Fix certificate issues in Docker build #389

Merged
merged 2 commits into from
Apr 16, 2023

Conversation

hheimbuerger
Contributor

@hheimbuerger hheimbuerger commented Mar 21, 2023

In collaboration with: @cspaeth

Issues resolved:

  • Outdated CentOS 7 distro (philcollins/aurora-centos7 hasn't been rebuilt for seven years) is apparently missing some newer root certificates. In particular, certificates signed by Let's Encrypt were rejected (like the one for nodesource.com).

Improvements:

  • To properly fix the certificate issues, a new base image was needed. Switched from outdated CentOS 7 base image (philcollins/aurora-centos7) to a CentOS Stream 8 base image (quay.io/centos/centos:stream8). CentOS Linux is dead, so the less stable CentOS Stream was used (see here for why this might be a bad choice).
  • The reason CentOS Stream 9 wasn't used just yet is that no MongoDB 3.4 packages were readily available (compare https://repo.mongodb.org/yum/redhat/8/mongodb-org/ with https://repo.mongodb.org/yum/redhat/9/mongodb-org/), although no attempt has been made to simply upgrade MongoDB alongside.
  • The curl and wget calls were removed for simplification. Maven and NodeJS are now fetched straight from the distro's default package repository (the former as maven instead of apache-maven, both quite possibly in newer versions). The one external package repository still needed (MongoDB is not available in the official CentOS repositories) is set up through Docker's ADD instruction.
  • The Dockerfile has been rearranged for build caching, specifically the distro repository is only accessed once and as early as possible. The codebase is injected as late as possible, right before first use.

Please note that I'm no Docker expert, and I'm not sure if any of my changes are following the best practices. Also, I haven't managed to get the container fully working yet, so I couldn't test whether these changes (e.g. version upgrade of NodeJS and Maven) might cause new compatibility issues.

Should you decide to merge this PR, I would recommend squashing the commits. I left the earlier one in for reference, because it illustrates the existing certificate issues, but I don't think it's worth preserving beyond this PR.
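Added example, not part of the pull request or the project's code: a check that can run inside a candidate base image to confirm its trust store still carries an unexpired copy of the root that Let's Encrypt chains terminate at (ISRG Root X1) and to list roots that have expired. The function names and the two sample stores are assumptions constructed for illustration; the entries use the dict format returned by Python's `ssl.SSLContext.get_ca_certs()`.

```python
import ssl
import time


def common_name(cert):
    """Return the subject commonName of one get_ca_certs() entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_trust_store(ca_certs, required_roots, now=None):
    """Report required roots with no unexpired copy, and all expired roots."""
    now = time.time() if now is None else now
    valid, expired = set(), set()
    for cert in ca_certs:
        name = common_name(cert) or "<no CN>"
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.add(name)
        else:
            valid.add(name)
    return {"missing": sorted(set(required_roots) - valid),
            "expired": sorted(expired)}


def _entry(cn, not_after):
    # Constructed helper: builds a minimal get_ca_certs()-style dict.
    return {"subject": ((("commonName", cn),),), "notAfter": not_after}


# Constructed sample stores (not dumped from any real image).
STALE_STORE = [_entry("DST Root CA X3", "Sep 30 14:01:15 2021 GMT"),
               _entry("Example Root CA", "Jan  1 00:00:00 2030 GMT")]
FRESH_STORE = [_entry("ISRG Root X1", "Jun  4 11:04:38 2035 GMT"),
               _entry("Example Root CA", "Jan  1 00:00:00 2030 GMT")]

if __name__ == "__main__":
    # Inside a container: audit the roots Python loads from the system bundle.
    system_roots = ssl.create_default_context().get_ca_certs()
    report = audit_trust_store(system_roots, ["ISRG Root X1"])
    print(report)
    raise SystemExit(1 if report["missing"] else 0)
```

Run as a build step, the non-zero exit stops the image build before any HTTPS download fails with a less obvious verification error.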

@hheimbuerger hheimbuerger changed the title from "Fix root certificate issues in Dockerfile" to "Fix certificate issues in Docker build" Mar 21, 2023
@frandallfarmer frandallfarmer merged commit c37e320 into frandallfarmer:master Apr 16, 2023
@frandallfarmer
Owner

Thank you for this much overdue work cleaning up old dependencies.
