frontend icon indicating copy to clipboard operation
frontend copied to clipboard
verified publisher icon SciCatProject

fix: dockerfile: use unprivileged nginx

Open cfelder opened this issue 1 year ago • 6 comments

This allows running this container w/ arbitrary uid support

Description

Short description of the pull request

Motivation

running SciCat in an OpenShift environment w/ arbitrary uids

Fixes:

  • nginx unprivileged

Changes:

  • unprivileged port 8080

Summary by Sourcery

Use the unprivileged nginx image to support running the container with arbitrary user IDs, and update the exposed port to 8080.

Build:

  • Switch to using the nginxinc/nginx-unprivileged base image in the Dockerfile.

CI:

  • Update the docker-compose configuration to expose port 8080 instead of 80.

cfelder avatar Nov 12 '24 15:11 cfelder

the e2e tests require the nginx.conf file, don't delete it

bpedersen2 avatar Nov 12 '24 16:11 bpedersen2

The mapping change in docker-compose was correct. But preserve the nginx.conf file and the cleanups in the docker file.

Note that this Dockerfile not meant for direct production use, as it contains lots of default passwords.

bpedersen2 avatar Nov 14 '24 10:11 bpedersen2

needs a rebase to get the restructred e2e tests ( the docker composefiel touched is then correct

bpedersen2 avatar Nov 29 '24 09:11 bpedersen2

I added a few more reviewers, as this also requires all downstream consumers of the image to adjust the port mapping.

Probably needs updates in the docs and in scicatlive.

BE e2e tests should work automatically, as the frontend container only exposes one port, so that traefik will pick it up correctly (https://doc.traefik.io/traefik/providers/docker/#port-detection).

bpedersen2 avatar Dec 27 '24 12:12 bpedersen2

Probably needs updates in the docs and in scicatlive.

Scicatlive is also fine as it also uses traefik

bpedersen2 avatar Dec 27 '24 12:12 bpedersen2

@bpedersen2 could you please review and approved, if possible?

nitrosx avatar Apr 30 '25 10:04 nitrosx

Apparently one test is failing after merging master into this PR. Unfortunately, I cannot judge if this is a glitch or a reasonable failure. I would really appreciate if we can move this PR forward to get rid of manually patching our own fork for an unprivileged deployment. ptal @bpedersen2.

cfelder avatar Jun 06 '25 07:06 cfelder

https://github.com/SciCatProject/frontend/commit/d7bfbbb95f74548151f40683e47d0ac5ddb8814f#r162312535

This change breaks SciCat Live's config.json-merging feature in merge.json.sh, specifically the line apk update && apk add jq gettext, because apk does not exist on this image.

https://github.com/SciCatProject/scicatlive/blob/57731e4bf81dd902f395dbe47a24a9039e2576cd/entrypoints/merge_json.sh#L5

https://github.com/SciCatProject/scicatlive/blob/57731e4bf81dd902f395dbe47a24a9039e2576cd/services/frontend/compose.base.yaml#L12

SciCat live's front end can no longer find its back end, partly because it doesn't know the URL, and partly because the proxy is not forwarding to the correct port (needs to be 8080 now).

GBirkel avatar Jul 17 '25 21:07 GBirkel