(WIP) Priodically build amc backend docker image

[OmarIthawi]

We've been hosting our Docker images on grc.io which I don't like to have it there since it complicates our setup. I'd like to have all of our Docker images hosted on Docker Hub and public to make $ make pull actually work flawlessly. This PR continues over #284 for the backend.

What about AMC Backend?

I'd like to copy the following from AMC:

• The requirements file: https://github.com/appsembler/amc/tree/develop/requirements
• The Dockefile for backend

and put it in this repository.

What about security risks?

In my opinion there's no additional risk of opening up such requirements because most of our infrastructure is public anyway.

TODO

• [x] Get approvals from Maxi/Anders about potential security issues
• [ ] Build the backend docker image
• [ ] Ask for another review

[melvinsoft]

@OmarIthawi I'm sorry but I'm not qualified to approve this from the security stand point, do you have any doc to read to learn more about it?

[OmarIthawi]

@OmarIthawi I'm sorry but I'm not qualified to approve this from the security stand point, do you have any doc to read to learn more about it?

Thanks @melvinsoft. I'll try to explain in more details:

What I'm looking for can be summarized in this question:

• Do you think it risky to share the following files of AMC (now private) in the configuration (opensource) repository?:

• All requirement files in: https://github.com/appsembler/amc/tree/develop/requirements

• The Dockerfile content: https://github.com/appsembler/amc/blob/develop/Dockerfile

My opinion is that it's safe to share those files but not the code of AMC itself of course.

[OmarIthawi]

I don't see any security problems with this.

:+1:

Do we want the AMC image being built and uploaded from this repo though? Would it make more sense just to have that happen in the amc repo, when a change happens there? AMC shouldn't directly depend on anything in configuration and that would work better to ensure that the image gets updated whenever the requirements or Dockerfile changes.

You're right. I wasn't sure where to put it. I'll actually make it so in amc.

More of an aside, but I do also just find the AMC docker setup a bit weird since it creates an image that has the dependencies for AMC, but not AMC itself, which is not usually what people expect from a docker image (I generally expect to be able to do docker pull X && docker run X and have X running).

You're right. It's sort of a tech debt that we didn't really bother to address. The amc image doesn't include AMC in a runnable way which makes it unsuitable for production use if we planned to do that.

The reason why none of us bothered to fix it, is the fact that it's good enough for devstack use, and sometimes that works on the other way around.

We could create a separate project that just creates an amc-base image, which would be suitable for devstack as well as building a proper AMC docker image (via a FROM appsembler/amc-base).

Sounds like a reasonable approach. Thanks @thraxil!

[OmarIthawi]

Closing in favor of AMC's https://github.com/appsembler/amc/pull/304