Support rootless (backwards compatible)

.github/workflows/build.yaml

@@ -57,14 +57,14 @@ jobs:
           outputs: type=image,"name=${{ env.DOCKER_REPO_DEV }}",push-by-digest=false,name-canonical=true,push=true
           context: ./build
           file: ./build/Dockerfile
-          tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
+          tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.sha }}"
           build-args: |
             version=${{ env.version }}
 
       - name: Run Trivy vulnerability scan
         uses: aquasecurity/trivy-action@0.30.0
         with:
-          image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
+          image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.sha }}"
           format: 'sarif'
           exit-code: 0
           severity: 'CRITICAL,HIGH'

README.md

@@ -29,41 +29,25 @@ tag | description
 `build` | latest `build` image
 `[version]-build` | `build` images
 
-## Initialization
+## Starting the container
 
-To initialize and add account to the bridge, run the following command.
+To initialize and add account to the bridge, run the following steps:
 
+1. Start the container with a named volume (protonmail) for persistent storage.
 ```
-docker run --rm -it -v protonmail:/root shenxn/protonmail-bridge init
+docker run -it -v protonmail:/root shenxn/protonmail-bridge
 ```
+2. When you are done, press `CTRL+P` followed by `CTRL+Q`. This detaches the container from your terminal and keeps it running in the background.
 
-If you want to use Docker Compose instead, you can create a copy of the provided example [docker-compose.yml](docker-compose.yml) file, modify it to suit your needs, and then run the following command:
+## Setting up the bridge
 
+If you have not set up an account, you need to do the folliwing steps in the protonmail-bridge CLI interface:
+1. Connect to the running container by getting it's name using `docker ps` and then running:
 ```
-docker compose run protonmail-bridge init
+docker attach <container_name>
 ```
-
-Wait for the bridge to startup, then you will see a prompt appear for [Proton Mail Bridge interactive shell](https://proton.me/support/bridge-cli-guide). Use the `login` command and follow the instructions to add your account into the bridge. Then use `info` to see the configuration information (username and password). After that, use `exit` to exit the bridge. You may need `CTRL+C` to exit the docker entirely.
-
-## Run
-
-To run the container, use the following command.
-
-```
-docker run -d --name=protonmail-bridge -v protonmail:/root -p 1025:25/tcp -p 1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge
-```
-
-Or, if using Docker Compose, use the following command.
-
-```
-docker compose up -d
-```
-
-## Kubernetes
-
-If you want to run this image in a Kubernetes environment. You can use the [Helm](https://helm.sh/) chart (https://github.com/k8s-at-home/charts/tree/master/charts/stable/protonmail-bridge) created by [@Eagleman7](https://github.com/Eagleman7). More details can be found in [#23](https://github.com/shenxn/protonmail-bridge-docker/issues/23).
-
-If you don't want to use Helm, you can also reference to the guide ([#6](https://github.com/shenxn/protonmail-bridge-docker/issues/6)) written by [@ghudgins](https://github.com/ghudgins).
+2. Use the `add` command to add your ProtonMail account. You will be prompted to enter your ProtonMail username and password.
+3. After adding your account, use the `info` command to see the configuration information (username and password).
 
 ## Security
 
@@ -75,19 +59,6 @@ docker run -d --name=protonmail-bridge -v protonmail:/root -p 127.0.0.1:1025:25/
 
 Besides, you can publish only port 25 (SMTP) if you don't need to receive any email (e.g. as a email notification service).
 
-## Compatibility
-
-The bridge currently only supports some of the email clients. More details can be found on the official website. I've tested this on a Synology DiskStation and it runs well. However, you may need ssh onto it to run the interactive docker command to add your account. The main reason of using this instead of environment variables is that it seems to be the best way to support two-factor authentication.
-
 ## Bridge CLI Guide
 
 The initialization step exposes the bridge CLI so you can do things like switch between combined and split mode, change proxy, etc. The [official guide](https://protonmail.com/support/knowledge-base/bridge-cli-guide/) gives more information on to use the CLI.
-
-## Build
-
-For anyone who want to build this container on your own (for development or security concerns), here is the guide to do so. First, you need to `cd` into the directory (`deb` or `build`, depending on which type of image you want). Then just run the docker build command
-```
-docker build .
-```
-
-That's it. The `Dockerfile` and bash scripts handle all the downloading, building, and packing. You can also add tags, push to your favorite docker registry, or use `buildx` to build multi architecture images.

build/Dockerfile

@@ -14,12 +14,19 @@ RUN make build-nogui vault-editor
 FROM debian:sid-slim
 LABEL maintainer="Simon Felding <sife@adm.ku.dk>"
 
+# These are only exported if running as root
 EXPOSE 25/tcp
 EXPOSE 143/tcp
 
+EXPOSE 2025/tcp
+EXPOSE 2143/tcp
+
+ENV PROTONMAIL_TelemetryDisabled=false
+ENV PROTONMAIL_AutoUpdate=false
+
 # Install dependencies and protonmail bridge
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 ca-certificates \
+    && apt-get install -y --no-install-recommends procps jq socat pass libsecret-1-0 ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy bash scripts

build/entrypoint.sh

@@ -2,34 +2,67 @@
 
 set -ex
 
-# Initialize
 if [[ $1 == init ]]; then
+    echo "The init command is deprecated. Go to our github repo for setup instructions."
+fi
+
+if [[ $HOME == "/" ]] then
+    echo "When running rootless, you must set a home dir as the HOME env var. We recommend /data. Make sure it is writable by the user running the container (currently id is $(id -u) and HOME is $HOME)."
+    exit 1
+fi
+
+# give friendly error if you don't have protonmail data
+if [[ `find $HOME | wc -l` == 1 ]]; then # 1 because find $HOME will always return $HOME
+    echo 'Protonmail does not seem to have been initialized yet. Enter the container with something like `docker exec -it <container_name>` and type "help" for instructions on how to set up the ProtonMail Bridge'
+    timeout 10s /protonmail/proton-bridge --noninteractive # this starts the bridge in non-interactive mode and kills it after 20 seconds, so we can populate the vault with default values and override them with the env variables in the later step.
+fi
+
+# give friendly error if the user doesn't own the data
+if [[ $(id -u) != 0 ]]; then
+    if [[ `find $HOME/.* -not -user $(id -u) | wc -l` != 0 ]]; then
+        echo "You do not own the data in $HOME. Please chown it to $(id -u), run the container as the owner of the data or run the container as root."
+        exit 1
+    fi
+fi
 
-    # Initialize pass
+if [[ ! -f $HOME/.gnupg ]]; then
+    echo "No GPG key found in $HOME/.gnupg. Running gpg --generate-key."
     gpg --generate-key --batch /protonmail/gpgparams
     pass init pass-key
-
-    # Kill the other instance as only one can be running at a time.
-    # This allows users to run entrypoint init inside a running conainter
-    # which is useful in a k8s environment.
-    # || true to make sure this would not fail in case there is no running instance.
-    pkill protonmail-bridge || true
-
-    # Login
-    /protonmail/proton-bridge --cli $@
+fi
+# delete lock files if they exist - this can happen if the container is restarted forcefully
 
-else
+if [[ `find $HOME -name "*.lock" | wc -l` != 0 ]]; then
+    echo "Deleting lock files in $HOME. This can happen if the container is restarted forcefully."
+    find $HOME -name "*.lock" -delete
+fi
 
-    # socat will make the conn appear to come from 127.0.0.1
-    # ProtonMail Bridge currently expects that.
-    # It also allows us to bind to the real ports :)
+# socat will make the conn appear to come from 127.0.0.1
+# ProtonMail Bridge currently expects that.
+# It also allows us to bind to the real ports :)
+if [[ $(id -u) == 0 ]]; then
     socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
     socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+else
+    socat TCP-LISTEN:2025,fork TCP:127.0.0.1:1025 &
+    socat TCP-LISTEN:2143,fork TCP:127.0.0.1:1143 &
+fi
 
-    # Start protonmail
-    # Fake a terminal, so it does not quit because of EOF...
-    rm -f faketty
-    mkfifo faketty
-    cat faketty | /protonmail/proton-bridge --cli $@
+# Broken until https://github.com/ProtonMail/proton-bridge/issues/512 is resolved.
+# check if the vault-editor can read the config
+/protonmail/vault-editor read 2>&1 1>/dev/null
+# Modify the protonmail config with env variables and expected values. Env variables must be converted from string to boolean.
+/protonmail/vault-editor read | \
+jq '.Settings.AutoUpdate = (env.PROTONMAIL_AutoUpdate | if . == "true" then true else false end)
+| .Settings.TelemetryDisabled = (env.PROTONMAIL_TelemetryDisabled | if . == "true" then true else false end)
+| .Settings.GluonDir |= "\(env.HOME)/.local/share/protonmail/bridge-v3/gluon"
+| .Settings.Autostart = false
+| .Settings.SMTPPort = 1025
+| .Settings.IMAPPort = 1143 ' \
+| /protonmail/vault-editor write
 
-fi
+# Start protonmail
+echo "Starting ProtonMail Bridge. Connect to the CLI with `docker exec -it <container_name>` and type 'help' for instructions."
+/protonmail/proton-bridge --cli $@
+echo "ProtonMail bridge stopped. waiting 30 seconds before exiting in order to preserve the logs."
+sleep 30 # so we have time to read the logs in case of a crash loop

deb/Dockerfile

@@ -12,9 +12,13 @@ RUN bash /install.sh
 FROM debian:sid-slim
 LABEL maintainer="Simon Felding <sife@adm.ku.dk>"
 
+# These are only exported if running as root
 EXPOSE 25/tcp
 EXPOSE 143/tcp
 
+EXPOSE 2025/tcp
+EXPOSE 2143/tcp
+
 WORKDIR /protonmail
 
 # Copy bash scripts

deb/entrypoint.sh

@@ -30,20 +30,44 @@ if [[ $1 == init ]]; then
     pass init pass-key
 
     # Login
-    protonmail-bridge --cli
+    protonmail-bridge --cli $@
 
 else
+    if [[ $HOME == "/" ]] then
+        echo "When running rootless, you must set a home dir as the HOME env var. We recommend /data. Make sure it is writable by the user running the container (currently id is $(id -u) and HOME is $HOME)."
+        exit 1
+    fi
+
+    # give friendly error if you don't have protonmail data
+    if [[ `find $HOME | wc -l` == 1 ]]; then # 1 because find $HOME will always return $HOME
+        echo "No files found - start the container with the init command, or copy/mount files into it at $HOME first. Sleeping 5 minutes before exiting so you have time to copy the files over."
+        sleep 300
+        exit 1
+    fi
+
+    # give friendly error if the user doesn't own the data
+    if [[ $(id -u) != 0 ]]; then
+        if [[ `find $HOME/.* -not -user $(id -u) | wc -l` != 0 ]]; then
+          echo "You do not own the data in $HOME. Please chown it to $(id -u), run the container as the owner of the data or run the container as root."
+          exit 1
+        fi
+    fi
+
+    # delete lock files if they exist - this can happen if the container is restarted forcefully
+    find $HOME -name "*.lock" -delete
 
     # socat will make the conn appear to come from 127.0.0.1
     # ProtonMail Bridge currently expects that.
     # It also allows us to bind to the real ports :)
-    socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
-    socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+    if [[ $(id -u) == 0 ]]; then
+        socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
+        socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+    fi
+
+    socat TCP-LISTEN:2025,fork TCP:127.0.0.1:1025 &
+    socat TCP-LISTEN:2143,fork TCP:127.0.0.1:1143 &
 
     # Start protonmail
-    # Fake a terminal, so it does not quit because of EOF...
-    rm -f faketty
-    mkfifo faketty
-    cat faketty | protonmail-bridge --cli
+    /protonmail/proton-bridge --noninteractive $@
 
 fi

docker-compose.yml

@@ -1,14 +1,19 @@
-version: '2.1'
-
 services:
   protonmail-bridge:
     image: shenxn/protonmail-bridge
+    container_name: protonmail-bridge
     ports:
       - 1025:25/tcp
       - 1143:143/tcp
     restart: unless-stopped
     volumes:
       - protonmail:/root
+    stdin_open: true
+    tty: true
+    logging:
+      options:
+        max-size: "1m"
+        max-file: "10"
 volumes:
   protonmail:
     name: protonmail