nginx baked into the docker image

[edheliel]

Current State

The docker image comes with nginx reverse proxy baked in and opens container port 80.

Issue description

• binding to lower ports requires privileges and I assume this is why the container runs as root, which is not a good security practice
  and also breaks the container if you want to deploy it on kubernetes with runAsUser as you won't have those privileges
• On production like deployments or microservice based deployments you usually have an IngressController or a separate reverse proxy that would deal with SSL termination

Conclusion

• Removing nginx from the docker container would improve the state of the application in several ways
• The documentation already talks about reverse proxies and how to set them up for otterwiki

PS: Unless there is some other reason why nginx is inside of the docker image, for me seems reasonable to not ship the container with nginx and rather use smaller more secure container image like alpine or the likes

If this is on your radar I am also happy to help

[redimp]

Hey @edheliel, thank you for bringing this up.

The image has nginx bundled originally out of two reasons:

1. Serving static files, doing this with flask is highly inefficient and with uwsgi alone I did not manage to find a performant solution, but I have not tried this again and it maybe worth a shot.
2. For convinience with nginx bundled it's easy to deploy the image standalone. The 10MB of wasted memory are in my opinion bearable.

I agree with the point of running an unpriviliged user and an overall smaller image.

This might cause a problem that I want to avoid: breaking backwards compability. So that An Otterwiki user breaks an existing installation because of a change in ports.

Thinking about it: Maybe an extra released "slim" image, with a matching tag like otterwiki:2.x.y-slim would be a conceivable middle ground?

[edheliel]

Hi @redimp,

Sorry for the late reply, life happened.
I agree that maybe going for 2 different versions of the docker image is the way to go so everyone can choose what they feel is the right thing for them.

[redimp]

For testing the slim docker image is available as: redimp/otterwiki:dev-2.4.3-alpine-slim

The size of the compressed image for e.g. amd64 was (accoording to hub.docker.com) reduced from 167.04 MB to 67.69 MB.

The amount of memory consumed is reduced by approx. 25 MB for amd64, due to skipping both nginx and supervisord.

[redimp]

Did some testing, looks promising. Just switched otterwiki.com with the release of 2.4.4 to the slim image.

Open task: Update the documentation.

[jtru]

FWIW, I think the hard dependency on nginx-1.25.3 in

otterwiki/Dockerfile

Line 4 in 6726412

FROM nginx:1.25.3 AS compile-stage

and

otterwiki/Dockerfile

Line 51 in 6726412

FROM nginx:1.25.3

is what is "the most wrong" about the current approach, and you should depend on stable-bookworm instead.

[redimp]

The documentation howto use the slim image can be found here: https://otterwiki.com/Installation#the-slim-image-variant

I also addressed to base image used, as @jtru suggested in e8fb063