- Simple and straightforward setup and operation using this guide
- Updates via swapping the Docker image
- Lowest possible operating costs
- Spot instance (Spot VMs may be terminated at any time)
- Default network
- Standard storage
- Time-controlled operation possible
- Operated in the us-central1 region (Iowa, USA)
- Zammad instance on a VM instance with minimal requirements
- Database is on a separate disk
- The separate disk is backed up daily with a snapshot
- Close or secure previously known vulnerabilities
- Docker image running on the VM instance (Container-Optimized OS/COS)
- Image can be exchanged at any time with little downtime
- CentOS Stream 8 operating system
- Supervisor as Service Manager
- Elasticsearch with memory limit of 1GB
- Letsencrypt SSL certificate for https access to Zammad
- will be automatically renewed
- Only TLS 1.2 and TLS 1.3 with current ciphers as recommended by the Mozilla Foundation
- Strong ec-521 encryption
- PostgreSQL database
- on external disk with 10 GB
- incremental daily snapshots
- Nginx reverse proxy
- Zammad Web instance over HTTPS
- HTTP with 301 on HTTPS
- Best elimination of known vulnerabilities in the image
- Trivy finds no vulnerabilities in the Docker image
- CentOS Stream 8
- Elasticsearch v7.17.17
- Nginx v1.14.1
- PostgreSQL v10.23
- Zammad v6.2.0-1705920690.db7738e0.centos8
- Runs every time the system boots
- Initializes the database if not already done
- Migrates the database if necessary (in the case of Docker image replacement or Zammad updates)
- SSL certificate management
- Contains the SSL configuration for Nginx
- Use of secure ciphers by Mozilla Foundation
- Defines content compression
- Defines reverse proxy
- Logging of access and errors
- SSL relevant parameters
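As an added example (not a file from this repository), the following POSIX shell script lints an Nginx configuration against the TLS policy stated above: only TLS 1.2 and TLS 1.3, an explicit Mozilla-recommended cipher list, and plain HTTP answered with a 301 to HTTPS. The two embedded configurations are constructed samples, one deliberately weakened and one matching the policy; the weak-suite name patterns are an assumption of this script, not a list from the project.

```shell
#!/bin/sh
# Added example, not part of the original project: lint an Nginx TLS setup
# against the policy "TLS 1.2/1.3 only, explicit Mozilla ciphers, HTTP -> 301 HTTPS".
# Usage: sh tls_lint.sh /etc/nginx/conf.d/zammad.conf   (no argument: lint the samples)
set -eu

# Constructed sample: weakened settings (old protocols, aggregate group, RC4, no redirect).
WEAK_CONF='server {
    listen 80;
    location / { proxy_pass http://127.0.0.1:3000; }
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:!aNULL;
}'

# Constructed sample: settings matching the policy (Mozilla "intermediate" cipher list).
GOOD_CONF='server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}'

# Print the value of the first occurrence of directive $1 (without the trailing ';').
directive() {
  sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*$/\1/p" | head -n 1
}

# Read a config from stdin, print one line per finding, exit 0 only if none.
check_tls_policy() {
  conf="$(cat)"
  findings=0

  # 1. Protocols: anything other than TLSv1.2 / TLSv1.3 violates the policy.
  protos="$(printf '%s\n' "$conf" | directive ssl_protocols)"
  [ -n "$protos" ] || { echo "ssl_protocols not set (nginx 1.14 default includes TLS 1.0/1.1)"; findings=$((findings + 1)); }
  for p in $protos; do
    case "$p" in
      TLSv1.2|TLSv1.3) ;;
      *) echo "protocol not allowed by policy: $p"; findings=$((findings + 1)) ;;
    esac
  done

  # 2. Ciphers: aggregate groups cannot be audited, known-weak suites are rejected,
  #    exclusions ("!NAME") are skipped. Weak-name patterns are this script's assumption.
  ciphers="$(printf '%s\n' "$conf" | directive ssl_ciphers)"
  [ -n "$ciphers" ] || { echo "ssl_ciphers not set"; findings=$((findings + 1)); }
  old_ifs="$IFS"; IFS=':'
  for c in $ciphers; do
    case "$c" in
      !*) ;;
      HIGH|MEDIUM|LOW|ALL|DEFAULT|COMPLEMENTOFDEFAULT)
        echo "aggregate cipher group instead of explicit list: $c"; findings=$((findings + 1)) ;;
      *RC4*|*DES*|*MD5*|*NULL*|*EXP*|*PSK*|*SRP*)
        echo "weak cipher suite: $c"; findings=$((findings + 1)) ;;
    esac
  done
  IFS="$old_ifs"

  # 3. A plain-HTTP listener must only redirect (301) to HTTPS, never serve content.
  if printf '%s\n' "$conf" | grep -q '^[[:space:]]*listen[[:space:]]\{1,\}80;'; then
    printf '%s\n' "$conf" | grep -q 'return[[:space:]]\{1,\}301[[:space:]]\{1,\}https://' \
      || { echo "listen 80 without 301 redirect to https"; findings=$((findings + 1)); }
  fi

  [ "$findings" -eq 0 ]
}

if [ $# -ge 1 ]; then
  check_tls_policy < "$1"
else
  echo "== weak sample ==";   printf '%s\n' "$WEAK_CONF" | check_tls_policy || true
  echo "== policy sample =="; printf '%s\n' "$GOOD_CONF" | check_tls_policy && echo "ok"
fi
```

The script only inspects the first `ssl_protocols` and `ssl_ciphers` directive it finds, which is enough for the single server block this image ships; for a config with several TLS listeners, run it per included file.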
- Local Docker Installation
- gcloud CLI Installation
Execute the following in the project root directory:
docker build --build-arg BUILD_DATE="$(date --rfc-3339=seconds)" -t viselabs/zammad viselabs/zammad
The selection of the region and zone influences the costs incurred during operation. There is probably still a lot to think about when it comes to data protection.
gcloud config set project coloryzer
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a
The repository is needed as a storage location for the image we built. This is where the VM instance pulls it from later. Updates can also be stored here later.
gcloud artifacts repositories create viselabs --repository-format=docker
gcloud auth configure-docker us-docker.pkg.dev
docker tag viselabs/zammad us-docker.pkg.dev/"$(gcloud config get-value project)"/viselabs/zammad:6.2.0
We then upload the image to the Artifact Registry, tagged as version 6.2.0.
docker push us-docker.pkg.dev/"$(gcloud config get-value project)"/viselabs/zammad:6.2.0
- Image runs as Spot Instance.
- Machine type is `e2-medium` (2 vCPU, 4 GB RAM)
- An additional 10 GB disk is created for the PostgreSQL database
  - Backed up daily according to policy `default-schedule-1`
  - Will be automatically formatted with `ext4` by konlet, if this hasn't happened yet
  - Mounted at `/var/lib/pgsql/data` in the Docker container
- Configuration of SSL certificate properties and parameters
- Network configuration
gcloud compute instances create-with-container zammad-620-1 \
--container-image us-docker.pkg.dev/"$(gcloud config get-value project)"/viselabs/zammad:6.2.0 \
--container-mount-disk=mode=rw,mount-path=/var/lib/pgsql,name=zammad-data-1 \
--create-disk=device-name=zammad-data-1,auto-delete=false,disk-resource-policy=projects/"$(gcloud config get-value project)"/regions/us-central1/resourcePolicies/default-schedule-1,mode=rw,name=zammad-data-1,size=10,type=pd-balanced \
--instance-termination-action=STOP \
--machine-type=e2-medium \
--metadata=DOMAIN=support.coloryzer.com \
--network-tier=STANDARD \
--project="$(gcloud config get-value project)" \
--provisioning-model=SPOT \
--public-ptr \
--public-ptr-domain=support.coloryzer.com \
--shielded-integrity-monitoring \
--shielded-secure-boot \
--shielded-vtpm \
--tags=http-server,https-server
gcloud beta compute ssh zammad-620-1
gcloud compute firewall-rules list
Optionally allow SSH access.
gcloud compute firewall-rules create allow-ssh --network default --allow tcp:22
Allow access via HTTP; Nginx redirects it directly to HTTPS with a 301.
gcloud compute firewall-rules create allow-http --network default --allow tcp:80
Absolutely necessary.
gcloud compute firewall-rules create allow-https --network default --allow tcp:443
Find out the current external IP address.
gcloud compute instances describe zammad-620-1 | grep natIP
Now we promote the ephemeral IP address to a static one.
gcloud compute addresses create default --addresses=34.122.61.193 --region us-central1
TBD
Only security-relevant packages are updated. However, we exclude the zammad and elasticsearch packages from the update.
dnf update --security --refresh --exclude=zammad,elasticsearch
In the Google Cloud Console, edit the instance zammad-620-1 and, under the container settings, enter the new image, e.g. us-docker.pkg.dev/coloryzer/viselabs/zammad:6.2.1.
- Stop instance zammad-620-1
- Detach additional disk zammad-data-1 from instance zammad-620-1
- Create a new instance with the same call as above, adjusting only the instance name
- The existing external disk is reused
- Bind the static IP address to the new instance
- Delete the old instance only when the new one is running correctly
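The steps above, as an added example script that is not part of the original project: it emits (with the default `DRY_RUN=1`) or runs the gcloud commands for the rollover to a new instance. It assumes the reserved static address is named `default` as in the guide, that the old instance's external access config carries gcloud's default name `external-nat`, and that `PROJECT` is set to the project id (the placeholder is not a real project); the new instance is created with the same flags as the original call, except that `--disk` reuses the existing data disk instead of `--create-disk`. Deleting the old instance is left to the operator on purpose.

```shell
#!/bin/sh
# Added example, not part of the original project: rollover to a new instance
# that reuses the PostgreSQL data disk and the static address.
# Usage: DRY_RUN=0 PROJECT=<id> sh rollover.sh OLD_INSTANCE NEW_INSTANCE IMAGE
set -eu

DRY_RUN="${DRY_RUN:-1}"                          # 1 = only print the commands
PROJECT="${PROJECT:-PROJECT_ID_PLACEHOLDER}"     # placeholder, set to the real project id
DISK="${DISK:-zammad-data-1}"                    # data disk from the guide
ADDRESS_NAME="${ADDRESS_NAME:-default}"          # reserved static address from the guide
DOMAIN="${DOMAIN:-support.coloryzer.com}"
ACCESS_CONFIG="${ACCESS_CONFIG:-external-nat}"   # assumption: gcloud's default access-config name

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

rollover() {
  old="$1"; new="$2"; image="$3"

  # 1. Stop the old instance (the data disk stays attached until detached).
  run gcloud compute instances stop "$old"

  # 2. Detach the PostgreSQL data disk so the new instance can mount it.
  run gcloud compute instances detach-disk "$old" --disk "$DISK"

  # 3. Release the static address from the old instance's access config.
  run gcloud compute instances delete-access-config "$old" --access-config-name "$ACCESS_CONFIG"

  # 4. Create the replacement with the guide's settings, reusing the disk and the address.
  run gcloud compute instances create-with-container "$new" \
    --container-image "$image" \
    --container-mount-disk="mode=rw,mount-path=/var/lib/pgsql,name=$DISK" \
    --disk="name=$DISK,device-name=$DISK,mode=rw,auto-delete=no" \
    --address "$ADDRESS_NAME" \
    --instance-termination-action=STOP \
    --machine-type=e2-medium \
    --metadata="DOMAIN=$DOMAIN" \
    --network-tier=STANDARD \
    --project="$PROJECT" \
    --provisioning-model=SPOT \
    --public-ptr --public-ptr-domain="$DOMAIN" \
    --shielded-integrity-monitoring --shielded-secure-boot --shielded-vtpm \
    --tags=http-server,https-server

  # 5. Deleting the old instance is deliberately left to the operator.
  printf '# verify https://%s is served by %s, then: gcloud compute instances delete %s\n' \
    "$DOMAIN" "$new" "$old"
}

if [ $# -ge 3 ]; then
  rollover "$1" "$2" "$3"
fi
```

Run it once in dry-run mode and read the printed commands before setting `DRY_RUN=0`; the old instance keeps its boot disk, so rolling back is a matter of re-attaching the data disk and the address to it.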
This can be skipped if the previous step has been completed. It is only intended to illustrate how a temporary update can be carried out.
dnf update zammad
zammad run rake db:migrate
zammad run rails r Rails.cache.clear
zammad run rails r Locale.sync
zammad run rails r Translation.sync
zammad run rake zammad:searchindex:rebuild[2]
- Boot disk must be 10 GB (default)
- External disk is formatted with `ext4` initially
- It can take up to 10 minutes for Zammad to be accessible via the browser after starting
- setuptools (CVE-2022-40897)
- pip (CVE-2019-20916, CVE-2021-3572, CVE-2023-5752)
It seems that this one is not really needed. If it is still required, add the user-data metadata when creating the instance.
gcloud compute instances add-metadata zammad-620-1 --metadata-from-file=user-data=cloud-init-production.yml