There isn't a good story around the serving of static files that are part of a Dockerflow app.

A pattern that has emerged is a container is good for more than just one thing, like the main web app and a background worker process. Often they share all the same libraries and differ in the way they are run.

I tested something out with a run.sh for mozilla/universal-search-recommendation. This shell script is the ENTRYPOINT and depending on the CMDs given to it can run a background worker, another task, etc.

Another example is Dockerflow itself. Where the ENTRYPOINT is npm and the CMD tells it what to do.

All of this should be captured in a recommendation document.

While running the Deploy to Dockerhub job, I get an unencrypted password warning:

WARNING! Your password will be stored unencrypted in /root/.docker/config.json

Wondering if it's a credible vulnerability? Is there a better way to run this job/step, and should the Dockerflow repo be updated accordingly?

Should the application have a version prefix /v1 ? Or should the application serve on / and the prefix be set during the deployment?

Why not use .wellknown name space for health checks?

https://en.wikipedia.org/wiki/List_of_/.well-known/_services_offered_by_webservers

_{Sent with GitHawk}

The original doc was very much Mozilla CloudOps specific. These should be removed and the spec should focus on:

• simplifying deployment of a service
• simplifying identifying service version
• health checks for monitoring
• conventions for logging and metrics

As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:

1. Required Text - All text under the headings Community Participation Guidelines and How to Report, are required, and should not be altered.
2. Optional Text - The Project Specific Etiquette heading provides a space to speak more specifically about ways people can work effectively and inclusively together. Some examples of those can be found on the Firefox Debugger project, and Common Voice. (The optional part is commented out in the raw template file, and will not be visible until you modify and uncomment that part.)

If you have any questions about this file, or Code of Conduct policies and procedures, please reach out to [email protected].

(Message COC001)

I'm trying to understand the need for Login to Dockerhub in the build job. It doesn't appear that anything is posted to Dockerhub until the deploy job, where a second login is initiated. Is the first login a redundant step?

Modern apps require lots of services that typically require additional containers running alongside the application container: databases, message queues, etc. After discussion with @mostlygeek, I've gathered that:

• The intent is for the application container to exclude those services and only serve the app itself.
• In production deployments, ops will manage those services manually using CloudFormation templates.
• For local development, it's up to developers to determine the sanest way to manage those services.

Open questions:

• If there are services that require developer configuration, how should that be managed?

According to the pipeline team, we aren't able to nest object literals within the Fields object; just "values" and arrays. This documentation is wrong. See this mana article for the full schema.

In the README it says that any CI tool that meets certain requirements can be used for Dockerflow, but apparently builds from Travis CI are not supported (e.g., only Taskcluster and Circle?)

Might be good to include the supported list in the README, and maybe how support for others can be contributed?

For services that are not webapps, what does Dockerflow recommend we do for healthcheck endpoints?

For example, the Socorro processor is not a webapp and doesn't have anything to respond to HTTP, so there's nothing to implement healthchecks with.

Is it the case that all services must implement a webapp to handle Dockerflow healthcheck enpoints? Should we have something else for non-webapp services?

From mozilla/testpilot/issues/398, the usage of the app user in the container is a little ambiguous. It should be clarified that:

• root can be used in the container to install packages and other system level dependencies
  • the app user can also be used to run commands like npm
  • the /app directory in the container should be owned by app
• the app only needs to be used to actually run the service
• this can be accomplished with the USER command in the Dockerfile

This Mozilla repository has been identified as lacking a license. Consistent with Mozilla's Licensing Policy an open source license should be applied to the code in this repository.

Please add an appropriate LICENSE.md file to the root directory of the project. In general, Mozilla's licensing policies are as follows:

• Client-side products created by Mozilla employees or contributors should use the Mozilla Public License, Version 2.0 (MPL).

• Server-side products or utilities that support Mozilla products may use either the MPL or the Apache License 2.0 (Apache 2.0).

In special cases, another license might be appropriate. If the repository is a fork of another repository it must apply the license of the original. Similarly, another license might be appropriate to match that of a broader project (for example Rust crates that Firefox depends on are published under an Apache 2.0 / MIT dual license, as that is the dual license used by the Rust programming language and projects).

Please ensure that any license added to the LICENSE.md file matches other licensing information in the repository (for example, it should match any license indicated in a setup.py or package.json file).

Mozilla staff can access more information in our Software Licensing Runbook – search for “Licensing Runbook” in Confluence to find it.

If you have any questions you can contact Daniel Nazer who can be reached at dnazer on Mozilla email or Slack.

OPENLIC-2023-01

Dockerflow introduces the notion of a third party that takes source code, puts that into a container that we mostly treat as binary, and publishes it for us to use.

Assuming the third party is circleci (but it could be anyone really). We know that if circleci gets owned, someone can modify containers to inject bad code, which would be dramatic for us.

It's a bit different than trusting github, because modifying git history and source code without being detected by developers is very hard. It is similar to trusting AWS, but we justify that trust with contracts and years of proven security practices.

My question is: Do we, and should we, have a way to control what circleci produces, or do we blindly trust the service?

If your application isn't single threaded/process the optional recommendation will result
in corrupted log entries when there are frequent writes over 4k in size.

references

1. https://www.gnu.org/software/libc/manual/html_node/Pipe-Atomicity.html
2. https://www.notthewizard.com/2014/06/17/are-files-appends-really-atomic/
3. minimal gunicorn test case in https://gist.github.com/dylanwh/dbb7acc97151503ef061f0895ec0d137

work arounds

1. Prevent writes over 4k (or log additional warnings)
2. Use something to mux the input. Each worker thread/process should log to a socket and there should be a single process multiplexing over that socket and writing to the container's stdout
3. Run only a single process per container (viable for smaller services?)
4. Write your service in go, which seems to handle multiple goroutines writing to stdout just fine,

The 1.0 style configuration still used in this sample is supposedly retiring this August

https://circleci.com/blog/sunsetting-1-0/

In a few cases, we have implemented endpoints that expose the configuration of a running app. I think it would be useful to standardize how to do that, and document it as optional.

A few considerations:

• Expose ENV variables as key/value under an environment key ?
• Expose hard-coded config under configuration key ?
• Limit exposure to internal network and/or authenticated endpoints only (simple token should be enough)?
• Use the standard __config__ endpoint?

@ckolos volunteered to do this one.

Depending on the underlying distribution of the container, these options can be ambiguous. The options should use the full name format for readability.

• 500 ?
• Empty body?

As more of our services have been migrated to GCP, MozLog's severity levels are causing issues as they're different from those of GCP Cloud Logging. Dockerflow-compliant services need to remap SLs in order for GCL to render log records properly.

Is it time to update MozLog's SLs to match against GCL now?

@jasonthomas @mostlygeek @jbuck WDYT?

in mozilla-releng/services we are trying to become "dockerflow complient" (mozilla/release-services#1183) either we run services on dockerhub or elsewhere. Standards are good! :) We are not there yet but we are getting there.

Our docker images are build reproducible and the future we would like to continuously check for binary reproducibility.

The requirement JSON version object breaks the promise of reproducibility since you don't know at build time if the artifact is going to be released.

Sure we can rebuild docker image just before pushing dockerhub, but then this is not really the same artifact as we tested on staging environment.

I'm opening this ticket to get some advice how to proceed. In the worse case we can rebuild the docker image before pushing, but maybe there is a way to have this JSON version object be outside the docker image as a metadata of the running container.

Thank you in advance, Rok.

use port 8000. It's more of a convention in ops.

mozilla-services/buildhub#248 (comment)

The current recommendation is to build and test the container in Circle CI. The motivation for this is:

• transparency in viewing build logs
• no in-house testing infrastructure to run
• simple integration into github pull requests
• common scriptable builds (via .travis.yml or circle.yml)

However, some questions were brought up around:

• verification of the build
• knowing exactly what we are deploying
• ability to re-build a container without dev support

@oremj @ckolos @jvehent please add anything I've missed

I think I've made a dockerfile (and image) conforming to Dockerflow requirements. Where can I build/deploy it to test that it's working?

Adding a crashing endpoint to our services could help us make that the service monitoring (logging and graph of 5XX responses) and error reporting (Sentry, slack notifs) is configured correctly.

@app.route("/__crash__")
def crash():
    logger.error("about to boom")
    raise ValueError("boom")