fritzdavenport
commented
4 years ago Is there anyone I can pair with @b-meson - if I can make a docker-compose or ansible playbook, to test it going to a fresh box in production?
Open b-meson opened 4 years ago
fritzdavenport
commented
4 years ago Is there anyone I can pair with @b-meson - if I can make a docker-compose or ansible playbook, to test it going to a fresh box in production?
b-meson
commented
4 years ago @fritzdavenport absolutely! I can create as many testing / staging servers as you need in our cloud environment. I think there is one more thing to understand: do we want to create something like a k8 and use our containers in prod, or do we instead want to run the applications on bare metal (as we currently do, but not everyone is doing it this way)
fritzdavenport
commented
4 years ago Had a larger conversation about this in the monthly meeting. Want to outline a few possibilities in this issue's discussion to generally guide the conversation and what the group wants to do. We currently can or do support three different deployment methods - being 1) git+ssh, 2) ansible, 3) docker-compose. I want to outline the three approaches, hopefully consolidate to one (or two, one of which is used only for testing), and define what we are willing to support in terms of documentation and out-of-the-box deployments for forked copies of the repo
fritzdavenport
commented
4 years ago Probably the easiest solution in terms of infrastructure investment. A frequent combination for many developers and projects. A lightweight and common combination, but difficult to piece together after a certain point and potentially less-stable.
docker-compose to have a repeatable environment for testing, git+ssh doesn't offer any tooling to help local testing.fritzdavenport
commented
4 years ago Ansible is an established devops tool that primarily uses python over ssh to provision a host https://github.com/lucyparsons/OpenOversight-ansible
docker-compose to have a repeatable environment for testinghttps://github.com/lucyparsons/OpenOversight-ansible/blob/main/roles/openoversight/tasks/application.yml (note: from @dismantl and bpdwatch.com )
name: Create OpenOversight directory become: true file: state: directory path: "{{ environ.path }}" owner: "{{ openoversight_user }}" group: "{{ openoversight_user }}"
name: Checkout OpenOversight git repo git: repo: "{{ openoversight_git_repo }}" dest: "{{ environ.path }}/OpenOversight" version: "{{ environ.git_version }}" update: yes ...
Docker is a lightweight virtualization layer which allows process isolation and a solid API for deploying pre-built software bundles.
For reference: We are not looking to pursue Kubernetes or K3s - we do not want to support deployment and management of that orchestration platform, and the additional benefits are probably unneeded for our use cases (single deploys to single hosts). If there's enough interest for kubernetes manifests, they can be provided for those users. We may pursue docker-compose on a single host instead.
dismantl
commented
4 years ago For bpdwatch.com we've used Ansible to deploy docker-compose.yml files that are fully customized with all the relevant environment variables, so it has the benefits of both the Docker and Ansible options. I've found it makes administration pretty easy; no worries about dependency management or the host environment. I put that in https://github.com/lucyparsons/OpenOversight-ansible, but instead of deploying docker-compose.yml files it just manages the Docker containers and image directly since I thought that would be simpler and more direct.
Also while Nginx is great, I went for Traefik instead since we were deploying via Docker. It's really great since proxied endpoints are managed dynamically via Docker container labels so the process is pretty seamless. Plus it handles all the SSL via Let's Encrypt.
msaad7777
commented
1 year ago It's great to see that there are multiple options for deploying the application. Using Docker and Ansible can offer several benefits, such as easier dependency management, increased stability, and the ability to manage multiple environments more efficiently. Additionally, using Traefik as a reverse proxy can simplify the process of managing proxied endpoints and SSL with Let's Encrypt.
Regarding the issue at hand, I would be happy to help tackle this task. In particular, I could work on the following tasks: installing an nginx user and setting it up to run the application as a non-root user, configuring the reverse proxy to connect to the gunicorn app, installing Let's Encrypt and setting up the TLS certificates, deploying OO and connecting it to the reverse proxy, setting up a basic firewall and removing any unnecessary ports, and prompting the user for the necessary .env variables and writing them to a file. Additionally, I could work on implementing an upgrade or backup role from Amazon's S3 for bonus points.
Please let me know if you would like me to take on this issue, and if there are any additional details or requirements that I should be aware of.
abandoned-prototype
commented
1 year ago Hi @msaad7777, welcome and apologies for the late response! Help with this issue would be greatly appreciated. The steps you laid out make a lot of sense to me, this is very similar to what I just recently implemented, without using Ansible however. So having this put into code and therefore easily repeatable would be a great help to anyone trying to deploy a new OpenOversight server. Thanks for your willingness to help out! Please let us know here, if you run into any issues
We have been getting a lot of requests for deployment support. We should add support for the following, maybe in Aansible.
The install script should at minimum run the following
nginxuser and install the application running as the user (non-root)nginxas a reverse proxy for a gunicorn app to connect to.envvariables and write them to a file.