diff --git a/Containers/apache/start.sh b/Containers/apache/start.sh
index 44925db2..02a2f2ad 100644
--- a/Containers/apache/start.sh
+++ b/Containers/apache/start.sh
@@ -60,12 +60,6 @@ if [ -z "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
 fi
 
 echo "$CADDYFILE" > /tmp/Caddyfile
 
-# Remove windmill route if windmill is not enabled
-if [ "$WINDMILL_ENABLED" != "yes" ]; then
-    CADDYFILE="$(sed '/# Windmill/{N;N;N;N;d}' /tmp/Caddyfile)"
-    echo "$CADDYFILE" > /tmp/Caddyfile
-fi
-
 # Fix the Caddyfile format
 caddy fmt --overwrite /tmp/Caddyfile
diff --git a/Containers/windmill/Dockerfile b/Containers/windmill/Dockerfile
index e1619308..d21115bb 100644
--- a/Containers/windmill/Dockerfile
+++ b/Containers/windmill/Dockerfile
@@ -62,7 +62,11 @@ RUN set -ex; \
     # Create symlinks so postgres tools are on PATH
     ln -sf /usr/lib/postgresql/17/bin/postgres /usr/local/bin/postgres; \
     ln -sf /usr/lib/postgresql/17/bin/initdb /usr/local/bin/initdb; \
-    ln -sf /usr/lib/postgresql/17/bin/pg_ctl /usr/local/bin/pg_ctl
+    ln -sf /usr/lib/postgresql/17/bin/pg_ctl /usr/local/bin/pg_ctl; \
+    \
+    # Write a build-time marker so start.sh can detect image updates and
+    # clear the cache volume when a new image version is deployed.
+    date -u +%s > /etc/windmill-image-build-epoch
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -79,7 +83,10 @@ COPY --chmod=664 supervisord.conf /supervisord.conf
 ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
     UV_TOOL_DIR=/tmp/windmill/cache/uv/tools \
     WINDMILL_DIR=/tmp/windmill/cache \
-    SSL_CERT_FILE=/etc/ssl/ca-bundle.crt
+    SSL_CERT_FILE=/etc/ssl/ca-bundle.crt \
+    CURL_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
+    REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
+    NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt
 
 VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]
diff --git a/Containers/windmill/start.sh b/Containers/windmill/start.sh
index 014b1458..f1641242 100644
--- a/Containers/windmill/start.sh
+++ b/Containers/windmill/start.sh
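Review bot: The marker produced by `date -u +%s > /etc/windmill-image-build-epoch` lives in a RUN layer that precedes the `COPY --chmod=775 start.sh /start.sh` lines, so a rebuild that changes only those files or later instructions can reuse the cached RUN layer and ship the old epoch, and the cache clear in start.sh never triggers; the reverse also holds, since a cache-miss rebuild of unchanged sources yields a fresh epoch and wipes a still-valid cache volume. A value tied to the release rather than to build time, for example an `ARG` carrying the image version that the release pipeline passes in and that is written in its own layer after the COPY instructions, would make the marker change exactly when the image content does. If the pipeline always builds without layer cache this is moot, but that is not visible here. The RUN instruction starts outside the hunk.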
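Review bot: The ENV additions stand in for the runtime bundle setup removed from Containers/windmill/start.sh, but nothing replaces its `unset SSL_CERT_DIR`; as the comment removed there states, the Docker daemon injects SSL_CERT_DIR=/etc/ssl/certs, which uid 1000 cannot traverse, and an ENV line cannot unset a daemon-injected variable, so rustls-based clients may still attempt that directory unless the unset is kept in start.sh. Because CURL_CA_BUNDLE, REQUESTS_CA_BUNDLE and NODE_EXTRA_CA_CERTS now make /etc/ssl/ca-bundle.crt the trust root for every curl, Python and Node process in the container, it is worth confirming that the file is root-owned and not writable by the runtime user, which the hunk does not show. A short comment above the ENV block, such as `# Single CA bundle for all TLS clients; must stay root-owned and read-only for uid 1000`, would record that expectation.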
@@ -9,22 +9,23 @@ fi
 
 export TZ="${TZ:-Etc/UTC}"
 
-# The Docker daemon injects SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt and
-# SSL_CERT_DIR=/etc/ssl/certs into every container, but /etc/ssl/certs/ is mode 700
-# (root only) in the base Windmill image, so uid=1000 cannot traverse it.
-# Build a combined, world-readable CA bundle in the writable /tmp tmpfs and
-# override all SSL cert env vars so Windmill and its sub-processes use it.
-_COMBINED_BUNDLE="/tmp/ca-bundle.crt"
-cat /etc/ssl/ca-bundle.crt /etc/ssl/cert.pem > "$_COMBINED_BUNDLE" 2>/dev/null || \
-    cat /etc/ssl/ca-bundle.crt > "$_COMBINED_BUNDLE" 2>/dev/null || true
-if [ -s "$_COMBINED_BUNDLE" ]; then
-    export SSL_CERT_FILE="$_COMBINED_BUNDLE"
-    export CURL_CA_BUNDLE="$_COMBINED_BUNDLE"
-    export REQUESTS_CA_BUNDLE="$_COMBINED_BUNDLE"
-    export NODE_EXTRA_CA_CERTS="$_COMBINED_BUNDLE"
-    # Unset SSL_CERT_DIR so rustls-native-certs does not also try to traverse
-    # the inaccessible /etc/ssl/certs/ directory.
-    unset SSL_CERT_DIR
+# Clear the cache volume when the image has been updated.
+# /etc/windmill-image-build-epoch is written at image build time.
+# A copy is stored in the cache volume after first start.
+# If the two differ the image was updated and any stale cached artefacts
+# (uv tools, worker dirs) should be removed so Windmill starts clean.
+IMAGE_EPOCH_FILE="/etc/windmill-image-build-epoch"
+CACHE_EPOCH_FILE="/tmp/windmill/cache/.image-build-epoch"
+if [ -f "$IMAGE_EPOCH_FILE" ]; then
+    IMAGE_EPOCH="$(cat "$IMAGE_EPOCH_FILE")"
+    if [ -f "$CACHE_EPOCH_FILE" ]; then
+        CACHE_EPOCH="$(cat "$CACHE_EPOCH_FILE")"
+        if [ "$IMAGE_EPOCH" != "$CACHE_EPOCH" ]; then
+            echo "Windmill image updated (was $CACHE_EPOCH, now $IMAGE_EPOCH). Clearing cache..."
+            find /tmp/windmill/cache -mindepth 1 -maxdepth 1 ! -name '.image-build-epoch' -exec rm -rf {} +
+        fi
+    fi
+    echo "$IMAGE_EPOCH" > "$CACHE_EPOCH_FILE"
 fi
 
 PGDATA="/var/lib/postgresql/data"
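Review bot: A cache volume created by an image that predates the marker is never cleared, because the clear is nested under `if [ -f "$CACHE_EPOCH_FILE" ]; then`: on the first start after such an upgrade the marker is simply written and the stale uv tools and worker dirs the comment wants removed are kept. Treating a missing marker as an unknown version and comparing against an empty string clears in that case too, and on a genuinely fresh volume the find over an empty directory is a no-op. Whether the script runs under `set -e` is not visible here; if it does, a single entry that `rm -rf` cannot remove would abort startup, so an explicit `|| echo "Warning: could not fully clear the cache" >&2` on the find line may be wanted. The surrounding script continues outside the hunk.
```shell
if [ -f "$IMAGE_EPOCH_FILE" ]; then
    IMAGE_EPOCH="$(cat "$IMAGE_EPOCH_FILE")"
    # A missing marker means the volume was filled by an image that predates
    # the marker; treat it as outdated rather than trusting its contents.
    CACHE_EPOCH=""
    if [ -f "$CACHE_EPOCH_FILE" ]; then
        CACHE_EPOCH="$(cat "$CACHE_EPOCH_FILE")"
    fi
    if [ "$IMAGE_EPOCH" != "$CACHE_EPOCH" ]; then
        echo "Windmill image updated (was ${CACHE_EPOCH:-unknown}, now $IMAGE_EPOCH). Clearing cache..."
        # … unchanged: find /tmp/windmill/cache … -exec rm -rf {} + …
    fi
    # … unchanged: write $IMAGE_EPOCH to $CACHE_EPOCH_FILE, closing fi …
```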