Open cjoecker opened 7 months ago
Hey @cjoecker - you're right that we need to improve onboarding here and provide more docs. I'm going to move this to the docs repo and backlog, but PRs are welcome if you would like to help contribute!
Assigning to @getsentry/support for routing ⏲️
Routing to @getsentry/product-owners-sdks-web-frontend for triage ⏲️
Setting `SENTRY_AUTH_TOKEN` like this in the docker file will mean that the docker image will contain this token. Is this not a security risk?
I am trying to add Sentry.io to a Next.js app and deploy it as a container to AWS.
@yuvi-pc Correct. I would advise against using any build arguments for auth tokens as that will bake the auth tokens into the image. Instead I recommend using build secrets: https://docs.docker.com/build/building/secrets/
Thank you for the reply on my previous question.
Here is my docker file, which runs on an Azure pipeline; however, I keep getting 401 when mounting the secret. If I hardcode the `SENTRY_AUTH_TOKEN`, it works okay. The `SENTRY_AUTH_TOKEN` is an organisation token.
```dockerfile
# 1. Install dependencies only when needed
FROM node:20-alpine AS base

# 2. Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY . .
RUN yarn install --frozen-lockfile
ENV NODE_ENV=production
ENV NEXT_PUBLIC_SENTRY_DSN="{{NEXT_PUBLIC_SENTRY_DSN}}"
ENV NEXT_PUBLIC_SENTRY_LOGGING_ENABLED="{{NEXT_PUBLIC_SENTRY_LOGGING_ENABLED}}"
ENV SENTRY_LOG_LEVEL=debug
RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \
    SENTRY_AUTH_TOKEN=$(cat /run/secrets/SENTRY_AUTH_TOKEN) \
    yarn build

# 3. Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
ENV USE_HTTPS=true
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001
COPY --from=builder /app/public ./public
COPY --from=builder /app/package.json ./package.json
# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/entrypoint.sh ./entrypoint.sh
COPY --from=builder --chown=nextjs:nodejs /app/next.config.js ./next.config.js
COPY --from=builder --chown=nextjs:nodejs /app/next-i18next.config.js ./next-i18next.config.js
RUN ["chmod", "755", "/app/entrypoint.sh"]
USER nextjs
EXPOSE 3000
ENV PORT 3000
ENTRYPOINT ["/app/entrypoint.sh"]
CMD ["node", "server.js"]
```
Am I right here thinking it is ideal to upload source maps during the build process?
Here are the error logs from the build machine:
```
#16 77.71 DEBUG 2024-04-23 17:59:00.270711658 +00:00 using token authentication
#16 77.71 DEBUG 2024-04-23 17:59:00.270730345 +00:00 json body: {"version":"19z3UtQp22XhGVbJCRu6V","projects":["nfap-ui"],"dateStarted":"2024-04-23T17:59:00.270660373Z"}
#16 77.71 DEBUG 2024-04-23 17:59:00.270738264 +00:00 retry number 0, max retries: 0
#16 77.71 DEBUG 2024-04-23 17:59:00.294474220 +00:00 > POST /api/0/projects/novafori-v9/nfap-ui/releases/ HTTP/1.1
#16 77.71 DEBUG 2024-04-23 17:59:00.294510133 +00:00 > Host: sentry.io
#16 77.71 DEBUG 2024-04-23 17:59:00.294517157 +00:00 > Accept: */*
#16 77.71 DEBUG 2024-04-23 17:59:00.294523945 +00:00 > Connection: TE
#16 77.71 DEBUG 2024-04-23 17:59:00.294530206 +00:00 > TE: gzip
#16 77.71 DEBUG 2024-04-23 17:59:00.294536180 +00:00 > User-Agent: sentry-cli/1.77.3 webpack-plugin/1.21.0
#16 77.71 DEBUG 2024-04-23 17:59:00.294888985 +00:00 > Authorization: Bearer SENTRY_A***
#16 77.71 DEBUG 2024-04-23 17:59:00.294902315 +00:00 > Content-Type: application/json
#16 77.71 DEBUG 2024-04-23 17:59:00.294909283 +00:00 > Content-Length: 105
#16 77.71 DEBUG 2024-04-23 17:59:00.450901513 +00:00 < HTTP/1.1 401 Unauthorized
#16 77.71 DEBUG 2024-04-23 17:59:00.450938129 +00:00 < server: nginx
#16 77.71 DEBUG 2024-04-23 17:59:00.450948638 +00:00 < date: Tue, 23 Apr 2024 17:59:00 GMT
#16 77.71 DEBUG 2024-04-23 17:59:00.450957937 +00:00 < content-type: application/json
#16 77.71 DEBUG 2024-04-23 17:59:00.450967269 +00:00 < www-authenticate: xBasic realm="api"
#16 77.71 DEBUG 2024-04-23 17:59:00.450975021 +00:00 < allow: GET, POST, HEAD, OPTIONS
#16 77.71 DEBUG 2024-04-23 17:59:00.450982174 +00:00 < access-control-allow-methods: GET, POST, HEAD, OPTIONS
#16 77.71 DEBUG 2024-04-23 17:59:00.450992266 +00:00 < access-control-allow-headers: X-Sentry-Auth, X-Requested-With, Origin, Accept, Content-Type, Authentication, Authorization, Content-Encoding, sentry-trace, baggage, X-CSRFToken
#16 77.71 DEBUG 2024-04-23 17:59:00.451000423 +00:00 < access-control-expose-headers: X-Sentry-Error, X-Sentry-Direct-Hit, X-Hits, X-Max-Hits, Endpoint, Retry-After, Link
#16 77.71 DEBUG 2024-04-23 17:59:00.451010166 +00:00 < access-control-allow-origin: *
#16 77.71 DEBUG 2024-04-23 17:59:00.451018188 +00:00 < x-sentry-rate-limit-remaining: 39
#16 77.71 DEBUG 2024-04-23 17:59:00.451025263 +00:00 < x-sentry-rate-limit-limit: 40
#16 77.71 DEBUG 2024-04-23 17:59:00.451031924 +00:00 < x-sentry-rate-limit-reset: 1713895141
#16 77.71 DEBUG 2024-04-23 17:59:00.451038667 +00:00 < x-sentry-rate-limit-concurrentremaining: 24
#16 77.71 DEBUG 2024-04-23 17:59:00.451045270 +00:00 < x-sentry-rate-limit-concurrentlimit: 25
#16 77.71 DEBUG 2024-04-23 17:59:00.451052233 +00:00 < vary: Accept-Language, Cookie
#16 77.71 DEBUG 2024-04-23 17:59:00.451059401 +00:00 < content-language: en
#16 77.71 DEBUG 2024-04-23 17:59:00.451066543 +00:00 < x-frame-options: deny
#16 77.71 DEBUG 2024-04-23 17:59:00.451074576 +00:00 < x-content-type-options: nosniff
#16 77.71 DEBUG 2024-04-23 17:59:00.451081749 +00:00 < x-xss-protection: 1; mode=block
#16 77.71 DEBUG 2024-04-23 17:59:00.451089507 +00:00 < content-security-policy: object-src 'none'; frame-ancestors 'self' *.sentry.io; connect-src 'self' *.algolia.net *.algolianet.com *.algolia.io sentry.io *.sentry.io s1.sentry-cdn.com o1.ingest.sentry.io api2.amplitude.com app.pendo.io data.pendo.io reload.getsentry.net t687h3m0nh65.statuspage.io sentry.zendesk.com ekr.zdassets.com maps.googleapis.com; base-uri 'none'; default-src 'none'; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'report-sample' s1.sentry-cdn.com js.sentry-cdn.com browser.sentry-cdn.com statuspage-production.s3.amazonaws.com static.zdassets.com aui-cdn.atlassian.com connect-cdn.atl-paas.net js.stripe.com 'strict-dynamic' cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static-5634074999128064.storage.googleapis.com; font-src * data:; frame-src app.pendo.io demo.arcade.software js.stripe.com sentry.io; media-src *; img-src * blob: data:; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/54785/security/?sentry_key=f724a8a027db45f5b21507e7142ff78e&sentry_release=734d397e49f3f0ca40c955cc879da88d5f99b6f6
#16 77.71 DEBUG 2024-04-23 17:59:00.451098598 +00:00 < x-envoy-attempt-count: 1
#16 77.71 DEBUG 2024-04-23 17:59:00.451105380 +00:00 < x-envoy-upstream-service-time: 42
#16 77.71 DEBUG 2024-04-23 17:59:00.451112038 +00:00 < x-served-by: getsentry-web-rpc-production-canary-599cfb48c4-6sxc5
#16 77.71 DEBUG 2024-04-23 17:59:00.451119014 +00:00 < x-sentry-proxy-url: http://10.2.0.67:8999/api/0/projects/novafori-v9/nfap-ui/releases/
#16 77.71 DEBUG 2024-04-23 17:59:00.451125738 +00:00 < x-served-by: getsentry-control-web-default-common-production-65c45ff7f475vqz
#16 77.71 DEBUG 2024-04-23 17:59:00.451132881 +00:00 < x-served-by: frontend-default-57fc75c5c4-7qkkn
#16 77.71 DEBUG 2024-04-23 17:59:00.451140719 +00:00 < strict-transport-security: max-age=31536000; includeSubDomains; preload
#16 77.71 DEBUG 2024-04-23 17:59:00.451147637 +00:00 < via: 1.1 google
#16 77.71 DEBUG 2024-04-23 17:59:00.451154638 +00:00 < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
#16 77.71 DEBUG 2024-04-23 17:59:00.451161878 +00:00 < Transfer-Encoding: chunked
#16 77.71 DEBUG 2024-04-23 17:59:00.453177061 +00:00 response status: 401
#16 77.71 DEBUG 2024-04-23 17:59:00.453199651 +00:00 body: {"detail":"Invalid token"}
#16 77.71 error: API request failed
#16 77.71 caused by: sentry reported an error: Invalid token (http status: 401)
#16 77.71 DEBUG 2024-04-23 17:59:00.453266820 +00:00 skipping update nagger because session is not attended
#16 77.71
```
Can you check that the token file you're writing is not containing any sort of other characters like newlines or smth? "Invalid token" makes me think that the token got messed up in some way. Maybe also print it out and look at it delimited by some characters for good measure?
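The check suggested above, as an added example that is not part of the thread: a shell function that inspects a secret file for stray characters and reports only findings and length, never the value. The masked `Authorization: Bearer SENTRY_A***` line in the log begins with the first letters of the variable's name, which is the case the placeholder check covers; the `sntrys_` prefix for organisation tokens and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: organisation tokens start
# with "sntrys_"; override PREFIX if yours differ.
PREFIX=${PREFIX:-sntrys_}

# check_token_file FILE
# Prints one finding per line plus the value length; never prints the value.
# Returns 0 when the file looks like a usable token, 1 otherwise.
check_token_file() {
    file=$1
    status=0
    cr=$(printf '\r')
    if [ ! -s "$file" ]; then
        echo "empty-or-missing"
        return 1
    fi
    # $(cat file) in a RUN line strips trailing LF only: a CR from CRLF line
    # endings survives and becomes part of the Authorization header.
    if grep -q "$cr" "$file"; then
        echo "carriage-return"
        status=1
    fi
    value=$(tr -d '\r' < "$file")   # $( ) drops trailing LFs, as the RUN line does
    case $value in
        *[[:space:]]*) echo "embedded-whitespace"; status=1 ;;
    esac
    case $value in
        # The CI system passed a placeholder or the variable name, not its value.
        '$('*|'${'*|'{{'*|SENTRY_AUTH_TOKEN*) echo "unexpanded-placeholder"; status=1 ;;
        "$PREFIX"*) ;;
        *) echo "unexpected-prefix"; status=1 ;;
    esac
    echo "length=${#value}"
    return "$status"
}

# Constructed samples (fake tokens) exercising the findings.
demo() {
    dir=$(mktemp -d)
    printf 'sntrys_CONSTRUCTEDtoken\n'   > "$dir/ok"
    printf 'sntrys_CONSTRUCTEDtoken\r\n' > "$dir/crlf"
    printf '$(SENTRY_AUTH_TOKEN)'        > "$dir/unexpanded"
    for f in ok crlf unexpanded; do
        echo "$f: $(check_token_file "$dir/$f" | tr '\n' ' ')"
    done
    rm -rf "$dir"
}

# Check the file given as argument; with no argument, run the constructed samples.
if [ "$#" -gt 0 ]; then check_token_file "$1"; else demo; fi
```

Run it in the pipeline step that writes the secret file, before the file is handed to `docker build --secret id=SENTRY_AUTH_TOKEN,src=<file>`.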
It was an Azure pipeline issue. Once that is resolved, my source map is being uploaded to the Sentry release.
@yuvi-pc does this mean we can close the issue?
@Lms24 I am not the original author of this issue. But you can use my docker file example in your documentation, or I can raise a PR if you could point out where I need to set it.
Problem Statement
I'm using `@sentry/remix` with Remix and deploying it with a docker container to AWS. I couldn't find in the documentation that I need to add the `ARG SENTRY_AUTH_TOKEN` during the docker build to make Sentry work during `npm run build`.

Solution Brainstorm
It would be nice to have a small example on how to run the `npm run build` inside of a docker file safely in order to build the app authenticating Sentry. For example:

Build on docker
If you are using docker to deploy your application, you will need to authenticate Sentry during `npm run build`. For that, you need to do the following:
- `ARG SENTRY_AUTH_TOKEN` at the beginning of your file `Dockerfile`
- `ENV SENTRY_AUTH_TOKEN=${SENTRY_AUTH_TOKEN}` before the `RUN npm run build` command in your `Dockerfile`