[x] This project needs to be done on a Virtual Machine.
[x] All the files required for the configuration of your project must be placed in a srcs
folder.
[x] A Makefile is also required and must be located at the root of your directory. It
must set up your entire application (i.e., it has to build the Docker images using
docker-compose.yml).
Mandatory part
[x] The whole project has to be done in a virtual machine. You
have to use docker compose.
[x] Each Docker image must have the same name as its corresponding service.
[x] Each service has to run in a dedicated container.
[x] For performance matters, the containers must be built either from the penultimate stable
version of Alpine or Debian. The choice is yours.
[x] You also have to write your own Dockerfiles, one per service. The Dockerfiles must
be called in your docker-compose.yml by your Makefile.
[x] This means you have to build the Docker images of your project yourself. It is therefore forbidden to pull ready-made Docker images or to use services such as DockerHub
(Alpine/Debian being excluded from this rule).
You then have to set up:
[x] A Docker container that contains NGINX with TLSv1.2 or TLSv1.3 only.
[x] A Docker container that contains WordPress + php-fpm (it must be installed and
configured) only without nginx.
[x] A Docker container that contains MariaDB only without nginx.
[x] A volume that contains your WordPress database.
[x] A second volume that contains your WordPress website files.
[x] A docker-network that establishes the connection between your containers
[x] Your containers have to restart in case of a crash.
[x] A Docker container is not a virtual machine. Thus, it is not
recommended to use any hacky patch based on ’tail -f’ and so forth
when trying to run it. Read about how daemons work and whether it’s
a good idea to use them or not.
[x] Of course, using network: host or --link or links: is forbidden.
[x] The network line must be present in your docker-compose.yml file.
[x] Your containers mustn’t be started with a command running an infinite
loop. Thus, this also applies to any command used as entrypoint, or
used in entrypoint scripts. The following are a few prohibited hacky
patches: tail -f, bash, sleep infinity, while true.
[x] Read about PID 1 and the best practices for writing Dockerfiles.
[x] In your WordPress database, there must be two users, one of them being the administrator. The administrator’s username can’t contain admin/Admin or administrator/Administrator (e.g., admin, administrator, Administrator, admin-123, and
so forth).
[x] Your volumes will be available in the /home/login/data folder of the
host machine using Docker. Of course, you have to replace the login
with yours.
[x] To make things simpler, you have to configure your domain name so it points to your
local IP address.
[x] This domain name must be login.42.fr. Again, you have to use your own login.
For example, if your login is wil, wil.42.fr will redirect to the IP address pointing to
wil’s website.
[x] The latest tag is prohibited.
[x] No password must be present in your Dockerfiles.
[x] It is mandatory to use environment variables.
[x] Also, it is strongly recommended to use a .env file to store
environment variables. The .env file should be located at the root
of the srcs directory.
[x] Your NGINX container must be the only entrypoint into your
infrastructure via the port 443 only, using the TLSv1.2 or TLSv1.3
protocol.
[x] For obvious security reasons, any credentials, API keys, env
variables etc... must be saved locally in a .env file and ignored by
git. Publicly stored credentials will lead you directly to a failure
of the project.
Evaluation
General instructions
[x] For the entire evaluation process, if you don't know how to check a requirement, or verify anything, the evaluated student has to help you.
[x] Ensure that all the files required to configure the application are
located inside a srcs folder. The srcs folder must be located at the
root of the repository.
[x] Ensure that a Makefile is located at the root of the repository.
[x] Before starting the evaluation, run this command in the terminal:
"docker stop $(docker ps -qa); docker rm $(docker ps -qa);
docker rmi -f $(docker images -qa); docker volume rm $(docker volume ls -q); docker network rm $(docker network ls -q) 2>/dev/null"
[x] Read the docker-compose.yml file. There mustn't be 'network: host' in
it or 'links:'. Otherwise, the evaluation ends now.
[x] Read the docker-compose.yml file. There must be 'network(s)' in it. Otherwise, the evaluation ends now.
[x] Examine the Makefile and all the scripts in which Docker is used.
There mustn't be '--link' in any of them. Otherwise, the evaluation
ends now.
[x] Examine the Dockerfiles. If you see 'tail -f' or any command run in background in any of them in the ENTRYPOINT section, the evaluation
ends now. Same thing if 'bash' or 'sh' are used but not for running a
script (e.g., 'nginx & bash' or 'bash').
[x] If the entrypoint is a script (e.g., ENTRYPOINT ["sh", "my_entrypoint.sh"], ENTRYPOINT ["bash", "my_entrypoint.sh"]), ensure it runs no program
in the background (e.g., 'nginx & bash').
[x] Examine all the scripts in the repository. Ensure none of them runs
an infinite loop.
The following are a few examples of prohibited commands:
'sleep infinity', 'tail -f /dev/null', 'tail -f /dev/random'
[x] Run the Makefile.
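The static checks listed above can be scripted before the evaluation. This is an added example, not part of the subject or of this project's files: the function name audit_srcs, the choice to scan only srcs/ and the Makefile, and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the subject: static pre-check for forbidden patterns.
# audit_srcs <repo> prints one FAIL line per finding; returns 0 if clean, else 1.
audit_srcs() {
    root=$1; rc=0
    compose="$root/srcs/docker-compose.yml"
    fail() { printf 'FAIL: %s\n' "$1"; rc=1; }
    scan() {  # scan <label> <ERE>: flag files under srcs/ or the Makefile that match
        hits=$(grep -rlE -e "$2" "$root/srcs" "$root/Makefile" 2>/dev/null) || true
        [ -z "$hits" ] || fail "$1 in: $(printf '%s' "$hits" | tr '\n' ' ')"
    }

    [ -f "$root/Makefile" ] || fail "no Makefile at the repository root"
    [ -f "$compose" ] || { fail "srcs/docker-compose.yml is missing"; return 1; }

    # Compose file: no host networking, no links:, and a networks: key must exist.
    grep -Eq '^[[:space:]]*network(_mode)?:[[:space:]]*"?host' "$compose" &&
        fail "host networking in docker-compose.yml"
    grep -Eq '^[[:space:]]*links:' "$compose" && fail "links: in docker-compose.yml"
    grep -Eq '^[[:space:]]*networks:' "$compose" || fail "no networks: in docker-compose.yml"

    # Makefile, Dockerfiles, scripts: legacy links, keep-alive hacks, the latest tag,
    # and programs sent to the background from ENTRYPOINT or CMD.
    scan "--link" '--link'
    scan "keep-alive hack" 'tail[[:space:]]+-f|sleep[[:space:]]+infinity|while[[:space:]]+true'
    scan "latest tag" ':latest([[:space:]"]|$)'
    scan "background job" '^[[:space:]]*(ENTRYPOINT|CMD).*[^&]&([^&]|$)'
    return "$rc"
}

# Constructed sample tree with four deliberate violations.
demo=$(mktemp -d)
mkdir -p "$demo/srcs/requirements/nginx"
printf 'all:\n\tdocker compose -f srcs/docker-compose.yml up -d --build\n' > "$demo/Makefile"
cat > "$demo/srcs/docker-compose.yml" <<'EOF'
services:
  nginx:
    build: requirements/nginx
    image: nginx
    links:
      - wordpress
EOF
printf 'FROM alpine:3.19\nENTRYPOINT ["sh", "-c", "nginx & tail -f /dev/null"]\n' \
    > "$demo/srcs/requirements/nginx/Dockerfile"
audit_srcs "$demo" || echo "audit failed: fix the findings above"
rm -rf "$demo"
```

A clean result only means none of these patterns appear in the files; the evaluator still reads the Dockerfiles and scripts by hand.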
Project overview
[x] The evaluated person has to explain to you in simple terms:
[ ] How Docker and docker-compose work
[ ] The difference between a Docker image used with docker-compose and without docker-compose
[ ] The benefit of Docker compared to VMs
[x] The pertinence of the directory structure required for this project
(an example is provided in the subject's PDF file).
Simple setup
[ ] Ensure that NGINX can be accessed by port 443 only. Once done, open the page.
[x] Ensure that an SSL/TLS certificate is used.
[x] Ensure that the WordPress website is properly installed and configured (you shouldn't see the WordPress Installation page). To access it,
open https://login.42.fr in your browser, where login is the login of
the evaluated student. You shouldn't be able to access the site via http://login.42.fr.
If something doesn't work as expected, the evaluation process ends now.
Docker Basics
[x] Start by checking the Dockerfiles. There must be one Dockerfile per service. Ensure that the Dockerfiles are not empty files. If it's not
the case or if a Dockerfile is missing, the evaluation process ends now.
[x] Make sure the evaluated student has written their own Dockerfiles and built their own Docker images. Indeed, it is forbidden to use ready-made ones or to use services such as DockerHub.
[x] Ensure that every container is built from the penultimate stable version of Alpine Linux or from Debian Buster. If a Dockerfile does not start
with 'FROM alpine' or 'FROM debian:buster', or any other local image, the evaluation process ends now.
[x] The Docker images must have the same name as their corresponding service. Otherwise, the evaluation process ends now.
[x] Ensure that the Makefile has set up all the services via docker-compose. This means that the containers must have been built using docker-compose and that no crash happened. Otherwise, the evaluation process ends.
Docker Network
[x] Ensure that docker-network is used by checking the docker-compose.yaml file. Then run the 'docker network ls' command to verify that a
network is visible.
[ ] The evaluated student has to give you a simple explanation of docker-network.
If any of the above points is not correct, the evaluation process ends now.
NGINX with SSL/TLS
[x] Ensure that there is a Dockerfile.
[x] Using the 'docker-compose ps' command, ensure that the container was created (using the flag '-p' is authorized if necessary).
[ ] Try to access the service via http (port 80) and verify that you
cannot connect.
[x] Open https://login.42.fr/ in your browser, where login is the login
of the evaluated student. The displayed page must be the configured WordPress website (you shouldn't see the WordPress Installation page).
[x] The use of a TLS v1.2/v1.3 certificate is mandatory and must be demonstrated. The SSL/TLS certificate doesn't have to be recognized.
[x] A self-signed certificate warning may appear.
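The "port 443 only, TLSv1.2 or TLSv1.3 only" requirement can also be checked in the NGINX configuration itself before the container is started. This is an added example, not part of the subject or of this project's files: the function name audit_nginx_conf and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the subject: static check of an NGINX config against
# the "port 443 only, TLSv1.2 or TLSv1.3 only" requirement.
# audit_nginx_conf <file> prints FAIL lines; returns 0 if compliant, else 1.
audit_nginx_conf() {
    rc=0
    fail() { printf 'FAIL: %s\n' "$1"; rc=1; }
    body=$(sed 's/#.*//' "$1")          # ignore commented-out directives

    # Every listen directive must be port 443 and carry the ssl parameter.
    listens=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*listen[[:space:]]') || true
    [ -n "$listens" ] || fail "no listen directive found"
    bad=$(printf '%s\n' "$listens" |
        grep -Ev '[[:space:]:]443[[:space:]]([^;]*[[:space:]])?ssl[[:space:];]') || true
    [ -z "$bad" ] || fail "listener other than 443 ssl: $(printf '%s' "$bad" | tr -s '[:space:]' ' ')"

    # ssl_protocols must be set explicitly and list nothing older than TLSv1.2.
    protos=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p')
    [ -n "$protos" ] || fail "ssl_protocols is not set, so the NGINX defaults apply"
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) fail "protocol $p is enabled" ;;
        esac
    done
    return "$rc"
}

# Constructed sample config with two deliberate violations.
conf=$(mktemp)
cat > "$conf" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name login.42.fr;
    ssl_protocols TLSv1.1 TLSv1.2;
}
EOF
audit_nginx_conf "$conf" || echo "config does not meet the TLS requirement"
rm -f "$conf"
```

This only reads the configuration; the evaluation still requires demonstrating the behaviour against the running container.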
WordPress with php-fpm and its volume
[x] Ensure that there is a Dockerfile.
[x] Ensure that there is no NGINX in the Dockerfile.
[x] Using the 'docker-compose ps' command, ensure that the container was created (using the flag '-p' is authorized if necessary).
[x] Ensure that there is a Volume. To do so:
Run the command 'docker volume ls' then 'docker volume inspect'.
[x] Verify that the result in the standard output contains
the path '/home/login/data/', where login is the login of the evaluated student.
[x] Ensure that you can add a comment using the available WordPress user.
Sign in with the administrator account to access the Administration dashboard. The Admin username must not include 'admin' or 'Admin' (e.g., admin, administrator, Admin-login, admin-123, and so forth).
[x] From the Administration dashboard, edit a page. Verify on the website that the page has been updated.
If any of the above points is not correct, the evaluation process ends now.
MariaDB and its volume
[x] Ensure that there is a Dockerfile.
[x] Ensure that there is no NGINX in the Dockerfile.
[x] Using the 'docker-compose ps' command, ensure that the container was created (using the flag '-p' is authorized if necessary).
[x] Ensure that there is a Volume. To do so:
Run the command 'docker volume ls' then 'docker volume inspect'.
[x] Verify that the result in the standard output contains
the path '/home/login/data/', where login is the login of the evaluated student.
[ ] The evaluated student must be able to explain to you how to log in to
the database. Try to log in to the SQL database as root but with no password. If the login is successful, the evaluation process ends now.
[x] Try to log in to the SQL database with the user account and its password. Verify that the database is not empty.
If any of the above points is not correct, the evaluation process ends now.
Persistence!
[ ] This part is pretty straightforward. You have to reboot the virtual machine. Once it has restarted, launch docker-compose again. Then, verify that everything is functional, and that both WordPress and MariaDB are configured. The changes you made previously to the WordPress website should still be here.
[x] If any of the above points is not correct, the evaluation process ends now.