docker-mautic's Issues

local.php ConfigMap mount & ReadOnlyAPIVolumes feature-gate

Whilst reviewing your excellent looking work on instancing Mautic within a Kubernetes container, I was looking in detail at your container mount paths, especially as you had posted on the Issue #2 "Documentation on how this should be used with volumes" thread for mautic/docker-mautic.

The volume mount specified in mautic.yml at line 55:

      pod:
        containers:
        - name: mautic
          image: registry.rebelsoft.com/mautic:latest
          volumeMounts:
          - name: configmap
            mountPath: /var/www/html/app/local/config/local.php
            subPath: local.php
            readOnly: false

has this readOnly: false attribute applied, which, under the Kubernetes hood, has been patched in a security fix. This apparently:

  • Makes all configMap volumes read-only (ro) at the moment of mount;
  • Silently fails to reject the readOnly: false configuration;
  • Leaves kubectl describe pod listing the volume as read-write (rw);
  • Can be controlled by a feature-gate in Kubernetes called ReadOnlyAPIVolumes.

The most troublesome inconsistency regarding these volumes is that:

Previously, applications were allowed to make changes to these volumes, but those changes were reverted at an arbitrary interval by the system.

In reference to @mbabker's comment, he says:

Those variables, if set, are prefilled into a stub local.php configuration file so that when you run Mautic's installer on a new deployment then the database credentials are pre-filled (you'd just need to re-enter the password). There is also logic in place so that a new deployment doesn't overwrite the local.php file if it already exists which lets the configuration persist if you've attached everything to an external volume.

@wittwerch also comments regarding local.php:

The configuration file is updated every time you change settings in the web UI. That means that you write state into your container, unless you somehow mount it using a volume.

I raise this issue for discussion: why readOnly: false? Is Mautic quite picky about writing to this file? Mautic and PHP are not my strongest suit, so I ask: in your experience, is write access truly necessary?

Looking forward to the discussion.
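
The mismatch raised in the issue above can be caught before deployment. As an added example (not part of the original issue or the docker-mautic project), this Python check flags mounts of API-backed volumes that are not declared readOnly: true. The volumes list, the ConfigMap name and the logs volume in the sample are constructed, and covering secret, downwardAPI and projected volumes goes beyond the configMap case the issue describes.

```python
import json

# API-backed volume sources. The issue discusses configMap; secret, downwardAPI
# and projected are an added generalization, not something the page states.
API_VOLUME_SOURCES = ("configMap", "secret", "downwardAPI", "projected")

# Constructed sample in the shape of `kubectl get pod -o json` -> .spec.
# The first mount mirrors the mautic.yml fragment; the volumes list, the
# ConfigMap name "mautic-config" and the "logs" emptyDir are hypothetical.
SAMPLE_POD_SPEC = json.loads("""
{
  "volumes": [
    {"name": "configmap", "configMap": {"name": "mautic-config"}},
    {"name": "logs", "emptyDir": {}}
  ],
  "containers": [{
    "name": "mautic",
    "volumeMounts": [
      {"name": "configmap",
       "mountPath": "/var/www/html/app/local/config/local.php",
       "subPath": "local.php", "readOnly": false},
      {"name": "logs", "mountPath": "/var/log/mautic"}
    ]
  }]
}
""")


def audit_api_volume_mounts(pod_spec):
    """List mounts of API-backed volumes that are not declared readOnly: true."""
    kinds = {}
    for vol in pod_spec.get("volumes") or []:
        for kind in API_VOLUME_SOURCES:
            if kind in vol:
                kinds[vol["name"]] = kind
    findings = []
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for ctr in containers:
        for mount in ctr.get("volumeMounts") or []:
            kind = kinds.get(mount["name"])
            # Writable emptyDir/PVC mounts are legitimate; only API volumes are flagged.
            if kind and mount.get("readOnly") is not True:
                findings.append({"container": ctr["name"], "volume": mount["name"],
                                 "kind": kind, "mountPath": mount["mountPath"]})
    return findings


if __name__ == "__main__":
    for f in audit_api_volume_mounts(SAMPLE_POD_SPEC):
        print("{container}: {kind} volume '{volume}' at {mountPath} "
              "is not declared readOnly: true".format(**f))
```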

permission errors

 cat /var/log/nginx/error.log 
2019/03/12 23:32:19 [error] 611#611: *1 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught UnexpectedValueException: The stream or file "/var/log/mautic/mautic_prod-2019-03-12.php" could not be opened: failed to open stream: Permission denied in /var/www/html/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php:107
Stack trace:
#0 /var/www/html/vendor/monolog/monolog/src/Monolog/Handler/RotatingFileHandler.php(107): Monolog\Handler\StreamHandler->write(Array)
#1 /var/www/html/vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php(37): Monolog\Handler\RotatingFileHandler->write(Array)
#2 /var/www/html/vendor/monolog/monolog/src/Monolog/Logger.php(337): Monolog\Handler\AbstractProcessingHandler->handle(Array)
#3 /var/www/html/vendor/monolog/monolog/src/Monolog/Logger.php(644): Monolog\Logger->addRecord(500, 'Uncaught PHP Ex...', Array)
#4 /var/www/html/vendor/symfony/http-kernel/EventListener/ExceptionListener.php(102): Monolog\Logger->critical('Uncaught PHP Ex...', Array)
#5 /var/www/html/app/bundles/CoreBundle/EventListener/Excep...
PHP message: PHP Fatal error:  Uncaught UnexpectedValueException: The stream or file "/var/log/mautic/mautic_prod-2019-03-12.php" could not be opened: failed to open stream: Permission denied in /var/www/html/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php:107
Stack trace:
#0 /var/www/html/vendor/monolog/monolog/src/Monolog/Handler/RotatingFileHandler.php(107): Monolog\Handler\StreamHandler->write(Array)
#1 /var/www/html/vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php(37): Monolog\Handler\RotatingFileHandler->write(Array)
#2 /var/www/html/vendor/monolog/monolog/src/Monolog/Logger.php(337): Monolog\Handler\AbstractProcessingHandler->handle(Array)
#3 /var/www/html/vendor/monolog/monolog/src/Monolog/Logger.php(518): Monolog\Logger->addRecord(400, 'PHP Error: Unca...', Array)
#4 /var/www/html/app/bundles/CoreBundle/ErrorHandler/ErrorHandler.php(432): Monolog\Logger->log(400, 'PHP Error: Unca...', Array)

Running the mautic-console in https://github.com/mingfang/docker-mautic/blob/master/sv/nginx/run#L17-L19 as www-data (instead of root) fixes the problem.

clarify motivation for alternative to unofficial docker-mautic

Hi there, firstly thanks a lot for sharing this great work!

I'm new to mautic so please forgive me if this is a newbie question, but I was wondering if you could clarify why you decided to build your own docker-mautic? I appreciate that there are problems with the official https://github.com/mautic/docker-mautic/ (e.g. it is not properly stateless as described in mautic/docker-mautic#2) so I am wondering why you didn't try to fix the problems there? Or did you try to contribute to the official project but encountered problems getting your contributions accepted?

I am asking because each time the community provides a different approach to the same thing, it causes fragmentation in the community, where development effort gets split between the different but overlapping approaches. This results in multiple groups independently trying to fix the same problems, and this slows down the community as a whole.

I think it would be great if the community could try to converge on a single solution. Then each problem only needs to get fixed once in a single place, and newcomers aren't faced with confusion over which solution to pick.

Does this sound reasonable to you? Thanks again!

Please provide a license

Hello 👋

I did not find any license mentioned in the repository, and sadly this makes your work "all rights reserved" in most of the countries of this world.

Can you clarify the license under which you published this work?

If you want you can just give me the license name you wish to use and I'll create a PR with it.

Best regards.
