updated dockerfiles

Dockerfile

@@ -24,7 +24,8 @@ COPY Pipfile* ./
 
 #Dependencies
 RUN apt-get update \
-	&& apt-get -y --no-install-recommends install \
+  && apt-get -y --no-install-recommends install \
+		anacron \
 		build-essential \
 		curl \
 		ghostscript \
@@ -43,30 +44,38 @@ RUN apt-get update \
 		tesseract-ocr-spa \
 		tzdata \
 		unpaper \
-	&& pip install --upgrade pipenv \
+	&& pip install --upgrade pipenv supervisor \
 	&& pipenv install --system --deploy \
 	&& pipenv --clear \
 	&& apt-get -y purge build-essential \
 	&& apt-get -y autoremove --purge \
-	&& rm -rf /var/lib/apt/lists/*
+	&& rm -rf /var/lib/apt/lists/* \
+	&& mkdir /var/log/supervisord /var/run/supervisord
 
-# # Copy application
+# copy scripts
+# this fixes issues with imagemagick and PDF
+COPY scripts/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml
 COPY scripts/gunicorn.conf.py ./
+COPY scripts/supervisord.conf /etc/supervisord.conf
+COPY scripts/paperless-cron /etc/cron.daily/
+COPY scripts/docker-entrypoint.sh /sbin/docker-entrypoint.sh
+
+# copy app
 COPY src/ ./src/
 COPY --from=frontend /usr/src/paperless/src-ui/dist/paperless-ui/ ./src/documents/static/
 
-RUN addgroup --gid 1000 paperless && \
-	  useradd --uid 1000 --gid paperless --home-dir /usr/src/paperless paperless && \
-	  chown -R paperless:paperless .
+# add users, setup scripts
+RUN addgroup --gid 1000 paperless \
+	&& useradd --uid 1000 --gid paperless --home-dir /usr/src/paperless paperless \
+	&& chown -R paperless:paperless . \
+	&& chmod 755 /sbin/docker-entrypoint.sh \
+	&& chmod +x /etc/cron.daily/paperless-cron \
+	&& rm /etc/cron.daily/apt-compat /etc/cron.daily/dpkg
 
 WORKDIR /usr/src/paperless/src/
 
 RUN sudo -HEu paperless python3 manage.py collectstatic --clear --no-input
 
 VOLUME ["/usr/src/paperless/data", "/usr/src/paperless/consume", "/usr/src/paperless/export"]
-
-COPY scripts/docker-entrypoint.sh /sbin/docker-entrypoint.sh
-RUN chmod 755 /sbin/docker-entrypoint.sh
 ENTRYPOINT ["/sbin/docker-entrypoint.sh"]
-
-CMD ["--help"]
+CMD ["python3", "manage.py", "--help"]

docker-compose.yml.example

@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.4"
 services:
   db:
     image: postgres:13
@@ -27,23 +27,12 @@ services:
       - data:/usr/src/paperless/data
       - media:/usr/src/paperless/media
       - ./export:/usr/src/paperless/export
+      - ./consume:/usr/src/paperless/consume
     env_file: docker-compose.env
     environment:
       - PAPERLESS_OCR_LANGUAGES=
-    command: ["gunicorn", "-b", "0.0.0.0:8000"]
+    command: ["supervisord", "-c", "/etc/supervisord.conf"]
 
-  consumer:
-    image: paperless_app
-    depends_on:
-      - webserver
-      - db
-    restart: on-failure:5
-    volumes:
-      - data:/usr/src/paperless/data
-      - media:/usr/src/paperless/media
-      - ./consume:/usr/src/paperless/consume
-    env_file: docker-compose.env
-    command: ["document_consumer"]
 
 volumes:
   data:

scripts/docker-entrypoint.sh

@@ -79,22 +79,11 @@ install_languages() {
     done
 }
 
-if [[ "$1" != "/"* ]]; then
-    initialize
-
-    # Install additional languages if specified
-    if [[ ! -z "$PAPERLESS_OCR_LANGUAGES"  ]]; then
-        install_languages "$PAPERLESS_OCR_LANGUAGES"
-    fi
-
-    if [[ "$1" = "gunicorn" ]]; then
-        shift
-        cd /usr/src/paperless/src/ && \
-            exec sudo -HEu paperless gunicorn -c /usr/src/paperless/gunicorn.conf.py "$@" paperless.wsgi
-    fi
-
-		exec sudo -HEu paperless python3 manage.py "$@"
+initialize
 
+# Install additional languages if specified
+if [[ ! -z "$PAPERLESS_OCR_LANGUAGES"  ]]; then
+		install_languages "$PAPERLESS_OCR_LANGUAGES"
 fi
 
 exec "$@"

scripts/imagemagick-policy.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+  <!ELEMENT policymap (policy)+>
+  <!ATTLIST policymap xmlns CDATA #FIXED ''>
+  <!ELEMENT policy EMPTY>
+  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+  Configure ImageMagick policies.
+
+  Domains include system, delegate, coder, filter, path, or resource.
+
+  Rights include none, read, write, execute and all.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+
+  Use a glob expression as a pattern.
+
+  Suppose we do not want users to process MPEG video images:
+
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+  Here we do not want users reading images from HTTP:
+
+    <policy domain="coder" rights="none" pattern="HTTP" />
+
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+
+    <policy domain="path" rights="read" pattern="/repository/*" />
+
+  Lets prevent users from executing any image filters:
+
+    <policy domain="filter" rights="none" pattern="*" />
+
+  Any large image is cached to disk rather than memory:
+
+    <policy domain="resource" name="area" value="1GP"/>
+
+  Define arguments for the memory, map, area, width, height and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+
+  Rules are processed in order.  Here we want to restrict ImageMagick to only
+  read or write a small subset of proven web-safe image types:
+
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+  <!-- <policy domain="system" name="shred" value="2"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <policy domain="resource" name="map" value="512MiB"/>
+  <policy domain="resource" name="width" value="16KP"/>
+  <policy domain="resource" name="height" value="16KP"/>
+  <!-- <policy domain="resource" name="list-length" value="128"/> -->
+  <policy domain="resource" name="area" value="128MB"/>
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+  <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
+  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+  <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+  <!-- <policy domain="system" name="pixel-cache-memory" value="anonymous"/> -->
+  <!-- <policy domain="system" name="shred" value="2"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- not needed due to the need to use explicitly by mvg: -->
+  <!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
+  <!-- use curl -->
+  <policy domain="delegate" rights="none" pattern="URL" />
+  <policy domain="delegate" rights="none" pattern="HTTPS" />
+  <policy domain="delegate" rights="none" pattern="HTTP" />
+  <!-- in order to avoid to get image with password text -->
+  <policy domain="path" rights="none" pattern="@*"/>
+  <!-- disable ghostscript format types -->
+  <policy domain="coder" rights="none" pattern="PS" />
+  <policy domain="coder" rights="none" pattern="PS2" />
+  <policy domain="coder" rights="none" pattern="PS3" />
+  <policy domain="coder" rights="none" pattern="EPS" />
+  <policy domain="coder" rights="read|write" pattern="PDF" />
+  <policy domain="coder" rights="none" pattern="XPS" />
+</policymap>

scripts/paperless-cron

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cd /usr/src/paperless/src
+
+sudo -HEu paperless python3 manage.py document_create_classifier

scripts/supervisord.conf

@@ -0,0 +1,33 @@
+[supervisord]
+nodaemon=true               ; start in foreground if true; default false
+logfile=/var/log/supervisord/supervisord.log ; main log file; default $CWD/supervisord.log
+pidfile=/var/log/supervisord/supervisord.pid ; supervisord pidfile; default supervisord.pid
+logfile_maxbytes=50MB        ; max main logfile bytes b4 rotation; default 50MB
+logfile_backups=10           ; # of main logfile backups; 0 means none, default 10
+loglevel=info                ; log level; default info; others: debug,warn,trace
+
+[program:gunicorn]
+command=gunicorn -c /usr/src/paperless/gunicorn.conf.py -b 0.0.0.0:8000 paperless.wsgi
+user=paperless
+
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:consumer]
+command=python3 manage.py document_consumer
+user=paperless
+
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:anacron]
+command=anacron -d
+
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0