-
-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge after #1160 - Docker - update to using Ubuntu 20.04 + minor changes related to recent PRs #1242
Merge after #1160 - Docker - update to using Ubuntu 20.04 + minor changes related to recent PRs #1242
Conversation
Additional Ubuntu packages: libcgi-pm-perl (for CGI::Cookie) libdbd-mariadb-perl (for alternate DB connector) iputils-ping (prevents ping during startup from failing) imagemagick (needed by openwebwork/pg#541) docker-compose.yml: * Set fixed container names (so names will not depend on name of directory where docker-compose is being run. * Sample lines to use some new sample DB config files + brief comments. * Sample line to make host /etc/localtime read-only available to the DB container. * Sample ulimits + timezone lines for the DB container. * Set the Docker container to mount the updated Lite.pm with the UTF-8 patch. * Sample lines to use either DB connector. Default remains the "old" DBD::mysql driver. * Modify the bottom "main" volumes section, so fixed persistant volumes are used for the OPL and the DB storage, regardless of the directory name where docker-compose is run.
I think it would be a good idea to add I will try to take a deeper look at the rest of this. |
…code to work, and a comment explaining how to enable it via the prepared sample line in docker-compose.yml.
Since we think that making that change involves a potential security risk if some malicious PDF file were to be processed (somehow) - I think it is better to force the end user to actively enable that change. I set up such an option in the newly added second commit. |
I agree that it is better to be optional. However, there has to be better way to do it than adding the entire policy.xml file for a single word change. |
I cannot think of anything simple which requires minimal effort for the end user.
I prefer to minimize repeated work on each startup, so don't like the second option. Many of the current and potential Docker users start off as newbies to Docker (so did I) and may find the process challenging when they get started and choose to ignore it until the issue makes problems. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems that there is a lot of work to do on getting webwork ready to go for using the docker install in production. This pull request perhaps addresses some of that. Of course one of the biggest things needed is better documenation, but that is another matter.
One thing that needs to be done is to rename docker-compose.yml
to docker-compose.yml.dist
. That is a file that someone using the docker installation will need to modify, and so directions should specify to copy the .dist file as usual. The .env
file also needs to be renamed to .env.dist
as that file will also need to be modified for a production installation. Most of the files in the docker_config directory will needs this as well. It is debatable as to if the Dockerfile
should also be renamed in this way.
The current instructions on the wiki state to build the container using docker build .
. However, as we are using docker-compose.yml
, this should be docker-compose build
. This is the proper way to build the container when using a docker-compose.yml
file. If building in this way it also adds to what you can do in terms of configuration via the docker-compose.yml
file. For example, you can use the options to the build
. You could add args
that apply at build time and are used in the Dockerfile
.
There is no need to add the entire Lite.pm
file or the ImageMagick-6/policy.xml
file.
For the Lite.pm
file, that change is always done, so just modify the file in the Dockerfile
. There are ways this can be done without including the entire Lite.pm
file in the repository. There is a much bigger issue here though. That is why is this being done at all? If there is an issue that need this change, then what is it? This is just thrown in here with no rationale. If this change is needed, then this will also need to be documented for those that are not using a docker install. The limits.conf, mariadb.cnf, and my.cnf files added here need explanation as well for those installing without the docker approach.
For the policy.xml
file the pdf read policy should be optional as we have already discussed. One way that this can be implemented without importing the entire linux distribution file that is convenient for the end user, and does not require anything added to the docker-entrypoint.sh
script is to utilize build
args
in the docker-compose.yml
file. Of course, this involves switching to using docker-compose build
. Build args can still be utilized even if that switch is not made, but can be passed on the command line. They would just need to be documented.
There is another issue with how the webwork.apache2.4-config file is added to the docker build. The way that is done in the Dockerfile does not allow for customization by the system administrator. That is necessary. Even with the docker build there is no one size fits all for that file.
Also, this pull request should not be merged until after #1160.
Although I tested on my local Docker setup with the Unfortunately, I will not have more time to work on / test this until next week. |
and resolve conflict in Dockerfile.
A simple Docker user can just use the file as is, and until now it has been distributed as
I think the goal at present was to make starting to use WW via Docker as simple as possible, and the https://github.com/openwebwork/webwork2/wiki/Docker-newbie-instructions assume that this is how things are. For now, I would prefer to leave things more or less as is, and consider how to change the Docker setup in the future.
Fixed. I've been doing this in practice for a long time, and did not recall that the documentation still had
Fixed.
I agree that a better approach would be good, but it should happen once at image build time, and at present I don't have time to work on creating code in the
Needed for UTF-8 support in XMLRPC. Covered elsewhere in GitHub discussions. This is just thrown in here with no rationale. If this change is needed, then this will also need to be documented for those that are not using a docker install. The limits.conf, mariadb.cnf, and my.cnf files added here need explanation as well for those installing without the docker approach.
If you can make a PR to my branch to do this, I'll test and merge it.
Before my time, and I think most real local modification is best done by creating fixed local config files and mounting them via |
A copy command or two is not complicated. Until this is done we are saying that the Docker approach is not ready for production yet. If that is our current status, then we can leave it the way it is. If the Docker approach is ready to be used in production though, then this needs to change now.
Can you provide a reference? I have not found any reference to this in any GitHub discussions.
I will try to put in a pull request that implements a mechanism for changing the
This is okay. You can mount via |
For I'm not sure how to conditionally change the
I'm running several WW "servers" via Docker, as apparently are a few other people (UBC and people who have corresponded with me). As far as I know, minor tuning via
Thanks.
Yes - and that is what I do. The many commented out sample lines in |
I was referring to copying
You and a few other people may be using it in this way. That doesn't change anything about production readiness. If there is widespread usage of Docker and this change is not made, there are going to be upgrade issues. My statement is still correct and applicable. Again, a simple copy command is not hard to add to the instructions.
Thanks. |
@drgrice1 I don't claim to be a huge Docker expert, but I do find it to make running several servers which all run somewhat modified versions of WW to be quite reasonable to handle. Please read @xcompass's post at #972 (comment) where he explains some of the original decisions for how the WW Docker support was set up, and the discussion thread there. For more historical perspective please also have a look at
About the file inclusion - carrying a few small "extra" files in the repository vs. the effort in coding a method to recreate the customized files is a matter of cost-benefit. From my perspective, several files totally a few KB of data is "cheaper" than the developer effort needed to avoid proving the ready customized files. I accept the other two points. I'll try to work on improving the https://github.com/openwebwork/webwork2/wiki/Docker-newbie-instructions and change to Deferred making such changes - see #1242 (comment) For production use - I relocate the "main" Docker config/control files (and all other local modifications) elsewhere, and set the
Accept this point and will implement some of the proposed changes soon. Deferred making such changes - see #1242 (comment) |
I also use a Docker files that are not in the webwork2 location when testing things. I modify the docker file to not pull anything from git, and to use the clones already available on my system among other things. I think that we can defer the I did some more research on the imagemagick policy issue. It seems that the reason for the policy was due to a bug in ghostscript, and that bug has been fixed as of version 9.24 (Ubuntu 20.04 has version 9.50 and Ubuntu 18.04 has version 9.26). So there is no real security issue with always enabling that pdf read policy. |
OK - thanks.
I looked there, also at https://www.kb.cert.org/vuls/search/?q=Ghostscript which is not showing newer issues with Ghostscript. I agree with your assessment that at present it seems safe to make the change to |
Dockerfile instead. Also a bit of tweaking of the Dockerfile. Set the args `WEBWORK2_GIT_URL`, `WEBWORK2_BRANCH`, `PG_GIT_URL`, and `PG_BRANCH` in docker-compose.yml instead of in the Dockerfile. Also, don't convert those to environment variables. That isn't needed. This requires that `docker-compose build` is used rather than `docker build .`.
Change Lite.pm and ImageMagick-6-policy.xml via patches in Dockerfile (and another small change)
I noticed that the Dockerfile is still installing CGI::Cookie via cpanm. It should now install the Ubuntu package libcgi-pm-perl. Edit: I see that the libcgi-pm-perl package is installed. So just delete the installation of GCI::Cookie via cpanm. And also the comment about it and Ubuntu 18.04. |
… so there is no need to install via CPAN. Also drop an old comment.
Just done. @drgrice1 - Thanks for noticing this omission. |
Also, it seems that the docker-entrypoint.sh handling of site.conf needs to be updated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. This definitely needs to be merged before the release. The default docker build is broken without it.
I am going to go ahead and merge this. |
Update to using Ubuntu 20.04 as base OS image.
Additional Ubuntu packages:
libcgi-pm-perl
(forCGI::Cookie
)libdbd-mariadb-perl
(for alternate DB connector)iputils-ping
(prevents ping during startup from failing)imagemagick
(needed by Add options to add TeX libraries and add to the TeX preamble in the PGtikz.pl macro pg#541)docker-compose.yml
:Set fixed container names (so names will not depend on name of directory where docker-compose is being run.
Sample lines to use some new sample DB config files + brief comments.
Sample line to make host
/etc/localtime
read-only available to the DB container.Sample ulimits + timezone lines for the DB container.
Set the Docker container to mount the updated Lite.pm with the UTF-8 patch.
Sample lines to use either DB connector. Default remains the "old" DBD::mysql driver.
Modify the bottom "main" volumes section, so fixed persistent volumes are used for the OPL and the DB storage, regardless of the directory name where docker-compose is run.