
Production Use Of Unfetter

Alchemist edited this page Sep 8, 2018 · 1 revision

UNFETTER builds in corporate environments

UNFETTER has been deployed in several corporate environments. The following are notes related to building and deploying. This includes configuring UNFETTER to pull from custom mirrors and proxies.

UNFETTER builds

At build time, UNFETTER requires a connection to base Docker images, Alpine Linux packages and NPM packages.

Docker images

UNFETTER Docker images are configured in every project's respective Dockerfile. Several of the images extend from the official Node distribution. This distribution uses Alpine Linux for a small image footprint. Additionally, the images use the Node 9.x releases. Node 8.9+ LTS should also work. Note that Node 6.10.+ LTS has also worked, but has not been tested in some time. We did expect to begin using the async and ES6 module imports natively in the Node 9.x and 8.9+ LTS series. In other words, the first line, FROM node:9.2-alpine, in the Dockerfile can be changed to better fit your organization.

Alpine Linux

UNFETTER Docker images are configured in every project's respective Dockerfile. UNFETTER extends Alpine Linux for a small image footprint. Note that Alpine Linux uses binaries built with musl libc. To configure your corporation's Alpine Linux package repository, custom mirror or proxy, go to the respective project's docker folder and edit the set-linux-repo.sh script. This script will be read when building the Docker image.

In other words, open set-linux-repo.sh, uncomment the following lines, and set the URLs to your organization's mirrors or proxy. This needs to be done for every project with a Dockerfile at its root.

# ALPINE_MAIN=http://dl-cdn.alpinelinux.org/alpine/v3.6/main
# ALPINE_COMMUNITY=http://dl-cdn.alpinelinux.org/alpine/v3.6/community
# mv $REPO_FILE $REPO_FILE.orig
# touch $REPO_FILE
# echo $ALPINE_MAIN >> $REPO_FILE
# echo $ALPINE_COMMUNITY >> $REPO_FILE

Please note that a similar technique will work if your preference is to use a different Linux distribution. Simply extend your preferred distro in the Dockerfile and set the package repo in set-linux-repo.sh. Note that package repos are not compatible across distros, i.e. Alpine Linux musl libc binaries will not work with a CentOS distro.

Node Package Manager

UNFETTER Docker images are configured in every project's respective Dockerfile. Several of the images extend from the official Node distribution. Therefore the image will have the npm (Node package manager) command installed. This command is used to build several of the backend and front end projects. To configure npm to use your organization's custom mirror or proxy, look for any reference to a docker/set-npm-repo.sh file. Once you find the file, uncomment and set your URL in the following lines.

# NPM_REPO=https://registry.npmjs.org/
# npm config set registry $NPM_REPO

A note on package-lock.json. Package lock is a file generated by the npm install command. npm recommends that projects check this file into the git repo. I have found that package-lock.json changes across mirrored npm repos, causing a great deal of work, including the UNABLE_TO_VERIFY_LEAF_SIGNATURE error. Therefore we have not included the package lock in our git repo or the Docker builds. If your organization fully vets a package lock and all of its dependencies and versions, you may consider adding the file back into your builds. Currently UNFETTER changes packages frequently and does not vet the packages other than through the GitHub package security vulnerability announcements.
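
Because the mirror edits described in the Alpine Linux and Node Package Manager sections have to be repeated in every project, a pre-build check helps catch a project that still points at the public defaults. The script below is an added example, not part of UNFETTER; the function names, the mirror.example.internal host, the HTTPS-only policy and the exact directory layout are assumptions.

```shell
# Added example, not UNFETTER code. Assumed layout: <project>/Dockerfile plus
# <project>/docker/set-linux-repo.sh and, for Node projects, set-npm-repo.sh.

# check_var FILE VAR HOST: print a finding and return 1 unless VAR has an
# uncommented assignment pointing at https://HOST/ (HTTPS is an assumed policy).
check_var() {
    file=$1 var=$2 host=$3
    [ -f "$file" ] || { echo "$file: script not found"; return 1; }
    # Last uncommented assignment wins, as it would when the script runs.
    url=$(sed -n "s/^[[:space:]]*$var=//p" "$file" | tail -n 1 | tr -d "\"'")
    [ -n "$url" ] || { echo "$file: $var is still commented out or missing"; return 1; }
    case $url in
        "https://$host"|"https://$host"/*) return 0 ;;
        http://*) echo "$file: $var uses plain http: $url"; return 1 ;;
        *) echo "$file: $var points outside $host: $url"; return 1 ;;
    esac
}

# audit_projects ROOT HOST: check every project under ROOT that has a
# Dockerfile at its root; the return status is the number of findings.
audit_projects() {
    root=$1 host=$2 findings=0
    for dockerfile in "$root"/*/Dockerfile; do
        [ -f "$dockerfile" ] || continue
        dir=${dockerfile%/Dockerfile}/docker
        check_var "$dir/set-linux-repo.sh" ALPINE_MAIN "$host" || findings=$((findings + 1))
        check_var "$dir/set-linux-repo.sh" ALPINE_COMMUNITY "$host" || findings=$((findings + 1))
        # Only Node-based projects carry an npm script.
        [ ! -f "$dir/set-npm-repo.sh" ] ||
            check_var "$dir/set-npm-repo.sh" NPM_REPO "$host" || findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample: "api" is fixed, "ui" is left at the shipped defaults.
make_sample() {
    mkdir -p "$1/api/docker" "$1/ui/docker"
    touch "$1/api/Dockerfile" "$1/ui/Dockerfile"
    m=https://mirror.example.internal/alpine/v3.6
    printf 'ALPINE_MAIN=%s/main\nALPINE_COMMUNITY=%s/community\n' "$m" "$m" > "$1/api/docker/set-linux-repo.sh"
    printf '# ALPINE_MAIN=http://dl-cdn.alpinelinux.org/alpine/v3.6/main\nALPINE_COMMUNITY=http://dl-cdn.alpinelinux.org/alpine/v3.6/community\n' > "$1/ui/docker/set-linux-repo.sh"
    printf 'NPM_REPO=https://registry.npmjs.org/\n' > "$1/ui/docker/set-npm-repo.sh"
}

# Audit a real checkout: sh audit.sh ROOT MIRROR_HOST
if [ "$#" -eq 2 ]; then audit_projects "$1" "$2"; exit $?; fi
```

Run against the constructed sample, the audit reports three findings for the "ui" project and none for "api".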

Build UNFETTER-UI

UNFETTER-UI is an Angular project. It makes use of Angular CLI, in addition to sass. Angular CLI and a sass binary are installed via the npm install command. When installing, npm will either look for a precompiled sass binary or will fetch and build a new binary. It is possible to prefetch the sass binary of your choice. It is also possible to configure node to fetch the node headers needed to build a binary for your specific arch and node version.

TODO: add env settings needed to achieve the above
TODO: list known compatible node sass binary versions to node versions. The install process will report a version mismatch for the patient

Security when running

When running the UNFETTER Docker stack, consider restricting Linux capabilities with Docker's cap options (--cap-drop / --cap-add). We will add more information here as we learn more. See https://rhelblog.redhat.com/2016/10/17/secure-your-containers-with-this-one-weird-trick/ for more information.

Kubernetes

Docker Edge now comes with Kubernetes support. Kubernetes does not seem to like our Docker Compose version 2.0 file format, and will not run the UNFETTER containers. The version 2.0 format is used to support older corporate environments. Hopefully we can discontinue the 2.0 support and move to a higher version soon, as we do plan to support Kubernetes.