refactor(docker): Adjust CouchDB configurations

Since new Docker approach to use upstream Tomcat container startup,
CouchDB is not anymore monitored by entry point script. This comes in
handy as original configuration was subpar to newest versions.

Now CouchDB container is started with proper process configuring itself
as single node and creating the necessary infra automatically.

Admin user is no longer set on the compose command, but from the
config/couchdb ini files.

Signed-off-by: Helio Chissini de Castro <[email protected]>

.github/testForLicenseHeaders.sh

@@ -47,7 +47,8 @@ done <<< "$(git ls-files \
     | grep -v 'default_secrets' \
     | grep -v 'requirements.txt' \
     | grep -Ev 'third-party/couchdb-lucene/*' \
-    | grep -Ev '*/asciidoc/*')"
+    | grep -Ev '*/asciidoc/*' \
+    | grep -Ev 'config/*')" \
 
 if [ "$failure" = true ]; then
     echo "test failed"

.github/workflows/docker_deploy.yml

@@ -110,7 +110,7 @@ jobs:
             THRIFT_VERSION=${{ env.THRIFT_VERSION }}
             SW360_VERSION=${{ env.SHORT_SHA }}
           secret-files: |
-            "sw360=./scripts/docker-config/default_secrets"
+            "couchdb=./config/couchdb/default_secrets"
           build-contexts: |
             thrift=docker-image://${{ env.REGISTRY }}/${{ github.repository }}/thrift:${{ env.THRIFT_VERSION }}
 

.gitignore

@@ -69,3 +69,6 @@ tmp/**/*
 .DS_Store
 
 .python-version
+
+# Local logs for dev runtime
+logs

Dockerfile

@@ -87,10 +87,10 @@ COPY --from=localthrift /usr/local/bin/thrift /usr/bin
 
 RUN --mount=type=bind,target=/build/sw360,rw \
     --mount=type=cache,target=/root/.m2 \
-    --mount=type=secret,id=sw360 \
+    --mount=type=secret,id=couchdb \
     cd /build/sw360 \
     && set -a \
-    && source /run/secrets/sw360 \
+    && source /run/secrets/couchdb \
     && envsubst < scripts/docker-config/couchdb.properties.template | tee scripts/docker-config/etc_sw360/couchdb.properties \
     && set +a \
     && cp scripts/docker-config/etc_sw360/couchdb.properties build-configuration/resources/ \

README_DOCKER.md

@@ -1,5 +1,7 @@
 # SW360 Docker
 
+> **WARNING**: This readme refers to main branch. [This is the Docker documentation for stable 18.x series](https://github.com/eclipse-sw360/sw360/blob/releases/18/README_DOCKER.md)
+
 ## Table of Contents
 
 [Building](#building)
@@ -8,7 +10,6 @@
 
 [Extra Configurations](#configurations)
 
-
 ## Building
 
 * Install Docker recent version
@@ -21,26 +22,28 @@
     ```
 
     If you want to specify [CVE-Search](https://github.com/cve-search/cve-search) host at build time, run as follows:
+
     ```sh
     ./docker_build.sh --cvesearch-host <HOST_URL>
     ```
-    The `<HOST_URL>` above should be `http://<YOUR_SERVER_HOST>:<PORT>` style, 
-    or it can be https://cvepremium.circl.lu for testing purposes only.
 
+    The `<HOST_URL>` above should be `http://<YOUR_SERVER_HOST>:<PORT>` style, 
+    or it can be [https://cvepremium.circl.lu](https://cvepremium.circl.lu) for testing purposes only.
 
     The script will build multiple intermediary images.
     Subsequent builds will only build the differences
 
     To configure couchdb, create a file containing the necessary credentials.
 
     A template of this file can be found in:
-    `scripts/docker_config/default_secrets`
+    `config/couchdb/default_secrets`
 
     Example:
+
     ```ini
     COUCHDB_URL=http://couchdb:5984
-    COUCHDB_USER=admin
-    COUCHDB_PASSWORD=password
+    COUCHDB_USER=sw360
+    COUCHDB_PASSWORD=sw360fossie
     ```
 
     To pass your file during build export a variable called **SECRETS** pointing to your file
@@ -51,56 +54,64 @@
 
     It's suggested though to configure docker system wide ( require super user privileges )
 
-    * systemd based
-      If you are using a regular systemd based docker:
-      * Create the following file **http_proxy.conf** on the directory `/etc/systemd/system/docker.service.d/`
+  * systemd based
+    If you are using a regular systemd based docker:
+    * Create the following file **http_proxy.conf** on the directory `/etc/systemd/system/docker.service.d/`
 
-      ```ini
-      [Service]
-      Environment="HTTP_PROXY=<your_proxy>"
-      Environment="HTTPS_PROXY=<your_proxy>"
-      Environment="NO_PROXY=<your_proxy>"
-      ```
+    ```ini
+    [Service]
+    Environment="HTTP_PROXY=<your_proxy>"
+    Environment="HTTPS_PROXY=<your_proxy>"
+    Environment="NO_PROXY=<your_proxy>"
+    ```
 
-       * Do a regular systemctl daemon-reload and systemctl restart docker
+    * Do a regular systemctl daemon-reload and systemctl restart docker
 
 * Volumes
 
-    By default couchdb, postgres and sw360 have their own storage volumes:
+  By default couchdb, postgres and sw360 have their own storage volumes:
 
-    **Postgres**
-    ```yml
-    - postgres:/var/lib/postgresql/data/
-    ```
+  **CouchDB**
 
-    **CouchDB**
-    ```yml
-    - couchdb:/opt/couchdb/data
-    ```
+  ```yml
+  - couchdb:/opt/couchdb/data
+  ```
 
-    **sw360**
-    ```yml
-    - etc:/etc/sw360
-    - webapps:/app/sw360/tomcat/webapps
-    - document_library:/app/sw360/data/document_library
-    ```
-    There is a local mounted as binded dir volume to add customizations
-    ```yml
-    - ./config:/app/sw360/config
-    ```
+  **sw360**
 
-    If you want to override all configs, create a docker env file  and alter for your needs.
+  ```yml
+  - etc:/etc/sw360
+  - webapps:/app/sw360/tomcat/webapps
+  - document_library:/app/sw360/data/document_library
+  ```
 
-    Then just rebuild the project with **-env env_file** option
+  There is a local mounted as binded dir volume to add customizations
 
+  **sw360**
+
+  ```yml
+  - ./config:/app/sw360/config
+  ```
+
+  **couchdb**
+
+  ```yml
+  - ./config/couchdb/sw360_setup.ini:/opt/couchdb/etc/local.d/sw360_setup.ini
+  - ./config/couchdb/sw360_log.ini:/opt/couchdb/etc/local.d/sw360_log.ini
+  - ./config/couchdb/sw360_sw360.ini:/opt/couchdb/etc/local.d/sw360_admins.ini
+  - ./logs/couchdb:/opt/couchdb/log
+  ```
+
+  If you want to override all configs, create a docker env file  and alter for your needs.
+
+  Then just rebuild the project with **-env env_file** option
 
 ## Networking
 
 This composed image runs under a single default network, called **sw360net**
 
 So any external docker image can connect to internal couchdb or postgresql through this network
 
-
 ## Running the image first time
 
 * Run the resulting image:
@@ -127,22 +138,20 @@ So any external docker image can connect to internal couchdb or postgresql throu
 [SW360 Initial Setup Configuration](https://eclipse.dev/sw360/docs/deployment/legacy/deploy-liferay7.4/)
 
 ## Fossology
+
 For docker based approach, is recommended use official [Fossology docker image](https://hub.docker.com/r/fossology/fossology/)
 
 This is the steps to quick perform this:
 
 ```sh
-# Create Fossology database on internal postgres
-docker exec -it sw360_postgresdb_1 createdb -U liferay -W fossology
-
 # Start Fossology container connected to sw360 env
 docker run \
     --network sw360net \
     -p 8081:80 \
     --name fossology \
-    -e FOSSOLOGY_DB_HOST=postgresdb \
-    -e FOSSOLOGY_DB_USER=liferay \
-    -e FOSSOLOGY_DB_PASSWORD=liferay \
+    -e FOSSOLOGY_DB_HOST=<your_db_host> \
+    -e FOSSOLOGY_DB_USER=<your_db_user> \
+    -e FOSSOLOGY_DB_PASSWORD=<your_db_password> \
     -d fossology/fossology
 ```
 
@@ -159,86 +168,21 @@ This will pull/start the fossology container and made it available on the host m
   * Add the id of folder. The default id is **1** (Software Repository). You can get the ID of the folder you want from the folder URL in Fossology
   * Add your obtained Token from Fossology
 
-
 ## Configurations
 
-By default, docker image of sw360 runs without internal web server and is assigned to be on port 8080. This is configured on *portal-ext.properties*
+By default, docker image of sw360 runs without internal web server and is assigned to be on port 8080.
 
 Here's some extra configurations that can be useful to fix some details.
 
-### Customize portal-ext
-
-The config file __portal-ext.properties__ overrides a second file that can be created to add a custom configuration with all data related to your necessities.
-
-This file is called __portal-sw360.properties__
-
-To add your custom configs, create this file under config dir on project root like this ( or with your favorite editor):
-
-```sh
-cd <sw360_source>
-mkdir config
-cat "company.default.name=MYCOMPANY" > config/sw360-portal-ext.properties
-```
-
-Docker compose will treat config as a bind volume dir and will expose to application.
-
-
-### Make **HTTPS** default
-
-Modify the following line on your custom __portal-sw360.properties__ to https:
-
-```ini
-web.server.protocol=https
-```
-
-### CSS layout looks wrong or using non standard ports
-
-If you do not use an external web server with redirection ( see below ), you may find the main CSS theme scrambled ( not properly loaded ) or you are using a different port
-
-This happens because current Liferay used version try to access the theme using only canonical hostname, without the port assigned, so leading to an invalid CSS url.
-
-To fix, you will need to change __portal-sw360.properties__ ( as described above ) with the following extra values:
-
-```ini
-# For different hostname redirection
-web.server.host=<your ip/host of docker>
-# For HTTP non standard 80 port
-web.server.http.port=<your_http_port>
-# For HTTPS non standard 443 port
-web.server.https.port=<your_https_port>
-```
-
-This will tell liferay where is your real host instead of trying to guess the wrong host.
-
-
-### Nginx config for reverse proxy and X-Frame issues on on host machine ( not docker )
-
-For nginx, assuming you are using default config for your sw360, this is a simple configuration for root web server under Ubuntu.
-
-```nginx
-     location / {
-         resolver 127.0.0.11 valid=30s;
-         proxy_pass http://localhost:8080/;
-         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-         proxy_set_header Host $http_host;
-         proxy_set_header X-Forwarded-Proto https;
-         proxy_redirect off;
-         proxy_read_timeout 3600s;
-         proxy_hide_header X-Frame-Options;
-         add_header X-Frame-Options "ALLOWALL";
-     }
-```
-
-***WARNING*** - X-frame is enabled wide open for development purposes. If you intend to use the above config in production, remember to properly secure the web server.
-
-### Liferay Redirects
+### CouchDB
 
-Liferay by default for security reasons do not allow redirect for unknown ips/domains, so is necessary to add your domain or ip to the redirect allowed lists in the Liferay Control Panel
+CouchDB in compose runs with one standard admin user in a single node setup, user **sw360** and password **sw360fossy**
 
-As admin, go to Control Panel -> Instance Settings -> Content Data -> Pages
+To modify the entries and setup, you have two possible options:
 
-Decide to use:
+* Modify `config/couchdb/docker.ini` in main source tree
+* Create a new `.ini` file, add to `config/couchdb/` folder and add as a mounted volume file in docker compose
 
-**IP based** - List of ips you want to allow tro redirect
+For logging, they are now file based on local source folder `logs/couchdb` and the base configuration is in `config/couchdb/log.ini`.
 
-**Domain based** - List of domains you want to allow redirect
+You can find [CouchDB configuration docs here](https://docs.couchdb.org/en/stable/config/index.html)

config/couchdb/default_secrets

@@ -0,0 +1,3 @@
+COUCHDB_URL=http://couchdb:5984
+COUCHDB_USER=sw360
+COUCHDB_PASSWORD=sw360fossie

config/couchdb/sw360_admins.ini

@@ -0,0 +1,2 @@
+[admins]
+sw360 = -pbkdf2-4f19e6656a3bf5007abf6992454a8b02d879f7a1,28ce0d2e70470c96fb8c4088e25b4a75,10

config/couchdb/sw360_log.ini

@@ -0,0 +1,3 @@
+[log]
+writer = file
+file = /opt/couchdb/log/couch.log

config/couchdb/sw360_setup.ini

@@ -0,0 +1,6 @@
+[couchdb]
+single_node=true
+uuid = cfe0623d0971253d94d2356a20b24a44
+
+[chttpd_auth]
+secret = 255383817d1a5df881e99cc995a2b200

docker-compose.yml

@@ -22,31 +22,30 @@ services:
     tty: true
     volumes:
       - etc:/etc/sw360
-      - document_library:/app/sw360/data/document_library
-      - ./config:/app/sw360/config
+      - ./config/sw360:/app/sw360/config
 
   couchdb:
     image: couchdb
     restart: unless-stopped
     environment:
-      - COUCHDB_USER=admin
-      - COUCHDB_PASSWORD=password
       - COUCHDB_CREATE_DATABASE=yes
     ports:
       - "5984:5984"
     volumes:
       - couchdb:/opt/couchdb/data
+      - ./config/couchdb/sw360_setup.ini:/opt/couchdb/etc/local.d/sw360_setup.ini
+      - ./config/couchdb/sw360_log.ini:/opt/couchdb/etc/local.d/sw360_log.ini
+      - ./config/couchdb/sw360_admins.ini:/opt/couchdb/etc/local.d/sw360_admins.ini
+      - ./logs/couchdb:/opt/couchdb/log
     healthcheck:
       test: ["CMD-SHELL", "curl --fail -s http://couchdb:5984/_up"]
       interval: 30s
       timeout: 5s
       retries: 5
 
 volumes:
-  postgres: null
   couchdb: null
   etc: null
-  document_library: null
 
 networks:
   default:

docker_build.sh

@@ -48,7 +48,7 @@ set -e -o pipefail
 . .versions
 
 DOCKER_IMAGE_ROOT="${DOCKER_IMAGE_ROOT:-ghcr.io/eclipse-sw360}"
-SECRETS=${SECRETS:-"$PWD/scripts/docker-config/default_secrets"}
+SECRETS=${SECRETS:-"$PWD/config/couchdb/default_secrets"}
 export DOCKER_PLATFORM DOCKER_IMAGE_ROOT GIT_REVISION SECRETS
 
 # ---------------------------
@@ -80,7 +80,7 @@ image_build localthrift sw360/thrift "$THRIFT_VERSION" --build-arg THRIFT_VERSIO
 image_build sw360test sw360/test "$SW360_VERSION" "$@"
 
 image_build binaries sw360/binaries "$SW360_VERSION" --build-arg MAVEN_VERSION="$MAVEN_VERSION" \
---secret id=sw360,src="$SECRETS" \
+--secret id=couchdb,src="$SECRETS" \
 --build-context "thrift=docker-image://${DOCKER_IMAGE_ROOT}/sw360/thrift:$THRIFT_VERSION" "$@"
 
 image_build sw360 sw360 "$SW360_VERSION" \