From ade96bf7362e823f679e392eab529bc4f1cc0bdd Mon Sep 17 00:00:00 2001 From: BookJJun-IJ Date: Wed, 24 Jun 2026 20:55:11 +0900 Subject: [PATCH] fix(odoo): resolve redirect loop and startup crash - Add --proxy-mode to fix infinite redirect loop behind Caddy reverse proxy - Add container_name for stable Caddy DNS resolution on pcs network - Add pre-install-cmd to generate odoo.conf (fixes wait-for-psql.py crash when config volume mounts an empty directory over /etc/odoo/) - Add rationale.md documenting root container usage --- Apps/Odoo/Rationale.md | 73 ++++++++++++------------------------ Apps/Odoo/docker-compose.yml | 14 ++++++- 2 files changed, 35 insertions(+), 52 deletions(-) diff --git a/Apps/Odoo/Rationale.md b/Apps/Odoo/Rationale.md index 1921b2c..deeaf9d 100644 --- a/Apps/Odoo/Rationale.md +++ b/Apps/Odoo/Rationale.md @@ -1,62 +1,35 @@ -# Odoo Security Rationale +# Odoo — Rationale -## Root Container Usage +## What deviation / exception is being requested -This application uses root containers (`user: "0:0"`) for both PostgreSQL and Odoo services. +Both services run as `user: "0:0"` (root): +- `postgres` (postgres:18.3) +- `odoo` (odoo:19.0) -### Why Root is Required +Authentication relies on Odoo's built-in onboarding — the database manager page requires a master password (`$APP_DEFAULT_PASSWORD`) on first access, then users log in with their created admin account. -**CasaOS Permission Behavior:** -- CasaOS automatically applies PUID:PGID (1000:1000) when no `user` field is specified -- This differs from standard Docker behavior and can cause conflicts with official images +## Why it is necessary -**PostgreSQL Service:** -- The official PostgreSQL image expects to run as the `postgres` user (UID 999) -- When CasaOS applies UID 1000, PostgreSQL cannot properly initialize or access its data directory -- Running as root allows PostgreSQL to properly manage file permissions in `/var/lib/postgresql/data` +CasaOS automatically applies `PUID:PGID` (1000:1000) when no `user` field is specified, which differs from standard Docker behavior. -**Odoo Service:** -- The official Odoo image expects to run as the `odoo` user -- Similar to PostgreSQL, CasaOS's automatic UID 1000 assignment conflicts with Odoo's internal user management -- Running as root ensures proper access to `/var/lib/odoo`, `/etc/odoo`, and `/mnt/extra-addons` +- **PostgreSQL**: The official image expects to run as the `postgres` user (UID 999). CasaOS's automatic UID 1000 prevents PostgreSQL from initializing or accessing its data directory. +- **Odoo**: The official image expects to run as the `odoo` user. UID 1000 conflicts with Odoo's internal user management and access to `/var/lib/odoo`, `/etc/odoo`, and `/mnt/extra-addons`. -### Security Mitigation +## Security mitigations in place -**Volume Isolation:** -- All volumes are mapped exclusively to `/DATA/AppData/$AppID/` -- No access to user directories (`/DATA/Documents/`, `/DATA/Media/`, etc.) -- No shared volumes with other applications +- **Volume isolation**: All volumes map exclusively to `/DATA/AppData/odoo/` — no access to user directories (`/DATA/Documents/`, `/DATA/Media/`, etc.). +- **Network isolation**: PostgreSQL is only reachable on the internal `odoo-internal` network. Only the Odoo web UI (port 80) is exposed via Caddy on the `pcs` network. +- **Official images**: `postgres:18.3` and `odoo:19.0` from Docker Hub, regularly updated and security-audited. +- **Resource limits**: PostgreSQL capped at 512M memory, Odoo at 1G. -**Network Isolation:** -- PostgreSQL is not exposed outside the Docker network -- Only Odoo's web interface (port 8069) is exposed via NSL Router -- Database communication is container-to-container only +## Alternatives considered and rejected -**Official Images:** -- Using official `postgres:15.15` and `odoo:18.0` images from Docker Hub -- These images have been security audited and are regularly updated -- Images include internal security measures and user management +- **Specific UIDs** (e.g. 999 for postgres): Breaks when upstream images change their internal user IDs; less maintainable across updates. +- **Custom entrypoint scripts**: Adds complexity and maintenance burden; deviates from official image best practices. -### Alternative Approaches Considered +## Data protection -1. **Using specific UIDs (999 for postgres, odoo UID for Odoo):** - - Would require knowing exact UIDs used by official images - - Would break when images change their internal user IDs - - Less maintainable across updates - -2. **Custom entrypoint scripts:** - - Would add complexity and maintenance burden - - Could introduce security vulnerabilities - - Would deviate from official image best practices - -3. **User directory access:** - - Not required for this application - - All data is contained within AppData directory - -### Conclusion - -Root containers are necessary for this application due to CasaOS's automatic PUID/PGID behavior conflicting with official PostgreSQL and Odoo images. The security risk is minimal because: -- Volumes are isolated to AppData only -- Using official, security-audited images -- No access to user directories or system files -- PostgreSQL is not exposed outside the container network \ No newline at end of file +- All persistent data is under `/DATA/AppData/odoo/` (postgres-data, odoo-data, config, addons). +- No shared volumes with other applications. +- PostgreSQL is not exposed outside the container network. +- `pre-install-cmd` guards config creation with an existence check (`if [ ! -f ... ]`) to preserve user modifications across reinstalls. diff --git a/Apps/Odoo/docker-compose.yml b/Apps/Odoo/docker-compose.yml index e55ab95..eb92529 100644 --- a/Apps/Odoo/docker-compose.yml +++ b/Apps/Odoo/docker-compose.yml @@ -29,8 +29,9 @@ services: odoo: image: odoo:19.0 + container_name: odoo user: "0:0" - command: odoo --http-port=80 + command: odoo --http-port=80 --data-dir=/var/lib/odoo --proxy-mode depends_on: postgres: condition: service_healthy @@ -208,5 +209,14 @@ x-casaos: **Remarque**: - La configuration initiale peut prendre quelques minutes - Après la création de la base de données, vous pouvez vous connecter avec votre compte administrateur + pre-install-cmd: | + mkdir -p /DATA/AppData/odoo/config/ /DATA/AppData/odoo/odoo-data/ /DATA/AppData/odoo/addons/ /DATA/AppData/odoo/postgres-data/ + if [ ! -f /DATA/AppData/odoo/config/odoo.conf ]; then + cat > /DATA/AppData/odoo/config/odoo.conf <<'CONF' + [options] + addons_path = /mnt/extra-addons/ + data_dir = /var/lib/odoo/ + CONF + fi index: / - scheme: https + scheme: https \ No newline at end of file