May Security Update #610
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,6 @@ | ||
| # CGAP-Portal (Production) Dockerfile | ||
|
There was a problem hiding this comment. It seems like this note about bullseye is worth mentioning, though it would have been more helpful if dated. There was a problem hiding this comment. I don't believe this comment is accurate as it pre-dates the performance optimizations. I suspect if I were to build with bullseye, performance would be comparable. |
||
| # Take latest 3.8.13 Debian variant | ||
| FROM python:3.8.13-slim-buster | ||
|
|
||
| MAINTAINER William Ronchetti "[email protected]" | ||
|
|
||
|
|
@@ -35,7 +33,7 @@ WORKDIR /home/nginx/.nvm | |
| ENV NVM_DIR=/home/nginx/.nvm | ||
| COPY deploy/docker/production/install_nginx.sh /install_nginx.sh | ||
| RUN apt-get update && apt-get upgrade -y && \ | ||
| apt-get install -y --no-install-recommends vim emacs net-tools ca-certificates build-essential \ | ||
| gcc zlib1g-dev postgresql-client libpq-dev git make curl libmagic-dev && \ | ||
| pip install --upgrade pip && \ | ||
| curl -sSL https://install.python-poetry.org | POETRY_HOME=/opt/venv python - && \ | ||
|
|
@@ -114,24 +112,31 @@ RUN chown nginx:nginx development.ini | |
| RUN chmod +x entrypoint_local.sh | ||
|
|
||
| # Production setup | ||
| RUN chown nginx:nginx poetry.toml && \ | ||
| touch production.ini && \ | ||
| chown nginx:nginx production.ini && \ | ||
| touch session-secret.b64 && \ | ||
| chown nginx:nginx session-secret.b64 && \ | ||
| touch supervisord.log && \ | ||
| chown nginx:nginx supervisord.log && \ | ||
| touch supervisord.sock && \ | ||
| chown nginx:nginx supervisord.sock && \ | ||
| touch supervisord.pid && \ | ||
| chown nginx:nginx supervisord.pid | ||
| COPY deploy/docker/production/$INI_BASE deploy/ini_files/. | ||
| COPY deploy/docker/production/entrypoint.sh . | ||
| COPY deploy/docker/production/entrypoint_portal.sh . | ||
| COPY deploy/docker/production/entrypoint_deployment.sh . | ||
| COPY deploy/docker/production/entrypoint_indexer.sh . | ||
| COPY deploy/docker/production/entrypoint_ingester.sh . | ||
| COPY deploy/docker/production/supervisord.conf . | ||
| COPY deploy/docker/production/assume_identity.py . | ||
| RUN chmod +x entrypoint.sh && \ | ||
| chmod +x entrypoint_deployment.sh && \ | ||
| chmod +x entrypoint_deployment.sh && \ | ||
| chmod +x entrypoint_indexer.sh && \ | ||
| chmod +x entrypoint_ingester.sh && \ | ||
| chmod +x assume_identity.py | ||
| EXPOSE 8000 | ||
|
|
||
| # Container does not run as root | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -61,5 +61,4 @@ timeout = 60 | |
|
|
||
| [filter:memlimit] | ||
| use = egg:encoded#memlimit | ||
|
There was a problem hiding this comment. 20% of what? I'm not sure what's going on here but it feels like 20% is a very low limit. Is this because we've got 4 processes that are each taking 25%? Or 5 that this allows 100% of each? (That seems questionable, but maybe it is discounted to 80% of the specified amount elsewhere.) If it's weird math like that, it seriously calls for a comment explaining how the value was chosen. But really, I'd like such a comment regardless. There was a problem hiding this comment. The functionality that uses this is based on There was a problem hiding this comment. I just what that info in a comment in the code. |
||
| rss_limit = 450MB | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| [supervisord] | ||
| pidfile=%(here)s/supervisord.pid | ||
| logfile_maxbytes=50MB | ||
| logfile_backups=10 | ||
| loglevel=info | ||
| nodaemon=true | ||
| minfds=1024 | ||
| minprocs=200 | ||
| user=nginx | ||
|
|
||
| [program:cgap1] | ||
| autorestart=true | ||
| startsecs=6 | ||
| command=pserve production.ini http_port=6543 | ||
| stdout_logfile=/dev/stdout | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile_maxbytes=0 | ||
| redirect_stderr=true | ||
|
|
||
| [program:cgap2] | ||
| autorestart=true | ||
| startsecs=6 | ||
| command=pserve production.ini http_port=6544 | ||
| stdout_logfile=/dev/stdout | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile_maxbytes=0 | ||
| redirect_stderr=true | ||
|
|
||
| [program:cgap3] | ||
| autorestart=true | ||
| startsecs=6 | ||
| command=pserve production.ini http_port=6545 | ||
| stdout_logfile=/dev/stdout | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile_maxbytes=0 | ||
| redirect_stderr=true | ||
|
|
||
| [program:cgap4] | ||
| autorestart=true | ||
| startsecs=6 | ||
| command=pserve production.ini http_port=6546 | ||
| stdout_logfile=/dev/stdout | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile_maxbytes=0 | ||
| redirect_stderr=true | ||
|
|
||
| [program:cgap5] | ||
| autorestart=true | ||
| startsecs=6 | ||
| command=pserve production.ini http_port=6547 | ||
| stdout_logfile=/dev/stdout | ||
| stdout_logfile_maxbytes=0 | ||
| stderr_logfile_maxbytes=0 | ||
| redirect_stderr=true |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have we done a check to see if names can usefully have environment variables in them? It feels like that would save us a lot of little updates like this if it works. It might not, though.