It fails with

❯ docker run -i --rm -e ZSERVER_HOST=0.0.0.0 -e ZSERVER_PORT=55001 -p 55001:55001 -e ADDONS="plone.app.robotframework plone.restapi" -e PROFILES="plone.app.contenttypes:plone-content plone.volto:default-homepage" plone-backend:6 ./bin/robot-server plone.app.robotframework.testing.PLONE_ROBOT_TESTING
=======================================================================================
Installing ADDONS plone.app.robotframework plone.restapi
THIS IS NOT MEANT TO BE USED IN PRODUCTION
Read about it: https://github.com/plone/plone-backend/#extending-from-this-image
=======================================================================================
ERROR: Invalid requirement: 'plone.app.robotframework plone.restapi'
WARNING: You are using pip version 21.3; however, version 21.3.1 is available.
You should consider upgrading via the '/app/bin/python -m pip install --upgrade pip' command.

Can be useful this configuration in relstorage.conf?
This is optional, so i don't know what's the best way to add it into the relstorage.conf file.

i have been working connecting apache solr via the plone-backend. i still couldnot figure it out. most of the examples are using the the buildout.cfg for connecting the solr. thus, how can we make use of the plone-backed image to integrate apache solr.

Not sure this is the right place.
Our jenkins ppelines perform automatic securitiny vulnerability checks and when I tried to build a docker image based on plone-backend 6.0.2, it gives the following warning:

09:32:14  [2023-03-08T08:32:14.876Z] CVE-2022-40899 (HIGH) for future:0.18.2:/app/lib/python3.11/site-packages/future-0.18.2.dist-info/METADATA - python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server: (https://avd.aquasec.com/nvd/cve-2022-40899)
09:32:14  [2023-03-08T08:32:14.876Z]     An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
09:32:14  [2023-03-08T08:32:14.876Z] 
09:32:14  [2023-03-08T08:32:14.876Z] Fixed in 0.18.3
09:32:14  [2023-03-08T08:32:14.876Z] -----

I guess we should update future in https://dist.plone.org/release/6.0.2/constraints.txt
If anyone directs me to where I can do that, I'll make a PR

My container has a bunch of add-ons which I have added using the sanctioned method (not the ADDONS variable although I suspect this affects them too).

When these add-ons start, I see permission denied errors in the log about their compilation.

What could it be and how can we fix this structurally? Do we expect the Zope server to write to directories that contain code?

Hello!

Our Plone servers use ZEO to run multiple backends within the same Kubernetes pod.

We noticed upon upgrade that the ZEO client libraries are missing from the latest stable published container image (we derive our container images from this one). The traceback reported it cannot import the ZEO module.

Is there a reason why this is missing?

The workaround I have implemented in our container file goes like this:

# Add ZEO
RUN /app/bin/pip install -U ZEO -c /app/constraints.txt

Tests for the containers using the ZEO library should be added so this does not happen in the future again.

I already use this approach in my customer projects and it makes the configuration way more flexible, read: allows any configuration option supported by cookiecutter-zope-instance and this are almost all.

Using NFS or Amazon EBS driver for volumes will end-up with a permission denied error:

11/5/2021 1:56:28 PMmkdir: cannot create directory ‘/data/filestorage’: Permission denied
11/5/2021 1:56:28 PMmkdir: cannot create directory ‘/data/blobstorage’: Permission denied
11/5/2021 1:56:28 PMmkdir: cannot create directory ‘/data/cache’: Permission denied
11/5/2021 1:56:28 PMmkdir: cannot create directory ‘/data/log’: Permission denied
11/5/2021 1:56:44 PMmkdir: cannot create directory ‘/data/filestorage’: Permission denied
11/5/2021 1:56:44 PMmkdir: cannot create directory ‘/data/blobstorage’: Permission denied
11/5/2021 1:56:44 PMmkdir: cannot create directory ‘/data/cache’: Permission denied
11/5/2021 1:56:44 PMmkdir: cannot create directory ‘/data/log’: Permission denied

Thus, I propose to remove USER plone from Dockerfile and gosu via docker-entrypoint.sh.

I'll prepare a PR.

see https://community.plone.org/t/plone-6-backend-with-classic-ui-apt-requirements/15821

(check for x86 and ARM if there are always wheels).

inside the docker files (standard and nightly) the project is setup as you would in a local dev-environment.

why? the container already gives that level of encapsulation we need.

am I missing a point here?

Pass Python version in as ARG. see #85
cc @davisagli

Is there a way to run this image in fg to debug addons?

I'm developing an add-on with plone-backend image and i need to put some pdb into its code but i don't know how to start the instance in fg.

I tried to bypass the entrypoint with command=bash but after that i don't know which script run and how.

Am i missing something or this isn't available yet? If not, how do you develop with plone6/pip?

There is no need for any volume if i.e. run with Relstorage and Postgresql.
Caches can live non-persistent.
Log should go to console. Accesslog configured different.
Same with VOLUME /data - this is not needed.

This cookie-cutter were made for this task, here we have everything twice in several skeleton files.
I think this could be much more streamlined using the cookiecutter-zope-instance - and while at it improve it (I can move it to plone or collective).

The cookie-cutter would need to be installed in the build step together with cookiecutter script.
At startup it can generate the configuration (it takes only some millis).
It is documented (vs. the current READMe has many bugs and is consfusing)

This could probably also help using the image for development.

at the moment its docker hub and GHCR is supposed to be faster with GH

Branches:

• main (6.0.x)
• 5.2.x

Tags for every release

Update README.md on Docker hub on changes to main

There's no script to add an emergency user.

https://canonical.com/blog/chiselled-ubuntu-ga

@mauritsvanrees @davisagli @pbauer

I want to make a new release of our plone-backend images for Plone 5.2 now that Maurits has released 5.2.13. But I notice in the Dockerfile we install/add some extra packages that are really outdated.

Also pip is still pinned ad 22.0.4 when the constraints.txt for Plone 5.2.13 now has pip 23.2.

The image is 'officially' not support, as in: we started promoting the container images for Plone 6. But what to do here?

If dockerfiles based on our image are really picky they repin their packages, but if they are depending on what is in the package.... We can update:

pip == 23.2
relstorage == 3.5.0
psycopg2 == 2.9.6
python-ldap == 3.4.3
plone.volto==3.1.0a9

In comparison with the previous images:

Running rc1:

docker run -i --rm -e ZSERVER_HOST=0.0.0.0 -e ZSERVER_PORT=55001 -p 55001:55001 -e 'ADDONS= plone.app.robotframework==2.0.0b2 plone.app.testing==7.0.0b2' -e APPLY_PROFILES=plone.app.contenttypes:plone-content,plone.restapi:default,plone.volto:default-homepage -e CONFIGURE_PACKAGES=plone.app.contenttypes,plone.restapi,plone.volto,plone.volto.cors plone/plone-backend:6.0.0rc1 ./bin/robot-server plone.app.robotframework.testing.VOLTO_ROBOT_TESTING

Running 6.0.0 final:

docker run -i --rm -e ZSERVER_HOST=0.0.0.0 -e ZSERVER_PORT=55001 -p 55001:55001 -e 'ADDONS= plone.app.robotframework==2.0.0b2 plone.app.testing==7.0.0b2' -e APPLY_PROFILES=plone.app.contenttypes:plone-content,plone.restapi:default,plone.volto:default-homepage -e CONFIGURE_PACKAGES=plone.app.contenttypes,plone.restapi,plone.volto,plone.volto.cors plone/plone-backend:6.0.0 ./bin/robot-server plone.app.robotframework.testing.VOLTO_ROBOT_TESTING

For me, M1Max first command runs in 8s, the latter in 47s... No clue why, it seems that pip takes much more "Requirement already satisfied:" checks than before.

/cc @jensens @ericof we did update pip to latest and Python 3.11, right? Any idea if that could be the reason?

tested the plone backend without tls, All the css is working fine. but after using the tls on the test domain, i am having css issue. i couldnot figure out the where to make changes. i couldnot find the env relating to this.

used image plone/plone-backend:6.0.0b1

uploaded the screenshot of the issue.

This should work in GH Actions too. I use it in my projects, so would be good for our images as well.
https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml

It's a best practice to not use the root user in containers (see https://pythonspeed.com/articles/root-capabilities-docker-security/)

This image currently adds a plone user but should also set it as the active user with https://docs.docker.com/engine/reference/builder/#user

READMEs should have only minimal information and not duplicate that which is already published in Plone 6 docs. This README currently has some non-duplicated information that should be moved into the docs, and replaced with a link to the docs.

See #67 (comment) for discussion, and suggested changes in https://github.com/plone/plone-backend/pull/67/files.

While testing the cookiecutter-plone-starter docker compose setup today I noticed that when I stop the compose setup, the backend container takes 10-11 seconds to stop. This is the 10 second timeout when the application in side the container doesn't respond correclty to the 'nice' way of asking to stop (I think SIGTERM) and then a SIGKILL follows.

This might have to do something with our entrypoint script that starts the instancne and somewhere along the process chain the signals are not correctly passed along. Any takers? ;-)

actually we have two options:

1. small images size, slower startup (like now)
2. larger image size with pre-compiled python files and faster startup.

I would precompile in first stage already and have all on one layer on copy.

Hint: python -m compileall .

In docker-entrypoint.sh, 6.x branch

We'd like to be able to tune Waitress with command line parameters (does not seem like it takes variables), so it would be good if the start verb located near the end of the entrypoint script actually supported "$@" so that we may pass parameters to it.

The README here lands on Docker Hub, so it should contain basic about the image and Plone.
In depth information has to be moved to docs.plone.org (6-dev branch)
@stevepiercy knows better where to put it there. Lets keep this issue open until this is finished.

Currently they work different and should be aligned again to the more efficient way of current Dockerfile.

followup to #60

after investigating deeper into docker multistage I came across the topic of wheels vs venv.
we use both and I would like to understand why.

according to this article https://pythonspeed.com/articles/multi-stage-docker-python/ a venv is perfectly capable of being passed from one stage to the other - as we do using the wheels directory.

this made me lift my eyebrow:

"Another solution to the problem is to build all the packages as wheels—binary packages with the compiled code—and then copy the wheel files over to the build stage and install them there. This works, but doesn’t really add much."

a second source I found: https://testdriven.io/blog/docker-best-practices/#using-python-virtual-environments indicates even more concrete:

"you may want to use a virtual environment in a multi-stage build rather than building wheel files."

is there any other benefit of using wheels over venv?

We should always deliver most recent software using apt-get upgrade in both stages.

currently we are on 3.9.

Since we build all on make we should install it, so a derived container dont.

https://docs.docker.com/engine/security/trust/

Packing is done with different commands depending on whether ZEO or Relstorage is used. For Relstorage it needs a modified conf file that only includes the relstorage section. It would be nice for the image to include the necessary configuration and an entrypoint which runs the right command.

(Or are there good reasons to create a separate image for this?)

Using a GH Actions schedule we should build fresh images, i.e. like weekly.

Since we made the 6.0.x branch default, nightly images are not created anymore.

I propose to use our /ok check here:

HEALTHCHECK --interval=10s --timeout=5s --start-period=30s CMD  wget -q -T 5 http://127.0.0.1:8080/ok -O - | grep OK || exit 1

Opinions?

Dockerfile uses python:${PYTHON_VERSION}-slim-bullseye as base image:

This image has a vulnerable module: expat/libexpat:

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

How to fix?
Upgrade Debian:11 expat to version 2.2.10-2+deb11u5 or higher.

This affects all "python:3.x-slim-bullseye" images:

https://snyk.io/test/docker/python%3A3.7-slim-bullseye
https://snyk.io/test/docker/python%3A3.8-slim-bullseye
https://snyk.io/test/docker/python%3A3.9-slim-bullseye
https://snyk.io/test/docker/python%3A3.10-slim-bullseye

When creating a venv with python3 -m venv the packages pip and setuptools are installed in specific versions (e.g. pip-20.3.4 and setuptools-44.1.1).

The command /app/bin/pip install -U "pip==${PIP_VERSION}" wheel updates pip to the version specified in ${PIP_VERSION} and installs wheel to the current version (i.e. pip-22.3.1 and wheel-0.38.4) but setuptools remains installed (i.e. in version setuptools-44.1.1)

This version (i.e. setuptools-44.1.1) is used later to build the wheels (e.g. for plone.volto, Chameleon, repoze.xmliter, Zope2, ZODB3, future, sgmllib3k) when installing Plone with /app/bin/pip install Plone ${EXTRA_PACKAGES} -c /app/constraints.txt.

Only after the wheels are build, the installed version setuptools-44.1.1 is uninstalled and setuptools-65.7.0 is installed according to the version specified in /app/constraints.txt

Im not sure if there might be any problems when building the wheels with setuptools in a differnt version as later installed.

Should that be the case I'd suggest to install setuptools in the version specified in /app/constraints.txt before installing Plone.

Furthermore and since /app/constraints.txt already specifies the versions of pip, setuptools, and wheel (i.e. pip-22.3.1, setuptools-65.7.0, wheel-0.38.4) I'd also suggest to update pip and installing wheel and setuptools using -c /app/constraints.txt. This would make the use of the variable ${PIP_VERSION} redundant.

Consider replacing the following line #18 in Dockerfile.builder:

/app/bin/pip install -U "pip==${PIP_VERSION}" wheel

with

/app/bin/pip install -U pip wheel setuptools -c /app/constraints.txt

and removing the variable declaration PIP_VERSION=22.3.1 in line #7 in Dockerfile.builder:

If we assume I have multiple addons specified:

DEVELOP="src/addon1 src/addon2"

then the pip install -e should be called like:

bin/pip install -e src/add1 -e src/addon2

Same as with psycopg2 which we already have included python-ldap has no binary wheels and needs compilation.

If we're in a RelStorage environment Postgresql needs time for it initial dbinit.

Docker unfortunately removed to wait for a healthcheck, it only checks if a container is up, so we can not wait for it.

Now, Plone is starting up, because before postgres states its running before dbinit and while dbinit RelStorage tries to create the tables and stored procedures needed.
Postgres, after finished with dbinit, restarts itself. In Plone/RelStorage now the initialization is eventually only half done. Then Plone tries to connect to a partly created structure and fails.
dbinit is fast as well, mostly under 2-5s.

I propose to delay startup of Plone in case if Relstorage is used based on an environment variable. default 5s.
dinit runs once, so after initialization the variable can be set to 0s for the cluster.

Or are better ideas around?

When running the backend container an invalid URL is being printed to the console. In 95246aa the whole section about "Extending from this image" was removed.

Maybe, (a) point to the official documentation, or (b) remove the link from the entrypoint script.

We need to support ARM64 build as well, given the awful performance of emulated images in M1 chips.

Would it be hard? Didn't find a good source of knowledge on the accepted way to achieve this. We are building locally, so no auto build in dockerhub, right? Of course, I can build and push them if needed.

I tried to build the images, and I had to do an amendment, so the install of relstorage do not happen in the base image, but on the builder, and stored in the wheelhouse as well, since it needs compilation in M1s. Is there any reason for installing relstorage at a later point?

/cc @jensens @ericof @silviot @avoinea

Busybox wget has limited features and does not support timeouts. Check is we need the real one or better use curl or if w/o timeout works in all situations.

I would do an apt-get upgrade -y here. Any reason why we don't?