Dev - Herring Bank has Fineract 1.8 running in docker at the moment and is readying for 1.9.

We would offer our help if needed.

Campbell

On 5/2/2024 10:02 AM, James Dailey wrote:
Dev -  I had a conversation IRL with Todd recently, cc'd here - not on the project but willing to help out.  He has offered some advice for the project to get the Docker distro of Apache Fineract working again.  I would like to have either a push back or we should restore the docker file asap.

To recap:
 The DockerHub Image is two years old, and the process to pull from our Dev branch has been broken that entire time.  It broke when we removed the docker-build file with this ticket
https://issues.apache.org/jira/browse/FINERACT-1469.

With a Million downloads of fineract from DockerHUB, where that version has multiple CVEs (security issues), we should not be continuing to keep that there.

So, we need to fix the docker pipeline.  Credentials will be required from infra.

Todd's comments:

    Extended Summary

    The problem for the internal Fineract development pipeline is that
    changes were made to the build process that
    removed the expected Dockerfile
    added an external dependency to the code repo (mifos community-app
    web UI)
    does not publish a public Fineract Docker image to Docker Hub

    At first glance, the lack of a Dockerfile in the code might seem
    to be the reason that no containers have been pushed to Docker
    Hub. A Dockerfile is the standard way of creating images. This is
    very confusing for many people (including me), however this is not
    the actual problem because JIB (Java Image Builder) is set up to
    build the image during testing directly from java source code by
    Gradle in two places:

    build-docker-postgresql.yml
    build-docker-mariadb.yml

    The problem is that JIB does not seem to be configured to actually
    push the container image to Docker Hub. It only seems to be
    configured to build the image for testing.

    To solve this, two things need to be done:

      * It needs to be decided when to push the image (and possibly
        create a new GitHub Action to do it)
      * Code needs to be added to configure JIB to know where to push
        the image on Docker Hub (see this example)
      * Credentials need to be supplied to the GitHub Action to allow
        it actually push the image


    Additional Open Source Observations (Optics)

    Dockerfile

    The removal of the Dockerfile from the repo is confusing
    (especially coupled with the existence of a docker-compose.yml
    file) and also makes it harder for potential contributors to set
    up and run Fineract because now dependencies need to be installed
    locally, rather than running them all in containers.

    The lack of a Dockerfile in the repository is nonstandard from an
    Open Source perspective. Regardless of whether it is needed by the
    Fineract build process or not, most open source projects include a
    Dockerfile, and most open source users expect one to exist in the
    repo so they can easily build / run / test the project locally. 
    Adding the Dockerfile back to the repo should be trivial (and
    removes the need for JIB entirely).

    General Setup

    The current Fineract process for building and running using
    containers makes it significantly harder for developers to get
    started with Fineract because a local Java environment needs to be
    installed. More disappointing, a completely different public set
    of instructions exist on Docker Hub . These instructions do not
    work because they are out of date, but are significantly easier
    for developers to use. Having two sets of different install
    instructions is confusing, but having the simpler set of
    instructions that do not work is a very bad developer experience.




    On Sun, Feb 18, 2024 at 8:46 PM VICTOR MANUEL ROMERO RODRIGUEZ
    <victor.rom...@fintecheando.mx> wrote:

        Hello,

        Another way to have the Docker Hub image published (just like
        Apache Tomcat):

        https://github.com/docker-library/official-images

        https://github.com/docker-library/tomcat

        Regards



        El dom, 18 feb 2024 a las 10:05, James Dailey
        (<jdai...@apache.org>) escribió:

            Is there an easy thing to request?

            ---------- Forwarded message ---------
            From: *Gavin McDonald* <gmcdon...@apache.org>
            Date: Sun, Feb 18, 2024 at 12:24 AM
            Subject: Re: Docker help
            To: James Dailey <jdai...@apache.org>
            CC: Users <us...@infra.apache.org>


            Hi James.



            On Sun, Feb 18, 2024 at 3:00 AM James Dailey
            <jdai...@apache.org> wrote:

                Infra -

                Can you confirm that we can use other processes to
                push to apache DockerHUB?


            Current supported methods are via Github Actions or
            Jenkins or locally via your own credentials.

            For Github Actions we can use a role account and attach
            the secrets to your repository, or you
            can provide your own secrets for us to add to your repository

            For Jenkins we have a role account that we provide access
            to push to your repository.

            Committers could also use a settings.xml with this plugin
            and use their own credentials, we just need
            to ensure they have push access to Dockerhub.

            There may also be other methods not explored.

            See also:
            
https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#authentication-methods

            HTH


                When I opened a ticket about this, I was told we need
                a dockerfile at the root.

                Can we use "jib-maven-plugin to publish the image to
                Dockerhub".  ?  Can we get credentials ?

                James


                ---------- Forwarded message ---------
                From: *Arnold Galovics* <arn...@apache.org>
                Date: Sun, Feb 11, 2024 at 10:45 PM
                Subject: Re: Docker help
                To: <dev@fineract.apache.org>


                James,

                This is the out-of-the box solution from DockerHub
                which definitely won't work without a Dockerfile.
                Though that doesn't mean it's the only way to build a
                docker image; as I stated in my previous email.

                Best,
                Arnold

                On Mon, Feb 12, 2024 at 7:43 AM James Dailey
                <jamespdai...@gmail.com> wrote:

                    On DockerHUB the build fails because there is no
                    dockerfile. https://hub.docker.com/r/apache/fineract

                    2024-02-08T13:12:27Z Building in Docker Cloud's
                    infrastructure...
                    2024-02-08T13:12:28Z Cloning into '.'...
                    2024-02-08T13:12:28Z Warning: Permanently added
                    the RSA host key for IP address '140.82.114.4' to
                    the list of known hosts.
                    2024-02-08T13:12:48Z Reset branch 'develop'
                    2024-02-08T13:12:48Z Your branch is up to date
                    with 'origin/develop'.
                    2024-02-08T13:12:48Z Dockerfile not found at
                    ./Dockerfile


                    Let's discuss on slack and revert back here.

                    My intention is to either DELETE the DockerHUB
                    repo or to get this working.





                    On Sun, Feb 11, 2024 at 10:14 PM Arnold Galovics
                    <arn...@apache.org> wrote:

                        Hi Zoltan, James,

                        Just to reflect on your points:
                        1) Let's not do such a radical change unless
                        we absolutely need to
                        2) I'm not sure what's the issue here, please
                        explain. We already have docker builds in our
                        pipeline via GitHub Actions (using their
                        runners), the only missing piece is to do a
                        docker push.

                        We need the credentials to be able to do a
                        docker push, alter the pipeline and that's all.

                        If the only thing preventing us from doing
                        this is to keep asking the infra team for the
                        creds, let's pursue them instead of making
                        such an unnecessary change.

                        Arnold

                        On Mon, Feb 12, 2024 at 3:30 AM James Dailey
                        <jamespdai...@gmail.com> wrote:

                            Thanks Zoltan

                            Micheal - can you please comment on this
                            discussion?  As this relates to the Google
                            deployment that you put in place? Question!





                            On Sun, Feb 11, 2024 at 6:27 PM Zoltan
                            Mezei <zoltan.me...@zz-it.hu> wrote:

                                Hi,

                                I think the real issue here is that we
                                use GoogleContainerTools's Jib as the
                                build mechanism. It works entirely
                                without a Dockerfile. And
                                unfortunately Dockerhub's Automated
                                Builds doesn't support building
                                without a Dockerfile. :-(

                                We have two ways to move forward:

                                1. Replace the Jib build with a more
                                traditional, Dockerfile-based
                                approach. This would be a quite large
                                change of how Fineract is built and
                                the consequences need to be explored -
                                but it's definitely doable.
                                2. Stick with the Jib build, but don't
                                rely on Dockerhub's Automated Builds,
                                but some other build tools like
                                jib-maven-plugin to publish the image
                                to Dockerhub. This could also work,
                                but it requires a build server that
                                I'm not sure we have.

                                I can try to create a traditional
                                Dockerfile, but it will be different
                                from what Jib can produce, so this
                                might lead to regressions.

                                Want me to try this approach next week?

                                Kind regards,
                                Zoltan



                                On Sun, Feb 11, 2024 at 8:16 AM James
                                Dailey <jamespdai...@gmail.com> wrote:

                                    Victor - my read of the docs is
                                    that the default “build rule “
                                    points to master or main but we
                                    can also use dev. In fact that’s
                                    what is already there in dockerHUB
                                    for our project.

                                    I think a proper dockerfile in dev
                                    branch should be fine.

                                    Thanks
                                    James

                                    On Fri, Feb 9, 2024 at 7:47 PM
                                    VICTOR MANUEL ROMERO RODRIGUEZ
                                    <victor.rom...@fintecheando.mx> wrote:

                                        Reading the dockerhub docs, I
                                        think we can do the following:

                                        1. Create a master branch from
                                        develop branch
                                        2. Add the Dockerfile (and
                                        some scripting on it for
                                        handling the versions) on
                                        master branch
                                        3. Dockerhub will use the
                                        dockerfile (and its scripts)
                                        from the master branch
                                        4. Create github action for
                                        keeping in sync develop with
                                        master, so then it will push
                                        the changes to the master
                                        branch everytime the develop
                                        branch has a commit on it,
                                        then the dockerhub will
                                        publish it as the latest version.

                                        Or... we can be more standard

                                        1. Rename develop to master
                                        2. Add a Dockerfile template
                                        (and some scripting on it for
                                        handling the versions) on
                                        master branch
                                        3. Dockerhub will use the
                                        dockerfile (and its scripts)
                                        from the master branch
                                        4. Everytime a new commit or
                                        tag is created, the dockerhub
                                        will publish it as the
                                        latest/specific version.

                                        What do you think?

                                        Dockerhub automated builds
                                        info:
                                        
https://docs.docker.com/docker-hub/builds

                                        Regards



                                        El vie, 9 feb 2024 a las
                                        20:34, James Dailey
                                        (<jamespdai...@gmail.com>)
                                        escribió:

                                            Victor - I was trying to
                                            go down that path as well,
                                            as that is the error
                                            thrown and the suggestion
                                            at DockerHUB. However, to
                                            add the key to the git
                                            hub requires access and
                                            the git is controlled by
                                            Apache Infra. I asked
                                            infra@a.o. about that
                                            since, again, that is what
                                            DockerHUB had documented.
                                            Unfortunately, I think
                                            infra has it setup a
                                            specific way to allow all
                                            of the projects to publish
                                            to the Apache DockerHUB so
                                            that route would appear to
                                            be blocked.



                                            On Fri, Feb 9, 2024 at
                                            4:04 PM VICTOR MANUEL
                                            ROMERO RODRIGUEZ
                                            <victor.rom...@fintecheando.mx>
                                            wrote:

                                                For making it work
                                                without a Dockerfile
                                                the credentials of the
                                                docker hub account are
                                                requiered.

                                                If they are set in the
                                                git repository, a
                                                github action can be
                                                enabled for this task.

                                                Regards

                                                El vie., 9 de febrero
                                                de 2024 4:45 p. m.,
                                                <jamespdai...@gmail.com>
                                                escribió:

                                                    I've re-opened
                                                    
https://issues.apache.org/jira/browse/FINERACT-1164


                                                    This ticket is to
                                                    enable the build
                                                    at DockerHUB to
                                                    work.  For the
                                                    past two years ++
                                                    the Build has failed.

                                                    
https://hub.docker.com/r/apache/fineract
                                                    This docker
                                                    account is held by
                                                    Apache and the
                                                    Fineract project
                                                    is responsible for
                                                    the content.

                                                    The dockerHUB has
                                                    an "auto build"
                                                    concept so that
                                                    every committed
                                                    change on Dev
                                                    leads to a new
                                                    deployment.

                                                    The build is
                                                    actually failing
                                                    or not running
                                                    because we
                                                    have removed the
                                                    dockerbuild file
                                                    from the root.
                                                    That is as far as
                                                    I've gotten.  I
                                                    suspect we had
                                                    good reasons for
                                                    that at the time.

                                                    Anyway, I would
                                                    also say that if
                                                    we cannot get the
                                                    Docker build to
                                                    work THEN we
                                                    should take this
                                                    down. Our standard
                                                    is to only support
                                                    and distribute
                                                    publicly the last
                                                    two releases. This
                                                    build is really
                                                    old, has unfixed
                                                    CVEs, and is being
                                                    downloaded in
                                                    large numbers.
                                                     (no idea why)

                                                    Thanks
                                                    James



--
            *Gavin McDonald -
            *
            Systems Administrator, ASF Infrastructure Team
            V.P Travel Assistance Committee

            https://tac.apache.org - Applications now open for
            Community Over Code 2024
            in Bratislava, Slovakia. Don't delay, apply today!

--

Herring BANCORP®

*C. Campbell Burgess
*President/CEO
Office: (806) 373-3921 | Direct: (806) 242-3704

c...@herringbancorp.com


*Herring Bancorp*
2201 Civic Circle, Suite 1000
Amarillo, TX 79109

www.herringbank.com <http://www.herringbank.com>

CONFIDENTIALITY NOTE: This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this e-mail message is not the intended recipient, or the employee or agent responsible for delivery of the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify us immediately by telephone at (303) 565-7001 and also indicate the sender's name. Thank you.



Reply via email to