Use well-maintained images and official repo instead of outdated stuff #9
base: master
Conversation
…ocker into compose-v3-2018
…ublished by default
One more thing:
What's the status of this? Is your fork's branch stable for use?
Status of the MR: Ignored forever. => No one feels responsible for this repo :(

Status of the docker-compose.yml => This should be safe for the foreseeable future. It takes the MQTT and MongoDB images from Eclipse and Mongo, which have a long record of maintaining their stuff, and then takes the actual Nightscout application right from the main repo. (They maintain a Dockerfile for that; the compose file only takes care of plugging in the external services.) The only thing that could be improved is if the Nightscout Team would actually submit their Dockerfile to the Docker Hub instead of having to build it from source every time.
Thanks for this. There appears to be a typo: "Dockerfile.example" doesn't exist.
Nightscout changed their dockerfile name, yay
Thanks, fixed that, but you're better off using the docker-compose.yml in the main repository anyway nowadays. I created this MR 5 years ago; it seems like it would make more sense to remove this repository in its entirety nowadays.
I've changed the docker-compose file to use better maintained versions of the upstream dependencies and directly build the Nightscout NodeJS app instead of relying on an unmaintained fork.
Let's start with the dependencies:
I replaced the prologic Mosquitto build with the official Mosquitto build from the Eclipse Foundation.
This might not be so important, as the only known security problem in Mosquitto was an authentication bypass, but no authentication is used in this setup anyway.
MongoDB by tutum was replaced by the official docker-community maintained version called mongo, which is also sponsored by Mongo Inc. (The developers of MongoDB)
The old MongoDB had several CVE security issues. Most of them can only be used in DoS attacks, but there were also 2 overflow errors which can potentially be used for reading sensitive information or modifying memory.
Last but not least the main dish:
The compose file in this repo uses a prebuilt docker image for the nightscout NodeJS application that is based on a third party fork by user Fokko.
Said fork hasn't been updated in 2.5 years and is currently behind the master branch by about 1300 commits.
Why would anyone use a docker image explicitly marked for dev purposes only and use a version that's outdated by 2.5 years?
So this PR updates the docker-compose.yml file to bring things into the year 2018.
I've changed the compose file to version 3 syntax (available in Docker 1.13.0 from January 2017 and newer) in order to use the build from external repositories feature instead of relying on a prebuilt docker-image for the main app.
The dependencies have been updated to use the official versions of the apps:
Mosquitto is now using the official eclipse-mosquitto image from the Eclipse Foundation and should receive timely updates.
The same is true for the MongoDB version, which was replaced with the official mongo image.
I've also modified the comment inside this file about exposing the MongoDB port a bit, so that others who aren't that involved with development know when this is actually needed and that it's usually not necessary in 2018 anymore.
Hope others can profit from this as well.
I didn't touch any of the cloud deployment guides as I never tried to deploy docker containers on servers not managed by myself or my company.
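The following compose file is an added illustration of the layout the PR describes (compose v3 syntax, official `mongo` and `eclipse-mosquitto` images, the Nightscout app built from the upstream git repository, MongoDB port not published). It is not the PR's own docker-compose.yml. The upstream repository URL, the image tags, the environment variable names (`MONGO_CONNECTION`, `API_SECRET`) and the Nightscout listening port are assumptions taken from the Nightscout project's documentation and should be checked against the version you actually build.

```yaml
# Added example, not the PR's file.  Compose file format 3 requires
# Docker 1.13.0 or newer; it is what allows "build.context" to be a git URL.
version: "3"

services:
  mongo:
    # Official image maintained by the Docker community and sponsored by
    # MongoDB Inc.  Tag is an example; pin whatever release you have vetted.
    image: mongo:3.6
    volumes:
      - mongo-data:/data/db
    # Deliberately no "ports:" entry: MongoDB is reachable only by other
    # services on this compose network (hostname "mongo"), never from the
    # host or the internet.  Only publish it when a client outside this
    # compose project genuinely needs direct database access, and then bind
    # it to loopback rather than 0.0.0.0:
    # ports:
    #   - "127.0.0.1:27017:27017"

  mosquitto:
    # Official Eclipse Foundation build instead of a third-party one.
    # Tag is an example.  Note that this broker runs without authentication,
    # exactly as the setup the PR discusses; do not publish 1883 externally.
    image: eclipse-mosquitto:1.4

  nightscout:
    # Build the application from the upstream repository on every "up --build"
    # instead of pulling a prebuilt image from a stale fork.  Compose v3
    # accepts a git URL as the build context; the Dockerfile at the root of
    # the checked-out repository is used.  Repository URL is an assumption.
    build:
      context: https://github.com/nightscout/cgm-remote-monitor.git
    depends_on:
      - mongo
      - mosquitto
    environment:
      # Variable names assumed from the Nightscout README.
      MONGO_CONNECTION: mongodb://mongo:27017/nightscout
      # Replace with a long random value; Nightscout derives API access from it.
      API_SECRET: change-me-to-a-long-random-secret
    ports:
      # Nightscout's default listening port (assumed); put a TLS-terminating
      # reverse proxy in front of it rather than exposing it directly.
      - "1337:1337"

volumes:
  mongo-data:
```

Run it with `docker-compose up --build` from the directory containing the file; the `--build` flag is what forces a fresh clone and build of the upstream repository instead of reusing an earlier image.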