From b3e7de763b130afc4c92db0f4acca4b9000de19b Mon Sep 17 00:00:00 2001 From: Ivan Skachkov Date: Sun, 27 Sep 2020 19:33:25 +0200 Subject: [PATCH] Fix social login using vk when run in production * by specifying good dns for backend service; * specify/upgrade versions of base docker images (java 12 -> 14, postgres 12, node 12 -> 14); * specify "expose" to see which port(s) are relevant for specific image; * track efforts put into configuring and using Tor proxy (for possible future reference); * update cpu limits. --- better-dating-backend/Dockerfile | 4 +- better-dating-backend/build.gradle.kts | 4 +- .../backend/BackendApplication.kt | 1 - .../backend/configuration/security.kt | 4 +- better-dating-caching/Dockerfile | 2 +- better-dating-database/Dockerfile | 2 +- better-dating-frontend/Dockerfile | 5 ++- better-dating-proxy/Dockerfile | 2 +- better-dating-tor/Dockerfile | 27 +++++++++++++ better-dating-tor/healthcheck.sh | 9 +++++ better-dating-tor/tor-notes.md | 39 +++++++++++++++++++ better-dating-tor/torrc | 1 + docker-compose.yml | 15 +++---- docs/prod-setup.md | 1 + docs/tasks.md | 11 +++--- scripts/dev-aliases.sh | 4 +- scripts/status-check.sh | 2 +- scripts/troubleshooting.sh | 2 +- 18 files changed, 107 insertions(+), 28 deletions(-) create mode 100644 better-dating-tor/Dockerfile create mode 100644 better-dating-tor/healthcheck.sh create mode 100644 better-dating-tor/tor-notes.md create mode 100644 better-dating-tor/torrc diff --git a/better-dating-backend/Dockerfile b/better-dating-backend/Dockerfile index a49239a..47c2959 100755 --- a/better-dating-backend/Dockerfile +++ b/better-dating-backend/Dockerfile 
@@ -1,11 +1,12 @@ # https://unix.stackexchange.com/questions/127076/into-which-directory-should-i-install-programs-in-linux -FROM openjdk:12-alpine +FROM openjdk:14-jdk-alpine # https://hub.docker.com/_/alpine/ # https://wiki.alpinelinux.org/wiki/How_to_get_regular_stuff_working RUN apk add --no-cache curl # https://docs.docker.com/engine/reference/builder/#healthcheck COPY ./build/libs/backend-0.0.1-SNAPSHOT.jar /opt/backend.jar + CMD ["sh", "-c", "java -XX:+UnlockExperimentalVMOptions \ -XX:+UseContainerSupport -XX:InitialRAMPercentage=50.0 \ -XX:MinRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0 -Dreactor.netty.http.server.accessLogEnabled \ @@ -19,5 +20,6 @@ CMD ["sh", "-c", "java -XX:+UnlockExperimentalVMOptions \ --datasource.url=\"r2dbc:postgresql://$DB_HOST/$DB_NAME\" \ --datasource.username=$DB_USER --passwordfiles.db=$DB_PASSWORD_FILE"] +EXPOSE 8080 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=15s \ CMD curl -f http://localhost:8080/actuator/health || exit 1 diff --git a/better-dating-backend/build.gradle.kts b/better-dating-backend/build.gradle.kts index 2a9fcf0..43d5fcf 100755 --- a/better-dating-backend/build.gradle.kts +++ b/better-dating-backend/build.gradle.kts @@ -19,7 +19,7 @@ plugins { group = "ua.betterdating" version = "0.0.1-SNAPSHOT" -java.sourceCompatibility = JavaVersion.VERSION_12 +java.sourceCompatibility = JavaVersion.VERSION_14 repositories { mavenLocal() @@ -88,7 +88,7 @@ dependencies { tasks.withType { kotlinOptions { - jvmTarget = "12" + jvmTarget = "14" freeCompilerArgs = listOf("-Xjsr305=strict", "-Xjvm-default=enable") } } diff --git a/better-dating-backend/src/main/kotlin/ua/betterdating/backend/BackendApplication.kt b/better-dating-backend/src/main/kotlin/ua/betterdating/backend/BackendApplication.kt index e619d8e..62b24a6 100644 --- a/better-dating-backend/src/main/kotlin/ua/betterdating/backend/BackendApplication.kt +++ b/better-dating-backend/src/main/kotlin/ua/betterdating/backend/BackendApplication.kt 
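Review bot: `FROM openjdk:14-jdk-alpine` is the one base-image change in this commit that stays on a floating tag, while redis, postgres, node and nginx are pinned to exact builds (`6.0.8`, `12.4`, `14.11.0`, `1.19.2`); pin the JDK the same way so the backend image is reproducible. With the JVM now at 14, `UseContainerSupport` and the `*RAMPercentage` flags on the CMD context line are product flags (they have been since JDK 10), so the `-XX:+UnlockExperimentalVMOptions` in front of them is a leftover that can be dropped. No `USER` directive is visible in either hunk, so the JVM appears to run as root; the new tor image in this same commit shows the `USER` pattern to copy. The CMD string continues between the two hunks, outside what is shown.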
@@ -2,7 +2,6 @@ package ua.betterdating.backend
 
 import org.springframework.data.r2dbc.core.R2dbcEntityTemplate
 import org.springframework.fu.kofu.reactiveWebApplication
-import org.springframework.r2dbc.core.DatabaseClient
 import ua.betterdating.backend.configuration.dataConfig
 import ua.betterdating.backend.configuration.mailConfig
 import ua.betterdating.backend.configuration.webConfig
diff --git a/better-dating-backend/src/main/kotlin/ua/betterdating/backend/configuration/security.kt b/better-dating-backend/src/main/kotlin/ua/betterdating/backend/configuration/security.kt
index ff919df..770f770 100644
--- a/better-dating-backend/src/main/kotlin/ua/betterdating/backend/configuration/security.kt
+++ b/better-dating-backend/src/main/kotlin/ua/betterdating/backend/configuration/security.kt
@@ -235,8 +235,8 @@ class OAuth2SimpleAuthenticationManager(
 emailRepository.updateMono(profile)
 } else {
 Mono.empty()
-}.then(roleRepository.findAllMono(profile.id).map {
- roles -> createAuth(profile.id.toString(), roles)
+ }.then(roleRepository.findAllMono(profile.id).map { roles ->
+ createAuth(profile.id.toString(), roles)
 })
 }.switchIfEmpty(Mono.error(EmailNotRegisteredException(email)))
 }
diff --git a/better-dating-caching/Dockerfile b/better-dating-caching/Dockerfile
index 68c9799..e6f5162 100644
--- a/better-dating-caching/Dockerfile
+++ b/better-dating-caching/Dockerfile
@@ -1,4 +1,4 @@
-FROM redis:alpine
+FROM redis:6.0.8-alpine
 COPY redis.conf /usr/local/etc/redis/redis.conf
 CMD [ "redis-server", "/usr/local/etc/redis/redis.conf" ]
 HEALTHCHECK --interval=30s --timeout=15s --retries=3 \
diff --git a/better-dating-database/Dockerfile b/better-dating-database/Dockerfile
index cf677c4..16e8bd2 100644
--- a/better-dating-database/Dockerfile
+++ b/better-dating-database/Dockerfile
@@ -1,4 +1,4 @@ -FROM postgres:alpine +FROM postgres:12.4-alpine COPY healthcheck.sh /scripts/healthcheck.sh HEALTHCHECK --interval=30s --timeout=15s --retries=3 \ CMD bash /scripts/healthcheck.sh || exit 1 diff --git a/better-dating-frontend/Dockerfile b/better-dating-frontend/Dockerfile index ed58807..ae33a04 100644 --- a/better-dating-frontend/Dockerfile +++ b/better-dating-frontend/Dockerfile @@ -1,4 +1,4 @@ -FROM node:12-slim AS builder +FROM node:14.11.0-slim AS builder # https://stackoverflow.com/questions/50126741/how-to-remove-intermediate-images-from-a-build-after-the-build LABEL stage=builder @@ -12,11 +12,12 @@ COPY ./src /app/src RUN cd /app && npm i && NEXT_APP_UPDATED="$(date -u --iso-8601=seconds)" npm run build -FROM node:12-alpine +FROM node:14.11.0-alpine RUN apk add --no-cache curl COPY --from=builder /app /app WORKDIR /app CMD ["sh", "-c", "BACKEND_HOST=http://bd-backend:8080 PORT=8080 npm run prod"] +EXPOSE 8080 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=10s \ CMD curl -f http://localhost:8080/healthcheck || exit 1 diff --git a/better-dating-proxy/Dockerfile b/better-dating-proxy/Dockerfile index 26a17f8..a1ec245 100644 --- a/better-dating-proxy/Dockerfile +++ b/better-dating-proxy/Dockerfile @@ -1,5 +1,5 @@ # https://hub.docker.com/_/nginx -FROM nginx:alpine +FROM nginx:1.19.2-alpine RUN apk add --no-cache curl COPY nginx.conf /etc/nginx/nginx.conf diff --git a/better-dating-tor/Dockerfile b/better-dating-tor/Dockerfile new file mode 100644 index 0000000..aa71a45 --- /dev/null +++ b/better-dating-tor/Dockerfile 
@@ -0,0 +1,27 @@
+# [Running Tor Proxy with Docker](https://dev.to/nabarun/running-tor-proxy-with-docker-56n9)
+
+# set alpine as the base image of the Dockerfile
+FROM alpine:3.12.0
+
+# install Tor and curl
+RUN apk add --no-cache tor curl
+
+# Copy over the torrc created above and set the owner to `tor`
+COPY torrc /etc/tor/torrc
+RUN chown -R tor /etc/tor
+
+# Set `tor` as the default user during the container runtime
+USER tor
+
+# Set `tor` as the entrypoint for the image
+ENTRYPOINT ["tor"]
+
+EXPOSE 9050
+
+# Set the default container command
+# This can be overridden later when running a container
+CMD ["-f", "/etc/tor/torrc"]
+
+COPY healthcheck.sh /scripts/healthcheck.sh
+HEALTHCHECK --interval=30s --timeout=15s --retries=3 --start-period=20s \
+ CMD sh /scripts/healthcheck.sh || exit 1
diff --git a/better-dating-tor/healthcheck.sh b/better-dating-tor/healthcheck.sh
new file mode 100644
index 0000000..111c3b0
--- /dev/null
+++ b/better-dating-tor/healthcheck.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# [How to check if Tor is working and debug the problem on CLI?](https://tor.stackexchange.com/questions/12678/how-to-check-if-tor-is-working-and-debug-the-problem-on-cli)
+status=$(curl --socks5 localhost:9050 --socks5-hostname localhost:9050 -s https://check.torproject.org/ | cat | grep -m 1 Congratulations | wc -l)
+
+if [ $status -eq 1 ]; then
+ exit 0
+fi;
+
+exit 1
\ No newline at end of file
diff --git a/better-dating-tor/tor-notes.md b/better-dating-tor/tor-notes.md
new file mode 100644
index 0000000..4f75081
--- /dev/null
+++ b/better-dating-tor/tor-notes.md
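Review bot: `RUN chown -R tor /etc/tor` gives the runtime user write access to its own configuration, which the process does not need: `COPY torrc /etc/tor/torrc` already leaves the file root-owned and world-readable, which is all `tor -f /etc/tor/torrc` requires. Dropping the `chown` keeps the config read-only for the `tor` user, so a compromised process cannot rewrite its `SocksPort` or policy settings for the next restart. `/scripts/healthcheck.sh` is copied the right way, without ownership changes; a one-line comment above the `COPY torrc` saying `# torrc stays root-owned, read-only for the tor user` would make the intent explicit.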
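Review bot: the `curl` in the `status=$(...)` line has no `--max-time`, so when a circuit hangs the probe is only ended by Docker's 15 s `--timeout` and is counted as a failure without a useful exit status; `--socks5 localhost:9050` is also overridden by the later `--socks5-hostname`, and `| cat |` plus `grep -m 1 … | wc -l` compute a line count where a boolean is wanted. The script body reduces to one command whose exit status is the healthcheck result: `curl -s --max-time 10 -x socks5h://localhost:9050 https://check.torproject.org/ | grep -q Congratulations`. Worth a comment that this probe makes a real request through the Tor network on every interval and depends on an external site being reachable, e.g. `# probe: real exit through Tor to check.torproject.org on every interval`.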
@@ -0,0 +1,39 @@ +# Tor (for development/test environment) +1. [Setting up Tor Proxy and Hidden Services in Linux](https://www.devdungeon.com/content/setting-tor-proxy-and-hidden-services-linux) +2. [Using CURL with TOR as a Proxy on CentOs](https://stackoverflow.com/questions/39257293/using-curl-with-tor-as-a-proxy-on-centos) + + +## docker-compose.yml +``` + bd-tor: + build: ./better-dating-tor + image: skivol/better-dating-tor:latest + container_name: "bd-prod-tor" + deploy: + resources: + limits: + cpus: '0.25' + memory: 50M + reservations: + cpus: '0.05' + memory: 20M + restart_policy: + condition: any + delay: 10s + max_attempts: 2 + window: 120s +``` + +## reactor-netty +``` +private fun proxyConnector(proxySettings: ProxySettings): ReactorClientHttpConnector { + // inspired by https://github.com/reactor/reactor-netty/issues/887 + val httpClient = HttpClient.create() + .proxy { + it.type(ProxyProvider.Proxy.SOCKS5) + .host(proxySettings.host) + .port(proxySettings.port) + } + return ReactorClientHttpConnector(httpClient) +} +``` diff --git a/better-dating-tor/torrc b/better-dating-tor/torrc new file mode 100644 index 0000000..eed2835 --- /dev/null +++ b/better-dating-tor/torrc @@ -0,0 +1 @@ +SocksPort 0.0.0.0:9050 \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index ad39212..7344f2c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,7 +6,7 @@ version: '3.6' services: bd-redis: - build: ./better-dating-cache + build: ./better-dating-caching image: skivol/better-dating-cache:latest container_name: "bd-prod-redis" volumes: @@ -14,7 +14,7 @@ services: deploy: resources: limits: - cpus: '0.25' + cpus: '0.75' memory: 200M reservations: cpus: '0.10' @@ -40,11 +40,11 @@ services: deploy: resources: limits: - cpus: '0.50' + cpus: '0.75' memory: 256M reservations: cpus: '0.25' - memory: 120M + memory: 128M restart_policy: condition: any delay: 5s 
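Review bot: `SocksPort 0.0.0.0:9050` listens on every container interface with no `SocksPolicy`, so any container on the shared Docker network (and any host or remote client, should port 9050 ever be published) gets an unauthenticated open SOCKS proxy into Tor; Tor logs a warning for exactly this configuration. Restrict it to the network the backend actually uses: `SocksPolicy accept <backend-network-cidr>` followed by `SocksPolicy reject *`. tor-notes.md labels this as development/test only; a comment in torrc saying the same would stop the file being copied to production as-is.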
@@ -68,6 +68,7 @@ services: FACEBOOK_CLIENT_SECRET: "${FACEBOOK_CLIENT_SECRET}" VK_CLIENT_ID: "${VK_CLIENT_ID}" VK_CLIENT_SECRET: "${VK_CLIENT_SECRET}" + dns: 8.8.8.8 depends_on: - bd-postgres volumes: @@ -98,7 +99,7 @@ services: deploy: resources: limits: - cpus: '0.50' + cpus: '0.75' memory: 250M reservations: cpus: '0.25' @@ -124,10 +125,10 @@ services: deploy: resources: limits: - cpus: '0.50' + cpus: '0.75' memory: 50M reservations: - cpus: '0.15' + cpus: '0.10' memory: 20M restart_policy: condition: any diff --git a/docs/prod-setup.md b/docs/prod-setup.md index 0d5923c..607f08c 100644 --- a/docs/prod-setup.md +++ b/docs/prod-setup.md @@ -73,3 +73,4 @@ * Maybe someday: * [Postfix HOWTO](https://wiki.centos.org/HowTos/postfix); * [How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability](https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability); + \ No newline at end of file diff --git a/docs/tasks.md b/docs/tasks.md index 35c8ee2..cf0c678 100755 --- a/docs/tasks.md +++ b/docs/tasks.md @@ -1,7 +1,6 @@ -* Обновить сайт -* Обновить настройки приложения в Facebook & Vk -* Зарегистрироваться, добавить себе роль админа -* сообщить об этом в соц. сетях (создать страницы для приложения ?) +* создать "релиз" в гите +* (создать страницы для приложения ?) +* сообщить об этом в соц. сетях * Второй этап Цель встреч (поиск второй половинки) 
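Review bot: `dns: 8.8.8.8` fixes the VK login resolution per the commit message, but nothing in the file records why the backend alone gets a resolver override, so the next maintainer sees an unexplained change; put the reason next to it, e.g. `# VK social login failed in production with the host resolver (see b3e7de7); external lookups from this service go to Google DNS in plaintext`. A single resolver is also a single point of failure for every external lookup the backend makes (OAuth providers, mail); the list form `dns: [8.8.8.8, 8.8.4.4]` keeps the behaviour and adds a fallback. On the compose default network, container-name resolution should still go through Docker's embedded DNS, so the other services should be unaffected — worth confirming once deployed.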
@@ -30,7 +29,7 @@ * по приему никотина/алкоголя, внесемейным интимным отношениям / просмотру порно - у обоих должны соответствовать намерения (например, обое не намерены этими вещами заниматься в будущем, либо собираются продолжать это делать в той или иной мере). В случае с "неопределившимися" - они могут сочетаться со всеми вариантами. * единый тип внешности * либо один и тот же город, либо один из участников готов поехать в другой город для встречи - * язык + * единый родной язык(и), или готовность изучить родные языки друг друга ... * Просмотреть профиль другого учасника @@ -101,7 +100,7 @@ * consider using `redux-starter-kit` (https://redux-starter-kit.js.org) * consider reCAPCHA ? * Push notifications instead (or as an alternative?) of mail messages ? / Viber ? -* consider using Docker Registry +* consider using Docker Registry (https://hub.docker.com/) * consider registering Belarusian domain (.бел) * mail delivery service ? (e.g. https://pepipost.com/) diff --git a/scripts/dev-aliases.sh b/scripts/dev-aliases.sh index 314370c..da05520 100755 --- a/scripts/dev-aliases.sh +++ b/scripts/dev-aliases.sh @@ -110,13 +110,13 @@ prod-ssh-zsh() { } # https://stackoverflow.com/a/26226261 transfer-image() { - docker save skivol/better-dating-$1:latest | bzip2 | pv | prod-ssh 'bunzip2 | docker load' + docker save "skivol/better-dating-${1}:latest" | bzip2 | pv | prod-ssh 'bunzip2 | docker load' } alias bd-backend-transfer-image-to-prod="transfer-image backend" alias bd-ui-transfer-image-to-prod="transfer-image ui" alias bd-proxy-transfer-image-to-prod="transfer-image proxy" alias bd-database-transfer-image-to-prod="transfer-image database" -alias bd-transfer-images-to-prod='bd-backend-transfer-image-to-prod && bd-ui-transfer-image-to-prod && bd-proxy-transfer-image-to-prod' +alias bd-cache-transfer-image-to-prod="transfer-image cache" rsync-to-bd() { rsync $PROJECTS/better-dating/$1 $PROD_USER@$PROD:/home/$PROD_USER/bd/ 
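Review bot: the hunk drops the composite `bd-transfer-images-to-prod` alias at the same spot where the new `bd-cache-transfer-image-to-prod` is added, which reads as a replacement rather than an intended removal; if the composite was meant to stay, it should instead grow: `alias bd-transfer-images-to-prod='bd-backend-transfer-image-to-prod && bd-ui-transfer-image-to-prod && bd-proxy-transfer-image-to-prod && bd-cache-transfer-image-to-prod'`. The quoting fix in `transfer-image` is good; the `rsync-to-bd` context line just below still expands `$PROJECTS/better-dating/$1` and `$PROD_USER@$PROD` unquoted and deserves the same treatment: `rsync "$PROJECTS/better-dating/$1" "$PROD_USER@$PROD:/home/$PROD_USER/bd/"`. `rsync-to-bd` continues past the end of the hunk.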
diff --git a/scripts/status-check.sh b/scripts/status-check.sh index 22873f8..b9a44fd 100755 --- a/scripts/status-check.sh +++ b/scripts/status-check.sh @@ -5,7 +5,7 @@ healthyServices=$(docker ps --filter "health=healthy" --format "{{.ID}}" | wc -l) -if [ $healthyServices -ne 4 ]; then +if [ $healthyServices -ne 5 ]; then function now { echo $(date -u) } diff --git a/scripts/troubleshooting.sh b/scripts/troubleshooting.sh index 8ef208b..94eb177 100755 --- a/scripts/troubleshooting.sh +++ b/scripts/troubleshooting.sh @@ -13,7 +13,7 @@ # check number of healthy services healthyServices=$(docker ps --filter "health=healthy" --format "{{.ID}}" | wc -l) -if [ $healthyServices -eq 4 ]; then +if [ $healthyServices -eq 5 ]; then echo "Looks good!" else logFile=~/troubleshooting.log
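Review bot: the expected healthy-container count is a bare literal bumped from 4 to 5 in lockstep in both `scripts/status-check.sh` and `scripts/troubleshooting.sh`, with nothing saying what the five are (presumably backend, ui, proxy, database and cache, the images the transfer aliases name); the tor service in this same commit would make it six if it is ever deployed. Name it in each script, e.g. `expectedHealthy=5  # bd-prod-* containers with a HEALTHCHECK` and compare against that. The `docker ps --filter "health=healthy"` context line counts every healthy container on the host, so an unrelated container makes the check pass or fail for the wrong reason; adding `--filter "name=bd-prod-"` would scope it to this project. `$healthyServices` is unquoted in the test, harmless here only because `wc -l` always prints a number.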