Create Docker installation files #7
Conversation
timwoj
force-pushed
the
topic/timw/docker
branch
from
aabfe5c to
6dc2333
Compare
timwoj
force-pushed
the
topic/timw/docker
branch
from
6dc2333 to
9e1b49a
Compare
timwoj
force-pushed
the
topic/timw/docker
branch
from
9e1b49a to
b34fb38
Compare
There was a problem hiding this comment.
This looks much better than the previous setup.
I was unable to generate certificates like documented in the README with something failing in LE (maybe I picked an incorrect domain). What I ended up doing was remove the SSL config from nginx which allowed everything to start up even without certs. I could then see the site, but the database was probably unpopulated so the package listing was empty and I could not see a package details view. Ideally we'd have a way to get info for e.g., 10 packages, or at least document how the db can be populated manually (when I did this in the past it was very slow though).
This also removes the bash invocation from the first line, since php was complaining about parsing it.
- Mount the bropkg webroot directly on the nginx VM to allow access to the images and CSS. Also mount it in read-only mode. - Don't try to override the logging for nginx. It goes to 'docker logs' by default. - chown/chmod files as they're being copied for php, which is considerably faster than doing it after. - Don't expose the port for php publicly
- be more explicit about versions of anything we depend on - avoid unneeded Docker layers - slight trimming of installed packages
timwoj
force-pushed
the
topic/timw/docker
branch
from
250cc78 to
fcc4453
Compare
timwoj
force-pushed
the
topic/timw/docker
branch
from
521521b to
606fb82
Compare
| le_fixpermissions() { | ||
| echo "[INFO] Fixing permissions" | ||
| chown -R "${CHOWN:-root:root}" "${CERT_DIR_PATH}" | ||
| find "${CERT_DIR_PATH}" -type d -exec chmod 755 {} \; |
There was a problem hiding this comment.
If CERT_DIR_PATH does not exist this will definitely fail, let's make sure it exists by prefixing with
mkdir -p "${CERT_DIR_PATH}"|
|
||
| le_fixpermissions() { | ||
| echo "[INFO] Fixing permissions" | ||
| chown -R "${CHOWN:-root:root}" "${CERT_DIR_PATH}" |
There was a problem hiding this comment.
Running in my macos dev environment this failed for me since root is not a valid group name here and the failure was hard to see in all the output of the script. I'd suggest to move this to the top as a documented customization point (this part passed for me once I invoked the script with CHOWN=<username>:staff ...).
| cat >/etc/cron.d/certbot.cron <<EOF | ||
| # Run Let's Encrypt certbot renew twice a day at random times | ||
| 0 0,12 * * * root /usr/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && $SCRIPT_DIR/ssl-update.sh | ||
| EOF |
There was a problem hiding this comment.
This failed for me in my macos dev env which does not have cron installed so /etc/cron.d does not exist (and would't be user-writeable anyway). Let's at least make this conditional on the existance of that dir (though it still might not be writeable by the user running this). For dev I wouldn't want to run this as root at all, so that must not be a requirement.
| - Run the `cert_setup/init-certs.sh` script. This will generate a Let's Encrypt | ||
| certificate, store it in the location that nginx container will use, and add | ||
| a cron task to automatically update it. |
There was a problem hiding this comment.
I have no idea how I should set this up for development since LE seems to expect me to own a domain where I can put a challenge file; for all my attempts this part failed. Can you please add a dummy cert at the location expected for the default DOMAIN so the dev workflow just works?
I suspect all of this works for you since you have some cert in data/certbot/letsencrypt/live/; if you do a new checkout somewhere else and follow these instructions you should run into similar issues (do not assume that you have a host set up with a challenge since this is neither documented nor needed for frontend or backend development).
| docker compose -f docker-compose-dev.yml build | ||
| docker compose -f docker-compose-dev.yml up -d |
There was a problem hiding this comment.
This only starts the services in the dev config (the database), users also need to start the remaining services.
| docker compose -f docker-compose-dev.yml build | |
| docker compose -f docker-compose-dev.yml up -d | |
| docker compose -f docker-compose-dev.yml -f docker-compose.yml build | |
| docker compose -f docker-compose-dev.yml -f docker-compose.yml up -d |
This moves the existing manual installation steps to a docker version that should simplify management a little, along with letting us move everything to another host. A sample version of it is running at https://packages-docker.zeek.org, though without any package information currently due to a disk space issue with the package scanning.
There still feels like a bit too much manual editing of files during the installation, but it's probably fine and I'm just being picky.