Comments (20)
Hi @frafra the socket is used internally by python docker sdk, i.e. here
from geonode-project.
Hi @francbartoli, thank you for your reply.
So it looks to me that setting GEONODE_LB_HOST_IP
and avoid mounting /var/run/docker.sock
is the only viable solution in a production environment. I think that should be the default, as mounting docker.sock
inside geonode would be like giving root access to geonode to the entire machine.
from geonode-project.
@frafra I understand your concern about security. There could be cases where we cannot get rid of DinD. Do you think there is space to moderate the issue?
from geonode-project.
Maybe this workaround below can be applied for production:
- https://integratedcode.us/2016/04/08/user-namespaces-sharing-the-docker-unix-socket/
- https://integratedcode.us/2016/04/20/sharing-the-docker-unix-socket-with-unprivileged-containers-redux/
from geonode-project.
@francbartoli I personally see no reason to give to GeoNode access to Docker in the first place. It is not a service which should interact with other containers (like Traefik, Portainer, and so on) and it would be better to obtain the IP as a variable: it is both a security issue and an anti-pattern. Eventual future proposals for using docker.sock
should be discussed independently. But that is just my opinion of course.
You can mitigate the security risk using AuthZ and setting up additional security measures on the server, but that defies the concept of using containers in the first place, and that would be even harder to digest for a sysadmin.
You could expose just the machine network to the container instead of sharing the socket, but this is also a bad idea imho.
There are other issues with this approach: many PaaS solutions do not allow you to do to this kind of operations, nor it would be compatible with systems that do not expose the socket or they do not have one (like podman).
As the public IP of a server should not change overtime (not very often at least), picking the variable from the environment seems reasonable to me, so I will proceed in this direction, but other users could be not aware of this security risk if this code remains unchanged.
from geonode-project.
A lot of good points @frafra indeed! That was thought for non sysadmin users who want to try the stack and are not even able to know and understand docker networking and get the docker0
ip address in native environments for setting up GEONODE_LB_HOST_IP
. We have to still give them an utility to do that automagically imho. Something like:
geonode-docker-compose up
which can read the address and override the yml file for the above variable
from geonode-project.
It seems a very nice solution to me :-)
Maybe there is an even simpler solution if localhost
is an acceptable default:
- Set
GEONODE_LB_HOST_IP
indocker-compose.yml
as an environmental variable like this:GEONODE_LB_HOST_IP:${GEONODE_LB_HOST_IP}
- Set a default value for
GEONODE_LB_HOST_IP
(would127.0.0.1
be ok?) - Add an example for setting
GEONODE_LB_HOST_IP
indocker-compose-override.yml
- Update the documentation
- Remove any code related to
docker.sock
Otherwise, we could both give a command line to set this environmental variable before using docker-compose up
, or have a geonode-docker-compose
script which sets this variable first and act as a wrapper.
from geonode-project.
I understand your concerns @frafra, they were also mine months ago.
I think it's time to take a decision on this. I'm in favour of removing this "magic" which simplifies the setup but, as you descibed, brings a list of issues (one is the hack to make the Docker socket work on Windows).
@francbartoli my vote is to remove it but I want to hear from you what problems it could bring from your side.
from geonode-project.
Agree with you guys to remove it but I believe there will be consequences in some cases, for instance multiple geonode stacks on rancher and also I need to figure out native linux when that variable GEONODE_LB_HOST_IP is not set. Maybe it would be better to understand how to accomodate them too before doing it
from geonode-project.
@giohappy the "hack" to make the Docker socket work on Windows is gone, as there is no need to use the Docker socket anymore.
@francbartoli localhost:80 seems a reasonable default to me. People who relies on that automatic host/port detection should use the documented environmental variables. GEONODE_LB_HOST_IP
and GEONODE_LB_HOST_PORT
. We could provide a script to get the same behavior without using docker.sock
, but that would be executed outside the container and I do not think anyone would use it in a production system with multiple instances: it would be ok just for testing, and in that case the defaults seems enough to me.
from geonode-project.
Seems a reasonable solution to me also.
@francbartoli if you have some time, could you please evaluate it more carefully and eventually merge it? Let me know if you need help to test different use cases.
Thanks all.
from geonode-project.
@afabiani let's play for a while with this and then merge
from geonode-project.
Similar change could be proposed for the main geonode repository, but it seems to me that copying the files and snippets of code around could be a bad idea. For example, in the official geonode repository tasks.py
has a function which tries to execute wait-for-databases.sh
, which does not exist in that repository: the code has probably been copied from geonode-project.
If this pull request get accepted I can create a new one for geonode, but it would be a good idea to think if there is a better non-redundant and simpler/safer way to manage geonode-project.
from geonode-project.
@frafra that file has been copied from the geonode-docker repository to being able to override it during development with the option --build
from geonode-project.
@frafra Yes, we definitely need one reference implementation for Docker in the central repo, from which the setup for geonode-project should somehow derive.
As a reminder, we now also have spcgeonode in the main repo (in the scripts folder), that has some advantages over the setup that lies in the root (e.g. already didn't have docker in docker, has proper versioning of the images, proper logging to stdout, additional features for deployment such as https and backups, cleaner settings in .env, etc...).
from geonode-project.
@olivierdalang Thanks; now that it has been merged in the main repository I will use it and continue to propose minor improvements on it, hoping it could become the preferred way to deal with Docker.
from geonode-project.
Remember to close this issue if it does not apply anymore.
Also, if possible and with respect to the available resources from everyone, let's try to improve the documentation also which is currently a bit messed and outdated.
from geonode-project.
I would still suggest to apply the proposed patch, because having docker.sock exposed means that the container has the full control of the machine, so if there is a security issue in geonode the server could be compromised. But feel free to reject it if you prefer to do otherwise.
I am currently testing oliver's solution and I think I will use it for production with some minor modifications (it is easier to work on it directly than trying to fix/improve how Docker is used by geonode/geonode-project in my opinion).
I will try to improve the doc step-by-step whenever I encounter issues or errors. It will take time.
from geonode-project.
@frafra very nice, thanks.
If the solution is better, more stable and well documented, we can envisage a GNIP (or just evaluating this during a PSC meeting) to substitute the current docker setup with the SPC one.
from geonode-project.
It seems a very nice solution to me :-)
@frafra please have a look at GNPIP #63
Maybe there is an even simpler solution if
localhost
is an acceptable default:
- Set
GEONODE_LB_HOST_IP
indocker-compose.yml
as an environmental variable like this:GEONODE_LB_HOST_IP:${GEONODE_LB_HOST_IP}
- Set a default value for
GEONODE_LB_HOST_IP
(would127.0.0.1
be ok?)- Add an example for setting
GEONODE_LB_HOST_IP
indocker-compose-override.yml
- Update the documentation
- Remove any code related to
docker.sock
Otherwise, we could both give a command line to set this environmental variable before using
docker-compose up
, or have ageonode-docker-compose
script which sets this variable first and act as a wrapper.
from geonode-project.
Related Issues (20)
- Editing the LANGUAGES value in the .env file results in an empty language menu HOT 1
- Cannot access jenkins (http 500), missing port in nginx config HOT 2
- Quick Docker Start references missing GitHub zip HOT 1
- Problem uploading metadata to an existing layer HOT 5
- [SSL: WRONG_VERSION_NUMBER] wrong version number
- Problem sharing with people and groups
- Upgrade Geoserver image with the fix for oauth2
- Cannot load layer attributes. Response is not valid
- Upgrade to GeoServer 2.24.2 HOT 1
- Problem with geonode-mapstore-client plugin in production HOT 1
- "Issue with Extra_Metadata (Optional Metadata) Functionality"
- "Unable to Disable/Hide WMS Links in GeoNode Environment"
- Integrating Extension into Geonode Mapstore Client HOT 2
- README instructions always point to GN_VERSION=master HOT 1
- Install GeoNode 4.1.x on Ubuntu 2004
- div.rdw-link-modal Obscured by Map
- home page went blank after restoring geonode project HOT 4
- Problem with sharing a geostory on a website using html code HOT 3
- Problem installation on Ubuntu 22.04 LTS HOT 14
- Problem in the option to update the metadata abstract field of a dataset in geonode version 4.2.4. HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from geonode-project.