+1

Docker Documentation Additions & Suggestions

Rudhra 2 weeks ago updated 2 weeks ago 0

I believe a lot of people can benefit from these additions.

  1. Docker-Compose example with: 
    1. the most modern and by far the easiest to configure https reverse proxy with A+
      security rating: caddy (nothing has to be installed on the host!).
    2. OnlyOffice Documentserver fully working example.

    Everything with a $ should be customized to the user installation (or present in a .env file with the desired value).

    version: "2.3"
    services:
    ## __________________
      caddy:
        container_name: caddy-proxy
        image: lucaslorentz/caddy-docker-proxy:ci-alpine
        restart: always
        networks:
          - web-proxy
        volumes:
          # Docker API socket, used by the proxy to read container labels;
          # it gives this container full control of the Docker daemon
          - /var/run/docker.sock:/var/run/docker.sock
          - $DOCKERDIR/caddy/caddy_data:/data
          - $DOCKERDIR/caddy/config:/config
        labels:
          caddy.email: $EMAIL
        ports:
          - "80:80"
          - "443:443"
    ## ________________
      filerun:
        image: afian/filerun
        container_name: filerun
        restart: always
        networks:
          - web-proxy
          - filerun
        environment:
          FR_DB_HOST: filerun-db
          FR_DB_PORT: 3306
          FR_DB_NAME: filerundb
          FR_DB_USER: $USERNAME
          FR_DB_PASS: $PW_INT
          APACHE_RUN_USER: $USERNAME
          APACHE_RUN_USER_ID: $PUID
          APACHE_RUN_GROUP: $USERNAME
          APACHE_RUN_GROUP_ID: $PGID
        depends_on:
          - filerun-db
          - filerun-tika
          - filerun-search
        volumes:
          - $DOCKERDIR/filerun/html:/var/www/html
          - $DATAPOOL/Users:/user-files
        labels:
          caddy: files.$DOMAIN, drive.$DOMAIN
          caddy.reverse_proxy: "{{upstreams 80}}"
          caddy.reverse_proxy.header_up: "Host files.$DOMAIN"
          # Required extra headers
          caddy.file_server: "" # required for fileservers
          caddy.encode: gzip # required for fileservers
          caddy.header.Strict-Transport-Security: '"max-age=31536000;"' # Recommended security hardening for fileservers
          caddy.header.X-XSS-Protection: '"1; mode=block;"' # Recommended security hardening for fileservers
          caddy.header.X-Content-Type-Options: "nosniff" # Seems required to open files in OnlyOffice
          caddy.header.X-Frame-Options: "SAMEORIGIN" # Seems required to open files in OnlyOffice
    ## ________________
      filerun-db:
        image: mariadb:10.1
        container_name: filerun-db
        restart: always
        networks:
          - filerun
        environment:
          MYSQL_ROOT_PASSWORD: $PW_INT
          MYSQL_USER: $USER # must resolve to the same value as FR_DB_USER
          MYSQL_PASSWORD: $PW_INT
          MYSQL_DATABASE: filerundb
        volumes:
          - $DOCKERDIR/filerun/db:/var/lib/mysql
    ##____________________
      filerun-tika:
        image: logicalspark/docker-tikaserver
        container_name: filerun-tika
        restart: always
        networks:
          - filerun
    ##____________________
      filerun-search:
        image: docker.elastic.co/elasticsearch/elasticsearch:6.2.4
        container_name: filerun-search
        restart: always
        networks:
          - filerun
        environment:
          cluster.name: docker-cluster
          bootstrap.memory_lock: 'true'
          ES_JAVA_OPTS: '-Xms512m -Xmx512m'
        ulimits:
          memlock:
            soft: -1
            hard: -1
        mem_limit: 1g
        volumes:
          - $DOCKERDIR/filerun/esearch:/usr/share/elasticsearch/data
    ##
    ##_____________________ OnlyOffice Document Server [Cloud/Office]
      onlyoffice:
        image: onlyoffice/documentserver
        container_name: onlyoffice
        stdin_open: true
        restart: always
        networks:
          - web-proxy
        tty: true
        volumes:
          - $DOCKERDIR/onlyoffice/data:/var/www/onlyoffice/Data
          - $DOCKERDIR/onlyoffice/log:/var/log/onlyoffice
          - $DOCKERDIR/onlyoffice/database:/var/lib/postgresql
          - /usr/share/fonts:/usr/share/fonts
        dns: 9.9.9.9
        environment:
          JWT_ENABLED: 'true'
          JWT_SECRET: $ONLYOFFICEJWT
        labels:
          caddy: office.$DOMAIN
          caddy.reverse_proxy: "{{upstreams 80}}"
          # Required extra headers
          caddy.file_server: ""
          caddy.encode: gzip
          caddy.header.X-Content-Type-Options: "nosniff"

    # Networks referenced by the services above
    # (set "external: true" on one that already exists on the host)
    networks:
      web-proxy:
      filerun:

    OnlyOffice: Run this after the container has loaded, to process the mapped host fonts:

    docker exec onlyoffice /usr/bin/documentserver-generate-allfonts.sh

    2. ElasticSearch required preparations on a Debian/Ubuntu host, before running the container. I think this is absolutely essential for this part of the guide: https://docs.filerun.com/file_indexing

    #!/bin/bash
    # ElasticSearch ~ requirements
    # ---------------------------------------------
    # Create folder and set permissions
    sudo mkdir -p "$HOME/docker/filerun/esearch"
    sudo chown -R "$USER:$USER" "$HOME/docker/filerun/esearch"
    sudo chmod 777 "$HOME/docker/filerun/esearch"

    # IMPORTANT! Should be the same user:group as the owner of the personal data you access via FileRun!
    sudo mkdir -p "$HOME/docker/html"
    sudo chown -R "$USER:$USER" "$HOME/docker/html"
    sudo chmod 755 "$HOME/docker/html"

    # Change OS virtual mem allocation as it is too low by default for ElasticSearch
    sudo sysctl -w vm.max_map_count=262144

    # Make this change permanent
    sudo sh -c "echo 'vm.max_map_count=262144' >> /etc/sysctl.conf"

    3. Command line tools that should be run regularly (nightly).

    With the below commands, the user does not need to be inside the container and can simply use cron on the host, making it completely independent from the container: when the container is recreated, this still works. Saves a lot of time!

    I think this is really a good addition for this part of the documentation, at least a single example of the command to show how to run it from the host, instead of letting users do this within the container:

    https://docs.filerun.com/command_line_tools

    #!/bin/bash
    # FileRun nightly tasks
    # No -it here: cron provides no TTY, and "docker exec -t" fails without one
    docker exec -w /var/www/html/cron filerun php empty_trash.php -days 30
    docker exec -w /var/www/html/cron filerun php paths_cleanup.php
    docker exec -w /var/www/html/cron filerun php metadata_index.php
    docker exec -w /var/www/html/cron filerun php make_thumbs.php
    docker exec -w /var/www/html/cron filerun php process_search_index_queue.php
    docker exec -w /var/www/html/cron filerun php index_filenames.php true
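
A pre-flight check for the "everything with a $" rule in the compose example, added here and not part of the original post: it lists variables the compose file references that have no non-empty value in the .env file, since Compose substitutes an empty string for an unset variable (which would leave, for instance, `JWT_SECRET` or the database password blank). The function names, the constructed sample files, and the choice to look only at .env (not the shell environment) are assumptions of this example.

```shell
#!/bin/bash
# Print every variable referenced as $NAME or ${NAME} in a compose file
# that has no non-empty NAME=value line in the given .env file.
# Assumption: values come from .env only; shell environment is not consulted.
missing_compose_vars() {
    compose_file=$1
    env_file=$2
    # Skip comment-only lines, drop "$$" (a literal dollar in Compose),
    # then extract each referenced name once.
    grep -v '^[[:space:]]*#' "$compose_file" \
        | sed 's/\$\$//g' \
        | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*' \
        | tr -d '${' \
        | sort -u \
        | while read -r name; do
              # Usable definition: NAME= followed by at least one character
              grep -qE "^${name}=.+" "$env_file" || printf '%s\n' "$name"
          done
}

# Constructed sample: a cut-down compose file using three of the post's
# variables, and a .env that leaves one empty and omits another.
demo_missing() {
    dir=$(mktemp -d)
    cat > "$dir/docker-compose.yml" <<'EOF'
services:
  filerun:
    environment:
      FR_DB_PASS: $PW_INT
    labels:
      caddy: files.$DOMAIN, drive.$DOMAIN
      caddy.reverse_proxy: "{{upstreams 80}}"
  onlyoffice:
    environment:
      JWT_SECRET: $ONLYOFFICEJWT
EOF
    printf 'DOMAIN=example.org\nPW_INT=\n' > "$dir/.env"
    missing_compose_vars "$dir/docker-compose.yml" "$dir/.env"
    rm -rf "$dir"
}

demo_missing
```

Run `missing_compose_vars docker-compose.yml .env` before `docker-compose up`; any name it prints needs a value first.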