nightscout / nightscout-docker

docker resources for creating Nightscout boxen

Use well-maintained images and official repo instead of outdated stuff #9

Open mastacheata opened 6 years ago

mastacheata commented 6 years ago

I've changed the docker-compose file to use better maintained versions of the upstream dependencies and directly build the Nightscout NodeJS app instead of relying on an unmaintained fork.

Let's start with the dependencies:

  1. I replaced the prologic Mosquitto build with the official Mosquitto build from the Eclipse Foundation. This might not be so important as the only known security problem in Mosquitto was an authentication bypass, but no authentication is used in this setup anyway.

  2. MongoDB by tutum was replaced by the official docker-community maintained version called mongo, which is also sponsored by Mongo Inc. (the developers of MongoDB). The old MongoDB had several CVE security issues. Most of them can only be used in DoS attacks, but there were also 2 overflow errors which can potentially be used for reading sensitive information or modifying memory.

  3. Last but not least the main dish: The compose file in this repo uses a prebuilt docker image for the nightscout NodeJS application that is based on a third party fork by user Fokko. Said fork hasn't been updated in 2.5 years and is currently behind the master branch by about 1300 commits. Why would anyone use a docker image explicitly marked for dev purposes only and use a version that's outdated by 2.5 years?

So this PR updates the docker-compose.yml file to bring things into the year 2018. I've changed the compose file to version 3 syntax (available in Docker 1.13.0 from January 2017 and newer) in order to use the build from external repositories feature instead of relying on a prebuilt docker-image for the main app. The dependencies have been updated to use the official versions of the apps: Mosquitto is now using the official eclipse-mosquitto image from the Eclipse foundation and should receive timely updates. Same is true for the MongoDB version, which was replaced with the official mongo image.

I've also modified the comment inside this file about exposing the MongoDB port a bit, so that others who aren't that involved with development know when this is actually needed and that it's usually not necessary in 2018 anymore.

Hope others can profit from this as well. I didn't touch any of the cloud deployment guides as I never tried to deploy docker containers on servers not managed by myself or my company.

mastacheata commented 6 years ago

One more thing: I changed the links argument in the compose file to depends_on. Links is deprecated and did two things: It defined a dependency between the service with the links argument and the services mentioned there. The other thing was that it made the linked services available by an easy to remember hostname from inside the container. The latter isn't necessary anymore as docker-compose will now provide DNS/hostname resolution for all containers within the same virtual network by default without the need to explicitly configure that.
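The compose layout the two comments above describe, as an added example that is neither the PR's own docker-compose.yml nor the Nightscout project's file: the official eclipse-mosquitto and mongo images in place of the prologic and tutum ones, the app built from a git URL instead of a prebuilt third-party image, the MongoDB port kept off the host, and depends_on in place of the deprecated links. The upstream repository URL, the image tags, the environment variable names and the published port are assumptions for illustration and should be checked against the current Nightscout documentation.

```yaml
version: "3"

services:
  mongo:
    # Official community-maintained image (sponsored by Mongo Inc.),
    # replacing the unmaintained tutum image. Tag is an assumption; pin one
    # that the Nightscout release you build actually supports.
    image: mongo:4.4
    volumes:
      - mongo-data:/data/db
    # Deliberately no "ports:" entry: the database is reachable only on the
    # compose network, by the service name "mongo". Publish it only if an
    # external client genuinely needs it, and then bind to loopback, e.g.
    # ports:
    #   - "127.0.0.1:27017:27017"

  mqtt:
    # Official Eclipse Foundation build, replacing the prologic image.
    # Tag is an assumption. Note that Mosquitto 2.x listens on localhost only
    # unless a config with an explicit listener is mounted, so 1.6 is used
    # here to keep the anonymous-listener behaviour the thread describes.
    image: eclipse-mosquitto:1.6

  nightscout:
    # Compose file format 3 lets the context be a git URL, so the app is
    # built from the main repository instead of a stale prebuilt image.
    # Assumed upstream URL.
    build:
      context: https://github.com/nightscout/cgm-remote-monitor.git
    # The deprecated form this replaces was:
    # links:
    #   - mongo
    #   - mqtt
    # depends_on keeps the start-order dependency; hostname resolution for
    # "mongo" and "mqtt" now comes from compose's built-in DNS.
    depends_on:
      - mongo
      - mqtt
    environment:
      # Assumed variable names for illustration.
      MONGO_CONNECTION: mongodb://mongo:27017/nightscout
      MQTT_MONITOR: mqtt://mqtt:1883
      API_SECRET: replace-with-a-long-random-secret
    ports:
      - "1337:1337"

volumes:
  mongo-data:
```

Running `docker-compose config` against this file is a cheap check that the build context and depends_on entries are accepted by the compose version in use; `docker-compose port mongo 27017` should then return nothing, confirming the database is not published on the host.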

skandragon commented 4 years ago

What's the status of this? Is your fork's branch stable for use?

mastacheata commented 4 years ago

Status of the MR: Ignored forever. => No one feels responsible for this repo :(

Status of the docker-compose.yml => This should be safe for the foreseeable future. It takes the MQTT and MongoDB images from Eclipse and Mongo, which have a long record of maintaining their stuff and then takes the actual Nightscout application right from the main repo. (They maintain a Dockerfile for that, the compose file only takes care of plugging in the external services)

The only thing that could be improved was if the Nightscout Team would actually submit their Dockerfile to the Docker hub instead of having to build it from source every time.

mastacheata commented 9 months ago

> Thanks for this. There appears to be a typo: "Dockerfile.example" doesn't exist.

Thanks, fixed that, but you're better off using the docker-compose.yml in the main repository anyway nowadays.

I created this MR 5 years ago, it seems like it would make more sense to remove this repository in its entirety nowadays.