[jira] [Commented] (OFBIZ-10407) create a docker image from the ofbiz system

2020-03-08 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17054398#comment-17054398
 ] 

Pierre Smits commented on OFBIZ-10407:
--

The provided Dockerfile may be derived from the version in another project, but 
is tailored to OFBiz testing and evaluation. You should let that argument go, 
[~mbrohl].

Having different images on docker hub for all OFBiz variants (based on choice 
of production grade RDBMS and with/without plugins) requires some serious 
parameterisation.

The project is not there yet.

> create a docker image from the ofbiz system
> ---
>
> Key: OFBIZ-10407
> URL: https://issues.apache.org/jira/browse/OFBIZ-10407
> Project: OFBiz
> Issue Type: Improvement
> Affects Versions: Trunk
> Reporter: Hans Bakker
> Priority: Major
> Labels: DevOps
> Attachments: docker.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Attached an initial docker version from OFBiz copied from our GrowERP 
> production system translated to svn repositories.
> I propose to create a docker directory in the ofbiz framework root of which a 
> patch is attached.
> The image result is stored in hub.docker.com under the name ofbiz/full-trunk.
> It can be started in a docker environment with the following command:
>     docker run -p 80:8080 -p 443:8443 ofbiz/full-trunk
> and after about 30 seconds it can be shown in the browser under:
>     https://0.0.0.0/catalog/control/main
> The image can be created by executing this command in the ofbiz root when
> the patch is applied:
>     docker build -t ofbiz/full-trunk docker
> The password to the ofbiz account at hub.docker.com will be supplied upon
> request.
>
> See the discussion on the mailing list at
> https://markmail.org/message/n7wcgroslj7v3gfe?q=docker+ofbiz



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Comment Edited] (OFBIZ-10407) create a docker image from the ofbiz system

2020-03-08 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17054366#comment-17054366
 ] 

Michael Brohl edited comment on OFBIZ-10407 at 3/8/20, 10:46 AM:
-

The recommended distro for Open JDK is Adopt Open JDK which is not just another 
download location. Maybe we should make it more clear in the README but it 
should not prevent us from using it in our official Repo/dists.

Since the Docker image(s) are just for testing and evaluation purposes as you 
stated, it should not matter that the code is installed in another directory 
(/opt, which is not so unusual for the installation of additional software 
packages).

I don't see any reason to install additional software packages which are not 
needed so why not remove them to a minimum? It makes the build time shorter and 
maintenance easier. The current dockerfile seems to be a stripped down version 
from Yetus and is not tailored to fit our needs.

I'll work on an alternative which will address my concerns so that we will have 
a selection to choose from.

As for the location to provide them, we should hear what others have to say. I 
also imagine to provide the different images on the docker hub like many other 
Apache projects do so it might be reasonable to think that way.

 




[jira] [Commented] (OFBIZ-10407) create a docker image from the ofbiz system

2020-03-08 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17054366#comment-17054366
 ] 

Michael Brohl commented on OFBIZ-10407:
---

The recommended distro for Open JDK is Adopt Open JDK which is not just another 
download location. Maybe we should make it more clear in the README but it 
should not prevent us from using it in our official Repo/dists.

Since the Docker image(s) are just for testing and evaluation purposes as you 
stated, it should not matter that the code is installed in another directory 
(/opt, which is not so unusual for the installation of additional software 
packages).

I don't see any reason to install additional software packages which are not 
needed so why not remove them to a minimum? It makes the build time shorter and 
maintenance easier.

I'll work on an alternative which will address my concerns so that we will have 
a selection to choose from.

As for the location to provide them, we should hear what others have to say. I 
also imagine to provide the different images on the docker hub like many other 
Apache projects do so it might be reasonable to think that way.

 



[jira] [Commented] (OFBIZ-10407) create a docker image from the ofbiz system

2020-03-08 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17054356#comment-17054356
 ] 

Pierre Smits commented on OFBIZ-10407:
--

Thank you, [~mbrohl], for your feedback.


 * Re "we should use the Adopt Open JDK as listed in the requirements"
   The readme.adoc in the repository on Github states
   "The only requirement to run OFBiz is to have the Java Development Kit (JDK)
   version 8 installed on your system"
   and provides a link to an advised download location. However, many Linux
   distros (including Ubuntu) provide OpenJDK binaries ready to use. So there is
   no need to do it differently;
 * Re "Explicit Java installation can be removed by directly selecting the right
   Adopt Open JDK Docker image"
   The Adopt Open JDK Docker image puts the OpenJDK code at a different location
   than what has grown into a de facto standard in Linux distros. We should not
   follow this approach.
 * Re "The used Ubuntu is outdated, we should use the 18.04 LTS release"
   This has been corrected in an update to the PR
 * Re "what about the Apache Yetus comment, seems to belong to another Docker
   image?"
   This has been corrected in an update to the PR
 * Re "the setup seems to add/install more than is needed"
   The proposed Dockerfile is intended for testing and evaluation purposes, not
   for running a production setup where some of the added packages may not be
   desired. For now, I suggest going with it as it is.

Regarding your other thoughts on using Dockerfiles for releases and moving it 
outside of the codebase:
A release where this is incorporated is still far into the future. But you're 
correct: before we arrive at that moment this should be addressed. However, 
mature projects (vis-à-vis generating docker images) tend to have a CI process in 
play that ensures that images generated automatically use the code based on 
either branch or tag. We're not there yet. 

Having the Dockerfile outside of the codebase has some negative side effects:
 * we add additional complexity which needs to be communicated and maintained
 * we add additional complexity in CI processes

For now I suggest the project goes with this as it is, and as it matures it 
can decide where the favourable location should be.







[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2020-03-08 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17054347#comment-17054347
 ] 

Jacques Le Roux commented on OFBIZ-4361:


W/o other comments I'll close in a week

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> --
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 11.04, Release Branch 13.07, Release
> Branch 14.12, Release Branch 15.12, Release Branch 16.11, Release Branch
> 17.12, Trunk
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: security
> Fix For: 18.12.01, Upcoming Branch
>
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch,
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another user's password, including "admin", without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against ofbiz because there is no
> captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a captcha
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
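
The OFBIZ-4361 report above describes a reset form that replaces a user's password as soon as anyone submits their login. As an added example (not OFBiz code and not any of the attached patches), the sketch below shows a reset flow where the request leaves the stored password untouched, mails a single-use expiring token, answers identically for known and unknown logins, and throttles per login in place of the captcha the reporter suggests. The class name, constants and in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900       # assumed: seconds a reset token stays valid
MIN_INTERVAL = 60     # assumed: minimum seconds between reset mails per login
GENERIC_REPLY = "If the account exists, a reset link has been sent."

class ResetService:
    """Hypothetical in-memory model of a token-based reset flow."""
    def __init__(self, users):
        self.users = users        # login -> {"email": ..., "password": ...}
        self.tokens = {}          # sha256(token) -> (login, expiry time)
        self.last_request = {}    # login -> time of last accepted request
        self.outbox = []          # (email, token) pairs standing in for mail

    def request_reset(self, login, now=None):
        now = time.time() if now is None else now
        user = self.users.get(login)
        throttled = now - self.last_request.get(login, float("-inf")) < MIN_INTERVAL
        if user and not throttled:
            self.last_request[login] = now
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (login, now + TOKEN_TTL)  # only the hash is stored
            self.outbox.append((user["email"], token))
        # The current password is never changed here, and the reply is the
        # same whether or not the login exists or the request was throttled.
        return GENERIC_REPLY

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        # Sketch only: a real system stores a salted password hash instead.
        self.users[entry[0]]["password"] = new_password
        return True
```

With this shape, submitting "admin" on the reset form no longer forces a password change; only the holder of the mailed token can set a new one.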