-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adjust Dockerfile & entrypoint and add Dependabot, CI & docker release #51
base: main
Are you sure you want to change the base?
Conversation
0540c00
to
fe499cb
Compare
would be nice this could get a review and some feedback :) |
Hi @monotek thanks for the pull-request, and thanks for the reminder. Sorry about the delay. I will try to review it next week. |
do you had any chance to look into it? |
Friendly ping :) |
@monotek I'm sorry for dropping this and failing to notice the first major issue with this PR. There is an existing work in progress to add a Dockerfile to the project: #47 I intend to try to help finish cleanup on PR #47 and get it merged. After that, if you can base your work on that completed effort to extend the features you've added such as dependabot, CI, docker hub publishing - I think that would be best. One thing to note is that your Dockerfile runs I think running My recommendation when updating this PR is to make it so the |
On best practice for docker containers is to be immutable. |
And how often would you make a new container? The whole point of cvdupdate is to only update if an update is needed. If you're making a new container from scratch any time you want the latest definitions, you're misusing cvdupdate and evading the system we created intended to reduce data costs. |
You could still do it by using a writable volume in a container ;-) I would still prefer to rebuild my container (at least on a daily basis). This will also update all container dependencies like container image OS, all packages and libs. As every build get it's own version i also always know wich exact version of the container is running in my cluster. Such builds / pushes to the registry could be done automatically. This is supported by Github actions via: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule |
Yup! So that's how #47 does it. 👍
Rebuilding the image daily certainly makes it so you don't have to worry much about CVE's in the base image. That would be nice. 😄 |
Thanks for the hint. At least the user creation in the entrypoint is wrong and should be moved to the dockerfile itself, as user creation will fail anyway on readonly fs... |
Hello! I agree that this is not correct, I just tried to make the UserID dynamic so that I could adapt to any infrastructure. I would be happy to see the corrected Dockerfile and gain some more experience. |
I've adjusted the container (see updated pr description above). Can be tested via: Cron mode:
Serve mode:
The release actions docker repo has still to be adjusted. |
39bc749
to
0079e4e
Compare
@ismvru & @micahsnyder |
Signed-off-by: André Bauer <[email protected]>
i updated the pr to use ghcr.io, as no extra github secrets are needed for this. |
friendly ping :) |
tbh, a little problem exists with file "/root/.cvdupdate/state.json" |
Signed-off-by: André Bauer <[email protected]>
You mean "/cvdupdate/.cvdupdate/state.json"? |
Yes, mea culpa, "/cvdupdate/.cvdupdate/state.json" will be mounted from host system, when run in docker, so no problem, sorry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm really sorry I neglected this for so long. I don't have any excuse.
I have some concern with things in this PR.
I love adding .github/workflows/ci.yaml
. The dependabot change seems good to me and a positive change. If you made this a separate PR I'd be happy to merge that.
I don't wan to add the release drafter stuff. I'm happy enough doing manual release notes. I'll add them to each release going forward.
The change to create the user in the Dockerfile instead of the entrypoint seems like a mild improvement, though we still need sudo (or gosu). I don't know the benefit of switching from gosu to sudo other than reducing the image size(?). I'm not sure if there is any other technical benefit or drawback of dropping gosu.
I see the logic to not use sudo/gosu if USER_ID == 0 is gone. I assume that's ... fine?
The permission bit changes on .gitignore and .dockerignore files are fine.
I have mixed feelings about publishing a container for cvdupdate and using ghcr.io.
There are a couple merge conflicts now (pypi.yaml, README.md). Sorry.
.github/release-drafter.yml
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the suggestion. It's neat tech. It shifts some work from release engineering over to grooming our PR titles, descriptions and labels... which I should probably do more of anyways.
But I'm not sure I can add Release Drafter to the org/repo. I'm not keen on trying to do this for a project that we update so infrequently. If we do go for it, then I'd want to add it to all of our projects in a consistent way. I'm not ready to commit to that.
At least for now, please remove this from this PR.
FROM python:3.12.0b1-slim |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am curious to know why you suggested this change. I believe it is better with python:3-slim
. Using a fine-grain image tag will be more work for maintenance, or else will leave people stuck on an unmaintained tag.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned above, I am not ready to commit to Release Drafter for all our projects, and am not interested in adopting it just for cvdupdate, which we rarely update.
} | crontab - | ||
fi | ||
cron -f | ||
sudo cron -f |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have a strong opinion on using gosu versus sudo. But it's the sort of change that someone (at least the person who added gosu to begin with) will be upset about.
It seems to me that sudo or gosu are necessary in order for cvdupdate to modify any user owned mounted directory. Sadly, we can't just strip them out and run without root privs.
I'm not comfortable with my current insight into how this works and sudo vs gosu in order to bless/merge this.
Can someone smarter than me please give me a breakdown on why I should/shouldn't accept the change to use sudo?
.github/dependabot.yml
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The dpendabot.yml Seems good to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our existing CI to build/publish docker images is done from an internal Jenkins and publishes to the Docker Hub registry.
I have mixed feelings about publishing a cvdupdate container, let alone publishing to a different registry.
Then again, this appears to be really simple, and easy to maintain. I have very mixed feelings.
.github/workflows/ci.yaml
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is nice. It would be very good to have CI.
If you're done with helping on this project, or otherwise unable -- I'll part it out to grab the CI and dependabot stuff which I know I want. Let me know. |
updated the branch. |
This PR adjusts the Dockerfile & adds Dependabot, CI and Docker release.
Dockerfile
Dependabot
CI
Docker release using official docker build push action
docker run -it --net host --rm ghcr.io/monotek/cvdupdate
curl http://localhost:8000
Our usecase of this image is to run a database mirror inside a kubernetes cluster.