Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

chore: Place local MongoDB cluster key in /tmp instead of / (#26963)

Browse Source 
This is another step towards supporting running with readonly root FS,
and only making runtime changes in the container in `/tmp` or in
`/appsmith-stacks`, and nowhere else.
This commit is contained in:
Shrikant Sharat Kandula 2023-09-11 12:54:50 +05:30 committed by GitHub
parent 9f5cd47f0d
commit 55dea43b2d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -51,6 +51,8 @@ RUN rm -rf \
VOLUME [ "/appsmith-stacks" ]
# ------------------------------------------------------------------------
ENV TMP /tmp/appsmith
# Add backend server - Application Layer
ARG JAR_FILE=./app/server/dist/server-*.jar
ARG PLUGIN_JARS=./app/server/dist/plugins/*.jar

13
deploy/docker/fs/opt/appsmith/entrypoint.sh
View File

@ -4,6 +4,8 @@ set -e
stacks_path=/appsmith-stacks
export MONGODB_TMP_KEY_PATH="$TMP/mongodb-key" # export for use in supervisor process mongodb.conf
# ip is a reserved keyword for tracking events in Mixpanel. Instead of showing the ip as is Mixpanel provides derived properties.
# As we want derived props alongwith the ip address we are sharing the ip address in separate keys
# https://help.mixpanel.com/hc/en-us/articles/360001355266-Event-Properties
@ -206,7 +208,7 @@ init_replica_set() {
)"
echo "Enabling Replica Set"
mongod --dbpath "$MONGO_DB_PATH" --shutdown || true
mongod --fork --port 27017 --dbpath "$MONGO_DB_PATH" --logpath "$MONGO_LOG_PATH" --replSet mr1 --keyFile /mongodb-key --bind_ip localhost
mongod --fork --port 27017 --dbpath "$MONGO_DB_PATH" --logpath "$MONGO_LOG_PATH" --replSet mr1 --keyFile "$MONGODB_TMP_KEY_PATH" --bind_ip localhost
echo "Waiting 10s for MongoDB to start with Replica Set"
sleep 10
mongosh "$APPSMITH_MONGODB_URI" --eval 'rs.initiate()'
@ -229,11 +231,12 @@ init_replica_set() {
}
use-mongodb-key() {
# This is a little weird. We copy the MongoDB key file to `/mongodb-key`, so that we can reliably set its permissions to 600.
# What affects the reliability of this? When the host machine of this Docker container is Windows, file permissions cannot be set on files in volumes.
# We copy the MongoDB key file to `$MONGODB_TMP_KEY_PATH`, so that we can reliably set its permissions to 600.
# Why? When the host machine of this Docker container is Windows, file permissions cannot be set on files in volumes.
# So the key file should be somewhere inside the container, and not in a volume.
cp -v "$1" /mongodb-key
chmod 600 /mongodb-key
mkdir -pv "$(dirname "$MONGODB_TMP_KEY_PATH")"
cp -v "$1" "$MONGODB_TMP_KEY_PATH"
chmod 600 "$MONGODB_TMP_KEY_PATH"
}
# Keep Let's Encrypt directory persistent

2
deploy/docker/fs/opt/appsmith/templates/supervisord/mongodb.conf
View File

@ -1,6 +1,6 @@
[program:mongodb]
directory=/appsmith-stacks/data/mongodb
command=mongod --port 27017 --dbpath . --logpath /appsmith-stacks/logs/%(program_name)s/db.log --replSet mr1 --keyFile /mongodb-key --bind_ip localhost
command=mongod --port 27017 --dbpath . --logpath /appsmith-stacks/logs/%(program_name)s/db.log --replSet mr1 --keyFile %(ENV_MONGODB_TMP_KEY_PATH)s --bind_ip localhost
priority=10
autostart=true
autorestart=true