Nginx unit #361
Some preliminary comments. As discussed in Slack, I'd like to evaluate making 'alpine' the base image and getting python and nginx-unit from there to avoid keeping nginx-unit manually up-to-date.
b31a001 to bfbe6d6
I'm looking forward to when we have this change merged! Getting rid of the separate nginx container and the nginx-config volume hack would mean a lot.
But until then, and in addition to the other comments, we'll have to change the GitHub Action configuration as well. Here we could test with alpine:edge as an alternative build in there probably, but stick to a specific version of Alpine Linux, i.e. alpine:3.12 at the moment, for our regular builds.
As usual, feel free to disagree with any comment, but please state your reason for doing so :) Also feel free to ask for help with the build files.
de55626 to 26bc006
This comment was regarding the following code snippet: push.yml#L20-L23
To be honest, I'm no particular fan of the change of the unitd configuration socket from unix-socket to tcp-socket. I believe it's easier to get wrong, e.g. security-wise. It will also be harder to debug – for us in bug reports, but also for operations personnel – because it'll never be clear in what configuration state a particular container is. I.e. was the configuration manipulated in the meantime?
Or in other words: I'm a fan of containers that are just configured at the start through files/secrets/environment variables, but are otherwise immutable. If the configuration changes, then restart/redeploy the container.
In your commit message (efaabf2) you've argued like this:
With this and the change made to unit in Alpine users can now load certificates into the container and serve Netbox over an encrypted configuration.
I would still argue that this should be the job of a dedicated container, not the job of Netbox. (Its job is to serve the application.) E.g. in Kubernetes there are usually Ingress services taking care of this. Also, the big clouds have services like these. And usually they also take care of load balancing.
To be honest, I'm no particular fan of the change of the unitd configuration socket from unix-socket to tcp-socket. I believe it's easier to get wrong, e.g. security-wise. It will also be harder to debug – for us in bug reports, but also for operations personnel – because it'll never be clear in what configuration state a particular container is. I.e. was the configuration manipulated in the meantime?
Ok, I will revert this change.
We now serve Netbox with an nginx-unit instance instead of Gunicorn. This allows us to get rid of the extra Nginx container because Unit is also serving the static files. The static files are now collected at container build time instead of at every startup.
The build is now based on alpine:3.13, so I think we could go forward with a release.
We will need more text in the release notes:
We will also have to make quite some changes to the wiki to explain how the virtual env works (or at least that it's there) and how people can now build custom containers that include their plugins.
Related Issue: -
New Behavior
Contrast to Current Behavior
Discussion: Benefits and Drawbacks
Removes Nginx container and with that the need to
In the current version Nginx Unit is built from source, so the build will take a little bit longer
Changes to the Wiki
Proposed Release Note Entry
docker-compose.override.yml must be changed to forward traffic directly to the Netbox container
/opt/netbox/venv
Double Check
develop branch.