Prod docker containers #93
Conversation
There was a problem hiding this comment.
Nice work! Good to see that many concepts we discussed end up in this PR.
I've added some remarks in the code. I will also do some testing locally, to see if we can actually get something up & running.
php72 + FPM -> PHP 8.x + apache module is something we need yet to discuss
| build-push-docker-image: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| packages: write |
There was a problem hiding this comment.
Cool! I did not know this feature yet
There was a problem hiding this comment.
Glad you find it useful :)
| ghcr.io/openconext/stepup-webauthn/stepup-webauthn:prod | ||
| ghcr.io/openconext/stepup-webauthn/stepup-webauthn:${{ github.sha }} | ||
|
|
||
| - name: Build and push the Development image |
There was a problem hiding this comment.
For discussion: If all php dev images are the same (apache + php + xdebug) we might publish one container to rule them all in the basecontainers project
There was a problem hiding this comment.
Agreed! I like this proposal that we also discussed in today's meeting. I suggest we take a look at the end, if all the applications are very similar, this might be very useful.
docker/Dockerfile.prod
Outdated
| FROM ghcr.io/openconext/openconext-basecontainers/php72-fpm-apache2:latest | ||
| ENV SYMFONY_ENV=prod | ||
| RUN rm -rf /var/www/html/* | ||
| COPY --from=php-build /var/www/html/archive.tar /var/www/html |
There was a problem hiding this comment.
Nico optimization, this beats specifying all dirs from the build container
There was a problem hiding this comment.
\o/ Glad you like it!
| @@ -0,0 +1,31 @@ | |||
| <Virtualhost *:80> | |||
| ServerName webauthn | |||
There was a problem hiding this comment.
Thought for a later time: We could base the servername on a provided env_var
There was a problem hiding this comment.
Very true! Like we discussed, we might make a shared config template based on env vars. And for "hostname" specifically, it could be generic (I think it accepts "*" or something like that, need to remember and look it up).
docker/conf/webauthn-fpm-pool.conf
Outdated
| [www] | ||
| ;Logs can be sent to stdout / err or to a file | ||
| ;access.log = /proc/self/fd/2 | ||
| access.log = /usr/local/var/log/php-fpm-access.log |
There was a problem hiding this comment.
Let's leave it out. I don't like files in containers, they tend to be deleted.
Also, docker(-compose) logs provides a more standardized way to get your logs
There was a problem hiding this comment.
Hmmm, I added this specifically to make the tail -f command from the start script easier to read: it now follows both the apache and the php-fpm logs and it adds that nice header to tell you from which log (and daemon) the messages are coming from.
Check it out, try to use it and see how you like it. If you still think it is a bad idea after that, we can remove it and find another way.
quartje
force-pushed
the
prod-docker-containers
branch
2 times, most recently
from
d3ebca7 to
f4ccdda
Compare
|
I have rebased this branch on the docker_config branch so that we can test the build. |
MKodde
force-pushed
the
prod-docker-containers
branch
from
a50fa2a to
01bd6a0
Compare
|
Hi @danakim, I've taken the liberty to rebase your PR onto my JS/PHP dependency updates PR. That way, this PR should start getting some ✔️ |
quartje
force-pushed
the
prod-docker-containers
branch
from
c4452fe to
324dac6
Compare
|
@MKodde - thanks for this! I like seeing those green check marks :D |
phavekes
force-pushed
the
develop
branch
4 times, most recently
from
b817a6a to
4e936d9
Compare
release in stead of building it again.
The development environment is being ported to Docker. To allow different containers work seamless together, all apps will contain a default configuration that works with the configuration in other containers. Shared config and key material is fetched from the OpenConext-devconf repository.
Before with PHP-FPM we did not need to do a "require all granted" within <Location> tags. With Apache as a module we do need it.
…using all tools from with Docker
This duplicates what's happening in OpenConext-devconf
We utilize the Github Dependabot integration for security checking.
We utilize the Github Dependabot integration for security checking.
The gesture (buttonpress) is no longer required to start the WebAuthn session with the browser. This is a revert of the original behavior. But the button remained on the page for users of an old unsupportive browser. See https://www.pivotaltracker.com/story/show/184695105
This will let the logs go to stdout when running as a container, which is the Docker way to send logs
MKodde
force-pushed
the
prod-docker-containers
branch
from
f242a37 to
d1661fa
Compare
Based on the ticket here: https://www.pivotaltracker.com/story/show/184571497