zodern / meteor-up

Production Quality Meteor Deployment to Anywhere
http://meteor-up.com/
MIT License

Procedure for updating Nginx Docker image #1228

Open conorstrejcek opened 3 years ago

conorstrejcek commented 3 years ago

Regarding the docker image which meteor-up uses for the proxy; is it possible to update to a newer version of this image using the mup CLI, or is there an accepted way to do this? This is necessary to keep nginx up to date, but I want to do so without interfering with the normal mup process, so I've been avoiding manually updating the image.

conorstrejcek commented 3 years ago

@zodern I just wanted to ping you to see if there is an easy answer to this question, as it is impacting us in production right now (we need to upgrade our version of nginx to address security vulnerabilities). We've been using this deployment tool for a few years now, and I wanted to take the chance to thank you for all of the effort which has been put into this project. I don't want to waste your time, so please let me know if there is a more appropriate place to post this question (I tried in the gitter, but it doesn't seem very active).

dumski commented 2 years ago

It would be a nice option to customize the proxy docker image (we have to stick with zodern:nginx-proxy for now). For me, it's the only thing stopping me from deploying on my rpi4 server. Is it possible to configure another proxy docker image? (e.g. jwilder/nginx-proxy is for arm64). Thanks

dumski commented 2 years ago

Hi, @conorstrejcek, I've managed to run jwilder/nginx-proxy:latest as an alternative to the default nginx-proxy image. Just wanted to share my solution with you.

I used this file as a guide to run jwilder's image. Just log into your server (as root if you need this to manage docker containers). This script does this:

```bash
#!/bin/bash

# set env variables
APPNAME=mup-nginx-proxy
APP_PATH=/opt/$APPNAME
NGINX_PROXY_VERSION="latest"
ENV_FILE=$APP_PATH/config/env.list
NGINX_CONFIG_PATH="/opt/$APPNAME/config/nginx-default.conf"
TEMPLATE_PATH=/opt/$APPNAME/config/nginx.tmpl
HTTP_PORT=80
HTTPS_PORT=443

# stop & remove zodern's container
echo 'Stopping & removing old container'
docker stop $APPNAME
docker rm $APPNAME

# run container using custom image (jwilder/nginx-proxy)

echo 'Running the new one'
sudo docker run \
  -d \
  -p $HTTP_PORT:80 \
  -p $HTTPS_PORT:443 \
  --name $APPNAME \
  --env-file=$ENV_FILE \
  --restart=always \
  --log-opt max-size=100m \
  --log-opt max-file=7 \
  --network bridge \
  -v $TEMPLATE_PATH:/app/nginx.tmpl:ro \
  -v /opt/$APPNAME/mounted-certs:/etc/nginx/certs \
  -v /opt/$APPNAME/config/vhost.d:/etc/nginx/vhost.d \
  -v /opt/$APPNAME/config/html:/usr/share/nginx/html \
  -v /opt/$APPNAME/config/htpasswd:/etc/nginx/htpasswd \
  -v /opt/$APPNAME/config/nginx-default.conf:/etc/nginx/conf.d/my_proxy.conf:ro \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  -v /opt/$APPNAME/upstream:/etc/nginx/upstream \
  jwilder/nginx-proxy:$NGINX_PROXY_VERSION

# same with a companion container

docker stop $APPNAME-letsencrypt
docker rm $APPNAME-letsencrypt

LETSENCRYPT_COMPANION_VERSION="v1.13.1"
ENV_FILE_LETSENCRYPT=$APP_PATH/config/env_letsencrypt.list

sudo docker run \
  -d \
  --name $APPNAME-letsencrypt \
  --env-file=$ENV_FILE_LETSENCRYPT \
  --restart=always \
  --volumes-from $APPNAME \
  --log-opt max-size=100m \
  --log-opt max-file=3 \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  jrcs/letsencrypt-nginx-proxy-companion:$LETSENCRYPT_COMPANION_VERSION

echo 'Current containers running:'
docker ps
```

Also @zodern, since we have this simple workaround, could you please consider adding the ability to use a custom nginx-proxy docker image? I don't have the skills to fork and build an npm package to add this option to mup. I think a proxy.image option in mup.js would be awesome!

Cheers, Teo

Batistleman commented 2 years ago

I agree, the current nginx version for this package is: 1.19.3, and has the following security concerns: https://nvd.nist.gov/vuln/detail/CVE-2021-23017

I think it would be possible just to replace:

FROM jwilder/nginx-proxy:0.8.0

with:

FROM nginxproxy/nginx-proxy:0.9

in the repo: https://github.com/zodern/nginx-proxy/blob/master/Dockerfile

references:

Batistleman commented 2 years ago

@zodern is there a way we can help move this forward? Should we open a PR for this?

Perhaps we can make this an optional configuration, so there will be no change for existing installations?

productiveme commented 2 years ago

I would love to use jwilder/nginx-proxy or a fork like braingamer/nginx-proxy-arm as this will allow me to deploy to Oracle Cloud's ARM servers. If we could have an advanced configuration for the proxy to specify the docker image that would be super helpful.

Alternatively, if zodern/nginx-proxy could also have an ARM architecture version, that would automatically solve my problem. I read about a seemingly good solution for building docker images for multiple architectures with github actions here

For now @dumski's script is working for me, just have to remember to run it after mup setup.
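
A check that fits after swapping the proxy image as discussed in this thread, added here as an example and not part of meteor-up or of any commenter's script: it reads the nginx version from the running proxy container and compares it numerically against a minimum that you take from the advisory you are tracking. The container name `mup-nginx-proxy` comes from the script above; the function names and the minimum-version argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): verify the nginx version inside the proxy container.

# Extract "X.Y.Z" from the banner printed by `nginx -v`,
# e.g. "nginx version: nginx/1.19.3". Prints nothing if no banner is found.
parse_nginx_version() {
  printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 if dotted version $1 >= $2. Fields are compared as numbers,
# so 1.19.10 is correctly newer than 1.19.9 (a string compare gets this wrong).
version_ge() {
  va=$1 vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    fa=${va%%.*}; fb=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    fa=${fa:-0}; fb=${fb:-0}   # missing fields count as 0 (1.20 == 1.20.0)
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
  done
  return 0
}

# Status: 0 = at or above the minimum, 1 = older, 2 = version unreadable.
check_banner() {
  found=$(parse_nginx_version "$1")
  [ -n "$found" ] || { echo "could not read nginx version" >&2; return 2; }
  if version_ge "$found" "$2"; then
    echo "ok: nginx $found >= $2"
  else
    echo "outdated: nginx $found < $2" >&2
    return 1
  fi
}

# `nginx -v` writes its banner to stderr, hence 2>&1.
check_container() {
  banner=$(docker exec "$1" nginx -v 2>&1) || { echo "docker exec failed: $banner" >&2; return 2; }
  check_banner "$banner" "$2"
}

# Usage: sh check-proxy.sh mup-nginx-proxy <minimum-version>
if [ "$#" -eq 2 ]; then check_container "$1" "$2"; fi
```

Because `mup setup` recreates the proxy container, running this after each setup shows whether the older image is back in place.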