Conversation
Thanks for this great PR!
Your changes introduce features (read_only on docker-compose or HEALTHCHECK on Dockerfile) only available on Docker 1.12+ and docker-compose 3.0+.
I'm ok to move on with our current requirements, but you should update the Requirement part of the README file.
docker-compose.yml
@@ -24,6 +25,7 @@ services: | |||
# comment out 2 following lines for team edition | |||
# args: | |||
# - edition=team | |||
#read_only: true |
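Review bot: the added `#read_only: true` line is commented-out configuration with no explanation in the hunk; either drop it or replace it with a comment stating why the read-only root filesystem is not enabled for this service, so that a later reader does not uncomment it without knowing which paths the process still needs to write.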
I guess you can remove this commented line
Indeed, I tried to make it work with read only, but not-mounted (i.e. plugin folder) volumes were created with random UID/GID in the container.
I also added @xcompass as reviewer; I think it would be better to have double checks on that kind of change.
Add PUID/PGID in docker-compose args
Thanks for the feedback. Indeed, those changes depend on newer versions of Docker products. Let me know what you think about that.
In fact there is already a stale PR (#195) about moving to docker-compose v3. We have had a lot of discussions about this subject, but I think we cannot maintain "legacy" Docker versions. We need to move on, and users who need to use old Docker versions should modify the image to match their needs themselves. So I think this PR is OK like that.
@xcompass Hello, any news on this PR?
I made some tests on new and existing installations. Everything is working fine as long as you remember to change file permission for Thanks for your contribution :)
Is it possible that it breaks deployments behind reverse proxies? I always get connection refused, no matter what ports I try.
@Kiina As explained in the Changelog, the port used by the Mattermost app changed from
Yeah, my config is changed to port 8000. The app container runs fine:
docker-compose:
It was working fine before, and the only thing that should change is the connection between app and web if I understand the PR right. So why is it failing?
Weird... I have the same configuration but without troubles; you might have something different in your web or app container configuration. Is your application container loop-restarting?
Oh, you are right. The health check is failing for some reason, so it keeps rebooting.
Yes, in fact the health check is failing, probably for the same reason (the check tries to curl on port
Hello,
Running a containerized application as the root user is not a best practice, as if the container is breached, the attacker is able to get root access on your Docker host.
I made sure that the app runs as a non-root user. The user UID and GID are configurable via ARG during the build process. As a non-root user is not able to bind ports lower than 1024, I modified the web container to use port 8000 instead of 80.
For the web and db containers, it is not possible to switch to a non-root user:
postgres
user
I made sure those processes start with read-only, so even if the attacker is able to get inside the container, it won't be possible to modify the container except for the volumes declared in the Dockerfiles.
For every container, I also added a health check. It is used by the Docker daemon to know the status of the process in the container.
Regards,
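As an added example (not the project's own docker-compose.yml and not code from this PR), the following compose file uses the v3 format that the reviewer's comment about Docker 1.12+ / docker-compose 3.0+ refers to, and wires together the points of the PR description: PUID/PGID passed as build args to the Dockerfile, the web service listening on 8000 instead of 80, read-only root filesystems, and a health check per service. Service names, image names, volume paths, the curl-based health commands and the UID/GID values are assumptions for illustration; only `edition=team` and the `read_only` / `healthcheck` keys come from the thread.

```yaml
# Added example, not the project's compose file. Paths, images, ports
# and health commands are assumptions; adjust them to the real images.
version: '3'   # read_only and healthcheck need the v3 format (compose 3.0+, Docker 1.12+)

services:
  app:
    build:
      context: ./app          # assumed path of the app Dockerfile
      args:
        - edition=team        # the arg shown in the hunk above
        - PUID=2000           # assumed: consumed by `ARG PUID` / `USER` in the Dockerfile
        - PGID=2000
    read_only: true           # root filesystem immutable; writes must go to volumes or tmpfs
    tmpfs:
      - /tmp                  # scratch space the process still needs at runtime
    volumes:
      # Everything the app writes must be mounted explicitly; an unmounted
      # directory on a read-only root cannot be created at start-up. Pre-create
      # these on the host with the same UID/GID as PUID/PGID.
      - ./volumes/app/config:/mattermost/config:rw     # assumed paths
      - ./volumes/app/data:/mattermost/data:rw
      - ./volumes/app/plugins:/mattermost/plugins:rw   # the folder the thread had trouble with
    healthcheck:
      # Assumed check: curl must exist in the image; -f makes a non-2xx response fail.
      test: ["CMD", "curl", "-f", "http://localhost:8000/"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  web:
    build:
      context: ./web          # assumed path of the nginx Dockerfile
      args:
        - PUID=2000           # same unprivileged identity as the app service
        - PGID=2000
    ports:
      - "8000:8000"           # unprivileged port: a non-root user cannot bind 80
    read_only: true
    tmpfs:
      - /var/cache/nginx      # assumed: nginx cache and pid dirs need to be writable
      - /var/run
    depends_on:
      - app
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  db:
    image: postgres:9.4       # assumed image; the image's own entrypoint drops to `postgres`
    volumes:
      - ./volumes/db/data:/var/lib/postgresql/data
    healthcheck:
      # pg_isready ships with the postgres image and exits non-zero until the server accepts connections
      test: ["CMD", "pg_isready", "-U", "postgres"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped
```

Two points worth checking before copying this pattern: with `read_only: true`, any directory the process creates at start-up fails unless it is a volume or tmpfs, which is the plugin-folder problem described in the thread, so list those paths explicitly and pre-create them on the host owned by the PUID/PGID you pass in; and a failing health check combined with a restart policy is exactly the loop-restart seen later in the thread, so when the listening port changes (80 to 8000 here) the health command's URL has to change with it.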