privacyIDEA Docker image - Discussion

[plettich]

Since this comes up more often lately we would like to discuss the outline of a new/improved docker image.
In my understanding there are two orthogonal concepts:

1. A Docker (-compose) image which just runs(tm) for testing the software
2. A minimal image to be included in a productive environment

In my experience if someone is using Docker in a productive environment, they build the images themselves to have better control over security and fixes.

So i would like to concentrate in this repository on the first concept, a docker-compose configuration which just runs:

• a privacyIDEA image with a virtualenv containing the code and a gunicorn application server (could also be the base of a production image)
• a database image (I'd go with mysql/mariadb but should be interchangeable)
• a preliminary setup (generate secrets/keys, configuration, etc.)

Please share Your thoughts so we can get this thing on the road.

[eritikass]

i write my option as infra structure engineer who dockerized privacyidea and running it in production with k8s/docker.

In my experience if someone is using Docker in a productive environment, they build the images themselves to have better control over security and fixes.

Not exactly, if projects provide official images, those are usually used. Setup things up quite often is complex and if you do yourself there is 100 ways you can go wrong. Plus using official images when/if possible is big time win also, it can take days to create/setup some more complex app into docker.

So i would like to concentrate in this repository on the first concept, a docker-compose configuration which just runs:

a privacyIDEA image with a virtualenv containing the code and a gunicorn application server (could also be the base of a production image)

it is not actually relevant how app is running inside docker image (so use whatever you as developer of the app feel is the bext), as long as everything works.

a database image (I'd go with mysql/mariadb but should be interchangeable)
a preliminary setup (generate secrets/keys, configuration, etc.)

For setup i would go with 2 things:

• docker compose setup for dev and some more simpel (prod) setup
• helm chart for k8s. Now-days in production docker images are mostly used with k8s, helm chart would be fastest way to get running + this can be used as reference to make your own setup when needed something more fancy. ( i can help with this one if needed )

[pradtke]

For the testing the software use case, is that geared to people to who want to run it and click around, or is it for developers that want something to run integration tests against? Would it also be preconfigured with some data/users/tokens? For me, the integration tests use case is something I was thinking of recently. Currently the SimpleSAMLPhp module has no tests, and needs updating to reflect changes in SSP (the move to namespaces, twig for templating, etc), to improve some error handling and to fix some assumption mismatches between the module and privacyidea. I was thinking that creating some integration tests between the SSP module and a privacyidea docker container would be a good place to start for improving test coverage in that module prior to broader code changes.

For the production image, we have some environmental reasons for building our own image, however it would be nice to align any common components with what you are doing.