Skip to content

Latest commit

 

History

History
130 lines (100 loc) · 8.25 KB

README.md

File metadata and controls

130 lines (100 loc) · 8.25 KB

Base

Base Docker image from which almost all others are derived. It is not meant to be run on its own.

It's based off off Alpine Linux, and includes s6 overlay and confd.

Dependencies

Requires alpine

Settings

Confd Settings

The following environment variables cannot be provided by confd as they drive it's configuration, they must be set on each container as environment variables.

Environment Variable Default Description
CONFD_BACKEND env The backend to use for confd only env, and etcd are supported at the moment
CONFD_ENABLE_SERVICE false If true confd will run continuously rather than just on startup.
CONFD_LOG_LEVEL error The log level to use when executing confd
CONFD_POLLING_INTERVAL 30 Time in seconds between runs of confd when enabled as a service
ETCD_CONNECTION_TIMEOUT 0 Timeout to wait for a connection to etcd
ETCD_HOST etcd The host where etcd, can be found
ETCD_PORT 2379 The port where etcd can be accessed

Users do not require etcd to run the containers, environment variables can be used instead for simplicity.

Certificate Settings

If using development certificates for local development, they can be made available within the containers using the following environment variables.

Environment Variable Default Description
CERT_PUBLIC_KEY Primarily used for development. If provided the certificate will be registered inside of the container such that curl, etc accepts the certificate as valid.
CERT_AUTHORITY Primarily used for development. If provided the authority is registered with the java, so that requests originating from Java accept the public certificate.

For example if generating certificates locally with mkcert for local development, and using islandora.dev as the primary domain.

N.B islandora.dev just redirects back to 127.0.0.1.

mkcert -install
mkcert \
  -cert-file cert.pem \
  -key-file privkey.pem \
  "*.islandora.dev" \
  "islandora.dev" \
  "localhost" \
  "127.0.0.1" \
  "::1"

This will generate cert.pem which can be use as CERT_PUBLIC_KEY and rootCA.pem can be used for CERT_AUTHORITY. rootCA.pem can be found at the path printed by using the command mkcert -CAROOT.

Now requests originating within the container will accept the development certificate as geniune.

N.B. This is not required for production sites or certificates that are publically available.

JWT Settings

Many services that connect to Drupal / Fedora authenticate via JWT. Please see the Islandora documentation for JWT Authentication, and the Syn project for more details. The base image includes these environment variables to reduce duplication.

Environment Variable Confd Key Default Description
JWT_ADMIN_TOKEN /jwt/admin/token islandora Used for bearer authentication (Only use with HTTPS or over private networks)
JWT_PRIVATE_KEY /jwt/private/key @see base/rootfs/etc/defaults/JWT_PRIVATE_KEY Private key for JWT authentication, RSA PEM Format is expected (should only be used in the Drupal container)
JWT_PUBLIC_KEY /jwt/public/key @see base/rootfs/etc/defaults/JWT_PUBLIC_KEY Public key for JWT authentication

To generate a private public / private key pair use the following.

ssh-keygen -q -t rsa -m pem -f /tmp/JWT -N ""

This produces two files /tmp/JWT and /tmp/JWT.pub. Which can be used for JWT_PRIVATE_KEY and JWT_PUBLIC_KEY respectively. The format is RSA PEM, without a password. Do not share these files keep their contents hidden.

The public/private key pair and Syn configuration are placed in /opt/keys and are only readable by the jwt group, if your service needs to read these files add jwt as a secondary group to your service user.

Database Settings

Many services can work with multiple backends, to this end the DB_DRIVER setting is used to determine which of the backend specific environment variables to use. For example if DB_DRIVER is equal to mysql then the DB_MYSQL_HOST and DB_MYSQL_PORT variables will be used when connecting to the backend.

Environment Variable Confd Key Default Description
DB_DRIVER /db/driver mysql The database driver to use by default, only mysql and postgresql are supported at this time
DB_HOST /db/host The database host to use. The default value is derived from DB_DRIVER if not specified
DB_MYSQL_HOST /db/mysql/host mariadb The default database host if DB_DRIVER is mysql
DB_MYSQL_PORT /db/mysql/port 3306 The default database port if DB_DRIVER is mysql
DB_NAME /db/name default The name of the default database if no other is specified
DB_PASSWORD /db/password password The password of the user used by the service (e.g. Drupal) to connect to the database
DB_PORT /db/port The database port to use. The default value is derived from DB_DRIVER if not specified
DB_POSTGRESQL_HOST /db/postgresql/host postgresql The default database host if DB_DRIVER is postgresql
DB_POSTGRESQL_PORT /db/postgresql/port 5432 The default database port if DB_DRIVER is postgresql
DB_ROOT_PASSWORD /db/root/password password The root user password
DB_ROOT_USER /db/root/user root The root user, which is used only on startup to create database / user in the chosen backend
DB_USER /db/user default The user used by the service (e.g. Drupal) to connect to the database

N.B. For all of the settings above, images that descend from this image can apply a prefix to every setting. So for example DB_NAME would become FCREPO_DB_NAME. This is to allow for different settings on a per-service basis when sharing the same confd backend.