Here are my expanded thoughts on the 4 items:

1. Tomcat exposes 8080 out of the box; a user can always enable and expose SSL in their config. I would recommend against this because not everyone will enable SSL. For example, many times SSL is terminated prior to traffic being sent to TomEE. While it would not hurt to leave the port exposed and unused, it does not really make sense either. I would recommend against this and leave only port 8080 exposed.

2. I am glad to hear we are ready for JDK 11; I need to be better at lurking.

3. I would recommend against this as well. Again, not everyone will want it this way. I personally do not use the VOLUME tags in this way. This is something that is easier to add by someone if they need it and more difficult to remove if we ship it enabled.

4. Personally, I like the idea of running as a user 'tomee'. Tomcat runs as root out of the box, which I think is less secure, but is easier to ship and maintain. If we decide to run as tomee, I would do it this way:

    RUN useradd tomee \
        && chown -R tomee:tomee /usr/local/tomee

As an overall viewpoint, I would make our TomEE images as minimal as possible, something that works out of the box and requires as little undoing as possible for our users. This is why I am against 1 and 3 above. This is also why I could be against 4, but I would think everyone would want to run as tomee, though that is arguable.

Question on the general way we do things here, given that I am new: Do we try to follow the Tomcat way of doing things, given that we include Tomcat as base? I know TomEE is a complete stand-alone product, but I am not sure how coupled we are with the Tomcat project. (Maybe this question is better asked in a separate email chain.)

Thanks,
Rod.

On 10/29/19, 5:01 AM, "Jonathan Gallimore" <[email protected]> wrote:

My suggestion here would be to follow up with comments on the PR in the form of a review on GitHub, but also follow up here to enable the community that is not following the PR to be in the loop and participate.

My specific response to your 4 points:

1. What does Tomcat do in this regard? Feel free to suggest a concrete alternative. I'm ok with a different approach, but wouldn't want to shut off https altogether, for example. Plenty of people require https on TomEE.

2. JDK11 should be fine with TomEE 8. I'd also be ok with TomEE 8 + JDK 8 *and* TomEE 8 + JDK 11 so users have a choice.

3. Sounds good.

4. Propose your alternative - I doubt anyone is particularly wedded to the current approach. It looks a little messy to me.

> I would be happy to become responsible for the Docker releases.

I don't know that's necessarily a thing that can be handed out :-). Anyone should be able to review PRs, and also mark them as approved (or ask for feedback). Be sure to post on the mailing list, even if it feels no-one is reading (they are reading!). There's a final step where a PR has to be opened here:

https://github.com/docker-library/official-images/blob/master/library/tomee

once changes are merged in the docker-tomee repository in order for official images to appear on Dockerhub. If you find that PRs are not merged into that repo, do shout on the mailing list here.

None of these things should require any special permission, only encouragement from the rest of us. If you do them, you'll basically be responsible for Docker releases, and I'm sure the community will greatly appreciate your help. Go for it!!

Jon

On Tue, Oct 29, 2019 at 4:05 AM Jenkins, Rodney J (Rod) <[email protected]> wrote:

> All,
>
> I would like to work on getting the docker images updated. However, I see
> that someone has already issued a pull request to do this work. In looking
> at the pull request, I see some things that I would be concerned with.
>
> 1. Added 8443 as an SSL exposed port. As far as I understand this is
>    not in line with how Tomcat is done in Docker.
> 2. Added JDK11, which I did not think was fully working.
> 3. Added `VOLUME` tags for webapps, logs, and conf.
> 4. Creates a tomee user to run as (which I would support, just not the
>    way it was done).
>
> Here is the link to the pull request that Casell created:
> https://github.com/tomitribe/docker-tomee/pull/36/commits/ae8f3ac40a350915e0d77788d44b2b9466475e46
>
> I would be happy to become responsible for the Docker releases. Given
> that I have been a lurker for some time, I am sure you will want to oversee
> my efforts so as not to give the team a black eye.
>
> Please advise on how I can help here!!
>
> Thanks,
> Rod.
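The non-root pattern Rod proposes in point 4 (useradd plus chown), carried through to a complete image that also keeps to point 1 (only 8080 exposed). This is an added example, not part of the thread and not the docker-tomee project's Dockerfile. It assumes the base image eclipse-temurin:8-jre, an unpacked TomEE distribution at ./apache-tomee/ in the build context, and TomEE's stock catalina.sh launcher; the directory layout under /usr/local/tomee is the standard Tomcat one. It goes one step beyond Rod's snippet by giving the tomee account write access only to the directories the server must write to, so a compromised webapp cannot rewrite bin/, lib/ or conf/.

```dockerfile
# Added example (assumption: eclipse-temurin:8-jre as base; not the docker-tomee image).
FROM eclipse-temurin:8-jre

ENV CATALINA_HOME=/usr/local/tomee \
    PATH=/usr/local/tomee/bin:$PATH

# Dedicated system account: no home directory, no login shell. The JVM
# should never run as root inside the container.
RUN useradd --system --no-create-home --shell /usr/sbin/nologin tomee

# Assumption: the build context contains an unpacked TomEE distribution.
COPY apache-tomee/ $CATALINA_HOME/

# Everything is root-owned and readable (not writable) by the tomee group.
# Only the directories TomEE writes at runtime are handed to the tomee user.
# Tomcat's HostConfig tries to create conf/Catalina/localhost at startup, so
# it is pre-created here and owned by tomee while conf/ itself stays read-only.
RUN chown -R root:tomee $CATALINA_HOME \
    && chmod -R g-w,o-rwx $CATALINA_HOME \
    && mkdir -p $CATALINA_HOME/conf/Catalina/localhost \
    && chown -R tomee:tomee \
         $CATALINA_HOME/logs \
         $CATALINA_HOME/temp \
         $CATALINA_HOME/work \
         $CATALINA_HOME/webapps \
         $CATALINA_HOME/conf/Catalina

WORKDIR $CATALINA_HOME

# Plain HTTP only; TLS termination stays outside the container unless a
# downstream image enables it.
EXPOSE 8080

# All RUN steps above executed as root; switch before CMD so the server
# process itself runs as tomee.
USER tomee

CMD ["catalina.sh", "run"]
```

A quick check after `docker build -t tomee-nonroot .` is `docker run --rm tomee-nonroot id`, which overrides CMD and must report the tomee uid rather than uid 0; `docker run --rm tomee-nonroot touch /usr/local/tomee/conf/server.xml` should fail with a permission error, confirming the configuration is not writable from the running process.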
