From 9a787dd105edeea5fdb309a50f2b47155937c5ed Mon Sep 17 00:00:00 2001 From: BlackDex Date: Tue, 19 Jul 2022 18:39:42 +0200 Subject: [PATCH] Fix persistent folder check within containers The previous persistent folder check worked by checking if a file exists. If you used a bind-mount, then this file is not there. But when using a docker/podman volume those files are copied, and caused the container to not start. This change checks the `/proc/self/mountinfo` for a specific patern to see if the data folder is persistent or not. Fixes #2622 --- docker/Dockerfile.j2 | 9 ----- docker/amd64/Dockerfile | 9 ----- docker/amd64/Dockerfile.alpine | 9 ----- docker/amd64/Dockerfile.buildx | 9 ----- docker/amd64/Dockerfile.buildx.alpine | 9 ----- docker/arm64/Dockerfile | 9 ----- docker/arm64/Dockerfile.alpine | 9 ----- docker/arm64/Dockerfile.buildx | 9 ----- docker/arm64/Dockerfile.buildx.alpine | 9 ----- docker/armv6/Dockerfile | 9 ----- docker/armv6/Dockerfile.alpine | 9 ----- docker/armv6/Dockerfile.buildx | 9 ----- docker/armv6/Dockerfile.buildx.alpine | 9 ----- docker/armv7/Dockerfile | 9 ----- docker/armv7/Dockerfile.alpine | 9 ----- docker/armv7/Dockerfile.buildx | 9 ----- docker/armv7/Dockerfile.buildx.alpine | 9 ----- src/main.rs | 48 ++++++++++++++++++++++++--- 18 files changed, 43 insertions(+), 158 deletions(-) diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index 3778513ec4..4a4a98d54d 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 
@@ -181,14 +181,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -250,7 +242,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check {% if package_arch_target is defined %} COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden . {% else %} diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile index fba481a1ea..34891a7ed3 100644 --- a/docker/amd64/Dockerfile +++ b/docker/amd64/Dockerfile 
@@ -84,14 +84,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -124,7 +116,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine index ef4631a9c3..9d36fd3f6d 100644 --- a/docker/amd64/Dockerfile.alpine +++ b/docker/amd64/Dockerfile.alpine 
@@ -78,14 +78,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -116,7 +108,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/amd64/Dockerfile.buildx b/docker/amd64/Dockerfile.buildx index 883869deee..6c66d59ceb 100644 --- a/docker/amd64/Dockerfile.buildx +++ b/docker/amd64/Dockerfile.buildx 
@@ -84,14 +84,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -124,7 +116,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/amd64/Dockerfile.buildx.alpine b/docker/amd64/Dockerfile.buildx.alpine index c59044e9d5..b2ecabc447 100644 --- a/docker/amd64/Dockerfile.buildx.alpine +++ b/docker/amd64/Dockerfile.buildx.alpine 
@@ -78,14 +78,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -116,7 +108,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile index 145b65868a..6fa6bfae30 100644 --- a/docker/arm64/Dockerfile +++ b/docker/arm64/Dockerfile 
@@ -104,14 +104,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -148,7 +140,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine index f19a142bf8..b998c7c4d8 100644 --- a/docker/arm64/Dockerfile.alpine +++ b/docker/arm64/Dockerfile.alpine 
@@ -78,14 +78,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -120,7 +112,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/arm64/Dockerfile.buildx b/docker/arm64/Dockerfile.buildx index 4ace6f450b..1f582af8eb 100644 --- a/docker/arm64/Dockerfile.buildx +++ b/docker/arm64/Dockerfile.buildx 
@@ -104,14 +104,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -148,7 +140,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/arm64/Dockerfile.buildx.alpine b/docker/arm64/Dockerfile.buildx.alpine index 8628104525..358e500166 100644 --- a/docker/arm64/Dockerfile.buildx.alpine +++ b/docker/arm64/Dockerfile.buildx.alpine 
@@ -78,14 +78,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -120,7 +112,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile index 94375eb64a..0bbaeca7e0 100644 --- a/docker/armv6/Dockerfile +++ b/docker/armv6/Dockerfile 
@@ -104,14 +104,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -153,7 +145,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine index 033fa5f019..ef4a198f4a 100644 --- a/docker/armv6/Dockerfile.alpine +++ b/docker/armv6/Dockerfile.alpine 
@@ -80,14 +80,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -122,7 +114,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv6/Dockerfile.buildx b/docker/armv6/Dockerfile.buildx index 1feee4f77e..17d5b8da3e 100644 --- a/docker/armv6/Dockerfile.buildx +++ b/docker/armv6/Dockerfile.buildx 
@@ -104,14 +104,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -153,7 +145,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv6/Dockerfile.buildx.alpine b/docker/armv6/Dockerfile.buildx.alpine index f1240f724c..ff93af8a11 100644 --- a/docker/armv6/Dockerfile.buildx.alpine +++ b/docker/armv6/Dockerfile.buildx.alpine 
@@ -80,14 +80,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -122,7 +114,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile index ac35c663f7..25c91be173 100644 --- a/docker/armv7/Dockerfile +++ b/docker/armv7/Dockerfile 
@@ -104,14 +104,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -148,7 +140,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine index 4aec831a53..d737b1f484 100644 --- a/docker/armv7/Dockerfile.alpine +++ b/docker/armv7/Dockerfile.alpine 
@@ -78,14 +78,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -120,7 +112,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv7/Dockerfile.buildx b/docker/armv7/Dockerfile.buildx index d75dd8476c..7bbded882d 100644 --- a/docker/armv7/Dockerfile.buildx +++ b/docker/armv7/Dockerfile.buildx 
@@ -104,14 +104,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -148,7 +140,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/docker/armv7/Dockerfile.buildx.alpine b/docker/armv7/Dockerfile.buildx.alpine index e90df821d1..ffa5dcf209 100644 --- a/docker/armv7/Dockerfile.buildx.alpine +++ b/docker/armv7/Dockerfile.buildx.alpine 
@@ -78,14 +78,6 @@ RUN touch src/main.rs # hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf -# Create a special empty file which we check within the application. -# If this file exists, then we exit Vaultwarden to prevent data loss when someone forgets to use volumes. -# If you really really want to use volatile storage you can set the env `I_REALLY_WANT_VOLATILE_STORAGE=true` -# This file should disappear if a volume is mounted on-top of this using a docker volume. -# We run this in the build image and copy it over, because the runtime image could be missing some executables. -# hadolint ignore=DL3059 -RUN touch /vaultwarden_docker_persistent_volume_check - ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -120,7 +112,6 @@ EXPOSE 3012 # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault -COPY --from=build /vaultwarden_docker_persistent_volume_check /data/vaultwarden_docker_persistent_volume_check COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . COPY docker/healthcheck.sh /healthcheck.sh diff --git a/src/main.rs b/src/main.rs index 20f40bc51a..ad47f3c5c5 100644 --- a/src/main.rs +++ b/src/main.rs @@ -61,6 +61,11 @@ use std::{ thread, }; +use tokio::{ + fs::File, + io::{AsyncBufReadExt, BufReader}, +}; + #[macro_use] mod error; mod api; @@ -89,7 +94,7 @@ async fn main() -> Result<(), Error> { let extra_debug = matches!(level, LF::Trace | LF::Debug); - check_data_folder(); + check_data_folder().await; check_rsa_keys().unwrap_or_else(|_| { error!("Error creating keys, exiting..."); exit(1); 
@@ -286,7 +291,7 @@ fn create_dir(path: &str, description: &str) { create_dir_all(path).expect(&err_msg); } -fn check_data_folder() { +async fn check_data_folder() { let data_folder = &CONFIG.data_folder(); let path = Path::new(data_folder); if !path.exists() { @@ -299,9 +304,10 @@ fn check_data_folder() { exit(1); } - let persistent_volume_check_file = format!("{data_folder}/vaultwarden_docker_persistent_volume_check"); - let check_file = Path::new(&persistent_volume_check_file); - if check_file.exists() && std::env::var("I_REALLY_WANT_VOLATILE_STORAGE").is_err() { + if is_running_in_docker() + && std::env::var("I_REALLY_WANT_VOLATILE_STORAGE").is_err() + && !docker_data_folder_is_persistent(data_folder).await + { error!( "No persistent volume!\n\ ########################################################################################\n\ 
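Review bot: The new three-part condition in check_data_folder is left without any comment, and the explanation that used to live in the deleted Dockerfile comment block (why the check only matters in a container, what the env override means) now exists nowhere in the source. A short comment above the `if` would carry it: `// Inside Docker/Podman an anonymous volume on DATA_FOLDER is discarded with the container; warn unless the operator explicitly opted in with I_REALLY_WANT_VOLATILE_STORAGE.` `is_running_in_docker()` is not introduced by this patch, so it presumably already exists elsewhere in the file; its short-circuit position means mountinfo is only read inside a container, which is worth stating in that comment too. The `error!` block and the rest of check_data_folder continue past the end of the hunk.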
@@ -314,6 +320,38 @@ fn check_data_folder() { } } +/// Detect when using Docker or Podman the DATA_FOLDER is either a bind-mount or a volume created manually. +/// If not created manually, then the data will not be persistent. +/// A none persistent volume in either Docker or Podman is represented by a 64 alphanumerical string. +/// If we detect this string, we will alert about not having a persistent self defined volume. +/// This probably means that someone forgot to add `-v /path/to/vaultwarden_data/:/data` +async fn docker_data_folder_is_persistent(data_folder: &str) -> bool { + if let Ok(mountinfo) = File::open("/proc/self/mountinfo").await { + // Since there can only be one mountpoint to the DATA_FOLDER + // We do a basic check for this mountpoint surrounded by a space. + let data_folder_match = if data_folder.starts_with('/') { + format!(" {data_folder} ") + } else { + format!(" /{data_folder} ") + }; + let mut lines = BufReader::new(mountinfo).lines(); + while let Some(line) = lines.next_line().await.unwrap_or_default() { + // Only execute a regex check if we find the base match + if line.contains(&data_folder_match) { + let re = regex::Regex::new(r"/volumes/[a-z0-9]{64}/_data /").unwrap(); + if re.is_match(&line) { + return false; + } + // If we did found a match for the mountpoint, but not the regex, then still stop searching. + break; + } + } + } + // In all other cases, just assume a true. + // This is just an informative check to try and prevent data loss. + true +} + fn check_rsa_keys() -> Result<(), crate::error::Error> { // If the RSA keys don't exist, try to create them let priv_path = CONFIG.private_rsa_key();
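Review bot: docker_data_folder_is_persistent fails open on every error path, and silently: a failed `File::open` of /proc/self/mountinfo and a read error inside `next_line()` (turned into end-of-input by `unwrap_or_default()`) both fall through to `true`, so the only guard against running on an anonymous volume disappears exactly when detection is broken. Log those two cases before returning (the `warn!` macro presumably sits beside the `error!` the file already uses) and read with an explicit `match` so an `Err` is distinguishable from EOF. The match key also assumes CONFIG.data_folder() has no trailing slash: mountinfo prints the mount point as `" /data "`, so a configured `/data/` produces `" /data/ "`, never matches, and the check is skipped; `trim_end_matches('/')` avoids that. The closing comment should also say the function is fail-open by design (an informational check, not a guarantee) so a later reader does not treat `true` as proof of persistence.
```rust
async fn docker_data_folder_is_persistent(data_folder: &str) -> bool {
    let mountinfo = match File::open("/proc/self/mountinfo").await {
        Ok(file) => file,
        Err(e) => {
            // Fail open, but say so: without mountinfo we cannot tell an anonymous volume apart.
            warn!("Unable to read /proc/self/mountinfo, skipping persistent volume check: {e}");
            return true;
        }
    };
    // mountinfo lists the mount point as a space-delimited field without a trailing '/',
    // so normalise DATA_FOLDER before building the search key.
    let data_folder = data_folder.trim_end_matches('/');
    let data_folder_match = if data_folder.starts_with('/') {
        format!(" {data_folder} ")
    } else {
        format!(" /{data_folder} ")
    };
    let mut lines = BufReader::new(mountinfo).lines();
    loop {
        let line = match lines.next_line().await {
            Ok(Some(line)) => line,
            Ok(None) => break,
            Err(e) => {
                warn!("Error reading /proc/self/mountinfo, skipping persistent volume check: {e}");
                return true;
            }
        };
        // … unchanged: contains() pre-check, anonymous-volume regex match, break …
    }
    // Fail-open by design: this is an informational check to help prevent data loss,
    // not a guarantee that the folder is persistent.
    true
}
```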