Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update production setup #28

Merged
merged 56 commits into from
Sep 13, 2024
Merged

Update production setup #28

merged 56 commits into from
Sep 13, 2024

Conversation

tomasr8
Copy link
Member

@tomasr8 tomasr8 commented Mar 1, 2023
edited
Loading

  • Updated Python (3.12) & Postgres (15) versions
  • Updated CI
  • Removed unused container indico-static
  • Updated/fixed some config files
  • Updated readme/added comments
  • Added indico plugins to the getindico/indico image
  • Config is loaded directly from indico.conf rather than an env file (specified as a mount volume)

Haven't touched the openshift configs, but they will probably need updating as well.

@tomasr8 tomasr8 mentioned this pull request Mar 1, 2023
Open
ThiefMaster
ThiefMaster reviewed Mar 1, 2023
View reviewed changes
README.md Outdated Show resolved Hide resolved
build_latest.sh Outdated Show resolved Hide resolved
indico/worker/indico.conf Show resolved Hide resolved
indico/worker/indico.conf Outdated Show resolved Hide resolved
@tomasr8 tomasr8 force-pushed the prod-container branch 3 times, most recently from 547b2f1 to b1ff4c2 Compare March 3, 2023 14:42
@ThiefMaster ThiefMaster mentioned this pull request Apr 12, 2023
Closed
@ThiefMaster
Copy link
Member

Haven't touched the openshift configs, but they will probably need updating as well.

I feel like just getting rid of them in a separate PR... I don't think anyone is using them anyway.

ThiefMaster
ThiefMaster reviewed Aug 28, 2023
View reviewed changes
indico-prod/.env Outdated Show resolved Hide resolved
@tomasr8 tomasr8 mentioned this pull request Sep 12, 2023
Open
@tomasr8
Copy link
Member Author

tomasr8 commented Nov 28, 2023

We should probably bump this to Python 3.12 as well

@ThiefMaster
Copy link
Member

indeed, good idea!

@stmichaelis
Copy link

Any plans on finalizing and merging this PR? I was looking for a compose-setup ready for production and this repository explicitly states it is not meant for production. A forum post led me to this PR, seems to work fine as long as you build the image locally and do not use the image provided on Docker hub.

Nevertheless, a few questions remain:

  • For a full Indico backup I found the recommendation to backup the postgres database and /opt/indico/archive. This compose file creates several more volumes (e.g. redis, customization) which hints at that these volumes should be backed up as well? Static-files appears to be only for mounting into nginx, which I do not need as Caddy is running as a reverse proxy in front.
  • How about upgrading? The upgrade documentation mentions running indico db upgrade and indico db --all-plugins upgrade after installation of the new version (seems like Indico itself could be kept running, only Celery worker should be stopped). But for the containerized version the new Indico instance would already have to be started before you could run the upgrade commands inside the container. Could this lead to problems on upgrading a running, new Indico instance or should the upgrade commands go into run_indico.sh before every startup? Running them when nothing needs to change does no harm according to documentation (with the exception of increasing startup time).

joepitt91
joepitt91 reviewed Apr 27, 2024
View reviewed changes
indico-prod/indico.conf Outdated Show resolved Hide resolved
@tomasr8
Copy link
Member Author

tomasr8 commented May 13, 2024

Any plans on finalizing and merging this PR? I was looking for a compose-setup ready for production and this repository explicitly states it is not meant for production. A forum post led me to this PR, seems to work fine as long as you build the image locally and do not use the image provided on Docker hub.

Nevertheless, a few questions remain:

* For a full Indico backup I found the recommendation to backup the postgres database and /opt/indico/archive. This compose file creates several more volumes (e.g. redis, customization) which hints at that these volumes should be backed up as well? Static-files appears to be only for mounting into nginx, which I do not need as Caddy is running as a reverse proxy in front.

* How about upgrading? The upgrade documentation mentions running `indico db upgrade` and `indico db --all-plugins upgrade` after installation of the new version (seems like Indico itself could be kept running, only Celery worker should be stopped). But for the containerized version the new Indico instance would already have to be started _before_ you could run the upgrade commands inside the container. Could this lead to problems on upgrading a running, new Indico instance or should the upgrade commands go into `run_indico.sh` before every startup? Running them when nothing needs to change does no harm according to documentation (with the exception of increasing startup time).

Apologies for the late reply

not meant for production in the sense that at CERN we use a different setup (regular VMs) so we can't guarantee that this setup will work out of the box. However, there have been many requests for a dockerized Indico setup so we wanted to provide this as an example for others to build on.

Static files come from the indico wheel so no need to back them up. Customization is provided by whoever is running the instance so it's presumably already backed up in GitHub/GitLab.. We only use redis for caching so in principle it might not need backing up either.

As for upgrading, I think it makes sense to include the upgrade commands in run_indico.sh @ThiefMaster What do you think?

@ThiefMaster
Copy link
Member

I'm not the biggest fan of running DB upgrades automatically on container startup, since it'd probably result in deadlocks when you run the container multiple times.

However, we could probably run it only in a single container (e.g. the one running celery beat, since that one must run only once anyway). For my own production setup I'd still prefer to explicitly execute DB updates, but I guess for a "simple" dockerized setup automating it is what people expect...

@stmichaelis
Copy link

I'm not the biggest fan of running DB upgrades automatically on container startup, since it'd probably result in deadlocks when you run the container multiple times.

However, we could probably run it only in a single container (e.g. the one running celery beat, since that one must run only once anyway). For my own production setup I'd still prefer to explicitly execute DB updates, but I guess for a "simple" dockerized setup automating it is what people expect...

Thanks for getting back and answering the questions. Both manual and automatic DB upgrades would be fine for me. I was just wondering how to do this without starting Indico itself. Starting the celery beat container only, execing into the container and performing manual upgrades there, is fine. I did not realize that this is in fact the same source and here the upgrade progress has to deviate a bit from the official documentation for a dedicated machine.

Another difference between the Dockerfile and the official install documentation: In the containerized setup there are way less packages installed into the image on build. Nevertheless, I did not find any functionality missing yet.

@GilOliveira
Copy link

@tomasr8 Been trying out your PRs setup and it's been working pretty well but every time I go docker compose down && docker compose up -d the data in the instance gets wiped. I don't know if this is its intended behaviour, but is unusual for Docker Compose setups with persistent data. Doing docker compose restart or docker compose stop && docker compose start doesn't yield that issue, though.

@tomasr8
Copy link
Member Author

tomasr8 commented Jun 3, 2024

@tomasr8 Been trying out your PRs setup and it's been working pretty well but every time I go docker compose down && docker compose up -d the data in the instance gets wiped. I don't know if this is its intended behaviour, but is unusual for Docker Compose setups with persistent data. Doing docker compose restart or docker compose stop && docker compose start doesn't yield that issue, though.

Thanks for the report! This was most likely because we were using an anonymous volume for the Postgres data. I switched to a named volume so the data should be persisted now :)

@ThiefMaster ThiefMaster mentioned this pull request Jun 5, 2024
Closed
@ThiefMaster ThiefMaster mentioned this pull request Jun 17, 2024
Closed
@ThiefMaster ThiefMaster mentioned this pull request Jul 1, 2024
Closed
ThiefMaster and others added 18 commits August 12, 2024 09:21
@ThiefMaster @tomasr8
Make indico logging config configurable
a8b83e9
@ThiefMaster @tomasr8
Do not write nginx logs to files
c5f36f2 
People should logging at the place where they terminate TLS, and for
temporary usae (debugging etc.) the logs already go to stdout/stderr
@ThiefMaster @tomasr8
Fix proxy/x-header config
d3eb5fe 
- Set USE_PROXY since we can safely assume we're behind a load balancer
  (that terminates TLS as well)
- Do not set our own X-headers, expect the external load balanacer to
  set them since indico always expect a single 'layer' of X-header
  values
- Get rid of NGINX_SERVER_NAME since we do not need this
@ThiefMaster @tomasr8
Simplify nginx setup
0bb3bd1
@ThiefMaster @tomasr8
Load virtualenv via docker entrypoint
e0aebfd 
That way `docker compose run` etc. also have the virtualenv loaded
@ThiefMaster @tomasr8
Generate default DB URI
c678a9d
@ThiefMaster @tomasr8
Use empty default SECRET_KEY
5aa33ad 
That's rejected by indico. the old default was accepted while being very
insecure if not changed
@tomasr8
Update readme
7ebdaaf
@tomasr8
Use a default BASE_URL that works
2804cb5
@tomasr8
Use Python 3.12
1d4af4e
@tomasr8 @joepitt91
Update indico-prod/indico.conf
dca4ffc 
Co-authored-by: Joe Pitt <joepitt91@users.noreply.github.com>
@tomasr8
Use a named volume for postgres data
4958c24
@OmeGak @tomasr8
Update README.md
4c4cba8
@OmeGak @tomasr8
Make http://localhost:8080 work
c78bef2
@OmeGak @tomasr8
Fix test step on release workflow
f5bd52d
@OmeGak @tomasr8
Remove obsolete version key
f5961c4
@OmeGak @tomasr8
Bump actions versions
514319f
@OmeGak @tomasr8
Push container to owner fork of Indico
73fa8f1
@tamasgal tamasgal mentioned this pull request Sep 12, 2024
Closed
@Kehino
Copy link

Kehino commented Sep 12, 2024

I´d be glad to contribute towards this, but I lack the understanding of what the OpenShift layer does. Besides, is it basically going through all the steps detailed at https://docs.getindico.io/en/stable/installation/production/deb/nginx/ ? What could be done to feature the SSL layer?

@tomasr8
Copy link
Member Author

tomasr8 commented Sep 13, 2024

Hi @Kehino! You could help us by testing that this setup works for you as is, or if there's something missing :)
As for TLS, we don't include that here because that is going to largely depend on where you deploy Indico. If you go with the same nginx setup as in this PR, you should configure TLS in your nginx.conf as shown in the docs page you linked.

@ThiefMaster ThiefMaster merged commit 4788dd1 into indico:master Sep 13, 2024
1 check passed
@Kehino
Copy link

Kehino commented Sep 16, 2024

The setup worked well locally for me! Any specific functionality to test? E.g. I didn't try the PDF generation from LaTeX.

I'll test a setup with my nginx reverse proxy and SSL.

@tomasr8 tomasr8 deleted the prod-container branch September 16, 2024 11:54
@tomasr8
Copy link
Member Author

tomasr8 commented Sep 16, 2024

The setup worked well locally for me! Any specific functionality to test? E.g. I didn't try the PDF generation from LaTeX.

I'll test a setup with my nginx reverse proxy and SSL.

Awesome! We're also interested to know if this setup works and is easy to deploy in a production setting i.e. on OpenShift/k8s so if you have a way to test that, we'd love to know :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joepitt91 joepitt91 joepitt91 left review comments

@ThiefMaster ThiefMaster ThiefMaster left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@tomasr8 @ThiefMaster @stmichaelis @GilOliveira @Kehino @joepitt91 @OmeGak