chore: update docker-compose.yml #15286
Kudos, SonarCloud Quality Gate passed!
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #15286 +/- ##
============================================
+ Coverage 65.83% 66.24% +0.40%
- Complexity 30925 31254 +329
============================================
Files 3483 3485 +2
Lines 129139 129791 +652
Branches 15046 15145 +99
============================================
+ Hits 85015 85975 +960
+ Misses 37076 36735 -341
- Partials 7048 7081 +33
Flags with carried forward coverage won't be shown. See 261 files with indirect coverage changes.
I would recommend creating a copy of the original docker compose file and naming it docker-compose.production.yml and make that the target of your updates. Having both docker compose files in this PR makes sense as we want to apply some of these changes to the original as well.
It might be beyond the scope of this PR but at some point we should probably supply some guidelines for log aggregation and backup.
https://docs.docker.com/storage/volumes/#back-up-restore-or-migrate-data-volumes
https://docs.docker.com/compose/compose-file/compose-file-v3/#logging
docker-compose.yml
Outdated
@@ -2,32 +2,35 @@ version: "3.8" | |||
|
|||
services: | |||
web: | |||
image: "${DHIS2_IMAGE:-dhis2/core-dev:local}" | |||
image: "${DHIS2_IMAGE:-dhis2/core}" |
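Review bot: the new default on the `web` service, `${DHIS2_IMAGE:-dhis2/core}`, has no tag, so whenever DHIS2_IMAGE is unset Compose resolves it to `dhis2/core:latest` and the deployed version depends on when the pull happened. For a production file, either put a fixed release tag (or a digest) in the default, or drop the default and use the required-variable form `${DHIS2_IMAGE:?set DHIS2_IMAGE to a pinned tag}` so an unset variable fails the run instead of silently pulling latest.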
A tag should be used here so we're not just pulling latest.
Perhaps use an environment variable, so we don't have to update the docker compose file, if we want to run a different version.
docker-compose.yml
Outdated
|
||
db: | ||
image: ghcr.io/baosystems/postgis:12-3.3 | ||
image: postgis/postgis |
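Review bot: the `db` image goes from `ghcr.io/baosystems/postgis:12-3.3` to a bare `postgis/postgis`, which drops the `12-3.3` version pin. An untagged reference follows `latest`, so a later pull can bring in a different PostgreSQL major version than the one that initialised the existing data directory, and the server will not start on it. Keep an explicit tag on whichever image is chosen, and consider a digest for the production file.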
Why use this image?
I would recommend this one which is also what we're using on Kubernetes.
Regardless of which image we're using, a tag should be present so we're not just using latest.
Just a quick note here - the postgis/postgis image won't suffice, as it's only built for linux/amd64 and we want this Docker compose file to also be usable by developers with the new Mac M* chips.
The ghcr.io/baosystems/postgis one is built for linux/arm64 as well and it provides some convenience, as we don't need to install postgis separately (like we do here for the dhis2-db stack in the IM), but it might actually be better to streamline this for consistency. 👍
@radnov @Philip-Larsen-Donnelly, as per previous discussions and as far as I understand this task, we are going to prepare and secure a docker-compose setup for production. So we should not use any third-party components or custom images, nor target Macbooks.
An image for developers (or anything following dev, but not stable branch, can use any images).
@michael-markevich Right, I should have been a bit more clear - the postgis/postgis image won't suffice for the developer docker compose file.
Still, it might be worth having the image we recommend for production use be the same one we use in the Instance Manager, as it has been tested the most. Technically, postgis/postgis is also a custom image, the "official" one is https://hub.docker.com/_/postgres.
docker-compose.yml
Outdated
ports: | ||
- 127.0.0.1:5432:5432 | ||
volumes: | ||
- db-dump:/docker-entrypoint-initdb.d/ | ||
- postgresql:/var/lib/postgresql | ||
environment: | ||
POSTGRES_USER: dhis |
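Review bot: under `environment:` the database account is written as a literal (`POSTGRES_USER: dhis`) in a file that is committed, so every deployment that uses the file unchanged shares it. Take the credential values from interpolation instead, for example `POSTGRES_USER: ${POSTGRES_USER:?set in .env}`, so nothing deployment-specific lives in the repository and a missing value stops the start-up rather than falling back to a known default.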
I would recommend a stronger password here and the usage of a .env file.
The pattern we're using on the IM projects is to have a committed .env.example file in the root of the project which serves as an example. The readme and the file itself can contain some instructions if needed.
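The two recurring review points in this thread (images referenced without a tag, and credentials written literally into the compose file) can be checked mechanically before merge. The script below is an added example, not part of this PR or the DHIS2 repository; the compose text is a constructed sample, and `lint_compose` and `image_is_pinned` are hypothetical names.

```python
import re

# Constructed sample mirroring the lines under review (not the project's actual file).
SAMPLE_COMPOSE = '''\
services:
  web:
    image: "${DHIS2_IMAGE:-dhis2/core}"
  db:
    image: postgis/postgis
    environment:
      POSTGRES_USER: dhis
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set in .env}
'''

IMAGE_RE = re.compile(r'^\s*image:\s*["\']?(?P<ref>[^"\'#\s]+)')
# ${VAR:-default} or ${VAR-default}: Compose falls back to the default when VAR is unset.
DEFAULT_RE = re.compile(r'^\$\{\w+:?-(?P<default>[^}]*)\}$')
SECRET_KEY_RE = re.compile(r'^\s*-?\s*(?P<key>\w*(USER|PASSWORD|SECRET|TOKEN)\w*)\s*[:=]\s*(?P<val>\S.*)$')


def image_is_pinned(ref):
    """True when the reference carries a digest or a tag other than latest."""
    if '@sha256:' in ref:
        return True
    last = ref.rsplit('/', 1)[-1]  # a ':' before the last '/' is a registry port, not a tag
    if ':' not in last:
        return False
    return last.rsplit(':', 1)[1] not in ('', 'latest')


def lint_compose(text):
    """Return (line number, rule, value) for unpinned images and literal credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if m:
            ref = m.group('ref')
            d = DEFAULT_RE.match(ref)
            if d:
                ref = d.group('default')  # judge what is pulled when the variable is unset
            elif ref.startswith('${'):
                continue  # no default: the value must come from the environment
            if not image_is_pinned(ref):
                findings.append((lineno, 'unpinned-image', ref))
            continue
        s = SECRET_KEY_RE.match(line)
        if s and not s.group('val').strip('"\'').startswith('${'):
            findings.append((lineno, 'literal-credential', s.group('key')))
    return findings
```

The check is line-based and does not parse YAML, so it suits a pre-commit or CI gate on a conventionally formatted compose file rather than arbitrary YAML.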
@tonsV2 @radnov @Philip-Larsen-Donnelly
In a nutshell, if both files are present, calling |
This PR has not seen any activity in the last 5 months. The PR will be closed in 30 days if the stale label is not removed. Please note that this is an automated message and we might very well be the reason why there has not been any activity lately. Please remove the stale label if you would like to continue working on the PR. Make sure that you have requested a review by a dev or a team https://github.com/orgs/dhis2/teams. |
Based on the security assessment results (https://dhis2.atlassian.net/browse/SEC-48), I suggest updating the docker-compose.yml to move the composer configuration to the production setup. This includes using the official Postgis repository, an additional health check and security options, and a clean setup without a demo database and debugging.
The current docker-compose.yml can still be used for development purposes.