Dev - I had a conversation IRL with Todd recently, cc'd here -
not on the project but willing to help out. He has offered some
advice for the project to get the Docker distro of Apache
Fineract working again. I would like to have either a push back
or we should restore the docker file asap.
To recap:
The DockerHub Image is two years old, and the process to pull
from our Dev branch has been broken that entire time. It broke
when we removed the docker-build file with this ticket
https://issues.apache.org/jira/browse/FINERACT-1469.
With a Million downloads of fineract from DockerHUB, where that
version has multiple CVEs (security issues), we should not be
continuing to keep that there.
So, we need to fix the docker pipeline. Credentials will be
required from infra.
Todd's comments:
Extended Summary
The problem for the internal Fineract development pipeline is
that changes were made to the build process that
removed the expected Dockerfile
added an external dependency to the code repo (mifos
community-app web UI)
does not publish a public Fineract Docker image to Docker Hub
At first glance, the lack of a Dockerfile in the code might
seem to be the reason that no containers have been pushed to
Docker Hub. A Dockerfile is the standard way of creating
images. This is very confusing for many people (including
me), however this is not the actual problem because JIB (Java
Image Builder) is set up to build the image during testing
directly from java source code by Gradle in two places:
build-docker-postgresql.yml
build-docker-mariadb.yml
The problem is that JIB does not seem to be configured to
actually push the container image to Docker Hub. It only
seems to be configured to build the image for testing.
To solve this, two things need to be done:
* It needs to be decided when to push the image (and
possibly create a new GitHub Action to do it)
* Code needs to be added to configure JIB to know where to
push the image on Docker Hub (see this example)
* Credentials need to be supplied to the GitHub Action to
allow it actually push the image
Additional Open Source Observations (Optics)
Dockerfile
The removal of the Dockerfile from the repo is confusing
(especially coupled with the existence of a
docker-compose.yml file) and also makes it harder for
potential contributors to set up and run Fineract because now
dependencies need to be installed locally, rather than
running them all in containers.
The lack of a Dockerfile in the repository is nonstandard
from an Open Source perspective. Regardless of whether it is
needed by the Fineract build process or not, most open source
projects include a Dockerfile, and most open source users
expect one to exist in the repo so they can easily build /
run / test the project locally. Adding the Dockerfile back
to the repo should be trivial (and removes the need for JIB
entirely).
General Setup
The current Fineract process for building and running using
containers makes it significantly harder for developers to
get started with Fineract because a local Java environment
needs to be installed. More disappointing, a completely
different public set of instructions exist on Docker Hub .
These instructions do not work because they are out of date,
but are significantly easier for developers to use. Having
two sets of different install instructions is confusing, but
having the simpler set of instructions that do not work is a
very bad developer experience.
On Sun, Feb 18, 2024 at 8:46 PM VICTOR MANUEL ROMERO
RODRIGUEZ <victor.rom...@fintecheando.mx> wrote:
Hello,
Another way to have the Docker Hub image published (just
like Apache Tomcat):
https://github.com/docker-library/official-images
https://github.com/docker-library/tomcat
Regards
El dom, 18 feb 2024 a las 10:05, James Dailey
(<jdai...@apache.org>) escribió:
Is there an easy thing to request?
---------- Forwarded message ---------
From: *Gavin McDonald* <gmcdon...@apache.org>
Date: Sun, Feb 18, 2024 at 12:24 AM
Subject: Re: Docker help
To: James Dailey <jdai...@apache.org>
CC: Users <us...@infra.apache.org>
Hi James.
On Sun, Feb 18, 2024 at 3:00 AM James Dailey
<jdai...@apache.org> wrote:
Infra -
Can you confirm that we can use other processes
to push to apache DockerHUB?
Current supported methods are via Github Actions or
Jenkins or locally via your own credentials.
For Github Actions we can use a role account and
attach the secrets to your repository, or you
can provide your own secrets for us to add to your
repository
For Jenkins we have a role account that we provide
access to push to your repository.
Committers could also use a settings.xml with this
plugin and use their own credentials, we just need
to ensure they have push access to Dockerhub.
There may also be other methods not explored.
See also:
https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#authentication-methods
HTH
When I opened a ticket about this, I was told we
need a dockerfile at the root.
Can we use "jib-maven-plugin to publish the image
to Dockerhub". ? Can we get credentials ?
James
---------- Forwarded message ---------
From: *Arnold Galovics* <arn...@apache.org>
Date: Sun, Feb 11, 2024 at 10:45 PM
Subject: Re: Docker help
To: <dev@fineract.apache.org>
James,
This is the out-of-the box solution from
DockerHub which definitely won't work without a
Dockerfile. Though that doesn't mean it's the
only way to build a docker image; as I stated in
my previous email.
Best,
Arnold
On Mon, Feb 12, 2024 at 7:43 AM James Dailey
<jamespdai...@gmail.com> wrote:
On DockerHUB the build fails because there is
no dockerfile.
https://hub.docker.com/r/apache/fineract
2024-02-08T13:12:27Z Building in Docker
Cloud's infrastructure...
2024-02-08T13:12:28Z Cloning into '.'...
2024-02-08T13:12:28Z Warning: Permanently
added the RSA host key for IP address
'140.82.114.4' to the list of known hosts.
2024-02-08T13:12:48Z Reset branch 'develop'
2024-02-08T13:12:48Z Your branch is up to
date with 'origin/develop'.
2024-02-08T13:12:48Z Dockerfile not found at
./Dockerfile
Let's discuss on slack and revert back here.
My intention is to either DELETE the
DockerHUB repo or to get this working.
On Sun, Feb 11, 2024 at 10:14 PM Arnold
Galovics <arn...@apache.org> wrote:
Hi Zoltan, James,
Just to reflect on your points:
1) Let's not do such a radical change
unless we absolutely need to
2) I'm not sure what's the issue
here, please explain. We already have
docker builds in our pipeline via GitHub
Actions (using their runners), the only
missing piece is to do a docker push.
We need the credentials to be able to do
a docker push, alter the pipeline and
that's all.
If the only thing preventing us from
doing this is to keep asking the infra
team for the creds, let's pursue them
instead of making such an unnecessary change.
Arnold
On Mon, Feb 12, 2024 at 3:30 AM James
Dailey <jamespdai...@gmail.com> wrote:
Thanks Zoltan
Micheal - can you please comment on
this discussion? As this relates to
the Google deployment that you put in
place? Question!
On Sun, Feb 11, 2024 at 6:27 PM
Zoltan Mezei <zoltan.me...@zz-it.hu>
wrote:
Hi,
I think the real issue here is
that we use
GoogleContainerTools's Jib as the
build mechanism. It works
entirely without a Dockerfile.
And unfortunately
Dockerhub's Automated Builds
doesn't support building without
a Dockerfile. :-(
We have two ways to move forward:
1. Replace the Jib build with a
more traditional,
Dockerfile-based approach. This
would be a quite large change of
how Fineract is built and the
consequences need to be explored
- but it's definitely doable.
2. Stick with the Jib build, but
don't rely on
Dockerhub's Automated Builds, but
some other build tools like
jib-maven-plugin to publish the
image to Dockerhub. This could
also work, but it requires a
build server that I'm not sure we
have.
I can try to create a traditional
Dockerfile, but it will be
different from what Jib can
produce, so this might lead to
regressions.
Want me to try this approach next
week?
Kind regards,
Zoltan
On Sun, Feb 11, 2024 at 8:16 AM
James Dailey
<jamespdai...@gmail.com> wrote:
Victor - my read of the docs
is that the default “build
rule “ points to master or
main but we can also use dev.
In fact that’s what is
already there in dockerHUB
for our project.
I think a proper dockerfile
in dev branch should be fine.
Thanks
James
On Fri, Feb 9, 2024 at
7:47 PM VICTOR MANUEL ROMERO
RODRIGUEZ
<victor.rom...@fintecheando.mx>
wrote:
Reading the
dockerhub docs, I think
we can do the following:
1. Create a master branch
from develop branch
2. Add the Dockerfile
(and some scripting on it
for handling the
versions) on master branch
3. Dockerhub will use the
dockerfile (and
its scripts) from the
master branch
4. Create github action
for keeping in sync
develop with master, so
then it will push the
changes to the master
branch everytime the
develop branch has a
commit on it, then the
dockerhub will publish it
as the latest version.
Or... we can be more standard
1. Rename develop to master
2. Add a Dockerfile
template (and some
scripting on it for
handling the versions) on
master branch
3. Dockerhub will use the
dockerfile (and
its scripts) from the
master branch
4. Everytime a new commit
or tag is created, the
dockerhub will publish it
as the latest/specific
version.
What do you think?
Dockerhub automated
builds info:
https://docs.docker.com/docker-hub/builds
Regards
El vie, 9 feb 2024 a las
20:34, James Dailey
(<jamespdai...@gmail.com>)
escribió:
Victor - I was trying
to go down that path
as well, as that is
the error thrown and
the suggestion at
DockerHUB. However,
to add the key to
the git hub requires
access and the git is
controlled by Apache
Infra. I asked
infra@a.o. about that
since, again, that is
what DockerHUB had
documented.
Unfortunately, I
think infra has it
setup a specific way
to allow all of the
projects to publish
to the Apache
DockerHUB so that
route would appear to
be blocked.
On Fri, Feb 9, 2024
at 4:04 PM VICTOR
MANUEL ROMERO
RODRIGUEZ
<victor.rom...@fintecheando.mx>
wrote:
For making it
work without a
Dockerfile the
credentials of
the docker hub
account are
requiered.
If they are set
in the git
repository, a
github action can
be enabled for
this task.
Regards
El vie., 9 de
febrero de 2024
4:45 p. m.,
<jamespdai...@gmail.com>
escribió:
I've
re-opened
https://issues.apache.org/jira/browse/FINERACT-1164
This ticket
is to enable
the build at
DockerHUB to
work. For
the past two
years ++ the
Build has
failed.
https://hub.docker.com/r/apache/fineract
This docker
account is
held by
Apache and
the Fineract
project is
responsible
for the content.
The dockerHUB
has an "auto
build"
concept so
that every
committed
change on Dev
leads to a
new deployment.
The build is
actually
failing or
not running
because we
have removed
the
dockerbuild
file
from the root.
That is as
far as I've
gotten. I
suspect we
had good
reasons for
that at the
time.
Anyway, I
would also
say that if
we cannot get
the Docker
build to work
THEN we
should take
this down.
Our standard
is to only
support and
distribute
publicly the
last two
releases.
This build is
really old,
has unfixed
CVEs, and is
being
downloaded in
large
numbers. (no
idea why)
Thanks
James
--
*Gavin McDonald -
*
Systems Administrator, ASF Infrastructure Team
V.P Travel Assistance Committee
https://tac.apache.org - Applications now open for
Community Over Code 2024
in Bratislava, Slovakia. Don't delay, apply today!
