[tsc-devel] Re: Discourse forum
Lauri Ojansivu | Wed, 27 Mar 2019 13:11:46 UTC
Hi,
I do not know whether Discourse uses any problematic dependencies.
It could also be that all of those do work on arm64 just fine.
I just do not have time to test.
There is Docker for arm64. So it would be possible to:
1) Clone Discourse repo
2) Modify Dockerfile to use arm64 linux version base image, arm64 version of node.
3) Build Dockerfiles with `docker build -t discource .`
4) Start those containers with docker-compose.yml or similar.
The benefit of using Docker is that all those dependencies are inside the Docker container, and don't affect other software that is installed on the same server.
For example for Wekan, wekan-app container is built with this Dockerfile
https://github.com/wekan/wekan/blob/devel/Dockerfile
and then it is started with this docker-compose.yml:
https://github.com/wekan/wekan/blob/devel/docker-compose.yml
So in that docker-compose.yml are all settings as environment variables, and it starts the wekan-app container (previously built from Dockerfile, or built from source) and the mongodb container from Docker Hub.
Docker Hub and Quay.io build new containers automatically after a commit to the GitHub repo.
Updating to a new version can be done with minimal downtime by starting other Docker containers on other local ports, and then changing the Apache config to proxy to those other local containers.
The docker-compose.yml defines which ports from inside the Docker container are exposed to outside of the Docker container.
When building Docker containers and testing them, I do use start.sh script from
https://github.com/wekan/docker-cleanup-volumes
to delete all Docker data, and then install prebuilt containers or build new ones from source.
For example for Wekan, to build from source wekan-app container that contains Node.js and all JavaScript, these lines are uncommented:
https://github.com/wekan/wekan/blob/devel/docker-compose.yml#L132-L142
and this local port is changed:
https://github.com/wekan/wekan/blob/devel/docker-compose.yml#L132-L142
to be for example:
- 2000:80
so local port 2000 outside Docker container would be forwarded to port 80 inside Docker container.
File directories from outside of Docker containers can be mapped to be visible inside the Docker container. This is used for permanent data like databases, settings files, images, etc. Then the actual Docker container can be removed and installed again, while still keeping all the data.
Using Docker does increase security, because code running inside a Docker container cannot access files outside of the Docker container; all outside access needs to be specified separately to specific directories as a Docker volume.
There have been some vulnerabilities and bugs in Docker in the past, but there have also been fixes to those; I have not checked the current status.
I just know that Docker is used very widely and there is active support and development for Docker, so I would presume current vulnerabilities have been fixed.
Running software without Docker on a server means that if there is a vulnerability in Apache, then the attacker has full access to all files on the server.
Docker, Snap and Sandstorm grains do work by using a Linux kernel feature called cgroups, which are used to limit software inside a container to see only its own processes and files, and also limit CPU etc. resource usage if needed.
The difference between Docker and Sandstorm grains is that in Sandstorm more cgroups features have been disabled, so vulnerabilities that have affected Docker have not affected Sandstorm grains. Docker containers are running all the time, but Sandstorm grains are running only when a grain is being accessed by some user.
This saves a lot of server CPU and RAM. There is Docker for many CPU architectures, but Sandstorm currently is only available for x64, because it would take a lot of time to build all the software for other architectures.
Summary:
Docker can be installed on alexandria, it's possible to test building Discourse, and if it does not work, Docker and Docker data can be uninstalled from alexandria, without affecting anything else on the server.
The question is, who has time for this, and what is the problem we are trying to solve with this.
BR,
xet7
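
An added example, not part of the original message and not Wekan's or Discourse's own code: a small audit of a docker-compose file that lists which published ports are reachable on every host interface (such as `2000:80`, as opposed to a mapping bound to `127.0.0.1` for an Apache proxy) and which host directories are mapped into containers. The sample file, service names and paths are constructed, and the scanner assumes short-syntax entries with 2-space indentation.

```python
import re

# Constructed sample in compose short syntax (2-space indent assumed); not Wekan's real file.
SAMPLE = """\
services:
  app:
    image: example/app
    ports:
      - 2000:80
      - "127.0.0.1:2001:8080"
    volumes:
      - /srv/app/data:/data
      - /srv/app/settings:/settings:ro
      - app-cache:/cache
  db:
    image: mongo
    volumes:
      - db-data:/data/db
volumes:
  app-cache:
  db-data:
"""

def audit_compose(text):
    """Return (ports published on all host interfaces, host directories bind-mounted)."""
    open_ports, host_mounts = [], []
    top = service = section = None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        indent = len(line) - len(line.lstrip())
        item = re.match(r"\s*-\s*[\"']?([^\"']+?)[\"']?$", line)
        key = re.match(r"\s*([\w.-]+):", line)
        if item and service and section:
            parts = item.group(1).split(":")
            if section == "ports" and (len(parts) < 3 or parts[0] == "0.0.0.0"):
                # No host IP given: Docker publishes the port on every interface.
                open_ports.append((service, item.group(1)))
            elif section == "volumes" and parts[0][:1] in ("/", ".", "~"):
                # A host path (not a named volume) is visible inside the container.
                host_mounts.append((service, parts[0], "ro" in parts[2:]))
        elif key and indent == 0:
            top, service, section = key.group(1), None, None
        elif key and indent == 2 and top == "services":
            service, section = key.group(1), None
        elif key and indent == 4:
            section = key.group(1) if key.group(1) in ("ports", "volumes") else None
    return open_ports, host_mounts

if __name__ == "__main__":
    print(audit_compose(SAMPLE))
```

Each host mount is reported as (service, host path, read-only flag), so the list is the full set of host directories a compromised container could read or write.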