docker-zulip
Passphrase rotation doesn't work
According to the readme, just changing the vars within `docker-compose.yaml` should properly update all passphrases. Instead, the next container cluster boot ends abruptly with some unhappy services. So far, it looks like this is what's needed:
- [ ] Secret generation should always happen (https://github.com/zulip/docker-zulip/blob/master/entrypoint.sh#L205)
- [ ] Postgres' entrypoint needs to properly update when given a new passphrase
Making secret generation always run should be safe and easy; we actually do that in the non-Docker Zulip webapp upgrade script already (`scripts/lib/upgrade-zulip-stage-2` in zulip/zulip), so I don't expect any issues with just changing the logic in `entrypoint.sh` to just always run it.
The postgres issue is actually kinda annoying; here's the upstream `docker-entrypoint.sh`. It just makes no attempt to do anything in the event that the database has already been created:
https://github.com/docker-library/postgres/blob/eff90effc6b5578be90bef93d96b3fceb1082a7c/10/docker-entrypoint.sh
So there are two options:
- Give instructions for how to do a `docker exec` into the postgres image to run `psql` to run the appropriate `ALTER USER` command.
- Submit a PR upstream extending the postgres image to auto-change the password in its `docker-entrypoint.sh`, and modify `Dockerfile-postgresql` in zulip/zulip to copy the patched version of the file in place (so we don't need to wait for upstream to merge).
For the second option above, I just opened https://github.com/docker-library/postgres/issues/487.
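
The first option in the comment above (a `docker exec` into the postgres container to run `psql` with `ALTER USER`), as an added example that is not part of the original thread or of docker-zulip. The container name, role name and the helper function names are assumptions supplied by the caller; it also assumes `psql` inside the container can connect over the local socket without the old password, and that `standard_conforming_strings` is on (the PostgreSQL default).

```shell
#!/bin/sh
# Added example: rotate a PostgreSQL role password in an already-initialised
# container. All function names here are hypothetical helpers.

# Quote a value as a SQL string literal by doubling single quotes.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Quote a role name as a SQL identifier by doubling double quotes.
sql_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Build the ALTER USER statement; kept separate so it can be inspected
# or tested without a running database.
alter_user_sql() {
    printf 'ALTER USER %s WITH PASSWORD %s;\n' \
        "$(sql_ident "$1")" "$(sql_literal "$2")"
}

# rotate_pg_password CONTAINER ROLE NEW_PASSWORD
# The statement goes to psql on stdin, so the new password never appears
# in the argument list of docker or psql (visible via ps on the host).
rotate_pg_password() {
    container=$1
    role=$2
    newpw=$3
    alter_user_sql "$role" "$newpw" |
        docker exec -i "$container" \
            psql -X -q -v ON_ERROR_STOP=1 -U "$role" -d postgres
}

# Run only when called with the three arguments, for example:
#   NEWPW=... ; sh rotate.sh <postgres-container> <role> "$NEWPW"
if [ "$#" -eq 3 ]; then
    rotate_pg_password "$1" "$2" "$3"
fi
```

If the server has `log_statement` set to `ddl` or `all`, the statement, including the new password, is written to the PostgreSQL log. Update the passphrase in `docker-compose.yaml` to the same value before the next boot so the application and the database agree.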