(Collins & Campbell - please start new thread)

On Wed, May 8, 2024 at 1:28 PM Collins Chuwa <collinsch...@gmail.com> wrote:

> Hi Campbell,
>
> Please would you be able to share the steps on how to get Fineract 1.8
> deployed with Docker?
> I have tried, doing this and could not get it to work.
>
> Collins
>
> On Thu, May 2, 2024 at 4:45 PM CCB <c...@herringbancorp.com> wrote:
>
>> Dev - Herring Bank has Fineract 1.8 running in docker at the moment and
>> is readying for 1.9.
>>
>> We would offer our help if needed.
>>
>> Campbell
>> On 5/2/2024 10:02 AM, James Dailey wrote:
>>
>> Dev -  I had a conversation IRL with Todd recently, cc'd here - not on
>> the project but willing to help out.  He has offered some advice for the
>> project to get the Docker distro of Apache Fineract working again.  I would
>> like to have either a push back or we should restore the docker file asap.
>>
>> To recap:
>>  The DockerHub Image is two years old, and the process to pull from our
>> Dev branch has been broken that entire time.  It broke when we removed the
>> docker-build file with this ticket
>> https://issues.apache.org/jira/browse/FINERACT-1469.
>>
>> With a Million downloads of fineract from DockerHUB, where that version
>> has multiple CVEs (security issues), we should not be continuing to keep
>> that there.
>>
>> So, we need to fix the docker pipeline.  Credentials will be required
>> from infra.
>>
>> Todd's comments:
>>
>> Extended Summary
>>>
>>> The problem for the internal Fineract development pipeline is that
>>> changes were made to the build process that
>>> removed the expected Dockerfile
>>> added an external dependency to the code repo (mifos community-app web
>>> UI)
>>> does not publish a public Fineract Docker image to Docker Hub
>>>
>>> At first glance, the lack of a Dockerfile in the code might seem to be
>>> the reason that no containers have been pushed to Docker Hub. A Dockerfile
>>> is the standard way of creating images. This is very confusing for many
>>> people (including me), however this is not the actual problem because JIB
>>> (Java Image Builder) is set up to build the image during testing directly
>>> from java source code by Gradle in two places:
>>>
>>> build-docker-postgresql.yml
>>> build-docker-mariadb.yml
>>>
>>> The problem is that JIB does not seem to be configured to actually push
>>> the container image to Docker Hub. It only seems to be configured to build
>>> the image for testing.
>>>
>>> To solve this, two things need to be done:
>>>
>>>
>>>    - It needs to be decided when to push the image (and possibly create
>>>    a new GitHub Action to do it)
>>>    - Code needs to be added to configure JIB to know where to push the
>>>    image on Docker Hub (see this example)
>>>    - Credentials need to be supplied to the GitHub Action to allow it
>>>    actually push the image
>>>
>>>
>>> Additional Open Source Observations (Optics)
>>>
>>> Dockerfile
>>>
>>> The removal of the Dockerfile from the repo is confusing (especially
>>> coupled with the existence of a docker-compose.yml file) and also makes it
>>> harder for potential contributors to set up and run Fineract because now
>>> dependencies need to be installed locally, rather than running them all in
>>> containers.
>>>
>>> The lack of a Dockerfile in the repository is nonstandard from an Open
>>> Source perspective. Regardless of whether it is needed by the Fineract
>>> build process or not, most open source projects include a Dockerfile, and
>>> most open source users expect one to exist in the repo so they can easily
>>> build / run / test the project locally.  Adding the Dockerfile back to the
>>> repo should be trivial (and removes the need for JIB entirely).
>>>
>>> General Setup
>>>
>>> The current Fineract process for building and running using containers
>>> makes it significantly harder for developers to get started with Fineract
>>> because a local Java environment needs to be installed. More disappointing,
>>> a completely different public set of instructions exist on Docker Hub .
>>> These instructions do not work because they are out of date, but are
>>> significantly easier for developers to use. Having two sets of different
>>> install instructions is confusing, but having the simpler set of
>>> instructions that do not work is a very bad developer experience.
>>>
>>>
>>>
>>>
>>> On Sun, Feb 18, 2024 at 8:46 PM VICTOR MANUEL ROMERO RODRIGUEZ <
>>> victor.rom...@fintecheando.mx> wrote:
>>>
>>>> Hello,
>>>>
>>>> Another way to have the Docker Hub image published (just like Apache
>>>> Tomcat):
>>>>
>>>> https://github.com/docker-library/official-images
>>>>
>>>> https://github.com/docker-library/tomcat
>>>>
>>>> Regards
>>>>
>>>>
>>>>
>>>> El dom, 18 feb 2024 a las 10:05, James Dailey (<jdai...@apache.org>)
>>>> escribió:
>>>>
>>>>> Is there an easy thing to request?
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: Gavin McDonald <gmcdon...@apache.org>
>>>>> Date: Sun, Feb 18, 2024 at 12:24 AM
>>>>> Subject: Re: Docker help
>>>>> To: James Dailey <jdai...@apache.org>
>>>>> CC: Users <us...@infra.apache.org>
>>>>>
>>>>>
>>>>> Hi James.
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Feb 18, 2024 at 3:00 AM James Dailey <jdai...@apache.org>
>>>>> wrote:
>>>>>
>>>>>> Infra -
>>>>>>
>>>>>> Can you confirm that we can use other processes to push to
>>>>>> apache DockerHUB?
>>>>>>
>>>>>
>>>>> Current supported methods are via Github Actions or Jenkins or locally
>>>>> via your own credentials.
>>>>>
>>>>> For Github Actions we can use a role account and attach the secrets to
>>>>> your repository, or you
>>>>> can provide your own secrets for us to add to your repository
>>>>>
>>>>> For Jenkins we have a role account that we provide access to push to
>>>>> your repository.
>>>>>
>>>>> Committers could also use a settings.xml with this plugin and use
>>>>> their own credentials, we just need
>>>>> to ensure they have push access to Dockerhub.
>>>>>
>>>>> There may also be other methods not explored.
>>>>>
>>>>> See also:
>>>>> https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#authentication-methods
>>>>>
>>>>> HTH
>>>>>
>>>>>>
>>>>>> When I opened a ticket about this, I was told we need a dockerfile at
>>>>>> the root.
>>>>>>
>>>>>> Can we use "jib-maven-plugin to publish the image to Dockerhub".  ?
>>>>>> Can we get credentials ?
>>>>>>
>>>>>> James
>>>>>>
>>>>>>
>>>>>> ---------- Forwarded message ---------
>>>>>> From: Arnold Galovics <arn...@apache.org>
>>>>>> Date: Sun, Feb 11, 2024 at 10:45 PM
>>>>>> Subject: Re: Docker help
>>>>>> To: <dev@fineract.apache.org>
>>>>>>
>>>>>>
>>>>>> James,
>>>>>>
>>>>>> This is the out-of-the box solution from DockerHub which definitely
>>>>>> won't work without a Dockerfile. Though that doesn't mean it's the only 
>>>>>> way
>>>>>> to build a docker image; as I stated in my previous email.
>>>>>>
>>>>>> Best,
>>>>>> Arnold
>>>>>>
>>>>>> On Mon, Feb 12, 2024 at 7:43 AM James Dailey <jamespdai...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> On DockerHUB the build fails because there is no dockerfile.
>>>>>>> https://hub.docker.com/r/apache/fineract
>>>>>>>
>>>>>>> 2024-02-08T13:12:27Z Building in Docker Cloud's infrastructure...
>>>>>>> 2024-02-08T13:12:28Z Cloning into '.'...
>>>>>>> 2024-02-08T13:12:28Z Warning: Permanently added the RSA host key for
>>>>>>> IP address '140.82.114.4' to the list of known hosts.
>>>>>>> 2024-02-08T13:12:48Z Reset branch 'develop'
>>>>>>> 2024-02-08T13:12:48Z Your branch is up to date with 'origin/develop'.
>>>>>>> 2024-02-08T13:12:48Z Dockerfile not found at ./Dockerfile
>>>>>>>
>>>>>>>
>>>>>>> Let's discuss on slack and revert back here.
>>>>>>>
>>>>>>> My intention is to either DELETE the DockerHUB repo or to get this
>>>>>>> working.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Feb 11, 2024 at 10:14 PM Arnold Galovics <arn...@apache.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Zoltan, James,
>>>>>>>>
>>>>>>>> Just to reflect on your points:
>>>>>>>> 1) Let's not do such a radical change unless we absolutely need to
>>>>>>>> 2) I'm not sure what's the issue here, please explain. We already
>>>>>>>> have docker builds in our pipeline via GitHub Actions (using their
>>>>>>>> runners), the only missing piece is to do a docker push.
>>>>>>>>
>>>>>>>> We need the credentials to be able to do a docker push, alter the
>>>>>>>> pipeline and that's all.
>>>>>>>>
>>>>>>>> If the only thing preventing us from doing this is to keep asking
>>>>>>>> the infra team for the creds, let's pursue them instead of making such 
>>>>>>>> an
>>>>>>>> unnecessary change.
>>>>>>>>
>>>>>>>> Arnold
>>>>>>>>
>>>>>>>> On Mon, Feb 12, 2024 at 3:30 AM James Dailey <
>>>>>>>> jamespdai...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Thanks Zoltan
>>>>>>>>>
>>>>>>>>> Micheal - can you please comment on this discussion?  As this
>>>>>>>>> relates to the Google deployment that you put in place?  Question!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sun, Feb 11, 2024 at 6:27 PM Zoltan Mezei <
>>>>>>>>> zoltan.me...@zz-it.hu> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I think the real issue here is that we use GoogleContainerTools's
>>>>>>>>>> Jib as the build mechanism. It works entirely without a Dockerfile. 
>>>>>>>>>> And
>>>>>>>>>> unfortunately Dockerhub's Automated Builds doesn't support building 
>>>>>>>>>> without
>>>>>>>>>> a Dockerfile. :-(
>>>>>>>>>>
>>>>>>>>>> We have two ways to move forward:
>>>>>>>>>>
>>>>>>>>>> 1. Replace the Jib build with a more traditional,
>>>>>>>>>> Dockerfile-based approach. This would be a quite large change of how
>>>>>>>>>> Fineract is built and the consequences need to be explored - but it's
>>>>>>>>>> definitely doable.
>>>>>>>>>> 2. Stick with the Jib build, but don't rely on
>>>>>>>>>> Dockerhub's Automated Builds, but some other build tools like
>>>>>>>>>> jib-maven-plugin to publish the image to Dockerhub. This could also 
>>>>>>>>>> work,
>>>>>>>>>> but it requires a build server that I'm not sure we have.
>>>>>>>>>>
>>>>>>>>>> I can try to create a traditional Dockerfile, but it will be
>>>>>>>>>> different from what Jib can produce, so this might lead to 
>>>>>>>>>> regressions.
>>>>>>>>>>
>>>>>>>>>> Want me to try this approach next week?
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Zoltan
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Sun, Feb 11, 2024 at 8:16 AM James Dailey <
>>>>>>>>>> jamespdai...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Victor - my read of the docs is that the default “build rule “
>>>>>>>>>>> points to master or main but we can also use dev. In fact that’s 
>>>>>>>>>>> what is
>>>>>>>>>>> already there in dockerHUB for our project.
>>>>>>>>>>>
>>>>>>>>>>> I think a proper dockerfile in dev branch should be fine.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> James
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 9, 2024 at 7:47 PM VICTOR MANUEL ROMERO RODRIGUEZ <
>>>>>>>>>>> victor.rom...@fintecheando.mx> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Reading the dockerhub docs, I think we can do the following:
>>>>>>>>>>>>
>>>>>>>>>>>> 1. Create a master branch from develop branch
>>>>>>>>>>>> 2. Add the Dockerfile (and some scripting on it for handling
>>>>>>>>>>>> the versions) on master branch
>>>>>>>>>>>> 3. Dockerhub will use the dockerfile (and its scripts) from the
>>>>>>>>>>>> master branch
>>>>>>>>>>>> 4. Create github action for keeping in sync develop with
>>>>>>>>>>>> master, so then it will push the changes to the master branch 
>>>>>>>>>>>> everytime the
>>>>>>>>>>>> develop branch has a commit on it, then the dockerhub will publish 
>>>>>>>>>>>> it as
>>>>>>>>>>>> the latest version.
>>>>>>>>>>>>
>>>>>>>>>>>> Or... we can be more standard
>>>>>>>>>>>>
>>>>>>>>>>>> 1. Rename develop to master
>>>>>>>>>>>> 2. Add a Dockerfile template (and some scripting on it for
>>>>>>>>>>>> handling the versions) on master branch
>>>>>>>>>>>> 3. Dockerhub will use the dockerfile (and its scripts) from the
>>>>>>>>>>>> master branch
>>>>>>>>>>>> 4. Everytime a new commit or tag is created, the dockerhub will
>>>>>>>>>>>> publish it as the latest/specific version.
>>>>>>>>>>>>
>>>>>>>>>>>> What do you think?
>>>>>>>>>>>>
>>>>>>>>>>>> Dockerhub automated builds info:
>>>>>>>>>>>> https://docs.docker.com/docker-hub/builds
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> El vie, 9 feb 2024 a las 20:34, James Dailey (<
>>>>>>>>>>>> jamespdai...@gmail.com>) escribió:
>>>>>>>>>>>>
>>>>>>>>>>>>> Victor - I was trying to go down that path as well, as that is
>>>>>>>>>>>>> the error thrown and the suggestion at DockerHUB.  However, to 
>>>>>>>>>>>>> add the key
>>>>>>>>>>>>> to the git hub requires access and  the git is controlled by 
>>>>>>>>>>>>> Apache Infra.
>>>>>>>>>>>>> I asked infra@a.o. about that since, again, that is what
>>>>>>>>>>>>> DockerHUB had documented.  Unfortunately, I think infra has it 
>>>>>>>>>>>>> setup a
>>>>>>>>>>>>> specific way to allow all of the projects to publish to the Apache
>>>>>>>>>>>>> DockerHUB so that route would appear to be blocked.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Feb 9, 2024 at 4:04 PM VICTOR MANUEL ROMERO RODRIGUEZ <
>>>>>>>>>>>>> victor.rom...@fintecheando.mx> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> For making it work without a Dockerfile the credentials of
>>>>>>>>>>>>>> the docker hub account are requiered.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If they are set in the git repository, a github action can be
>>>>>>>>>>>>>> enabled for this task.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> El vie., 9 de febrero de 2024 4:45 p. m., <
>>>>>>>>>>>>>> jamespdai...@gmail.com> escribió:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I've re-opened
>>>>>>>>>>>>>>> https://issues.apache.org/jira/browse/FINERACT-1164
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This ticket is to enable the build at DockerHUB to work.
>>>>>>>>>>>>>>> For the past two years ++ the Build has failed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://hub.docker.com/r/apache/fineract
>>>>>>>>>>>>>>> This docker account is held by Apache and the Fineract
>>>>>>>>>>>>>>> project is responsible for the content.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The dockerHUB has an "auto build" concept so that every
>>>>>>>>>>>>>>> committed change on Dev leads to a new deployment.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The build is actually failing or not running because we
>>>>>>>>>>>>>>> have removed the dockerbuild file from the root.  That is as 
>>>>>>>>>>>>>>> far as I've
>>>>>>>>>>>>>>> gotten.  I suspect we had good reasons for that at the time.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Anyway, I would also say that if we cannot get the Docker
>>>>>>>>>>>>>>> build to work THEN we should take this down.  Our standard is 
>>>>>>>>>>>>>>> to only
>>>>>>>>>>>>>>> support and distribute publicly the last two releases. This 
>>>>>>>>>>>>>>> build is really
>>>>>>>>>>>>>>> old, has unfixed CVEs, and is being downloaded in large 
>>>>>>>>>>>>>>> numbers.  (no idea
>>>>>>>>>>>>>>> why)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>> *Gavin McDonald - *
>>>>> Systems Administrator, ASF Infrastructure Team
>>>>> V.P Travel Assistance Committee
>>>>>
>>>>> https://tac.apache.org - Applications now open for Community Over
>>>>> Code 2024
>>>>> in Bratislava, Slovakia. Don't delay, apply today!
>>>>>
>>>>> --
>>
>> Herring BANCORP ®
>>
>>
>> *C. Campbell Burgess *President/CEO
>> Office: (806) 373-3921 | Direct: (806) 242-3704
>>
>> c...@herringbancorp.com
>>
>>
>> *Herring Bancorp*
>> 2201 Civic Circle, Suite 1000
>> <https://www.google.com/maps/search/2201+Civic+Circle,+Suite+1000+%0D%0A++++++++++++Amarillo,+TX+79109?entry=gmail&source=g>
>> Amarillo, TX 79109
>> <https://www.google.com/maps/search/2201+Civic+Circle,+Suite+1000+%0D%0A++++++++++++Amarillo,+TX+79109?entry=gmail&source=g>
>>
>> www.herringbank.com
>>
>> CONFIDENTIALITY NOTE: This e-mail is intended only for the use of the
>> individual or entity to which it is addressed and may contain information
>> that is privileged, confidential and exempt from disclosure under
>> applicable law. If the reader of this e-mail message is not the intended
>> recipient, or the employee or agent responsible for delivery of the message
>> to the intended recipient, you are hereby notified that any dissemination,
>> distribution or copying of this communication is prohibited. If you have
>> received this e-mail in error, please notify us immediately by telephone at
>> (303) 565-7001 and also indicate the sender's name. Thank you.
>>
>>
>>
>>
>>
>>
>>
>>
>

Reply via email to