dokku · josegonzalez · Sep 21, 2024 · Sep 21, 2024 · Sep 21, 2024 · Sep 21, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -70,7 +70,7 @@ jobs:
       - name: set matrix for build
         id: set-matrix
         run: |
-          json=$(python .github/commands/matrix)
+          json=$(python3 .github/commands/matrix)
           echo $json
           echo "matrix=$json" >> $GITHUB_OUTPUT
 
@@ -167,11 +167,15 @@ jobs:
       - name: ci-setup
         run: ./.github/commands/ci-setup
 
+      - name: docker-container-setup
+        run: |
+          ./tests/ci/setup.sh docker
+
       - name: test docker deploys
         shell: bash
         timeout-minutes: 20
         run: |
-          ./tests/ci/setup.sh docker
+          docker exec dokku bash -c "cat /etc/sudoers.d/dokku-nginx"
           DOKKU_SSH_PORT=3022 sudo -E make -e test-ci-docker
 
   go-tests:

diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,4 @@ tmp
 coverage.out
 site
 go.work.sum
+node_modules
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM phusion/baseimage:focal-1.2.0
+FROM phusion/baseimage:noble-1.0.0
 
 CMD ["/sbin/my_init"]
 
@@ -35,7 +35,7 @@ RUN mkdir -p /etc/apt/keyrings \
   && apt-get update \
   && apt-get upgrade -y \
   && apt-get -y --no-install-recommends --only-upgrade install openssl openssh-server \
-  && apt-get -y --no-install-recommends install rsync "/tmp/dokku-$(dpkg --print-architecture).deb" \
+  && DOKKU_INIT_SYSTEM=sv apt-get -y --no-install-recommends install rsync "/tmp/dokku-$(dpkg --print-architecture).deb" \
   && apt-get purge -y syslog-ng-core \
   && apt-get autoremove -y \
   && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

diff --git a/contrib/build-docs b/contrib/build-docs
@@ -125,7 +125,7 @@ main() {
 
   echo "====> Rebuild versions"
   if [[ -f "tmp/docs-build/versions.json" ]]; then
-    python contrib/sort-mkdocs-versions
+    python3 contrib/sort-mkdocs-versions
   else
     echo "      No version file exists"
   fi

diff --git a/contrib/release-dokku b/contrib/release-dokku
@@ -232,7 +232,7 @@ fn-repo-update() {
   if [[ "$RELEASE" == 'patch' ]]; then
     fn-replace-version "$CURRENT_VERSION" "$NEXT_VERSION" docs/assets/versions.json
   else
-    versions=$(python -c 'import json,sys;d=json.load(sys.stdin);d["max-versions"].append("'"${NEXT_VERSION}"'"); print(json.dumps(d, indent=2, sort_keys=True))' <docs/assets/versions.json)
+    versions=$(python3 -c 'import json,sys;d=json.load(sys.stdin);d["max-versions"].append("'"${NEXT_VERSION}"'"); print(json.dumps(d, indent=2, sort_keys=True))' <docs/assets/versions.json)
     echo "$versions" >docs/assets/versions.json
     git add docs/assets/versions.json
   fi

diff --git a/debian/control b/debian/control
@@ -3,9 +3,9 @@ Version: 0.34.9
 Section: web
 Priority: optional
 Architecture: amd64
-Depends: apache2-utils, locales, git, cpio, cron, curl, man-db, netcat, sshcommand, docker-engine-cs (>= 19.03.0) | docker-engine (>= 19.03.0) | docker-io (>= 19.03.0) | docker.io (>= 19.03.0) | docker-ce (>= 19.03.0) | docker-ee (>= 19.03.0) | moby-engine, docker-compose-plugin | moby-compose, docker-buildx-plugin | moby-buildx, docker-container-healthchecker, docker-image-labeler, lambda-builder, net-tools, netrc, parallel, procfile-util, rsync, rsyslog, dos2unix, jq, unzip, util-linux
+Depends: apache2-utils, locales, git, cpio, cron, curl, man-db, netcat, sshcommand, docker-engine-cs (>= 19.03.0) | docker-engine (>= 19.03.0) | docker-io (>= 19.03.0) | docker.io (>= 19.03.0) | docker-ce (>= 19.03.0) | docker-ee (>= 19.03.0) | moby-engine, docker-compose-plugin | moby-compose, docker-buildx-plugin | moby-buildx, docker-container-healthchecker, docker-image-labeler, lambda-builder, net-tools, netrc, parallel, procfile-util, rsync, dos2unix, jq, unzip, util-linux
 Recommends: herokuish, bash-completion, dokku-update, dokku-event-listener
-Pre-Depends: gliderlabs-sigil, nginx (>= 1.8.0) | openresty, bind9-dnsutils, cgroupfs-mount | cgroup-lite, plugn, sudo, python3, debconf
+Pre-Depends: gliderlabs-sigil, nginx (>= 1.8.0) | openresty, bind9-dnsutils, cgroupfs-mount | cgroup-lite, debconf, plugn, sudo, python3, rsyslog
 Maintainer: Jose Diaz-Gonzalez <dokku@josediazgonzalez.com>
 Description: Docker-powered PaaS that helps build and manage the lifecycle of applications
  Dokku is an extensible, open source Platform as a Service

diff --git a/docker/etc/my_init.d/10_dokku_init b/docker/etc/my_init.d/10_dokku_init
@@ -20,7 +20,11 @@ log-warn() {
 support-userns() {
   chown 0:0 /usr/bin/sudo
   chmod 4755 /usr/bin/sudo
-  chown 0:0 /usr/lib/sudo/sudoers.so
+  if [[ -f /usr/lib/sudo/sudoers.so ]]; then
+    chown 0:0 /usr/lib/sudo/sudoers.so
+  elif [[ -f /usr/libexec/sudo/sudoers.so ]]; then
+    chown 0:0 /usr/libexec/sudo/sudoers.so
+  fi
   chown -R 0:0 /etc/sudoers
   chown -R 0:0 /etc/sudoers.d
   chown -R 0:0 /run/sshd
@@ -54,6 +58,17 @@ main() {
     fi
   done
 
+  touch /etc/default/dokku
+  echo "export DOKKU_INIT_SYSTEM=sv" >>/etc/default/dokku
+  if [[ -x /usr/local/bin/docker ]]; then
+    echo "export DOCKER_BIN=/usr/local/bin/docker" >>/etc/default/dokku
+  fi
+
+  if [[ -n "$DOKKU_HOST_ROOT" ]]; then
+    echo "export DOKKU_HOST_ROOT=$DOKKU_HOST_ROOT" >>/etc/default/dokku
+    chown dokku:dokku /etc/default/dokku
+  fi
+
   if [[ -f /mnt/dokku/plugin-list ]]; then
     while read line; do
       local plugin_name="$(echo "$line" | awk -F: '{print $1}')"
@@ -65,23 +80,15 @@ main() {
     done </mnt/dokku/plugin-list
   fi
 
+  # run core install triggers to force create any folders that may be missing
+  dokku plugin:install --core
+
   if [[ -n "$DOKKU_HOSTNAME" ]]; then
     echo "dokku dokku/hostname string $DOKKU_HOSTNAME" | debconf-set-selections
     echo "dokku dokku/vhost_enable boolean true" | debconf-set-selections
     dokku --quiet domains:set-global "$DOKKU_HOSTNAME"
   fi
 
-  if [[ -x /usr/local/bin/docker ]]; then
-    mkdir -p /home/dokku/.dokkurc
-    echo "export DOCKER_BIN=/usr/local/bin/docker" >"/home/dokku/.dokkurc/DOCKER_BIN"
-  fi
-
-  if [[ -n "$DOKKU_HOST_ROOT" ]]; then
-    touch /etc/default/dokku
-    echo "export DOKKU_HOST_ROOT=$DOKKU_HOST_ROOT" >>/etc/default/dokku
-    chown dokku:dokku /etc/default/dokku
-  fi
-
   NGINX_ROOT="/etc/nginx"
   if [[ -x /usr/bin/openresty ]]; then
     NGINX_ROOT="/usr/local/openresty/nginx/conf"

diff --git a/docker/etc/ssh/sshd_config b/docker/etc/ssh/sshd_config
@@ -0,0 +1,133 @@
+#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+UseDNS no
+
+Port 22 
+Port 22333
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh_host_rsa_key
+#HostKey /etc/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile     .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here! Also,
+# remember to set the UsePAM setting to 'no'.
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# SACL options
+# The default for the SACLSupport option is now "no", as this option has been
+# depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
+#SACLSupport no
+
+# Change to no to disable s/key passwords
+# Disabled for passenger-docker. We only allow key authentication.
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# Also, PAM will deny null passwords by default.  If you need to allow
+# null passwords, add the "     nullok" option to the end of the
+# securityserver.so line in /etc/pam.d/sshd.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       ForceCommand cvs server
diff --git a/docs/_build/entrypoint b/docs/_build/entrypoint
@@ -3,7 +3,7 @@ set -eo pipefail
 
 write-mkdocs() {
   if [[ -f /usr/src/source/contrib/write-mkdocs ]]; then
-    if ! python /usr/src/source/contrib/write-mkdocs; then
+    if ! python3 /usr/src/source/contrib/write-mkdocs; then
       exit 0
     fi
   fi

diff --git a/docs/networking/port-management.md b/docs/networking/port-management.md
@@ -163,7 +163,7 @@ For example, if the Dokku installation is configured with the domain `dokku.me`
 ```
 FROM ubuntu:24.04
 EXPOSE 1234
-CMD python -m SimpleHTTPServer 1234
+CMD python3 -m SimpleHTTPServer 1234
 ```
 
 The application would be exposed to the user at `node-js-app.dokku.me:1234`. If this is not desired, the following application configuration may be applied:

diff --git a/plugins/20_events/install b/plugins/20_events/install
@@ -72,8 +72,39 @@ EOF
     flag_rsyslog_needs_restart=y
   fi
 
-  if [[ -f "$DOKKU_RSYSLOG_FILTER" && "$flag_rsyslog_needs_restart" == "y" ]]; then
-    service rsyslog restart
+  local systemctl_path=/bin/systemctl
+  if [[ -x /usr/bin/systemctl ]]; then
+    systemctl_path=/usr/bin/systemctl
+  fi
+
+  if [[ -f "$DOKKU_RSYSLOG_FILTER" ]] && [[ "$flag_rsyslog_needs_restart" == "y" ]]; then
+    case "$DOKKU_DISTRO" in
+      debian | raspbian)
+        if [[ -x "$systemctl_path" ]]; then
+          systemctl restart rsyslog
+        else
+          /usr/sbin/invoke-rc.d rsyslog restart
+        fi
+        ;;
+      ubuntu)
+        if [[ "$DOKKU_INIT_SYSTEM" == "sv" ]]; then
+          # avoid failing runit init calls on install
+          # the runit binaries are not yet available during dockerfile building
+          true
+        elif [[ -x "$systemctl_path" ]]; then
+          systemctl restart rsyslog
+        elif [[ -x /usr/bin/sv ]]; then
+          # avoid failing runit init calls on install
+          # the runit binaries are not yet available during dockerfile building
+          true
+        else
+          invoke-rc.d rsyslog restart
+        fi
+        ;;
+      arch)
+        systemctl restart rsyslog
+        ;;
+    esac
   fi
 
   [[ ! "$DOKKU_EVENTS" ]] || dokku_log_plugn_trigger_call "$(basename "$0")" "$@"

diff --git a/plugins/docker-options/docker-args-deploy b/plugins/docker-options/docker-args-deploy
@@ -39,7 +39,7 @@ trigger-docker-options-docker-args() {
           ;;
 
         --restart*)
-          if [[ "$PHASE" == "deploy" ]]; then
+          if [[ "$PHASE" == "DEPLOY" ]]; then
             local output="$output $line"
           fi
           continue

diff --git a/plugins/nginx-vhosts/install b/plugins/nginx-vhosts/install
@@ -82,7 +82,9 @@ trigger-nginx-vhosts-install() {
       ;;
 
     ubuntu)
-      if [[ -x "$systemctl_path" ]]; then
+      if [[ "$DOKKU_INIT_SYSTEM" == "sv" ]]; then
+        echo "%dokku ALL=(ALL) NOPASSWD:/usr/bin/sv enable $NGINX_INIT_NAME, /usr/bin/sv disable $NGINX_INIT_NAME, /usr/bin/sv reload $NGINX_INIT_NAME, /usr/bin/sv start $NGINX_INIT_NAME, /usr/bin/sv stop $NGINX_INIT_NAME, $NGINX_BIN -t, $NGINX_BIN -t -c *" >"$NGINX_SUDOERS_FILE"
+      elif [[ -x "$systemctl_path" ]]; then
         echo "%dokku ALL=(ALL) NOPASSWD:$systemctl_path enable $NGINX_INIT_NAME, $systemctl_path disable $NGINX_INIT_NAME, $systemctl_path reload $NGINX_INIT_NAME, $systemctl_path start $NGINX_INIT_NAME, $systemctl_path stop $NGINX_INIT_NAME, $NGINX_BIN -t, $NGINX_BIN -t -c *" >"$NGINX_SUDOERS_FILE"
       elif [[ -x /usr/bin/sv ]]; then
         echo "%dokku ALL=(ALL) NOPASSWD:/usr/bin/sv enable $NGINX_INIT_NAME, /usr/bin/sv disable $NGINX_INIT_NAME, /usr/bin/sv reload $NGINX_INIT_NAME, /usr/bin/sv start $NGINX_INIT_NAME, /usr/bin/sv stop $NGINX_INIT_NAME, $NGINX_BIN -t, $NGINX_BIN -t -c *" >"$NGINX_SUDOERS_FILE"

diff --git a/plugins/nginx-vhosts/internal-functions b/plugins/nginx-vhosts/internal-functions
@@ -549,7 +549,9 @@ fn-nginx-vhosts-nginx-init-cmd() {
 
     ubuntu)
       # support docker-based installations
-      if [[ -x "$systemctl_path" ]]; then
+      if [[ "$DOKKU_INIT_SYSTEM" == "sv" ]]; then
+        sudo /usr/bin/sv "$CMD" "$NGINX_INIT_NAME"
+      elif [[ -x "$systemctl_path" ]]; then
         sudo "$systemctl_path" "$CMD" "$NGINX_INIT_NAME"
       elif [[ -x /usr/bin/sv ]]; then
         sudo /usr/bin/sv "$CMD" "$NGINX_INIT_NAME"

diff --git a/tests/apps/checks-root/.node-version b/tests/apps/checks-root/.node-version
@@ -0,0 +1 @@
+20.17.0
diff --git a/tests/apps/checks-root/index.js b/tests/apps/checks-root/index.js
@@ -1,5 +1,5 @@
-var express = require('express');
-var app = express();
+const express = require('express');
+const app = express();
 
 app.get('/', function(req, res) {
   res.sendStatus(404);