Update program versions and remodel Dockerfile#54
Update program versions and remodel Dockerfile#54thomasjpfan merged 7 commits intodocker-flow:masterfrom aisbergg:master
Conversation
Notable Changes: * Update HAProxy and Golang version * Use Alpine version of Golang to prevent problems with linking * Reduce number of Docker image layers and also overall size * Replace deprecated 'MAINTAINER' command with label scheme from opencontainers.org * Use more secure TLS ciphers as default
|
Thank you for the PR! It looks like changing docker-flow-proxy/logging/logging_test.go Line 44 in 7d0b38b |
thomasjpfan
left a comment
thomasjpfan
left a comment
There was a problem hiding this comment.
The label spec is nice to have. Overall a good PR!
| @@ -1,16 +1,24 @@ | |||
| FROM golang:1.9.6 AS build | |||
| FROM golang:1.10-alpine AS build | |||
There was a problem hiding this comment.
For the build to be reproducible, please include the patch number: 1.10.3-alpine3.8.
|
|
||
| FROM haproxy:1.8.8-alpine | ||
| MAINTAINER Viktor Farcic <viktor@farcic.com> | ||
| FROM haproxy:1.8-alpine |
There was a problem hiding this comment.
For reproducibility, please include the patch number: 1.8.13-alpine.
| MAINTAINER Viktor Farcic <viktor@farcic.com> | ||
| FROM haproxy:1.8-alpine | ||
| LABEL org.opencontainers.image.title="Docker Flow Proxy" \ | ||
| org.opencontainers.image.version="18.08.26" \ |
There was a problem hiding this comment.
The jenkins CI server generates the version depending on the date. Hard coding the version into the Dockerfile would most likely lead the mismatching of the tag and this version label.
|
#54 (comment) to fix the CI issue. |
|
I hope this will do |
| RUN go get -d -v -t | ||
| RUN go test --cover ./... --run UnitTest | ||
| RUN go build -v -o docker-flow-proxy | ||
| RUN set -x \ |
There was a problem hiding this comment.
Because the commands are chained together into one large command it is somtimes hard to figure which of those provoked an error occurred in the build process. The set -x turns the tracing functionality on so before execution of each individual command the command will be printed as text. This is also common practise in a lot of official Dockerfiles, for example: MariaDB or Nextcloud
|
@aisbergg Can you do a empty commit to trigger the CI by running the following and pushing? It is strange how the CI did not run on the latest commit. |
|
Well, 10s should be fairly enough for syslog to start. Is this maybe not a timing problem? |
|
I ran into this issue when trying to use golang 1.10.* before. The logging code is found here: https://github.com/docker-flow/docker-flow-proxy/blob/master/logging/logging.go It has a dependency on https://github.com/ziutek/syslog. We would need to do some debugging to figure out what is causing the issue. |
|
Using the latest 1.11.0 version works |
|
@vfarcic Are you okay with using the |
|
That sounds great. As a matter of fact, I have it on my TODO list but I never managed to get time. |
|
@aisbergg The docs needs to be updated to reflect the change in SSL bind ciphers/options: https://github.com/docker-flow/docker-flow-proxy/blob/master/docs/config.md |
|
The other TLS related options for example in https://github.com/docker-flow/docker-flow-proxy/blob/master/proxy/ha_proxy.go#L331-L332 could also be changed. But then you have to make sure the ARM version also uses an up to date version of HAProxy and OpenSSL. I can take on the ARM Dockerfile and remodel this one as well if you like. |
|
I will be expecting some backwards compatibility issues with changing the default SSL bind/ciphers. There are some that need to support Win XP browers/clients. We would need to direct them to set the SSL options themselves. @vfarcic Do you have any thoughts on this matter? @aisbergg The ARM version can be done with another PR. |
|
For configurations for backward compatibility a reference link to this Mozilla wiki page might helpful to the end user. There are three profiles listed for different compatibility levels: ‘Modern’, ‘Intermediate’ and ‘Old’. An example Docker-Compose file for the Intermediate one would be: proxy:
image: dockerflow/docker-flow-proxy
...
environment:
- SSL_BIND_OPTIONS=ssl-min-ver TLSv1.0 no-tls-tickets
- SSL_BIND_CIPHERS=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
...But as for the Old standard I would highly suggest not to enable SSLv3. |
|
@aisbergg I'll merge this PR with the change in defaults. Thank you for the PR! |
4 participants
Notable Changes: