discourse_docker.git
4 years ago Add hash checks to downloaded source files
Michael Brown [Thu, 9 Apr 2020 17:52:38 +0000 (13:52 -0400)]
Add hash checks to downloaded source files

* we had one in place for redis but nowhere else

4 years ago Bump ImageMagick and nginx versions
Michael Brown [Thu, 9 Apr 2020 17:51:21 +0000 (13:51 -0400)]
Bump ImageMagick and nginx versions

4 years ago Move openssh-server from the base image to the sshd template
Michael Brown [Thu, 9 Apr 2020 01:47:50 +0000 (21:47 -0400)]
Move openssh-server from the base image to the sshd template

4 years ago Prevent unused packages from being pulled into the base image
Michael Brown [Thu, 9 Apr 2020 01:47:28 +0000 (21:47 -0400)]
Prevent unused packages from being pulled into the base image

* e.g. X11 libraries, mysql libraries, mailutils, NTLM libraries

4 years ago FEATURE: Give option to publish log file publicly (#459)
Justin DiRose [Wed, 11 Mar 2020 18:55:10 +0000 (13:55 -0500)]
FEATURE: Give option to publish log file publicly (#459)

4 years ago FEATURE: Don't use fully qualified path for bash in host (#458)
Mark Vainomaa [Wed, 11 Mar 2020 06:52:51 +0000 (08:52 +0200)]
FEATURE: Don't use fully qualified path for bash in host (#458)

4 years ago Unfreeze Gemfile in import templates
Gerhard Schlager [Mon, 2 Mar 2020 16:08:19 +0000 (17:08 +0100)]
Unfreeze Gemfile in import templates

Co-authored-by: Jay Pfaffman <pfaffman@gmail.com>

4 years ago DEV: Bump baseimage
Sam Saffron [Thu, 27 Feb 2020 04:53:38 +0000 (15:53 +1100)]
DEV: Bump baseimage

This includes updated dependencies required for the codereview plugin and
additional fixes

4 years ago Add cmake as a base dependency
Daniel Waterworth [Thu, 20 Feb 2020 17:54:39 +0000 (17:54 +0000)]
Add cmake as a base dependency

4 years ago Early hostname check (#456)
Rafael dos Santos Silva [Wed, 19 Feb 2020 19:27:34 +0000 (16:27 -0300)]
Early hostname check (#456)

* Move hostname check to earlier in the process

* Provide instruction on hostname check failure

* Fix instruction in case of hostname failure

4 years ago Update README.md (#455)
Ranjan Purbey [Mon, 20 Jan 2020 20:58:20 +0000 (02:28 +0530)]
Update README.md (#455)

Fix indentation at L56

4 years ago Bump base image
Rafael dos Santos Silva [Mon, 23 Dec 2019 16:36:38 +0000 (13:36 -0300)]
Bump base image

4 years ago FEATURE: Default to HTTPS
Rafael dos Santos Silva [Mon, 2 Dec 2019 18:16:45 +0000 (15:16 -0300)]
FEATURE: Default to HTTPS

5 years ago update mail-receiver version
Blake Erickson [Fri, 15 Nov 2019 14:25:07 +0000 (07:25 -0700)]
update mail-receiver version

5 years ago Try to force certificate issuance on second try
Gerhard Schlager [Thu, 31 Oct 2019 20:32:49 +0000 (21:32 +0100)]
Try to force certificate issuance on second try

5 years ago Change check for linux memory (#452)
Todd Sharp [Mon, 28 Oct 2019 01:58:56 +0000 (21:58 -0400)]
Change check for linux memory (#452)

* Change check for linux memory

Some VMs clock in at *just under* 1GB, so checking for 1GB of RAM will miss these.  Instead, check for MB, divide by 1000 and round up.

* Refine the check_linux_memory function

Be a little more precise and only make an exception for VMs with >= 990MB RAM

5 years ago Make port check optional, add y/n prompt (#448)
Ruben Homs [Thu, 24 Oct 2019 00:40:36 +0000 (02:40 +0200)]
Make port check optional, add y/n prompt (#448)

5 years ago Bump base image to update uglifyJS to v3
romanrizzi [Wed, 16 Oct 2019 18:28:57 +0000 (15:28 -0300)]
Bump base image to update uglifyJS to v3

5 years ago DEV: Bump uglifyjs
Roman Rizzi [Thu, 10 Oct 2019 05:17:46 +0000 (02:17 -0300)]
DEV: Bump uglifyjs

We now support uglifyjs version 3 in Discourse core, no need to hold back the upgrade.

5 years ago SECURITY: base image updates
Sam Saffron [Thu, 3 Oct 2019 23:59:17 +0000 (09:59 +1000)]
SECURITY: base image updates

- Ruby upgraded from 2.6.4 -> 2.6.5 to address CVEs
- Image Magick from 7.0.8-61 -> 66
- NGINX 1.17.3 -> 4 (bug fixes only)

5 years ago Check that redis archive matches hash (#450)
Daniel Waterworth [Wed, 2 Oct 2019 00:29:19 +0000 (00:29 +0000)]
Check that redis archive matches hash (#450)

Redis is downloaded without TLS

5 years ago Update MySQL privileges when starting phpBB3 import
Gerhard Schlager [Tue, 1 Oct 2019 14:59:22 +0000 (10:59 -0400)]
Update MySQL privileges when starting phpBB3 import

MySQL isn't running in the init script yet, so updating the privileges doesn't work. Duh!

Follow-up to 3df237a6

5 years ago Make phpBB3 import template work with latest image (#449)
Gerhard Schlager [Tue, 1 Oct 2019 00:20:01 +0000 (20:20 -0400)]
Make phpBB3 import template work with latest image (#449)

5 years ago FIX: Pass through stdout when running interactively
Saj Goonatilleke [Fri, 20 Sep 2019 07:43:02 +0000 (17:43 +1000)]
FIX: Pass through stdout when running interactively

Follow up to commit 70aaf45.

5 years ago FIX: Never prune Docker volumes
Saj Goonatilleke [Wed, 18 Sep 2019 17:58:47 +0000 (03:58 +1000)]
FIX: Never prune Docker volumes

`system prune` on older Docker releases will remove volumes.  The
accidental removal of container volumes may result in user data loss.

This patch should ensure that any users on Docker CE <17.06.1 benefit
from the same, safer behaviour enjoyed by users on contemporary Docker
releases.

5 years ago FIX: Install mariadb lib instead of mysql
Jay Pfaffman [Wed, 11 Sep 2019 22:16:50 +0000 (15:16 -0700)]
FIX: Install mariadb lib instead of mysql

5 years ago Correctly install ECDSA certificate
Gerhard Schlager [Tue, 10 Sep 2019 00:44:52 +0000 (02:44 +0200)]
Correctly install ECDSA certificate

Follow-up to f6ec21851dcf417c13333179a0f933d1dcc3faa1

5 years ago FEATURE: Elliptic Curve certificate (#444)
Gerhard Schlager [Mon, 9 Sep 2019 23:02:45 +0000 (01:02 +0200)]
FEATURE: Elliptic Curve certificate (#444)

[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends (P-256) as certificate type for intermediate compatibility.

> ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11

Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and an RSA cipher suite.

5 years ago Bump base image
Rafael dos Santos Silva [Fri, 6 Sep 2019 17:56:14 +0000 (14:56 -0300)]
Bump base image

5 years ago FIX: Backup Restore was broken because rsync was missing
Rafael dos Santos Silva [Fri, 6 Sep 2019 04:27:17 +0000 (01:27 -0300)]
FIX: Backup Restore was broken because rsync was missing

5 years ago Make sshd compatible with Debian image
Rafael dos Santos Silva [Tue, 3 Sep 2019 19:37:14 +0000 (16:37 -0300)]
Make sshd compatible with Debian image

5 years ago Bump base image
Rafael dos Santos Silva [Mon, 2 Sep 2019 18:15:01 +0000 (15:15 -0300)]
Bump base image

5 years ago Update ruby to 2.6.4
Rafael dos Santos Silva [Fri, 30 Aug 2019 03:59:50 +0000 (00:59 -0300)]
Update ruby to 2.6.4

5 years ago FEATURE: launcher suggests discourse-doctor on fail
Jay Pfaffman [Wed, 1 Aug 2018 08:56:20 +0000 (10:56 +0200)]
FEATURE: launcher suggests discourse-doctor on fail

5 years ago Add commented sections to enable incoming TLS
Jay Pfaffman [Fri, 12 Apr 2019 16:04:24 +0000 (09:04 -0700)]
Add commented sections to enable incoming TLS

Use Let's Encrypt certs from app to enable incoming TLS for mail-receiver.

5 years ago fallocate swapfile instead of dd
Andrew Schleifer [Wed, 26 Jun 2019 06:24:46 +0000 (14:24 +0800)]
fallocate swapfile instead of dd

5 years ago spacing
Joffrey JAFFEUX [Thu, 9 Aug 2018 21:09:16 +0000 (23:09 +0200)]
spacing

5 years ago FEATURE: discourse-doctor restart existing container if possible
Jay Pfaffman [Wed, 1 Aug 2018 08:40:36 +0000 (10:40 +0200)]
FEATURE: discourse-doctor restart existing container if possible

5 years ago Update SSL config using Mozilla SSL Intermediate config
Rafael dos Santos Silva [Fri, 16 Aug 2019 19:11:28 +0000 (16:11 -0300)]
Update SSL config using Mozilla SSL Intermediate config

5 years ago Update dependencies
Rafael dos Santos Silva [Thu, 22 Aug 2019 20:05:41 +0000 (17:05 -0300)]
Update dependencies

5 years ago Remove nginx modules from the package manager
Rafael dos Santos Silva [Mon, 19 Aug 2019 21:34:04 +0000 (18:34 -0300)]
Remove nginx modules from the package manager

5 years ago On Debian rsyslog is running under root
Rafael dos Santos Silva [Mon, 19 Aug 2019 18:17:28 +0000 (15:17 -0300)]
On Debian rsyslog is running under root

5 years ago Revert "Revert "First pass in moving to debian""
Rafael dos Santos Silva [Mon, 19 Aug 2019 18:17:01 +0000 (15:17 -0300)]
Revert "Revert "First pass in moving to debian""

This reverts commit 29204e415846c121554d41c34f241f2291e7a587.

5 years ago Revert "First pass in moving to debian"
Rafael dos Santos Silva [Fri, 16 Aug 2019 21:03:14 +0000 (18:03 -0300)]
Revert "First pass in moving to debian"

This reverts commit 223b69e775c61a7fb05386262281f7fa2f0e9520.

5 years ago First pass in moving to debian
Rafael dos Santos Silva [Tue, 2 Jul 2019 04:40:26 +0000 (01:40 -0300)]
First pass in moving to debian

5 years ago Update nginx for HTTP2 related CVEs
Rafael dos Santos Silva [Tue, 13 Aug 2019 21:06:56 +0000 (18:06 -0300)]
Update nginx for HTTP2 related CVEs

5 years ago Make merge_user_args idempotent (#438)
Saj Goonatilleke [Tue, 6 Aug 2019 23:07:36 +0000 (09:07 +1000)]
Make merge_user_args idempotent (#438)

The `merge_user_args` function may be called more than once within a
single `launcher` process.  e.g.: on `launcher rebuild ...`:

```
[main] -> rebuild -> run_bootstrap -> set_template_info -> merge_user_args
[main] -> rebuild -> run_start     -> set_template_info -> merge_user_args
```

If the user had included a `docker_args` map key in their container
YAML, the `user_args` global would be incorrectly populated with
duplicate docker CLI flags.

https://meta.discourse.org/t/-/123696

Fixes a regression introduced in https://meta.discourse.org/t/-/49401/9

5 years ago remove unrelated comment
Andrew Schleifer [Thu, 1 Aug 2019 04:05:00 +0000 (12:05 +0800)]
remove unrelated comment

SSH was long ago moved into a different template

5 years ago Bump base image
Gerhard Schlager [Thu, 27 Jun 2019 08:45:16 +0000 (10:45 +0200)]
Bump base image

5 years ago Update ImageMagick
Gerhard Schlager [Tue, 25 Jun 2019 08:53:51 +0000 (10:53 +0200)]
Update ImageMagick

5 years ago FIX: Make storage detection compatible with docker 19.x
Rafael dos Santos Silva [Wed, 19 Jun 2019 18:38:47 +0000 (15:38 -0300)]
FIX: Make storage detection compatible with docker 19.x

5 years ago DEV: bump dependencies
Sam Saffron [Tue, 18 Jun 2019 06:14:38 +0000 (16:14 +1000)]
DEV: bump dependencies

- new ImageMagick
- new NGINX moved to stable from mainline
- new Redis
- new PNG Quant
- updated libjemalloc

5 years ago Repo key should be downloaded securely (#432)
Matic Mežnar [Sun, 16 Jun 2019 23:47:03 +0000 (01:47 +0200)]
Repo key should be downloaded securely (#432)

5 years ago Include official plugins and install their gems in discourse_test (#431)
Penar Musaraj [Fri, 14 Jun 2019 12:40:57 +0000 (08:40 -0400)]
Include official plugins and install their gems in discourse_test (#431)

5 years ago FIX: we cannot prompt for user input if we have no tty
Michael Brown [Mon, 10 Jun 2019 17:24:22 +0000 (13:24 -0400)]
FIX: we cannot prompt for user input if we have no tty

5 years ago Update to `discourse/base:2.0.20190505-2322`.
Guo Xiang Tan [Tue, 21 May 2019 05:38:28 +0000 (13:38 +0800)]
Update to `discourse/base:2.0.20190505-2322`.

Old base images carry test gems in the production env.

5 years ago COPY: remove unsupported storage drivers from warning message
Régis Hanol [Wed, 15 May 2019 20:06:24 +0000 (22:06 +0200)]
COPY: remove unsupported storage drivers from warning message

5 years ago FIX: Correctly match when protocol-less CDN is used
Penar Musaraj [Tue, 14 May 2019 19:37:47 +0000 (15:37 -0400)]
FIX: Correctly match when protocol-less CDN is used

5 years ago remove btrfs and overlay from "safe" storage drivers
Jeff Atwood [Fri, 10 May 2019 21:08:46 +0000 (14:08 -0700)]
remove btrfs and overlay from "safe" storage drivers

5 years ago Update bash path (#430)
Stephen [Tue, 7 May 2019 11:45:22 +0000 (04:45 -0700)]
Update bash path (#430)

Call the default bash for the environment.

5 years ago Update base image
Gerhard Schlager [Mon, 6 May 2019 12:55:25 +0000 (14:55 +0200)]
Update base image

It updates Ruby, nginx, ImageMagick, libpng, gifsicle and Node.js

5 years ago Set the right RAILS_ENV for other base images.
Guo Xiang Tan [Fri, 3 May 2019 04:52:31 +0000 (12:52 +0800)]
Set the right RAILS_ENV for other base images.

Follow up to c2c7a3d8f3aad26b0b1aea30eb5bf475d910ebc2.

5 years ago Set RAILS_ENV for base image.
Guo Xiang Tan [Fri, 3 May 2019 01:44:09 +0000 (09:44 +0800)]
Set RAILS_ENV for base image.

We can't boot the Rails app if it tries to require development
dependencies.

5 years ago FIX: Don't install test gems in production.
Guo Xiang Tan [Thu, 2 May 2019 02:18:59 +0000 (10:18 +0800)]
FIX: Don't install test gems in production.

This fixes an incorrect usage of the `--without` option.
As per the documentation, it takes groups separated by a space `--without=GROUP[ GROUP...]`. Specifying the option twice meant we were overriding the first, which led to this bug.

5 years ago Update dependencies (#429)
Gerhard Schlager [Sat, 27 Apr 2019 08:08:16 +0000 (10:08 +0200)]
Update dependencies (#429)

* Ruby 2.6.3 which has a couple of Unicode improvements

* nginx from 1.5.9 to 1.5.12 (http://nginx.org/en/CHANGES)

* ImageMagick 7.0.8-42 and switch it back to using GitHub, because only the latest release is available on the official site and this regularly breaks our build

* libpng from 1.6.36 to 1.6.37 (security fix)

* gifsicle from 1.91 to 1.92 (http://www.lcdf.org/gifsicle/changes.html)

* Node.js v10, the latest active LTS (https://nodejs.org/en/about/releases/)

5 years ago Use HEAD instead of @ shortcut for git in launcher (#428)
Geoff Reedy [Fri, 26 Apr 2019 08:25:27 +0000 (02:25 -0600)]
Use HEAD instead of @ shortcut for git in launcher (#428)

The abbreviation @ for HEAD was added in git 1.8.5. The launcher claims to be compatible with git version 1.8.0 but the use of this abbreviation breaks this compatibility. This change is needed to support RHEL 7.6 which has only git 1.8.3.1.

5 years ago Update imagemagick to 7.0.8-41.
Guo Xiang Tan [Mon, 22 Apr 2019 03:02:10 +0000 (11:02 +0800)]
Update imagemagick to 7.0.8-41.

5 years ago Run `bundle install` with 4 jobs.
Guo Xiang Tan [Sat, 20 Apr 2019 01:03:19 +0000 (09:03 +0800)]
Run `bundle install` with 4 jobs.

5 years ago Bump patch for imagemagick again.
Guo Xiang Tan [Mon, 15 Apr 2019 01:23:58 +0000 (09:23 +0800)]
Bump patch for imagemagick again.

5 years ago FEATURE: brotli support is not conditional
Sam Saffron [Thu, 11 Apr 2019 02:43:55 +0000 (12:43 +1000)]
FEATURE: brotli support is not conditional

Due to changes in the core (backported to stable) all brotli support
is unconditional.

No need to carry any special logic here.

5 years ago Bump imagemagick to 7.0.8-39.
Guo Xiang Tan [Mon, 8 Apr 2019 00:14:46 +0000 (08:14 +0800)]
Bump imagemagick to 7.0.8-39.

5 years ago FIX: no longer allow protocol-less CDN
Sam Saffron [Wed, 3 Apr 2019 06:01:48 +0000 (17:01 +1100)]
FIX: no longer allow protocol-less CDN

DISCOURSE_CDN_URL starting with `//` can lead to problems. Avoid allowing
people to enter it.

5 years ago Add missing lines due to bad commit in 40fd876d1edb1a376a4eb592c9de4a178352a760.
Guo Xiang Tan [Tue, 2 Apr 2019 08:05:00 +0000 (16:05 +0800)]
Add missing lines due to bad commit in 40fd876d1edb1a376a4eb592c9de4a178352a760.

5 years ago Set `force_https` to true when Let's Encrypt cert checks out OK.
Guo Xiang Tan [Tue, 2 Apr 2019 07:57:30 +0000 (15:57 +0800)]
Set `force_https` to true when Let's Encrypt cert checks out OK.

5 years ago Bump acme.sh to 2.8.0 (#425)
sau226 [Tue, 2 Apr 2019 07:04:21 +0000 (15:04 +0800)]
Bump acme.sh to 2.8.0 (#425)

Bump script for more API options, ACME v2 wildcard certs and bug fixes

5 years ago Update imagemagick patch version.
Guo Xiang Tan [Thu, 28 Mar 2019 06:30:14 +0000 (14:30 +0800)]
Update imagemagick patch version.

5 years ago Update base image to Ruby 2.6.2 based image
Sam Saffron [Thu, 28 Mar 2019 01:22:09 +0000 (12:22 +1100)]
Update base image to Ruby 2.6.2 based image

Following extensive internal testing it is time to update our common base
image to 2.6.2 based one.

This also updates various libraries, nginx and so on.

5 years ago Remove chromedriver; import script installs latest version
Gerhard Schlager [Mon, 25 Mar 2019 14:24:58 +0000 (15:24 +0100)]
Remove chromedriver; import script installs latest version

5 years ago Pull ImageMagick and libpng from official site
Sam Saffron [Thu, 21 Mar 2019 00:38:43 +0000 (11:38 +1100)]
Pull ImageMagick and libpng from official site

previously we were taking stuff from GitHub which is often out-of-date

5 years ago oops, 1.6.37 is not tagged yet use 36
Sam Saffron [Thu, 21 Mar 2019 00:12:29 +0000 (11:12 +1100)]
oops, 1.6.37 is not tagged yet use 36

5 years ago Update dependencies
Sam Saffron [Wed, 20 Mar 2019 23:46:05 +0000 (10:46 +1100)]
Update dependencies

Including minor upgrades for redis, ruby, image magick, libpng

One notable thing here is that I removed the SHA check from redis

I am not against checking SHA but we need to explode if it fails and do
something far more consistent across our various downloads

5 years ago FEATURE: add missing hooks into web.yml template
Sam Saffron [Tue, 19 Mar 2019 08:42:12 +0000 (19:42 +1100)]
FEATURE: add missing hooks into web.yml template

Previously bundle+migrate+precompile were in 1 big chunk making it
impossible to add multisite:migrate cleanly.

This adds 2 more hooks db_migrate and assets_precompile which make it way
simpler to inject multisite migrate (either before or after db_migrate)

5 years ago FEATURE: add start-cmd to provide the command line used to launch container
Sam Saffron [Tue, 19 Mar 2019 07:57:19 +0000 (18:57 +1100)]
FEATURE: add start-cmd to provide the command line used to launch container

This feature is only part done, this is a work in progress.

Sometimes it is handy to get the full docker command used to launch
a container, this allows us to cleanly amend it prior to starting.

This works like so:

```
sam@arch discourse_docker % ./launcher start-cmd redis
+ true run --shm-size=512m -d --restart=always -e LANG=en_US.UTF-8 -e 'test=I am a test' -h arch-redis -e DOCKER_HOST_IP=172.17.0.1 --name redis -t -p 63799:6379 --expose 33333 -v /home/sam/Source/discourse_docker/shared:/shared --mac-address 02:3e:e9:30:d5:32 local_discourse/redis /sbin/boot
```

Though we really want it to output `docker` instead of `+ true`.

It is tricky in bash cause we handle quoting of `-e` and so on which makes
a straight echo not work as expected.

That said this kludge does give me enough to actually run some tests so
I welcome the progress

Created this so I can run side-by-side tests on various containers

5 years ago DEV: clean up docker detection
Sam Saffron [Tue, 19 Mar 2019 07:52:23 +0000 (18:52 +1100)]
DEV: clean up docker detection

previously we would output stuff to console if docker.io was missing

5 years ago Add a way to expose a port without publishing
Neil Lalonde [Thu, 7 Mar 2019 19:49:24 +0000 (14:49 -0500)]
Add a way to expose a port without publishing

Use the existing "expose" section of container yaml files, which has always been publishing ports.
Expose a port if a single port number is specified (`80`).
Publish if a port mapping is specified (`"80:80"`, `"127.0.0.1:20080:80"`).

5 years ago Add sidekiq.log to web template
David Taylor [Wed, 6 Mar 2019 13:02:20 +0000 (13:02 +0000)]
Add sidekiq.log to web template

5 years ago FEATURE: disable protected mode in redis
Sam Saffron [Thu, 21 Feb 2019 03:14:13 +0000 (14:14 +1100)]
FEATURE: disable protected mode in redis

We do not require protected mode in redis cause it runs in a container
and is default protected.

Protected mode breaks running our template in a multi container setup or
certain users exposing redis from the container if they wish

5 years ago Update CDN URL in samples to have a protocol
Bhanu [Wed, 20 Feb 2019 07:01:03 +0000 (12:31 +0530)]
Update CDN URL in samples to have a protocol

* authored by Bhanu, reworded slightly by supermathie

5 years ago boot: if container initialization steps fail, exit
Michael Brown [Tue, 19 Feb 2019 21:04:20 +0000 (16:04 -0500)]
boot: if container initialization steps fail, exit

5 years ago fix: ampersand with no quotes truncates echo output (#421)
Massimo Gorla [Tue, 19 Feb 2019 20:53:28 +0000 (21:53 +0100)]
fix: ampersand with no quotes truncates echo output (#421)

5 years ago Update image dependencies
Sam [Mon, 18 Feb 2019 04:17:21 +0000 (15:17 +1100)]
Update image dependencies

- Update NGINX to latest stable
- Update pngquant to latest stable
- Update ImageMagick to latest stable

Also, remove extra ruby install, it is no longer needed

5 years ago FEATURE: update base image to Ruby 2.6.1
Sam [Mon, 18 Feb 2019 02:27:38 +0000 (13:27 +1100)]
FEATURE: update base image to Ruby 2.6.1

Due to https://meta.discourse.org/t/logster-2-1-0-causes-segfault-running-unicorn-in-discourse-dev-docker-image/109265
we are stuck upgrading base image.

https://github.com/github/ruby/pull/40 by @tenderlove is backported to 2.5
but we are still waiting on 2.5.4

To avoid a custom patch in our image I opted to move base to 2.6.1 and pick
up the fix direct from 2.6

5 years ago Update docker base image
Sam Saffron [Sun, 17 Feb 2019 22:38:13 +0000 (09:38 +1100)]
Update docker base image

This covers quite a few important changes

1. We updated maxmind db
2. We upgraded redis to version 5
3. It forces a rebuild for important nginx changes
4. It updates all gems, a ton got updated, this speeds up rebuild

5 years ago Redis is configured without pidfile.
Dan Ungureanu [Fri, 15 Feb 2019 13:46:32 +0000 (15:46 +0200)]
Redis is configured without pidfile.

5 years ago Remove Redis service from base.
Dan Ungureanu [Fri, 15 Feb 2019 13:41:24 +0000 (15:41 +0200)]
Remove Redis service from base.

5 years ago chmod a+x ./redis
Dan Ungureanu [Fri, 15 Feb 2019 13:31:19 +0000 (15:31 +0200)]
chmod a+x ./redis

5 years ago merge docker_args with user_args for launcher file
Dave Eargle [Mon, 11 Feb 2019 21:27:23 +0000 (21:27 +0000)]
merge docker_args with user_args for launcher file

5 years ago DEV: cleanup docker prune pattern
Sam [Wed, 13 Feb 2019 22:18:38 +0000 (09:18 +1100)]
DEV: cleanup docker prune pattern

- When out of space don't prompt a second time to cleanup
- Remove docker gc script which is unused
- Use system prune -a consistently

5 years ago FEATURE: swap to using "docker system prune"
Sam [Tue, 12 Feb 2019 10:04:30 +0000 (21:04 +1100)]
FEATURE: swap to using "docker system prune"

Stop using `docker gc` by spotify for image cleanup, instead use:
`docker system prune`

The new method is maintained by docker, old mechanism is no longer really
needed

5 years ago Eschew the rsyslogd PID file
Saj Goonatilleke [Mon, 11 Feb 2019 12:36:15 +0000 (23:36 +1100)]
Eschew the rsyslogd PID file

This PID file is not required, provides questionable operational value,
and can break logging in a Discourse application container.

On startup, rsyslogd will read `rsyslogd.pid` and self-terminate if it
finds another process on the system with the same PID as that which was
written to this file.  This behaviour is especially problematic when
running in a containerised environment:

- The processes that make up a container are more likely to be
  terminated without grace.  Any PID files persisted to the container's
  filesystem will become stale after an unclean shutdown.  (Separately,
  even when signalled with `SIGTERM` on graceful shutdown, rsyslogd will
  still fail to unlink this file.)

- PIDs on Linux are assigned sequentially.  When run in a unique `pid`
  namespace, a container's process table is subject to little entropy.
  Thus, PID 'collisions' across container instantiations are not
  unlikely.

Altogether, it is easy for rsyslogd to DoS itself on startup by
mistaking another process in the container (e.g.: nginx) for an existent
rsyslogd process.  Unlinking this file guarantees a clean startup.

Newer releases of rsyslog support `-iNONE`, but -- of course -- this
feature is not supported in the rsyslog distribution included as part of
Ubuntu 16.04:

https://github.com/rsyslog/rsyslog/blob/527f19c56a80fd30354f32ad03bdacc1275f4aa8/ChangeLog#L1618-L1623

Vixie crond and nginx also employ PID files, though neither is
vulnerable to this failure mode.  Vixie cron wraps the fd with a flock;
the flock is used for mutual exclusion, not the underlying file itself.
nginx does not appear to use its PID file for mutual exclusion.
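
The failure mode described in the rsyslogd PID file commit above, as an added example (not code from discourse_docker, rsyslog or cron): a startup check that trusts the PID recorded in a stale file, next to a flock-based check where the file's content is irrelevant. The function names, the `daemon.pid` path and the constructed stale file are assumptions made for the illustration.

```python
import fcntl
import os
import tempfile


def pidfile_says_running(pidfile):
    """Naive check: trust the PID in the file and probe whether it is alive."""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return False
    try:
        os.kill(pid, 0)  # signal 0 only tests for existence, nothing is sent
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # the PID exists but belongs to another user
    return True


def try_lock(lockfile):
    """Mutual exclusion on an flock, not on the file's content.

    Returns an open fd holding the lock, or None if another holder exists.
    The kernel drops the lock when the holder's descriptors are closed,
    which includes an unclean process exit.
    """
    fd = os.open(lockfile, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def demo():
    with tempfile.TemporaryDirectory() as d:
        pidfile = os.path.join(d, "daemon.pid")  # hypothetical path

        # Constructed stale state: the file survived an unclean shutdown and
        # the PID it records now belongs to an unrelated live process. This
        # interpreter stands in for that process (nginx in the commit text).
        with open(pidfile, "w") as f:
            f.write(f"{os.getpid()}\n")

        # The naive check sees a live PID and would refuse to start.
        naive_blocks_startup = pidfile_says_running(pidfile)

        # The flock check ignores the stale content: nobody holds the lock.
        holder = try_lock(pidfile)
        lock_on_stale_file = holder is not None

        # A second instance is correctly refused while the first one lives.
        contended = try_lock(pidfile) is None

        # The holder goes away without unlinking the file; the lock is gone.
        os.close(holder)
        successor = try_lock(pidfile)
        after_holder_exit = successor is not None
        if successor is not None:
            os.close(successor)

        return {
            "naive_blocks_startup": naive_blocks_startup,
            "lock_on_stale_file": lock_on_stale_file,
            "contended": contended,
            "after_holder_exit": after_holder_exit,
        }


if __name__ == "__main__":
    print(demo())
```
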