SP14-item02: VPN/container env better packaging
WIP task list packaging:
- [MV] optional: docker smaller image size (node, researcher) => minimal version: build from fresh tree, do not copy envs/development
- misc: more selective copy of fedbiomed to container
- fedbiomed_clean better cleaning
  - [MV] development files from restful
  - [JLS] cleaning for vpn environment (container, config, image)
  - optional: tags for cleaning partly (eg: (1) clean level or (2) clean type (dev, env) (3) clean component (containers, images, config files, tempfiles, all))
- misc docker
  - [ ] misc: keep restful/mqtt logs files outside of container => not needed for now, delayed
  - [MV] misc: set hostname in containers
  - [MV] misc: add EXPOSE tags for ports in Dockerfiles (good practice)
  - [MV] make tensorboard available outside researcher container
  - [MV] make notebook not reachable from another host by default
  - [MV] no config.env under git tracking (requires changing the way we pass parameters to containers), eg create empty config.env when needed if none exist
- [MV] complete support for running containers with privilege drop (especially: don't write files as root on host machine filesystem)
  - remains to be done: configure_peer.py on vpnserver
  - more testing of using non privileged (CONTAINER_USER) or privileged (root) user
- [JLS] scripts for cleaning (fedbiomed_environment clean or equivalent) container images, configs
- [MV] config_peer.py script extension for support for removing a peer, updating a peer key, etc.
- [JLS] scripts for running (fedbiomed_run or equivalent) - how much can we simplify (eg automatically add vpn keys in vpnserver & make copies of vpn config file)
- [MV] investigate instabilities in launching vpn in containers (sometimes fails) - save wireguard config at container startup + investigate saving issues at stop
  - optional: test connection to vpnserver (ping -c 3 10.220.0.1), stop and restart container x2 if not working (happens sometimes) => handled in container launch scripts
- optional: add command for easily removing/redeclaring peer in container => same as config_peer.py item above
- [MV] optional: investigate add support for selecting the user id for running node/researcher at runtime not at build time
- [ ] optional: add support for default configuration ready-to-run from the clone ? (eg: vpn already setup but with default keys) => do we really want this ? not done for now
- [ ] optional: add support for more than 1 node on a computer => do we really want this ? not done now
- [ ] optional: investigate docker network config (scenario : observed sometimes using docker default network for reaching localhost vpnserver, use this for default config ?) => delayed. Current step is to test/assess global stability in real use with new version.
- [ ] real user documentation (gitlabpages) also explaining the architecture and security => Issue already created for that task
- [ ] to be discussed, depending on portability: images on docker hub => not needed for now