diff --git a/.github/workflows/collabora.yml b/.github/workflows/collabora.yml deleted file mode 100644 index 92434695..00000000 --- a/.github/workflows/collabora.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: collabora-update - -on: - workflow_dispatch: - schedule: - - cron: '00 12 * * *' - -jobs: - collabora-update: - name: update collabora - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - name: Run collabora-profile-update - run: | - rm -f php/cool-seccomp-profile.json - wget https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/master/docker/cool-seccomp-profile.json - mv cool-seccomp-profile.json php/ - - - name: Create Pull Request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 - with: - commit-message: collabora-seccomp-update automated change - signoff: true - title: collabora seccomp update - body: Automated collabora seccomp profile update - labels: dependencies, 3. to review - milestone: next - branch: collabora-seccomp-update diff --git a/Containers/watchtower/Dockerfile b/Containers/watchtower/Dockerfile index 46f16459..e3858248 100644 --- a/Containers/watchtower/Dockerfile +++ b/Containers/watchtower/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:latest FROM golang:1.25.3-alpine3.22 AS go -ENV WATCHTOWER_COMMIT_HASH=9130559da17f882f2db4dbc2a3ed0425f41f25e4 # v1.12.1 +ENV WATCHTOWER_COMMIT_HASH=v1.12.1 RUN set -ex; \ apk upgrade --no-cache -a; \ diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh index d63dd39e..9c249cb1 100755 --- a/nextcloud-aio-helm-chart/update-helm.sh +++ b/nextcloud-aio-helm-chart/update-helm.sh 
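Review bot: `ENV WATCHTOWER_COMMIT_HASH=v1.12.1` replaces an immutable commit SHA with a git tag, and a tag can be moved or re-pushed upstream, so the build no longer pins exactly what is compiled into the watchtower image. If the trailing `# v1.12.1` on the old line was the problem (Docker does not treat `#` as a comment mid-line, so it likely leaked into the value or broke the checkout), keep the SHA and move the tag into a real comment: `# watchtower v1.12.1` on its own line above `ENV WATCHTOWER_COMMIT_HASH=9130559da17f882f2db4dbc2a3ed0425f41f25e4`. The RUN step that consumes the variable starts after this hunk, so I cannot see whether the checkout is verified against anything else.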
@@ -27,7 +27,7 @@ cp latest.yml latest.yml.backup # Additional config # shellcheck disable=SC1083 -sed -i -E '/^( *- )(NET_RAW|SYS_NICE|MKNOD|SYS_ADMIN|CHOWN|SYS_CHROOT|FOWNER|MAC_OVERRIDE|BLOCK_SUSPEND|AUDIT_READ)$/!s/( *- )([A-Z_]+)$/\1\2=${\2}/' latest.yml +sed -i -E '/^( *- )(NET_RAW|SYS_NICE|MKNOD|SYS_ADMIN|CHOWN|SYS_CHROOT|FOWNER)$/!s/( *- )([A-Z_]+)$/\1\2=${\2}/' latest.yml cp sample.conf /tmp/ sed -i 's|^|export |' /tmp/sample.conf # shellcheck disable=SC1091 diff --git a/php/containers.json b/php/containers.json index 1a775c98..4506c09e 100644 --- a/php/containers.json +++ b/php/containers.json @@ -380,7 +380,7 @@ "internal_port": "9980", "environment": [ "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache:23973", - "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+", + "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+", "dictionaries=%COLLABORA_DICTIONARIES%", "TZ=%TIMEZONE%", "server_name=%NC_DOMAIN%", @@ -399,10 +399,7 @@ "SYS_ADMIN", "SYS_CHROOT", "FOWNER", - "CHOWN", - "MAC_OVERRIDE", - "BLOCK_SUSPEND", - "AUDIT_READ" + "CHOWN" ], "cap_drop": [ "NET_RAW" diff --git a/php/cool-seccomp-profile.json b/php/cool-seccomp-profile.json deleted file mode 100644 index ed2320ca..00000000 --- a/php/cool-seccomp-profile.json +++ /dev/null 
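Review bot: The `cap_add` list for nextcloud-aio-collabora still grants SYS_ADMIN, SYS_CHROOT and MKNOD after this hunk, while the same commit sets `--o:mount_jail_tree=false` in `extra_params` and deletes the custom seccomp profile that gated `mount`/`unshare`/`setns` on those capabilities. Dropping MAC_OVERRIDE, BLOCK_SUSPEND and AUDIT_READ is the right direction, but if Collabora no longer bind-mounts its jails, SYS_ADMIN may be unnecessary as well — worth confirming against the Collabora image, since that capability is the one that makes a container breakout cheap. JSON carries no comments, so a line in the commit message or next to the collabora branch in DockerActionManager stating why each remaining capability is still needed would help the next reviewer.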
@@ -1,844 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "defaultErrnoRet": 1, - "archMap": [ - { - "architecture": "SCMP_ARCH_X86_64", - "subArchitectures": [ - "SCMP_ARCH_X86", - "SCMP_ARCH_X32" - ] - }, - { - "architecture": "SCMP_ARCH_AARCH64", - "subArchitectures": [ - "SCMP_ARCH_ARM" - ] - }, - { - "architecture": "SCMP_ARCH_MIPS64", - "subArchitectures": [ - "SCMP_ARCH_MIPS", - "SCMP_ARCH_MIPS64N32" - ] - }, - { - "architecture": "SCMP_ARCH_MIPS64N32", - "subArchitectures": [ - "SCMP_ARCH_MIPS", - "SCMP_ARCH_MIPS64" - ] - }, - { - "architecture": "SCMP_ARCH_MIPSEL64", - "subArchitectures": [ - "SCMP_ARCH_MIPSEL", - "SCMP_ARCH_MIPSEL64N32" - ] - }, - { - "architecture": "SCMP_ARCH_MIPSEL64N32", - "subArchitectures": [ - "SCMP_ARCH_MIPSEL", - "SCMP_ARCH_MIPSEL64" - ] - }, - { - "architecture": "SCMP_ARCH_S390X", - "subArchitectures": [ - "SCMP_ARCH_S390" - ] - }, - { - "architecture": "SCMP_ARCH_RISCV64", - "subArchitectures": null - } - ], - "syscalls": [ - { - "names": [ - "unshare", - "mount", - "setns", - "clone", - "chroot", - "umount2" - ], - "action": "SCMP_ACT_ALLOW" - }, - { - "names": [ - "accept", - "accept4", - "access", - "adjtimex", - "alarm", - "bind", - "brk", - "cachestat", - "capget", - "capset", - "chdir", - "chmod", - "chown", - "chown32", - "clock_adjtime", - "clock_adjtime64", - "clock_getres", - "clock_getres_time64", - "clock_gettime", - "clock_gettime64", - "clock_nanosleep", - "clock_nanosleep_time64", - "close", - "close_range", - "connect", - "copy_file_range", - "creat", - "dup", - "dup2", - "dup3", - "epoll_create", - "epoll_create1", - "epoll_ctl", - "epoll_ctl_old", - "epoll_pwait", - "epoll_pwait2", - "epoll_wait", - "epoll_wait_old", - "eventfd", - "eventfd2", - "execve", - "execveat", - "exit", - "exit_group", - "faccessat", - "faccessat2", - "fadvise64", - "fadvise64_64", - "fallocate", - "fanotify_mark", - "fchdir", - "fchmod", - "fchmodat", - "fchmodat2", - "fchown", - "fchown32", - "fchownat", - "fcntl", - "fcntl64", - 
"fdatasync", - "fgetxattr", - "flistxattr", - "flock", - "fork", - "fremovexattr", - "fsetxattr", - "fstat", - "fstat64", - "fstatat64", - "fstatfs", - "fstatfs64", - "fsync", - "ftruncate", - "ftruncate64", - "futex", - "futex_requeue", - "futex_time64", - "futex_wait", - "futex_waitv", - "futex_wake", - "futimesat", - "getcpu", - "getcwd", - "getdents", - "getdents64", - "getegid", - "getegid32", - "geteuid", - "geteuid32", - "getgid", - "getgid32", - "getgroups", - "getgroups32", - "getitimer", - "getpeername", - "getpgid", - "getpgrp", - "getpid", - "getppid", - "getpriority", - "getrandom", - "getresgid", - "getresgid32", - "getresuid", - "getresuid32", - "getrlimit", - "get_robust_list", - "getrusage", - "getsid", - "getsockname", - "getsockopt", - "get_thread_area", - "gettid", - "gettimeofday", - "getuid", - "getuid32", - "getxattr", - "inotify_add_watch", - "inotify_init", - "inotify_init1", - "inotify_rm_watch", - "io_cancel", - "ioctl", - "io_destroy", - "io_getevents", - "io_pgetevents", - "io_pgetevents_time64", - "ioprio_get", - "ioprio_set", - "io_setup", - "io_submit", - "ipc", - "kill", - "landlock_add_rule", - "landlock_create_ruleset", - "landlock_restrict_self", - "lchown", - "lchown32", - "lgetxattr", - "link", - "linkat", - "listen", - "listxattr", - "llistxattr", - "_llseek", - "lremovexattr", - "lseek", - "lsetxattr", - "lstat", - "lstat64", - "madvise", - "map_shadow_stack", - "membarrier", - "memfd_create", - "memfd_secret", - "mincore", - "mkdir", - "mkdirat", - "mknod", - "mknodat", - "mlock", - "mlock2", - "mlockall", - "mmap", - "mmap2", - "mprotect", - "mq_getsetattr", - "mq_notify", - "mq_open", - "mq_timedreceive", - "mq_timedreceive_time64", - "mq_timedsend", - "mq_timedsend_time64", - "mq_unlink", - "mremap", - "msgctl", - "msgget", - "msgrcv", - "msgsnd", - "msync", - "munlock", - "munlockall", - "munmap", - "name_to_handle_at", - "nanosleep", - "newfstatat", - "_newselect", - "open", - "openat", - "openat2", - "pause", - 
"pidfd_open", - "pidfd_send_signal", - "pipe", - "pipe2", - "pkey_alloc", - "pkey_free", - "pkey_mprotect", - "poll", - "ppoll", - "ppoll_time64", - "prctl", - "pread64", - "preadv", - "preadv2", - "prlimit64", - "process_mrelease", - "pselect6", - "pselect6_time64", - "pwrite64", - "pwritev", - "pwritev2", - "read", - "readahead", - "readlink", - "readlinkat", - "readv", - "recv", - "recvfrom", - "recvmmsg", - "recvmmsg_time64", - "recvmsg", - "remap_file_pages", - "removexattr", - "rename", - "renameat", - "renameat2", - "restart_syscall", - "rmdir", - "rseq", - "rt_sigaction", - "rt_sigpending", - "rt_sigprocmask", - "rt_sigqueueinfo", - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", - "rt_sigtimedwait_time64", - "rt_tgsigqueueinfo", - "sched_getaffinity", - "sched_getattr", - "sched_getparam", - "sched_get_priority_max", - "sched_get_priority_min", - "sched_getscheduler", - "sched_rr_get_interval", - "sched_rr_get_interval_time64", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", - "sched_setscheduler", - "sched_yield", - "seccomp", - "select", - "semctl", - "semget", - "semop", - "semtimedop", - "semtimedop_time64", - "send", - "sendfile", - "sendfile64", - "sendmmsg", - "sendmsg", - "sendto", - "setfsgid", - "setfsgid32", - "setfsuid", - "setfsuid32", - "setgid", - "setgid32", - "setgroups", - "setgroups32", - "setitimer", - "setpgid", - "setpriority", - "setregid", - "setregid32", - "setresgid", - "setresgid32", - "setresuid", - "setresuid32", - "setreuid", - "setreuid32", - "setrlimit", - "set_robust_list", - "setsid", - "setsockopt", - "set_thread_area", - "set_tid_address", - "setuid", - "setuid32", - "setxattr", - "shmat", - "shmctl", - "shmdt", - "shmget", - "shutdown", - "sigaltstack", - "signalfd", - "signalfd4", - "sigprocmask", - "sigreturn", - "socketcall", - "socketpair", - "splice", - "stat", - "stat64", - "statfs", - "statfs64", - "statx", - "symlink", - "symlinkat", - "sync", - "sync_file_range", - "syncfs", - "sysinfo", - 
"tee", - "tgkill", - "time", - "timer_create", - "timer_delete", - "timer_getoverrun", - "timer_gettime", - "timer_gettime64", - "timer_settime", - "timer_settime64", - "timerfd_create", - "timerfd_gettime", - "timerfd_gettime64", - "timerfd_settime", - "timerfd_settime64", - "times", - "tkill", - "truncate", - "truncate64", - "ugetrlimit", - "umask", - "uname", - "unlink", - "unlinkat", - "utime", - "utimensat", - "utimensat_time64", - "utimes", - "vfork", - "vmsplice", - "wait4", - "waitid", - "waitpid", - "write", - "writev" - ], - "action": "SCMP_ACT_ALLOW" - }, - { - "names": [ - "process_vm_readv", - "process_vm_writev", - "ptrace" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "minKernel": "4.8" - } - }, - { - "names": [ - "socket" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 40, - "op": "SCMP_CMP_NE" - } - ] - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 8, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 131072, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 131080, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "names": [ - "personality" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 4294967295, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "names": [ - "sync_file_range2", - "swapcontext" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "arches": [ - "ppc64le" - ] - } - }, - { - "names": [ - "arm_fadvise64_64", - "arm_sync_file_range", - "sync_file_range2", - "breakpoint", - "cacheflush", - "set_tls" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "arches": [ - "arm", - "arm64" - ] - } - }, - { 
- "names": [ - "arch_prctl" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "arches": [ - "amd64", - "x32" - ] - } - }, - { - "names": [ - "modify_ldt" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "arches": [ - "amd64", - "x32", - "x86" - ] - } - }, - { - "names": [ - "s390_pci_mmio_read", - "s390_pci_mmio_write", - "s390_runtime_instr" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "arches": [ - "s390", - "s390x" - ] - } - }, - { - "names": [ - "riscv_flush_icache" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "arches": [ - "riscv64" - ] - } - }, - { - "names": [ - "open_by_handle_at" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_DAC_READ_SEARCH" - ] - } - }, - { - "names": [ - "bpf", - "clone", - "clone3", - "fanotify_init", - "fsconfig", - "fsmount", - "fsopen", - "fspick", - "lookup_dcookie", - "mount", - "mount_setattr", - "move_mount", - "open_tree", - "perf_event_open", - "quotactl", - "quotactl_fd", - "setdomainname", - "sethostname", - "setns", - "syslog", - "umount", - "umount2", - "unshare" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - } - }, - { - "names": [ - "clone" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 2114060288, - "op": "SCMP_CMP_MASKED_EQ" - } - ], - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ], - "arches": [ - "s390", - "s390x" - ] - } - }, - { - "names": [ - "clone" - ], - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 1, - "value": 2114060288, - "op": "SCMP_CMP_MASKED_EQ" - } - ], - "comment": "s390 parameter ordering for clone is different", - "includes": { - "arches": [ - "s390", - "s390x" - ] - }, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - } - }, - { - "names": [ - "clone3" - ], - "action": "SCMP_ACT_ERRNO", - "errnoRet": 38, - "excludes": { - "caps": [ - "CAP_SYS_ADMIN" - ] - } - }, - { - "names": [ - "reboot" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_BOOT" - ] - 
} - }, - { - "names": [ - "chroot" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_CHROOT" - ] - } - }, - { - "names": [ - "delete_module", - "init_module", - "finit_module" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_MODULE" - ] - } - }, - { - "names": [ - "acct" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_PACCT" - ] - } - }, - { - "names": [ - "kcmp", - "pidfd_getfd", - "process_madvise", - "process_vm_readv", - "process_vm_writev", - "ptrace" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_PTRACE" - ] - } - }, - { - "names": [ - "iopl", - "ioperm" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_RAWIO" - ] - } - }, - { - "names": [ - "settimeofday", - "stime", - "clock_settime", - "clock_settime64" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_TIME" - ] - } - }, - { - "names": [ - "vhangup" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_TTY_CONFIG" - ] - } - }, - { - "names": [ - "get_mempolicy", - "mbind", - "set_mempolicy", - "set_mempolicy_home_node" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYS_NICE" - ] - } - }, - { - "names": [ - "syslog" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_SYSLOG" - ] - } - }, - { - "names": [ - "bpf" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_BPF" - ] - } - }, - { - "names": [ - "perf_event_open" - ], - "action": "SCMP_ACT_ALLOW", - "includes": { - "caps": [ - "CAP_PERFMON" - ] - } - } - ] -} diff --git a/php/psalm-baseline.xml b/php/psalm-baseline.xml index 041cf87c..93ddb312 100644 --- a/php/psalm-baseline.xml +++ b/php/psalm-baseline.xml @@ -1,11 +1,23 @@ + + + + + + + + + + + + @@ -13,8 +25,26 @@ + + + + + + + + + + + + + + + + + + diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php index 2ea04d82..a404e3a3 100644 
--- a/php/src/ContainerDefinitionFetcher.php +++ b/php/src/ContainerDefinitionFetcher.php @@ -38,13 +38,13 @@ readonly class ContainerDefinitionFetcher { */ private function GetDefinition(): array { - $data = json_decode((string)file_get_contents(DataConst::GetContainersDefinitionPath()), true, 512, JSON_THROW_ON_ERROR); + $data = json_decode(file_get_contents(__DIR__ . '/../containers.json'), true); $additionalContainerNames = []; foreach ($this->configurationManager->GetEnabledCommunityContainers() as $communityContainer) { if ($communityContainer !== '') { $path = DataConst::GetCommunityContainersDirectory() . '/' . $communityContainer . '/' . $communityContainer . '.json'; - $additionalData = json_decode((string)file_get_contents($path), true, 512, JSON_THROW_ON_ERROR); + $additionalData = json_decode(file_get_contents($path), true); $data = array_merge_recursive($data, $additionalData); if (isset($additionalData['aio_services_v1'][0]['display_name']) && $additionalData['aio_services_v1'][0]['display_name'] !== '') { // Store container_name of community containers in variable for later diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php index 581550fb..1a2b4461 100644 --- a/php/src/Data/ConfigurationManager.php +++ b/php/src/Data/ConfigurationManager.php @@ -13,7 +13,7 @@ class ConfigurationManager { if(file_exists(DataConst::GetConfigFile())) { - $configContent = (string)file_get_contents(DataConst::GetConfigFile()); + $configContent = file_get_contents(DataConst::GetConfigFile()); return json_decode($configContent, true, 512, JSON_THROW_ON_ERROR); } @@ -80,7 +80,10 @@ class ConfigurationManager return ''; } - $content = (string)file_get_contents(DataConst::GetBackupArchivesList()); + $content = file_get_contents(DataConst::GetBackupArchivesList()); + if ($content === '') { + return ''; + } $lastBackupLines = explode("\n", $content); $lastBackupLine = ""; 
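Review bot: With `JSON_THROW_ON_ERROR` removed, `json_decode` returns `null` on malformed input, so a broken community-container JSON now surfaces as a TypeError from `array_merge_recursive()` (argument #2 must be of type array) instead of a `JsonException` naming the decode failure, and a broken `containers.json` leaves `$data` null before the loop. `file_get_contents()` also returns `false` for a missing file, which `json_decode` quietly turns into `null` as well. I would keep the flag, `$additionalData = json_decode((string)file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);`, or at minimum check `is_array($additionalData)` before merging. `GetDefinition()` continues past this hunk.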
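Review bot: The new guard `if ($content === '')` does not cover the failure return of `file_get_contents()`, which is `false` (unreadable file, permission error) rather than an empty string, so `explode("\n", false)` on the following line still runs; PHP coerces it to `""` with a deprecation notice instead of failing cleanly. Checking both, `if ($content === false || $content === '') { return ''; }`, closes that gap. The `file_exists` check above the hunk does not rule out an unreadable file.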
@@ -105,7 +108,10 @@ class ConfigurationManager return []; } - $content = (string)file_get_contents(DataConst::GetBackupArchivesList()); + $content = file_get_contents(DataConst::GetBackupArchivesList()); + if ($content === '') { + return []; + } $backupLines = explode("\n", $content); $backupTimes = []; @@ -630,7 +636,7 @@ class ConfigurationManager return ""; } - return trim((string)file_get_contents(DataConst::GetBackupPublicKey())); + return trim(file_get_contents(DataConst::GetBackupPublicKey())); } public function GetBorgRestorePassword() : string { @@ -789,7 +795,7 @@ class ConfigurationManager if (!file_exists(DataConst::GetDailyBackupTimeFile())) { return ''; } - $dailyBackupFile = (string)file_get_contents(DataConst::GetDailyBackupTimeFile()); + $dailyBackupFile = file_get_contents(DataConst::GetDailyBackupTimeFile()); $dailyBackupFileArray = explode("\n", $dailyBackupFile); return $dailyBackupFileArray[0]; } @@ -798,7 +804,7 @@ class ConfigurationManager if (!file_exists(DataConst::GetDailyBackupTimeFile())) { return false; } - $dailyBackupFile = (string)file_get_contents(DataConst::GetDailyBackupTimeFile()); + $dailyBackupFile = file_get_contents(DataConst::GetDailyBackupTimeFile()); $dailyBackupFileArray = explode("\n", $dailyBackupFile); if (isset($dailyBackupFileArray[1]) && $dailyBackupFileArray[1] === 'automaticUpdatesAreNotEnabled') { return false; @@ -849,7 +855,8 @@ class ConfigurationManager if (!file_exists(DataConst::GetAdditionalBackupDirectoriesFile())) { return ''; } - return (string)file_get_contents(DataConst::GetAdditionalBackupDirectoriesFile()); + $additionalBackupDirectories = file_get_contents(DataConst::GetAdditionalBackupDirectoriesFile()); + return $additionalBackupDirectories; } public function GetAdditionalBackupDirectoriesArray() : array { 
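Review bot: `GetAdditionalBackupDirectories()` now returns `file_get_contents()` unchecked from a method declared `: string`; on a read failure the value is `false`, which is a TypeError under `strict_types` and silently becomes `''` otherwise. The same applies to `trim(file_get_contents(...))` in the backup public-key hunk and to the two `explode("\n", $dailyBackupFile)` calls, where a false read is coerced to an empty string and `$dailyBackupFileArray[0]` becomes `''` without any signal that the file was unreadable. Handle the failure explicitly at each site, e.g. `$additionalBackupDirectories = file_get_contents(DataConst::GetAdditionalBackupDirectoriesFile()); if ($additionalBackupDirectories === false) { return ''; }`, and use `$content === false || $content === ''` in the new guard for the archives list. The `file_exists` checks above each hunk do not cover an unreadable file.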
@@ -1033,7 +1040,7 @@ class ConfigurationManager apcu_add($filePath, $fileContents); } } - $json = is_string($fileContents) ? json_decode($fileContents, true, 512, JSON_THROW_ON_ERROR) : false; + $json = is_string($fileContents) ? json_decode($fileContents, true) : false; if(is_array($json) && is_array($json['aio_services_v1'])) { foreach ($json['aio_services_v1'] as $service) { $documentation = is_string($service['documentation']) ? $service['documentation'] : ''; diff --git a/php/src/Data/DataConst.php b/php/src/Data/DataConst.php index 099079c6..4f697325 100644 --- a/php/src/Data/DataConst.php +++ b/php/src/Data/DataConst.php @@ -8,7 +8,7 @@ class DataConst { return '/mnt/docker-aio-config/data/'; } - return (string)realpath(__DIR__ . '/../../data/'); + return realpath(__DIR__ . '/../../data/'); } public static function GetSessionDirectory() : string { @@ -16,7 +16,7 @@ class DataConst { return '/mnt/docker-aio-config/session/'; } - return (string)realpath(__DIR__ . '/../../session/'); + return realpath(__DIR__ . '/../../session/'); } public static function GetConfigFile() : string { @@ -56,14 +56,6 @@ class DataConst { } public static function GetCommunityContainersDirectory() : string { - return (string)realpath(__DIR__ . '/../../../community-containers/'); - } - - public static function GetCollaboraSeccompProfilePath() : string { - return (string)realpath(__DIR__ . '/../cool-seccomp-profile.json'); - } - - public static function GetContainersDefinitionPath() : string { - return (string)realpath(__DIR__ . '/../containers.json'); + return realpath(__DIR__ . '/../../../community-containers/'); } } diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php index ffa0ca2a..d46bc5c9 100644 --- a/php/src/Docker/DockerActionManager.php +++ b/php/src/Docker/DockerActionManager.php 
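Review bot: `realpath()` returns `false` when the target does not exist, and each of these methods declares `: string`, so a missing `data/`, `session/` or `community-containers/` directory now ends in a TypeError at the return instead of the `''` the old cast produced. Neither is a good outcome for a path that callers concatenate onto (`GetCommunityContainersDirectory() . '/' . $communityContainer` in ContainerDefinitionFetcher), so make the failure explicit: `return realpath(__DIR__ . '/../../../community-containers/') ?: throw new \RuntimeException('community-containers directory not found');`. The same pattern fits the two `realpath` returns earlier in the hunk.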
@@ -7,7 +7,6 @@ use AIO\Container\ContainerState; use AIO\Container\VersionState; use AIO\ContainerDefinitionFetcher; use AIO\Data\ConfigurationManager; -use AIO\Data\DataConst; use GuzzleHttp\Client; use GuzzleHttp\Exception\RequestException; use http\Env\Response; @@ -48,7 +47,7 @@ readonly class DockerActionManager { throw $e; } - $responseBody = json_decode((string)$response->getBody(), true, 512, JSON_THROW_ON_ERROR); + $responseBody = json_decode((string)$response->getBody(), true); if ($responseBody['State']['Running'] === true) { return ContainerState::Running; @@ -68,7 +67,7 @@ readonly class DockerActionManager { throw $e; } - $responseBody = json_decode((string)$response->getBody(), true, 512, JSON_THROW_ON_ERROR); + $responseBody = json_decode((string)$response->getBody(), true); if ($responseBody['State']['Restarting'] === true) { return ContainerState::Restarting; @@ -384,10 +383,9 @@ readonly class DockerActionManager { } } } - - // Special things for the talk container which should not be exposed in the containers.json + // Special things for the talk container which should not be exposed in the containers.json } elseif ($container->GetIdentifier() === 'nextcloud-aio-talk') { - // This is needed due to a bug in libwebsockets used in Janus which cannot handle unlimited ulimits + // This is needed due to a bug in libwebsockets which cannot handle unlimited ulimits $requestBody['HostConfig']['Ulimits'] = [["Name" => "nofile", "Hard" => 200000, "Soft" => 200000]]; // // Special things for the nextcloud container which should not be exposed in the containers.json // } elseif ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') { 
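Review bot: `json_decode((string)$response->getBody(), true)` now yields `null` on a non-JSON body, and the next line indexes `$responseBody['State']['Running']` on it; in PHP 8 that is a warning plus `null`, so the `=== true` comparison is false and the container is reported as not running instead of the request being treated as failed. The try/catch above the hunk appears to cover only the HTTP request, as far as this hunk shows. Keeping `JSON_THROW_ON_ERROR`, or guarding with `if (!is_array($responseBody)) { throw new \RuntimeException('Unexpected response from the Docker API'); }` before the state checks, keeps a malformed socket reply from being read as a state. The same applies to the Restarting hunk below.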
@@ -397,19 +395,11 @@ readonly class DockerActionManager { // } // $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]]; // } - - // Special things for the caddy community container + // Special things for the caddy community container } elseif ($container->GetIdentifier() === 'nextcloud-aio-caddy') { $requestBody['HostConfig']['ExtraHosts'] = ['host.docker.internal:host-gateway']; - - // Special things for the collabora container which should not be exposed in the containers.json + // Special things for the collabora container which should not be exposed in the containers.json } elseif ($container->GetIdentifier() === 'nextcloud-aio-collabora') { - // Load reference seccomp profile for collabora - $seccompProfile = (string)file_get_contents(DataConst::GetCollaboraSeccompProfilePath()); - $seccompProfile = addslashes($seccompProfile); - $requestBody['HostConfig']['SecurityOpt'] = ["label:disable", "seccomp=$seccompProfile", "no-new-privileges=true", "apparmor=unconfined"]; - - // Additional Collabora options if ($this->configurationManager->GetAdditionalCollaboraOptions() !== '') { $requestBody['Cmd'] = [$this->configurationManager->GetAdditionalCollaboraOptions()]; } 
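Review bot: Removing the `SecurityOpt` assignment drops `no-new-privileges=true` together with the custom seccomp profile, `label:disable` and `apparmor=unconfined`; the last three were relaxations and Docker's defaults are stricter, but `no-new-privileges` was the one hardening flag in that list, and this container keeps SYS_ADMIN, SYS_CHROOT and MKNOD in its `cap_add` per containers.json in this same commit. If the intent is to fall back to Docker's default seccomp and AppArmor policy, say so here, e.g. `// No custom SecurityOpt: Docker's default seccomp and AppArmor profiles apply`, and I would keep `$requestBody['HostConfig']['SecurityOpt'] = ['no-new-privileges=true'];` unless Collabora's forkit binaries are known to depend on file capabilities, which no_new_privs suppresses on execve. The elseif chain this branch belongs to starts and ends outside the hunk.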
@@ -643,11 +633,11 @@ readonly class DockerActionManager { private function GetRepoDigestsOfContainer(string $containerName): ?array { try { $containerUrl = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName)); - $containerOutput = json_decode($this->guzzleClient->get($containerUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR); + $containerOutput = json_decode($this->guzzleClient->get($containerUrl)->getBody()->getContents(), true); $imageName = $containerOutput['Image']; $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $imageName)); - $imageOutput = json_decode($this->guzzleClient->get($imageUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR); + $imageOutput = json_decode($this->guzzleClient->get($imageUrl)->getBody()->getContents(), true); if (!isset($imageOutput['RepoDigests'])) { error_log('RepoDigests is not set of container ' . $containerName); @@ -691,7 +681,7 @@ readonly class DockerActionManager { $containerName = 'nextcloud-aio-mastercontainer'; $url = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName)); try { - $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR); + $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true); $imageNameArray = explode(':', $output['Config']['Image']); if (count($imageNameArray) === 2) { $imageName = $imageNameArray[0]; @@ -718,7 +708,7 @@ readonly class DockerActionManager { $containerName = 'nextcloud-aio-mastercontainer'; $url = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName)); try { - $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR); + $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true); $tagArray = explode(':', $output['Config']['Image']); if (count($tagArray) === 2) { $tag = $tagArray[1]; 
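Review bot: `$containerOutput['Image']` is read straight from the decoded body, and without `JSON_THROW_ON_ERROR` a non-JSON reply decodes to `null`, so `$imageName` becomes `null`, `sprintf('images/%s/json', null)` yields `images//json`, and a second request goes out before the existing `isset($imageOutput['RepoDigests'])` check can log anything. The `isset` guard already used for RepoDigests is the right pattern; mirroring it for the first lookup, `if (!is_array($containerOutput) || !isset($containerOutput['Image'])) { error_log('Image is not set of container ' . $containerName); return null; }`, keeps the failure local and logged. The try block's catch lies outside the hunk, so I cannot tell whether a TypeError here would be caught.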
@@ -782,9 +772,7 @@ readonly class DockerActionManager { ], ] )->getBody()->getContents(), - true, - 512, - JSON_THROW_ON_ERROR, + true ); $id = $response['Id']; @@ -926,7 +914,7 @@ readonly class DockerActionManager { throw $e; } - $responseBody = json_decode((string)$response->getBody(), true, 512, JSON_THROW_ON_ERROR); + $responseBody = json_decode((string)$response->getBody(), true); $exitCode = $responseBody['State']['ExitCode']; if (is_int($exitCode)) { @@ -948,7 +936,7 @@ readonly class DockerActionManager { throw $e; } - $responseBody = json_decode((string)$response->getBody(), true, 512, JSON_THROW_ON_ERROR); + $responseBody = json_decode((string)$response->getBody(), true); $exitCode = $responseBody['State']['ExitCode']; if (is_int($exitCode)) { @@ -980,7 +968,7 @@ readonly class DockerActionManager { $imageName = $imageName . ':' . $this->GetCurrentChannel(); try { $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $imageName)); - $imageOutput = json_decode($this->guzzleClient->get($imageUrl)->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR); + $imageOutput = json_decode($this->guzzleClient->get($imageUrl)->getBody()->getContents(), true); if (!isset($imageOutput['Created'])) { error_log('Created is not set of image ' . $imageName); diff --git a/php/src/Docker/DockerHubManager.php b/php/src/Docker/DockerHubManager.php index 256d592e..9bf4ad29 100644 --- a/php/src/Docker/DockerHubManager.php +++ b/php/src/Docker/DockerHubManager.php @@ -30,7 +30,7 @@ readonly class DockerHubManager { 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:' . $name . ':pull' ); $body = $authTokenRequest->getBody()->getContents(); - $decodedBody = json_decode($body, true, 512, JSON_THROW_ON_ERROR); + $decodedBody = json_decode($body, true); if(isset($decodedBody['token'])) { $authToken = $decodedBody['token']; $manifestRequest = $this->guzzleClient->request( 
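Review bot: The Docker Hub token endpoint reply is decoded without `JSON_THROW_ON_ERROR`, so a non-JSON response (an HTML error page or rate-limit body from auth.docker.io) becomes `null`, `isset($decodedBody['token'])` is false and the manifest lookup is silently skipped, whereas the caller previously received a `JsonException` it could report. If the silent skip is intended, the reason belongs in a comment above the `isset`; otherwise keep `$decodedBody = json_decode($body, true, 512, JSON_THROW_ON_ERROR);` so an upstream outage is distinguishable from "no newer image". The surrounding try/catch, if any, is outside the hunk.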
diff --git a/php/src/Docker/GitHubContainerRegistryManager.php b/php/src/Docker/GitHubContainerRegistryManager.php index eeecfb28..d885ae09 100644 --- a/php/src/Docker/GitHubContainerRegistryManager.php +++ b/php/src/Docker/GitHubContainerRegistryManager.php @@ -31,7 +31,7 @@ readonly class GitHubContainerRegistryManager 'https://ghcr.io/token?scope=repository:' . $name . ':pull' ); $body = $authTokenRequest->getBody()->getContents(); - $decodedBody = json_decode($body, true, 512, JSON_THROW_ON_ERROR); + $decodedBody = json_decode($body, true); if (isset($decodedBody['token'])) { $authToken = $decodedBody['token']; $manifestRequest = $this->guzzleClient->request(
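Review bot: Same gap as in DockerHubManager: the ghcr.io token reply is decoded without `JSON_THROW_ON_ERROR`, so a non-JSON body decodes to `null`, `isset($decodedBody['token'])` fails and the update check quietly returns as if nothing were available, with no log line to point at the registry. Keeping `$decodedBody = json_decode($body, true, 512, JSON_THROW_ON_ERROR);` preserves the distinction between a registry error and a clean "no token". The enclosing method and its error handling continue outside the hunk.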