* Automatic Dockerfile update by release process

Improve clarity of comments re: security of port mapping

Dockerfile

@@ -1,11 +1,11 @@
 # Build time variables
 
-ARG SRCIMAGE=debian:bullseye-slim
+ARG SRCIMAGE=debian:bookworm-slim
 
 
 FROM  $SRCIMAGE AS builder
 
-ARG LSMB_VERSION="1.10.29"
+ARG LSMB_VERSION="1.11.7"
 ARG LSMB_DL_DIR="Releases"
 ARG ARTIFACT_LOCATION="https://download.ledgersmb.org/f/$LSMB_DL_DIR/$LSMB_VERSION/ledgersmb-$LSMB_VERSION.tar.gz"
 
@@ -51,7 +51,7 @@ LABEL org.opencontainers.image.description="LedgerSMB is a full featured double-
  the LedgerSMB project is to bring high quality ERP and accounting capabilities\
  to Small and Midsize Businesses."
 
-ARG LSMB_VERSION="1.10.29"
+ARG LSMB_VERSION="1.11.7"
 ARG LSMB_DL_DIR="Releases"
 ARG ARTIFACT_LOCATION="https://download.ledgersmb.org/f/$LSMB_DL_DIR/$LSMB_VERSION/ledgersmb-$LSMB_VERSION.tar.gz"
 
@@ -61,8 +61,6 @@ ARG ARTIFACT_LOCATION="https://download.ledgersmb.org/f/$LSMB_DL_DIR/$LSMB_VERSI
 
 # Installing psql client directly from instructions at https://wiki.postgresql.org/wiki/Apt
 # That mitigates issues where the PG instance is running a newer version than this container
-# Install Locale::Codes Locale::Country Locale::Language from CPAN to suppress
-# deprecation-as-core-module warning
 
 
 COPY --from=builder /srv/derived-deps /tmp/derived-deps
@@ -128,7 +126,9 @@ ENV DEFAULT_DB lsmb
 COPY start.sh /usr/local/bin/start.sh
 
 RUN chmod +x /usr/local/bin/start.sh && \
-  mkdir -p /var/www
+  mkdir -p /var/www && \
+  mkdir -p /srv/ledgersmb/local/conf && \
+  chown -R www-data /srv/ledgersmb/local
 
 # Work around an aufs bug related to directory permissions:
 RUN mkdir -p /tmp && chmod 1777 /tmp

README.md

@@ -203,6 +203,47 @@ The following parameters are now supported to set mail preferences:
 
 # Advanced setup
 
+## Changing configuration
+
+The configuration file is stored in /srv/ledgersmb/local/conf/. By mounting
+that directory using a bind-mount to a location outside the container,
+configuration can be changed between container starts:
+
+```plain
+ $ docker run -d -p 5762:5762 --name myledger \
+     --mount 'type=bind,src=/home/ledgersmb/conf,dst=/srv/ledgersmb/local/conf \
+     -e POSTGRES_HOST=<ip/hostname> ledgersmb/ledgersmb:latest
+```
+
+## Overriding or adding configuration
+
+By pre-creating a configuration file in the mounted configuration directory,
+the standard configuration generation process in the container can be overruled:
+
+```plain
+ $ cat <<EOF > /home/ledgersmb/conf/ledgersmb.yaml
+   ... YOUR CONFIG HERE ...
+ EOF
+ $ docker run -d -p 5762:5762 --name myledger \
+     --mount 'type=bind,src=/home/ledgersmb/conf,dst=/srv/ledgersmb/local/conf \
+     -e POSTGRES_HOST=<ip/hostname> ledgersmb/ledgersmb:latest
+```
+
+If you do not want to completely overrule the configuration generated, but instead
+supplement the configuration, you can put incremental configuration snippets in
+files named `ledgersmb.XXX.yaml` in the same folder. E.g.:
+
+```plain
+ $ cat <<EOF > /home/ledgersmb/conf/ledgersmb.001.yaml
+ logging:
+   file: ledgersmb.logging
+ EOF
+```
+
+[Documentation with respect to the available configuration
+keys](https://github.com/ledgersmb/LedgerSMB/blob/master/doc/conf/ledgersmb.yaml)
+is available in the LedgerSMB repository.
+
 ## Docker Compose with reverse proxy
 
 The `docker-compose-reverseproxy.yml` file shows a docker-compose setup

docker-compose.yml

@@ -16,7 +16,7 @@ services:
   # because that allows us to use the default hostname ("postgres")
   # from the LedgerSMB configuration
   postgres:
-    image: postgres:12-alpine
+    image: postgres:15-alpine
     environment:
       # Replace the password below for a secure setup
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-abc}
@@ -31,16 +31,24 @@ services:
   lsmb:
     depends_on:
       - postgres
-    image: ghcr.io/ledgersmb/ledgersmb:1.10
+    image: ghcr.io/ledgersmb/ledgersmb:1.11
+      # In order to store the configuration outside the image, allowing it to
+      # be edited between container restarts, uncomment the section below and
+      # change the 'source' to the directory where you want the configuration
+      # to be stored.
+    # volumes:
+    #   - type: bind
+    #     source: /home/ledgersmb/conf
+    #     target: /srv/ledgersmb/local/conf
     networks:
       - internal
       - default
     # Comment the 'ports' section to disable mapping the LedgerSMB container port (5762)
-    #  to the host's port of the same number, thus making LedgerSMB
+    #  to the host's port of the same number. Mapping "5762:5762" makes LedgerSMB
     #  available on http://<host-dns-or-ip>:5762/
-    #     SECURITY NOTE: Do this for evaluation purposes only!
+    #     SECURITY NOTE:  Leave this uncommented for evaluation purposes only!
-    #       In production, be sure to use SSL/TLS to protect user's passwords
+    #       In production, be sure to use SSL/TLS (such as by reverse proxying) to protect 
-    #       and other sensitive data
+    #       user's passwords and other sensitive data
     ports:
       - "5762:5762"
     environment:

start.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 cd /srv/ledgersmb
-
+[[ -d ./local/conf/ ]] || mkdir ./local/conf/
 if [[ -n "$SSMTP_ROOT" ]]; then
     echo "\$SSMTP_ROOT set; parameter is deprecated and will be ignored"
     LSMB_HAVE_DEPRECATED=1
@@ -68,27 +68,82 @@ if [[ -n "$LSMB_HAVE_DEPRECATED" ]]; then
 fi
 
 
-if [[ ! -f ledgersmb.conf ]]; then
+if [[ ! -f ./local/conf/ledgersmb.yaml ]]; then
-  cat <<EOF >/tmp/ledgersmb.conf
+  cat <<EOF >./local/conf/ledgersmb.yaml
-[main]
+paths:
-cache_templates = 1
+  \$class: Beam::Wire
-[database]
+  config:
-host = $POSTGRES_HOST
+    UI: ./UI/
-port = $POSTGRES_PORT
+    UI_cache: lsmb_templates/
-default_db = $DEFAULT_DB
+
-[mail]
+db:
-${LSMB_MAIL_SMTPHOST:+smtphost=$LSMB_MAIL_SMTPHOST
+  \$class: LedgerSMB::Database::Factory
-}${LSMB_MAIL_SMTPPORT:+smtpport=$LSMB_MAIL_SMTPPORT
+  connect_data:
-}${LSMB_MAIL_SMTPSENDER_HOSTNAME:+smtpsender_hostname=$LSMB_MAIL_SMTPSENDER_HOSTNAME
+    host: ${POSTGRES_HOST:-postgres}
-}${LSMB_MAIL_SMTPTLS:+smtptls=$LSMB_MAIL_SMTPTLS
+    port: ${POSTGRES_PORT:-5432}
-}${LSMB_MAIL_SMTPUSER:+smtpuser=$LSMB_MAIL_SMTPUSER
+
-}${LSMB_MAIL_SMTPPASS:+smtppass=$LSMB_MAIL_SMTPPASS
+mail:
-}${LSMB_MAIL_SMTPAUTHMECH:+smtpauthmech=$LSMB_MAIL_SMTPAUTHMECH
+  transport:
-}
+    \$class: LedgerSMB::Mailer::TransportSMTP
-[proxy]
+    tls: $LSMB_MAIL_SMTPTLS
-ip=${PROXY_IP:-172.17.0.1/12}
+
+miscellaneous:
+  \$class: Beam::Wire
+  config:
+    proxy_ip: ${PROXY_IP:-172.17.0.1/12}
+
+ui:
+  class: LedgerSMB::Template::UI
+  method: new_UI
+  lifecycle: eager
+  args:
+    cache:
+      \$ref: paths/UI_cache
+    root:
+      \$ref: paths/UI
 EOF
-  export LSMB_CONFIG_FILE='/tmp/ledgersmb.conf'
+
+  if [[ -n "$LSMB_MAIL_SMTPHOST" ]]
+  then
+      cat <<EOF >./local/conf/ledgersmb.000.yaml
+mail:
+  transport:
+    host: $LSMB_MAIL_SMTPHOST
+EOF
+  fi
+
+  if [[ -n "$LSMB_MAIL_SMTPPORT" ]]
+  then
+      cat <<EOF >./local/conf/ledgersmb.001.yaml
+mail:
+  transport:
+    port: $LSMB_MAIL_SMTPPORT
+EOF
+  fi
+
+  if [[ -n "$LSMB_MAIL_SMTPSENDER_HOSTNAME" ]]
+  then
+      cat <<EOF >./local/conf/ledgersmb.002.yaml
+mail:
+  transport:
+    helo: $LSMB_MAIL_SMTPSENDER_HOSTNAME
+EOF
+  fi
+
+  if [[ -n "$LSMB_MAIL_SMTPUSER" ]]
+  then
+      cat <<EOF >./local/conf/ledgersmb.003.yaml
+mail:
+  transport:
+    sasl_password: ''
+    sasl_username:
+      \$class: Authen::SASL
+      mechanism: $LSMB_MAIL_SMTPAUTHMECH
+      callback:
+        user: $LSMB_MAIL_SMTPUSER
+        pass: $LSMB_MAIL_SMTPPASS
+EOF
+  fi
 fi
 
 # start ledgersmb
@@ -96,12 +151,14 @@ fi
 # starman instance (instead of just the worker, which will immediately
 # get restarted) on error; it also has a positive effect on memory use
 
+LSMB_CONFIG_FILE=${LSMB_CONFIG_FILE:-./local/conf/ledgersmb.yaml}
+export LSMB_CONFIG_FILE
 echo '--------- LEDGERSMB CONFIGURATION:  ledgersmb.conf'
-cat ${LSMB_CONFIG_FILE:-ledgersmb.conf}
+cat ${LSMB_CONFIG_FILE}
 echo '--------- LEDGERSMB CONFIGURATION --- END'
 
 # ':5762:' suppresses an uninitialized variable warning in starman
 # the last colon means "don't connect using tls"; without it, there's a warning
-exec starman --listen :5762: --workers ${LSMB_WORKERS:-5} \
+exec starman --listen 0.0.0.0:5762 --workers ${LSMB_WORKERS:-5} \
              -I lib -I old/lib \
              --preload-app bin/ledgersmb-server.psgi