From bf32c5c923b32a87efb52fd937e347c3907edf01 Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Thu, 16 Oct 2025 16:28:00 -0400 Subject: [PATCH 1/8] Overhaul the Docker setup This patch rewrites the Docker setup used to create a deployable container running a production LNT server. - Split the Docker image into two, a basic image with LNT installed and an image with the actual production server as an entry point. - Relocate all of the Docker-related files under docker/. - Document the various Docker-related files. - Improve input validation in the docker entrypoint. - Using proper Docker secrets to transmit sensitive information to the LNT webserver entry point and the Postgres database. - Update to Postgres 18. We might as well use the latest version available since we're standing this up from scratch. With this setup, I am able to spin up a local LNT server instance with: docker compose --file docker/compose.yaml --env-file up An example of a secrets file would be LNT_DB_PASSWORD=foo LNT_AUTH_TOKEN=bar --- .github/workflows/build-docker.yaml | 2 + Dockerfile | 23 ----------- docker-compose.yaml | 35 ---------------- docker/compose.yaml | 64 +++++++++++++++++++++++++++++ docker/docker-entrypoint.sh | 45 +++++++++++++++----- docker/{wait_db => lnt-wait-db} | 10 +++-- docker/lnt.dockerfile | 52 +++++++++++++++++++++++ docs/intro.rst | 11 +++++ 8 files changed, 170 insertions(+), 72 deletions(-) delete mode 100644 Dockerfile delete mode 100644 docker-compose.yaml create mode 100644 docker/compose.yaml rename docker/{wait_db => lnt-wait-db} (53%) create mode 100644 docker/lnt.dockerfile diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml index 4b7221a4..26c25fce 100644 --- a/.github/workflows/build-docker.yaml +++ b/.github/workflows/build-docker.yaml 
@@ -32,4 +32,6 @@ jobs: with: push: ${{ startsWith(github.ref, 'refs/tags/') }} # only push to ghcr.io on tags tags: ghcr.io/${{github.repository}}:latest + file: docker/lnt.dockerfile + target: llvm-lnt context: . # use the current directory as context, as checked out by actions/checkout -- needed for setuptools_scm diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 78b36546..00000000 --- a/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -FROM python:3.10-alpine - -RUN apk update \ - && apk add --no-cache --virtual .build-deps git g++ postgresql-dev yaml-dev \ - && apk add --no-cache libpq - -COPY . /var/src/lnt - -WORKDIR /var/src/lnt - -RUN pip3 install -r requirements.server.txt \ - && apk --purge del .build-deps \ - && mkdir /var/log/lnt - -COPY docker/docker-entrypoint.sh docker/wait_db /usr/local/bin/ - -VOLUME /var/log - -EXPOSE 8000 - -ENV DB_ENGINE= DB_HOST= DB_USER= DB_PWD= DB_BASE= - -ENTRYPOINT docker-entrypoint.sh diff --git a/docker-compose.yaml b/docker-compose.yaml deleted file mode 100644 index 8f139f6f..00000000 --- a/docker-compose.yaml +++ /dev/null @@ -1,35 +0,0 @@ -version: '3' - -services: - lnt: - build: - context: . - container_name: lnt - image: lnt - environment: - - DB_ENGINE=postgres - - DB_HOST=lnt-postgres - - DB_PWD - - LNT_AUTH_TOKEN - depends_on: - - db - deploy: - restart_policy: - condition: on-failure - ports: - - "8000:8000" - volumes: - - lnt_data:/var/lib/lnt - - lnt_config:/etc/lnt - - db: - container_name: lnt-postgres - image: docker.io/postgres:13-alpine - environment: - - POSTGRES_PASSWORD=${DB_PWD} - - POSTGRES_USER=${DB_USER:-lntuser} - - POSTGRES_DB=${DB_BASE:-lnt} - -volumes: - lnt_data: - lnt_config: diff --git a/docker/compose.yaml b/docker/compose.yaml new file mode 100644 index 00000000..f05eefd4 --- /dev/null +++ b/docker/compose.yaml 
@@ -0,0 +1,64 @@ +# This file composes a full service running LNT. A LNT service is comprised +# of a container running a Postgres database and a container running a +# production LNT webserver. +# +# In order to build the full service, some secrets are required. They are taken +# as environment variables, which means they can be stored in a file and included +# via `--env-file `. These environment variables are: +# +# LNT_DB_PASSWORD +# The password to use for logging into the database. +# +# LNT_AUTH_TOKEN +# The authentication token used to require authentication to +# perform destructive actions. + +name: llvm-lnt-prod + +services: + webserver: + container_name: webserver + build: + context: ../ + dockerfile: docker/lnt.dockerfile + target: llvm-lnt-prod + args: + DB_USER: lntuser + DB_HOST: dbserver + DB_NAME: lnt.db + secrets: + - lnt-db-password + - lnt-auth-token + depends_on: + - db + deploy: + restart_policy: + condition: on-failure + ports: + - "8000:8000" + volumes: + - instance:/var/lib/lnt + - logs:/var/log/lnt + + db: + container_name: dbserver + image: docker.io/postgres:18-alpine + environment: + - POSTGRES_PASSWORD_FILE=/run/secrets/lnt-db-password + - POSTGRES_USER=lntuser + - POSTGRES_DB=lnt.db + secrets: + - lnt-db-password + volumes: + - database:/var/lib/postgresql + +volumes: + instance: + logs: + database: + +secrets: + lnt-db-password: + environment: "LNT_DB_PASSWORD" + lnt-auth-token: + environment: "LNT_AUTH_TOKEN" diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 372acc71..c24d54a7 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh 
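Review bot: `ports: - "8000:8000"` publishes gunicorn's plain-HTTP listener on every host interface, and the API auth token the entrypoint writes into `lnt.cfg` presumably travels in those requests in the clear; either bind to loopback (`- "127.0.0.1:8000:8000"`) for the usual reverse-proxy deployment or state in the header comment that the service must sit behind a TLS-terminating proxy. The `secrets: … environment:` source at the bottom of the file is, as far as I recall, only accepted by fairly recent `docker compose` releases, so the header comment (and the docs added in this patch) should name the minimum version, otherwise the failure mode is an opaque validation error. `depends_on: - db` only orders container start; that is fine here because the entrypoint waits via `lnt-wait-db`, but a one-line comment saying so would make the intent explicit.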
@@ -1,21 +1,46 @@ #!/bin/sh -DB_PATH=${DB_ENGINE:-postgresql}://${DB_USER:-lntuser}:${DB_PWD:?}@${DB_HOST:?} -DB_BASE=${DB_BASE:-lnt} +if [ -z ${DB_USER+x} ]; then + echo "Missing DB_USER environment variable" + exit 1 +fi + +if [ -z ${DB_HOST+x} ]; then + echo "Missing DB_HOST environment variable" + exit 1 +fi + +if [ -z ${DB_NAME+x} ]; then + echo "Missing DB_NAME environment variable" + exit 1 +fi + +if [ ! -f /run/secrets/lnt-db-password ]; then + echo "Missing secret lnt-db-password" + exit 1 +fi +DB_PASSWORD="$(cat /run/secrets/lnt-db-password)" + +if [ ! -f /run/secrets/lnt-auth-token ]; then + echo "Missing secret lnt-auth-token" + exit 1 +fi +AUTH_TOKEN="$(cat /run/secrets/lnt-auth-token)" + +DB_PATH="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}" -if [ ! -r /etc/lnt/lnt.cfg ]; then - DB_BASE_PATH="${DB_PATH}/${DB_BASE}" wait_db +# Set up the instance the first time this gets run. +if [ ! -e /var/lib/lnt/instance/lnt.cfg ]; then + lnt-wait-db "${DB_PATH}/${DB_NAME}" lnt create /var/lib/lnt/instance \ - --config /etc/lnt/lnt.cfg \ --wsgi lnt_wsgi.py \ --tmp-dir /tmp/lnt \ --db-dir "${DB_PATH}" \ - --default-db "${DB_BASE}" - if [ -n "${LNT_AUTH_TOKEN:-}" ]; then - sed -i "s/# \(api_auth_token =\).*/\1 '${LNT_AUTH_TOKEN}'/" /etc/lnt/lnt.cfg - fi + --default-db "${DB_NAME}" + sed -i "s/# \(api_auth_token =\).*/\1 '${AUTH_TOKEN}'/" /var/lib/lnt/instance/lnt.cfg fi +# Run the server under gunicorn. cd /var/lib/lnt/instance exec gunicorn lnt_wsgi:application \ --bind 0.0.0.0:8000 \ @@ -24,4 +49,4 @@ exec gunicorn lnt_wsgi:application \ --name lnt_server \ --log-file /var/log/lnt/lnt.log \ --access-logfile /var/log/lnt/gunicorn_access.log \ - --max-requests 250000 "$@" + --max-requests 250000 diff --git a/docker/wait_db b/docker/lnt-wait-db similarity index 53% rename from docker/wait_db rename to docker/lnt-wait-db index 6a5e087f..f29e4218 100755 --- a/docker/wait_db +++ b/docker/lnt-wait-db 
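Review bot: Nothing aborts the script when a step of the setup block fails: without `set -e`, a non-zero exit from `lnt-wait-db` or `lnt create` falls through to the `sed` and then to `exec gunicorn`, so the server comes up against a half-created instance and the `! -e …/lnt.cfg` guard may never re-run the setup; `set -eu` at the top of the script (patch 3 of this series adds only `-u`) fixes this. The same block interpolates the password into `DB_PATH` and passes it on the command line of `lnt-wait-db`, where it is readable in `/proc/<pid>/cmdline` by every other process in the container for as long as the wait lasts; having `lnt-wait-db` read the URL from the environment or the secret file would avoid that exposure. `${AUTH_TOKEN}` is also spliced unescaped into the sed program, so a token containing `/`, `&` or `'` corrupts either the expression or the generated config; validate the token against a safe character set before the `sed`, or write the value with a tool that does not re-parse it. The `exec gunicorn` command continues into the second hunk of this file.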
@@ -1,11 +1,13 @@ #!/usr/bin/env python -import os -from sqlalchemy import create_engine +import sys +import sqlalchemy -db_base_path = os.environ['DB_BASE_PATH'] +if len(sys.argv) != 2: + raise "Missing db path for lnt-wait-db" -engine = create_engine(db_base_path) +db = sys.argv[1] +engine = sqlalchemy.create_engine(db) started = False while not started: diff --git a/docker/lnt.dockerfile b/docker/lnt.dockerfile new file mode 100644 index 00000000..3cf10c02 --- /dev/null +++ b/docker/lnt.dockerfile 
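Review bot: `raise "Missing db path for lnt-wait-db"` raises a `str`, which Python 3 rejects with `TypeError: exceptions must derive from BaseException`, so the missing-argument case dies with an unrelated traceback instead of the intended message; `sys.exit("Missing db path for lnt-wait-db")` prints the message to stderr and exits with status 1, which also gives the calling shell script a clean failure to act on. The URL taken from `sys.argv[1]` carries the database password, so it is visible in the process list to anything else running in the container while the loop waits; passing it through the environment or a file descriptor, or stripping the credential if the probe needs only reachability, would avoid that exposure. The retry loop body continues outside this hunk.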
@@ -0,0 +1,52 @@ +# This Dockerfile defines a basic 'llvm-lnt' image that contains an installed +# copy of LNT. That image can be built and run with: +# +# $ docker build --file docker/lnt.dockerfile --target llvm-lnt . +# $ docker run -it /bin/sh +# +# It also defines a 'llvm-lnt-prod' image which is set up to run a production +# LNT server. This image is intended to be built from a Docker Compose file, +# as it requires additional information like secrets and build arguments: +# +# ARG DB_USER +# The username to use for logging into the database. +# +# ARG DB_HOST +# The hostname to use to access the database. +# +# ARG DB_NAME +# The name of the database on the server. +# +# secret: lnt-db-password +# The password to use for logging into the database. +# +# secret: lnt-auth-token +# The authentication token used to require authentication to +# perform destructive actions. + +FROM python:3.10-alpine AS llvm-lnt + +# Install dependencies +RUN apk update \ + && apk add --no-cache --virtual .build-deps git g++ postgresql-dev yaml-dev \ + && apk add --no-cache libpq + +# Install LNT itself +COPY . /var/tmp/lnt +WORKDIR /var/tmp/lnt +RUN pip3 install -r requirements.server.txt && apk --purge del .build-deps + + +FROM llvm-lnt AS llvm-lnt-prod + +# Prepare volumes that will be used by the server +VOLUME /var/lib/lnt /var/log/lnt + +# Set up the actual entrypoint that gets run when the container starts. +COPY docker/docker-entrypoint.sh docker/lnt-wait-db /usr/local/bin/ +ARG DB_USER DB_HOST DB_NAME +ENV DB_USER=${DB_USER} +ENV DB_HOST=${DB_HOST} +ENV DB_NAME=${DB_NAME} +ENTRYPOINT ["docker-entrypoint.sh"] +EXPOSE 8000 diff --git a/docs/intro.rst b/docs/intro.rst index 7a938305..342c0699 100644 --- a/docs/intro.rst +++ b/docs/intro.rst 
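Review bot: The `llvm-lnt-prod` stage never switches away from root, so `docker-entrypoint.sh` and the gunicorn workers it `exec`s run as uid 0, and the `/var/lib/lnt` and `/var/log/lnt` volumes are writable only by root; creating an unprivileged user that owns those two paths before the `VOLUME` line and adding `USER lnt` ahead of `ENTRYPOINT` confines a compromised worker to that user's files. In the `llvm-lnt` stage, `pip3 install -r requirements.server.txt` runs without `--no-cache-dir`, leaving pip's wheel cache under `/root/.cache/pip` in the layer, and `apk update` is redundant once `apk add --no-cache` is used and itself leaves index files behind. The rewritten tail of the production stage would look like this.
```dockerfile
FROM llvm-lnt AS llvm-lnt-prod

# Run the server as an unprivileged user that owns the writable paths.
RUN addgroup -S lnt && adduser -S -G lnt -h /var/lib/lnt lnt \
    && mkdir -p /var/lib/lnt /var/log/lnt \
    && chown lnt:lnt /var/lib/lnt /var/log/lnt

# Prepare volumes that will be used by the server
VOLUME /var/lib/lnt /var/log/lnt

# … unchanged: COPY of the entrypoint scripts, ARG/ENV for DB_USER DB_HOST DB_NAME …
USER lnt
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 8000
```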
@@ -110,3 +110,14 @@ To install the extra packages for the server config:: gunicorn app_wrapper:app --bind 0.0.0.0:8000 --workers 8 --timeout 300 --name lnt_server --log-file /var/log/lnt/lnt.log --access-logfile /var/log/lnt/gunicorn_access.log --max-requests 250000 +Running a LNT Server via Docker +------------------------------- + +We provide a Docker Compose setup with Docker containers that can be used to +easily bring up a fully working production server within minutes. The container +can be built and run with:: + + docker compose --file docker/compose.yaml --env-file up + +```` should be the path to a file containing environment variables +required by the containers. Please refer to the Docker Compose file for details. From 428e8274abc44af2f7b129d15542469d99bbe23f Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Fri, 24 Oct 2025 11:09:01 -0400 Subject: [PATCH 2/8] Try using a mount instead of copying sources --- docker/lnt.dockerfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docker/lnt.dockerfile b/docker/lnt.dockerfile index 3cf10c02..3fd40803 100644 --- a/docker/lnt.dockerfile +++ b/docker/lnt.dockerfile @@ -32,9 +32,10 @@ RUN apk update \ && apk add --no-cache libpq # Install LNT itself -COPY . /var/tmp/lnt -WORKDIR /var/tmp/lnt -RUN pip3 install -r requirements.server.txt && apk --purge del .build-deps +RUN --mount=type=bind,source=.,target=./lnt-source \ + cd lnt-source && \ + pip3 install -r requirements.server.txt && \ + apk --purge del .build-deps FROM llvm-lnt AS llvm-lnt-prod From 45e71f984ad856d73553d9d9417110ca20bc6e3f Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Fri, 24 Oct 2025 11:12:19 -0400 Subject: [PATCH 3/8] Use set -u to simplify docker entrypoint --- docker/docker-entrypoint.sh | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index c24d54a7..a544f8d8 100755 --- a/docker/docker-entrypoint.sh 
+++ b/docker/docker-entrypoint.sh @@ -1,19 +1,6 @@ #!/bin/sh -if [ -z ${DB_USER+x} ]; then - echo "Missing DB_USER environment variable" - exit 1 -fi - -if [ -z ${DB_HOST+x} ]; then - echo "Missing DB_HOST environment variable" - exit 1 -fi - -if [ -z ${DB_NAME+x} ]; then - echo "Missing DB_NAME environment variable" - exit 1 -fi +set -u if [ ! -f /run/secrets/lnt-db-password ]; then echo "Missing secret lnt-db-password" From 1bd2b5d3aff34a80ed8b70d537d913f3c3c31b5d Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Fri, 24 Oct 2025 11:35:31 -0400 Subject: [PATCH 4/8] Try installing with mount, take 2 --- docker/lnt.dockerfile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docker/lnt.dockerfile b/docker/lnt.dockerfile index 3fd40803..1825dcb9 100644 --- a/docker/lnt.dockerfile +++ b/docker/lnt.dockerfile @@ -31,11 +31,12 @@ RUN apk update \ && apk add --no-cache --virtual .build-deps git g++ postgresql-dev yaml-dev \ && apk add --no-cache libpq -# Install LNT itself +# Install LNT itself, without leaving behind any sources inside the image. RUN --mount=type=bind,source=.,target=./lnt-source \ - cd lnt-source && \ - pip3 install -r requirements.server.txt && \ - apk --purge del .build-deps + cp -R lnt-source /tmp/lnt-src && \ + cd /tmp/lnt-src && \ + pip3 install -r requirements.server.txt && apk --purge del .build-deps && \ + rm -rf /tmp/lnt-src FROM llvm-lnt AS llvm-lnt-prod From 8d4cce165704720739ba85f8893780d5f12708be Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Tue, 28 Oct 2025 13:57:13 -0700 Subject: [PATCH 5/8] Undo secrets changes --- .github/workflows/build-docker.yaml | 1 - docker/compose.yaml | 18 ++++-------------- docker/docker-entrypoint.sh | 12 ------------ docker/lnt.dockerfile | 29 +++++++++++------------------ 4 files changed, 15 insertions(+), 45 deletions(-) diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml index 26c25fce..8b42f61d 100644 
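Review bot: `pip3 install -r requirements.server.txt` still runs without `--no-cache-dir`, so the wheel cache under `/root/.cache/pip` is written in this layer and, unlike `/tmp/lnt-src`, is never removed and stays in the image; `pip3 install --no-cache-dir -r requirements.server.txt` (or a `--mount=type=cache,target=/root/.cache/pip` on the same `RUN`) keeps the layer to the installed packages. `target=./lnt-source` is a relative mount path that appears to resolve against the default working directory `/` only because no `WORKDIR` precedes this `RUN`; an absolute `target=/lnt-source` with `cp -R /lnt-source /tmp/lnt-src` makes the step robust to a later `WORKDIR`. The `apk add` chain above this `RUN` is outside the hunk.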
--- a/.github/workflows/build-docker.yaml +++ b/.github/workflows/build-docker.yaml @@ -33,5 +33,4 @@ jobs: push: ${{ startsWith(github.ref, 'refs/tags/') }} # only push to ghcr.io on tags tags: ghcr.io/${{github.repository}}:latest file: docker/lnt.dockerfile - target: llvm-lnt context: . # use the current directory as context, as checked out by actions/checkout -- needed for setuptools_scm diff --git a/docker/compose.yaml b/docker/compose.yaml index f05eefd4..7d30fe1c 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -13,7 +13,7 @@ # The authentication token used to require authentication to # perform destructive actions. -name: llvm-lnt-prod +name: llvm-lnt services: webserver: @@ -21,14 +21,12 @@ services: build: context: ../ dockerfile: docker/lnt.dockerfile - target: llvm-lnt-prod args: DB_USER: lntuser DB_HOST: dbserver DB_NAME: lnt.db - secrets: - - lnt-db-password - - lnt-auth-token + DB_PASSWORD: ${LNT_DB_PASSWORD} + AUTH_TOKEN: ${LNT_AUTH_TOKEN} depends_on: - db deploy: @@ -44,11 +42,9 @@ services: container_name: dbserver image: docker.io/postgres:18-alpine environment: - - POSTGRES_PASSWORD_FILE=/run/secrets/lnt-db-password + - POSTGRES_PASSWORD=${LNT_DB_PASSWORD} - POSTGRES_USER=lntuser - POSTGRES_DB=lnt.db - secrets: - - lnt-db-password volumes: - database:/var/lib/postgresql @@ -56,9 +52,3 @@ volumes: instance: logs: database: - -secrets: - lnt-db-password: - environment: "LNT_DB_PASSWORD" - lnt-auth-token: - environment: "LNT_AUTH_TOKEN" diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index a544f8d8..be7d0094 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh 
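Review bot: `DB_PASSWORD: ${LNT_DB_PASSWORD}` and `AUTH_TOKEN: ${LNT_AUTH_TOKEN}` are now build `args`, and the matching `lnt.dockerfile` hunk of this patch copies them into `ENV`, so both credentials are recorded in the image's config and history (`docker image inspect`, `docker history`) and exported to every process in every container started from it; BuildKit's `SecretsUsedInArgOrEnv` check flags exactly these names. The db service makes the same move with `POSTGRES_PASSWORD=${LNT_DB_PASSWORD}`, which puts the password in the container environment instead of the file mount it had before. Patch 7 of this series restores the secret mounts, so the intermediate state only matters if it is kept as a separate commit; squashing patches 5–7 would keep a checkout at any point in history from baking credentials into an image.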
@@ -2,18 +2,6 @@ set -u -if [ ! -f /run/secrets/lnt-db-password ]; then - echo "Missing secret lnt-db-password" - exit 1 -fi -DB_PASSWORD="$(cat /run/secrets/lnt-db-password)" - -if [ ! -f /run/secrets/lnt-auth-token ]; then - echo "Missing secret lnt-auth-token" - exit 1 -fi -AUTH_TOKEN="$(cat /run/secrets/lnt-auth-token)" - DB_PATH="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}" # Set up the instance the first time this gets run. diff --git a/docker/lnt.dockerfile b/docker/lnt.dockerfile index 1825dcb9..863b3a85 100644 --- a/docker/lnt.dockerfile +++ b/docker/lnt.dockerfile @@ -1,12 +1,6 @@ -# This Dockerfile defines a basic 'llvm-lnt' image that contains an installed -# copy of LNT. That image can be built and run with: -# -# $ docker build --file docker/lnt.dockerfile --target llvm-lnt . -# $ docker run -it /bin/sh -# -# It also defines a 'llvm-lnt-prod' image which is set up to run a production -# LNT server. This image is intended to be built from a Docker Compose file, -# as it requires additional information like secrets and build arguments: +# This Dockerfile defines an image that contains a production LNT server. +# This image is intended to be built from a Docker Compose file, as it +# requires additional information passed as build arguments: # # ARG DB_USER # The username to use for logging into the database. @@ -17,14 +11,14 @@ # ARG DB_NAME # The name of the database on the server. # -# secret: lnt-db-password +# ARG DB_PASSWORD # The password to use for logging into the database. # -# secret: lnt-auth-token -# The authentication token used to require authentication to -# perform destructive actions. +# ARG AUTH_TOKEN +# The authentication token used to require authentication +# to perform destructive actions. -FROM python:3.10-alpine AS llvm-lnt +FROM python:3.10-alpine # Install dependencies RUN apk update \ 
@@ -38,17 +32,16 @@ RUN --mount=type=bind,source=.,target=./lnt-source \ pip3 install -r requirements.server.txt && apk --purge del .build-deps && \ rm -rf /tmp/lnt-src - -FROM llvm-lnt AS llvm-lnt-prod - # Prepare volumes that will be used by the server VOLUME /var/lib/lnt /var/log/lnt # Set up the actual entrypoint that gets run when the container starts. COPY docker/docker-entrypoint.sh docker/lnt-wait-db /usr/local/bin/ -ARG DB_USER DB_HOST DB_NAME +ARG DB_USER DB_HOST DB_NAME DB_PASSWORD AUTH_TOKEN ENV DB_USER=${DB_USER} ENV DB_HOST=${DB_HOST} ENV DB_NAME=${DB_NAME} +ENV DB_PASSWORD=${DB_PASSWORD} +ENV AUTH_TOKEN=${AUTH_TOKEN} ENTRYPOINT ["docker-entrypoint.sh"] EXPOSE 8000 From eea12a88e9e625faa4abddbc68eb64c8e0ce12e5 Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Tue, 28 Oct 2025 17:57:38 -0700 Subject: [PATCH 6/8] Downgrade everything to environment variables --- docker/compose.yaml | 12 ++++++------ docker/lnt.dockerfile | 19 +++++++------------ 2 files changed, 13 insertions(+), 18 deletions(-) diff --git a/docker/compose.yaml b/docker/compose.yaml index 7d30fe1c..08f182f1 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -21,12 +21,12 @@ services: build: context: ../ dockerfile: docker/lnt.dockerfile - args: - DB_USER: lntuser - DB_HOST: dbserver - DB_NAME: lnt.db - DB_PASSWORD: ${LNT_DB_PASSWORD} - AUTH_TOKEN: ${LNT_AUTH_TOKEN} + environment: + - DB_USER=lntuser + - DB_HOST=dbserver + - DB_NAME=lnt.db + - DB_PASSWORD=${LNT_DB_PASSWORD} + - AUTH_TOKEN=${LNT_AUTH_TOKEN} depends_on: - db deploy: diff --git a/docker/lnt.dockerfile b/docker/lnt.dockerfile index 863b3a85..49eda7ce 100644 --- a/docker/lnt.dockerfile +++ b/docker/lnt.dockerfile 
@@ -1,20 +1,20 @@ # This Dockerfile defines an image that contains a production LNT server. # This image is intended to be built from a Docker Compose file, as it -# requires additional information passed as build arguments: +# requires additional information passed as environment variables: # -# ARG DB_USER +# ENV DB_USER # The username to use for logging into the database. # -# ARG DB_HOST +# ENV DB_HOST # The hostname to use to access the database. # -# ARG DB_NAME +# ENV DB_NAME # The name of the database on the server. # -# ARG DB_PASSWORD +# ENV DB_PASSWORD # The password to use for logging into the database. # -# ARG AUTH_TOKEN +# ENV AUTH_TOKEN # The authentication token used to require authentication # to perform destructive actions. @@ -37,11 +37,6 @@ VOLUME /var/lib/lnt /var/log/lnt # Set up the actual entrypoint that gets run when the container starts. COPY docker/docker-entrypoint.sh docker/lnt-wait-db /usr/local/bin/ -ARG DB_USER DB_HOST DB_NAME DB_PASSWORD AUTH_TOKEN -ENV DB_USER=${DB_USER} -ENV DB_HOST=${DB_HOST} -ENV DB_NAME=${DB_NAME} -ENV DB_PASSWORD=${DB_PASSWORD} -ENV AUTH_TOKEN=${AUTH_TOKEN} +ENV DB_USER= DB_HOST= DB_NAME= DB_PASSWORD= AUTH_TOKEN= ENTRYPOINT ["docker-entrypoint.sh"] EXPOSE 8000 From 0761f904ed66f9498443a056e7e97e17a9655f1e Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Tue, 28 Oct 2025 18:31:30 -0700 Subject: [PATCH 7/8] Use secrets, again --- docker/compose.yaml | 17 ++++++++++++++--- docker/docker-entrypoint.sh | 6 ++++-- docker/lnt.dockerfile | 15 +++++++-------- 3 files changed, 25 insertions(+), 13 deletions(-) diff --git a/docker/compose.yaml b/docker/compose.yaml index 08f182f1..7799de1b 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml 
@@ -25,8 +25,11 @@ services: - DB_USER=lntuser - DB_HOST=dbserver - DB_NAME=lnt.db - - DB_PASSWORD=${LNT_DB_PASSWORD} - - AUTH_TOKEN=${LNT_AUTH_TOKEN} + - DB_PASSWORD_FILE=/run/secrets/lnt-db-password + - AUTH_TOKEN_FILE=/run/secrets/lnt-auth-token + secrets: + - lnt-db-password + - lnt-auth-token depends_on: - db deploy: @@ -42,9 +45,11 @@ services: container_name: dbserver image: docker.io/postgres:18-alpine environment: - - POSTGRES_PASSWORD=${LNT_DB_PASSWORD} + - POSTGRES_PASSWORD_FILE=/run/secrets/lnt-db-password - POSTGRES_USER=lntuser - POSTGRES_DB=lnt.db + secrets: + - lnt-db-password volumes: - database:/var/lib/postgresql @@ -52,3 +57,9 @@ volumes: instance: logs: database: + +secrets: + lnt-db-password: + environment: "LNT_DB_PASSWORD" + lnt-auth-token: + environment: "LNT_AUTH_TOKEN" diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index be7d0094..58fe7abc 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -2,7 +2,9 @@ set -u -DB_PATH="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}" +password="$(cat ${DB_PASSWORD_FILE})" +token="$(cat ${AUTH_TOKEN_FILE})" +DB_PATH="postgres://${DB_USER}:${password}@${DB_HOST}" # Set up the instance the first time this gets run. if [ ! -e /var/lib/lnt/instance/lnt.cfg ]; then @@ -12,7 +14,7 @@ if [ ! -e /var/lib/lnt/instance/lnt.cfg ]; then --tmp-dir /tmp/lnt \ --db-dir "${DB_PATH}" \ --default-db "${DB_NAME}" - sed -i "s/# \(api_auth_token =\).*/\1 '${AUTH_TOKEN}'/" /var/lib/lnt/instance/lnt.cfg + sed -i "s/# \(api_auth_token =\).*/\1 '${token}'/" /var/lib/lnt/instance/lnt.cfg fi # Run the server under gunicorn. diff --git a/docker/lnt.dockerfile b/docker/lnt.dockerfile index 49eda7ce..f24d0d04 100644 --- a/docker/lnt.dockerfile +++ b/docker/lnt.dockerfile 
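Review bot: `password="$(cat ${DB_PASSWORD_FILE})"` and the `token` line below it leave the path unquoted and check nothing: with only `set -u` in force, a missing or unreadable secret file makes `cat` fail, the variable is assigned the empty string, and the script goes on to build `DB_PATH` with an empty password and to write an empty `api_auth_token` into `lnt.cfg`. Quote the expansion and stop on failure, `password="$(cat "${DB_PASSWORD_FILE}")" || exit 1` and `token="$(cat "${AUTH_TOKEN_FILE}")" || exit 1`, or add `-e` to the `set` line so the failed substitution aborts the script. The explicit `[ -f /run/secrets/… ]` checks that patch 5 removed did this job; re-adding one `[ -r "${DB_PASSWORD_FILE}" ]` test per secret would also give a clearer message than `cat`'s. The setup block that consumes `DB_PATH` and `token` lies outside this hunk.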
@@ -2,20 +2,20 @@ # This image is intended to be built from a Docker Compose file, as it # requires additional information passed as environment variables: # -# ENV DB_USER +# DB_USER # The username to use for logging into the database. # -# ENV DB_HOST +# DB_HOST # The hostname to use to access the database. # -# ENV DB_NAME +# DB_NAME # The name of the database on the server. # -# ENV DB_PASSWORD -# The password to use for logging into the database. +# DB_PASSWORD_FILE +# File containing the password to use for logging into the database. # -# ENV AUTH_TOKEN -# The authentication token used to require authentication +# AUTH_TOKEN_FILE +# File containing the authentication token used to require authentication # to perform destructive actions. FROM python:3.10-alpine @@ -37,6 +37,5 @@ VOLUME /var/lib/lnt /var/log/lnt # Set up the actual entrypoint that gets run when the container starts. COPY docker/docker-entrypoint.sh docker/lnt-wait-db /usr/local/bin/ -ENV DB_USER= DB_HOST= DB_NAME= DB_PASSWORD= AUTH_TOKEN= ENTRYPOINT ["docker-entrypoint.sh"] EXPOSE 8000 From 62109fd83eeb0eefcc1840a7b73a711b12ea7db5 Mon Sep 17 00:00:00 2001 From: Louis Dionne Date: Thu, 30 Oct 2025 08:57:00 -0700 Subject: [PATCH 8/8] Undo postgres bump in container --- docker/compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/compose.yaml b/docker/compose.yaml index 7799de1b..80635340 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -43,7 +43,7 @@ services: db: container_name: dbserver - image: docker.io/postgres:18-alpine + image: docker.io/postgres:13-alpine environment: - POSTGRES_PASSWORD_FILE=/run/secrets/lnt-db-password - POSTGRES_USER=lntuser