Hello James et al, This is the PR Github Action for DockerHub Publishing for your review:
https://github.com/apache/fineract/pull/3887/files Regards El mié, 8 may 2024 a las 19:53, VICTOR MANUEL ROMERO RODRIGUEZ (< victor.rom...@fintecheando.mx>) escribió: > Keep Jib. > > Let me share one PR for discussion/review. > > The docker compose file can point to Docker Hub image. Of course not build > from docker compose just download the latest version. (not building) > > > > El mié, 8 may 2024 a las 19:28, James Dailey (<jamespdai...@gmail.com>) > escribió: > >> Ok. So… Aleks - comment ? >> Zoltan , Victor - can we come to a decision on this? >> >> Keep Jib >> Add GitHub action >> Yes? >> >> >> >> >> On Mon, May 6, 2024 at 2:00 PM todd densmore <tdensm...@gmail.com> wrote: >> >>> James, >>> >>> (adding comments as requested - but from here it looks like there is >>> enough momentum from the team to resolve the core issue) >>> >>> Firstly, it looks like a custom role can be added to the repo to allow >>> GitHub Actions (ie Jib) to push new images to DockerHub. Some new GitHub >>> Action code will have to be added to do the "push", but that is trivial. >>> Both of these tasks can be done quickly and easily, and solves the short >>> term problem of getting current Fineract images to DockerHub. This is an >>> immediate win and resolves the most immediate issue. >>> >>> The second issue that Fineract may wish to address is whether or not to >>> include a Dockerfile in the public repo. >>> >>> The docker-compose file (pointing to DockerHub) that is currently >>> included in the Fineract repo *will work*, allowing new users to get >>> setup quickly. However users will have no way to create new local versions >>> of the Fineract container image locally without installing the complete >>> java (Jib) toolchain. This may not be an issue at all if most users already >>> have a local java environment. For casual users looking to contribute to >>> Fineract, this may present a bit of friction. >>> >>> Including a Dockerfile in the repo can be done *without replacing Jib*. >>> However, having a visible Dockerfile that is NOT used with the non-visible >>> Jib build process will be confusing. Keeping the Dockerfile up to date will >>> also be harder, since the file will not be the single source of truth. This >>> may or not be an issue for the team. >>> >>> Lastly (and probably the most contentious option) would be to replace >>> the Jib image build tooling with the more common Dockerfile build >>> mechanism. This represents more work from the team, but also increases the >>> transparency from the outside user. This may not be an issue for the team >>> (especially if the number of outside contributors is small). >>> >>> -Todd >>> >>> On Sun, May 5, 2024 at 1:51 PM James Dailey <jamespdai...@gmail.com> >>> wrote: >>> >>>> Victor - thank you for your PR and Zoltan for your comments. >>>> >>>> On Fri, May 3, 2024 at 10:31 AM VICTOR MANUEL ROMERO RODRIGUEZ < >>>> victor.rom...@fintecheando.mx> wrote: >>>> >>>>> James, >>>>> >>>>> I think that this option is also viable: >>>>> >>>>> "For Github Actions we can use a role account and attach the secrets >>>>> to your repository" >>>>> >>>>> At this point there are two options >>>>> >>>>> 1. Apache Infra has to add the secrets to the Apache Fineract >>>>> repository and then we can create/modify github actions for using the >>>>> existing Jib library. >>>>> >>>> This approach maintains the same consistent build but is a bit >>>> non-standard? The problem with option #2 is that there will be effectively >>>> two "builds" from the same source, and they won't match because the Jib >>>> library is in use by active dev teams on the project today. >>>> >>>> >>>>> 2. Merge the https://github.com/apache/fineract/pull/3879 to the >>>>> develop branch in order to allow Dockerhub to build/publish a new docker >>>>> image. >>>>> >>>> This approach returns the project to a more standard approach? It >>>> does not require special action by Infra but creates a separate and >>>> potentially inconsistent build. >>>> >>>>> >>>>> Any other option or discussion about the solution for having an >>>>> updated Apache Fineract image published on Dockerhub is welcome. >>>>> >>>> agreed - last call for comments on which of these. I'm leaning toward >>>> the second because it requires no action by Infra and is the shortest path >>>> to getting a new image at DockerHUB. >>>> >>>> Todd- can you comment? >>>> >>>> >>>>> >>>>> Best regards >>>>> >>>>> Victor >>>>> >>>>> Regards >>>>> >>>>> Víctor Romero >>>>> >>>>> El vie, 3 may 2024 a las 8:56, James Dailey (<jdai...@apache.org>) >>>>> escribió: >>>>> >>>>>> As this relates to this thread but was over on infra users... >>>>>> >>>>>> >>>>>> ---------- Forwarded message --------- >>>>>> From: Gavin McDonald <gmcdon...@apache.org> >>>>>> Date: Sun, Feb 18, 2024 at 12:24 AM >>>>>> Subject: Re: Docker help >>>>>> To: James Dailey <jdai...@apache.org> >>>>>> Cc: Users <us...@infra.apache.org> >>>>>> >>>>>> >>>>>> Hi James. >>>>>> >>>>>> >>>>>> >>>>>> On Sun, Feb 18, 2024 at 3:00 AM James Dailey <jdai...@apache.org> >>>>>> wrote: >>>>>> >>>>>>> Infra - >>>>>>> >>>>>>> Can you confirm that we can use other processes to push to >>>>>>> apache DockerHUB? >>>>>>> >>>>>> >>>>>> Current supported methods are via Github Actions or Jenkins or >>>>>> locally via your own credentials. >>>>>> >>>>>> For Github Actions we can use a role account and attach the secrets >>>>>> to your repository, or you >>>>>> can provide your own secrets for us to add to your repository >>>>>> >>>>>> For Jenkins we have a role account that we provide access to push to >>>>>> your repository. >>>>>> >>>>>> Committers could also use a settings.xml with this plugin and use >>>>>> their own credentials, we just need >>>>>> to ensure they have push access to Dockerhub. >>>>>> >>>>>> There may also be other methods not explored. >>>>>> >>>>>> See also: >>>>>> https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#authentication-methods >>>>>> >>>>>> HTH >>>>>> >>>>>>> >>>>>>> When I opened a ticket about this, I was told we need a dockerfile >>>>>>> at the root. >>>>>>> >>>>>>> Can we use "jib-maven-plugin to publish the image to Dockerhub". ? >>>>>>> Can we get credentials ? >>>>>>> >>>>>>> James >>>>>>> >>>>>>> >>>>>>> ---------- Forwarded message --------- >>>>>>> From: Arnold Galovics <arn...@apache.org> >>>>>>> Date: Sun, Feb 11, 2024 at 10:45 PM >>>>>>> Subject: Re: Docker help >>>>>>> To: <dev@fineract.apache.org> >>>>>>> >>>>>>> >>>>>>> James, >>>>>>> >>>>>>> This is the out-of-the box solution from DockerHub which definitely >>>>>>> won't work without a Dockerfile. Though that doesn't mean it's the only >>>>>>> way >>>>>>> to build a docker image; as I stated in my previous email. >>>>>>> >>>>>>> Best, >>>>>>> Arnold >>>>>>> >>>>>>> On Mon, Feb 12, 2024 at 7:43 AM James Dailey <jamespdai...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> On DockerHUB the build fails because there is no dockerfile. >>>>>>>> https://hub.docker.com/r/apache/fineract >>>>>>>> >>>>>>>> 2024-02-08T13:12:27Z Building in Docker Cloud's infrastructure... >>>>>>>> 2024-02-08T13:12:28Z Cloning into '.'... >>>>>>>> 2024-02-08T13:12:28Z Warning: Permanently added the RSA host key >>>>>>>> for IP address '140.82.114.4' to the list of known hosts. >>>>>>>> 2024-02-08T13:12:48Z Reset branch 'develop' >>>>>>>> 2024-02-08T13:12:48Z Your branch is up to date with >>>>>>>> 'origin/develop'. >>>>>>>> 2024-02-08T13:12:48Z Dockerfile not found at ./Dockerfile >>>>>>>> >>>>>>>> >>>>>>>> Let's discuss on slack and revert back here. >>>>>>>> >>>>>>>> My intention is to either DELETE the DockerHUB repo or to get this >>>>>>>> working. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Sun, Feb 11, 2024 at 10:14 PM Arnold Galovics <arn...@apache.org> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hi Zoltan, James, >>>>>>>>> >>>>>>>>> Just to reflect on your points: >>>>>>>>> 1) Let's not do such a radical change unless we absolutely need to >>>>>>>>> 2) I'm not sure what's the issue here, please explain. We already >>>>>>>>> have docker builds in our pipeline via GitHub Actions (using their >>>>>>>>> runners), the only missing piece is to do a docker push. >>>>>>>>> >>>>>>>>> We need the credentials to be able to do a docker push, alter the >>>>>>>>> pipeline and that's all. >>>>>>>>> >>>>>>>>> If the only thing preventing us from doing this is to keep asking >>>>>>>>> the infra team for the creds, let's pursue them instead of making >>>>>>>>> such an >>>>>>>>> unnecessary change. >>>>>>>>> >>>>>>>>> Arnold >>>>>>>>> >>>>>>>>> On Mon, Feb 12, 2024 at 3:30 AM James Dailey < >>>>>>>>> jamespdai...@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Thanks Zoltan >>>>>>>>>> >>>>>>>>>> Micheal - can you please comment on this discussion? As this >>>>>>>>>> relates to the Google deployment that you put in place? Question! >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Sun, Feb 11, 2024 at 6:27 PM Zoltan Mezei < >>>>>>>>>> zoltan.me...@zz-it.hu> wrote: >>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> I think the real issue here is that we use >>>>>>>>>>> GoogleContainerTools's Jib as the build mechanism. It works entirely >>>>>>>>>>> without a Dockerfile. And unfortunately Dockerhub's Automated Builds >>>>>>>>>>> doesn't support building without a Dockerfile. :-( >>>>>>>>>>> >>>>>>>>>>> We have two ways to move forward: >>>>>>>>>>> >>>>>>>>>>> 1. Replace the Jib build with a more traditional, >>>>>>>>>>> Dockerfile-based approach. This would be a quite large change of how >>>>>>>>>>> Fineract is built and the consequences need to be explored - but >>>>>>>>>>> it's >>>>>>>>>>> definitely doable. >>>>>>>>>>> 2. Stick with the Jib build, but don't rely on >>>>>>>>>>> Dockerhub's Automated Builds, but some other build tools like >>>>>>>>>>> jib-maven-plugin to publish the image to Dockerhub. This could also >>>>>>>>>>> work, >>>>>>>>>>> but it requires a build server that I'm not sure we have. >>>>>>>>>>> >>>>>>>>>>> I can try to create a traditional Dockerfile, but it will be >>>>>>>>>>> different from what Jib can produce, so this might lead to >>>>>>>>>>> regressions. >>>>>>>>>>> >>>>>>>>>>> Want me to try this approach next week? >>>>>>>>>>> >>>>>>>>>>> Kind regards, >>>>>>>>>>> Zoltan >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Sun, Feb 11, 2024 at 8:16 AM James Dailey < >>>>>>>>>>> jamespdai...@gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Victor - my read of the docs is that the default “build rule “ >>>>>>>>>>>> points to master or main but we can also use dev. In fact that’s >>>>>>>>>>>> what is >>>>>>>>>>>> already there in dockerHUB for our project. >>>>>>>>>>>> >>>>>>>>>>>> I think a proper dockerfile in dev branch should be fine. >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> James >>>>>>>>>>>> >>>>>>>>>>>> On Fri, Feb 9, 2024 at 7:47 PM VICTOR MANUEL ROMERO RODRIGUEZ < >>>>>>>>>>>> victor.rom...@fintecheando.mx> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Reading the dockerhub docs, I think we can do the following: >>>>>>>>>>>>> >>>>>>>>>>>>> 1. Create a master branch from develop branch >>>>>>>>>>>>> 2. Add the Dockerfile (and some scripting on it for handling >>>>>>>>>>>>> the versions) on master branch >>>>>>>>>>>>> 3. Dockerhub will use the dockerfile (and its scripts) from >>>>>>>>>>>>> the master branch >>>>>>>>>>>>> 4. Create github action for keeping in sync develop with >>>>>>>>>>>>> master, so then it will push the changes to the master branch >>>>>>>>>>>>> everytime the >>>>>>>>>>>>> develop branch has a commit on it, then the dockerhub will >>>>>>>>>>>>> publish it as >>>>>>>>>>>>> the latest version. >>>>>>>>>>>>> >>>>>>>>>>>>> Or... we can be more standard >>>>>>>>>>>>> >>>>>>>>>>>>> 1. Rename develop to master >>>>>>>>>>>>> 2. Add a Dockerfile template (and some scripting on it for >>>>>>>>>>>>> handling the versions) on master branch >>>>>>>>>>>>> 3. Dockerhub will use the dockerfile (and its scripts) from >>>>>>>>>>>>> the master branch >>>>>>>>>>>>> 4. Everytime a new commit or tag is created, the dockerhub >>>>>>>>>>>>> will publish it as the latest/specific version. >>>>>>>>>>>>> >>>>>>>>>>>>> What do you think? >>>>>>>>>>>>> >>>>>>>>>>>>> Dockerhub automated builds info: >>>>>>>>>>>>> https://docs.docker.com/docker-hub/builds >>>>>>>>>>>>> >>>>>>>>>>>>> Regards >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> El vie, 9 feb 2024 a las 20:34, James Dailey (< >>>>>>>>>>>>> jamespdai...@gmail.com>) escribió: >>>>>>>>>>>>> >>>>>>>>>>>>>> Victor - I was trying to go down that path as well, as that >>>>>>>>>>>>>> is the error thrown and the suggestion at DockerHUB. However, >>>>>>>>>>>>>> to add the >>>>>>>>>>>>>> key to the git hub requires access and the git is controlled by >>>>>>>>>>>>>> Apache >>>>>>>>>>>>>> Infra. I asked infra@a.o. about that since, again, that is >>>>>>>>>>>>>> what DockerHUB had documented. Unfortunately, I think infra has >>>>>>>>>>>>>> it setup a >>>>>>>>>>>>>> specific way to allow all of the projects to publish to the >>>>>>>>>>>>>> Apache >>>>>>>>>>>>>> DockerHUB so that route would appear to be blocked. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Fri, Feb 9, 2024 at 4:04 PM VICTOR MANUEL ROMERO RODRIGUEZ >>>>>>>>>>>>>> <victor.rom...@fintecheando.mx> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> For making it work without a Dockerfile the credentials of >>>>>>>>>>>>>>> the docker hub account are requiered. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> If they are set in the git repository, a github action can >>>>>>>>>>>>>>> be enabled for this task. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> El vie., 9 de febrero de 2024 4:45 p. m., < >>>>>>>>>>>>>>> jamespdai...@gmail.com> escribió: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I've re-opened >>>>>>>>>>>>>>>> https://issues.apache.org/jira/browse/FINERACT-1164 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> This ticket is to enable the build at DockerHUB to work. >>>>>>>>>>>>>>>> For the past two years ++ the Build has failed. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://hub.docker.com/r/apache/fineract >>>>>>>>>>>>>>>> This docker account is held by Apache and the Fineract >>>>>>>>>>>>>>>> project is responsible for the content. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The dockerHUB has an "auto build" concept so that every >>>>>>>>>>>>>>>> committed change on Dev leads to a new deployment. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The build is actually failing or not running because we >>>>>>>>>>>>>>>> have removed the dockerbuild file from the root. That is as >>>>>>>>>>>>>>>> far as I've >>>>>>>>>>>>>>>> gotten. I suspect we had good reasons for that at the time. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Anyway, I would also say that if we cannot get the Docker >>>>>>>>>>>>>>>> build to work THEN we should take this down. Our standard is >>>>>>>>>>>>>>>> to only >>>>>>>>>>>>>>>> support and distribute publicly the last two releases. This >>>>>>>>>>>>>>>> build is really >>>>>>>>>>>>>>>> old, has unfixed CVEs, and is being downloaded in large >>>>>>>>>>>>>>>> numbers. (no idea >>>>>>>>>>>>>>>> why) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>> James >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>> >>>>>> -- >>>>>> >>>>>> >>>>>> *Gavin McDonald - * >>>>>> Systems Administrator, ASF Infrastructure Team >>>>>> V.P Travel Assistance Committee >>>>>> >>>>>> https://tac.apache.org - Applications now open for Community Over >>>>>> Code 2024 >>>>>> in Bratislava, Slovakia. Don't delay, apply today! >>>>>> >>>>>>
