New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker example update #85
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know much about docker-specific issues, but I've added some comments regarding minor generic packaging, dependency, and scripting issues.
mkdir -p /timely/bin | ||
yum -y install java-1.8.0-openjdk-devel maven openssl apr wget && \ | ||
mkdir -p /timely/bin && \ | ||
wget -O /usr/lib/jvm/jre/lib/ext/bcprov-jdk15on-155.jar https://www.bouncycastle.org/download/bcprov-jdk15on-155.jar && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not just add EPEL repo and do yum install bouncycastle
?
Also, the standard location for jars is in /usr/share/java
, with symlinks pointing to this location if necessary. That way, the /usr/bin/build-classpath
tool works properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added EPEL, installed via yum, and created symlink.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there's a base image out there with this already in it, I'd prefer to use that
yum -y install java-1.8.0-openjdk-devel maven openssl apr wget && \ | ||
mkdir -p /timely/bin && \ | ||
wget -O /usr/lib/jvm/jre/lib/ext/bcprov-jdk15on-155.jar https://www.bouncycastle.org/download/bcprov-jdk15on-155.jar && \ | ||
echo "security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider" >> /usr/lib/jvm/jre/lib/security/java.security |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additional, user-configured providers should go in /etc/java/security/security.d
. /usr
doesn't typically hold user-edited configs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/etc/java/security/security.d/2000-org.bouncycastle.jce.provider.BouncyCastleProvider is created as part of the bouncy castle install, but timely still throws unless I add the provider to java.security. I only did it this way originally because it is how the bouncy castle wiki says to add statically. I'm noob at these bits so just following instructions I find.
|
||
ENV JAVA_HOME /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.el7_2.x86_64 | ||
ENV JAVA_HOME /usr/lib/jvm/java |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If Java 8 is specifically desired, it'd be better to use: /usr/lib/jvm/java-1.8.0-openjdk
I'm also partial to using $(dirname $(dirname $(readlink -e $(which java))))
(or javac
, if JDK is required for JAVA_HOME)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed JAVA_HOME to /usr/lib/jvm/java-1.8.0-openjdk. I might not be Dockerfile savvy enough, but subshell in the ENV statement seemed to be problematic.
@@ -1,6 +1,11 @@ | |||
#!/bin/sh | |||
|
|||
WORKING="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | |||
|
|||
. ${WORKING}/deploy-env.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
paths should be quoted when used, in case they have spaces
I recommend passing script through shellcheck (shellcheck.net or CLI version)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran through shellcheck. Quoted dirs.
/timely/bin/timely-standalone.sh | ||
${SRC_DIR}/bin/docker/genCerts.sh | ||
${SRC_DIR}/bin/docker/deploy-timely-build.sh | ||
${TIMELY_DIR}/bin/timely-standalone.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More unquoted path variables. Lots more in other scripts, but I've stopped noting them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran through shellcheck. Quoted dirs.
|
||
#Create a private key | ||
|
||
openssl genrsa -des3 -out CA.key -passout ${PASSWORD} 4096 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
password variable should be quoted (suggest passing whole script through shellcheck)
Also, it's generally safer to use the env: prefix for passwords, and put the password in the environment. That way, it's not visible to other users who can list processes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It appears that this is copied from our documentation. We should update that too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran through shellcheck. Quoted dirs. Switched to env:PASSWORD
|
||
#Create a private key | ||
|
||
openssl genrsa -des3 -out CA.key -passout ${PASSWORD} 4096 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not use -aes256
instead of -des3
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
…uotes, env: prefix for pass.
In general, this was more of a way for me to develop the Grafana plugin against and I modify it to handle whatever I'm working on. You can already create your own certs and mount them in the image, which is what I do when I want to run with certs. #58 is there to generate an official docker image capable of handling production use. Perhaps I should just move this out into a repo of my own and we can point the docs to an official Docker image. |
The main goal of this PR was to have a working thing with fewer steps than were currently required. When I first tried (and failed) to get timely running I was happy to see the Dockerfile and docker-compose.yml containing all of the bits necessary to get started. I saw that it was already configured to use whatever was compiled, thought that was pretty useful, and thought it would be neat if docker-compose up was all that was necessary after compilation. I saw #58 and having the official image would be awesome. I also thought that having these bits might still be handy for development. |
+1 I was able to get the example running much more easily using this, thanks @trucemop |
# star the dashboard | ||
curl -k -X POST https://admin:admin@grafana:3000/api/user/stars/dashboard/1 | ||
|
||
"${TIMELY_DIR}/bin/insert-test-data.sh" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The timely grafana app has a standalone dashboard in it now. Is this post importing that one or uploading a separate one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The curls I added:
-Enable the app
-Configure the datasource
-Import the existing dashboard
-Star the dashboard (just to highlight it a bit more)
The docker-compose wasn't modified much. It still adds local grafana/timely-app as a volume mounted to the grafana container's /var/lib/grafana/plugins/timely-app
@@ -173,7 +173,7 @@ | |||
"downsampleAggregator": "max", | |||
"downsampleFillPolicy": "none", | |||
"downsampleInterval": "1s", | |||
"metric": "sys.cpu0.user", | |||
"metric": "sys.cpu.user", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has all been fixed and added as a standard dashboard to the timely app. see grafana/timely-app/src/datasource/dashboards/standalone_test.json
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After I got the docker bits working I noticed that sys.cpu0.user wasn't being inserted by timely.util.InsertTestData so I just changed all of the standalone_test.json sys.cpu0.user to sys.cpu.user where I found it under the assumption they were both intended to be used together.
I didn't change the volume use in the docker-compose so it still uses grafana/timely-app/src/datasource/dashboards/standalone_test.json.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just saw that I haven't pushed this fix from my local box yet (you're welcome) Anyways, this file should be deleted and these changes should be made to grafana/timely-app/src/datasource/dashboards/standalone_test.json The curl POST you added imports that file, not this one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the file. I already made the changes to grafana/timely-app/src/datasource/dashboards/standalone_test.json
I pulled this branch and ran into a few issues. The timely app is enabled but the menu doesn't appear under the grafana menu/sidebar. This prevents people from logging in to the datasource and viewing the available metrics. Also, queries produced this error: |
Cannot support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the exception I was getting before I included the bouncycastle jar and added it as a security provider. Are there existing images on your box getting run or timely builds that are getting used by the volume config/standalone deploy scripts? I tested the bits for this by checking out to a new location and cleaning all of my existing docker containers/images on fedora and then later a fresh checkout->build->"docker-compose build" on a macos box that had never built timely and needed docker installed. I definitely ran into some weirdness depending on the state of the images and timely build. I will check stuff out again tonight. |
Ok, I'll wipe my images and give it another go. On Tue, Oct 4, 2016 at 6:08 PM, John Highcock notifications@github.com
|
Just got a chance to validate again. Using the below steps I was able to login to grafana, select data sources, select timely, and click browser cert check. The timely dashboard was populated with data at that point. I realize the docker cleaning is a bit heavy handed, but wanted to make sure I wasn't using any existing image contents. git clone https://github.com/trucemop/timely.git |
Its still not working for me. Timely isn't showing up in the Grafana menu still and https://localhost:54322/api/metrics returns "ResponseCode: 404 Message: Returning HTTP Strict Transport Security response" |
Found two issues. Needed to do this: export PASSWORD=blargh Also, "pinned":true to the enable app curl makes Timely appear in the menu
However, I have to go into the datasource and click test&save to get the datasources visible in the timely app pages (Login/Metrics) My guess is there's a parameter missing from the create datasource post. I'll look into it more later. |
I merged this, then added my fix and have been working with it for the accumulo summit talk, so it seems to be going fine. |
The docker example wasn't working for me in master so I made some tweaks to get it running and added some of the setup steps (cert creations, grafana datasource/dashboard configs, etc) to the scripts to decrease manual config time.
Steps should now be:
mvn package
cd ./server;docker-compose up
login to grafana and click browser-cert check in the timely datasource.