Dockerfile: Build fpush based on glibc instead of musl-libc

Open sando38 opened this issue 1 year ago • 2 comments

Follow up PR for the first Dockerfile.

  • Building Fpush based on Wolfi/OS instead of Alpine Linux to use glibc instead of musl-libc
  • Add tini signal handling helper to improve container environment integration, e.g. Kubernetes
  • Update Docker Readme to include a hint about legacy ciphers used by Apple P12 files (this may be better located in the main README.md file)

Motivation:

  • Musl-libc may have some issues with Rust
  • Potentially improving the performance by switching to glibc linked binaries (not yet statistically evaluated, but too many positive examples exist, e.g. processone/ejabberd, istio/ztunnel, etc.)

The corresponding Docker image is used in a production environment.

NB: I opened the PR right away due to its simple nature, but feel free to provide any feedback, concerns etc. 👍

sando38 avatar Aug 06 '24 14:08 sando38

For those wondering: Although we did not review this PR on GitHub, it was reviewed and discussed out-of-band with the author of this PR. As a result, a new dockerfile has been pushed to master. The new Dockerfile reuses parts of the existing nix build description, hopefully reducing the number of build system types to maintain. Once @sando38 has had time to test the new Dockerfile, we will see if this PR is still needed, or if it has been superseded by the new Dockerfile.

FriedrichAltheide avatar Sep 11 '24 18:09 FriedrichAltheide

Hello @FriedrichAltheide

I finally got the chance to test the nix based file. If running with the provided Dockerfile, I have the following error:

root@xmpp:~/fpush# podman run --rm --init -v $PWD/settings.json:/etc/fpush/settings.json -v $PWD/apns.p12:/apns.p12 -v $PWD/google.json:/google.json localhost/fpush:nix
[2024-09-30T06:36:18Z INFO  fpush] Loading config file /etc/fpush/settings.json
[2024-09-30T06:36:18Z ERROR fpush_fcm::push] Could not load fcm DeviceFlowAuthenticator: failed to build hyper client: no valid native root CA certificates found (0 invalid)
thread 'main' panicked at /tmp/nix-build-cargo-package-0.0.1.drv-0/source/fpush-push/src/lib.rs:77:26:
called `Result::unwrap()` on an `Err` value: PushErrors(CertLoading)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The problem here is that the scratch "image" does not serve any system certificates.

Suggestion: use cgr.dev/chainguard/static instead of scratch. The chainguard/static images are widely used and well maintained in the community. 👍

sando38 avatar Sep 30 '24 11:09 sando38
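
The missing trust store reported in the comment above can be detected before a container is started. The following is an added example, not part of the thread or the fpush repository: it checks an unpacked image root filesystem for a CA bundle. The path list is an assumed, non-exhaustive set of common Linux trust store locations, and `find_ca_bundle` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: preflight check for a CA bundle in an unpacked image rootfs.
# One way to unpack an image (run by hand, not by this script):
#   cid=$(podman create localhost/fpush:nix)
#   mkdir rootfs && podman export "$cid" | tar -x -C rootfs

# Assumption: common trust store locations, relative to the rootfs.
CA_BUNDLE_PATHS="
etc/ssl/certs/ca-certificates.crt
etc/ssl/cert.pem
etc/ssl/ca-bundle.pem
etc/pki/tls/certs/ca-bundle.crt
etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
"

# Print "<path> <certificate count>" for the first bundle that holds at least
# one PEM certificate. Return 1 when no usable bundle exists, which is the
# state of a bare scratch image or of an image with an empty bundle file.
find_ca_bundle() {
    root=$1
    for rel in $CA_BUNDLE_PATHS; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        # grep -c exits non-zero on zero matches; keep the count anyway.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -gt 0 ]; then
            echo "/$rel $n"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: ./check-ca.sh rootfs
if [ "$#" -gt 0 ]; then
    find_ca_bundle "$1" || {
        echo "no CA bundle found under $1: TLS clients will fail to verify peers" >&2
        exit 1
    }
fi
```
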

I'm not sure what the status of this PR etc. is, I'll close this now.

tmolitor-stud-tu avatar Oct 20 '24 11:10 tmolitor-stud-tu

Hi @tmolitor-stud-tu, I think this PR should have been superseded by this branch https://github.com/monal-im/fpush/tree/faltheide/disco2 which needs adjustments with respect to my comment from above. Let me know about the status of that branch and I can adjust the Dockerfile there with the required changes.

sando38 avatar Oct 21 '24 06:10 sando38

Yes, please create a pr to this branch fixing your cert issue. I'll merge that branch to master afterwards :)

tmolitor-stud-tu avatar Dec 18 '24 00:12 tmolitor-stud-tu

@tmolitor-stud-tu I updated the changes in this branch 👍

sando38 avatar Dec 29 '24 18:12 sando38