Merge branch hotfix/v9.3.1 into develop

Co-authored-by: danilapog <danil.titarenko@onlyoffice.com>
Co-committed-by: danilapog <danil.titarenko@onlyoffice.com>

.github/ISSUE_TEMPLATE.md

@@ -1,13 +0,0 @@
-**Do you want to request a *feature* or report a *bug*?**
-
-**What is the current behavior?**
-
-**If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.**
-
-**What is the expected behavior?**
-
-**Did this work in previous versions of DocumentServer?**
-
-**DocumentServer Docker tag:**
-
-**Host Operating System:**

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,83 @@
+name: "Bug report"
+description: "Use this template if you're running into issues with DocumentServer Docker container."
+body:
+  - type: checkboxes
+    id: unique
+    attributes:
+      label: "This issue is unique."
+      options:
+      - label: "I have used the [search tool](https://github.com/ONLYOFFICE/Docker-DocumentServer/issues?q=) and did not find an issue describing my bug."
+        required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      description: "Select the operating system where Docker is running."
+      multiple: true
+      options:
+      - Windows
+      - macOS
+      - Linux
+    validations:
+      required: true
+  - type: dropdown
+    id: architecture
+    attributes:
+      label: Architecture
+      description: "Select the architecture of the system."
+      options:
+      - x86_64
+      - arm64
+    validations:
+      required: true
+  - type: input
+    id: docker-version
+    attributes:
+      label: "Docker version"
+      description: "Provide your Docker version (run `docker --version`)."
+      placeholder: "Example: Docker version 24.0.5"
+    validations:
+      required: true
+  - type: input
+    id: docs-version
+    attributes:
+      label: "ONLYOFFICE-Docs version"
+      description: "Please provide the exact version or Docker tag you are using."
+      placeholder: "Example: 8.0.1 or latest"
+    validations:
+      required: true
+  - type: textarea
+    id: repro-steps
+    attributes:
+      label: "Reproduction Steps"
+      description: "Provide information on how to reproduce this bug. Make sure your instructions are clear."
+      placeholder: |
+        Example:
+        1. Pull the latest DocumentServer image
+        2. Start container with docker-compose
+        3. Access http://localhost
+        4. Observe the issue
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: "Expected Behavior"
+      description: "What did you expect to happen?"
+      placeholder: "Example: The container should start successfully and be accessible on port 80."
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: "Actual Behavior"
+      description: "What did actually happen?"
+      placeholder: "Example: The container starts but DocumentServer returns 502 Bad Gateway error."
+    validations:
+      required: true
+  - type: textarea
+    id: additional
+    attributes:
+      label: "Additional information"
+      description: "If you have any screenshots, error messages, logs, or other information that you feel is necessary to explain the issue, feel free to attach them here."
+      placeholder: "Example: Container logs, error messages, configuration details, etc."

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: DocumentServer Docker Documentation
+    url: https://helpcenter.onlyoffice.com/docs/installation/developer/docker
+    about: Check the Docker documentation for configuration and deployment guides.
+  - name: Community Forum
+    url: https://community.onlyoffice.com/
+    about: Ask questions and get help from the ONLYOFFICE community.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,14 @@
+name: "Feature request"
+description: "Use this form to suggest a feature."
+body:
+  - type: checkboxes
+    attributes:
+      label: "This issue is unique."
+      options:
+      - label: "I have used the [search tool](https://github.com/ONLYOFFICE/Docker-DocumentServer/issues?q=) and did not find an issue describing my idea."
+        required: true
+  - type: textarea
+    attributes:
+      label: Your idea.
+    validations:
+      required: true

.github/workflows/4testing-build.yml

@@ -1,5 +1,14 @@
 ### This workflow setup instance then build and push images ###
 name: 4testing multiarch-build
+run-name: >-
+  Build #${{ inputs.build }} [
+  ${{ inputs.amd64 && 'AMD64' || '-' }}
+  ${{ inputs.arm64 && 'ARM64' || '-' }}
+  ] [
+  ${{ inputs.community && 'CE' || '-' }}
+  ${{ inputs.developer && 'DE' || '-' }}
+  ${{ inputs.enterprise && 'EE' || '-' }}
+  ]
 
 on:
   workflow_dispatch:
@@ -38,66 +47,101 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: matrix
+        env:
+          BRANCH_NAME: ${{ github.ref_name }}
+          AMD64: ${{ github.event.inputs.amd64 }}
+          ARM64: ${{ github.event.inputs.arm64 }}
+          COMMUNITY: ${{ github.event.inputs.community }}
+          ENTERPRISE: ${{ github.event.inputs.enterprise }}
+          DEVELOPER: ${{ github.event.inputs.developer }}
         run: |
           set -ex
 
-          BRANCH_NAME=${GITHUB_REF#refs/heads/}
-          if ! [[ $BRANCH_NAME == develop || $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then
+          if ! [[ "$BRANCH_NAME" == develop || "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then
             echo "Wrong branch."
             exit 1
           fi
 
-          [ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64")
-          [ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64")
+          [ "${AMD64}" = true ] && PLATFORMS+=("amd64")
+          [ "${ARM64}" = true ] && PLATFORMS+=("arm64")
           if [ -z ${PLATFORMS} ]; then
             echo "None of the platforms are selected."
             exit 1
           fi
 
-          [ ${{ github.event.inputs.community }} = true ] && EDITIONS+=("community")
-          [ ${{ github.event.inputs.enterprise }} = true ] && EDITIONS+=("enterprise")
-          [ ${{ github.event.inputs.developer }} = true ] && EDITIONS+=("developer")
+          [ "${COMMUNITY}" = true ] && EDITIONS+=("community")
+          [ "${ENTERPRISE}" = true ] && EDITIONS+=("enterprise")
+          [ "${DEVELOPER}" = true ] && EDITIONS+=("developer")
           if [ -z ${EDITIONS} ]; then
             echo "None of the editions are selected."
             exit 1
           fi
-          echo "::set-output name=editions::$(jq -n -c --arg s "${EDITIONS[*]}" '($s|split(" "))')"
+          echo "editions=$(jq -n -c --arg s "${EDITIONS[*]}" '($s|split(" "))')" >> $GITHUB_OUTPUT
+          echo "platforms=$(jq -c -n '$ARGS.positional' --args "${PLATFORMS[@]}")" >> $GITHUB_OUTPUT
     outputs:
       editions: ${{ steps.matrix.outputs.editions }}
+      platforms: ${{ steps.matrix.outputs.platforms }}
 
   build:
-    name: "Build ${{ matrix.image }}-${{ matrix.edition }}"
-    runs-on: ubuntu-latest
+    name: "Build ${{ matrix.image }}-${{ matrix.edition }}:${{ matrix.platform }}"
+    runs-on: ${{ matrix.runner }}
     needs: prepare
     strategy:
       fail-fast: false
       matrix:
         image: ["documentserver"]
         edition: ${{ fromJSON(needs.prepare.outputs.editions) }}
+        platform: ${{ fromJSON(needs.prepare.outputs.platforms) }}
+        include:
+          - platform: amd64
+            runner: ubuntu-latest
+          - platform: arm64
+            runner: ubuntu-24.04-arm
     steps:
       - name: Checkout code 
-        uses: actions/checkout@v3
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
+      - name: Prepare fonts cache
+        id: fonts
+        uses: actions/cache@v4
+        with:
+          path: fonts
+          key: fonts-${{ runner.os }}-v1
+
+      - name: Install fonts if not cached
+        if: steps.fonts.outputs.cache-hit != 'true'
+        run: |
+          sudo apt-get update
+          echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" | sudo debconf-set-selections
+          sudo apt-get install -y ttf-mscorefonts-installer
+          mkdir -p fonts/msttcorefonts
+          cp -a /usr/share/fonts/truetype/msttcorefonts/* fonts/msttcorefonts/
+
       - name: Build 4testing
+        id: build-ds
+        env:
+          BRANCH_NAME: ${{ github.ref_name }}
+          PLATFORM: linux/${{ matrix.platform }}
+          BUILD_NUMBER: ${{ github.event.inputs.build }}
+          EDITION: ${{ matrix.edition }}
+          IMAGE: ${{ matrix.image }}
+          PACKAGE_BASEURL: ${{ secrets.REPO_BASEURL }}
         run: |
           set -eux
 
           ### ==>> At this step build variable declaration ###
 
-          case ${{ matrix.edition }} in
+          case "${EDITION}" in
             community)
               PRODUCT_EDITION=""
               ;;
@@ -109,31 +153,167 @@ jobs:
               ;;
           esac
 
-          [ ${{ github.event.inputs.amd64 }} = true ] && PLATFORMS+=("amd64")
-          [ ${{ github.event.inputs.arm64 }} = true ] && PLATFORMS+=("arm64")
-          PLATFORM=$(echo ${PLATFORMS[*]/#/linux/} | tr ' ' ',')
-
-          BRANCH_NAME=${GITHUB_REF#refs/heads/}
-          if [ $BRANCH_NAME = develop ]; then
+          if [ "$BRANCH_NAME" = develop ]; then
             BUILD_CHANNEL=nightly
             PRODUCT_VERSION=99.99.99
-          elif [[ $BRANCH_NAME =~ hotfix || $BRANCH_NAME =~ release ]]; then
+          elif [[ "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then
             BUILD_CHANNEL=test
             PRODUCT_VERSION=${BRANCH_NAME#*/v}
           fi
-          BUILD_NUMBER=${{ github.event.inputs.build }}
 
           export PRODUCT_EDITION
-          export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}~stretch
-          export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}/${BUILD_CHANNEL}
+          export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}
           export BUILD_CHANNEL
-          export PLATFORM
           export DOCKERFILE=Dockerfile
           export PREFIX_NAME=4testing-
-          export TAG=${PRODUCT_VERSION}.${BUILD_NUMBER}
+          export TAG=${PRODUCT_VERSION}.${BUILD_NUMBER}-${{ matrix.platform }}
 
           ### ==>> Build and push images at this step ###
 
-          docker buildx bake -f docker-bake.hcl ${{ matrix.image }} --push
+          docker buildx bake --sbom=true --provenance=mode=max -f docker-bake.hcl "${IMAGE}" --push
           echo "DONE: Build success"
+
+          ### Set output for Zap scanner
+          ### NOTE: Output will be used only in release/hotfix branches
+          
+          echo "version=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
         shell: bash
+
+      # Run scanner only when edition is community 
+      # and branch hit release/ or hotfix/
+      - name: Trigger zap manualy
+        if: >-
+             matrix.edition == 'community' &&
+             matrix.platform == 'amd64' &&
+             (startsWith(steps.build-ds.outputs.branch, 'release/') ||
+              startsWith(steps.build-ds.outputs.branch, 'hotfix/'))
+        env:
+          VERSION: ${{ steps.build-ds.outputs.version }}
+          BRANCH: ${{ steps.build-ds.outputs.branch }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+            gh workflow run zap-ds.yaml \
+                 --repo "${REPO}" \
+                 -f branch="${BRANCH}" \
+                 -f version="${VERSION}"
+        shell: bash
+
+      - name: Save build result to file
+        if: always()
+        run: |
+          mkdir -p build-result
+
+          cat > build-result/info.json <<EOF
+          {
+            "status": "${{ job.status }}"
+          }
+          EOF
+
+      - name: Upload build result artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-result-${{ matrix.edition }}-${{ matrix.platform }}
+          path: build-result
+
+  make-images:
+    runs-on: ubuntu-latest
+    needs: [prepare,build]
+    if: always()
+    strategy:
+      fail-fast: false
+      matrix:
+        image: ["documentserver"]
+        edition: ${{ fromJSON(needs.prepare.outputs.editions) }}
+    steps:
+      - name: Download all build results
+        uses: actions/download-artifact@v4
+        with:
+          path: build-results
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: "Make images documentserver"
+        env:
+          EDITION: ${{ matrix.edition }}
+          BUILD_NUMBER: ${{ github.event.inputs.build }}
+          BRANCH_NAME: ${{ github.ref_name }}
+        run: |
+           case "${EDITION}" in
+             community)
+               PRODUCT_EDITION=""
+               ;;
+             enterprise)
+               PRODUCT_EDITION="-ee"
+               ;;
+             developer)
+               PRODUCT_EDITION="-de"
+               ;;
+           esac
+
+           AMD64_STATUS=$(cat ./build-results/build-result-${{ matrix.edition }}-amd64/info.json | jq -r .status)
+           ARM64_STATUS=$(cat ./build-results/build-result-${{ matrix.edition }}-arm64/info.json | jq -r .status)
+
+           echo "ARM64 status: ${ARM64_STATUS}"
+           echo "AMD64 status: ${AMD64_STATUS}"
+
+           if [ "$BRANCH_NAME" = develop ]; then
+            BUILD_CHANNEL=nightly
+            PRODUCT_VERSION=99.99.99
+           elif [[ "$BRANCH_NAME" =~ hotfix || "$BRANCH_NAME" =~ release ]]; then
+            BUILD_CHANNEL=test
+            PRODUCT_VERSION=${BRANCH_NAME#*/v}
+           fi
+
+           export TAG=${PRODUCT_VERSION}.${BUILD_NUMBER}
+
+           FROM_TAGS=()
+           PUSH_TAGS=()
+
+           check_image() {
+                local img="$1"
+                local timeout=120
+                local interval=20
+                local elapsed=0
+
+                echo "Checking for image: $img"
+
+                while (( elapsed < timeout )); do
+                  if docker manifest inspect "$img" > /dev/null 2>&1; then
+                    echo "Found image: $img"
+                    FROM_TAGS+=( "$img" )
+                    return 0
+                  fi
+
+                  echo "Image not found yet, retrying in ${interval}s..."
+                  sleep $interval
+                  elapsed=$(( elapsed + interval ))
+                done
+
+                echo "ERROR: Image not found after ${timeout}s: $img"
+                return 1
+              }
+
+           if [[ "${AMD64_STATUS}" == "success" ]]; then
+              check_image "${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}-amd64"
+           fi
+
+           if [[ "${ARM64_STATUS}" == "success" ]]; then
+              check_image "${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}-arm64"
+           fi
+
+           PUSH_TAGS=(
+               -t "${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}"
+           )
+
+           if [[ "${BUILD_CHANNEL}" == "nightly" ]]; then
+              PUSH_TAGS+=( -t "${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}:latest" )
+           fi
+
+           docker buildx imagetools create "${PUSH_TAGS[@]}" "${FROM_TAGS[@]}"

.github/workflows/cron-rebuild-trigger.yml

@@ -0,0 +1,22 @@
+---
+name: Trigger 4testing rebuild
+
+run-name: "Weekly 4testing rebuild trigger"
+
+on: 
+  schedule:
+    # Run every Saturday at 10 p.m.   
+    - cron: '00 22 * * 6'
+  
+jobs: 
+  trigger-rebuild:
+    name: "trigget-rebuild"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Rebuild 4testing manualy
+        env: 
+          GITHUB_TOKEN: ${{ secrets.TOKEN }}
+        run: |
+          gh workflow run rebuild.yml \
+              --repo ONLYOFFICE/Docker-DocumentServer \
+              -f repo=4test

.github/workflows/dockerhub-description-size.yml

@@ -0,0 +1,30 @@
+name: Check DockerHub README limit
+
+on:
+  push:
+    paths:
+      - README.md
+
+env:
+  MAX_BYTES: "25000"
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Measure size
+        id: measure
+        run: |
+          BYTES=$(wc -c < README.md | tr -d '[:space:]')
+          echo "BYTES=$BYTES" >> "$GITHUB_OUTPUT"
+
+      - name: Fail if oversize
+        run: |
+          BYTES='${{ steps.measure.outputs.BYTES }}'
+          echo "README.md size: $BYTES bytes (limit $MAX_BYTES)"
+          if [ "$BYTES" -gt "$MAX_BYTES" ]; then
+            echo "::error::README.md exceeds Docker Hub 25 KB limit"
+            exit 1
+          fi

.github/workflows/rebuild.yml

@@ -0,0 +1,224 @@
+---
+name: Rebuild Docker-Documentserver 
+
+run-name: >
+        Rebuild DocumentServer with secure updates for repo: ${{ github.event.inputs.repo }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      repo:
+        type: choice
+        description: Please, choose upload repo..
+        options:
+        - '4test'
+        - 'stable'
+
+permissions:
+  # All other permissions are set to none
+  contents: read
+  # Technically read access while waiting for images should be more than enough. However,
+  # there is a bug in GitHub Actions/Packages and in case private repositories are used, you get a permission
+  # denied error when attempting to just pull private image, changing the token permission to write solves the
+  # issue. This is not dangerous, because if it is for "ONLYOFFICE/Docker-DocumentServer", only maintainers can use ds-rebuild.yaml
+  # If it is for a fork, then the token is read-only anyway.
+  packages: read
+
+env: 
+  COMPANY_NAME: "onlyoffice"
+  PRODUCT_NAME: "documentserver" 
+  REGISTRY_URL: "https://hub.docker.com/v2/repositories"  
+
+jobs:
+  rebuild-info:
+    name: "Rebuild-info"
+    runs-on: "ubuntu-22.04"
+    env:
+      REPO_INPUTS: ${{ github.event.inputs.repo }}
+      EVENT: ${{ github.event_name }}
+    outputs: 
+      stable-versions: ${{ steps.selective-checks.outputs.stable-versions }}
+      ucs-versions: ${{ steps.selective-checks.outputs.ucs-versions }}
+      minor-tags: ${{ steps.selective-checks.outputs.minor-tags }}
+      ucs-rebuild-condition: ${{ steps.selective-checks.outputs.ucs-rebuild-condition }}
+      prefix-name: ${{ steps.selective-checks.outputs.prefix-name }}
+      repo: ${{ steps.selective-checks.outputs.repo }}
+    steps:
+      - name: Selective checks
+        id: selective-checks
+        run: |
+            set -e
+
+            REPO=${REPO_INPUTS:-"4test"}
+
+            if [ "${REPO}" == "stable" ]; then
+                 UCS_REBUILD=true
+                 UCS_VERSIONS=($(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}-ucs/tags/?page_size=100 | \
+                            jq -r '.results|.[]|.name' | grep -oxE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.1' || true))
+                 echo "ucs-versions=$(jq -c -n '$ARGS.positional' --args "${UCS_VERSIONS[@]}")" >> "$GITHUB_OUTPUT"
+            elif
+               [ "${REPO}" == "4test" ]; then 
+                 UCS_REBUILD=false
+                 PREFIX_NAME=4testing-
+            fi
+            
+            STABLE_VERSIONS=($(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}/tags/?page_size=100 | \
+                            jq -r '.results|.[]|.name' | grep -oxE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.1' || true))
+                            
+            # When rebuilding stable versions of the document server, 
+            # it is necessary to determine the version from which the 
+            # minor x.x tag will need to be pushed.        
+            
+            VERSIONS=(${STABLE_VERSIONS[@]})
+            for i in {1..10}; do
+                 if [ -z "${VERSIONS}" ]; then
+                     break
+                 else 
+                     TEMPLATE=${VERSIONS[0]%.*.*}
+                     TEMPLATE_MINOR=$(printf -- '%s\n' "${VERSIONS[@]}" | grep -o -m 1 "${VERSIONS[0]%.*.*}.[0-9].[0-9]")
+                     MINOR_TAGS+=(${TEMPLATE_MINOR%.*})
+            
+                     for v in ${MINOR_TAGS[@]}; do
+                          VERSIONS=(${VERSIONS[@]//${v%.*}.*.*})
+                     done
+                 fi
+            done
+            
+            echo "Stable releases that will be rebuilded"
+            echo "--------------------------------------"
+            echo "${STABLE_VERSIONS[@]}"
+            echo
+            echo 
+            echo "Ucs releases that will be rebuilded"
+            echo "-----------------------------------"
+            echo "${UCS_VERSIONS[@]}"
+            
+            echo "stable-versions=$(jq -c -n '$ARGS.positional' --args "${STABLE_VERSIONS[@]}")" >> "$GITHUB_OUTPUT"
+            echo "minor-tags=${MINOR_TAGS[@]}" >> "$GITHUB_OUTPUT"
+            echo "ucs-rebuild-condition=${UCS_REBUILD}" >> "$GITHUB_OUTPUT"
+            echo "prefix-name=${PREFIX_NAME}" >>  "$GITHUB_OUTPUT"
+            echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
+        shell: bash
+
+  re-build-stable:
+    name: "Rebuild stable:${{ matrix.version }} ${{ matrix.edition }}"
+    needs: [rebuild-info]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        type: ["stable"]
+        edition: ["", "-ee", "-de"]
+        version: ${{fromJSON(needs.rebuild-info.outputs.stable-versions)}}
+    steps:
+      - name: Checkout code 
+        uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2      
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+     # Determines the new build number based 
+     # on data from the hub.docker registry
+      - name: Declare release number
+        id: release-number
+        env: 
+          REBUILD_VERSION: ${{ matrix.version }}
+        run: |
+          MINOR_VERSION=${REBUILD_VERSION%.*} 
+          LAST_RELEASE=$(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}/tags/?page_size=100 \
+          | jq -r '.results|.[]|.name' | grep -Eo -m1 "${MINOR_VERSION}.[0-9]{1,}")
+          LAST_RELEASE=${LAST_RELEASE#*.*.*.}
+          echo "release-number=$((LAST_RELEASE+1))" >> "$GITHUB_OUTPUT"   
+        shell: bash  
+    #  Note: Rebuilding images with an 
+    #  extra layer to update security and 
+    #  all dependencies. Update tags got +1 to previous release.
+      - name: Re-build documentserver-stable
+        env:
+          MINOR_TAGS_ST: ${{ needs.rebuild-info.outputs.minor-tags }}
+          VERSION: ${{ matrix.version }}
+          RELEASE_NUMBER: ${{ steps.release-number.outputs.release-number }}
+          PREFIX_NAME: ${{ needs.rebuild-info.outputs.prefix-name }}
+          REPO: ${{ needs.rebuild-info.outputs.repo }}
+          PRODUCT_EDITION: ${{ matrix.edition }}
+        run: |
+            set -eux
+            export PULL_TAG=${VERSION}
+            export TAG=${VERSION%.*}.${RELEASE_NUMBER}
+            export SHORTER_TAG=${VERSION%.*}
+            export SHORTEST_TAG=${VERSION%.*.*}
+            
+            if [ "${REPO}" == "stable" ]; then
+                 MINOR_TAGS=(${MINOR_TAGS_ST})
+                 for v in ${MINOR_TAGS[@]}; do
+                     if [ "${SHORTER_TAG}" == "${v}" ]; then
+                         export PUSH_MAJOR="true"
+                     fi
+                 done
+                 if [ "${SHORTER_TAG}" == "${MINOR_TAGS[0]}" ]; then
+                     export LATEST="true"
+                 fi
+            fi
+            docker buildx bake -f docker-bake.hcl documentserver-stable-rebuild --push
+        shell: bash
+  re-build-ucs:
+    name: "Rebuild ucs: ${{ matrix.version }} ${{ matrix.edition }}"
+    if: needs.rebuild-info.outputs.ucs-rebuild-condition == 'true'
+    needs: [rebuild-info]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        type: ["ucs"]
+        edition: ["", "-ee"]
+        version: ${{fromJSON(needs.rebuild-info.outputs.ucs-versions)}}
+    steps:
+      - name: Checkout code 
+        uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+      # Determines the new build number based 
+      # on data from the hub.docker registry
+      - name: Declare release number
+        id: release-number
+        env: 
+          REBUILD_VERSION: ${{ matrix.version }}
+        run: |
+          MINOR_VERSION=${REBUILD_VERSION%.*} 
+          LAST_RELEASE=$(curl -s -H -X ${REGISTRY_URL}/${COMPANY_NAME}/${PRODUCT_NAME}/tags/?page_size=100 \
+                        | jq -r '.results|.[]|.name' | grep -Eo -m1 "${MINOR_VERSION}.[0-9]{1,}")
+          LAST_RELEASE=${LAST_RELEASE#*.*.*.}
+          echo "release-number=$((LAST_RELEASE+1))" >> "$GITHUB_OUTPUT"
+        shell: bash       
+      #  Note: Rebuilding images with an 
+      #  extra layer to update security and 
+      #  all dependencies. Update tags +1 to previous release.
+      - name: Re-build documentserver-ucs
+        env: 
+          VERSION: ${{ matrix.version }}
+          RELEASE_NUMBER: ${{ steps.release-number.outputs.release-number }}
+          PRODUCT_EDITION: ${{ matrix.edition }}
+        run: |
+            set -eux
+            export PULL_TAG=${VERSION}
+            export TAG=${VERSION%.*}.${RELEASE_NUMBER}
+            export SHORTER_TAG=${VERSION%.*}
+            export SHORTEST_TAG=${VERSION%.*.*}
+          
+            export UCS_REBUILD=true
+            export UCS_PREFIX=-ucs
+          
+            docker buildx bake -f docker-bake.hcl documentserver-stable-rebuild --push
+        shell: bash

.github/workflows/stable-build.yml

@@ -1,5 +1,6 @@
 ### This workflow setup instance then build and push images ###
 name: Multi-arch build stable
+run-name: ${{ inputs.tag }} (${{ inputs.release_number }})
 
 on:
   workflow_dispatch:
@@ -8,10 +9,23 @@ on:
         description: 'Tag for release (ex. 1.2.3.45)'
         type: string
         required: true
+      release_number:
+        description: 'Sequence number of the release (ex. x.x.x.<number>)'
+        type: string
+        required: true
+        default: '1'
+      latest:
+        description: 'Push latest tag?'
+        type: boolean
+        required: true
+        default: true
 
 env:
   COMPANY_NAME: "onlyoffice"
-  PRODUCT_NAME: "documentserver" 
+  PRODUCT_NAME: "documentserver"
+  VERSION: ${{ github.event.inputs.tag }}
+  RELEASE_NUMBER: ${{ github.event.inputs.release_number }}
+  LATEST: ${{ github.event.inputs.latest }}
 
 jobs:
   build:
@@ -24,35 +38,74 @@ jobs:
         edition: ["", "-ee", "-de"]
     steps:
       - name: Checkout code 
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Build documentserver-release
+        env:
+          TARGET: ${{ matrix.images }}
+          PRODUCT_EDITION: ${{ matrix.edition }}
         run: |
           set -eux
-          VERSION=${{ github.event.inputs.tag }}
-          PRODUCT_EDITION=${{ matrix.edition }}
           TESTING_IMAGE=${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION}
             export PRODUCT_EDITION
-            export TAG=${VERSION}
+            export PULL_TAG=${VERSION}
+            export TAG=${VERSION%.*}.${RELEASE_NUMBER}
             export SHORTER_TAG=${VERSION%.*}
             export SHORTEST_TAG=${VERSION%.*.*}
-            docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push
+            docker buildx bake --sbom=true --provenance=mode=max -f docker-bake.hcl "${TARGET}" --push
             echo "DONE: Build success >> exit with 0"
             exit 0
         shell: bash
 
+     # Disable for now
+     # Related with issue:
+     # https://github.com/peter-evans/dockerhub-description/issues/294
+     #
+     #- name: Update Docker Hub README
+     #  uses: peter-evans/dockerhub-description@v4
+     #  with:
+     #    username: ${{ secrets.DOCKER_HUB_USERNAME }}
+     #    password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+     #    repository: ${{ env.COMPANY_NAME }}/${{ env.PRODUCT_NAME }}${{ matrix.edition }}
+
+  release_4enterprise:
+    name: "Release image: onlyoffice4enterprise"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME_ENTERPRISE }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN_ENTERPRISE }}
+
+      - name: release 4enterpise
+        shell: bash
+        run: |
+          export TAG=${VERSION%.*}.${RELEASE_NUMBER}
+          docker buildx imagetools create --tag onlyoffice4enterprise/documentserver-ee:${TAG} \
+                                                onlyoffice/4testing-documentserver-ee:${VERSION}
+
   build-nonexample:
     name: "Release image: DocumentServer${{ matrix.edition }}-nonExample"
     runs-on: ubuntu-latest
@@ -65,26 +118,29 @@ jobs:
         edition: ["", "-ee", "-de"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: build image
+        env:
+          TARGET: ${{ matrix.images }}
+          PRODUCT_EDITION: ${{ matrix.edition }}
         run: |
           set -eux
-          export PRODUCT_EDITION=${{ matrix.edition }}
-          export TAG=${{ github.event.inputs.tag }}
-          docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push
+          export PULL_TAG=${VERSION%.*}.${RELEASE_NUMBER}
+          export TAG=${VERSION%.*}.${RELEASE_NUMBER}
+          docker buildx bake --sbom=true --provenance=mode=max -f docker-bake.hcl "${TARGET}" --push
         shell: bash
 
   build-ucs-ubuntu20:
@@ -94,31 +150,32 @@ jobs:
       fail-fast: false
       matrix:
         edition: ["", "-ee"]
+        platform: ["amd64"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: build UCS
+        env:
+          PACKAGE_BASEURL: ${{ secrets.REPO_BASEURL }}
+          PRODUCT_EDITION: ${{ matrix.edition }}
+          PLATFORM: linux/${{ matrix.platform }}
         run: |
            set -eux
-           export PRODUCT_EDITION=${{ matrix.edition }}
-           export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}/test
            export DOCKERFILE=Dockerfile
-           export BASE_IMAGE=ubuntu:20.04
+           export BASE_VERSION=20.04
            export PG_VERSION=12
-           export TAG=${{ github.event.inputs.tag }}
-           export PACKAGE_VERSION=$( echo ${TAG} |  sed -E 's/(.*)\./\1-/')~stretch
-           docker buildx bake -f docker-bake.hcl documentserver-ucs --push
+           export PACKAGE_SUFFIX=
+           export TAG=${VERSION%.*}.${RELEASE_NUMBER}
+           export PACKAGE_VERSION=$( echo ${VERSION} |  sed -E 's/(.*)\./\1-/')
+           docker buildx bake --sbom=true --provenance=mode=max -f docker-bake.hcl documentserver-ucs --push
         shell: bash

.github/workflows/zap-ds.yaml

@@ -0,0 +1,70 @@
+---
+name: Scanning DocumentServer with ZAP
+
+run-name: > 
+      ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Set DocumentServer version that will be deployed'
+        type: string
+        required: true
+      branch:
+        description: 'The branch from which the scan will be performed'
+        type: string
+        required: true
+jobs:
+  zap:
+    name: "Zap scanning DocumentServer"
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run DS
+        id: run-ds
+        env:
+          TAG: ${{ github.event.inputs.version }}
+        run: |
+           # Create ssl certs
+           openssl genrsa -out tls.key 2048
+           openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
+           openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
+           openssl dhparam -out dhparam.pem 2048
+           sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
+           sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
+           sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
+           sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
+           sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
+           rm ./tls.key ./tls.crt ./dhparam.pem
+
+           # Run Ds with enabled ssl
+           export CONTAINER_NAME="documentserver"
+           sudo docker run -itd \
+                           --name ${CONTAINER_NAME} \
+                           -p 80:80 \
+                           -p 443:443 \
+                           -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
+                           onlyoffice/4testing-documentserver:${TAG}
+           sleep 60
+           sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
+           LOCAL_IP=$(hostname -I | awk '{print $1}')
+           echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
+
+      # Scan DocumentServer with ZAP.
+      # NOTE: Full scan get a lot of time.
+      # If you want make scan more faster (but less accurate) remove `cmd options` field
+      # -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
+      # Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.12.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
+          allow_issue_writing: false
+          #cmd_options: '-j'

.travis.yml

@@ -32,23 +32,23 @@ env:
     SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key
 
 
+  # postgresql 16
+  - config: postgres.yml
+    POSTGRES_VERSION: 16
+
+  # postgresql 15
+  - config: postgres.yml
+    POSTGRES_VERSION: 15
+
+  # postgresql 14
+  - config: postgres.yml
+    POSTGRES_VERSION: 14
+
+  # postgresql 13
+  - config: postgres.yml
+    POSTGRES_VERSION: 13
+
   # postgresql 12
-  - config: postgres.yml
-    POSTGRES_VERSION: 12
-
-  # postgresql 11
-  - config: postgres.yml
-    POSTGRES_VERSION: 11
-
-  # postgresql 10
-  - config: postgres.yml
-    POSTGRES_VERSION: 10
-
-  # postgresql 9
-  - config: postgres.yml
-    POSTGRES_VERSION: 9
-
-  # postgresql 9.5
   - config: postgres.yml
 
   # postgresql custom values

Dockerfile

@@ -1,28 +1,49 @@
-ARG BASE_IMAGE=ubuntu:22.04
+ARG BASE_VERSION=24.04
 
-FROM ${BASE_IMAGE} as documentserver
-LABEL maintainer Ascensio System SIA <support@onlyoffice.com>
+ARG BASE_IMAGE=ubuntu:$BASE_VERSION
 
-ARG PG_VERSION=14
+FROM ${BASE_IMAGE} AS documentserver
+LABEL maintainer="Ascensio System SIA <support@onlyoffice.com>"
 
-ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=noninteractive PG_VERSION=${PG_VERSION}
+ARG BASE_VERSION
+ARG PG_VERSION=16
+ARG PACKAGE_SUFFIX=t64
+
+ENV OC_RELEASE_NUM=23
+ENV OC_RU_VER=7
+ENV OC_RU_REVISION_VER=0
+ENV OC_RESERVED_NUM=25
+ENV OC_RU_DATE=01
+ENV OC_PATH=${OC_RELEASE_NUM}${OC_RU_VER}0000
+ENV OC_FILE_SUFFIX=${OC_RELEASE_NUM}.${OC_RU_VER}.${OC_RU_REVISION_VER}.${OC_RESERVED_NUM}.${OC_RU_DATE}
+ENV OC_VER_DIR=${OC_RELEASE_NUM}_${OC_RU_VER}
+ENV OC_DOWNLOAD_URL=https://download.oracle.com/otn_software/linux/instantclient/${OC_PATH}
+
+ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=noninteractive PG_VERSION=${PG_VERSION} BASE_VERSION=${BASE_VERSION}
 
 ARG ONLYOFFICE_VALUE=onlyoffice
+COPY fonts/ /usr/share/fonts/truetype/
 
 RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
     apt-get -y update && \
     apt-get -yq install wget apt-transport-https gnupg locales lsb-release && \
+    wget -q -O /etc/apt/sources.list.d/mssql-release.list "https://packages.microsoft.com/config/ubuntu/$BASE_VERSION/prod.list" && \
+    wget -q -O /tmp/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc && \
+    apt-key add /tmp/microsoft.asc && \
+    gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg < /tmp/microsoft.asc && \
+    apt-get -y update && \
     locale-gen en_US.UTF-8 && \
     echo ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true | debconf-set-selections && \
-    apt-get -yq install \
+    ACCEPT_EULA=Y apt-get -yq install \
         adduser \
         apt-utils \
         bomstrip \
         certbot \
+        cron \
         curl \
-        gconf-service \
         htop \
-        libasound2 \
+        libaio1${PACKAGE_SUFFIX} \
+        libasound2${PACKAGE_SUFFIX} \
         libboost-regex-dev \
         libcairo2 \
         libcurl3-gnutls \
@@ -34,6 +55,7 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
         libxml2 \
         libxss1 \
         libxtst6 \
+        mssql-tools18 \
         mysql-client \
         nano \
         net-tools \
@@ -44,13 +66,16 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
         pwgen \
         rabbitmq-server \
         redis-server \
-        software-properties-common \
         sudo \
         supervisor \
         ttf-mscorefonts-installer \
+        unixodbc-dev \
+        unzip \
         xvfb \
-        zlib1g && \
-    if [  $(ls -l /usr/share/fonts/truetype/msttcorefonts | wc -l) -ne 61 ]; \
+        xxd \
+        zlib1g || dpkg --configure -a && \
+    # Added dpkg --configure -a to handle installation issues with rabbitmq-server on arm64 architecture
+    if [  $(find /usr/share/fonts/truetype/msttcorefonts -maxdepth 1 -type f -iname '*.ttf' | wc -l) -lt 30 ]; \
         then echo 'msttcorefonts failed to download'; exit 1; fi  && \
     echo "SERVER_ADDITIONAL_ERL_ARGS=\"+S 1:1\"" | tee -a /etc/rabbitmq/rabbitmq-env.conf && \
     sed -i "s/bind .*/bind 127.0.0.1/g" /etc/redis/redis.conf && \
@@ -59,6 +84,12 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
     service postgresql restart && \
     sudo -u postgres psql -c "CREATE USER $ONLYOFFICE_VALUE WITH password '$ONLYOFFICE_VALUE';" && \
     sudo -u postgres psql -c "CREATE DATABASE $ONLYOFFICE_VALUE OWNER $ONLYOFFICE_VALUE;" && \
+    wget -O basic.zip ${OC_DOWNLOAD_URL}/instantclient-basic-linux.$(dpkg --print-architecture | sed 's/amd64/x64/')-${OC_FILE_SUFFIX}.zip && \
+    wget -O sqlplus.zip ${OC_DOWNLOAD_URL}/instantclient-sqlplus-linux.$(dpkg --print-architecture | sed 's/amd64/x64/')-${OC_FILE_SUFFIX}.zip && \
+    unzip -o basic.zip -d /usr/share && \
+    unzip -o sqlplus.zip -d /usr/share && \
+    mv /usr/share/instantclient_${OC_VER_DIR} /usr/share/instantclient && \
+    find /usr/lib /lib -name "libaio.so.1$PACKAGE_SUFFIX" -exec bash -c 'ln -sf "$0" "$(dirname "$0")/libaio.so.1"' {} \; && \
     service postgresql stop && \
     service redis-server stop && \
     service rabbitmq-server stop && \
@@ -66,8 +97,10 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
     service nginx stop && \
     rm -rf /var/lib/apt/lists/*
 
-COPY config /app/ds/setup/config/
+COPY config/supervisor/supervisor /etc/init.d/
+COPY config/supervisor/ds/*.conf /etc/supervisor/conf.d/
 COPY run-document-server.sh /app/ds/run-document-server.sh
+COPY oracle/sqlplus /usr/bin/sqlplus
 
 EXPOSE 80 443
 
@@ -81,6 +114,7 @@ ARG PACKAGE_BASEURL="http://download.onlyoffice.com/install/documentserver/linux
 ENV COMPANY_NAME=$COMPANY_NAME \
     PRODUCT_NAME=$PRODUCT_NAME \
     PRODUCT_EDITION=$PRODUCT_EDITION \
+    DS_PLUGIN_INSTALLATION=false \
     DS_DOCKER_INSTALLATION=true
 
 RUN PACKAGE_FILE="${COMPANY_NAME}-${PRODUCT_NAME}${PRODUCT_EDITION}${PACKAGE_VERSION:+_$PACKAGE_VERSION}_${TARGETARCH:-$(dpkg --print-architecture)}.deb" && \
@@ -88,9 +122,18 @@ RUN PACKAGE_FILE="${COMPANY_NAME}-${PRODUCT_NAME}${PRODUCT_EDITION}${PACKAGE_VER
     apt-get -y update && \
     service postgresql start && \
     apt-get -yq install /tmp/$PACKAGE_FILE && \
+    if [ "${PRODUCT_EDITION}" != "-ee" ] && [ "${PRODUCT_EDITION}" != "-de" ]; then rm -f /etc/supervisor/conf.d/ds-adminpanel.conf && sed -i 's/,adminpanel//' /etc/supervisor/conf.d/ds.conf; fi && \
+    PGPASSWORD=$ONLYOFFICE_VALUE dropdb -h localhost -p 5432 -U $ONLYOFFICE_VALUE $ONLYOFFICE_VALUE && \
+    sudo -u postgres psql -c "DROP ROLE onlyoffice;" && \
     service postgresql stop && \
+    chmod 755 /etc/init.d/supervisor && \
+    sed "s/COMPANY_NAME/${COMPANY_NAME}/g" -i /etc/supervisor/conf.d/*.conf && \
     service supervisor stop && \
     chmod 755 /app/ds/*.sh && \
+    printf "\nGO" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/mssql/createdb.sql" && \
+    printf "\nGO" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/mssql/removetbl.sql" && \
+    printf "\nexit" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/oracle/createdb.sql" && \
+    printf "\nexit" >> "/var/www/$COMPANY_NAME/documentserver/server/schema/oracle/removetbl.sql" && \
     rm -f /tmp/$PACKAGE_FILE && \
     rm -rf /var/log/$COMPANY_NAME && \
     rm -rf /var/lib/apt/lists/*

Makefile

@@ -8,11 +8,10 @@ BUILD_CHANNEL ?= nightly
 ONLYOFFICE_VALUE ?= onlyoffice
 
 COMPANY_NAME_LOW = $(shell echo $(COMPANY_NAME) | tr A-Z a-z)
-COMPANY_NAME_ESC = $(subst -,,$(COMPANY_NAME_LOW))
 
 PACKAGE_NAME := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)$(PRODUCT_EDITION)
 PACKAGE_VERSION ?= $(PRODUCT_VERSION)-$(BUILD_NUMBER)~stretch
-PACKAGE_BASEURL ?= https://s3.eu-west-1.amazonaws.com/repo-doc-onlyoffice-com/server/linux/debian/$(BUILD_CHANNEL)
+PACKAGE_BASEURL ?= https://s3.eu-west-1.amazonaws.com/repo-doc-onlyoffice-com/server/linux/debian
 
 ifeq ($(BUILD_CHANNEL),$(filter $(BUILD_CHANNEL),nightly test))
 	DOCKER_TAG := $(PRODUCT_VERSION).$(BUILD_NUMBER)
@@ -20,7 +19,8 @@ else
 	DOCKER_TAG := $(PRODUCT_VERSION).$(BUILD_NUMBER)-$(subst /,-,$(GIT_BRANCH))
 endif
 
-DOCKER_IMAGE := $(COMPANY_NAME_ESC)/4testing-$(PRODUCT_NAME)$(PRODUCT_EDITION)
+DOCKER_ORG ?= $(COMPANY_NAME_LOW)
+DOCKER_IMAGE := $(DOCKER_ORG)/4testing-$(PRODUCT_NAME)$(PRODUCT_EDITION)
 DOCKER_DUMMY := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)$(PRODUCT_EDITION)__$(DOCKER_TAG).dummy
 DOCKER_ARCH := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)_$(DOCKER_TAG).tar.gz
 

README.md

@@ -6,11 +6,14 @@
     - [Storing Data](#storing-data)
     - [Running ONLYOFFICE Document Server on Different Port](#running-onlyoffice-document-server-on-different-port)
     - [Running ONLYOFFICE Document Server using HTTPS](#running-onlyoffice-document-server-using-https)
+        + [Using the automatically generated Let's Encrypt SSL Certificates](#using-the-automatically-generated-lets-encrypt-ssl-certificates)
         + [Generation of Self Signed Certificates](#generation-of-self-signed-certificates)
         + [Strengthening the Server Security](#strengthening-the-server-security)
         + [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)
         + [Available Configuration Parameters](#available-configuration-parameters)
-* [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers)
+* [Installing ONLYOFFICE Document Server using Docker Compose](#installing-onlyoffice-document-server-using-docker-compose)
+* [Installing ONLYOFFICE Document Server as a part of ONLYOFFICE Workspace](#installing-onlyoffice-document-server-as-a-part-of-onlyoffice-workspace)
+* [ONLYOFFICE Document Server ipv6 setup](#onlyoffice-document-server-ipv6-setup)
 * [Issues](#issues)
     - [Docker Issues](#docker-issues)
     - [Document Server usage Issues](#document-server-usage-issues)
@@ -19,28 +22,34 @@
 
 ## Overview
 
-ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
+ONLYOFFICE Docs (Document Server) is an open-source office suite that comprises all the tools you need to work with documents, spreadsheets, presentations, PDFs, and PDF forms. The suite supports office files of all popular formats (DOCX, ODT, XLSX, ODS, CSV, PPTX, ODP, etc.) and enables collaborative editing in real time.
 
-Starting from version 6.0, Document Server is distributed as ONLYOFFICE Docs. It has [three editions](https://github.com/ONLYOFFICE/DocumentServer#onlyoffice-document-server-editions). With this image, you will install the free Community version. 
+Starting from version 6.0, Document Server is distributed as ONLYOFFICE Docs. It has [three editions](https://github.com/ONLYOFFICE/DocumentServer#onlyoffice-docs-editions). With this image, you will install the free Community version. 
 
-ONLYOFFICE Docs can be used as a part of ONLYOFFICE Workspace or with third-party sync&share solutions (e.g. Nextcloud, ownCloud, Seafile) to enable collaborative editing within their interface.
+ONLYOFFICE Docs can be used as a part of [ONLYOFFICE DocSpace](https://www.onlyoffice.com/docspace.aspx) and ONLYOFFICE Workspace, or with [third-party sync&share solutions](https://www.onlyoffice.com/all-connectors.aspx) (e.g. Odoo, Moodle, Nextcloud, ownCloud, Seafile, etc.) to enable collaborative editing within their interface.
 
-***Important*** Please update `docker-enginge` to latest version (`20.10.21` as of writing this doc) before using it. We use `ubuntu:22.04` as base image and it older versions of docker have compatibility problems with it
+***Important*** Please update `docker-engine` to latest version (`20.10.21` as of writing this doc) before using it. We use `ubuntu:24.04` as base image and older versions of docker have compatibility problems with it
 
 ## Functionality ##
-* ONLYOFFICE Document Editor
-* ONLYOFFICE Spreadsheet Editor
-* ONLYOFFICE Presentation Editor
-* ONLYOFFICE Documents application for iOS
-* Collaborative editing
-* Hieroglyph support
-* Support for all the popular formats: DOC, DOCX, TXT, ODT, RTF, ODP, EPUB, ODS, XLS, XLSX, CSV, PPTX, HTML
 
-Integrating it with ONLYOFFICE Community Server you will be able to:
-* view and edit files stored on Drive, Box, Dropbox, OneDrive, OwnCloud connected to ONLYOFFICE;
-* share files;
-* embed documents on a website;
-* manage access rights to documents.
+Take advantage of the powerful editors included in ONLYOFFICE Docs:
+
+* [ONLYOFFICE Document Editor](https://www.onlyoffice.com/document-editor.aspx)
+* [ONLYOFFICE Spreadsheet Editor](https://www.onlyoffice.com/spreadsheet-editor.aspx)
+* [ONLYOFFICE Presentation Editor](https://www.onlyoffice.com/presentation-editor.aspx)
+* [ONLYOFFICE Form Creator](https://www.onlyoffice.com/form-creator.aspx)
+* [ONLYOFFICE PDF Editor](https://www.onlyoffice.com/pdf-editor.aspx)
+* [ONLYOFFICE Diagram Viewer](https://www.onlyoffice.com/diagram-viewer.aspx) 
+
+The editors empower you to create, edit, save, and export text docs, sheets, presentations, PDFs, create and fill out PDF forms, open diagrams, all while offering additional advanced features such as:
+
+* Collaborative editing (review & track changes, comments, chat)
+* [AI-powered assistants](https://www.onlyoffice.com/ai-assistants.aspx) 
+* Spell-checking 
+* Scalable UI options (including dark mode)
+* [Security tools & services](https://www.onlyoffice.com/security.aspx)
+
+ONLYOFFICE Docs offer support for plugins allowing you to add specific features to the editors that are not directly related to the OOXML format. For more details, see [our API](https://api.onlyoffice.com/docs/plugin-and-macros/get-started/overview/) or visit the [plugins repo](https://github.com/ONLYOFFICE/onlyoffice.github.io). Would like to explore the existing plugins? Open the [Marketplace](https://www.onlyoffice.com/app-directory).
 
 ## Recommended System Requirements
 
@@ -48,7 +57,7 @@ Integrating it with ONLYOFFICE Community Server you will be able to:
 * **CPU**: dual-core 2 GHz or higher
 * **Swap**: at least 2 GB
 * **HDD**: at least 2 GB of free space
-* **Distribution**: 64-bit Red Hat, CentOS or other compatible distributive with kernel version 3.8 or later, 64-bit Debian, Ubuntu or other compatible distributive with kernel version 3.8 or later
+* **Distribution**: 64-bit Red Hat, CentOS or other compatible distribution with kernel version 3.8 or later, 64-bit Debian, Ubuntu or other compatible distribution with kernel version 3.8 or later
 * **Docker**: version 1.9.0 or later
 
 ## Running Docker Image
@@ -93,7 +102,7 @@ To change the port, use the -p command. E.g.: to make your portal accessible via
         sudo docker run -i -t -d -p 443:443 \
         -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data  onlyoffice/documentserver
 
-Access to the onlyoffice application can be secured using SSL so as to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. Below the instructions on achieving this are provided.
+Access to the ONLYOFFICE application can be secured using SSL so as to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. Below the instructions on achieving this are provided.
 
 To secure the application via SSL basically two things are needed:
 
@@ -105,7 +114,7 @@ So you need to create and install the following files:
         /app/onlyoffice/DocumentServer/data/certs/tls.key
         /app/onlyoffice/DocumentServer/data/certs/tls.crt
 
-When using CA certified certificates (e.g [Let's encrypt](https://letsencrypt.org)), these files are provided to you by the CA. If you are using self-signed certificates you need to generate these files [yourself](#generation-of-self-signed-certificates).
+When using CA certified certificates (e.g. [Let's Encrypt](https://letsencrypt.org)), these files are provided to you by the CA. If you are using self-signed certificates you need to generate these files [yourself](#generation-of-self-signed-certificates).
 
 #### Using the automatically generated Let's Encrypt SSL Certificates
 
@@ -149,9 +158,9 @@ openssl dhparam -out dhparam.pem 2048
 
 #### Installation of the SSL Certificates
 
-Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
+Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the ONLYOFFICE server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
 
-The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
+The default path that the ONLYOFFICE application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
 
 The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner.
 
@@ -172,42 +181,77 @@ You are now just one step away from having our application secured.
 Below is the complete list of parameters that can be set using environment variables.
 
 - **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
-- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
+- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the ONLYOFFICE nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
 - **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`.
 - **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`.
 - **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
 - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
-- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.
+- **NODE_EXTRA_CA_CERTS**: The [NODE_EXTRA_CA_CERTS](https://nodejs.org/api/cli.html#node_extra_ca_certsfile "Node.js documentation") to extend CAs with the extra certificates for Node.js. Defaults to `/var/www/onlyoffice/Data/certs/extra-ca-certs.pem`.
+- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb`, `mysql`, `mssql` or `oracle`. Defaults to `postgres`.
 - **DB_HOST**: The IP address or the name of the host where the database server is running.
 - **DB_PORT**: The database server port number.
 - **DB_NAME**: The name of a database to use. Should be existing on container startup.
 - **DB_USER**: The new user name with superuser permissions for the database account.
 - **DB_PWD**: The password set for the database account.
+- **DB_SCHEMA**: Database schema name (optional).  
+  - **PostgreSQL** — schema for [search_path](https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATH), default `public`.  
+  - **MSSQL** — schema to set as [DEFAULT_SCHEMA](https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-user-transact-sql?view=sql-server-ver17#default_schema---schema_name--null-), default `dbo`.  
 - **AMQP_URI**: The [AMQP URI](https://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server.
 - **AMQP_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
+- **RABBIT_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened to the RabbitMQ message broker. Defaults to the soft limit from `ulimit -n`.
 - **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
 - **REDIS_SERVER_PORT**:  The Redis server port number.
+- **REDIS_SERVER_USER**: The Redis server username. The username is not set by default.
 - **REDIS_SERVER_PASS**: The Redis server password. The password is not set by default.
+- **REDIS_SERVER_DB**: The Redis database index number to select. Defaults to `0`.  
 - **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
-- **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
-- **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
+- **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process. Defaults to the soft limit from `ulimit -n`.
+- **NGINX_ACCESS_LOG**: Defines whether access logging is enabled. Defaults to `false`.
+- **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](https://nginx.org/en/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
 - **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `true`.
 - **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to random value.
 - **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`.
 - **JWT_IN_BODY**: Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to `false`.
 - **WOPI_ENABLED**: Specifies the enabling the wopi handlers. Defaults to `false`.
-- **USE_UNAUTHORIZED_STORAGE**: Set to `true`if using selfsigned certificates for your storage server e.g. Nextcloud. Defaults to `false`
+- **ALLOW_META_IP_ADDRESS**: Defines if it is allowed to connect meta IP address or not. Defaults to `false`.
+- **ALLOW_PRIVATE_IP_ADDRESS**: Defines if it is allowed to connect private IP address or not. Defaults to `false`.
+- **USE_UNAUTHORIZED_STORAGE**: Set to `true` if using self-signed certificates for your storage server e.g. Nextcloud. Defaults to `false`
 - **GENERATE_FONTS**: When 'true' regenerates fonts list and the fonts thumbnails etc. at each start. Defaults to `true`
+- **ADMINPANEL_ENABLED**: Enables admin panel service autostart. Defaults to `false`.
+- **EXAMPLE_ENABLED**: Enables example service autostart. Defaults to `false`.
 - **METRICS_ENABLED**: Specifies the enabling StatsD for ONLYOFFICE Document Server. Defaults to `false`.
 - **METRICS_HOST**: Defines StatsD listening host. Defaults to `localhost`.
 - **METRICS_PORT**: Defines StatsD listening port. Defaults to `8125`.
 - **METRICS_PREFIX**: Defines StatsD metrics prefix for backend services. Defaults to `ds.`.
 - **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
-- **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
+- **LETS_ENCRYPT_MAIL**: Defines the domain administrator mail address for Let's Encrypt certificate.
+- **PLUGINS_ENABLED**: Defines whether to enable default plugins. Defaults to `true`.
 
-## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
+## Installing ONLYOFFICE Document Server using Docker Compose
 
-ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:
+You can also install ONLYOFFICE Document Server using [docker-compose](https://docs.docker.com/compose/install "docker-compose"). 
+
+First you need to clone this [GitHub repository](https://github.com/ONLYOFFICE/Docker-DocumentServer/):
+
+```bash
+git clone https://github.com/ONLYOFFICE/Docker-DocumentServer
+```
+
+After that switch to the repository folder:
+
+```bash
+cd Docker-DocumentServer
+```
+
+After that, assuming you have docker-compose installed, execute the following command:
+
+```bash
+docker-compose up -d
+```
+
+## Installing ONLYOFFICE Document Server as a part of ONLYOFFICE Workspace
+
+ONLYOFFICE Document Server is a part of ONLYOFFICE Workspace that comprises also Community Server, Mail Server, and Control Panel. To install them, follow these easy steps:
 
 **STEP 1**: Create the `onlyoffice` network.
 
@@ -218,7 +262,7 @@ Then launch containers on it using the 'docker run --net onlyoffice' option:
 
 **STEP 2**: Install MySQL.
 
-Follow [these steps](#installing-mysql) to install MySQL server.
+Install MySQL server. You can find MySQL installation instructions in the [official MySQL documentation](https://dev.mysql.com/doc/).
 
 **STEP 3**: Generate JWT Secret
 
@@ -283,8 +327,9 @@ sudo docker run --net onlyoffice -i -t -d --privileged --restart=always --name o
  -e MAIL_SERVER_DB_NAME=onlyoffice_mailserver \
  -e MAIL_SERVER_DB_PORT=3306 \
  -e MAIL_SERVER_DB_USER=root \
- -e MAIL_SERVER_DB_PASS=my-secret-pw \
- 
+ -e MAIL_SERVER_DB_PASS=my-secret-pw \ 
+ -e CONTROL_PANEL_PORT_80_TCP=80 \
+ -e CONTROL_PANEL_PORT_80_TCP_ADDR=onlyoffice-control-panel \
  -v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
  -v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
  -v /app/onlyoffice/CommunityServer/letsencrypt:/etc/letsencrypt \
@@ -297,34 +342,58 @@ Where `${MAIL_SERVER_IP}` is the IP address for **ONLYOFFICE Mail Server**. You
 MAIL_SERVER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' onlyoffice-mail-server)
 ```
 
-Alternatively, you can use an automatic installation script to install the whole ONLYOFFICE Community Edition at once. For the mail server correct work you need to specify its hostname 'yourdomain.com'.
+Alternatively, you can use an automatic installation script to install ONLYOFFICE Workspace at once. For the mail server correct work you need to specify its hostname 'yourdomain.com'.
 
-**STEP 1**: Download the Community Edition Docker script file
+**STEP 1**: Download the ONLYOFFICE Workspace Docker script file
 
 ```bash
-wget https://download.onlyoffice.com/install/opensource-install.sh
+wget https://download.onlyoffice.com/install/workspace-install.sh
 ```
 
-**STEP 2**: Install ONLYOFFICE Community Edition executing the following command:
+**STEP 2**: Install ONLYOFFICE Workspace executing the following command:
 
 ```bash
-bash opensource-install.sh -md yourdomain.com
+bash workspace-install.sh -md yourdomain.com
 ```
 
-Or, use [docker-compose](https://docs.docker.com/compose/install "docker-compose"). For the mail server correct work you need to specify its hostname 'yourdomain.com'. Assuming you have docker-compose installed, execute the following command:
+Or, use [docker-compose](https://docs.docker.com/compose/install "docker-compose"). First you need to clone this [GitHub repository](https://github.com/ONLYOFFICE/Docker-CommunityServer/):
 
 ```bash
 wget https://raw.githubusercontent.com/ONLYOFFICE/Docker-CommunityServer/master/docker-compose.groups.yml
-docker-compose up -d
+docker-compose -f docker-compose.groups.yml up -d
 ```
 
+## ONLYOFFICE Document Server ipv6 setup
+
+(Works and is supported only for Linux hosts)
+
+Docker does not currently provide ipv6 addresses to containers by default. This function is experimental now.
+
+To set up interaction via ipv6, you need to enable support for this feature in your Docker. For this you need:
+- create the `/etc/docker/daemon.json` file with the following content:
+
+```
+{
+"ipv6": true,
+"fixed-cidr-v6": "2001:db8:abc1::/64"
+}
+```
+- restart docker with the following command: `systemctl restart docker`
+
+After that, all running containers receive an ipv6 address and have an inet6 interface.
+
+You can check your default bridge network and see the field there
+`EnableIPv6=true`. A new ipv6 subnet will also be added.
+
+For more information, visit the official [Docker manual site](https://docs.docker.com/config/daemon/ipv6/)
+
 ## Issues
 
 ### Docker Issues
 
 As a relatively new project Docker is being worked on and actively developed by its community. So it's recommended to use the latest version of Docker, because the issues that you encounter might have already been fixed with a newer Docker release.
 
-The known Docker issue with ONLYOFFICE Document Server with rpm-based distributives is that sometimes the processes fail to start inside Docker container. Fedora and RHEL/CentOS users should try disabling selinux with setenforce 0. If it fixes the issue then you can either stick with SELinux disabled which is not recommended by RedHat, or switch to using Ubuntu.
+The known Docker issue with ONLYOFFICE Document Server with rpm-based distributives is that sometimes the processes fail to start inside Docker container. Fedora and RHEL/CentOS users should try disabling SELinux with setenforce 0. If it fixes the issue then you can either stick with SELinux disabled which is not recommended by Red Hat, or switch to using Ubuntu.
 
 ### Document Server usage issues
 
@@ -338,21 +407,23 @@ Please note, that both executing the script and disconnecting users may take a l
 
 ## Project Information
 
-Official website: [https://www.onlyoffice.com](https://www.onlyoffice.com/?utm_source=github&utm_medium=cpc&utm_campaign=GitHubDockerDS)
+Official website: [www.onlyoffice.com](https://www.onlyoffice.com/?utm_source=github&utm_medium=cpc&utm_campaign=GitHubDockerDS)
 
-Code repository: [https://github.com/ONLYOFFICE/DocumentServer](https://github.com/ONLYOFFICE/DocumentServer "https://github.com/ONLYOFFICE/DocumentServer")
+Code repository: [github.com/ONLYOFFICE/DocumentServer](https://github.com/ONLYOFFICE/DocumentServer "https://github.com/ONLYOFFICE/DocumentServer")
 
-Docker Image: [https://github.com/ONLYOFFICE/Docker-DocumentServer](https://github.com/ONLYOFFICE/Docker-DocumentServer "https://github.com/ONLYOFFICE/Docker-DocumentServer")
+Docker Image: [github.com/ONLYOFFICE/Docker-DocumentServer](https://github.com/ONLYOFFICE/Docker-DocumentServer "https://github.com/ONLYOFFICE/Docker-DocumentServer")
 
-License: [GNU AGPL v3.0](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=4358397&doc=K0ZUdlVuQzQ0RFhhMzhZRVN4ZFIvaHlhUjN2eS9XMXpKR1M5WEppUk1Gcz0_IjQzNTgzOTci0 "GNU AGPL v3.0")
+License: [GNU AGPL v3.0](https://onlyo.co/38YZGJh)
 
-Free version vs commercial builds comparison: https://github.com/ONLYOFFICE/DocumentServer#onlyoffice-document-server-editions
-
-SaaS version: [https://www.onlyoffice.com/cloud-office.aspx](https://www.onlyoffice.com/cloud-office.aspx?utm_source=github&utm_medium=cpc&utm_campaign=GitHubDockerDS)
+Free version vs commercial builds comparison: https://github.com/ONLYOFFICE/DocumentServer#onlyoffice-docs-editions
 
 ## User Feedback and Support
 
-If you have any problems with or questions about this image, please visit our official forum to find answers to your questions: [forum.onlyoffice.com][1] or you can ask and answer ONLYOFFICE development questions on [Stack Overflow][2].
+If you face any issues or have questions about this image, visit our official forum: [forum.onlyoffice.com][1].
+
+You are also welcome to ask and answer ONLYOFFICE development questions on [Stack Overflow][2], as well as share your suggestions on [feedback.onlyoffice.com](https://feedback.onlyoffice.com/forums/966080-your-voice-matters).
+
+Join [our Discord community](https://discord.gg/Hcgtf5n4uF) for connecting with fellow developers.
 
   [1]: https://forum.onlyoffice.com
-  [2]: https://stackoverflow.com/questions/tagged/onlyoffice
+  [2]: https://stackoverflow.com/questions/tagged/onlyoffice

cluster.yml

@@ -1,108 +0,0 @@
-version: '2.1'
-
-x-ds-image:
-  &ds-image
-  ${COMPANY_NAME:-onlyoffice}/${PRODUCT_NAME:-documentserver-de}:${PRODUCT_VERSION:-latest}
-
-services:
-  onlyoffice-documentserver-data:  
-    container_name: onlyoffice-documentserver-data
-    image: *ds-image
-    environment:
-      - ONLYOFFICE_DATA_CONTAINER=true
-      - DB_HOST=onlyoffice-postgresql
-      - DB_PORT=5432
-      - DB_NAME=onlyoffice
-      - DB_USER=onlyoffice
-      - AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
-      - REDIS_SERVER_HOST=onlyoffice-redis
-      - REDIS_SERVER_PORT=6379
-      # Uncomment strings below to enable the JSON Web Token validation.
-      #- JWT_ENABLED=true
-      #- JWT_SECRET=secret
-      #- JWT_HEADER=Authorization
-      #- JWT_IN_BODY=true
-    stdin_open: true
-    restart: always
-    volumes:
-       - /etc/onlyoffice
-       - /var/www/onlyoffice/Data
-       - /var/log/onlyoffice
-       - /var/lib/onlyoffice/documentserver/App_Data/cache/files
-       - /var/www/onlyoffice/documentserver-example/public/files
-       - /usr/share/fonts
-       
-  onlyoffice-documentserver:
-    image: *ds-image
-    depends_on:
-      - onlyoffice-documentserver-data
-      - onlyoffice-postgresql
-      - onlyoffice-redis
-      - onlyoffice-rabbitmq
-    environment:
-      - ONLYOFFICE_DATA_CONTAINER_HOST=onlyoffice-documentserver-data
-      - BALANCE=uri depth 3
-      - EXCLUDE_PORTS=443
-      - HTTP_CHECK=GET /healthcheck
-      - EXTRA_SETTINGS=http-check expect string true
-      # Uncomment the string below to redirect HTTP request to HTTPS request.
-      #- FORCE_SSL=true
-    stdin_open: true
-    restart: always
-    expose:
-      - '80'
-    volumes_from:
-     - onlyoffice-documentserver-data
-
-  onlyoffice-haproxy:
-    container_name: onlyoffice-haproxy
-    image: dockercloud/haproxy:1.5.1
-    depends_on:
-      - onlyoffice-documentserver
-    environment:
-      - MODE=http
-      # Uncomment the string below to specify the path of ssl certificates
-      #- CERT_FOLDER=/certs/
-    stdin_open: true
-    links:
-     - onlyoffice-documentserver
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      # Uncomment the string below to map a ssl certificate from host
-      # to the proxy container
-      #- /app/onlyoffice/DocumentServer/data/certs/onlyoffice.pem:/certs/cert1.pem
-    restart: always
-    ports:
-      - '80:80'
-      - '443:443'
-      - '1936:1936'
-       
-  onlyoffice-redis:
-    container_name: onlyoffice-redis
-    image: redis
-    restart: always
-    expose:
-      - '6379'
-
-  onlyoffice-rabbitmq:
-    container_name: onlyoffice-rabbitmq
-    image: rabbitmq
-    restart: always
-    expose:
-      - '5672'
-
-  onlyoffice-postgresql:
-    container_name: onlyoffice-postgresql
-    image: postgres:9.5
-    environment:
-      - POSTGRES_DB=onlyoffice
-      - POSTGRES_USER=onlyoffice
-      - POSTGRES_HOST_AUTH_METHOD=trust
-    restart: always
-    expose:
-      - '5432'
-    volumes:
-      - postgresql_data:/var/lib/postgresql
-
-volumes:
-  postgresql_data:

config/supervisor/ds/ds-adminpanel.conf

@@ -0,0 +1,13 @@
+[program:adminpanel]
+command=/var/www/COMPANY_NAME/documentserver/server/AdminPanel/server/adminpanel
+directory=/var/www/COMPANY_NAME/documentserver/server/AdminPanel
+user=ds
+environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1,APPLICATION_NAME=COMPANY_NAME
+stdout_logfile=/var/log/COMPANY_NAME/documentserver/adminpanel/out.log
+stdout_logfile_backups=0
+stdout_logfile_maxbytes=0
+stderr_logfile=/var/log/COMPANY_NAME/documentserver/adminpanel/err.log
+stderr_logfile_backups=0
+stderr_logfile_maxbytes=0
+autostart=false
+autorestart=false

config/supervisor/ds/ds-converter.conf

@@ -2,7 +2,7 @@
 command=/var/www/COMPANY_NAME/documentserver/server/FileConverter/converter
 directory=/var/www/COMPANY_NAME/documentserver/server/FileConverter
 user=ds
-environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1,APPLICATION_NAME=COMPANY_NAME
+environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1,APPLICATION_NAME=COMPANY_NAME,LD_LIBRARY_PATH=/var/www/COMPANY_NAME/documentserver/server/FileConverter/bin
 stdout_logfile=/var/log/COMPANY_NAME/documentserver/converter/out.log
 stdout_logfile_backups=0
 stdout_logfile_maxbytes=0

config/supervisor/ds/ds-docservice.conf

@@ -2,7 +2,7 @@
 command=/var/www/COMPANY_NAME/documentserver/server/DocService/docservice
 directory=/var/www/COMPANY_NAME/documentserver/server/DocService
 user=ds
-environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1
+environment=NODE_ENV=production-linux,NODE_CONFIG_DIR=/etc/COMPANY_NAME/documentserver,NODE_DISABLE_COLORS=1,PKG_NATIVE_CACHE_PATH=/tmp/.cache,APPLICATION_NAME=COMPANY_NAME
 stdout_logfile=/var/log/COMPANY_NAME/documentserver/docservice/out.log
 stdout_logfile_backups=0
 stdout_logfile_maxbytes=0

config/supervisor/ds/ds-metrics.conf

@@ -9,5 +9,5 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/var/log/COMPANY_NAME/documentserver/metrics/err.log
 stderr_logfile_backups=0
 stderr_logfile_maxbytes=0
-autostart=true
-autorestart=true
+autostart=false
+autorestart=false

config/supervisor/ds/ds.conf

@@ -1,2 +1,2 @@
 [group:ds]
-programs=docservice,converter,metrics,example
+programs=docservice,converter,metrics,example,adminpanel

config/supervisor/supervisord.conf

@@ -1,27 +0,0 @@
-; supervisor config file
-
-[inet_http_server]
-port = 127.0.0.1:9001
-
-[supervisord]
-logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
-
-; the below section must remain in the config file for RPC
-; (supervisorctl/web interface) to work, additional interfaces may be
-; added by defining them in separate rpcinterface: sections
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl = http://localhost:9001 ; use a unix:// URL  for a unix socket
-
-; The [include] section can just contain the "files" setting.  This
-; setting can list multiple files (separated by whitespace or
-; newlines).  It can also contain wildcards.  The filenames are
-; interpreted as relative to this file.  Included files *cannot*
-; include files themselves.
-
-[include]
-files = /etc/supervisor/conf.d/*.conf

docker-bake.hcl

@@ -10,6 +10,10 @@ variable "SHORTEST_TAG" {
     default = ""
 }
 
+variable "PULL_TAG" {
+    default = ""
+}
+
 variable "COMPANY_NAME" {
     default = ""
 }
@@ -50,9 +54,21 @@ variable "BUILD_CHANNEL" {
     default = ""
 }
 
+variable "PUSH_MAJOR" {
+    default = "false"
+}
+
+variable "LATEST" {
+    default = "false"
+}
+
 ### ↓ Variables for UCS build ↓
 
-variable "BASE_IMAGE" {
+variable "BASE_VERSION" {
+    default     = ""
+}
+
+variable "PACKAGE_SUFFIX" {
     default     = ""
 }
 
@@ -60,14 +76,21 @@ variable "PG_VERSION" {
     default     = ""
 }
 
+variable "UCS_REBUILD" {
+    default = ""
+}
+
+variable "UCS_PREFIX" {
+    default = ""
+}
+
 ### ↑ Variables for UCS build ↑
 
 target "documentserver" {
     target = "documentserver"
     dockerfile = "${DOCKERFILE}"
     tags = [
-           "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}",
-           equal("nightly",BUILD_CHANNEL) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest": "",
+           "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}"
            ]
     platforms = ["${PLATFORM}"]
     args = {
@@ -86,11 +109,10 @@ target "documentserver-stable" {
     tags = ["docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}",
             "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTER_TAG}",
             "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTEST_TAG}",
-            "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest",
-            equal("-ee",PRODUCT_EDITION) ? "docker.io/${COMPANY_NAME}4enterprise/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}": "",]
+            equal("true",LATEST) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest": "",]
     platforms = ["linux/amd64", "linux/arm64"]
     args = {
-        "TAG": "${TAG}"
+        "PULL_TAG": "${PULL_TAG}"
         "COMPANY_NAME": "${COMPANY_NAME}"
         "PRODUCT_NAME": "${PRODUCT_NAME}"
         "PRODUCT_EDITION": "${PRODUCT_EDITION}"
@@ -103,14 +125,15 @@ target "documentserver-ucs" {
     tags = [
            "docker.io/${COMPANY_NAME}/${PRODUCT_NAME}${PRODUCT_EDITION}-ucs:${TAG}"
            ]
-    platforms = ["linux/amd64", "linux/arm64"]
+    platforms = ["${PLATFORM}"]
     args = {
         "PRODUCT_EDITION": "${PRODUCT_EDITION}"
         "PRODUCT_NAME": "${PRODUCT_NAME}"
         "COMPANY_NAME": "${COMPANY_NAME}"
         "PACKAGE_VERSION": "${PACKAGE_VERSION}"
         "PACKAGE_BASEURL": "${PACKAGE_BASEURL}"
-        "BASE_IMAGE": "${BASE_IMAGE}"
+        "PACKAGE_SUFFIX": "${PACKAGE_SUFFIX}"
+        "BASE_VERSION": "${BASE_VERSION}"
         "PG_VERSION": "${PG_VERSION}"
     }
 }
@@ -121,9 +144,29 @@ target "documentserver-nonexample" {
     tags = [ "docker.io/${COMPANY_NAME}/${PRODUCT_NAME}${PREFIX_NAME}${PRODUCT_EDITION}:${TAG}-nonexample" ]
     platforms = ["linux/amd64", "linux/arm64"]
     args = {
-        "TAG": "${TAG}"
+        "PULL_TAG": "${PULL_TAG}"
         "COMPANY_NAME": "${COMPANY_NAME}"
         "PRODUCT_NAME": "${PRODUCT_NAME}"
         "PRODUCT_EDITION": "${PRODUCT_EDITION}"
     } 
 }
+
+target "documentserver-stable-rebuild" {
+    target = "documentserver-stable-rebuild"
+    dockerfile = "production.dockerfile"
+    tags = equal("true",UCS_REBUILD) ? ["docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}-ucs:${TAG}",] : [
+                                        "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}",
+                equal("",PREFIX_NAME) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTER_TAG}": "",
+             equal("true",PUSH_MAJOR) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${SHORTEST_TAG}": "",
+                equal("",PREFIX_NAME) && equal("true",LATEST) ? "docker.io/${COMPANY_NAME}/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:latest": "",
+         equal("-ee",PRODUCT_EDITION) && equal("",PREFIX_NAME) ? "docker.io/${COMPANY_NAME}4enterprise/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}": "",
+                                 ]
+    platforms = ["linux/amd64", "linux/arm64"]
+    args = {
+        "UCS_PREFIX": "${UCS_PREFIX}"
+        "PULL_TAG": "${PULL_TAG}"
+        "COMPANY_NAME": "${COMPANY_NAME}"
+        "PRODUCT_NAME": "${PRODUCT_NAME}"
+        "PRODUCT_EDITION": "${PRODUCT_EDITION}"
+    }
+}

docker-compose.yml

@@ -1,8 +1,8 @@
-version: '2'
 services:
   onlyoffice-documentserver:
     build:
       context: .
+    image: onlyoffice/documentserver #[-de,-ee]
     container_name: onlyoffice-documentserver
     depends_on:
       - onlyoffice-postgresql
@@ -22,6 +22,12 @@ services:
     ports:
       - '80:80'
       - '443:443'
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/info/info.json"]
+      interval: 30s
+      retries: 5
+      start_period: 60s
+      timeout: 10s
     stdin_open: true
     restart: always
     stop_grace_period: 60s
@@ -34,14 +40,20 @@ services:
        
   onlyoffice-rabbitmq:
     container_name: onlyoffice-rabbitmq
-    image: rabbitmq
+    image: rabbitmq:3
     restart: always
     expose:
       - '5672'
+    healthcheck:
+      test: ["CMD", "rabbitmq-diagnostics", "status"]
+      interval: 10s
+      retries: 3
+      start_period: 10s
+      timeout: 10s
 
   onlyoffice-postgresql:
     container_name: onlyoffice-postgresql
-    image: postgres:9.5
+    image: postgres:15
     environment:
       - POSTGRES_DB=onlyoffice
       - POSTGRES_USER=onlyoffice
@@ -51,6 +63,12 @@ services:
       - '5432'
     volumes:
       - postgresql_data:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U onlyoffice"]
+      interval: 10s
+      retries: 3
+      start_period: 10s
+      timeout: 10s
 
 volumes:
   postgresql_data:

oracle/sqlplus

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+CLIENTDIR=/usr/share/instantclient
+export LD_LIBRARY_PATH=$CLIENTDIR
+$CLIENTDIR/sqlplus $@
+

production.dockerfile

@@ -1,15 +1,24 @@
 ### Arguments avavlivable only for FROM instruction ### 
-ARG TAG=latest
+ARG PULL_TAG=latest
 ARG COMPANY_NAME=onlyoffice
 ARG PRODUCT_EDITION=
+### Rebuild arguments
+ARG UCS_PREFIX=
+ARG IMAGE=${COMPANY_NAME}/documentserver${PRODUCT_EDITION}${UCS_PREFIX}:${PULL_TAG}
 
 ### Build main-release ###
 
-FROM ${COMPANY_NAME}/4testing-documentserver${PRODUCT_EDITION}:${TAG} as documentserver-stable
+FROM ${COMPANY_NAME}/4testing-documentserver${PRODUCT_EDITION}:${PULL_TAG} as documentserver-stable
+
+### Rebuild stable images with secure updates 
+FROM ${IMAGE} as documentserver-stable-rebuild
+RUN    echo "This is rebuild" \
+    && apt-get update -y \
+    && apt-get upgrade -y
 
 ### Build nonexample ###
  
-FROM ${COMPANY_NAME}/documentserver${PRODUCT_EDITION}:${TAG} as documentserver-nonexample
+FROM ${COMPANY_NAME}/documentserver${PRODUCT_EDITION}:${PULL_TAG} as documentserver-nonexample
 
 ARG COMPANY_NAME=onlyoffice
 ARG PRODUCT_NAME=documentserver

run-document-server.sh

@@ -2,11 +2,21 @@
 
 umask 0022
 
-function clean_exit {
-  /usr/bin/documentserver-prepare4shutdown.sh
+start_process() {
+  "$@" &
+  CHILD=$!; wait "$CHILD"; CHILD="";
 }
 
-trap clean_exit SIGTERM
+function clean_exit {
+  [[ -z "$CHILD" ]] || kill -s SIGTERM "$CHILD" 2>/dev/null
+  if [ ${ONLYOFFICE_DATA_CONTAINER} == "false" ] && \
+  [ ${ONLYOFFICE_DATA_CONTAINER_HOST} == "localhost" ]; then
+    /usr/bin/documentserver-prepare4shutdown.sh
+  fi
+  exit
+}
+
+trap clean_exit SIGTERM SIGQUIT SIGABRT SIGINT
 
 # Define '**' behavior explicitly
 shopt -s globstar
@@ -20,7 +30,9 @@ DS_LOG_DIR="${LOG_DIR}/documentserver"
 LIB_DIR="/var/lib/${COMPANY_NAME}"
 DS_LIB_DIR="${LIB_DIR}/documentserver"
 CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
+SUPERVISOR_CONF_DIR="/etc/supervisor/conf.d"
 IS_UPGRADE="false"
+PLUGINS_ENABLED=${PLUGINS_ENABLED:-true}
 
 ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
 ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
@@ -39,12 +51,11 @@ if [ "${RELEASE_DATE}" != "${PREV_RELEASE_DATE}" ]; then
   fi
 fi
 
-SSL_CERTIFICATES_DIR="/usr/share/ca-certificates/ds"
-mkdir -p ${SSL_CERTIFICATES_DIR}
-if [[ -d ${DATA_DIR}/certs ]] && [ -e ${DATA_DIR}/certs/*.crt ]; then
-  cp -f ${DATA_DIR}/certs/* ${SSL_CERTIFICATES_DIR}
-  chmod 644 ${SSL_CERTIFICATES_DIR}/*.crt ${SSL_CERTIFICATES_DIR}/*.pem
-  chmod 400 ${SSL_CERTIFICATES_DIR}/*.key
+SSL_CERTIFICATES_DIR="/usr/share/ca-certificates/ds"; mkdir -p ${SSL_CERTIFICATES_DIR}
+find "${DATA_DIR}/certs" -type f \( -iname '*.crt' -o -iname '*.pem' -o -iname '*.key' \) -exec cp -f {} "${SSL_CERTIFICATES_DIR}"/ \;
+if find "${SSL_CERTIFICATES_DIR}" -maxdepth 1 -type f | read _; then
+  find "${SSL_CERTIFICATES_DIR}" -type f \( -iname '*.crt' -o -iname '*.pem' \) -exec chmod 644 {} \;
+  find "${SSL_CERTIFICATES_DIR}" -type f -iname '*.key' -exec chmod 400 {} \;
 fi
 
 if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.crt ]]; then
@@ -57,6 +68,25 @@ if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.key ]
 else
   SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
 fi
+
+#When set, the well known "root" CAs will be extended with the extra certificates in file
+NODE_EXTRA_CA_CERTS=${NODE_EXTRA_CA_CERTS:-${SSL_CERTIFICATES_DIR}/extra-ca-certs.pem}
+if [[ -f ${NODE_EXTRA_CA_CERTS} ]]; then
+  NODE_EXTRA_ENVIRONMENT="${NODE_EXTRA_CA_CERTS}"
+elif [[ -f ${SSL_CERTIFICATE_PATH} ]]; then
+  SSL_CERTIFICATE_SUBJECT=$(openssl x509 -subject -noout -in "${SSL_CERTIFICATE_PATH}" | sed 's/subject=//')
+  SSL_CERTIFICATE_ISSUER=$(openssl x509 -issuer -noout -in "${SSL_CERTIFICATE_PATH}" | sed 's/issuer=//')
+
+  #Add self-signed certificate to trusted list for validating Docs requests to the test example 
+  if [[ -n $SSL_CERTIFICATE_SUBJECT && $SSL_CERTIFICATE_SUBJECT == $SSL_CERTIFICATE_ISSUER ]]; then
+    NODE_EXTRA_ENVIRONMENT="${SSL_CERTIFICATE_PATH}"
+  fi
+fi
+
+if [[ -n $NODE_EXTRA_ENVIRONMENT ]]; then
+  sed -i "s|^environment=.*$|&,NODE_EXTRA_CA_CERTS=${NODE_EXTRA_ENVIRONMENT}|" ${SUPERVISOR_CONF_DIR}/*.conf
+fi
+
 CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
@@ -73,12 +103,15 @@ NGINX_ONLYOFFICE_EXAMPLE_CONF="${NGINX_ONLYOFFICE_EXAMPLE_PATH}/includes/ds-exam
 
 NGINX_CONFIG_PATH="/etc/nginx/nginx.conf"
 NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
+NGINX_ACCESS_LOG=${NGINX_ACCESS_LOG:-false}
 # Limiting the maximum number of simultaneous connections due to possible memory shortage
-[ $(ulimit -n) -gt 1048576 ] && NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-1048576} || NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-$(ulimit -n)}
+LIMIT=$(ulimit -n); [ "$LIMIT" = "unlimited" ] || [ "$LIMIT" -gt 1048576 ] && LIMIT=1048576
+NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-$LIMIT}
+RABBIT_CONNECTIONS=${RABBIT_CONNECTIONS:-$LIMIT}
 
 JWT_ENABLED=${JWT_ENABLED:-true}
 
-# validate user's vars before usinig in json
+# validate user's vars before using in json
 if [ "${JWT_ENABLED}" == "true" ]; then
   JWT_ENABLED="true"
 else
@@ -92,6 +125,8 @@ JWT_HEADER=${JWT_HEADER:-Authorization}
 JWT_IN_BODY=${JWT_IN_BODY:-false}
 
 WOPI_ENABLED=${WOPI_ENABLED:-false}
+ALLOW_META_IP_ADDRESS=${ALLOW_META_IP_ADDRESS:-false}
+ALLOW_PRIVATE_IP_ADDRESS=${ALLOW_PRIVATE_IP_ADDRESS:-false}
 
 GENERATE_FONTS=${GENERATE_FONTS:-true}
 
@@ -101,6 +136,8 @@ else
   REDIS_ENABLED=true
 fi
 
+[[ "${PRODUCT_EDITION}" =~ ^-(ee|de)$ ]] && ADMINPANEL_AVAILABLE=true || ADMINPANEL_AVAILABLE=false
+
 ONLYOFFICE_DEFAULT_CONFIG=${CONF_DIR}/local.json
 ONLYOFFICE_LOG4JS_CONFIG=${CONF_DIR}/log4js/production.json
 ONLYOFFICE_EXAMPLE_CONFIG=${CONF_DIR}-example/local.json
@@ -149,6 +186,15 @@ read_setting(){
     "mariadb"|"mysql")
       DB_PORT=${DB_PORT:-"3306"}
       ;;
+    "dameng")
+      DB_PORT=${DB_PORT:-"5236"}
+      ;;
+    "mssql")
+      DB_PORT=${DB_PORT:-"1433"}
+      ;;
+    "oracle")
+      DB_PORT=${DB_PORT:-"1521"}
+      ;;
     "")
       DB_PORT=${DB_PORT:-${POSTGRESQL_SERVER_PORT:-$(${JSON} services.CoAuthoring.sql.dbPort)}}
       ;;
@@ -227,8 +273,30 @@ waiting_for_connection(){
   done
 }
 
+waiting_for_db_ready(){
+  case $DB_TYPE in
+    "oracle")
+      ORACLE_SQL="sqlplus $DB_USER/$DB_PWD@//$DB_HOST:$DB_PORT/${DB_NAME}"
+      DB_TEST="echo \"SELECT version FROM V\$INSTANCE;\" | $ORACLE_SQL 2>/dev/null | grep \"Connected\" | wc -l"
+      ;;
+    *)
+      return
+      ;;
+  esac
+
+  for (( i=1; i <= 10; i++ )); do
+    RES=$(eval $DB_TEST)
+    if [ "$RES" -ne "0" ]; then
+      echo "Database is ready"
+      break
+    fi
+    sleep 5
+  done
+}
+
 waiting_for_db(){
   waiting_for_connection $DB_HOST $DB_PORT
+  waiting_for_db_ready
 }
 
 waiting_for_amqp(){
@@ -248,6 +316,7 @@ update_statsd_settings(){
   ${JSON} -I -e "this.statsd.host = '${METRICS_HOST}'"
   ${JSON} -I -e "this.statsd.port = '${METRICS_PORT}'"
   ${JSON} -I -e "this.statsd.prefix = '${METRICS_PREFIX}'"
+  sed -i -E "s/(autostart|autorestart)=.*$/\1=${METRICS_ENABLED}/g" ${SUPERVISOR_CONF_DIR}/ds-metrics.conf
 }
 
 update_db_settings(){
@@ -308,10 +377,11 @@ update_redis_settings(){
   ${JSON} -I -e "this.services.CoAuthoring.redis.host = '${REDIS_SERVER_HOST}'"
   ${JSON} -I -e "this.services.CoAuthoring.redis.port = '${REDIS_SERVER_PORT}'"
 
-  if [ -n "${REDIS_SERVER_PASS}" ]; then
-    ${JSON} -I -e "this.services.CoAuthoring.redis.options = {'password':'${REDIS_SERVER_PASS}'}"
-  fi
-
+  ${JSON} -I -e  "this.services.CoAuthoring.redis.options = {
+    ${REDIS_SERVER_USER:+username: '${REDIS_SERVER_USER}',}
+    ${REDIS_SERVER_PASS:+password: '${REDIS_SERVER_PASS}',}
+    ${REDIS_SERVER_DB:+database: '${REDIS_SERVER_DB}',}
+  }"
 }
 
 update_ds_settings(){
@@ -322,6 +392,7 @@ update_ds_settings(){
   ${JSON} -I -e "this.services.CoAuthoring.secret.inbox.string = '${JWT_SECRET}'"
   ${JSON} -I -e "this.services.CoAuthoring.secret.outbox.string = '${JWT_SECRET}'"
   ${JSON} -I -e "this.services.CoAuthoring.secret.session.string = '${JWT_SECRET}'"
+  ${JSON} -I -e "this.services.CoAuthoring.secret.browser.string = '${JWT_SECRET}'"
 
   ${JSON} -I -e "this.services.CoAuthoring.token.inbox.header = '${JWT_HEADER}'"
   ${JSON} -I -e "this.services.CoAuthoring.token.outbox.header = '${JWT_HEADER}'"
@@ -340,9 +411,29 @@ update_ds_settings(){
     ${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults.rejectUnauthorized===undefined)this.services.CoAuthoring.requestDefaults.rejectUnauthorized=false"
   fi
 
-  if [ "${WOPI_ENABLED}" == "true" ]; then
-    ${JSON} -I -e "if(this.wopi===undefined)this.wopi={}"
-    ${JSON} -I -e "this.wopi.enable = true"
+  WOPI_PRIVATE_KEY="${DATA_DIR}/wopi_private.key"
+  WOPI_PUBLIC_KEY="${DATA_DIR}/wopi_public.key"
+
+  [ ! -f "${WOPI_PRIVATE_KEY}" ] && echo -n "Generating WOPI private key..." && openssl genpkey -algorithm RSA -outform PEM -out "${WOPI_PRIVATE_KEY}" >/dev/null 2>&1 && echo "Done"
+  [ ! -f "${WOPI_PUBLIC_KEY}" ] && echo -n "Generating WOPI public key..." && openssl rsa -RSAPublicKey_out -in "${WOPI_PRIVATE_KEY}" -outform "MS PUBLICKEYBLOB" -out "${WOPI_PUBLIC_KEY}" >/dev/null 2>&1  && echo "Done"
+  WOPI_MODULUS=$(openssl rsa -pubin -inform "MS PUBLICKEYBLOB" -modulus -noout -in "${WOPI_PUBLIC_KEY}" | sed 's/Modulus=//' | xxd -r -p | openssl base64 -A)
+  WOPI_EXPONENT=$(openssl rsa -pubin -inform "MS PUBLICKEYBLOB" -text -noout -in "${WOPI_PUBLIC_KEY}" | grep -oP '(?<=Exponent: )\d+')
+  
+  ${JSON} -I -e "if(this.wopi===undefined)this.wopi={};"
+  ${JSON} -I -e "this.wopi.enable = ${WOPI_ENABLED}"
+  ${JSON} -I -e "this.wopi.privateKey = '$(awk '{printf "%s\\n", $0}' ${WOPI_PRIVATE_KEY})'"
+  ${JSON} -I -e "this.wopi.privateKeyOld = '$(awk '{printf "%s\\n", $0}' ${WOPI_PRIVATE_KEY})'"
+  ${JSON} -I -e "this.wopi.publicKey = '$(openssl base64 -in ${WOPI_PUBLIC_KEY} -A)'"
+  ${JSON} -I -e "this.wopi.publicKeyOld = '$(openssl base64 -in ${WOPI_PUBLIC_KEY} -A)'"
+  ${JSON} -I -e "this.wopi.modulus = '${WOPI_MODULUS}'"
+  ${JSON} -I -e "this.wopi.modulusOld = '${WOPI_MODULUS}'"
+  ${JSON} -I -e "this.wopi.exponent = ${WOPI_EXPONENT}"
+  ${JSON} -I -e "this.wopi.exponentOld = ${WOPI_EXPONENT}"
+
+  if [ "${ALLOW_META_IP_ADDRESS}" = "true" ] || [ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ]; then
+    ${JSON} -I -e "if(this.services.CoAuthoring['request-filtering-agent']===undefined)this.services.CoAuthoring['request-filtering-agent']={}"
+    [ "${ALLOW_META_IP_ADDRESS}" = "true" ] && ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowMetaIPAddress = true"
+    [ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ] && ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowPrivateIPAddress = true"
   fi
 }
 
@@ -362,6 +453,10 @@ create_postgresql_db(){
   sudo -u postgres psql -c "CREATE DATABASE $DB_NAME OWNER $DB_USER;"
 }
 
+create_mssql_db(){
+  ${MSSQL/ -d $DB_NAME/} -b -Q "IF NOT EXISTS (SELECT * FROM sys.databases WHERE name = '$DB_NAME') BEGIN CREATE DATABASE [$DB_NAME]; END"
+}
+
 create_db_tbl() {
   case $DB_TYPE in
     "postgres")
@@ -370,6 +465,12 @@ create_db_tbl() {
     "mariadb"|"mysql")
       create_mysql_tbl
     ;;
+    "mssql")
+      create_mssql_tbl
+    ;;
+    "oracle")
+      create_oracle_tbl
+    ;;
   esac
 }
 
@@ -381,9 +482,31 @@ upgrade_db_tbl() {
     "mariadb"|"mysql")
       upgrade_mysql_tbl
     ;;
+    "mssql")
+      upgrade_mssql_tbl
+    ;;
+    "oracle")
+      upgrade_oracle_tbl
+    ;;
   esac
 }
 
+postgresql_check_schema(){
+    DB_SCHEMA=${DB_SCHEMA:-$(${JSON} services.CoAuthoring.sql.pgPoolExtraOptions.options 2>/dev/null | sed -n 's/.*search_path=\([^, ]*\).*/\1/p')}
+    if [ -n "${DB_SCHEMA}" ]; then
+      export PGOPTIONS="-c search_path=${DB_SCHEMA}"
+      $PSQL -c "CREATE SCHEMA IF NOT EXISTS ${DB_SCHEMA};" >/dev/null 2>&1
+      ${JSON} -I -e "this.services.CoAuthoring.sql.pgPoolExtraOptions ||= {}; this.services.CoAuthoring.sql.pgPoolExtraOptions.options = '${PGOPTIONS}'"
+    fi
+}
+
+mssql_check_schema(){
+  if [ -n "${DB_SCHEMA}" ]; then
+    ${MSSQL} -b -Q "DECLARE @s sysname=N'${DB_SCHEMA}'; IF SCHEMA_ID(@s) IS NULL BEGIN DECLARE @sql nvarchar(max); SET @sql=N'CREATE SCHEMA '+QUOTENAME(@s)+N' AUTHORIZATION '+QUOTENAME(N'${DB_USER}'); EXEC(@sql); END"
+    ${MSSQL} -b -Q "DECLARE @s sysname=N'${DB_SCHEMA}'; DECLARE @u sysname=N'${DB_USER}'; IF USER_ID(@u) IS NOT NULL BEGIN DECLARE @sql nvarchar(max); SET @sql=N'ALTER USER '+QUOTENAME(@u)+N' WITH DEFAULT_SCHEMA = '+QUOTENAME(@s); EXEC(@sql); END"
+  fi
+}
+
 upgrade_postgresql_tbl() {
   if [ -n "$DB_PWD" ]; then
     export PGPASSWORD=$DB_PWD
@@ -391,6 +514,7 @@ upgrade_postgresql_tbl() {
 
   PSQL="psql -q -h$DB_HOST -p$DB_PORT -d$DB_NAME -U$DB_USER -w"
 
+  postgresql_check_schema
   $PSQL -f "$APP_DIR/server/schema/postgresql/removetbl.sql"
   $PSQL -f "$APP_DIR/server/schema/postgresql/createdb.sql"
 }
@@ -403,12 +527,33 @@ upgrade_mysql_tbl() {
   $MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/createdb.sql" >/dev/null 2>&1
 }
 
+upgrade_mssql_tbl() {
+  if [ -n "$DB_PWD" ]; then
+    export SQLCMDPASSWORD=$DB_PWD
+  fi
+
+  MSSQL="/opt/mssql-tools18/bin/sqlcmd -S $DB_HOST,$DB_PORT -d $DB_NAME -U $DB_USER -C"
+
+  mssql_check_schema
+  $MSSQL < "$APP_DIR/server/schema/mssql/removetbl.sql" >/dev/null 2>&1
+  $MSSQL < "$APP_DIR/server/schema/mssql/createdb.sql" >/dev/null 2>&1
+}
+
+upgrade_oracle_tbl() {
+  ORACLE_SQL="sqlplus $DB_USER/$DB_PWD@//$DB_HOST:$DB_PORT/${DB_NAME}"
+
+  $ORACLE_SQL @$APP_DIR/server/schema/oracle/removetbl.sql >/dev/null 2>&1
+  $ORACLE_SQL @$APP_DIR/server/schema/oracle/createdb.sql >/dev/null 2>&1
+}
+
 create_postgresql_tbl() {
   if [ -n "$DB_PWD" ]; then
     export PGPASSWORD=$DB_PWD
   fi
 
   PSQL="psql -q -h$DB_HOST -p$DB_PORT -d$DB_NAME -U$DB_USER -w"
+
+  postgresql_check_schema
   $PSQL -f "$APP_DIR/server/schema/postgresql/createdb.sql"
 }
 
@@ -422,18 +567,45 @@ create_mysql_tbl() {
   $MYSQL $DB_NAME < "$APP_DIR/server/schema/mysql/createdb.sql" >/dev/null 2>&1
 }
 
+create_mssql_tbl() {  
+  if [ -n "$DB_PWD" ]; then
+    export SQLCMDPASSWORD=$DB_PWD
+  fi
+
+  MSSQL="/opt/mssql-tools18/bin/sqlcmd -S $DB_HOST,$DB_PORT -d $DB_NAME -U $DB_USER -C"
+
+  create_mssql_db
+  mssql_check_schema
+  $MSSQL < "$APP_DIR/server/schema/mssql/createdb.sql" >/dev/null 2>&1
+}
+
+create_oracle_tbl() {
+  ORACLE_SQL="sqlplus $DB_USER/$DB_PWD@//$DB_HOST:$DB_PORT/${DB_NAME}"
+
+  $ORACLE_SQL @$APP_DIR/server/schema/oracle/createdb.sql >/dev/null 2>&1
+}
+
 update_welcome_page() {
   WELCOME_PAGE="${APP_DIR}-example/welcome/docker.html"
+  EXAMPLE_DISABLED_PAGE="${APP_DIR}-example/welcome/example-disabled.html"
+  if ${ADMINPANEL_AVAILABLE}; then
+    ADMIN_DISABLED_PAGE="${APP_DIR}-example/welcome/admin-disabled.html"
+    sed -Ei 's#sudo systemctl start ds-(adminpanel|example)#sudo docker exec $(sudo docker ps -q) supervisorctl start ds:\1#g' "$ADMIN_DISABLED_PAGE" "$EXAMPLE_DISABLED_PAGE"
+  else
+    sed -Ei 's#sudo systemctl start ds-example#sudo docker exec $(sudo docker ps -q) supervisorctl start ds:example#g' "$EXAMPLE_DISABLED_PAGE"
+  fi
+
+  TARGET_PAGES="$WELCOME_PAGE $EXAMPLE_DISABLED_PAGE${ADMIN_DISABLED_PAGE:+ $ADMIN_DISABLED_PAGE}"
   if [[ -e $WELCOME_PAGE ]]; then
     DOCKER_CONTAINER_ID=$(basename $(cat /proc/1/cpuset))
     (( ${#DOCKER_CONTAINER_ID} < 12 )) && DOCKER_CONTAINER_ID=$(hostname)
     if (( ${#DOCKER_CONTAINER_ID} >= 12 )); then
       if [[ -x $(command -v docker) ]]; then
         DOCKER_CONTAINER_NAME=$(docker inspect --format="{{.Name}}" $DOCKER_CONTAINER_ID)
-        sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/' -i $WELCOME_PAGE
+        sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/' -i ${TARGET_PAGES}
         JWT_MESSAGE=$(echo $JWT_MESSAGE | sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_NAME#/}"'/')
       else
-        sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/' -i $WELCOME_PAGE
+        sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/' -i ${TARGET_PAGES}
         JWT_MESSAGE=$(echo $JWT_MESSAGE | sed 's/$(sudo docker ps -q)/'"${DOCKER_CONTAINER_ID::12}"'/')
       fi
     fi
@@ -444,7 +616,13 @@ update_nginx_settings(){
   # Set up nginx
   sed 's/^worker_processes.*/'"worker_processes ${NGINX_WORKER_PROCESSES};"'/' -i ${NGINX_CONFIG_PATH}
   sed 's/worker_connections.*/'"worker_connections ${NGINX_WORKER_CONNECTIONS};"'/' -i ${NGINX_CONFIG_PATH}
-  sed 's/access_log.*/'"access_log off;"'/' -i ${NGINX_CONFIG_PATH}
+
+  if [ "${NGINX_ACCESS_LOG}" = "true" ]; then
+    touch "${DS_LOG_DIR}/nginx.access.log"
+    sed -ri 's|^\s*access_log\b.*;|access_log '"${DS_LOG_DIR}"'/nginx.access.log;|' "${NGINX_CONFIG_PATH}" "${NGINX_ONLYOFFICE_PATH}/includes/ds-common.conf" 2>/dev/null
+  else
+    sed -ri 's|^\s*access_log\b.*;|access_log off;|' "${NGINX_CONFIG_PATH}"
+  fi
 
   # setup HTTPS
   if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then
@@ -488,16 +666,7 @@ update_nginx_settings(){
     sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
   fi
 
-  documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false
-}
-
-update_supervisor_settings(){
-  # Copy modified supervisor start script
-  cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisor /etc/init.d/
-  # Copy modified supervisor config
-  cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
-  sed "s/COMPANY_NAME/${COMPANY_NAME}/g" -i ${SYSCONF_TEMPLATES_DIR}/supervisor/ds/*.conf
-  cp ${SYSCONF_TEMPLATES_DIR}/supervisor/ds/*.conf etc/supervisor/conf.d/
+  start_process documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false
 }
 
 update_log_settings(){
@@ -514,11 +683,11 @@ update_release_date(){
 }
 
 # create base folders
-for i in converter docservice metrics; do
-  mkdir -p "${DS_LOG_DIR}/$i"
+for SUPERVISOR_CONF in "${SUPERVISOR_CONF_DIR}"/ds-*.conf; do
+  SERVICE_NAME=$(sed "s|^${SUPERVISOR_CONF_DIR}/ds-||; s|\.conf$||" <<<"$SUPERVISOR_CONF")
+  mkdir -p "$DS_LOG_DIR/$SERVICE_NAME" && touch "$DS_LOG_DIR/$SERVICE_NAME"/{out,err}.log
 done
-
-mkdir -p ${DS_LOG_DIR}-example
+mkdir -p "${DS_LOG_DIR}-example" && touch "${DS_LOG_DIR}-example"/{out,err}.log
 
 # create app folders
 for i in ${DS_LIB_DIR}/App_Data/cache/files ${DS_LIB_DIR}/App_Data/docbuilder ${DS_LIB_DIR}-example/files; do
@@ -526,11 +695,16 @@ for i in ${DS_LIB_DIR}/App_Data/cache/files ${DS_LIB_DIR}/App_Data/docbuilder ${
 done
 
 # change folder rights
-for i in ${LOG_DIR} ${LIB_DIR}; do
+chown ds:ds "${DATA_DIR}"
+for i in ${DS_LOG_DIR} ${DS_LOG_DIR}-example ${LIB_DIR}; do
   chown -R ds:ds "$i"
   chmod -R 755 "$i"
 done
 
+# Bug 75324 - Update permissions for runtime.json
+AI_CONFIG_FILE="${DATA_DIR}/runtime.json"
+[ -f "${AI_CONFIG_FILE}" ] && { chown ds:ds "${AI_CONFIG_FILE}" && chmod 644 "${AI_CONFIG_FILE}"; }
+
 if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
 
   read_setting
@@ -573,6 +747,9 @@ if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
         chmod 400 ${RABBITMQ_DATA}/.erlang.cookie
     fi
 
+    sed -i '/^[[:space:]]*ulimit[[:space:]]\+-n[[:space:]]\+/d' /etc/default/rabbitmq-server
+    printf 'ulimit -n %s\n' "${RABBIT_CONNECTIONS}" >> /etc/default/rabbitmq-server
+
     LOCAL_SERVICES+=("rabbitmq-server")
     # allow Rabbitmq startup after container kill
     rm -rf /var/run/rabbitmq
@@ -594,20 +771,21 @@ else
   waiting_for_datacontainer
 
   # read settings after the data container in ready state
-  # to prevent get unconfigureted data
+  # to prevent get unconfigured data
   read_setting
   
   update_welcome_page
 fi
 
-find /etc/${COMPANY_NAME} -exec chown ds:ds {} \;
+find /etc/${COMPANY_NAME} ! -path '*logrotate*' -exec chown ds:ds {} \;
 
 #start needed local services
 for i in ${LOCAL_SERVICES[@]}; do
   service $i start
 done
 
-if [ ${PG_NEW_CLUSTER} = "true" ]; then
+PG_DB_EXISTS=$(PGPASSWORD="$DB_PWD" psql -h ${DB_HOST} -p${DB_PORT} -U "${DB_USER}" -tAc "SELECT 1 FROM pg_database WHERE datname='${DB_NAME}';" 2>/dev/null)
+if [ ${PG_NEW_CLUSTER} = "true" ] || [ "${PG_DB_EXISTS}" != "1" ]; then
   create_postgresql_db
   create_postgresql_tbl
 fi
@@ -625,8 +803,13 @@ if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
   fi
 
   update_nginx_settings
+  
+  if [ "${PLUGINS_ENABLED}" = "true" ]; then
+    ( documentserver-pluginsmanager.sh -r false --update="${APP_DIR}/sdkjs-plugins/plugin-list-default.json" >/dev/null; echo "[pluginsmanager] Plugins initialization finished" >/proc/1/fd/1 ) &
+  fi
 
-  update_supervisor_settings
+  ${ADMINPANEL_AVAILABLE} && [ "${ADMINPANEL_ENABLED:-false}" = "true" ] && sed -i 's,autostart=false,autostart=true,' ${SUPERVISOR_CONF_DIR}/ds-adminpanel.conf
+  [ "${EXAMPLE_ENABLED:-false}" = "true" ] && sed -i 's,autostart=false,autostart=true,' ${SUPERVISOR_CONF_DIR}/ds-example.conf
   service supervisor start
   
   # start cron to enable log rotating
@@ -634,23 +817,26 @@ if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
   service cron start
 fi
 
+# Fix to resolve the `unknown "cache_tag" variable` error
+start_process documentserver-flush-cache.sh -r false
+
 # nginx used as a proxy, and as data container status service.
 # it run in all cases.
 service nginx start
 
 if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
   if [ ! -f "${SSL_CERTIFICATE_PATH}" -a ! -f "${SSL_KEY_PATH}" ]; then
-    documentserver-letsencrypt.sh ${LETS_ENCRYPT_MAIL} ${LETS_ENCRYPT_DOMAIN}
+    start_process documentserver-letsencrypt.sh ${LETS_ENCRYPT_MAIL} ${LETS_ENCRYPT_DOMAIN}
   fi
 fi
 
 # Regenerate the fonts list and the fonts thumbnails
 if [ "${GENERATE_FONTS}" == "true" ]; then
-  documentserver-generate-allfonts.sh ${ONLYOFFICE_DATA_CONTAINER}
+  start_process documentserver-generate-allfonts.sh ${ONLYOFFICE_DATA_CONTAINER}
 fi
-documentserver-static-gzip.sh ${ONLYOFFICE_DATA_CONTAINER}
+
+start_process documentserver-static-gzip.sh ${ONLYOFFICE_DATA_CONTAINER}
 
 echo "${JWT_MESSAGE}" 
 
-tail -f /var/log/${COMPANY_NAME}/**/*.log &
-wait $!
+start_process bash -c "find '$DS_LOG_DIR' '$DS_LOG_DIR-example' -type f -name '*.log' | xargs tail -F"

tests/README.md

@@ -0,0 +1,3 @@
+The files in this folder are intended for use in integration auto-tests.
+
+All credentials are strictly for testing purposes only.

tests/damengdb/.env

@@ -0,0 +1 @@
+VERSION=latest

tests/damengdb/README.md

@@ -0,0 +1,19 @@
+## Stand Documentserver with damengdb
+
+### How it works
+
+For deploy stand, you need:
+
+**STEP 1**: Build you own images, do it with command:
+   
+```bash
+docker compose build
+```
+
+**STEP 2**: Wait build and when it finish deploy with command:
+
+```bash
+docker compose up -d 
+```
+
+Thats all.

tests/damengdb/damengdb.Dockerfile

@@ -0,0 +1,57 @@
+FROM onlyoffice/damengdb:8.1.2 as damengdb
+
+ARG DM8_USER="SYSDBA"
+ARG DM8_PASS="SYSDBA001"
+ARG DB_HOST="localhost"
+ARG DB_PORT="5236"
+ARG DISQL_BIN="/opt/dmdbms/bin"
+
+SHELL ["/bin/bash", "-c"]
+
+COPY <<"EOF" /wait_dm_ready.sh
+#!/usr/bin/env bash
+
+function wait_dm_ready() {
+  cd /opt/dmdbms/bin
+  for i in `seq 1  10`; do
+    echo `./disql /nolog <<EOF
+CONN SYSDBA/SYSDBA001@localhost
+exit
+EOF` | grep  "connection failure" > /dev/null 2>&1
+    if [ $? -eq 0 ]; then
+      echo "DM Database is not OK, please wait..."
+      sleep 10
+    else
+      echo "DM Database is OK"
+      break
+    fi
+  done
+}
+
+wait_dm_ready
+
+EOF
+
+COPY <<"EOF" /permissions.sql
+
+CREATE SYNONYM onlyoffice.DOC_CHANGES FOR sysdba.DOC_CHANGES;
+CREATE SYNONYM onlyoffice.TASK_RESULT FOR sysdba.TASK_RESULT;
+GRANT ALL PRIVILEGES ON sysdba.DOC_CHANGES TO onlyoffice;
+GRANT ALL PRIVILEGES ON sysdba.TASK_RESULT TO onlyoffice;
+
+EOF
+
+RUN   bash /opt/startup.sh > /dev/null 2>&1 \
+   &  mkdir -p /schema/damengdb \
+   && apt update -y ; apt install wget -y \
+   && wget https://raw.githubusercontent.com/ONLYOFFICE/server/master/schema/dameng/createdb.sql -P /schema/dameng/ \
+   && bash ./wait_dm_ready.sh \
+   && cd ${DISQL_BIN} \
+   && ./disql $DM8_USER/$DM8_PASS@$DB_HOST:$DB_PORT -e \
+      "create user "onlyoffice" identified by "onlyoffice" password_policy 0;" \
+   && ./disql $DM8_USER/$DM8_PASS@$DB_HOST:$DB_PORT -e \
+      "GRANT SELECT ON DBA_TAB_COLUMNS TO onlyoffice;" \
+   && echo "EXIT" | tee -a /schema/dameng/createdb.sql \
+   && ./disql $DM8_USER/$DM8_PASS@$DB_HOST:$DB_PORT \`/schema/dameng/createdb.sql \
+   && ./disql $DM8_USER/$DM8_PASS@$DB_HOST:$DB_PORT \`/permissions.sql \
+   && sleep 10

tests/damengdb/docker-compose.yml

@@ -0,0 +1,67 @@
+version: '2'
+services:
+  onlyoffice-documentserver:
+    build:
+      context: ../../.
+      dockerfile: Dockerfile
+      target: documentserver
+    container_name: onlyoffice-documentserver
+    depends_on:
+      - onlyoffice-dameng
+      - onlyoffice-rabbitmq
+    environment:
+      - DB_TYPE=dameng
+      - DB_HOST=onlyoffice-dameng
+      - DB_PORT=5236
+      - DB_NAME=onlyoffice
+      - DB_USER=onlyoffice
+      - AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
+      # Costomize the JSON Web Token validation parameters if needed.
+      #- JWT_ENABLED=false
+      #- JWT_SECRET=secret
+      #- JWT_HEADER=Authorization
+      #- JWT_IN_BODY=true
+    ports:
+      - '80:80'
+      - '443:443'
+    stdin_open: true
+    restart: always
+    stop_grace_period: 60s
+    volumes:
+       - /var/www/onlyoffice/Data
+       - /var/log/onlyoffice
+       - /var/lib/onlyoffice/documentserver/App_Data/cache/files
+       - /var/www/onlyoffice/documentserver-example/public/files
+       - /usr/share/fonts
+       
+  onlyoffice-rabbitmq:
+    container_name: onlyoffice-rabbitmq
+    image: rabbitmq
+    restart: always
+    expose:
+      - '5672'
+
+  onlyoffice-dameng:
+    container_name: onlyoffice-dameng
+    build:
+      context: .
+      dockerfile: damengdb.Dockerfile
+      target: damengdb
+      args:
+        DM8_USER: SYSDBA
+        DM8_PASS: SYSDBA001
+        DB_HOST: localhost
+        DB_PORT: 5236
+    environment:
+      - PAGE_SIZE=16
+      - LD_LIBRARY_PATH=/opt/dmdbms/bin
+      - INSTANCE_NAME=dm8_01
+    restart: always
+    expose:
+      - '5236'
+    volumes:
+      - dameng_data:/opt/dmdbms/data
+
+volumes:
+  dameng_data:
+  

tests/mssql/README.md

@@ -0,0 +1,17 @@
+## Stand Documentserver with mssql
+
+### How it works
+
+For deploy stand:
+
+**STEP 1**: Build you own images:
+   
+```bash
+sudo docker-compose build
+```
+
+**STEP 2**: Wait build complete and when:
+
+```bash
+sudo docker-compose up -d 
+```

tests/mssql/create_db_user.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+#generate SA password
+SYMBOLS='!#$%&*+,-.:;=?@^_~'
+for (( i=1; i <= 20; i++ )); do
+  PASS=$(tr -dc "A-Za-z0-9$SYMBOLS" </dev/urandom | head -c 15)
+  if [[ $PASS == *[0-9]* && 
+        $PASS != $(echo "$PASS" | tr [:upper:] ' ') && 
+        $PASS != $(echo "$PASS" | tr [:lower:] ' ') && 
+        $PASS != $(echo "$PASS" | tr "$SYMBOLS" ' ') ]]; then
+    break
+  fi
+done
+export MSSQL_SA_PASSWORD=$PASS
+
+CONNECTION_STR="/opt/mssql-tools/bin/sqlcmd -S localhost,1433 -U SA -P "$MSSQL_SA_PASSWORD" -C -Q"
+
+#start db
+/opt/mssql/bin/sqlservr &
+
+#wait for db up
+for (( i=1; i <= 10; i++ )); do
+  RES=$($CONNECTION_STR "SELECT @@VERSION;" 2>/dev/null | grep "affected" | wc -l)
+  if [ "$RES" -eq "1" ]; then
+    echo "Database is ready"
+    break
+  fi
+  sleep 10
+done
+
+#create new db user
+$CONNECTION_STR "IF NOT EXISTS (SELECT * FROM sys.sql_logins WHERE name = '$MSSQL_USER') BEGIN CREATE LOGIN $MSSQL_USER WITH PASSWORD = '$MSSQL_PASSWORD' , CHECK_POLICY = OFF; ALTER SERVER ROLE [dbcreator] ADD MEMBER [$MSSQL_USER]; END"

tests/mssql/docker-compose.yml

@@ -0,0 +1,38 @@
+version: '2.1'
+services:
+  onlyoffice-documentserver:
+    container_name: onlyoffice-documentserver
+    build:
+      context: ../../.
+      dockerfile: Dockerfile
+    depends_on:
+      - onlyoffice-mssql
+    environment:
+      - DB_TYPE=${DB_TYPE:-mssql}
+      - DB_HOST=${DB_HOST:-onlyoffice-mssql}
+      - DB_PORT=${DB_PORT:-1433}
+      - DB_NAME=${DB_NAME:-onlyoffice}
+      - DB_USER=${DB_USER:-onlyoffice}
+      - DB_PWD=${DB_PWD:-onlyoffice}
+    stdin_open: true
+    restart: always
+    ports:
+      - '80:80'
+
+  onlyoffice-mssql:
+    container_name: onlyoffice-mssql
+    build:
+      context: .
+      dockerfile: mssql.Dockerfile
+      args:
+        - MSSQL_DATABASE=${DB_NAME:-onlyoffice}
+        - MSSQL_USER=${DB_USER:-onlyoffice}
+        - MSSQL_PASSWORD=${DB_PWD:-onlyoffice}
+    restart: always
+    volumes:
+      - mssql_data:/var/opt/mssql
+    expose:
+      - '1433'
+
+volumes:
+  mssql_data:

tests/mssql/mssql.Dockerfile

@@ -0,0 +1,9 @@
+FROM mcr.microsoft.com/mssql/server:2022-latest as onlyoffice-mssql
+
+ENV ACCEPT_EULA=Y
+
+SHELL ["/bin/bash", "-c"]
+
+COPY create_db_user.sh /tmp/create_db_user.sh
+
+RUN bash /tmp/create_db_user.sh

tests/oracle/README.md

@@ -0,0 +1,17 @@
+## Stand Documentserver with oracle
+
+### How it works
+
+For deploy stand:
+
+**STEP 1**: Build you own images:
+   
+```bash
+sudo docker-compose build
+```
+
+**STEP 2**: Wait build complete and when:
+
+```bash
+sudo docker-compose up -d 
+```

tests/oracle/create_db_user.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+CONNECTION_STR="sqlplus sys/$ORACLE_PASSWORD@//localhost:1521/$ORACLE_DATABASE as sysdba"
+
+export ORACLE_PWD=$ORACLE_PASSWORD
+
+#start db
+/opt/oracle/runOracle.sh &
+
+#wait for db up
+for (( i=1; i <= 20; i++ )); do
+  RES=$(echo "SELECT version FROM V\$INSTANCE;" | $CONNECTION_STR 2>/dev/null | grep "Connected" | wc -l)
+  if [ "$RES" -ne "0" ]; then
+    echo "Database is ready"
+    break
+  fi
+  sleep 10
+done
+
+sleep 1
+
+#create new db user
+$CONNECTION_STR <<EOF
+CREATE USER $ORACLE_USER IDENTIFIED BY $ORACLE_PASSWORD;
+GRANT CREATE SESSION TO $ORACLE_USER;
+GRANT CREATE TABLE TO $ORACLE_USER; 
+ALTER USER $ORACLE_USER quota unlimited on USERS;
+EOF

tests/oracle/docker-compose.yml

@@ -0,0 +1,38 @@
+version: '2.1'
+services:
+  onlyoffice-documentserver:
+    container_name: onlyoffice-documentserver
+    build:
+      context: ../../.
+      dockerfile: Dockerfile
+    depends_on:
+      - onlyoffice-oracle
+    environment:
+      - DB_TYPE=${DB_TYPE:-oracle}
+      - DB_HOST=${DB_HOST:-onlyoffice-oracle}
+      - DB_PORT=${DB_PORT:-1521}
+      - DB_NAME=${DB_NAME:-xepdb1}
+      - DB_USER=${DB_USER:-onlyoffice}
+      - DB_PWD=${DB_PWD:-onlyoffice}
+    stdin_open: true
+    restart: always
+    ports:
+      - '80:80'
+
+  onlyoffice-oracle:
+    container_name: onlyoffice-oracle
+    build:
+      context: .
+      dockerfile: oracle.Dockerfile
+      args:
+        - ORACLE_DATABASE=${DB_NAME:-xepdb1}
+        - ORACLE_USER=${DB_USER:-onlyoffice}
+        - ORACLE_PASSWORD=${DB_PWD:-onlyoffice}
+    restart: always
+    volumes:
+      - oracle_data:/opt/oracle/oradata
+    expose:
+      - '1521'
+
+volumes:
+  oracle_data:

tests/oracle/oracle.Dockerfile

@@ -0,0 +1,15 @@
+FROM container-registry.oracle.com/database/express:21.3.0-xe as onlyoffice-oracle
+
+ARG ORACLE_DATABASE=
+ARG ORACLE_PASSWORD=
+ARG ORACLE_USER=
+
+ENV ORACLE_DATABASE=$ORACLE_DATABASE \
+    ORACLE_PASSWORD=$ORACLE_PASSWORD \
+    ORACLE_USER=$ORACLE_USER
+
+SHELL ["/bin/bash", "-c"]
+
+COPY create_db_user.sh /tmp/create_db_user.sh
+
+RUN bash /tmp/create_db_user.sh

tests/postgres.yml

@@ -20,7 +20,7 @@ services:
 
   onlyoffice-postgresql:
     container_name: onlyoffice-postgresql
-    image: postgres:${POSTGRES_VERSION:-9.5}
+    image: postgres:${POSTGRES_VERSION:-12}
     environment:
       - POSTGRES_DB=${POSTGRES_DB:-onlyoffice}
       - POSTGRES_USER=${POSTGRES_USER:-onlyoffice}

tests/prometheus.yml

@@ -0,0 +1,46 @@
+version: '2.1'
+services:
+  onlyoffice-documentserver:
+    container_name: onlyoffice-documentserver
+    build:
+      context: ../.
+    depends_on:
+      - onlyoffice-statsd-exporter
+    environment:
+      - METRICS_ENABLED=${METRICS_ENABLED:-true}
+      - METRICS_HOST=${METRICS_HOST:-onlyoffice-statsd-exporter}
+      - METRICS_PORT=${METRICS_PORT:-9125}
+      - METRICS_PREFIX=${METRICS_PREFIX:-ds.}
+    stdin_open: true
+    restart: always
+    ports:
+      - '80:80'
+
+  onlyoffice-statsd-exporter:
+    container_name: onlyoffice-statsd-exporter
+    image: prom/statsd-exporter
+    command: --statsd.event-flush-interval=30000ms
+    ports:
+      - '9102:9102'
+      - '9125:9125/tcp'
+      - '9125:9125/udp'
+
+  onlyoffice-prometheus:
+    container_name: onlyoffice-prometheus
+    image: prom/prometheus
+    ports:
+      - '9090:9090'
+    volumes:
+      - ./prometheus/prometheus-scrape/statsd-exporter.yml:/etc/prometheus/prometheus.yml
+
+  grafana:
+    container_name: onlyoffice-grafana
+    image: bitnami/grafana
+    ports:
+      - '3000:3000'
+    environment:
+      - 'GF_SECURITY_ADMIN_PASSWORD=G0pGE4'
+    volumes:
+      - ./prometheus/grafana/conf/prometheus.yml:/opt/bitnami/grafana/conf/provisioning/datasources/prometheus.yml
+      - ./prometheus/grafana/conf/default-provider.yaml:/opt/bitnami/grafana/conf/provisioning/dashboards/default-provider.yaml
+      - ./prometheus/grafana/dashboards:/opt/bitnami/grafana/dashboards

tests/prometheus/grafana/conf/default-provider.yaml

@@ -0,0 +1,23 @@
+apiVersion: 1
+providers:
+  # <string> an unique provider name
+- name: 'default-provider'
+  # <int> org id. will default to orgId 1 if not specified
+  orgId: 1
+  # <string, required> name of the dashboard folder. Required
+  folder: dashboards
+  # <string> folder UID. will be automatically generated if not specified
+  folderUid: ''
+  # <string, required> provider type. Required
+  type: file
+  # <bool> disable dashboard deletion
+  disableDeletion: false
+  # <bool> enable dashboard editing
+  editable: true
+  # <int> how often Grafana will scan for changed dashboards
+  updateIntervalSeconds: 10
+  options:
+    # <string, required> path to dashboard files on disk. Required
+    path: /opt/bitnami/grafana/dashboards
+    # <bool> enable folders creation for dashboards
+    #foldersFromFilesStructure: true

tests/prometheus/grafana/conf/prometheus.yml

@@ -0,0 +1,6 @@
+apiVersion: 1
+datasources:
+  - name: Prometheus
+    type: prometheus
+    url: http://onlyoffice-prometheus:9090
+    editable: true

tests/prometheus/prometheus-scrape/statsd-exporter.yml

@@ -0,0 +1,6 @@
+scrape_configs:
+  - job_name: 'statsd'
+    scrape_interval: 30s
+    static_configs:
+      - targets:
+        - onlyoffice-statsd-exporter:9102