PR#772: Fix docker-compose - copr/copr

		`@@ -8,7 +8,7 @@`

		`# default is http://coprs/rest/api`
		`#frontend_base_url=http://localhost:5000`
		`- frontend_base_url=http://frontend`
		`+ frontend_base_url=http://frontend:5000`

		`# must have same value as BACKEND_PASSWORD from have frontend in /etc/copr/copr.conf`
		`# default is PASSWORDHERE but you really should change it. really.`

docker/builder/Dockerfile

file modified

+1 -1

		`@@ -47,7 +47,7 @@`
		`rpkg --path /copr/rpmbuild spec --outdir /tmp/rpkg && \`
		`dnf builddep -y /tmp/rpkg/copr-rpmbuild.spec && \`
		`rpkg --path /copr/rpmbuild local --outdir /tmp/rpkg && \`
		`- dnf -y install /tmp/rpkg/noarch/copr-rpmbuild*.noarch.rpm`
		`+ dnf -y install /tmp/rpkg/x86_64/copr-rpmbuild*.x86_64.rpm`

		`RUN echo 'config_opts["use_nspawn"] = False' >> /etc/mock/site-defaults.cfg`

docker/builder/files/etc/copr-rpmbuild/main.ini

file modified

+1 -1

		`@@ -1,5 +1,5 @@`
		`[main]`
		`- frontend_url = http://frontend`
		`+ frontend_url = http://frontend:5000`
		`enabled_source_protocols = https ftps`

		`[distgit0]`

docker/distgit/Dockerfile

file modified

+3 -1

		`@@ -28,7 +28,7 @@`
		`RUN chown copr-dist-git:packager /tmp/copr-dist-git`

		`RUN echo "[dist-git]" > /etc/copr/copr-dist-git.conf && \`
		`- echo "frontend_base_url=http://frontend" >> /etc/copr/copr-dist-git.conf && \`
		`+ echo "frontend_base_url=http://frontend:5000" >> /etc/copr/copr-dist-git.conf && \`
		`echo "frontend_auth=1234" >> /etc/copr/copr-dist-git.conf && \`
		`chmod 644 /etc/copr/copr-dist-git.conf`

		`@@ -44,4 +44,6 @@`

		`RUN echo 'scan-path=/var/lib/dist-git/git/rpms' \| tee -a /etc/cgitrc`

		`+ RUN rm /etc/httpd/conf.d/ssl.conf`
		`+`
		`CMD ["/bin/run.sh"]`

docker/frontend/Dockerfile

file modified

+3 -2

		`@@ -10,6 +10,7 @@`
		`wget \`
		`vim \`
		`yum \`
		`+ sudo \`
		`supervisor \`
		`copr-selinux \`
		`python3-alembic \`
		`@@ -22,9 +23,9 @@`

		`# build and install copr-frontend`
		`RUN rm -rf /tmp/rpkg && \`
		`- rpkg --path /copr/frontend srpm --without doc --outdir /tmp/rpkg && \`
		`+ rpkg --path /copr/frontend srpm --without doc --without check --outdir /tmp/rpkg && \`
		`dnf -y builddep /tmp/rpkg/copr-frontend*.src.rpm && \`
		`- rpkg --path /copr/frontend local --without doc --outdir /tmp/rpkg && \`
		`+ rpkg --path /copr/frontend local --without doc --without check --outdir /tmp/rpkg && \`
		`dnf -y install /tmp/rpkg/noarch/copr-frontend*.noarch.rpm`

		`RUN echo 'nameserver 8.8.8.8' \| tee -a /etc/resolv.conf`

docker/frontend/files/etc/copr/copr.conf

file modified

+1 -1

		`@@ -81,7 +81,7 @@`
		`#}`

		`PUBLIC_COPR_HOSTNAME = 'localhost:5000'`
		`- PUBLIC_COPR_BASE_URL = 'http://frontend'`
		`+ PUBLIC_COPR_BASE_URL = 'http://frontend:5000'`

		`BACKEND_BASE_URL = 'http://localhost:5002'`
		`DIST_GIT_CLONE_URL = 'http://distgit/git/'`

docker/frontend/files/etc/httpd/conf.d/copr.conf

file modified

		`@@ -1,3 +1,5 @@`
		`+ Listen 5000`
		`+`
		`<VirtualHost 0.0.0.0>`
		`WSGIPassAuthorization On`
		`WSGIDaemonProcess 127.0.0.1 user=copr-fe group=copr-fe threads=5`

docker/frontend/files/usr/bin/run.sh

file modified

+5 -4

		`@@ -4,8 +4,11 @@`

		`/usr/bin/supervisord -c /etc/supervisord.conf`

		`- cd /usr/share/copr/coprs_frontend/ && python3 ./manage.py create_db --alembic alembic.ini`
		`- python3 /usr/share/copr/coprs_frontend/manage.py create_chroot fedora-{26,27,rawhide}-{i386,x86_64} epel-{6,7}-x86_64 epel-6-i386`
		`+ chown -R copr-fe:copr-fe /var/log/copr-frontend`
		`+ chown -R copr-fe:copr-fe /usr/share/copr`
praiskup commented 4 years ago I don't want to make some press here, I'm overall +1 to this PR; but correct thing to do would be to never run anything in docker as root (== root on host, unless user namespaces); usually is better practice to: call `RUN useradd` in Dockerfile, then call `USER copr-fe` (or something) in Dockerfile and do whatever you want (e.g. you don't have to take care of additional chowns) What I see suspicious is that we need to write anything into /usr/share ... /usr should be ideally read only. Edited 4 years ago by praiskup
		`+`
		`+ cd /usr/share/copr/coprs_frontend/ && sudo -u copr-fe copr-frontend create_db --alembic alembic.ini`
		`+ sudo -u copr-fe copr-frontend create_chroot fedora-{26,27,rawhide}-{i386,x86_64} epel-{6,7}-x86_64 epel-6-i386`


		`# selinux: make data dir writeable for httpd`
		`@@ -15,8 +18,6 @@`
		`# data under /usr/share/copr/. Discuss this with peers.`
		`chcon -R -t httpd_sys_rw_content_t /usr/share/copr/data`

		`- chown -R copr-fe:copr-fe /var/log/copr-frontend`
		`- chown -R copr-fe:copr-fe /usr/share/copr`


		`echo "#########################################################"`

frostyx commented 4 years ago

I've picked the noarch change from PR#770 and added several more fixes to get the docker-compose working again. Please see the particular commits descriptions for more information.

Shouldn't we actually have copr-bulder there?

It should but it was not that straightforward and caused some dependency issues. I can finish it in this PR or in some future one.

praiskup commented on line 8 of docker/frontend/files/usr/bin/run.sh 4 years ago

I don't want to make some press here, I'm overall +1 to this PR; but correct
thing to do would be to never run anything in docker as root (== root on host,
unless user namespaces); usually is better practice to:

call RUN useradd in Dockerfile, then
call USER copr-fe (or something) in Dockerfile
and do whatever you want (e.g. you don't have to take care of additional chowns)

What I see suspicious is that we need to write anything into /usr/share ...
/usr should be ideally read only.

Edited 4 years ago by praiskup

frostyx commented 4 years ago

What I see suspicious is that we need to write anything into /usr/share ...
/usr should be ideally read only.

I totally agree, that /usr should be read-only. We have for example /usr/share/copr/data/openid_store/ there. IIRC we were discussing this some time on a meeting and @msuchy won't block us from changing it, but warned us, that it is not going to be as easy as it seems.

call USER copr-fe (or something) in Dockerfile

This looks good, I would like to do that, but I don't know how. We can't run the whole CMD ["/bin/run.sh"] as copr-fe user. There are some superuser tasks in it, e.g. running supervisord. I know, that in ideal case, we should split the functionality and have small containers running just one service, but that's just not the case at the moment.

praiskup commented 4 years ago

I totally agree, that /usr should be read-only. We have for example
/usr/share/copr/data/openid_store/ there. IIRC we were discussing this some
time on a meeting and @msuchy won't block us from changing it, but warned us,
that it is not going to be as easy as it seems.

$ sudo dnf install /usr/share/copr/data/openid_store/
Last metadata expiration check: 0:00:14 ago on Mon 03 Jun 2019 10:34:29 AM CEST.
No match for argument: /usr/share/copr/data/openid_store/
Error: Unable to find a match

So no package really owns that directory. So if anything, in Dockerfile you can
make that directory symlink to some /var directory.

call USER copr-fe (or something) in Dockerfile

This looks good, I would like to do that, but I don't know how. We can't run
the whole CMD ["/bin/run.sh"] as copr-fe user. There are some superuser tasks
in it, e.g. running supervisord.

Ok, this turns out to be too heavy task for this PR. In ideal world, we should
not need supervisord -> and start e.g. postgres/redis/... etc in separate
containers (from supported sclorg images).

praiskup commented 4 years ago

There's +1 from me for some time, so let's merge.

rebased onto 7a90ccf

4 years ago