Skip to content

Move django migrations to dokku release phase #2736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 18, 2025
Merged

Move django migrations to dokku release phase #2736

merged 6 commits into from
Jul 18, 2025

Conversation

@rw251
Copy link
Contributor

@rw251 rw251 commented Jul 17, 2025
edited
Loading

Fixes #2393.

This has been tested by using the functionality in #2738 - the dokku deployment test branch rw/dokku-deploy-test.

Steps were as follows:

  1. Get dokku deployment test branch
git checkout rw/dokku-deploy-test
  1. Reopen in dev container in VSCode
    • CTRL-SHIFT-P and select "Dev Containers: Rebuild and Reopen in Container"

This creates a dokku container and deploys opencodelists to it - available at localhost:7000

Note that we get:

-----> Releasing opencodelists...
-----> Checking for predeploy task
       No predeploy task found, skipping
-----> Checking for release task
       No release task found, skipping
=====> Processing deployment checks
-----> Deploying opencodelists via the docker-local scheduler...
-----> Deploying web (count=1)
       Attempting pre-flight checks (web.1)
-----> Executing 2 healthchecks                                                        
       Running healthcheck name='Web health check' delay=30 path='/health-check' retries=9 timeout=60 type='path'
       Running healthcheck name='port listening check' attempts=3 port=7000 retries=2 timeout=5 type='listening' wait=5
 !     Failure in name='port listening check': unable to enter the container to check that the process is bound to the correct port and interface: ensure runtime PID namespace is host
       Healthcheck succeeded name='Web health check'                                   
       All checks successful (web.1)
=====> Start of opencodelists container output (web.1)
       /opt/venv/lib/python3.12/site-packages/django/db/backends/utils.py:98: RuntimeWarning: Accessing the database during app initialization is discouraged. To fix this warning, avoid executing queries in AppConfig.ready() or when your app modules are imported.
         warnings.warn(self.APPS_NOT_READY_WARNING_MSG, category=RuntimeWarning)
       System check identified some issues:
       WARNINGS:
       ?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
       ?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
       ?: (security.W009) Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it's prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random value, otherwise many of Django's security-critical features will be vulnerable to attack.
       ?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
       ?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
       System check identified 5 issues (0 silenced).
       /opt/venv/lib/python3.12/site-packages/django/db/backends/utils.py:98: RuntimeWarning: Accessing the database during app initialization is discouraged. To fix this warning, avoid executing queries in AppConfig.ready() or when your app modules are imported.
         warnings.warn(self.APPS_NOT_READY_WARNING_MSG, category=RuntimeWarning)
       Operations to perform:
         Apply all migrations: admin, auth, authtoken, bnf, bnfdmd, builder, codelists, contenttypes, ctv3, ctv3sctmap2, dmd, dmdvmpprevmap, icd10, opencodelists, readv2, sessions, snomedct, taggit, versioning
       Running migrations:
         No migrations to apply.
       [info     ] Starting gunicorn 23.0.0       [gunicorn.error]
       [info     ] Listening at: http://0.0.0.0:7000 (7) [gunicorn.error]

In particular note the lack of a dokku release task:

-----> Checking for release task
       No release task found, skipping

but that migrations are run because that's how the current docker file works.

  1. Redeploy the latest code from main
./local-redeploy.sh main

We still get the message about no release task, and the migrations are run just before gunicorn starts. The site is available at localhost:7000 and the changes in main but not in the test branch are visible - e.g. the "Development" banner and the better screenshots in the docs.

  1. Redeploy from this branch that moves the migrations to a release task
./local-redeploy.sh rw/dokku-migration-change

We now get the following logs:

-----> Releasing opencodelists...
-----> Checking for predeploy task
       No predeploy task found, skipping
-----> Checking for release task
-----> Executing release task from Procfile: /usr/bin/env bash /app/deploy/release.sh
=====> Start of opencodelists release task (6dc3a185f) output
 !     /opt/venv/lib/python3.12/site-packages/django/db/backends/utils.py:98: RuntimeWarning: Accessing the database during app initialization is discouraged. To fix this warning, avoid executing queries in AppConfig.ready() or when your app modules are imported.
 !       warnings.warn(self.APPS_NOT_READY_WARNING_MSG, category=RuntimeWarning)
 !     System check identified some issues:
 !     WARNINGS:
 !     ?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
 !     ?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
 !     ?: (security.W009) Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it's prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random value, otherwise many of Django's security-critical features will be vulnerable to attack.
 !     ?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
 !     ?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
 !     System check identified 5 issues (0 silenced).
 !     /opt/venv/lib/python3.12/site-packages/django/db/backends/utils.py:98: RuntimeWarning: Accessing the database during app initialization is discouraged. To fix this warning, avoid executing queries in AppConfig.ready() or when your app modules are imported.
 !       warnings.warn(self.APPS_NOT_READY_WARNING_MSG, category=RuntimeWarning)
       Operations to perform:
         Apply all migrations: admin, auth, authtoken, bnf, bnfdmd, builder, codelists, contenttypes, ctv3, ctv3sctmap2, dmd, dmdvmpprevmap, icd10, opencodelists, readv2, sessions, snomedct, taggit, versioning
       Running migrations:
         No migrations to apply.
=====> End of opencodelists release task (6dc3a185f) output
=====> Processing deployment checks
-----> Deploying opencodelists via the docker-local scheduler...
-----> Deploying web (count=1)
       Attempting pre-flight checks (web.1)
-----> Executing 2 healthchecks                                                        
       Running healthcheck name='Web health check' delay=30 path='/health-check' retries=9 timeout=60 type='path'
       Running healthcheck name='port listening check' attempts=3 port=7000 retries=2 timeout=5 type='listening' wait=5
 !     Failure in name='port listening check': unable to enter the container to check that the process is bound to the correct port and interface: ensure runtime PID namespace is host
       Healthcheck succeeded name='Web health check'                                   
       All checks successful (web.1)
=====> Start of opencodelists container output (web.1)
       [info     ] Starting gunicorn 23.0.0       [gunicorn.error]
       [info     ] Listening at: http://0.0.0.0:7000 (7) [gunicorn.error]

This shows that the release task is run, and that the migrations are run as part of that task, rather than when the container starts

@rw251
Move migrations into dokku release phase
66e6228 
- Removed the existing `prod.sh` file which ran migrations and executed the gunicorn command as part of the `ENTRYPOINT` docker command. This caused the migrations to run every time the container was run.
- Created a shell script `release.sh` which currently just does the migrations, but could do anything we need during the dokku release phase
- Added a Procfile to run the release script in the release phase, and the gunicorn web application in the web phase
@rw251 rw251 force-pushed the rw/dokku-migration-change branch from a3d336a to 5d23f6b Compare July 17, 2025 13:18
rw251 added 3 commits July 17, 2025 15:20
@rw251
Fix CI yml files to output logs on failure
b27998e 
docker_prod_1 seems to now be docker-prod-1, so changed this to spit out all docker logs on smoke test failure. In practice this will just be the prod image created in the `just docker-serve prod -d` line.
@rw251
Fix the smoke test
91a3e9f 
- Now that migrations are not run when the container is created, but in dokku, if we ever use the container outside of dokku it fails.
- The only place this seems to be is in the smoke test which attempts to start the docker container, and check that the app is served correctly
- Updated the smoke test to call the migration (release) script
- Also parameterized it so you can run it with different environments (dev, prod)
@rw251
Fix docker/storage dir to always have correct owner
28c1e03 
-  previously if docker/storage already existed, but with a different owner, then the chown was never run and the db could not be accessed
@rw251 rw251 force-pushed the rw/dokku-migration-change branch from 5d23f6b to 28c1e03 Compare July 17, 2025 14:20
@rw251 rw251 changed the title Rw/dokku migration change Move django migrations to dokku release phase Jul 17, 2025
@rw251 rw251 marked this pull request as ready for review July 17, 2025 15:39
lucyb
lucyb approved these changes Jul 17, 2025
View reviewed changes
Copy link
Contributor

@lucyb lucyb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great. Thanks again for picking it up. Please feel free to ignore the more pedantic comments if you'd prefer.

@rw251
Tidy up following review
569792b 
- Removed redundant comments (where there was also an `echo` message to the same effect
- Removed comment that likely to go out of date
- Clarified in the ADR the circumstances that led to us changing
@rw251 rw251 merged commit 247e0ba into main Jul 18, 2025
6 checks passed
@rw251 rw251 deleted the rw/dokku-migration-change branch July 18, 2025 07:49
@mikerkelly mikerkelly mentioned this pull request Sep 17, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lucyb lucyb lucyb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dokku deployments: Improve database migrations reliability

3 participants

@rw251 @lucyb