- a oneshot s6 service called emoncms_pre creates the timeseries folders, fixes permissions and runs mysql_install_db if needed
- a oneshot s6 service called sql_ready initializes the emoncms database if needed and waits for mariadb to be running before the workers can start
Using environment variables, emoncms_pre.sh generates the following configuration files at startup:
- /etc/my.cnf
- emoncms settings.ini
- config.cfg for backup module
- backup.ini PHP extension
Even though the mariadb tables are initialised when the first user is created, as we are going to use something like docker compose we need the database structure to exist beforehand, so we still use emoncmsdbupdate.php.
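To illustrate the two startup guards above (a bounded wait for mariadb before the workers start, and the zoneinfo copy from $TZ that emoncms_pre performs, mentioned further down), here is an added POSIX shell example. It is not the image's own emoncms_pre or sql_ready script; the mysqladmin probe and the script path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added illustration of the startup guards described above; not the image's
# own emoncms_pre / sql_ready scripts.

# wait_for MAX_ATTEMPTS CMD [ARGS...]
# Runs CMD once per WAIT_DELAY seconds (default 1) until it succeeds or
# MAX_ATTEMPTS is reached. Returns 1 on timeout so the caller can abort
# instead of starting workers against a database that is not up.
wait_for() {
    max="$1"; shift
    attempt=0
    while [ "$attempt" -lt "$max" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "${WAIT_DELAY:-1}"
    done
    echo "timed out after $max attempts waiting for: $*" >&2
    return 1
}

# set_timezone TZ [ZONEINFO_DIR] [TARGET]
# Installs the zoneinfo file for TZ as TARGET (default /etc/localtime).
# TZ comes from the container environment, so an empty, absolute or
# path-traversing value is rejected rather than copied blindly, and an
# unknown zone fails here instead of leaving a broken /etc/localtime.
set_timezone() {
    tz="$1"; zdir="${2:-/usr/share/zoneinfo}"; target="${3:-/etc/localtime}"
    case "$tz" in
        ''|/*|*..*) echo "refusing TZ value '$tz'" >&2; return 1 ;;
    esac
    if [ ! -f "$zdir/$tz" ]; then
        echo "unknown timezone '$tz' (no $zdir/$tz)" >&2
        return 1
    fi
    cp "$zdir/$tz" "$target"
}

# Usage inside an s6 oneshot (assumed paths and probe; mysqladmin ping
# returns 0 as soon as the server answers, even before credentials work):
#   set_timezone "${TZ:-UTC}" || exit 1
#   wait_for 30 mysqladmin ping --silent || exit 1
#   php "$EMONCMS_DIR/scripts/emoncmsdbupdate.php"
```

Set WAIT_DELAY to tune the polling interval; the bounded attempt count is what turns a never-starting database into a visible failure of the oneshot rather than a hung container.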
ARGs (ARG only, not ENV) are:
- TARGETPLATFORM
- S6_OVERLAY_VERSION=3.1.6.2
- S6_SRC=https://github.com/just-containers/s6-overlay/releases/download
- S6_DIR=/etc/s6-overlay/s6-rc.d
- PRIMOS="apache2 redis mosquitto mariadb"
- SECONDOS="emoncms_mqtt service-runner feedwriter"
- REDIS_CONF=/etc/redis.conf
- USE_REDISPY_APK=1
- MOSQUITTO_PHP=https://github.com/openenergymonitor/Mosquitto-PHP
- EMONCMS_SRC=https://github.com/alexandrecuer/emoncms
- BRANCH=bios_master

| ENV | Dockerfile | makefile (used during build) | emoncms_pre | mysql_ready | ARG |
|---|---|---|---|---|---|
| DAEMON | 10 | 2 | | | |
| WWW | 9 | X | 2 | | |
| OEM_DIR | 6 | 2 | 1 | | |
| EMONCMS_DIR | 5 | X | 3 | | |
| EMONCMS_LOG_LOCATION | 4 | | | | |
| MQTT_CONF | 1 | 7 | | | |
| PHP_VER | 2 | | | | YES |
| PHP_CONF | 2 | 3 | | | YES |

| ENV | Dockerfile | makefile (used during build) | emoncms_pre | mysql_ready | ARG |
|---|---|---|---|---|---|
| TZ | 1 | | | | |
| EMONCMS_DATADIR | 15 | | | | |
| TS | 1 | | | | |
| MYSQL_DATABASE | 1 | 3 | | | |
| MYSQL_USER | 1 | 3 | | | |
| MYSQL_PASSWORD | 1 | 1 | | | |
| MQTT_USER | 2 | | | | |
| MQTT_PASSWORD | 2 | | | | |
| MQTT_HOST | 1 | | | | |
| MQTT_LOG_LEVEL | 1 | | | | |
| REDIS_BUFFER | 1 | | | | |
| EMONCMS_LOG_LEVEL | 1 | | | | |
| MQTT_BASETOPIC | 2 | | | | |
| MQTT_CLIENT_ID | 2 | | | | |
| HTTP_CONF | 5 | | | | |
| CRT_FILE | 1 | | | | |
| KEY_FILE | 1 | | | | |
| CUSTOM_APACHE_CONF | 1 | | | | |
| USE_HOSTNAME_FOR_MQTT_TOPIC_CLIENTID | 1 | | | | |
| CNAME | 1 | | | | |
| REVERSE_PROXY | 1 | | | | |

REVERSE_PROXY should be removed, as it is no longer needed: emoncms can work in ingress mode.
Python has introduced the concept of externally managed environments (PEP 668): python3.11 on alpine 3.19 follows it, so pip refuses to install packages into the system site-packages. For redis, the apk package py3-redis is therefore now used instead of the pip package (see the USE_REDISPY_APK build ARG).
- X-Content-Type-Options
- Strict-Transport-Security
- X-Frame-Options, to defend against clickjacking
- Referrer-Policy
- X-XSS-Protection (no longer honoured by current browsers; harmless, but it adds nothing for them)
- Permissions-Policy
Content-Security-Policy could not be added, as emoncms has far too much inline JavaScript!
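As an added check, not part of the image, the following POSIX shell function reads a raw header dump (for instance from `curl -skI https://my.domain.name`) and reports which of the six headers above are missing. The sample response embedded in it is constructed to look like what a container with these headers (and no Content-Security-Policy) would answer.

```sh
#!/bin/sh
# Added check, not part of the image: report which of the response headers
# listed above a server fails to send. Header names are matched
# case-insensitively, as HTTP allows either form.

REQUIRED_HEADERS="X-Content-Type-Options Strict-Transport-Security X-Frame-Options Referrer-Policy X-XSS-Protection Permissions-Policy"

# check_security_headers < raw-response-headers
# Prints "all required headers present" or "missing: <names>" and returns
# 0 or 1 accordingly. Typical use:
#   curl -skI https://my.domain.name | check_security_headers
check_security_headers() {
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=""
    for h in $REQUIRED_HEADERS; do
        lc=$(printf '%s' "$h" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$headers" | grep -q "^$lc:"; then
            missing="$missing $h"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "all required headers present"
}

# Constructed sample: what a container sending the six headers above (and,
# as noted, no Content-Security-Policy) would answer.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block
Permissions-Policy: geolocation=(), camera=(), microphone=()'

# Run the check on the sample when executed directly.
printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers
```

Run it against both the plain http port and the https port: Strict-Transport-Security is only meaningful on the https response, and a header that is set in one Apache vhost but not the other is a common way for one of the six to go missing.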
You can activate SSL on the emoncms standalone docker image using the new ENV vars CRT_FILE and KEY_FILE (paths inside the container, here provided by a bind-mounted directory):
```sh
sudo docker run --rm -p 8081:80 -p 8082:443 -p 7883:1883 -v /etc/ssl/certs/bios:/cert -e CRT_FILE=/cert/alexjunk.crt -e KEY_FILE=/cert/alexjunk.key -it emoncms:alpine3.18
```
If you want to access the service by its DNS name from a computer on your local network and your router doesn't support NAT loopback, add an entry to the hosts file of each machine you browse from:
- `127.0.0.1 my.domain.name` if the browsing machine is the same one that runs the service
- `192.168.1.33 my.domain.name` if the machine running the service has the local IP 192.168.1.33 and you browse from a different machine
This requires the container to be started with SSL enabled! The reverse proxy mentioned just after has nothing to do with it.
Please note that if you only wish to encrypt traffic on a local network, you don't need a valid domain name: self-signed certificates generated by openssl will do the trick, but the browser will consider the connection untrusted. Since the image also sends the Strict-Transport-Security header, once a browser has seen it for this host it will no longer let you click through the certificate warning, so import the self-signed certificate into the browser's or the OS's trust store rather than relying on a one-off exception.
```bash
openssl req -x509 -out alexjunk.crt -keyout alexjunk.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=my.domain.name' -extensions EXT -config <( \
  printf "[dn]\nCN=my.domain.name\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:my.domain.name\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
```
The `<( ... )` process substitution needs bash (it is not POSIX sh), and without a `-days` option the certificate only gets openssl's default validity of 30 days.
You should then access the service at https://my.domain.name
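Before mounting a pair as CRT_FILE/KEY_FILE it is worth checking that the key actually matches the certificate (Apache refuses to start otherwise) and that the host name is in the subjectAltName (browsers ignore the CN). The following added POSIX shell example, which is not part of the image, generates a pair the way the openssl command above does (with a 365-day validity instead of the 30-day default) and performs both checks; the directory and file names in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not part of the image): generate a self-signed pair the way
# the openssl command above does, then sanity-check it before mounting it as
# CRT_FILE / KEY_FILE.

# make_selfsigned DIR NAME : writes DIR/NAME.key and DIR/NAME.crt with a
# DNS subjectAltName for NAME (365-day validity is a choice made here)
make_selfsigned() {
    cfg="$1/$2.cnf"
    printf '[req]\ndistinguished_name = dn\n[dn]\nCN=%s\n[EXT]\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' "$2" "$2" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -extensions EXT -config "$cfg" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# cert_matches_key CRT KEY : 0 when the public key in CRT is the one derived
# from KEY (both are compared in SubjectPublicKeyInfo PEM form)
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT NAME : 0 when NAME appears as a DNS subjectAltName in CRT
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "DNS:$2"
}

# cert_fingerprint CRT : SHA-256 fingerprint, to compare with what the
# browser shows before you trust the self-signed certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Example (assumed paths): generate and check before starting the container.
#   make_selfsigned /etc/ssl/certs/bios my.domain.name
#   cert_matches_key /etc/ssl/certs/bios/my.domain.name.crt /etc/ssl/certs/bios/my.domain.name.key || exit 1
#   cert_has_san /etc/ssl/certs/bios/my.domain.name.crt my.domain.name || exit 1
#   cert_fingerprint /etc/ssl/certs/bios/my.domain.name.crt
```

The key/certificate comparison is done on the public keys rather than on an RSA modulus so it works unchanged for EC keys too.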
This is out of the scope of the docker changelog but you can secure your access from the outside
adding ARG BUILD_FROM
defining PHP_VER and PHP_CONF as ARG instead of ENV, so that both can be set at build time; this allows building for alpine:3.18 without changing anything else:
```sh
docker build -t emoncms:alpine3.18 --build-arg="BUILD_FROM=alpine:3.18" --build-arg="TARGETPLATFORM=linux/amd64" --build-arg="PHP_VER=81" --build-arg="PHP_CONF=/etc/php81/conf.d" .
```
note: PHP_CONF is also defined as an ENV at the end of the Dockerfile, as it is used by emoncms_pre
solving the timezone problem with the command `cp /usr/share/zoneinfo/$TZ /etc/localtime` in emoncms_pre
possibility to modulate the mqtt log level:
```sh
docker run --rm -it -p 8081:80 -p 7883:1883 -e MQTT_LOG_LEVEL="error warning information notice" themis:alpine3.16
docker run --rm -it -p 8081:80 -p 7883:1883 -e MQTT_LOG_LEVEL=notice themis:alpine3.16
```
