edgexfoundry / edgex-compose Goto Github PK

Kuiper 1.1.2 has been release which supports running as non-root.

Compose files need to be update to use this version which runs Kuiper under the kuiper user.

Once device services are using the latest go-mod-bootstrap of useSecretProvider, the compose builder need to enhance and integrate device related services to use Consul tokens

It seems to lost command on taf-compose file.

level=INFO ts=2021-04-16T07:04:40.509233472Z app=edgex-security-bootstrapper source=command.go:119 msg="Security bootstrapper running waitFor"
level=INFO ts=2021-04-16T07:04:40.509291991Z app=edgex-security-bootstrapper source=command.go:144 msg="Waiting for: [tcp://edgex-security-bootstrapper:54329] with timeout: [1m0s]"
level=INFO ts=2021-04-16T07:04:40.51292993Z app=edgex-security-bootstrapper source=command.go:214 msg="Connected to tcp://edgex-security-bootstrapper:54329"
Fri Apr 16 07:04:40 UTC 2021 Starting --registry --confdir=/custom-config ...
/edgex-init/ready_to_run_wait_install.sh: exec: line 41: illegal option --

Based on the app-service-configurable PR #203, needs to modify environment variable from MESSAGEBUS_SUBSCRIBEHOST_HOST
to TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST.

Proxy Setup route configuration now uses the services' service keys as the configuration map key.

The env overrides must be updated to use the new names.

once feature flag in edgex-go got removed, it also needs to be cleaned up from compose file.

I found there are quite many environment vairable such as CLIENTS_EDGEX-CORE-COMMAND_HOST,
CLIENTS_EDGEX-CORE-DATA_HOST, which contain the hypen(-) symbol.

As we know, hyphen(-) symbol is invalid for an environment variable name, especially for bash shell.

Why using such strange naming convention? It would be unfriendly when we are trying the edgex service on native Linux running system.

See relegated issue edgexfoundry/edgex-go#2537

Currently the TAF secure compose file has both the secure and non-secure App Service export services (http & mqtt)

With the new Secure Consul access tokens the app service have to be run as "Secure" so it doesn't make sense to have both versions. Secure compose should have just one app-service-export-http and just one app-service-export-mqtt

device-virtual should be included as a read-only container similar to the containers added from edgexfoundry/edgex-go#1921

Device Coap, Device GPIO, Device LLRP and App LLRP Inventory are all new device and app services that need option to add them to a custom compose file.

Add the Hanoi branch and copy over appropriate contents from hanoi branch on developer-scripts repo

Redis will be the default MessageBus for Ireland.

sys-mgmt-agent is currently running as non-root user:
https://github.com/edgexfoundry/developer-scripts/blob/381dcb903ca9af6a562466d18c9bb6460235bb6f/releases/nightly-build/compose-files/docker-compose-nexus-no-secty.yml#L363

but some of its APIs require underlying docker call, if running as non-root user there will be error. For example:

$ curl http://localhost:48090/api/v1/metrics/edgex-core-data
[
    {
        "Success": false,
        "errorMessage": "exit status 1",
        "executor": "docker",
        "operation": "metrics",
        "service": "edgex-core-metadata"
    }
]

detailed logs if you try to call operation API:

[
    {
        "Success": false,
        "errorMessage": "Error stopping service: exit status 1 (Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/edgex-core-data/stop: dial unix /var/run/docker.sock: connect: permission denied )",
        "executor": "docker",
        "operation": "stop",
        "service": "edgex-core-data"
    }
]

Do we need to remove the specified user here or there will be API change in the future which requires no root privilege?

thanks

The file should contained the follow:

• DATABASE_HOST=edgex-redis
• TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST=edgex-core-data

The latter should be removed from other asc env files.

After changes made from PR edgexfoundry/edgex-go#3391 merged into master, we need to update the docker compose files in order to make adding consul token header to Kong work.

Depends on issue edgexfoundry/edgex-go#3368

DBS is logging the following findings against the EdgeX stack.

[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: edgex-kuiper
[WARN]      * Running as root: edgex-core-consul
[WARN]      * Running as root: kong-db
[WARN]      * Running as root: edgex-secretstore-setup
[WARN]      * Running as root: edgex-vault
[WARN]      * Running as root: edgex-security-bootstrapper

What is actually happening here is that DBS is running a "docker inspect" on the running containers and looking at the config.user field to see if it is empty. If this field is empty, it means the container starts running as root. Not that this check does not ascertain whether or not any PROCESSES in the container are running as root or not. Just whether nor not THE USER IS EXPLICITY SPECIFIED either via the USER directive in the Dockerfile, or the "user" config in docker-compose, or via docker run command line.

Thus, for all containers that must start their execution as root, we should specify

user: 0:0

in the docker-compose and be explicit about it.

This will remove the above warnings.

Naturally, we want to go the extra mile and minimize the number of root PROCESSES in the container as well, especially eliminating any root processes that are listening on a network socket.

Per TSC 5/19/2021 decision the new ports assignments for Ireland will be:

North side services (app, rules, analytics, etc.): 597xx
Core and supporting services: 598xx (59880 for core data and 59881 for metadata for example)
South side services (device services): 599xx

Port assignments are as follows:

core-data: 59880
core-metadata: 59881
core-command: 59882
support-notifications: 59860
support-scheduler: 59861
sys-mgmt-agent: 58890

app-sample: 59700
app-rules-engine: 59701
app-push-to-core: 59702
app-mqtt-export: 59703
app-http-export: 59704
app-functional-tests: 59705

Kuiper: 59720

device-virtual: 59900
device-modbus: 59901
device-rest: 59986
device-camera: 59985
device-mqtt: 59982
device-random: 59988
device-snmp: 59993

device-grove: 59992
device-bacnet: 59980
device-coap: 59988

`common.env' can be removed from Setup Proxy and the following added:

•   ROUTES_COREDATA_HOST: edgex-core-data
  

•   ROUTES_NOTIFICATIONS_HOST: edgex-support-notifications
  

•   ROUTES_METADATA_HOST: edgex-core-metadata
  

•   ROUTES_SCHEDULER_HOST: edgex-support-scheduler
  

•   ROUTES_RULESENGINE_HOST: edgex-kuiper
  

•   ROUTES_VIRTUALDEVICE_HOST: edgex-device-virtual
  

The following old override can be removed from common.env:

• CLIENTS_RULESENGINE_HOST=edgex-kuiper
• CLIENTS_VIRTUALDEVICE_HOST=edgex-device-virtual

Since we modify the config.Clients to use service key, the docker-compose file needs to update the env to meet the changes.
see edgexfoundry/edgex-go#3196

Connect to device-modbus through Kong got the error no Route matched with those values.

I just run edgex with docker-compose-no-secty.yml.

edgex-app-service-configurable-rules | level=ERROR ts=2021-05-10T07:49:09.095635923Z app=app-rules-engine source=config.go:172 msg="configuration provider is not available"
edgex-sys-mgmt-agent | level=ERROR ts=2021-05-10T07:49:09.101871994Z app=edgex-sys-mgmt-agent source=config.go:172 msg="configuration provider is not available"
edgex-support-notifications | level=ERROR ts=2021-05-10T07:49:09.980450792Z app=edgex-support-notifications source=config.go:172 msg="configuration provider is not available"
edgex-core-command | level=ERROR ts=2021-05-10T07:49:09.989219863Z app=edgex-core-command source=config.go:172 msg="configuration provider is not available"
edgex-support-scheduler | level=ERROR ts=2021-05-10T07:49:09.989764062Z app=edgex-support-scheduler source=config.go:172 msg="configuration provider is not available"
edgex-core-data | level=ERROR ts=2021-05-10T07:49:09.990050668Z app=edgex-core-data source=config.go:172 msg="configuration provider is not available"
edgex-core-metadata | level=ERROR ts=2021-05-10T07:49:09.992159592Z app=edgex-core-metadata source=config.go:172 msg="configuration provider is not available"
edgex-device-rest | level=ERROR ts=2021-05-10T07:49:10.083562861Z app=edgex-device-rest source=config.go:172 msg="configuration provider is not available"
edgex-device-virtual | level=ERROR ts=2021-05-10T07:49:10.088153312Z app=device-virtual source=config.go:172 msg="configuration provider is not available"

Currently releases folder contains the compose files for each EdgeX release. With the introduction of the Compose Builderwith source compose files inHanoiareleasebranch is required so user change use the appropriate releaseCompose Builder` to generate custom compose files. This create issue with having the release compose files in the folders and in each branch.

The repos needs to be restructure so that each release's compose files are on that release's branch and no other release's compose files are on that branch. The result will be new branches for all the past release prior to Hanoi, which already has a branch. The master branch will only contain the current work-in-progress files and generated pre-release compose files.

Now Consul service container becomes the protagonist to generate the Consul tokens into the secrets folder and thus we need to make that folder to be writable.

got this error when i make run:

/bin/sh: 1: cannot create ../releases/hanoi/taf/docker-compose-taf.yml: Directory nonexistent

docker-compose-ui.yml no longer exists, so command fails.

The test with app-service-mqtt-export fails, because app-service-mqtt-export service can't connect to mqtt-broker .

It seems the default authentication setting of Mosquitto v2.0 different from v1.x. Base on the document https://mosquitto.org/documentation/migrating-to-2-0/.
The issue can be fixed by using mosquitto-no-auth.conf as default configuration.

Needs to add the following line on mqtt-broker service in TAF-related compose file.
command: ["/usr/sbin/mosquitto", "-c", "/mosquitto-no-auth.conf"]

Per Neil Cresswell (CEO of Portainer.io) the Portainer 1.24.x (image Portainer/Portainer) was actually deprecated mid 2020 and has been replaced it with Portainer CE 2.0 (portainer/portainer-ce).

The docker-compose-portainer.yml need to be update to use the newer portainer-ce image

Recent update of overrides to account for changes in Trigger configuration are not complete.

add-mqtt-messagebus.yml has a typo and two overrides still need changing.
docker-compose-base.yml has one missed for PublishTopic.

Currently users have to run the UI separately with make run ui and stop the UI with make ui-down

To allow the UI to be included in a custom compose file the following changes are needed:

• Add make run-ui to run the UI separately as make run ui does now.
• Change the ui option to add the UI to the generated compose file. Similar to how the most other options like ds-virtual work.
• Building of the committed UI composes files has to be updated to use different option to indicate stand-alone UI compose file.

The TAF smoke test need to be enabled for PRs on this repo. Copy Jenkinsfile from developer-scripts

Service keys core/support/security services no longer have the edgex- prefix

We need to have both services system management and app-service-rule-engine use the security-bootstrapper's waiting mechanism so that consul token is ready for them before service is starting up.

Repo is missing README and LICENSE files.

The function configuration for app service configurable has be consolidated. Any env overrides that change function configuration may need to be changed.

Now that the releases have been moved to their own branches, there is no longer a need to have the release in the compose file name.

Note that the TAF scripts that pull the compose files will need to be update for the change if file name.

Add the previous release compose files under the releases folder.

The dev ASC docker image version has recently changed from "master" to "0.0.0" to be consistent with all other dev images.

The make file needs to be updated to set the ASC image version when the app-dev option is used.

Some environment overrides and volumes need to be changed for setting up Consul's ACL to be working

VAULT_VERSION=1.5.3 --> 1.7.1
CONSUL_VERSION=1.9.1 --> 1.9.5
REDIS_VERSION=6.0.9-alpine --> 6.2.3-alpine
KONG_VERSION=2.3-alpine --> 2.4.0-alpine
MOSQUITTO_VERSION=1.6.3 --> 2.0.10

I use make run to run the image in the docker-compose.yml, and I don't how to see the data in the edgex-redis.
I have tried the "root:root" to log in but it didn't work.
Here is the message:
root@ubuntu:/edgex-compose# redis-cli
127.0.0.1:6379> auth "root" "root"
(error) WRONGPASS invalid username-password pair or user is disabled.
Or maybe is there any other way to see the data in database?
Thanks in advance.

Move the the compose builder over from developer-scripts and refactor as follows:

• Rename the nexus/nightly-build release to pre-release
• Drop the compose-files sub-folder
• Fix get-token in releases/pre-release/Makefile to call new script.

The Redis as the default MessageBus the following update and additions are needed.
Add common MessageQue.Host override so Device service also have the override
Update overrides for add-mqtt-messagebus appropriately
Add zmq-bus option, to swith to using ZMQ as the MessageBus

In the service proxy-setup, the environment section, there are two out-of-date envs:

 environment:
      KONGURL_SERVER: kong
      SECRETSERVICE_SERVER: edgex-vault
      SECRETSERVICE_TOKENPATH: /tmp/edgex/secrets/edgex-security-proxy-setup/secrets-token.json

Change SECRETSERVICE_SERVER to SECRETSTORE_HOST and
SECRETSERVICE_TOKENPATH to SECRETSTORE_TOKENPATH

All the edgex docker image names have been changed to drop the docker- prefix and -go or -c postfix

Services scalability-test-mqtt-export and app-service-mqtt-export both used port 59703 in TAF compose files.

security service proxy-setup is running with environment variable EDGEX_SECURITY_SECRET_STORE: "false", in which it should be running with "true".

  proxy-setup:
    environment:
  .......
      EDGEX_SECURITY_SECRET_STORE: "false"
      KONGURL_SERVER: kong
      PROXY_SETUP_HOST: edgex-proxy-setup
  ........

I'm unable to start the services correctly, steps to reproduce:

• Using Raspberry Pi 3 B with Ubuntu 20.10 x64
• Docker version 19.03.13 build 4484c46
• Docker-compose version: 1.25.0
• I cloned this repo
• ran: git checkout -b hanoi
• updated .env file parameters:

    - RELEASE: hanoi
    - RELEASE_FOLDER: ../hanoi

-ran make gen no-secty arm64
-ran make build no-secty arm64

• navigated to $REPO/hanoi
• ran docker-compose -f docker-compose-no-secty-arm64.yaml --verbose up

the tail of the logs look something like:

Attaching to edgex-redis, edgex-core-consul, edgex-support-notifications, edgex-support-scheduler, edgex-core-metadata, edgex-core-command, edgex-core-data, edgex-sys-mgmt-agent, edgex-app-service-configurable-rules, edgex-device-virtual, edgex-device-rest, edgex-kuiper
�[33medgex-core-command   |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[36medgex-app-service-configurable-rules |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[32medgex-core-consul    |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[35medgex-core-data      |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[34medgex-core-metadata  |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[36;1medgex-device-rest    |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[33;1medgex-device-virtual |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[33medgex-core-command exited with code 1
�[0m�[32;1medgex-kuiper         |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[35;1medgex-redis          |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[34;1medgex-support-notifications |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[36medgex-app-service-configurable-rules exited with code 1
�[0m�[36medgex-support-scheduler |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[33medgex-sys-mgmt-agent |�[0m standard_init_linux.go:211: exec user process caused "operation not permitted"
�[32medgex-core-consul exited with code 1
�[0m�[35medgex-core-data exited with code 1
�[0m�[34medgex-core-metadata exited with code 1
�[0m�[36;1medgex-device-rest exited with code 1
�[0m�[36medgex-support-scheduler exited with code 1
�[0m�[35;1medgex-redis exited with code 1
�[0m�[33;1medgex-device-virtual exited with code 1
�[0m�[33medgex-sys-mgmt-agent exited with code 1
�[0m�[34;1medgex-support-notifications exited with code 1
�[0m�[32;1medgex-kuiper exited with code 1
�[0m

Am i doing something wrong?

thanks

Dependent on this PR merged and changes propagated to all Go services
edgexfoundry/go-mod-bootstrap#216

The value of EDGEX__DEFAULT__SERVICESERVER should be http://edgex-core-metadata:48081.