Add Docker setup

[teohhanhui]

Q	A
Branch?	master
Bug fix?	no
New feature?	yes
BC breaks?	no
Deprecations?	no
Related tickets	Sylius/Sylius#9414
License	MIT

Replaces #232

[pamil]

Why not keep that parameter?

[teohhanhui]

Because it cannot be used in any meaningful way. 😄

[pamil]

Reverted this change for now.

[pamil]

Could we extract this change to another PR?

[teohhanhui]

Sure. But we need it here...

[pamil]

Could we extract this change?

[teohhanhui]

Sure. But we need it here...

[pamil]

No idea how to solve that better, just leaving a comment so it's more visible

[teohhanhui]

I'm sure there are more fancy ways, but this is the simplest way that works. 😆

[pamil]

These two different files for dev and prod would be hard to keep in sync (eg. this version differs).

@jacquesbh mentioned this on Slack on Friday:

yes. And it's just a step away to create a docker-compose.traefik.yml and explain that docker-compose -f docker-compose.yml -f docker-compose.traefik.yml can be use

Can we use an architecture like this for those extra containers (eg. mailhog, nodejs)?

[teohhanhui]

It's not just about additional services...

[pamil]

Opcache in CLI might cause some issues during development

[teohhanhui]

Such as? :D

[pamil]

Once we had an issue when phpspec was running unexisting spec which had been removed before, the issue vanished after we disabled opcache.

[teohhanhui]

To be honest, that sounds like a misconfiguration of OpCache, so we should be fine here.

[nietzscheson]

The Docker configurations for the Sylius project should not be included in the standard version. The reasons that I consider main are:

• There are many out there who do not even use Docker. They do not even use virtual machines.
• The learning curve with Docker is quite complex. So its use should not be mandatory. Not all cloud payment systems allow the use of root to install certain packages on the virtual machine.
• There are other containerization projects such as:
     - Docker Container for Windows (https://github.com/docker/for-win)
     - RKT (https://github.com/rkt/rkt)

If Docker is included in the Standard version, the configurations of the Vagrant configured for Sylius are also included.

In Sylius/Sylius#9414 @stefandoorn adds the following: "can it still be a separate repo? I prefer to have my infra stuff in separate repo, instead of combined with the application itself (SRP). Besides that, not everyone likes or is using Docker, so for these it's not needed to have it in the same repo."

Matter of which I totally agree.

So, all efforts to achieve a good configuration of Docker for Sylius (https://github.com/Sylius/docker) should focus on the repository that already exists and keep it separate.

[teohhanhui]

@nietzscheson We've already had that discussion in Sylius/Sylius#9414 and on Slack. I don't see the need to bring it up again here...

[nietzscheson]

So is. But this is where the code merges and I see that you want to reiterate what precisely was already discussed on the channel. I just want to make clear my position...

[gabiudrescu]

Personally, I have no preference between having the Docker setup in Sylius/Sylius-Standard or as a separate repository.

Though I have a question: how can one re-use this setup when trying to contribute to Sylius/Sylius? through copy-paste of the docker and docker compose files?

Also, certain services are missing:

• Selenium
• Chrome headless
• Redis or Memcache (for production environment, especially on multi-node setup, I find it mandatory)

Shouldn't we include these too?

[teohhanhui]

how can one re-use this setup when trying to contribute to Sylius/Sylius? through copy-paste of the docker and docker compose files?

One way is to mount the host directory into, say, /src/Sylius/Sylius

Also, certain services are missing

Could be added in other PR(s)

[gabiudrescu]

Second thing I want to bring under your attention: running commands under the root user inside containers is going to mess up permissions on the files on the host.

Especially on development mode, I find it better to use another user inside the container that has UID and GID mapped with the one from the host. On the setup I generally use, I have the following in the docker file:

groupadd -g "$APPLICATION_GID" "$APPLICATION_GROUP"
useradd -u "$APPLICATION_UID" --home "/home/$APPLICATION_USER" --create-home --shell /bin/bash --no-user-group "$APPLICATION_GROUP" -g "$APPLICATION_GID"

This way, whenever entering the container, I make sure I use the $APPLICATION_USER and everything is OK.

Also, my understanding is that running commands inside docker containers as root may imply a security risk:

• https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
• http://blog.dscpl.com.au/2015/12/don-run-as-root-inside-of-docker.html
• Run as non-root user inside Docker container minio/minio#5742
• https://www.reddit.com/r/docker/comments/7c51qn/stop_running_application_as_root_user_inside/
• Variable substitution  docker/compose#2380 (comment)
• Support --user option in "docker-compose up" docker/compose#1532 (comment)
• Interpolate environment variables in docker-compose.yml docker/compose#1377
• Add the ability to map containers to a user host-side moby/moby#22415

[gabiudrescu]

@teohhanhui

One way is to mount the host directory into, say, /src/Sylius/Sylius

can you offer me an example on how one can use this docker setup to test a modification it brought to the Sylius/Sylius vendor file?

[teohhanhui]

@gabiudrescu

can you offer me an example on how one can use this docker setup to test a modification it brought to the Sylius/Sylius vendor file?

It's basically on its own, not as a vendor package. Just cd to that directory and do what you need to do.

[teohhanhui]

As for running as root in the container, it's as we've discussed on Slack: there is no good solution that I'm aware of. But we could perhaps add support for running with a different uid/gid in the entrypoint.

[teohhanhui]

Switching user in the Dockerfile cannot work, because the built image has to be portable (and redistributable).

[jacquesbh]

User rights

For the user rights we have this:

Makefile:

export USER_UID=$(shell id -u)
example:
	docker-compose ps

In our Dockerfiles:

# Use www-data user
ARG USER_UID=1000
RUN usermod -u $USER_UID www-data

By default www-data has uid 1000.
On macOS the user id is 501 usually.

In our docker-compose.yml:

services:
  my-container:
    build:
      context: my-container/
      args:
        USER_UID: ${USER_UID}

This way, by using a simple variable, we avoid a lot of problems.

We don't have a makefile yet. Why not adding one? It's a good way to improve the developers flow.

Missing containers

The missing containers are for testing purpose.

This is why I propose to use a docker-compose.testing.yml. We don't need to run all the containers all the time, specially Selenium and headless browsers since they are consuming a lot.

[teohhanhui]

@jacquesbh Anything that involves setting uid/gid in the Dockerfile is not a solution, because it'd result in an image that's not portable / redistributable.

[jacquesbh]

This is portable, working on Windows, Linux and macOS. We use it everyday for many projects. So…

[teohhanhui]

Missing containers

Let's keep this first PR small?

[teohhanhui]

No, I'm talking about the image being portable. It should be able to be used by any user regardless of their uid/gid on the host, without having to rebuild the image.

[teohhanhui]

We should support running with arbitrary uid/gid (via the --user flag of docker run and its equivalent in docker-compose.yml), but otherwise step down from root if necessary:

docker-library/mysql#397 (comment)
docker-library/php#70 (comment)

[teohhanhui]

I hope we could have this PR merged soon, then others could help to make things better.

[pamil]

Thank you, Teoh, let's make it the best Docker ever for 1.3 release 🎉