships postgresql-client. Dockerfile adds netcat-openbsd (remote-host wait), xxd (WOPI modulus extraction) and an explicit openssl. ds-metrics supervisor program flipped to autostart=false so METRICS_ENABLED becomes the real toggle. Closes #94 Closes #95 Signed-off-by: Julius Knorr <jus@bitgrid.net>
- METRICS_PREFIX default is "ds." (matches cluster image) instead of the upstream-inherited ".ds", which produced metric names with a leading dot and didn't line up with existing dashboards. - Normalize AMQP_VHOST to ensure a leading slash before appending to the URI, so values like "myvhost" yield "amqp://...:5672/myvhost" instead of an invalid "amqp://...:5672myvhost". - chmod 600 the WOPI private key after generation so the RSA key isn't world-readable on the Data volume. Signed-off-by: Julius Knorr <jus@bitgrid.net>
rikled
force-pushed
the
fix/jwt-header-standalone
branch
from
ed75701 to
aad8bc3
Compare
Signed-off-by: Hendrik Leidinger <hendrik.leidinger@nextcloud.com>
Member
|
tested locally, works fine. fixed some missed static paths. |
rikled
approved these changes
May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
build/scripts/standalone/entrypoint.shto feature parity with the upstreamrun-document-server.sh, turning the standalone container into a drop-in replacement for the upstream one./etc/euro-office/documentserver/local.json(and into nginx for SSL) before handing off to supervisord.netcat-openbsd,xxd, andopensslto the standalone image; flipsds-metricssupervisor program to opt-in viaMETRICS_ENABLED.Env vars now supported
JWT_ENABLED,JWT_SECRET,JWT_HEADER,JWT_IN_BODY, and*_INBOX/*_OUTBOXvariants for eachDB_TYPE(postgres only),DB_HOST,DB_PORT,DB_NAME,DB_USER,DB_PWD(alias:DB_PASSWORD, logs deprecation)REDIS_SERVER_HOST,REDIS_SERVER_PORT,REDIS_SERVER_USER,REDIS_SERVER_PASS,REDIS_SERVER_DBAMQP_URI,AMQP_HOST,AMQP_PORT,AMQP_USER,AMQP_PWD,AMQP_VHOSTWOPI_ENABLED(auto-generates RSA keypair under/var/www/euro-office/Data)SSL_CERTIFICATE_PATH,SSL_KEY_PATH,SSL_DHPARAM_PATH,SSL_VERIFY_CLIENT,ONLYOFFICE_HTTPS_HSTS_ENABLED,ONLYOFFICE_HTTPS_HSTS_MAXAGE,NGINX_WORKER_PROCESSES,NGINX_WORKER_CONNECTIONS,NGINX_ACCESS_LOGMETRICS_ENABLED,METRICS_HOST,METRICS_PORT,METRICS_PREFIXDS_LOG_LEVEL,PLUGINS_ENABLED,GENERATE_FONTS,USE_UNAUTHORIZED_STORAGE,ALLOW_PRIVATE_IP_ADDRESS,ALLOW_META_IP_ADDRESS,SECURE_LINK_SECRETDefaults match upstream where reasonable (
JWT_ENABLED=true,WOPI_ENABLED=false,PLUGINS_ENABLED=true,METRICS_ENABLED=false,GENERATE_FONTS=true,JWT_IN_BODY=false,JWT_HEADER=Authorization).METRICS_PREFIXdefaults tods.to line up with our cluster image instead of upstream's.ds(per review feedback).Behavior notes
JWT_SECRET,SECURE_LINK_SECRET, and the WOPI keypair are auto-generated on first boot and stored under/var/www/euro-office/Data/.private/(directory 0700, files 0600 — including the WOPI RSA private key). Mount that directory as a volume to keep them stable across restarts; the JWT message printed at boot reminds operators of this.postgresql,redis-server, andrabbitmq-serveronly start when the corresponding*_HOSTpoints atlocalhost. For remote hosts the entrypoint waits for the port to open before starting supervisord.postgresql-client, so non-postgresDB_TYPEvalues are rejected with a clear error. Users needing MariaDB/MySQL/MSSQL/Oracle should use the cluster image.myvhostis normalized to/myvhostbefore assembling the amqp:// URI, so users don't have to know the leading-slash detail.LETS_ENCRYPT_*) and the upstreamONLYOFFICE_DATA_CONTAINERsplit-deployment mode. The cluster image covers split deployments; users with public TLS termination typically run a reverse proxy in front.ALLOW_PRIVATE_IP_ADDRESS,USE_UNAUTHORIZED_STORAGE, etc.) are now compared against"true"rather than emptiness, matching upstream semantics. Anyone passing1oryesbefore will need to switch totrue.This PR also picks up the existing
JWT_HEADERinbox/outbox fix (commit5ba0cad), so it closes both #94 and #95.Test plan
All items verified against a derivative image (nightly base + new entrypoint + new packages). The container-level checks were exercised end-to-end with live
docker runs.JWT_SECRET=mysecret JWT_HEADER=AuthorizationJwt→secret.{browser,session,inbox,outbox}.string == "mysecret"andtoken.{inbox,outbox}.header == "AuthorizationJwt"(closes JWT_HEADER env variable is only partially working #94)DB_PASSWORD=oldpwdemitsWARNING: DB_PASSWORD is deprecated, use DB_PWD insteadon stderr and populatesservices.CoAuthoring.sql.dbPassDB_HOST=db.internal DB_PWD=… DB_USER=… DB_NAME=…wires the external host intoservices.CoAuthoring.sqlREDIS_SERVER_HOST=redis.internal REDIS_SERVER_PASS=… REDIS_SERVER_DB=2populatesservices.CoAuthoring.redis.{host,options.password,options.database}AMQP_URI=amqp://u:p@rabbit.internal:5672/vhostlands inrabbitmq.url;AMQP_VHOST=myvhostnormalizes to/myvhostDB_TYPE=mysqlis rejected at startup with a clear errorWOPI_ENABLED=truegenerates the RSA keypair under/var/www/euro-office/Dataand re-uses it across restarts (modulus stable); private key is0600JWT_SECRETpersists across restarts when the data dir is mounteddocker runprints the generated JWT secret on stdout and serves/welcome/(welcome page contains "Euro-Office Docs Community Edition")DB_HOST=<external pg>,pgrep postgresreturns nothing inside the container and docservice's queries hit the external host (proven by schema-not-bootstrapped errors against the external DB)REDIS_SERVER_HOST=<external redis>,pgrep redis-serverreturns nothing inside the container;redis.hostset to external host inlocal.jsonSSL_CERTIFICATE_PATH+SSL_KEY_PATHproduce a working HTTPS listener (HTTP/2 200) with HSTS header (strict-transport-security: max-age=31536000)docker buildx bake standalonefrom scratch — not re-verified in this round; the prior bake hung partway in the WASM/closure-compiler stages (likely OOM in the buildkit VM, not in our diff). Recommend re-running in CI or with more memory before merge.🤖 Generated with Claude Code