Posted to dev@directory.apache.org by Shawn McKinney <sm...@apache.org> on 2019/12/30 18:57:37 UTC

Question about sample ApacheDS Docker images

Just read a blogpost:
https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/

That made a statement:

"Unfortunately there are no official images in the Docker Hub for ApacheDS.”

A True statement?  I know we’ve apacheDS (and OpenLDAP) docker images.  

https://hub.docker.com/u/apachedirectory/

There are few others there as well.  Not sure what they’re being used for.  

Why not add one with a basic config… perhaps with the canonical test ldap data?

—
Shawn
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org


Re: Question about sample ApacheDS Docker images

Posted by Emmanuel Lecharny <el...@apache.org>.
On Mon, Jan 6, 2020 at 14:57, Stefan Seelmann <ma...@stefan-seelmann.de>
wrote:

> On 1/6/20 2:11 PM, Emmanuel Lécharny wrote:
> >
> > On 06/01/2020 10:54, Stefan Seelmann wrote:
> >> On 12/30/19 7:57 PM, Shawn McKinney wrote:
> >>> Just read a blogpost:
> >>> https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/
> >>>
> >>> That made a statement:
> >>>
> >>> "Unfortunately there are no official images in the Docker Hub for
> >>> ApacheDS.”
> >>>
> >>> A True statement?  I know we’ve apacheDS (and OpenLDAP) docker images.
> >> I'd say yes. And I assume (but please prove me wrong) that it's not
> >> possible at Apache to publish an "official" one, only a "convenience"
> >> image. But if we choose to go that way there are some open questions
> >> that need to be clarified, like:
> >> * The Docker images contain libraries that often are GPL licensed (GNU
> >> libs, OpenJDK, etc.). Is it allowed to publish such an "convenience"
> >> image?
> >
> > Clearly, no.
>
> Clear answer what was also expectation. However many projects publish
> Docker images at https://hub.docker.com/u/apache/, including Java based
> ones (like Nutch or Syncope) which include OpenJDK and other GPL libs.



They are not official ASF releases. Anyone of us can push an ApacheDS or
Fortress Docker image on hub.docker.com, as soon as it’s not claiming to be
an official release.


>
> I'll check if I can find some policies around that..


Yes, that would be a good thing to check.
Thanks Stefan!
-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: Question about sample ApacheDS Docker images

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 1/6/20 2:11 PM, Emmanuel Lécharny wrote:
> 
> On 06/01/2020 10:54, Stefan Seelmann wrote:
>> On 12/30/19 7:57 PM, Shawn McKinney wrote:
>>> Just read a blogpost:
>>> https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/
>>>
>>> That made a statement:
>>>
>>> "Unfortunately there are no official images in the Docker Hub for
>>> ApacheDS.”
>>>
>>> A True statement?  I know we’ve apacheDS (and OpenLDAP) docker images.
>> I'd say yes. And I assume (but please prove me wrong) that it's not
>> possible at Apache to publish an "official" one, only a "convenience"
>> image. But if we choose to go that way there are some open questions
>> that need to be clarified, like:
>> * The Docker images contain libraries that often are GPL licensed (GNU
>> libs, OpenJDK, etc.). Is it allowed to publish such an "convenience"
>> image?
> 
> Clearly, no.

Clear answer what was also expectation. However many projects publish
Docker images at https://hub.docker.com/u/apache/, including Java based
ones (like Nutch or Syncope) which include OpenJDK and other GPL libs.

I'll check if I can find some policies around that...



Re: Question about sample ApacheDS Docker images

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 06/01/2020 10:54, Stefan Seelmann wrote:
> On 12/30/19 7:57 PM, Shawn McKinney wrote:
>> Just read a blogpost:
>> https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/
>>
>> That made a statement:
>>
>> "Unfortunately there are no official images in the Docker Hub for ApacheDS.”
>>
>> A True statement?  I know we’ve apacheDS (and OpenLDAP) docker images.
> I'd say yes. And I assume (but please prove me wrong) that it's not
> possible at Apache to publish an "official" one, only a "convenience"
> image. But if we choose to go that way there are some open questions
> that need to be clarified, like:
> * The Docker images contain libraries that often are GPL licensed (GNU
> libs, OpenJDK, etc.). Is it allowed to publish such an "convenience" image?

Clearly, no.

But we can provide a Dockerfile.





Re: Question about sample ApacheDS Docker images

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 12/30/19 7:57 PM, Shawn McKinney wrote:
> Just read a blogpost:
> https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/
> 
> That made a statement:
> 
> "Unfortunately there are no official images in the Docker Hub for ApacheDS.”
> 
> A True statement?  I know we’ve apacheDS (and OpenLDAP) docker images.  

I'd say yes. And I assume (but please prove me wrong) that it's not
possible at Apache to publish an "official" one, only a "convenience"
image. But if we choose to go that way there are some open questions
that need to be clarified, like:
* The Docker images contain libraries that often are GPL licensed (GNU
libs, OpenJDK, etc.). Is it allowed to publish such an "convenience" image?
* We need to define and decide on an update process. The base Docker
images are updated more frequently than we release (especially security
updates). Do we need to update the images (e.g. a security patch in
OpenJDK)? Is this a manual process with voting or can an automatic build
be setup?

> https://hub.docker.com/u/apachedirectory/

I created apachedirectory a long time ago with the intention to use it for
testing only.

Meanwhile the ASF also allows to push Docker images to the "apache" repo
(https://hub.docker.com/u/apache/), but I don't know how that works and
what the preconditions are. If we consider to publish "convenience"
images I'd rather use that repo.

> There are few others there as well.  Not sure what they’re being used for.  

The openldap-for-apache-fortress-tests and
apacheds-for-apache-fortress-tests are made especially for Fortress
integration tests, source [1].

maven-build (source [2]) is used in Jenkins pipeline builds of LDAP API,
server, and studio. They contain all build and test tools required.

xvfb and studio-build are outdated, they were used for building and
testing Studio. I try to delete them.

Kind Regards,
Stefan

[1] https://github.com/apache/directory-fortress-core/tree/master/src/docker
[2]
https://github.com/apache/directory-buildtools/tree/master/docker/maven-build



Re: Question about sample ApacheDS Docker images

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 12/31/19 5:49 PM, Marc Boorshtein wrote:
>> And this is open for discussion… my view, to be ‘official’, needs to be
>> under the ‘apachedirectory’ repository, i.e. ASF supported.
>>
> 
> I honestly find this isn't that important as long as you are getting the
> container from a reputable source.  I generally avoid personal repos but if
> a repo is from a company with experience in the space and some kind of
> support behind it (even if it's just public open source) you're probably in
> good shape.  Some things to look for:
> 
> 1.  Company supported - even if it's just open source
> 2.  How often is it updated?  How often do you patch your VMs?  You want
> something that has a similar cadence.
> 3.  Is the dockerfile opensource?  You should know what code is running in
> your environment.
> 4.  Is the build reproducible?  Can you recreate the container with just
> the dockerfile?
> 5.  Is the container running as root?  Too many "official" containers do
> this.
> 
> This is on top of doing your own scans to look for issues.
> 
> As an example of where I skip "official" builds is if red hat provides a
> container I go with that because they keep them up to date and don't run as
> root.

Well, those companies could join the Open Source project and contribute
their expertise and make the official/convenient Docker image better :-)

>> More questions, how much work is this to maintain?  Does it need to be
>> updated once per release (apacheds), or more often? What else… should the
>> image be signed?
>>
> 
> Containers should be updated at least on a periodic cadence and better to
> be triggered by an event such as the from container being updated. We scan
> our containers using anchore.io and whenever a package is released to
> address a known cve, we rebuild.

+1





Re: Question about sample ApacheDS Docker images

Posted by Marc Boorshtein <mb...@gmail.com>.
>
>
> Thanks for weighing in.  This is cool.  I like that you separated the data
> from the image, and that you’ve externalized the keystore pw.  What kinds
> of changes to make this suitable for production?
>
>
Since ApacheDS stores pretty much all of its configuration internally in
the directory it's probably mostly a documentation project.  Maybe injecting
additional environment variables to support replication?



> And this is open for discussion… my view, to be ‘official’, needs to be
> under the ‘apachedirectory’ repository, i.e. ASF supported.
>

I honestly find this isn't that important as long as you are getting the
container from a reputable source.  I generally avoid personal repos but if
a repo is from a company with experience in the space and some kind of
support behind it (even if it's just public open source) you're probably in
good shape.  Some things to look for:

1.  Company supported - even if it's just open source
2.  How often is it updated?  How often do you patch your VMs?  You want
something that has a similar cadence.
3.  Is the dockerfile opensource?  You should know what code is running in
your environment.
4.  Is the build reproducible?  Can you recreate the container with just
the dockerfile?
5.  Is the container running as root?  Too many "official" containers do
this.

This is on top of doing your own scans to look for issues.

As an example of where I skip "official" builds is if red hat provides a
container I go with that because they keep them up to date and don't run as
root.



>
> More questions, how much work is this to maintain?  Does it need to be
> updated once per release (apacheds), or more often? What else… should the
> image be signed?
>

Containers should be updated at least on a periodic cadence and better to
be triggered by an event such as the from container being updated. We scan
our containers using anchore.io and whenever a package is released to
address a known cve, we rebuild.


> Thinking out loud here.  How about every release of apacheds includes
> publishing a docker image.
>
> And a disclaimer, only rudimentary docker skillset here, so feel free to
> tell me to RTFM.  ;-)
>
>
> —
> Shawn
>
>
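
Two of the checks listed in the message above (update cadence and whether the container runs as root) can be automated against `docker image inspect` output. The following is an added example, not part of the original thread; the image names, timestamps and the 31-day limit are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample: trimmed `docker image inspect` output for two
# hypothetical images (tags, dates and users are made up for illustration).
SAMPLE_INSPECT = json.loads("""
[
  {"RepoTags": ["example/ldap-a:latest"],
   "Created": "2019-12-20T08:15:30.123456789Z",
   "Config": {"User": ""}},
  {"RepoTags": ["example/ldap-b:latest"],
   "Created": "2019-06-01T00:00:00Z",
   "Config": {"User": "1000:1000"}}
]
""")

def runs_as_root(user):
    """Empty Config.User means the container starts as uid 0.
    A named user that maps to uid 0 inside the image is not detected here."""
    name = (user or "").split(":", 1)[0].strip()
    return name in ("", "0", "root")

def parse_created(value):
    """Parse Docker's RFC 3339 'Created' field, dropping sub-second digits."""
    head = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def review_image(entry, now, max_age_days=31):
    """Return findings for one inspect entry; max_age_days is an assumed cadence."""
    findings = []
    if runs_as_root((entry.get("Config") or {}).get("User")):
        findings.append("runs as root (no non-root USER set)")
    age = (now - parse_created(entry["Created"])).days
    if age > max_age_days:
        findings.append(f"image is {age} days old (limit {max_age_days})")
    return findings

def review_all(entries, now):
    """Map each image's first tag to its list of findings."""
    return {e["RepoTags"][0]: review_image(e, now) for e in entries}

if __name__ == "__main__":
    now = datetime(2019, 12, 31, tzinfo=timezone.utc)  # fixed date for the sample
    for tag, findings in review_all(SAMPLE_INSPECT, now).items():
        print(tag, "->", findings or "ok")
```

Against a real host, replace `SAMPLE_INSPECT` with the parsed JSON that `docker image inspect <image>` prints.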

Re: Question about sample ApacheDS Docker images

Posted by Shawn McKinney <sm...@apache.org>.
> On Dec 30, 2019, at 3:36 PM, Marc Boorshtein <mb...@gmail.com> wrote:
> 
> On Mon, Dec 30, 2019, 1:57 PM Shawn McKinney <sm...@apache.org> wrote:
> Just read a blogpost:
> https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/
> That made a statement:
> "Unfortunately there are no official images in the Docker Hub for ApacheDS.”
> 
> Not an "official" image but we maintain https://hub.docker.com/repository/docker/tremolosecurity/apacheds primarily for testing purposes but could easily be adapted for production use. We push a rebuild whenever there's a patched package for the underlying Ubuntu os available so the container is updated at least monthly. Source for the build - https://github.com/TremoloSecurity/apacheds

Marc, 

Thanks for weighing in.  This is cool.  I like that you separated the data from the image, and that you’ve externalized the keystore pw.  What kinds of changes to make this suitable for production?  

And this is open for discussion… my view, to be ‘official’, needs to be under the ‘apachedirectory’ repository, i.e. ASF supported.  

More questions, how much work is this to maintain?  Does it need to be updated once per release (apacheds), or more often? What else… should the image be signed?

Thinking out loud here.  How about every release of apacheds includes publishing a docker image.

And a disclaimer, only rudimentary docker skillset here, so feel free to tell me to RTFM.  ;-)


—
Shawn


Re: Question about sample ApacheDS Docker images

Posted by Marc Boorshtein <mb...@gmail.com>.
On Mon, Dec 30, 2019, 1:57 PM Shawn McKinney <sm...@apache.org> wrote:

> Just read a blogpost:
> https://dumisblog.wordpress.com/2019/12/30/run-apacheds-on-docker/
>
> That made a statement:
>
> "Unfortunately there are no official images in the Docker Hub for
> ApacheDS.”
>


Not an "official" image but we maintain
https://hub.docker.com/repository/docker/tremolosecurity/apacheds primarily
for testing purposes but could easily be adapted for production use. We
push a rebuild whenever there's a patched package for the underlying Ubuntu
os available so the container is updated at least monthly. Source for the
build - https://github.com/TremoloSecurity/apacheds






> A True statement?  I know we’ve apacheDS (and OpenLDAP) docker images.
>
> https://hub.docker.com/u/apachedirectory/
>
> There are few others there as well.  Not sure what they’re being used
> for.
>
> Why not add one with a basic config… perhaps with the canonical test ldap
> data?
>
> —
> Shawn
>
>