Hello Jon,

I forked the repo and have started some examples on using docker. Here is where I am headed: https://github.com/scriptmonkey/tomee/tree/add_docker_examples/examples/docker-examples
Any comments would be welcome.

Thanks,
Rod.

On 10/29/19, 10:08 AM, "Jonathan Gallimore" <[email protected]> wrote:

On Tue, Oct 29, 2019 at 2:34 PM Jenkins, Rodney J (Rod) <[email protected]> wrote:

> Here are my expanded thoughts on the 4 items:
>
> 1. Tomcat exposes 8080 out of the box, a user can always enable and
> expose SSL in their config. I would recommend against this because not
> everyone will enable SSL. For example many times SSL is terminated prior
> to traffic being sent to TomEE. While it would not hurt to leave the port
> exposed and unused, it does not really make sense either. I would
> recommend against this and leaving port 8080 only exposed.

If it's possible for someone to expose 8443 (or whichever port they want) by adding the config and using `-p` then personally, I'd be ok with that.

> 2. I am glad to hear we are ready for JDK 11, I need to be better at
> lurking.

It's fairly recent. If TomEE 8.0.0 (not the milestone releases) isn't working on Java 11 for something, we'd want to know, and fix it. Choice of JDK for the images might not be a bad thing though.

> 3. I would recommend against this as well. Again, not everyone will want
> it this way. I personally do not use the VOLUME tags in this way. This is
> something that is easier to add by someone if they need it and more
> difficult to remove if we ship it enabled.

I think I had probably missed the original point. I'd hook this up with `-v` if I were doing it, as opposed to VOLUME tags.

> 4. Personally, I like the idea of running as a user 'tomee'. Tomcat runs
> as root out of the box, which I think is less secure, but is easier to ship
> and maintain.
>
> If we decide to run as tomee, I would do it this way:
>
> RUN useradd tomee \
>     && chown -R tomee:tomee /usr/local/tomee

Sounds reasonable.

> As an overall viewpoint, I would make our TomEE images as minimal as
> possible, something that works out of the box, and requires as little
> undoing for our users. This is why I am against 1 and 3 above. This is
> also why I could be against 4, but I would think everyone would want to run
> as tomee, but that is arguable.

The PR is interesting, as it diverges quite a bit from the M3 images: https://github.com/tomitribe/docker-tomee/blob/master/11-jre-8.0.0-M3-plus/Dockerfile

Taking the M3 dockerfile and adding the specific TomEE user as you illustrate above sounds reasonable to me, and is in keeping with the existing images, and sounds like it'll fit well with Tomcat. One thing that we lack is a page on the website with documentation on using the images. Probably doesn't need to be too wordy, but example commands for scenarios we've discussed here would be a good start.

> Question on the general way we do things here, given that I am new: Do we
> try to follow the Tomcat way of doing things given that we include tomcat
> as base? I know TomEE is a complete stand-alone product, but I am not sure
> how coupled we are with the Tomcat project. (maybe this question is better
> asked in a separate email chain)

"Be Tomcat" is a good guiding principle, and one that appears to have been successful for a number of years, so lining up with how Tomcat does things is a good idea. But with respect to Docker images, it isn't a hard-and-fast rule. I think adding a specific TomEE user account in the image, for example, is a reasonable and justified change. Do you want to propose a different PR, and also see if you can send a PR for a page with some example Docker commands?

Jon
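The image pattern the thread converges on (a dedicated `tomee` user, only port 8080 declared, no VOLUME baked in, HTTPS and config mounts left to `-p` and `-v` at run time), written out as an added example. This is not code from the thread, from the forked repo, or from the tomitribe/docker-tomee repository. It assumes a Debian-based base image with the hypothetical tag `tomee:11-jre-8.0.0-M3-plus` (substitute whatever the linked M3 Dockerfile produces), the install path /usr/local/tomee from Rod's snippet, and `catalina.sh run` as the start command. It goes slightly beyond the quoted `chown -R` by giving the account write access only to the directories TomEE has to write, so the server's own binaries and default configuration stay root-owned.

```dockerfile
# Added example, not the project's Dockerfile. The base tag is an assumption;
# the M3 Dockerfile linked in the thread is the real starting point.
FROM tomee:11-jre-8.0.0-M3-plus

# Install location quoted in the thread.
ENV CATALINA_HOME=/usr/local/tomee

# Create a system account with no login shell and no home directory.
# Rather than chown -R over the whole tree, hand the account only the
# directories TomEE writes at run time. lib/, bin/ and conf/ remain owned by
# root, so an application running as tomee cannot rewrite the server itself.
RUN useradd --system --no-create-home --shell /usr/sbin/nologin tomee \
    && chown -R tomee:tomee \
         "$CATALINA_HOME/logs" \
         "$CATALINA_HOME/temp" \
         "$CATALINA_HOME/work" \
         "$CATALINA_HOME/webapps"

# Only the plain HTTP port is declared, matching Tomcat's out-of-the-box
# behaviour. An HTTPS connector added through mounted config is published by
# the operator with -p; no VOLUME is declared, mounts are done with -v.
EXPOSE 8080

# Everything from here on, including the server process, runs unprivileged.
USER tomee
WORKDIR /usr/local/tomee
CMD ["catalina.sh", "run"]
```

After `docker build -t tomee-nonroot .`, the scenarios from the thread are all run-time flags rather than image decisions: `docker run --rm -p 8080:8080 -p 8443:8443 -v "$PWD/conf/server.xml:/usr/local/tomee/conf/server.xml:ro" tomee-nonroot` publishes an HTTPS connector defined in the mounted server.xml and keeps that file read-only to the container. `docker exec <container> id -un` should print `tomee`; if an application needs to write outside logs/, temp/, work/ or webapps/, it fails with a permission error in catalina.out, which is the intended least-privilege signal. The thread's simpler `chown -R tomee:tomee /usr/local/tomee` is a fair trade if that strictness is unwanted, at the cost of making conf/ and lib/ writable by the server process.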
