Update permission management, add helper and change default port to 8080

marcelfolaron · marcelfolaron · commit 867aa1c98c04 · 2025-02-19T10:09:28.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 .env
 .vscode
 .DS_store
+.codebuddy
+.idea
diff --git a/Dockerfile b/Dockerfile
@@ -97,7 +97,7 @@ COPY start.sh /start.sh
 RUN chmod +x /start.sh
 
 # Install Leantime
-ARG LEAN_VERSION=3.4.0
+ARG LEAN_VERSION=3.4.1
 RUN set -ex; \
     curl -fsSL --retry 3 https://github.com/Leantime/leantime/releases/download/v${LEAN_VERSION}/Leantime-v${LEAN_VERSION}.tar.gz -o leantime.tar.gz && \
     tar xzf leantime.tar.gz --strip-components 1 && \
@@ -107,5 +107,5 @@ RUN set -ex; \
 # Switch to non-root user
 USER www-data
 
-EXPOSE 80
+EXPOSE 8080
 ENTRYPOINT ["/sbin/tini", "--", "/start.sh"]
diff --git a/README.md b/README.md
@@ -17,8 +17,6 @@ This is the official <a href="https://hub.docker.com/r/leantime/leantime">Docker
 ## How to use this image
 Below you will find examples on how to get started with Leantime trough `docker run` or `docker compose`.
 
-
-
 ### Option 1: Quick Start with Docker Compose (Recommended)
 
 ```
@@ -52,6 +50,21 @@ docker network create leantime-net
 
 ## Docker specific configuration options
 
+### Port Configuration
+By default, Leantime runs on port 8080 internally. If you need to use port 80, you have two options:
+
+1. Map port 80 externally to 8080 internally in docker-compose.yml:
+
+```
+    ports: - "80:8080"
+```
+
+2. Add required capabilities (not recommended):
+
+```
+    cap_add: - CAP_NET_BIND_SERVICE
+```
+
 ### Running as Non-Root User
 Add the `user` directive to your docker-compose.yml:
 
diff --git a/config/nginx.conf b/config/nginx.conf
@@ -34,7 +34,7 @@ http {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     server {
-        listen 80;
+        listen 8080;
         server_name _;
         root /var/www/html/public;
         index index.php;
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -22,19 +22,38 @@ services:
     #user: "www-data"                                        # Run as non-root user
     restart: unless-stopped
     env_file: ./.env                                        # Environment file with settings
+    # Add security options
+    security_opt:
+      - no-new-privileges:true
+    # Add capabilities
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+      - CAP_CHOWN
+      - CAP_SETGID
+      - CAP_SETUID
+    ports:
+      - "${LEAN_PORT:-8080}:8080"
     networks:
       - leantime-net
     volumes:
       - public_userfiles:/var/www/html/public/userfiles     # Volume to store public files, logo etc
       - userfiles:/var/www/html/userfiles                   # Original volume name for compatibility
       - plugins:/var/www/html/app/Plugins                   # Plugin storage
       - logs:/var/www/html/storage/logs                     # Log storage
-    ports:
-      - "${LEAN_PORT}:80"                                          # The port to expose and access Leantime
     depends_on:
       leantime_db:
         condition: service_healthy
 
+  # Add a helper container for volume permissions
+  # Run via docker compose --profile mysql_helper up -d
+  mysql_helper:
+    image: mysql:8.4
+    command: chown -R mysql:mysql /var/lib/mysql
+    volumes:
+      - db_data:/var/lib/mysql
+    user: root
+    profiles: [ "helper" ]
+
 volumes:
   db_data:
   userfiles:                                               # New volume for public files
diff --git a/sample.env b/sample.env
@@ -2,8 +2,10 @@
 # If you don't want to maintain a file like this you can pass in all variables via Server Variables
 
 ## Minimum Configuration, these are required for installation
+PUID=1000
+PGID=1000
 
-LEAN_PORT = '8081'                                 # The port to expose and access Leantime
+LEAN_PORT = '8080'                                 # The port to expose and access Leantime
 LEAN_APP_URL = ''                                  # Base URL, needed for subfolder or proxy installs (including http:// or https://)
 LEAN_APP_DIR = ''                                  # Base of application without trailing slash (used for cookies), e.g, /leantime
 
@@ -16,7 +18,7 @@ MYSQL_USER = 'lean'                                # Database username
 MYSQL_PASSWORD = 'changeme123'                     # Database password
 
 # Database - leantime container
-LEAN_DB_HOST = 'mysql_leantime'                    # Database host 
+LEAN_DB_HOST = 'mysql_leantime'                    # Database host
 LEAN_DB_USER = 'lean'                              # Database username (needs to be the same as MYSQL_USER)
 LEAN_DB_PASSWORD = 'changeme123'                   # Database password (needs to be the same as MYSQL_PASSWORD)
 LEAN_DB_DATABASE = 'leantime'                      # Database name (needs to be the same as MYSQL_DATABASE)
diff --git a/start.sh b/start.sh
@@ -1,41 +1,5 @@
 #!/bin/sh
 
-# Function to set permissions
-set_permissions() {
-    # Only set permissions if running as root
-    if [ "$(id -u)" = "0" ]; then
-        chown -R www-data:www-data /var/www/html
-        chmod -R 775 /var/www/html
-
-        # Ensure specific directories exist and have correct permissions
-        local dirs="/var/www/html/userfiles /var/www/html/public/userfiles /var/www/html/storage/logs /var/www/html/app/Plugins"
-        for dir in $dirs; do
-            mkdir -p "$dir"
-            chown -R www-data:www-data "$dir"
-            chmod 2775 "$dir"
-        done
-
-        # Ensure supervisord can write its pid file
-        mkdir -p /run && chown www-data:www-data /run
-    fi
-}
-
-# Handle PUID/PGID
-if [ -n "${PUID}" ] && [ -n "${PGID}" ]; then
-    if [ -n "${PUID}" ] && [ "${PUID}" != "1000" ]; then
-        usermod -u "${PUID}" www-data
-    fi
-    if [ -n "${PGID}" ] && [ "${PGID}" != "1000" ]; then
-        groupmod -g "${PGID}" www-data
-    fi
-
-    # After changing UID/GID, we need to fix permissions
-    set_permissions
-fi
-
-# Always ensure correct permissions
-set_permissions
-
 if [[  -n "${LEAN_DB_PASSWORD_FILE}" ]]; then
   LEAN_DB_PASSWORD=$(cat "${LEAN_DB_PASSWORD_FILE}")
   export LEAN_DB_PASSWORD
@@ -81,4 +45,7 @@ if [[  -n "${LEAN_EMAIL_SMTP_USERNAME_FILE}" ]]; then
   export LEAN_EMAIL_SMTP_USERNAME
 fi
 
+# Ensure supervisord can write its pid file
+mkdir -p /run
+
 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
