Prebuilt Docker images (CI?)

[kliu128]

Hi! glitch-soc is pretty cool but maybe it'd be cooler to use with prebuilt Docker images xd

(As I run Mastodon on Kubernetes, having prebuilt images is kind of important for me. I could set up an auto-builder to build them myself if necessary though.)

---

• [x] I searched or browsed the repo’s other issues to ensure this is not a duplicate.

[hannahwhy]

Setting up your own build machine might be your best near-term solution; keep in mind that it'll have to have a few gigabytes of memory if you also plan to run the asset compilation step on the build machine. (The build procedure is identical to tootsuite's Mastodon, but glitch-soc contains two frontends, so webpack's space and time usage is much higher.)

[kliu128]

Ah, good to know. Do you know if there's a way to run asset precompilation without hardcoding SECRET_KEY_BASE / OTP_BASE in the image? I think I've tried to run rails assets:precompile before without that, but it fails.

[hannahwhy]

I've been looking for that myself -- I would like to run asset precompilation on a separate machine, but I don't want to have to have my .env.production on that separate machine.

Mastodon (and glitch-soc) read SECRET_KEY_BASE, OTP_SECRET, etc. from the process environment, so I think it ought to be possible to provide placeholder values when building the container and precompiling assets, and then supplying real values in your Kubernetes environment. I haven't yet tried this approach, but it seems like it should work.

[kliu128]

Well, I tried this strategy with a dockerfile at https://github.com/Pneumaticat/mastodon, and seems to work alright! Don't know if there's a gaping security vulnerability I'm missing, though :D

[hannahwhy]

Well, there was e.g. a version of Mastodon that baked the process environment into stats.json during asset compilation. (Oops.) However, using placeholder values during asset compilation would have reduced the impact of that vulnerability.

If image building and precompilation both use placeholders, and the only time real data and those images meet is in your Kubernetes environment, then:

1. anything involved in image or asset-building will never see those real data
2. neither the image nor the built assets can contain those real data

So I think it's okay.

[kliu128]

Cool! (Yeah, I remember that version - that was quite the hurried update on my end.)

In that case, I might try to submit a PR upstream with the Dockerfile changes to see people's opinions. I'm not exactly sure why asset precompilation isn't already done in build, but I guess I'll see what upstream thinks.

[kliu128]

To go back to the issue at hand, though, would it be possible for a maintainer of this repo to set up automated builds on Docker Hub?

That would automatically build Docker images on every push, I believe. The process doesn't appear to be too terrible.

[hannahwhy]

Seems like it'd be possible; we just need to work out who gets to own the Docker Hub account. I'll run that by @beatrix-bitrot.

[ladyisatis]

The environmental variables don't actually need anything set for them as it is only needed for Rails and not frontend JS, so precompiling doesn't actually need anything except CDN_HOST which is... somewhere in one of the JS files. (edit: recommended a solution) You can feasibly run:

USER mastodon

RUN SECRET_KEY_BASE=_ OTP_SECRET=_ bin/rails assets:precompile

Which will work just as well.