Michael Brown [Thu, 9 Apr 2020 17:52:38 +0000 (13:52 -0400)]
Add hash checks to downloaded source files
* we had one in place for redis but nowhere else
Michael Brown [Thu, 9 Apr 2020 17:51:21 +0000 (13:51 -0400)]
Bump ImageMagick and nginx versions
Michael Brown [Thu, 9 Apr 2020 01:47:50 +0000 (21:47 -0400)]
Move openssh-server from the base image to the sshd template
Michael Brown [Thu, 9 Apr 2020 01:47:28 +0000 (21:47 -0400)]
Prevent unused packages from being pulled into the base image
* e.g. X11 libraries, mysql libraries, mailutils, NTLM libraries
Justin DiRose [Wed, 11 Mar 2020 18:55:10 +0000 (13:55 -0500)]
FEATURE: Give option to publish log file publicly (#459)
Mark Vainomaa [Wed, 11 Mar 2020 06:52:51 +0000 (08:52 +0200)]
FEATURE: Don't use fully qualified path for bash in host (#458)
Gerhard Schlager [Mon, 2 Mar 2020 16:08:19 +0000 (17:08 +0100)]
Unfreeze Gemfile in import templates
Co-authored-by: Jay Pfaffman <pfaffman@gmail.com>
Sam Saffron [Thu, 27 Feb 2020 04:53:38 +0000 (15:53 +1100)]
DEV: Bump baseimage
This includes updated dependencies required for the codereview plugin and
additional fixes
Daniel Waterworth [Thu, 20 Feb 2020 17:54:39 +0000 (17:54 +0000)]
Add cmake as a base dependency
Rafael dos Santos Silva [Wed, 19 Feb 2020 19:27:34 +0000 (16:27 -0300)]
Early hostname check (#456)
* Move hostname check to earlier in the process
* Provide instruction on hostname check failure
* Fix instruction in case of hostname failure
Ranjan Purbey [Mon, 20 Jan 2020 20:58:20 +0000 (02:28 +0530)]
Update README.md (#455)
Fix indentation at L56
Rafael dos Santos Silva [Mon, 23 Dec 2019 16:36:38 +0000 (13:36 -0300)]
Bump base image
Rafael dos Santos Silva [Mon, 2 Dec 2019 18:16:45 +0000 (15:16 -0300)]
FEATURE: Default to HTTPS
Blake Erickson [Fri, 15 Nov 2019 14:25:07 +0000 (07:25 -0700)]
update mail-receiver version
Gerhard Schlager [Thu, 31 Oct 2019 20:32:49 +0000 (21:32 +0100)]
Try to force certificate issuance on second try
Todd Sharp [Mon, 28 Oct 2019 01:58:56 +0000 (21:58 -0400)]
Change check for linux memory (#452)
* Change check for linux memory
Some VMs clock in at *just under* 1GB, so checking for 1GB of RAM will miss these. Instead, check for MB, divide by 1000 and round up.
* Refine the check_linux_memory function
Be a little more precise and only make an exception for VMs with >= 990MB RAM
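As an added example, not part of this commit or the discourse_docker launcher: a memory check in the shape the message describes. It reads `MemTotal` from a file in `/proc/meminfo` format (passed as a parameter so a constructed file can be used instead of the real one), converts kB to MB by dividing by 1000 and rounding up, and compares against a threshold. The function names and the 990 MB threshold used in the demo are taken from the message; the sample `/proc/meminfo` contents are constructed.

```shell
#!/bin/sh
# Added example (not launcher code): VM-tolerant memory check.
# A VM with 1015512 kB reports 1015.5 MB; rounding UP gives 1016 so it is not
# rejected by a "must have 1 GB" rule that a plain integer division would fail.

# mem_total_mb MEMINFO_FILE: MemTotal in MB (kB / 1000, rounded up).
# Prints nothing if the file has no MemTotal line.
mem_total_mb() {
    awk '/^MemTotal:/ { print int(($2 + 999) / 1000); exit }' "$1"
}

# check_linux_memory MEMINFO_FILE MIN_MB
# Returns 0 when the machine has at least MIN_MB megabytes, 1 otherwise
# (including when MemTotal cannot be read at all, so a broken file never passes).
check_linux_memory() {
    mb=$(mem_total_mb "$1")
    [ -n "$mb" ] || return 1
    [ "$mb" -ge "$2" ]
}

# Demo with a constructed /proc/meminfo (a VM "just under" 1 GB):
demo=$(mktemp)
printf 'MemTotal:        1015512 kB\nMemFree:          123456 kB\n' > "$demo"
echo "reported MB: $(mem_total_mb "$demo")"
if check_linux_memory "$demo" 990; then
    echo "enough memory for the 990 MB rule"
else
    echo "below the 990 MB rule"
fi
rm -f "$demo"
```

On a real host call `check_linux_memory /proc/meminfo 990`; the awk `exit` keeps it to a single line of the file.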
Ruben Homs [Thu, 24 Oct 2019 00:40:36 +0000 (02:40 +0200)]
Make port check optional, add y/n prompt (#448)
romanrizzi [Wed, 16 Oct 2019 18:28:57 +0000 (15:28 -0300)]
Bump base image to update uglifyJS to v3
Roman Rizzi [Thu, 10 Oct 2019 05:17:46 +0000 (02:17 -0300)]
DEV: Bump uglifyjs
We now support uglifyjs version 3 in Discourse core, no need to hold back the upgrade.
Sam Saffron [Thu, 3 Oct 2019 23:59:17 +0000 (09:59 +1000)]
SECURITY: base image updates
- Ruby upgraded from 2.6.4 -> 2.6.5 to address CVEs
- Image Magick from 7.0.8-61 -> 66
- NGINX 1.17.3 -> 4 (bug fixes only)
Daniel Waterworth [Wed, 2 Oct 2019 00:29:19 +0000 (00:29 +0000)]
Check that redis archive matches hash (#450)
Redis is downloaded without TLS
Gerhard Schlager [Tue, 1 Oct 2019 14:59:22 +0000 (10:59 -0400)]
Update MySQL privileges when starting phpBB3 import
MySQL isn't running in the init script yet, so updating the privileges doesn't work. Duh!
Follow-up to 3df237a6
Gerhard Schlager [Tue, 1 Oct 2019 00:20:01 +0000 (20:20 -0400)]
Make phpBB3 import template work with latest image (#449)
Saj Goonatilleke [Fri, 20 Sep 2019 07:43:02 +0000 (17:43 +1000)]
FIX: Pass through stdout when running interactively
Follow up to commit 70aaf45.
Saj Goonatilleke [Wed, 18 Sep 2019 17:58:47 +0000 (03:58 +1000)]
FIX: Never prune Docker volumes
`system prune` on older Docker releases will remove volumes. The
accidental removal of container volumes may result in user data loss.
This patch should ensure that any users on Docker CE <17.06.1 benefit
from the same, safer behaviour enjoyed by users on contemporary Docker
releases.
Jay Pfaffman [Wed, 11 Sep 2019 22:16:50 +0000 (15:16 -0700)]
FIX: Install mariadb lib instead of mysql
Gerhard Schlager [Tue, 10 Sep 2019 00:44:52 +0000 (02:44 +0200)]
Correctly install ECDSA certificate
Follow-up to f6ec21851dcf417c13333179a0f933d1dcc3faa1
Gerhard Schlager [Mon, 9 Sep 2019 23:02:45 +0000 (01:02 +0200)]
FEATURE: Elliptic Curve certificate (#444)
[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends P-256 as the certificate type for intermediate compatibility.
> ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11
Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and an RSA cipher suite.
Rafael dos Santos Silva [Fri, 6 Sep 2019 17:56:14 +0000 (14:56 -0300)]
Bump base image
Rafael dos Santos Silva [Fri, 6 Sep 2019 04:27:17 +0000 (01:27 -0300)]
FIX: Backup Restore was broken because rsync was missing
Rafael dos Santos Silva [Tue, 3 Sep 2019 19:37:14 +0000 (16:37 -0300)]
Make sshd compatible with Debian image
Rafael dos Santos Silva [Mon, 2 Sep 2019 18:15:01 +0000 (15:15 -0300)]
Bump base image
Rafael dos Santos Silva [Fri, 30 Aug 2019 03:59:50 +0000 (00:59 -0300)]
Update ruby to 2.6.4
Jay Pfaffman [Wed, 1 Aug 2018 08:56:20 +0000 (10:56 +0200)]
FEATURE: launcher suggests discourse-doctor on fail
Jay Pfaffman [Fri, 12 Apr 2019 16:04:24 +0000 (09:04 -0700)]
Add commented sections to enable incoming TLS
Use Let's Encrypt certs from app to enable incoming TLS for mail-receiver.
Andrew Schleifer [Wed, 26 Jun 2019 06:24:46 +0000 (14:24 +0800)]
fallocate swapfile instead of dd
Joffrey JAFFEUX [Thu, 9 Aug 2018 21:09:16 +0000 (23:09 +0200)]
spacing
Jay Pfaffman [Wed, 1 Aug 2018 08:40:36 +0000 (10:40 +0200)]
FEATURE: discourse-doctor restart existing container if possible
Rafael dos Santos Silva [Fri, 16 Aug 2019 19:11:28 +0000 (16:11 -0300)]
Update SSL config using Mozilla SSL Intermediate config
Rafael dos Santos Silva [Thu, 22 Aug 2019 20:05:41 +0000 (17:05 -0300)]
Update dependencies
Rafael dos Santos Silva [Mon, 19 Aug 2019 21:34:04 +0000 (18:34 -0300)]
Remove nginx modules from the package manager
Rafael dos Santos Silva [Mon, 19 Aug 2019 18:17:28 +0000 (15:17 -0300)]
On Debian rsyslog is running under root
Rafael dos Santos Silva [Mon, 19 Aug 2019 18:17:01 +0000 (15:17 -0300)]
Revert "Revert "First pass in moving to debian""
This reverts commit 29204e415846c121554d41c34f241f2291e7a587.
Rafael dos Santos Silva [Fri, 16 Aug 2019 21:03:14 +0000 (18:03 -0300)]
Revert "First pass in moving to debian"
This reverts commit 223b69e775c61a7fb05386262281f7fa2f0e9520.
Rafael dos Santos Silva [Tue, 2 Jul 2019 04:40:26 +0000 (01:40 -0300)]
First pass in moving to debian
Rafael dos Santos Silva [Tue, 13 Aug 2019 21:06:56 +0000 (18:06 -0300)]
Update nginx for HTTP2 related CVEs
Saj Goonatilleke [Tue, 6 Aug 2019 23:07:36 +0000 (09:07 +1000)]
Make merge_user_args idempotent (#438)
The `merge_user_args` function may be called more than once within a
single `launcher` process. e.g.: on `launcher rebuild ...`:
```
[main] -> rebuild -> run_bootstrap -> set_template_info -> merge_user_args
[main] -> rebuild -> run_start -> set_template_info -> merge_user_args
```
If the user had included a `docker_args` map key in their container
YAML, the `user_args` global would be incorrectly populated with
duplicate docker CLI flags.
https://meta.discourse.org/t/-/123696
Fixes a regression introduced in https://meta.discourse.org/t/-/49401/9
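As an added example, not the launcher's own `merge_user_args` implementation: the duplication bug described in this commit next to an idempotent version. Both operate on the shell globals `user_args` (the CLI flags) and `docker_args` (the map key from the container YAML, here a constructed value); the helper variable `user_args_base` is an assumption introduced for the fix.

```shell
#!/bin/sh
# Added example (not launcher code): merging docker_args into user_args.
# Globals, as in a launcher-style script:
#   docker_args    flags read from the container YAML "docker_args" key
#   user_args      flags passed on the command line, later merged
#   user_args_base the CLI flags as first seen (assumed helper, added for the fix)

# Buggy form: every call prepends docker_args again. Called twice (bootstrap
# and start both go through set_template_info), each flag appears twice.
merge_user_args_buggy() {
    if [ -n "$docker_args" ]; then
        user_args="$docker_args $user_args"
    fi
}

# Idempotent form: capture the original CLI flags once, then rebuild the merged
# string from that fixed base on every call. N calls give the same result as one.
merge_user_args() {
    if [ -z "${user_args_base+set}" ]; then
        user_args_base=$user_args
    fi
    if [ -n "$docker_args" ]; then
        user_args="$docker_args $user_args_base"
    else
        user_args=$user_args_base
    fi
}

# Demo with constructed values, calling each form twice as a rebuild would:
docker_args="--shm-size=512m -e LANG=en_US.UTF-8"
user_args="-e test=1"
merge_user_args_buggy; merge_user_args_buggy
echo "buggy:      $user_args"
user_args="-e test=1"
unset user_args_base
merge_user_args; merge_user_args
echo "idempotent: $user_args"
```

Duplicated flags are not always harmless: a repeated `-p` or `-v` changes what the container publishes or mounts, which is why the merge should be rebuilt from a fixed base rather than accumulated.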
Andrew Schleifer [Thu, 1 Aug 2019 04:05:00 +0000 (12:05 +0800)]
remove unrelated comment
SSH was long ago moved into a different template
Gerhard Schlager [Thu, 27 Jun 2019 08:45:16 +0000 (10:45 +0200)]
Bump base image
Gerhard Schlager [Tue, 25 Jun 2019 08:53:51 +0000 (10:53 +0200)]
Update ImageMagick
Rafael dos Santos Silva [Wed, 19 Jun 2019 18:38:47 +0000 (15:38 -0300)]
FIX: Make storage detection compatible with docker 19.x
Sam Saffron [Tue, 18 Jun 2019 06:14:38 +0000 (16:14 +1000)]
DEV: bump dependencies
- new ImageMagick
- new NGINX moved to stable from mainline
- new Redis
- new PNG Quant
- updated libjemalloc
Matic Mežnar [Sun, 16 Jun 2019 23:47:03 +0000 (01:47 +0200)]
Repo key should be downloaded securely (#432)
Penar Musaraj [Fri, 14 Jun 2019 12:40:57 +0000 (08:40 -0400)]
Include official plugins and install their gems in discourse_test (#431)
Michael Brown [Mon, 10 Jun 2019 17:24:22 +0000 (13:24 -0400)]
FIX: we cannot prompt for user input if we have no tty
Guo Xiang Tan [Tue, 21 May 2019 05:38:28 +0000 (13:38 +0800)]
Update to `discourse/base:2.0.20190505-2322`.
Old base images carry test gems in the production env.
Régis Hanol [Wed, 15 May 2019 20:06:24 +0000 (22:06 +0200)]
COPY: remove unsupported storage drivers from warning message
Penar Musaraj [Tue, 14 May 2019 19:37:47 +0000 (15:37 -0400)]
FIX: Correctly match when protocol-less CDN is used
Jeff Atwood [Fri, 10 May 2019 21:08:46 +0000 (14:08 -0700)]
remove btrfs and overlay from "safe" storage drivers
Stephen [Tue, 7 May 2019 11:45:22 +0000 (04:45 -0700)]
Update bash path (#430)
Call the default bash for the environment.
Gerhard Schlager [Mon, 6 May 2019 12:55:25 +0000 (14:55 +0200)]
Update base image
It updates Ruby, nginx, ImageMagick, libpng, gifsicle and Node.js
Guo Xiang Tan [Fri, 3 May 2019 04:52:31 +0000 (12:52 +0800)]
Set the right RAILS_ENV for other base images.
Follow up to c2c7a3d8f3aad26b0b1aea30eb5bf475d910ebc2.
Guo Xiang Tan [Fri, 3 May 2019 01:44:09 +0000 (09:44 +0800)]
Set RAILS_ENV for base image.
We can't boot the Rails app if it tries to require development
dependencies.
Guo Xiang Tan [Thu, 2 May 2019 02:18:59 +0000 (10:18 +0800)]
FIX: Don't install test gems in production.
This fixes an incorrect usage of the `--without` option.
As per the documentation, it takes groups separated by a space `--without=GROUP[ GROUP...]`. Specifying the option twice meant we were overriding the first, which led to this bug.
Gerhard Schlager [Sat, 27 Apr 2019 08:08:16 +0000 (10:08 +0200)]
Update dependencies (#429)
* Ruby 2.6.3 which has a couple of Unicode improvements
* nginx from 1.5.9 to 1.5.12 (http://nginx.org/en/CHANGES)
* ImageMagick 7.0.8-42 and switch it back to using GitHub, because only the latest release is available on the official site and this regularly breaks our build
* libpng from 1.6.36 to 1.6.37 (security fix)
* gifsicle from 1.91 to 1.92 (http://www.lcdf.org/gifsicle/changes.html)
* Node.js v10, the latest active LTS (https://nodejs.org/en/about/releases/)
Geoff Reedy [Fri, 26 Apr 2019 08:25:27 +0000 (02:25 -0600)]
Use HEAD instead of @ shortcut for git in launcher (#428)
The abbreviation @ for HEAD was added in git 1.8.5. The launcher claims to be compatible with git version 1.8.0 but the use of this abbreviation breaks this compatibility. This change is needed to support RHEL 7.6 which has only git 1.8.3.1.
Guo Xiang Tan [Mon, 22 Apr 2019 03:02:10 +0000 (11:02 +0800)]
Update imagemagick to 7.0.8-41.
Guo Xiang Tan [Sat, 20 Apr 2019 01:03:19 +0000 (09:03 +0800)]
Run `bundle install` with 4 jobs.
Guo Xiang Tan [Mon, 15 Apr 2019 01:23:58 +0000 (09:23 +0800)]
Bump patch for imagemagick again.
Sam Saffron [Thu, 11 Apr 2019 02:43:55 +0000 (12:43 +1000)]
FEATURE: brotli support is not conditional
Due to changes in the core (backported to stable) all brotli support
is unconditional.
No need to carry any special logic here.
Guo Xiang Tan [Mon, 8 Apr 2019 00:14:46 +0000 (08:14 +0800)]
Bump imagemagick to 7.0.8-39.
Sam Saffron [Wed, 3 Apr 2019 06:01:48 +0000 (17:01 +1100)]
FIX: no longer allow protocol-less CDN
DISCOURSE_CDN_URL starting with `//` can lead to problems. Avoid allowing
people to enter it.
Guo Xiang Tan [Tue, 2 Apr 2019 08:05:00 +0000 (16:05 +0800)]
Add missing lines due to bad commit in 40fd876d1edb1a376a4eb592c9de4a178352a760.
Guo Xiang Tan [Tue, 2 Apr 2019 07:57:30 +0000 (15:57 +0800)]
Set `force_https` to true when Let's Encrypt cert checks out OK.
sau226 [Tue, 2 Apr 2019 07:04:21 +0000 (15:04 +0800)]
Bump acme.sh to 2.8.0 (#425)
Bump script for more API options, ACME v2 wildcard certs and bug fixes
Guo Xiang Tan [Thu, 28 Mar 2019 06:30:14 +0000 (14:30 +0800)]
Update imagemagick patch version.
Sam Saffron [Thu, 28 Mar 2019 01:22:09 +0000 (12:22 +1100)]
Update base image to Ruby 2.6.2 based image
Following extensive internal testing it is time to update our common base
image to 2.6.2 based one.
This also updates various libraries, nginx and so on.
Gerhard Schlager [Mon, 25 Mar 2019 14:24:58 +0000 (15:24 +0100)]
Remove chromedriver; import script installs latest version
Sam Saffron [Thu, 21 Mar 2019 00:38:43 +0000 (11:38 +1100)]
Pull ImageMagick and libpng from official site
previously we were taking stuff from GitHub which is often out-of-date
Sam Saffron [Thu, 21 Mar 2019 00:12:29 +0000 (11:12 +1100)]
oops, 1.6.37 is not tagged yet use 36
Sam Saffron [Wed, 20 Mar 2019 23:46:05 +0000 (10:46 +1100)]
Update dependencies
Including minor upgrades for redis, ruby, image magick, libpng
One notable thing here is that I removed the SHA check from redis
I am not against checking SHA but we need to explode if it fails and do
something far more consistent across our various downloads
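As an added example, not part of any of these commits or the discourse_docker image templates: a single verification helper of the kind the three hash-related messages call for ("Check that redis archive matches hash", "Add hash checks to downloaded source files", and this one's point that a failed check must explode rather than continue). The pinned digest, file names and URL are constructed; `curl`, `sha256sum` and `shasum` are the real tools the helper relies on.

```shell
#!/bin/sh
# Added example (not image template code): pin-and-verify for downloaded sources.
# A download over plain HTTP (as the redis archive was) or a CDN can be swapped
# in transit; a pinned SHA-256 turns that into a loud build failure.

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE hashes to EXPECTED_HEX; prints both digests on mismatch.
verify_sha256() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "HASH MISMATCH for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verified URL EXPECTED_HEX DEST
# Download, verify, and on any failure delete the file and exit non-zero so the
# image build stops here instead of compiling an unverified archive later.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    curl -fsSL -o "$dest" "$url" || { echo "download failed: $url" >&2; exit 1; }
    verify_sha256 "$dest" "$expected" || { rm -f "$dest"; exit 1; }
    echo "verified: $dest"
}

# Demo with a constructed file, no network: an empty file has a well-known digest.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
demo=$(mktemp)
: > "$demo"
verify_sha256 "$demo" "$EMPTY_SHA256" && echo "ok: empty file verified"
printf 'tampered\n' > "$demo"
verify_sha256 "$demo" "$EMPTY_SHA256" 2>/dev/null || echo "refused tampered file (as intended)"
rm -f "$demo"
```

In a template the call would look like `fetch_verified "$REDIS_URL" "$REDIS_SHA256" /tmp/redis.tar.gz` with the digest pinned in the same file as the version, so a version bump forces the digest to be updated deliberately.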
Sam Saffron [Tue, 19 Mar 2019 08:42:12 +0000 (19:42 +1100)]
FEATURE: add missing hooks into web.yml template
Previously bundle+migrate+precompile were in 1 big chunk making it
impossible to add multisite:migrate cleanly.
This adds 2 more hooks db_migrate and assets_precompile which make it way
simpler to inject multisite migrate (either before or after db_migrate)
Sam Saffron [Tue, 19 Mar 2019 07:57:19 +0000 (18:57 +1100)]
FEATURE: add start-cmd to provide the command line used to launch container
This feature is only part done, this is a work in progress.
Sometimes it is handy to get the full docker command used to launch
a container, this allows us to cleanly amend it prior to starting.
This works like so:
```
sam@arch discourse_docker % ./launcher start-cmd redis
+ true run --shm-size=512m -d --restart=always -e LANG=en_US.UTF-8 -e 'test=I am a test' -h arch-redis -e DOCKER_HOST_IP=172.17.0.1 --name redis -t -p 63799:6379 --expose 33333 -v /home/sam/Source/discourse_docker/shared:/shared --mac-address 02:3e:e9:30:d5:32 local_discourse/redis /sbin/boot
```
Though we really want it to output `docker` instead of `+ true`.
It is tricky in bash cause we handle quoting of `-e` and so on which makes
a straight echo not work as expected.
That said this kludge does give me enough to actually run some tests so
I welcome the progress
Created this so I can run side-by-side tests on various containers
Sam Saffron [Tue, 19 Mar 2019 07:52:23 +0000 (18:52 +1100)]
DEV: clean up docker detection
previously we would output stuff to console if docker.io was missing
Neil Lalonde [Thu, 7 Mar 2019 19:49:24 +0000 (14:49 -0500)]
Add a way to expose a port without publishing
Use the existing "expose" section of container yaml files, which has always been publishing ports.
Expose a port if a single port number is specified (`80`).
Publish if a port mapping is specified (`"80:80"`, `"127.0.0.1:20080:80"`).
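As an added example, not the launcher's own YAML handling: a port-spec classifier implementing the rule this commit describes, with a check for the case a practitioner most wants to catch, a mapping with no host address, which Docker publishes on every interface. The function names are assumptions; the specs used in the demo are the ones quoted in the message.

```shell
#!/bin/sh
# Added example (not launcher code): turn one "expose" list entry into a docker run flag.
#   "80"                 -> --expose 80            container-internal only
#   "80:80"              -> -p 80:80               published on ALL host interfaces
#   "127.0.0.1:20080:80" -> -p 127.0.0.1:20080:80  published on loopback only
# Entries with characters outside [0-9.:] are rejected so a malformed value can
# never be passed through to docker as something else. (Bracketed IPv6 addresses
# are not handled; the commit only describes the IPv4 forms.)
port_flag() {
    spec=$1
    case $spec in
        ''|*[!0-9.:]*) echo "invalid port spec: '$spec'" >&2; return 1 ;;
        *:*)           echo "-p $spec" ;;
        *)             echo "--expose $spec" ;;
    esac
}

# publishes_to_all_interfaces SPEC: true for "host:container" with no address,
# i.e. the form that silently binds 0.0.0.0 unless the daemon is configured otherwise.
publishes_to_all_interfaces() {
    case $1 in
        *:*:*) return 1 ;;   # address given
        *:*)   return 0 ;;   # port mapping without address
        *)     return 1 ;;   # expose only
    esac
}

# expose_flags SPEC...: flags for a whole list; stops at the first invalid entry.
expose_flags() {
    out=""
    for s in "$@"; do
        f=$(port_flag "$s") || return 1
        out="$out $f"
    done
    printf '%s\n' "${out# }"
}

# Demo with the specs from the commit message:
for s in 80 "80:80" "127.0.0.1:20080:80"; do
    flag=$(port_flag "$s")
    if publishes_to_all_interfaces "$s"; then
        echo "$flag   (note: all host interfaces)"
    else
        echo "$flag"
    fi
done
```

Before a rebuild, running the container YAML's `expose` entries through `publishes_to_all_interfaces` is a cheap way to confirm nothing is published more widely than intended.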
David Taylor [Wed, 6 Mar 2019 13:02:20 +0000 (13:02 +0000)]
Add sidekiq.log to web template
Sam Saffron [Thu, 21 Feb 2019 03:14:13 +0000 (14:14 +1100)]
FEATURE: disable protected mode in redis
We do not require protected mode in redis cause it runs in a container
and is default protected.
Protected mode breaks running our template in a multi container setup or
certain users exposing redis from the container if they wish
Bhanu [Wed, 20 Feb 2019 07:01:03 +0000 (12:31 +0530)]
Update CDN URL in samples to have a protocol
* authored by Bhanu, reworded slightly by supermathie
Michael Brown [Tue, 19 Feb 2019 21:04:20 +0000 (16:04 -0500)]
boot: if container initialization steps fail, exit
Massimo Gorla [Tue, 19 Feb 2019 20:53:28 +0000 (21:53 +0100)]
fix: ampersand with no quotes truncates echo output (#421)
Sam [Mon, 18 Feb 2019 04:17:21 +0000 (15:17 +1100)]
Update image dependencies
- Update NGINX to latest stable
- Update pngquant to latest stable
- Update ImageMagick to latest stable
Also, remove extra ruby install, it is no longer needed
Sam [Mon, 18 Feb 2019 02:27:38 +0000 (13:27 +1100)]
FEATURE: update base image to Ruby 2.6.1
Due to https://meta.discourse.org/t/logster-2-1-0-causes-segfault-running-unicorn-in-discourse-dev-docker-image/109265
we are stuck upgrading base image.
https://github.com/github/ruby/pull/40 by @tenderlove is backported to 2.5
but we are still waiting on 2.5.4
To avoid a custom patch in our image I opted to move base to 2.6.1 and pick
up the fix direct from 2.6
Sam Saffron [Sun, 17 Feb 2019 22:38:13 +0000 (09:38 +1100)]
Update docker base image
This covers quite a few important changes
1. We updated maxmind db
2. We upgraded redis to version 5
3. It forces a rebuild for important nginx changes
4. It updates all gems, a ton got updated, this speeds up rebuild
Dan Ungureanu [Fri, 15 Feb 2019 13:46:32 +0000 (15:46 +0200)]
Redis is configured without pidfile.
Dan Ungureanu [Fri, 15 Feb 2019 13:41:24 +0000 (15:41 +0200)]
Remove Redis service from base.
Dan Ungureanu [Fri, 15 Feb 2019 13:31:19 +0000 (15:31 +0200)]
chmod a+x ./redis
Dave Eargle [Mon, 11 Feb 2019 21:27:23 +0000 (21:27 +0000)]
merge docker_args with user_args for launcher file
Sam [Wed, 13 Feb 2019 22:18:38 +0000 (09:18 +1100)]
DEV: cleanup docker prune pattern
- When out of space don't prompt a second time to cleanup
- Remove docker gc script which is unused
- Use system prune -a consistently
Sam [Tue, 12 Feb 2019 10:04:30 +0000 (21:04 +1100)]
FEATURE: swap to using "docker system prune"
Stop using `docker gc` by spotify for image cleanup, instead use:
`docker system prune`
The new method is maintained by docker, old mechanism is no longer really
needed
Saj Goonatilleke [Mon, 11 Feb 2019 12:36:15 +0000 (23:36 +1100)]
Eschew the rsyslogd PID file
This PID file is not required, provides questionable operational value,
and can break logging in a Discourse application container.
On startup, rsyslogd will read `rsyslogd.pid` and self-terminate if it
finds another process on the system with the same PID as that which was
written to this file. This behaviour is especially problematic when
running in a containerised environment:
- The processes that make up a container are more likely to be
terminated without grace. Any PID files persisted to the container's
filesystem will become stale after an unclean shutdown. (Separately,
even when signalled with `SIGTERM` on graceful shutdown, rsyslogd will
still fail to unlink this file.)
- PIDs on Linux are assigned sequentially. When run in a unique `pid`
namespace, a container's process table is subject to little entropy.
Thus, PID 'collisions' across container instantiations are not
unlikely.
Altogether, it is easy for rsyslogd to DoS itself on startup by
mistaking another process in the container (e.g.: nginx) for an existent
rsyslogd process. Unlinking this file guarantees a clean startup.
Newer releases of rsyslog support `-iNONE`, but -- of course -- this
feature is not supported in the rsyslog distribution included as part of
Ubuntu 16.04:
https://github.com/rsyslog/rsyslog/blob/527f19c56a80fd30354f32ad03bdacc1275f4aa8/ChangeLog#L1618-L1623
Vixie crond and nginx also employ PID files, though neither is
vulnerable to this failure mode. Vixie cron wraps the fd with a flock;
the flock is used for mutual exclusion, not the underlying file itself.
nginx does not appear to use its PID file for mutual exclusion.
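As an added example, not part of this commit or the Discourse boot scripts: a stale-PID-file check that avoids the collision the message describes. Instead of trusting that the PID in the file is "another rsyslogd", it looks up the command name of whatever process currently holds that PID and only keeps the file when the name matches the daemon. The function names are assumptions; the PID file in the demo is constructed and deliberately points at the running shell rather than at rsyslogd.

```shell
#!/bin/sh
# Added example (not boot-script code): do not let a daemon mistake PID reuse for
# "already running". In a fresh pid namespace PIDs are small and sequential, so a
# stale rsyslogd.pid easily names nginx or any other process of the new container.

# proc_name PID: command name of a live process, or nothing if the PID is unused.
# /proc/PID/comm is used where available (Linux; truncated to 15 chars, which is
# enough for "rsyslogd"), with ps as a fallback.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# pidfile_is_stale PIDFILE EXPECTED_NAME
# Returns 0 (stale: safe to unlink) when the file is missing, unparseable, names
# no live process, or names a live process that is NOT the daemon.
# Returns 1 only when a live process with EXPECTED_NAME really holds that PID.
pidfile_is_stale() {
    pidfile=$1; expected=$2
    [ -r "$pidfile" ] || return 0
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in ''|*[!0-9]*) return 0 ;; esac
    name=$(proc_name "$pid")
    [ -n "$name" ] || return 0
    if [ "$name" = "$expected" ]; then
        return 1
    fi
    return 0
}

# clean_pidfile PIDFILE EXPECTED_NAME: unlink the file when it is stale, so the
# daemon cannot refuse to start because an unrelated process reused the PID.
clean_pidfile() {
    if pidfile_is_stale "$1" "$2"; then
        rm -f "$1"
        echo "removed stale $1"
    else
        echo "$1 is held by a live $2; leaving it"
    fi
}

# Demo with a constructed PID file that points at this shell, not at rsyslogd:
demo=$(mktemp)
echo "$$" > "$demo"
clean_pidfile "$demo" rsyslogd
rm -f "$demo"
```

Unconditionally unlinking the file at container start, as the commit does, is the simpler choice when the container is known to run a single rsyslogd; the name check above is for the case where the file might legitimately belong to a running instance.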