
Conversation

@kdp-cloud
Collaborator

  • Update the seek images to the latest debian release: 13-trixie
  • Multi-stage building of the image, reducing the attack vector and the image size (<2GB)
  • Use MySQL 8.4 instead of 8.0
  • Patch python dependencies
  • Simplify docker compose file by introducing shared service declarations
  • Add health checks in docker compose file

@kdp-cloud kdp-cloud added this to the 1.18.0 milestone Nov 14, 2025
@kdp-cloud kdp-cloud self-assigned this Nov 14, 2025
@kdp-cloud kdp-cloud moved this to In progress in SEEK 1.18.x Nov 14, 2025
@kdp-cloud kdp-cloud requested a review from Copilot November 14, 2025 14:26
@kdp-cloud kdp-cloud marked this pull request as ready for review November 14, 2025 14:28
Copilot finished reviewing on behalf of kdp-cloud November 14, 2025 14:34


@kdp-cloud kdp-cloud requested review from fbacall and stuzart November 14, 2025 14:45
Member

@stuzart stuzart left a comment


docker-compose-relative-root.yml and docker-compose-virtuoso.yml will also need updating. The docker-compose-with-email.yml one can probably be got rid of.

@stuzart stuzart moved this from In progress to In review in SEEK 1.18.x Nov 25, 2025
@kdp-cloud
Collaborator Author

  • Permissions have been hardened so that only these locations have write permissions for the app user:
    • filestore/
    • log/
    • nginx.conf (created by the app user in entrypoint script)
    • /var/www/ (used by bundler)
    • public/
    • public/api/
    • sqlite3-db/
    • tmp/
  • The python packages are now read-only
  • Versions of GitHub actions are updated
  • Updated the .dockerignore file

@kdp-cloud kdp-cloud requested review from fbacall and stuzart November 27, 2025 21:27
Contributor

@fbacall fbacall left a comment


I did a global search for File.write and found some cases where SEEK will write to config/, so either those writes should be moved somewhere else, or it needs permission to write there.

(And quite possibly there are other places that write to the disk without explicitly using File.write)

@stuzart
Member

stuzart commented Nov 28, 2025

> I did a global search for File.write and found some cases where SEEK will write to config/, so either those writes should be moved somewhere else, or it needs permission to write there.
>
> (And quite possibly there are other places that write to the disk without explicitly using File.write)

config needs to be writable for a couple of cases during startup where it updates the config files for Mysql or for whether search is enabled:
https://github.com/seek4science/seek/blob/main/docker/shared_functions.sh#L27

https://github.com/seek4science/seek/blob/main/docker/shared_functions.sh#L50

Also looks like seek.crontab needs to be writable: https://github.com/seek4science/seek/blob/main/docker/shared_functions.sh#L66

@kdp-cloud
Collaborator Author

> I did a global search for File.write and found some cases where SEEK will write to config/, so either those writes should be moved somewhere else, or it needs permission to write there.
> (And quite possibly there are other places that write to the disk without explicitly using File.write)

> config needs to be writable for a couple of cases during startup where it updates the config files for Mysql or for whether search is enabled: https://github.com/seek4science/seek/blob/main/docker/shared_functions.sh#L27
>
> https://github.com/seek4science/seek/blob/main/docker/shared_functions.sh#L50
>
> Also looks like seek.crontab needs to be writable: https://github.com/seek4science/seek/blob/main/docker/shared_functions.sh#L66

The config folder is now writable again.

@kdp-cloud kdp-cloud requested a review from fbacall November 28, 2025 14:16
Contributor

@fbacall fbacall left a comment


See Stuart's comment about seek.crontab

@kdp-cloud
Collaborator Author

> See Stuart's comment about seek.crontab

seek.crontab is created during the execution of docker/entrypoint.sh by the www-data user, so that makes it writable. No? Or am I missing something else?
I can see it's created in the seek-workers container:

drwxr-xr-x.  1 www-data www-data   76 Dec  2 11:47 .
drwxr-xr-x.  1 root     root       18 Dec  2 11:46 ..
-rw-r--r--.  1 root     root       30 Feb 14  2025 .rspec
-rw-r--r--.  1 root     root      250 Mar 31  2025 .rubocop.yml
drwxr-xr-x.  2 root     root       85 Mar 13  2025 .ruby-lsp
-rw-r--r--.  1 root     root       11 Dec  2 11:38 .ruby-version
-rw-r--r--.  1 root     root     1.6K Feb 14  2025 BSD-LICENSE
-rw-r--r--.  1 root     root     2.8K Feb 14  2025 CITATION
-rw-r--r--.  1 root     root      184 Feb 14  2025 CONTRIBUTING.md
-rw-r--r--.  1 root     root     3.6K Dec  2 11:38 Gemfile
-rw-r--r--.  1 root     root      28K Dec  2 11:38 Gemfile.lock
-rw-r--r--.  1 root     root      158 Feb 14  2025 Guardfile
-rw-r--r--.  1 root     root     2.6K Sep 24 05:24 README.md
-rw-r--r--.  1 root     root      519 Feb 14  2025 Rakefile
drwxr-xr-x. 13 root     root      177 Sep 22 12:38 app
drwxr-xr-x.  2 root     root       58 Sep 24 05:24 bin
drwxr-xr-x.  1 www-data www-data   46 Dec  2 11:41 config
-rw-r--r--.  1 root     root      225 Feb 14  2025 config.ru
drwxr-xr-x.  4 root     root      129 Sep 24 05:24 db
drwxr-xr-x.  2 root     root     4.0K Dec  1 12:16 docker
drwxr-xr-x.  7 www-data www-data   86 Oct 24 13:46 filestore
drwxr-xr-x. 22 root     root     4.0K Sep 24 05:24 lib
drwxr-xr-x.  1 www-data www-data   48 Dec  2 11:49 log
drwxr-xr-x.  1 www-data www-data   17 Dec  2 11:43 public
-rw-r--r--.  1 root     root      146 Dec  2 11:38 requirements.txt
drwxr-xr-x.  3 root     root     4.0K Oct 24 13:51 script
-rw-r--r--.  1 www-data www-data 4.6K Dec  2 11:48 seek.crontab
drwxr-xr-x.  4 root     root       34 Feb 14  2025 solr
drwxr-xr-x.  9 root     root     4.0K Feb 14  2025 spec
drwxr-xr-x.  2 www-data www-data   32 Dec  2 11:46 sqlite3-db
drwxr-xr-x.  1 www-data www-data   18 Dec  2 11:48 tmp
drwxr-xr-x.  3 root     root       20 Feb 14  2025 vendor

I also don't see any error in the logs:

USING SOLR CONTAINER
GENERATING CRONTAB
STARTING SUPERCRONIC (QUIET)
STARTING WORKERS
delayed_job.1: process with pid 31 started.
delayed_job.2: process with pid 38 started.
delayed_job.3: process with pid 45 started.
delayed_job.4: process with pid 52 started.
delayed_job.5: process with pid 59 started.
delayed_job.6: process with pid 66 started.
delayed_job.7: process with pid 73 started.

@fbacall
Contributor

fbacall commented Dec 2, 2025

I see - the main app directory (/seek) is owned by www-data, whereas all sub directories are owned by root
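Added example, not code from the SEEK repository or this PR: a small POSIX shell audit that lists every path under an app root that the app user can write to and flags any not on the allow-list of writable locations given earlier in the thread. It also reports the app root itself when it is writable, which is the ownership situation fbacall describes for /seek and the reason seek.crontab could be created there. The app root, the user name and the constructed directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the SEEK repository or this PR: audit which paths under an
# application root are writable by the app user and report any that are not on the allow-list
# of writable locations from the PR description. Root path and user name are hypothetical.

# Allow-list (relative to the app root) taken from the thread: the PR's original list plus
# config/ and seek.crontab, which the discussion established must stay writable.
ALLOWED="filestore log nginx.conf public sqlite3-db tmp config seek.crontab"

# Print every path under $1 that user $2 can write to (owned by $2 with u+w, or g+w / o+w)
# and that is not covered by ALLOWED. The root itself is reported as "." when writable,
# which is the situation found for /seek in the thread.
unexpected_writable() {
    root=$1; user=$2
    find "$root" \( -user "$user" -perm -u+w \) -o -perm -g+w -o -perm -o+w |
    while IFS= read -r p; do
        rel=${p#"$root"}; rel=${rel#/}
        if [ -z "$rel" ]; then rel=.; fi
        allowed=0
        for a in $ALLOWED; do
            case "$rel" in "$a"|"$a"/*) allowed=1 ;; esac
        done
        if [ "$allowed" -eq 0 ]; then printf '%s\n' "$rel"; fi
    done | sort
}

# Constructed layout mirroring the ls -l output in the thread. Without root we cannot chown,
# so "root-owned" entries are simulated by removing write bits; the app user is the current user.
demo() {
    root=$(mktemp -d); user=$(id -un)
    for d in filestore log tmp config public sqlite3-db lib app; do
        mkdir "$root/$d"; chmod 755 "$root/$d"
    done
    : > "$root/Gemfile"; : > "$root/seek.crontab"
    chmod 644 "$root/Gemfile" "$root/seek.crontab"
    chmod 555 "$root/app"; chmod 444 "$root/Gemfile"   # simulated root-owned, read-only
    chmod 755 "$root"                                  # app root writable, as for /seek
    # lib/ is left writable on purpose: a constructed misconfiguration the audit should catch
    result=$(unexpected_writable "$root" "$user" | tr '\n' ' ')
    rm -rf "$root"
    printf '%s\n' "${result% }"   # prints ". lib"
}
```

Run `unexpected_writable /seek www-data` inside the container to check the real image; an empty result means only allow-listed locations are writable.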

Member

@stuzart stuzart left a comment


I will build and deploy on the testing server after 1.17.2
