From de0489fa0526ad53073368c3299294fd49ea8c5c Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 12:56:57 -0500 Subject: [PATCH 01/18] workflow: Always test chart install with latest image. --- .github/workflows/dockerfile.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/dockerfile.yaml b/.github/workflows/dockerfile.yaml index df2d02c96a..60aa7aa0b3 100644 --- a/.github/workflows/dockerfile.yaml +++ b/.github/workflows/dockerfile.yaml @@ -105,11 +105,9 @@ jobs: --lint-conf lintconf.yaml - name: Create kind cluster - if: steps.list-changed.outputs.changed == 'true' uses: helm/kind-action@v1 - name: Log in to GHCR - if: steps.list-changed.outputs.changed == 'true' uses: docker/login-action@v3 with: registry: ghcr.io @@ -117,23 +115,21 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Load image into kind - if: steps.list-changed.outputs.changed == 'true' run: | docker pull ghcr.io/${{ github.repository }}:pr-${{ github.event.pull_request.number }} kind load docker-image ghcr.io/${{ github.repository }}:pr-${{ github.event.pull_request.number }} --name chart-testing - name: Run chart-testing (install) id: chart-testing-install - if: steps.list-changed.outputs.changed == 'true' run: | ct install --github-groups \ --chart-dirs kubernetes/chart \ - --target-branch ${{ github.event.repository.default_branch }} \ + --all \ --helm-extra-set-args "--set image.tag=pr-${{ github.event.pull_request.number }}" \ --skip-clean-up - name: Fetch logs - if: steps.list-changed.outputs.changed == 'true' && ( success() || failure() ) + if: success() || failure() continue-on-error: true run: | namespace=$(helm list --all-namespaces --output json \ From 580db9b3686462fa1e1a231f7c62263ca2537422 Mon Sep 17 00:00:00 2001 
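Review bot: The `Create kind cluster` and `Log in to GHCR` steps reference `helm/kind-action@v1` and `docker/login-action@v3` by mutable tag, and with the `if:` guards removed they now execute on every run of this job, the second one with `secrets.GITHUB_TOKEN` as the registry password. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@FULL_COMMIT_SHA_PLACEHOLDER # v3`, keeps a retagged release from changing what runs next to that token. The workflow's trigger and `permissions:` block are outside this hunk. The steps shown only pull the image, so it is worth confirming the token is limited to `packages: read` for this job.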
From: Alex Vandiver Date: Wed, 12 Nov 2025 15:25:42 -0500 Subject: [PATCH 02/18] Dockerfile: Remove CUSTOM_CA_CERTIFICATES. This was removed from Zulip Server itself in zulip/zulip@72f5df2e09c31679f949b4e1d1b0cdd23123f48b. --- Dockerfile | 4 ---- docker-compose.yml | 2 -- 2 files changed, 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8b6bdb5fde..65cb53ef40 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,8 +34,6 @@ RUN git clone "$ZULIP_GIT_URL" -b "$ZULIP_GIT_REF" WORKDIR /home/zulip/zulip -ARG CUSTOM_CA_CERTIFICATES - # Finally, we provision the development environment and build a release tarball RUN SKIP_VENV_SHELL_WARNING=1 ./tools/provision --build-release-tarball-only && \ uv run --no-sync ./tools/build-release-tarball docker && \ @@ -51,8 +49,6 @@ ENV DATA_DIR="/data" COPY --from=build /tmp/zulip-server-docker.tar.gz /root/ COPY custom_zulip_files/ /root/custom_zulip -ARG CUSTOM_CA_CERTIFICATES - WORKDIR /root RUN \ # Make sure Nginx is started by Supervisor. diff --git a/docker-compose.yml b/docker-compose.yml index 164beb95cf..a652aad46a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -56,8 +56,6 @@ services: ## Change these if you want to build zulip from a different repo/branch ZULIP_GIT_URL: https://github.com/zulip/zulip.git ZULIP_GIT_REF: "11.4" - ## Set this up if you plan to use your own CA certificate bundle for building - # CUSTOM_CA_CERTIFICATES: ports: - "25:25" - "80:80" From 0cbd1d0111e9046b484f5299e4555bc803e585dc Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 20:55:31 -0500 Subject: [PATCH 03/18] entrypoint: Typo fix. --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index dcb3446220..5aaf44f16d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -410,7 +410,7 @@ zulipFirstStartInit() { su zulip -c /home/zulip/deployments/current/scripts/setup/initialize-database RETURN_CODE=$? if [[ $RETURN_CODE != 0 ]]; then - echo "Zulip first start database initi failed in \"initialize-database\" exit code $RETURN_CODE. Exiting." + echo "Zulip first start database init failed in \"initialize-database\" exit code $RETURN_CODE. Exiting." exit $RETURN_CODE fi set -e From 9e75602701c522b14c7b8897cfe330a60dd512fe Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 20:57:04 -0500 Subject: [PATCH 04/18] entrypoint: Remove stray close paren. This was left over in a refactoring in 33edaf380b75, and resulted in every backup directory having a close paren at the end of it. --- entrypoint.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 5aaf44f16d..ad9a3d3b3c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -535,8 +535,7 @@ appBackup() { echo "Backup process failed. Exiting." exit 1 fi - local BACKUP_FOLDER - BACKUP_FOLDER="/tmp/backup-$TIMESTAMP)" + local BACKUP_FOLDER="/tmp/backup-$TIMESTAMP" mkdir -p "$BACKUP_FOLDER" waitingForDatabase pg_dump -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" "$DB_NAME" >"$BACKUP_FOLDER/database-postgres.sql" From 282aa2131d83d03e9f37d2de5881e5b3315b3eae Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 21:01:39 -0500 Subject: [PATCH 05/18] entrypoint: Fix defaulting in SSL_CERTIFICATE_GENERATION. --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index ad9a3d3b3c..c5d5a5a27f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
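Review bot: In `appBackup`, `BACKUP_FOLDER="/tmp/backup-$TIMESTAMP"` followed by `mkdir -p` gives the database dump a predictable path under `/tmp`, and `mkdir -p` succeeds silently if that path already exists, so the `pg_dump` output can land in a directory this run did not create, with whatever permissions it already has. Creating it with `mktemp -d` yields a fresh directory readable only by its owner: `local BACKUP_FOLDER` then `BACKUP_FOLDER="$(mktemp -d "/tmp/backup-$TIMESTAMP.XXXXXX")"`, replacing the `mkdir -p` line. The declaration stays separate from the assignment there so that a `mktemp` failure is not masked by `local`. `appBackup` starts and ends outside this hunk, so how `TIMESTAMP` is set and how the folder is archived afterwards should be checked against that change.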
@@ -32,7 +32,7 @@ NGINX_PROXY_BUFFERING="${NGINX_PROXY_BUFFERING:-off}" NGINX_MAX_UPLOAD_SIZE="${NGINX_MAX_UPLOAD_SIZE:-80m}" TRUST_GATEWAY_IP="${TRUST_GATEWAY_IP:-False}" # Zulip certificate parameters -SSL_CERTIFICATE_GENERATION="${SSL_CERTIFICATE_GENERATION:self-signed}" +SSL_CERTIFICATE_GENERATION="${SSL_CERTIFICATE_GENERATION:-self-signed}" # Zulip related settings ZULIP_AUTH_BACKENDS="${ZULIP_AUTH_BACKENDS:-EmailAuthBackend}" ZULIP_RUN_POST_SETUP_SCRIPTS="${ZULIP_RUN_POST_SETUP_SCRIPTS:-True}" From 869a5436fcbab6c0eb75888471936f9020dec985 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 21:03:10 -0500 Subject: [PATCH 06/18] entrypoint: Consistently use local. Sadly, shellcheck cannot enforce this. --- entrypoint.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index c5d5a5a27f..875e15e932 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -47,6 +47,7 @@ MANUAL_CONFIGURATION="${MANUAL_CONFIGURATION:-false}" LINK_SETTINGS_TO_DATA="${LINK_SETTINGS_TO_DATA:-false}" # entrypoint.sh specific variable(s) SETTINGS_PY="/etc/zulip/settings.py" +GENERATE_CERTBOT_CERT_SCHEDULED="" # BEGIN appRun functions # === initialConfiguration === @@ -143,6 +144,7 @@ puppetConfiguration() { fi if [ "$TRUST_GATEWAY_IP" == "True" ] || [ "$TRUST_GATEWAY_IP" == "true" ]; then + local GATEWAY_IP GATEWAY_IP=$(ip route | grep default | awk '{print $3}') echo "Trusting local network gateway $GATEWAY_IP" LOADBALANCER_IPS="${LOADBALANCER_IPS:+$LOADBALANCER_IPS,}$GATEWAY_IP" @@ -174,6 +176,8 @@ puppetConfiguration() { /home/zulip/deployments/current/scripts/zulip-puppet-apply -f } configureCerts() { + local GENERATE_SELF_SIGNED_CERT + local GENERATE_CERTBOT_CERT case "$SSL_CERTIFICATE_GENERATION" in self-signed) GENERATE_SELF_SIGNED_CERT="True" 
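Review bot: In the `TRUST_GATEWAY_IP` branch of `puppetConfiguration`, the value captured into the newly local `GATEWAY_IP` is appended to `LOADBALANCER_IPS` without checking that the pipeline returned exactly one address. The pipeline's status is that of `awk`, so a failing `ip route` or a missing default route gives an empty string, and several default routes give several lines; either way the list that, judging by the log message, marks trusted proxies is built from unvalidated output. A guard right after the assignment, such as `[[ "$GATEWAY_IP" =~ ^[0-9a-fA-F.:]+$ ]] || { echo "Could not determine gateway IP" >&2; exit 1; }`, would stop startup instead. The function continues outside this hunk, and no `pipefail` is visible in the lines shown.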
@@ -267,6 +271,7 @@ authenticationBackends() { local FIRST=true local auth_backends IFS=, read -r -a auth_backends <<<"$ZULIP_AUTH_BACKENDS" + local AUTH_BACKEND for AUTH_BACKEND in "${auth_backends[@]}"; do if [ "$FIRST" = true ]; then setConfigurationValue "AUTHENTICATION_BACKENDS" "('zproject.backends.${AUTH_BACKEND//\'/\'}',)" "$SETTINGS_PY" "array" @@ -357,11 +362,11 @@ initialConfiguration() { zulipConfiguration else # Check that the configuration will work - root_path="/etc/zulip" + local root_path="/etc/zulip" if [ "$LINK_SETTINGS_TO_DATA" = "True" ] || [ "$LINK_SETTINGS_TO_DATA" = "true" ]; then root_path="/data/settings/etc-zulip" fi - failure=0 + local failure=0 for conf_file in zulip.conf zulip-secrets.conf settings.py; do if [ ! -f "/etc/zulip/$conf_file" ]; then echo "ERROR: $root_path/$conf_file does not exist!" @@ -420,8 +425,9 @@ zulipFirstStartInit() { zulipMigration() { echo "Running new database migrations..." set +e + local RETURN_CODE=0 su zulip -c "/home/zulip/deployments/current/manage.py migrate --noinput" - local RETURN_CODE=$? + RETURN_CODE=$? if [[ $RETURN_CODE != 0 ]]; then echo "Zulip migration failed with exit code $RETURN_CODE. Exiting." exit $RETURN_CODE @@ -516,7 +522,7 @@ appInit() { bootstrappingEnvironment } appManagePy() { - COMMAND="$1" + local COMMAND="$1" shift 1 if [ -z "$COMMAND" ]; then echo "No command given for manage.py. Defaulting to \"shell\"." From c1252ea18ec5e5d76fb03b4fc88832406ab0a032 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 11:59:33 -0500 Subject: [PATCH 07/18] entrypoint: Skip SETTING_RATE_LIMITING=True, which is the default. --- entrypoint.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 875e15e932..c7a3fc0f93 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
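Review bot: The loop variable in `for conf_file in zulip.conf zulip-secrets.conf settings.py` inside `initialConfiguration` is still assigned as a global, while `root_path` and `failure` on the neighbouring lines were made local by this commit. Adding `local conf_file` before the loop finishes the clean-up the commit message describes. The test on the next line also checks `/etc/zulip/$conf_file` while the error message prints `$root_path/$conf_file`; if that is deliberate because `/etc/zulip` is a symlink when `LINK_SETTINGS_TO_DATA` is set, a one-line comment saying so would help.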
@@ -18,7 +18,6 @@ SETTING_RABBITMQ_HOST="${SETTING_RABBITMQ_HOST:-127.0.0.1}" SETTING_RABBITMQ_USER="${SETTING_RABBITMQ_USER:-zulip}" export RABBITMQ_NODE="$SETTING_RABBITMQ_HOST" # Redis -SETTING_RATE_LIMITING="${SETTING_RATE_LIMITING:-True}" SETTING_REDIS_HOST="${SETTING_REDIS_HOST:-127.0.0.1}" SETTING_REDIS_PORT="${SETTING_REDIS_PORT:-6379}" # Memcached From 93cce300b50be9312cc77b5b4768c875dddb3f28 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 12:08:45 -0500 Subject: [PATCH 08/18] entrypoint: Add a function to normalize True/False values. --- entrypoint.sh | 64 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index c7a3fc0f93..06ccf23bee 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -7,6 +7,30 @@ fi set -e shopt -s extglob +normalize_bool() { + # Returns either "True" or "False" + local varname="$1" + local raw_value="${!varname:-}" + local value="${raw_value,,}" # Convert to lowercase + local default="${2:-False}" + + case "$value" in + true | enable | enabled | yes | y | 1 | on) + echo "True" + ;; + false | disable | disabled | no | n | 0 | off) + echo "False" + ;; + "") + echo "$default" + ;; + *) + echo "WARNING: Invalid boolean ('$raw_value') for '$varname'; defaulting to $default" >&2 + echo "$default" + ;; + esac +} + # DB aka Database DB_HOST="${DB_HOST:-127.0.0.1}" DB_HOST_PORT="${DB_HOST_PORT:-5432}" 
@@ -25,25 +49,26 @@ if [ -z "$SETTING_MEMCACHED_LOCATION" ]; then SETTING_MEMCACHED_LOCATION="127.0.0.1:11211" fi # Nginx settings -DISABLE_HTTPS="${DISABLE_HTTPS:-false}" +DISABLE_HTTPS="$(normalize_bool DISABLE_HTTPS)" NGINX_WORKERS="${NGINX_WORKERS:-2}" NGINX_PROXY_BUFFERING="${NGINX_PROXY_BUFFERING:-off}" NGINX_MAX_UPLOAD_SIZE="${NGINX_MAX_UPLOAD_SIZE:-80m}" -TRUST_GATEWAY_IP="${TRUST_GATEWAY_IP:-False}" +TRUST_GATEWAY_IP="$(normalize_bool TRUST_GATEWAY_IP)" # Zulip certificate parameters SSL_CERTIFICATE_GENERATION="${SSL_CERTIFICATE_GENERATION:-self-signed}" # Zulip related settings ZULIP_AUTH_BACKENDS="${ZULIP_AUTH_BACKENDS:-EmailAuthBackend}" -ZULIP_RUN_POST_SETUP_SCRIPTS="${ZULIP_RUN_POST_SETUP_SCRIPTS:-True}" +ZULIP_RUN_POST_SETUP_SCRIPTS="$(normalize_bool ZULIP_RUN_POST_SETUP_SCRIPTS True)" +QUEUE_WORKERS_MULTIPROCESS="$(normalize_bool QUEUE_WORKERS_MULTIPROCESS)" # Zulip user setup -FORCE_FIRST_START_INIT="${FORCE_FIRST_START_INIT:-False}" +FORCE_FIRST_START_INIT="$(normalize_bool FORCE_FIRST_START_INIT)" # Auto backup settings -AUTO_BACKUP_ENABLED="${AUTO_BACKUP_ENABLED:-True}" +AUTO_BACKUP_ENABLED="$(normalize_bool AUTO_BACKUP_ENABLED True)" AUTO_BACKUP_INTERVAL="${AUTO_BACKUP_INTERVAL:-30 3 * * *}" # Zulip configuration function specific variable(s) -SPECIAL_SETTING_DETECTION_MODE="${SPECIAL_SETTING_DETECTION_MODE:-}" -MANUAL_CONFIGURATION="${MANUAL_CONFIGURATION:-false}" -LINK_SETTINGS_TO_DATA="${LINK_SETTINGS_TO_DATA:-false}" +SPECIAL_SETTING_DETECTION_MODE="$(normalize_bool SPECIAL_SETTING_DETECTION_MODE)" +MANUAL_CONFIGURATION="$(normalize_bool MANUAL_CONFIGURATION)" +LINK_SETTINGS_TO_DATA="$(normalize_bool LINK_SETTINGS_TO_DATA)" # entrypoint.sh specific variable(s) SETTINGS_PY="/etc/zulip/settings.py" GENERATE_CERTBOT_CERT_SCHEDULED="" 
@@ -58,7 +83,7 @@ prepareDirectories() { ln -sfT "$DATA_DIR/uploads" /home/zulip/uploads chown zulip:zulip -R "$DATA_DIR/uploads" # Link settings folder - if [ "$LINK_SETTINGS_TO_DATA" = "True" ] || [ "$LINK_SETTINGS_TO_DATA" = "true" ]; then + if [ "$LINK_SETTINGS_TO_DATA" = "True" ]; then # Create settings directories if [ ! -d "$DATA_DIR/settings" ]; then mkdir -p "$DATA_DIR/settings" @@ -130,19 +155,19 @@ nginxConfiguration() { puppetConfiguration() { echo "Executing puppet configuration ..." - if [ "$DISABLE_HTTPS" == "True" ] || [ "$DISABLE_HTTPS" == "true" ]; then + if [ "$DISABLE_HTTPS" == "True" ]; then echo "Disabling https in nginx." crudini --set /etc/zulip/zulip.conf application_server http_only true fi - if [ "$QUEUE_WORKERS_MULTIPROCESS" == "True" ] || [ "$QUEUE_WORKERS_MULTIPROCESS" == "true" ]; then + if [ "$QUEUE_WORKERS_MULTIPROCESS" == "True" ]; then echo "Setting queue workers to run in multiprocess mode ..." crudini --set /etc/zulip/zulip.conf application_server queue_workers_multiprocess true - elif [ "$QUEUE_WORKERS_MULTIPROCESS" == "False" ] || [ "$QUEUE_WORKERS_MULTIPROCESS" == "false" ]; then + else echo "Setting queue workers to run in multithreaded mode ..." crudini --set /etc/zulip/zulip.conf application_server queue_workers_multiprocess false fi - if [ "$TRUST_GATEWAY_IP" == "True" ] || [ "$TRUST_GATEWAY_IP" == "true" ]; then + if [ "$TRUST_GATEWAY_IP" == "True" ]; then local GATEWAY_IP GATEWAY_IP=$(ip route | grep default | awk '{print $3}') echo "Trusting local network gateway $GATEWAY_IP" @@ -320,8 +345,7 @@ zulipConfiguration() { || [ "$setting_key" = "ALLOWED_HOSTS" ]; then type="array" fi - if [ "$SPECIAL_SETTING_DETECTION_MODE" = "True" ] || [ "$SPECIAL_SETTING_DETECTION_MODE" = "true" ] \ - || [ "$type" = "string" ]; then + if [ "$SPECIAL_SETTING_DETECTION_MODE" = "True" ] || [ "$type" = "string" ]; then type="" fi if [ "$setting_key" = "EMAIL_HOST_USER" ] \ 
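Review bot: Turning the `elif [ "$QUEUE_WORKERS_MULTIPROCESS" == "False" ] ...` arm in `puppetConfiguration` into a bare `else` changes what happens when the variable is unset. Previously neither branch ran and `zulip.conf` was left alone; now `normalize_bool` yields `False` and `queue_workers_multiprocess false` is always written. If the server's own default is meant to apply when the operator sets nothing, keep the unset case separate, for example by testing `[ -n "${QUEUE_WORKERS_MULTIPROCESS:-}" ]` before normalising. If forcing `false` is intended, the commit message or a comment above the branch should say so, since it is a behaviour change beyond normalisation.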
@@ -338,7 +362,7 @@ zulipConfiguration() { echo "Zulip configuration succeeded." } autoBackupConfiguration() { - if [ "$AUTO_BACKUP_ENABLED" != "True" ] && [ "$AUTO_BACKUP_ENABLED" != "true" ]; then + if [ "$AUTO_BACKUP_ENABLED" != "True" ]; then rm -f /etc/cron.d/autobackup echo "Auto backup is disabled. Continuing." return 0 @@ -352,7 +376,7 @@ initialConfiguration() { puppetConfiguration nginxConfiguration configureCerts - if [ "$MANUAL_CONFIGURATION" = "False" ] || [ "$MANUAL_CONFIGURATION" = "false" ]; then + if [ "$MANUAL_CONFIGURATION" = "False" ]; then # Start with the settings template file. cp -a /home/zulip/deployments/current/zproject/prod_settings_template.py "$SETTINGS_PY" databaseConfiguration @@ -362,7 +386,7 @@ initialConfiguration() { else # Check that the configuration will work local root_path="/etc/zulip" - if [ "$LINK_SETTINGS_TO_DATA" = "True" ] || [ "$LINK_SETTINGS_TO_DATA" = "true" ]; then + if [ "$LINK_SETTINGS_TO_DATA" = "True" ]; then root_path="/data/settings/etc-zulip" fi local failure=0 @@ -405,7 +429,7 @@ waitingForDatabase() { } zulipFirstStartInit() { echo "Executing Zulip first start init ..." - if [ -e "$DATA_DIR/.initiated" ] && [ "$FORCE_FIRST_START_INIT" != "True" ] && [ "$FORCE_FIRST_START_INIT" != "true" ]; then + if [ -e "$DATA_DIR/.initiated" ] && [ "$FORCE_FIRST_START_INIT" != "True" ]; then echo "First Start Init not needed. Continuing." return 0 fi @@ -438,7 +462,7 @@ zulipMigration() { } runPostSetupScripts() { echo "Post setup scripts execution ..." - if [ "$ZULIP_RUN_POST_SETUP_SCRIPTS" != "True" ] && [ "$ZULIP_RUN_POST_SETUP_SCRIPTS" != "true" ]; then + if [ "$ZULIP_RUN_POST_SETUP_SCRIPTS" != "True" ]; then echo "Not running post setup scripts. ZULIP_RUN_POST_SETUP_SCRIPTS isn't true." return 0 fi From f8c965cdc3b5b9cb33f7cb08fb2b3b1902eb3a41 Mon Sep 17 00:00:00 2001 
From: Alex Vandiver Date: Wed, 12 Nov 2025 12:21:30 -0500 Subject: [PATCH 09/18] entrypoint: File for setConfigurationValue is only ever $SETTINGS_PY. --- entrypoint.sh | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 06ccf23bee..8db2b0a14b 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -102,14 +102,9 @@ setConfigurationValue() { echo "No KEY given for setConfigurationValue." return 1 fi - if [ -z "$3" ]; then - echo "No FILE given for setConfigurationValue." - return 1 - fi local KEY="$1" local VALUE - local FILE="$3" - local TYPE="$4" + local TYPE="$3" if [ -z "$TYPE" ]; then case "$2" in [Tt][Rr][Uu][Ee] | [Ff][Aa][Ll][Ss][Ee] | [Nn]one) @@ -142,8 +137,8 @@ setConfigurationValue() { VALUE="$KEY = '${2//\'/\'}'" ;; esac - echo "$VALUE" >>"$FILE" - echo "Setting key \"$KEY\", type \"$TYPE\" in file \"$FILE\"." + echo "$VALUE" >>"$SETTINGS_PY" + echo "Setting key \"$KEY\", type \"$TYPE\"." } nginxConfiguration() { echo "Executing nginx configuration ..." @@ -284,9 +279,9 @@ secretsConfiguration() { } databaseConfiguration() { echo "Setting database configuration ..." - setConfigurationValue "REMOTE_POSTGRES_HOST" "$DB_HOST" "$SETTINGS_PY" "string" - setConfigurationValue "REMOTE_POSTGRES_PORT" "$DB_HOST_PORT" "$SETTINGS_PY" "string" - setConfigurationValue "REMOTE_POSTGRES_SSLMODE" "$REMOTE_POSTGRES_SSLMODE" "$SETTINGS_PY" "string" + setConfigurationValue "REMOTE_POSTGRES_HOST" "$DB_HOST" "string" + setConfigurationValue "REMOTE_POSTGRES_PORT" "$DB_HOST_PORT" "string" + setConfigurationValue "REMOTE_POSTGRES_SSLMODE" "$REMOTE_POSTGRES_SSLMODE" "string" # The password will be set in secretsConfiguration echo "Database configuration succeeded." } 
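Review bot: `setConfigurationValue` now always appends to `$SETTINGS_PY`, and the last `case` arm visible in this hunk builds Python source as `'${2//\'/\'}'`, which escapes single quotes but leaves backslashes and newlines from the environment value untouched. A value that contains either one changes the structure of the generated `settings.py` line rather than just its contents. Escaping backslashes before quotes, `local escaped="${2//\\/\\\\}"` and then `VALUE="$KEY = '${escaped//\'/\'}'"`, and rejecting values that contain a newline, closes that gap. The same interpolation is used for `AUTH_BACKEND` in the `authenticationBackends` hunk of this commit, where restricting each name to `[A-Za-z0-9_]` would be simpler. The function's `case` starts outside the hunk, so the other type arms were not reviewed.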
@@ -298,10 +293,10 @@ authenticationBackends() { local AUTH_BACKEND for AUTH_BACKEND in "${auth_backends[@]}"; do if [ "$FIRST" = true ]; then - setConfigurationValue "AUTHENTICATION_BACKENDS" "('zproject.backends.${AUTH_BACKEND//\'/\'}',)" "$SETTINGS_PY" "array" + setConfigurationValue "AUTHENTICATION_BACKENDS" "('zproject.backends.${AUTH_BACKEND//\'/\'}',)" "array" FIRST=false else - setConfigurationValue "AUTHENTICATION_BACKENDS += ('zproject.backends.${AUTH_BACKEND//\'/\'}',)" "" "$SETTINGS_PY" "literal" + setConfigurationValue "AUTHENTICATION_BACKENDS += ('zproject.backends.${AUTH_BACKEND//\'/\'}',)" "" "literal" fi echo "Adding authentication backend \"$AUTH_BACKEND\"." done @@ -353,7 +348,7 @@ zulipConfiguration() { || [ "$setting_key" = "EXTERNAL_HOST" ]; then type="string" fi - setConfigurationValue "$setting_key" "$setting_var" "$SETTINGS_PY" "$type" + setConfigurationValue "$setting_key" "$setting_var" "$type" done if ! su zulip -c "/home/zulip/deployments/current/manage.py checkconfig"; then echo "Error in the Zulip configuration. Exiting." From ab39e18ae85a9972901d9fd3a47603f69ddf39ea Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 12:27:24 -0500 Subject: [PATCH 10/18] entrypoint: Remove confusing SPECIAL_SETTING_DETECTION_MODE. Defaulting to "False", this had the effect, if "True", of undoing the special-setting detection for the hard-coded list of setting names, and attempting to guess based only on the value. The name is at odds with the behaviour, and the behaviour seems unlikely to have been wanted. --- entrypoint.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 8db2b0a14b..0f54554bee 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -66,7 +66,6 @@ FORCE_FIRST_START_INIT="$(normalize_bool FORCE_FIRST_START_INIT)" AUTO_BACKUP_ENABLED="$(normalize_bool AUTO_BACKUP_ENABLED True)" AUTO_BACKUP_INTERVAL="${AUTO_BACKUP_INTERVAL:-30 3 * * *}" # Zulip configuration function specific variable(s) -SPECIAL_SETTING_DETECTION_MODE="$(normalize_bool SPECIAL_SETTING_DETECTION_MODE)" MANUAL_CONFIGURATION="$(normalize_bool MANUAL_CONFIGURATION)" LINK_SETTINGS_TO_DATA="$(normalize_bool LINK_SETTINGS_TO_DATA)" # entrypoint.sh specific variable(s) @@ -312,7 +311,7 @@ zulipConfiguration() { [[ "$key" == SETTING_*([0-9A-Za-z_]) ]] || continue local setting_key="${key#SETTING_}" local setting_var="${!key}" - local type="string" + local type="" if [ -z "$setting_var" ]; then echo "Empty var for key \"$setting_key\"." continue @@ -340,9 +339,6 @@ zulipConfiguration() { || [ "$setting_key" = "ALLOWED_HOSTS" ]; then type="array" fi - if [ "$SPECIAL_SETTING_DETECTION_MODE" = "True" ] || [ "$type" = "string" ]; then - type="" - fi if [ "$setting_key" = "EMAIL_HOST_USER" ] \ || [ "$setting_key" = "EMAIL_HOST_PASSWORD" ] \ || [ "$setting_key" = "EXTERNAL_HOST" ]; then From 09323a9321fd86a789b4eb13753122ba72b40a82 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 21:21:38 -0500 Subject: [PATCH 11/18] entrypoint: Remove now-unused migration sentinel. --- entrypoint.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0f54554bee..adcdc7f2bc 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -447,8 +447,6 @@ zulipMigration() { exit $RETURN_CODE fi set -e - rm -rf "$DATA_DIR/.zulip-*" - touch "$DATA_DIR/.zulip-$ZULIP_VERSION" echo "Database migrations completed." } runPostSetupScripts() { From 663506af30d0cf95b48e721b6804175b1978d2a9 Mon Sep 17 00:00:00 2001 
From: Alex Vandiver Date: Wed, 12 Nov 2025 21:24:50 -0500 Subject: [PATCH 12/18] entrypoint: Fix undeclared ZULIP_VERSION/ZULIP_CHECKSUM. The latter has no useful meaning anymore, and was removed in 149932e86336. --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index adcdc7f2bc..337d3de259 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -622,9 +622,9 @@ appHelp() { echo "> [COMMAND] - Run given command with arguments in shell" } appVersion() { - echo "This container contains:" - echo "> Zulip server $ZULIP_VERSION" - echo "> Checksum: $ZULIP_CHECKSUM" + local ZULIP_VERSION + ZULIP_VERSION="$(su zulip -c "cd ~/deployments/current && python3 -c 'import version; print(version.ZULIP_VERSION)'")" + echo "This container contains Zulip Server $ZULIP_VERSION" exit 0 } # END app functions From 8f5fd809bb136dc0459e1d399f7103a1fd4b4bc1 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 22:05:05 -0500 Subject: [PATCH 13/18] entrypoint: Remove unnecessary RABBITMQ_NODE setting. We do not call rabbitmqctl directly anymore. --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 337d3de259..2363790c87 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -40,7 +40,7 @@ REMOTE_POSTGRES_SSLMODE="${REMOTE_POSTGRES_SSLMODE:-prefer}" # RabbitMQ SETTING_RABBITMQ_HOST="${SETTING_RABBITMQ_HOST:-127.0.0.1}" SETTING_RABBITMQ_USER="${SETTING_RABBITMQ_USER:-zulip}" -export RABBITMQ_NODE="$SETTING_RABBITMQ_HOST" + # Redis SETTING_REDIS_HOST="${SETTING_REDIS_HOST:-127.0.0.1}" SETTING_REDIS_PORT="${SETTING_REDIS_PORT:-6379}" From 4bc85ffc63241f8ca2692abe267f4b53b5a4a3f6 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 22:05:53 -0500 Subject: [PATCH 14/18] entrypoint: Normal defaulting works fine for SETTING_MEMCACHED_LOCATION. --- entrypoint.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/entrypoint.sh b/entrypoint.sh index 2363790c87..b54fd8725c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -45,9 +45,7 @@ SETTING_RABBITMQ_USER="${SETTING_RABBITMQ_USER:-zulip}" SETTING_REDIS_HOST="${SETTING_REDIS_HOST:-127.0.0.1}" SETTING_REDIS_PORT="${SETTING_REDIS_PORT:-6379}" # Memcached -if [ -z "$SETTING_MEMCACHED_LOCATION" ]; then - SETTING_MEMCACHED_LOCATION="127.0.0.1:11211" -fi +SETTING_MEMCACHED_LOCATION="${SETTING_MEMCACHED_LOCATION:-127.0.0.1:11211}" # Nginx settings DISABLE_HTTPS="$(normalize_bool DISABLE_HTTPS)" NGINX_WORKERS="${NGINX_WORKERS:-2}" From 3d37017b517dd89d77fb23139a89a64dd3b162e3 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 22:06:43 -0500 Subject: [PATCH 15/18] entrypoint: Remove NGINX_PROXY_BUFFERING footgun. It is not clear why this was added in the first place, but all it can do is produce 502's. --- entrypoint.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index b54fd8725c..730bbec4f8 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -49,7 +49,6 @@ SETTING_MEMCACHED_LOCATION="${SETTING_MEMCACHED_LOCATION:-127.0.0.1:11211}" # Nginx settings DISABLE_HTTPS="$(normalize_bool DISABLE_HTTPS)" NGINX_WORKERS="${NGINX_WORKERS:-2}" -NGINX_PROXY_BUFFERING="${NGINX_PROXY_BUFFERING:-off}" NGINX_MAX_UPLOAD_SIZE="${NGINX_MAX_UPLOAD_SIZE:-80m}" TRUST_GATEWAY_IP="$(normalize_bool TRUST_GATEWAY_IP)" # Zulip certificate parameters @@ -141,7 +140,6 @@ nginxConfiguration() { echo "Executing nginx configuration ..." sed -i "s/worker_processes .*/worker_processes $NGINX_WORKERS;/g" /etc/nginx/nginx.conf sed -i "s/client_max_body_size .*/client_max_body_size $NGINX_MAX_UPLOAD_SIZE;/g" /etc/nginx/nginx.conf - sed -i "s/proxy_buffering .*/proxy_buffering $NGINX_PROXY_BUFFERING;/g" /etc/nginx/zulip-include/proxy_longpolling echo "Nginx configuration succeeded." } puppetConfiguration() { From fcceb1de928702282b75b7c256bfc854586efcd3 Mon Sep 17 00:00:00 2001 
From: Alex Vandiver Date: Wed, 12 Nov 2025 22:10:18 -0500 Subject: [PATCH 16/18] entrypoint: Remove unused emptyreturn case. The only use of this was removed in 4a5b885f2cf3. --- entrypoint.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 730bbec4f8..7224eee36e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -118,11 +118,6 @@ setConfigurationValue() { esac fi case "$TYPE" in - emptyreturn) - if [ -z "$2" ]; then - return 0 - fi - ;; literal) VALUE="$1" ;; From c0858697cba4bef039fe99db0b0857f849b60aee Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 22:21:13 -0500 Subject: [PATCH 17/18] entrypoint: Reorganize settings at top, make complete. --- entrypoint.sh | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 7224eee36e..71af9e54fb 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -31,12 +31,15 @@ normalize_bool() { esac } -# DB aka Database +## Settings + +# PostgreSQL DB_HOST="${DB_HOST:-127.0.0.1}" DB_HOST_PORT="${DB_HOST_PORT:-5432}" DB_NAME="${DB_NAME:-zulip}" DB_USER="${DB_USER:-zulip}" REMOTE_POSTGRES_SSLMODE="${REMOTE_POSTGRES_SSLMODE:-prefer}" + # RabbitMQ SETTING_RABBITMQ_HOST="${SETTING_RABBITMQ_HOST:-127.0.0.1}" SETTING_RABBITMQ_USER="${SETTING_RABBITMQ_USER:-zulip}" 
@@ -44,29 +47,41 @@ SETTING_RABBITMQ_USER="${SETTING_RABBITMQ_USER:-zulip}" # Redis SETTING_REDIS_HOST="${SETTING_REDIS_HOST:-127.0.0.1}" SETTING_REDIS_PORT="${SETTING_REDIS_PORT:-6379}" + # Memcached SETTING_MEMCACHED_LOCATION="${SETTING_MEMCACHED_LOCATION:-127.0.0.1:11211}" -# Nginx settings + +# Nginx and HTTP(S) settings DISABLE_HTTPS="$(normalize_bool DISABLE_HTTPS)" NGINX_WORKERS="${NGINX_WORKERS:-2}" NGINX_MAX_UPLOAD_SIZE="${NGINX_MAX_UPLOAD_SIZE:-80m}" +LOADBALANCER_IPS="${LOADBALANCER_IPS:-}" TRUST_GATEWAY_IP="$(normalize_bool TRUST_GATEWAY_IP)" -# Zulip certificate parameters SSL_CERTIFICATE_GENERATION="${SSL_CERTIFICATE_GENERATION:-self-signed}" -# Zulip related settings + +# Outgoing proxy settings +PROXY_ALLOW_ADDRESSES="${PROXY_ALLOW_ADDRESSES:-}" +PROXY_ALLOW_RANGES="${PROXY_ALLOW_RANGES:-}" + +# Core Zulip settings ZULIP_AUTH_BACKENDS="${ZULIP_AUTH_BACKENDS:-EmailAuthBackend}" -ZULIP_RUN_POST_SETUP_SCRIPTS="$(normalize_bool ZULIP_RUN_POST_SETUP_SCRIPTS True)" QUEUE_WORKERS_MULTIPROCESS="$(normalize_bool QUEUE_WORKERS_MULTIPROCESS)" -# Zulip user setup + +# Configuration controls FORCE_FIRST_START_INIT="$(normalize_bool FORCE_FIRST_START_INIT)" +ZULIP_RUN_POST_SETUP_SCRIPTS="$(normalize_bool ZULIP_RUN_POST_SETUP_SCRIPTS True)" +ZULIP_CUSTOM_SETTINGS="${ZULIP_CUSTOM_SETTINGS:-}" +MANUAL_CONFIGURATION="$(normalize_bool MANUAL_CONFIGURATION)" +LINK_SETTINGS_TO_DATA="$(normalize_bool LINK_SETTINGS_TO_DATA)" + # Auto backup settings AUTO_BACKUP_ENABLED="$(normalize_bool AUTO_BACKUP_ENABLED True)" AUTO_BACKUP_INTERVAL="${AUTO_BACKUP_INTERVAL:-30 3 * * *}" -# Zulip configuration function specific variable(s) -MANUAL_CONFIGURATION="$(normalize_bool MANUAL_CONFIGURATION)" -LINK_SETTINGS_TO_DATA="$(normalize_bool LINK_SETTINGS_TO_DATA)" -# entrypoint.sh specific variable(s) + +## Constants SETTINGS_PY="/etc/zulip/settings.py" + +## Global state GENERATE_CERTBOT_CERT_SCHEDULED="" # BEGIN appRun functions 
From 85aa438513b1bd32020f51271e1e05dc2e4cf8bf Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 12 Nov 2025 22:21:28 -0500 Subject: [PATCH 18/18] entrypoint: Enable `set -u`. --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index 71af9e54fb..9af05eb1c2 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,6 +5,7 @@ if [ "$DEBUG" = "true" ] || [ "$DEBUG" = "True" ]; then set -o functrace fi set -e +set -u shopt -s extglob normalize_bool() {
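Review bot: Enabling `set -u` here makes any expansion of a declared-but-unassigned variable fatal, and earlier in this series `configureCerts` gained `local GENERATE_SELF_SIGNED_CERT` and `local GENERATE_CERTBOT_CERT` with no initial value, while the visible `self-signed)` arm assigns only the first. If the rest of that function (outside the hunks shown) tests the other variable, startup will abort with an unbound-variable error. Initialising both, e.g. `local GENERATE_SELF_SIGNED_CERT="" GENERATE_CERTBOT_CERT=""`, avoids that. Positional parameters read as `"$1"` and `"$3"` in `setConfigurationValue` and `appManagePy` have the same exposure when a caller omits them, which also makes the existing "No KEY given" and "No command given" branches unreachable; `"${1:-}"` is the safer spelling.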