-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2 - Fetch cert files from Internet and check validity #8
Conversation
30ed201
to
5173a88
Compare
@mrsarm - Nice work on this! I need to do some more testing, but I have confirmed it works, so the image and bash script look be working. As well, I see some language changes in the readme I'll suggest. I'll grab this later today! For migrating users over, how does docker normally handle upgrades like this? That is, right now you'll continue to use the old docker image (note that the new
Until you call something like
|
Yes @mrjones-plip , because we are syncing the project through git, there is no other way than rebuild the image each time we pull changes unless we know the changes don't affect the images, eg. the Nginx config is mounted in the docker container so changes there don't need to recreate the container. If we decide later to publish an official image at https://hub.docker.com/u/medicmobile, it would make easier the update process, the user would only need to change the docker image version in the docker-compose file or the script where it launches the container with the |
Gotcha - thanks! Given we're migrating away from alpine to a more full featured container, do we want to mount |
@mrjones-plip I moved the entrypoint as a mounted file as you suggest. Just note that if we publish an image later in the Docker Hub, it will require first to move both the Nginx config and the entrypoint.sh files to the image, because won't be available when the user pull the image. For now lets keep users to pull this git repository and make their own images, and in this case yes it's better to keep the files outside the image to avoid unnecessary rebuilds. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mrsarm - really good stuff here! no functional changes, just readme changes.
Otherwise, at a later date we may consider running a cron job to check for expired certificates. I can imagine a scenario where desktop users like me and @dianabarsan may have this container just up and running for daaaaaaaays, thus not checking for an expired cert.
downloads the certs again from source. | ||
|
||
So the certs are downloaded from Internet only the first time, and | ||
cached in the container until they expire. | ||
|
||
### Running with Medic-OS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not specific to this PR - but maybe consider making this section generic? That is, it is the default for most any web server to listen on port 80
or 443
, not just medic-os
container. So while we're Medic and there's lots of medic-os
users, generic might be a better way to frame this.
Also, I would imagine that instead of running yet another container, folks who are already running medic-os
should likely just install the cert in the existing container, as this is already supported per our self hosted docs. I think we should add a link this and a little information that you can do both (either add the cert to existing container or run this container and remap ports)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes agree, feel free to create another PR to reframe this section, and the name of the .env file.
Awesome - nice work!
Yup yup - sounds good! |
Co-authored-by: Ashley <8253488+mrjones-plip@users.noreply.github.com>
Co-authored-by: Ashley <8253488+mrjones-plip@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm! I'll file some more tickets ;)
Added a script as entry point in the Docker container that downloads the cert files for the first time if they were not previously downloaded, and checks whether they are expired, if so the script downloads the certs again from source.
Issue: #2
So now the certs are downloaded from Internet only the first time, and cached in the container until they expire.
Note: I changed the Nginx docker image flavor alpine by the standard one because the script uses the
openssl
command to check the certificate, andcurl
to download, and both commands are not available in the alpine flavor.