GeoNode v4.2.2 declares to use docker image geonode/geoserver:2.23.3-v2. However, that image was build via manual trigger and there is a missing tag to later reason on what commit was the source of it. The only way to find out at the moment is the action run to build and push the image. This, however, can be quite cumbersome, especially when people wants to check for older versions (in the future, of course, when more and more actions will exist).

/cc @giohappy I undestand it is quite handy to have such manual triggers, but in such cases (building a tagged version) this makes it harder to follow.

uwsgi reports this warning when booting:

*** WARNING: you have enabled harakiri without post buffering. Slow upload could be rejected on post-unbuffered webservers ***

nginx is usually a buffered webserver, unless otherwise configured.

The configuration indeed states:

By removing buffering, django is aware about how many bytes have been transferred, so that it can send some transfer stats to the client real time.
Anyway such buffering may cause uwsgi to terminate connections while uploading.

We need to find out a way to deal with this.

Reported from django-docker #5

reported from django-docker #8

Given GeoNode/geonode#11763 we must downgrade Geoserver to 2.23.1 until the problem has not been identified.

I find this wrong:
Traceback (most recent call last):
File "/usr/local/bin/django-admin.py", line 5, in
management.execute_from_command_line()
File "/usr/local/lib/python2.7/site-packages/django/core/management/init.py", line 364, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/site-packages/django/core/management/init.py", line 356, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/usr/local/lib/python2.7/site-packages/django/core/management/base.py", line 283, in run_from_argv
self.execute(*args, **cmd_options)
File "/usr/local/lib/python2.7/site-packages/django/core/management/base.py", line 330, in execute
output = self.handle(*args, **options)
File "/usr/local/lib/python2.7/site-packages/modeltranslation/management/commands/loaddata.py", line 61, in handle
return super(Command, self).handle(*fixture_labels, **options)
File "/usr/local/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 69, in handle
self.loaddata(fixture_labels)
File "/usr/local/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 109, in loaddata
self.load_label(fixture_label)
File "/usr/local/lib/python2.7/site-packages/django/core/management/commands/loaddata.py", line 166, in load_label
for obj in objects:
File "/usr/local/lib/python2.7/site-packages/django/core/serializers/json.py", line 88, in Deserializer
six.reraise(DeserializationError, DeserializationError(e), sys.exc_info()[2])
File "/usr/local/lib/python2.7/site-packages/django/core/serializers/json.py", line 82, in Deserializer
for obj in PythonDeserializer(objects, **options):
File "/usr/local/lib/python2.7/site-packages/django/core/serializers/python.py", line 99, in Deserializer
Model = _get_model(d["model"])
File "/usr/local/lib/python2.7/site-packages/django/core/serializers/python.py", line 194, in _get_model
raise base.DeserializationError("Invalid model identifier: '%s'" % model_identifier)
django.core.serializers.base.DeserializationError: Problem installing fixture '/usr/src/app/geonode/base/fixtures/initial_data.json': Invalid model identifier: 'base.menuplaceholder'
I use this http://docs.geonode.org/en/2.10.x/install/core/index.html#docker
my os is centos7

The current (https://github.com/GeoNode/geonode-docker/blob/8f71ab7404e4384333f6c00b7543b6b2b3aff9bb/docker/nginx/nginx.https.available.conf.envsubst) nginx https conf file is a good start but lacks higher security standards.

This leads to subpar ratings in services like ssllabs. See https://www.ssllabs.com/ssltest/analyze.html?d=stable.demo.geonode.org

With some tweaks, the service can get an 'A' rating. I would propose the following changes:

diff --git a/docker/nginx/nginx.https.available.conf.envsubst b/docker/nginx/nginx.https.available.conf.envsubst
index b9baaf8aa501c52773d4a1cd7cb5fba8173c4713..f2da30df31b8d45c863d5072121148aa830ec7f3 100644
--- a/docker/nginx/nginx.https.available.conf.envsubst
+++ b/docker/nginx/nginx.https.available.conf.envsubst
@@ -2,19 +2,23 @@
 # not to be mistaken for nginx variables (also starting with $, but usually lowercase)
 
 # This file is to be included in the main nginx.conf configuration if HTTPS_HOST is set
-ssl_session_cache   shared:SSL:10m;
-ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
 
 # this is the actual HTTPS host
 server {
     listen              $HTTPS_PORT ssl;
     server_name         $HTTPS_HOST;
+    server_tokens off;
+    add_header Strict-Transport-Security "max-age=63072000" always;
     keepalive_timeout   70;
 
     ssl_certificate     /certificate_symlink/fullchain.pem;
     ssl_certificate_key /certificate_symlink/privkey.pem;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_protocols       TLSv1.2;
+    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_stapling on;
+    ssl_stapling_verify on;
 
     include sites-enabled/*.conf;
 }
@@ -23,6 +27,7 @@ server {
 server {
     listen 80;
     server_name $HTTPS_HOST $HTTP_HOST; # TODO : once geoserver supports relative urls, we should allow access though both HTTP and HTTPS at the same time and hence remove HTTP_HOST from this line
+    server_tokens off;
     
     # Except for let's encrypt challenge
     location /.well-known {

jshah@Geo:~/geonode$ docker-compose -f docker-compose.yml -f docker-compose.override.localhost.yml up --build

Pulling db (geonode/postgis:10)...
ERROR: manifest for geonode/postgis:10 not found

Geonode's settings expects ALLOWED_HOSTS env variable to be provided when deploying with docker-compose. This variable can come from several places:

• directly from dockerfile
• from scripts/docker/env/ file
• from docker-compose.yml

However, none of those places will actually be in use, when using compose, because in the end it will be overriden by https://github.com/GeoNode/geonode-docker/blob/master/tasks.py#L40

We should check if variables are defined in env first, then change it to such defaults.

Hi,

we have some SPA apps that use oauth2 to auth against geonode. In past I've needed to update my local build

@@ -116,6 +116,7 @@ location / {
   set $upstream django:8000;

   if ($request_method = OPTIONS) {
+      add_header Access-Control-Allow-Origin "*";

To not run into a CORS error. I wonder how other devs deal with ACAO. I do not see a way to set Access-Control-Allow-Origin dynamicully but would try to avoid using a forked version of this image.

Thanks,

Toni

When using docker-compose the database instance has to be "db" because of:

def _update_db_connstring():
    user = os.getenv('GEONODE_DATABASE', 'geonode')
    pwd = os.getenv('GEONODE_DATABASE_PASSWORD', 'geonode')
    dbname = os.getenv('GEONODE_DATABASE', 'geonode')
    connstr = 'postgres://{0}:{1}@db:5432/{2}'.format(
        user,
        pwd,
        dbname
    )
    return connstr


def _update_geodb_connstring():
    geouser = os.getenv('GEONODE_GEODATABASE', 'geonode_data')
    geopwd = os.getenv('GEONODE_GEODATABASE_PASSWORD', 'geonode_data')
    geodbname = os.getenv('GEONODE_GEODATABASE', 'geonode_data')
    geoconnstr = 'postgis://{0}:{1}@db:5432/{2}'.format(
        geouser,
        geopwd,
        geodbname
    )
    return geoconnstr

Please change the code to some thing like this:

def _update_db_connstring():
    geoconnstr = os.getenv('GEONODE_DATABASE_URL', '')
    return geoconnstr


def _update_geodb_connstring():
    geoconnstr = os.getenv('GEONODE_GEODATABASE_URL', '')
    return geoconnstr

Where the environment variables are like:

GEONODE_DATABASE_URL=postgres://geonode:geonode@geoserver-db:5432/geonode
GEONODE_GEODATABASE_URL=postgres://geonode_data:geonode_data@geoserver-db:5432/geonode_data

Hi all,

After installing the 2.8 docker version of geonode on my mac, I get the following error:

db4geonode | ERROR: permission denied for relation django_migrations
db4geonode | STATEMENT: SELECT "django_migrations"."app", "django_migrations"."name" FROM "django_migrations"

Are there some specific configuration changes required before launching docker-compose up?

Thanks for your help,

Laurent

Currently, the geoserver data directory is downloaded when the geoserver_data container is being created:

The data dir is a zip hosted at https://artifacts.geonode.org/geoserver/:

Furthermore, for what I can see, the geoserver_data service's only job is to download that zip to provide it as shared volume to be available for other services, like django and geoserver.

This however, forces the container to be up and running. Otherwise, the volume is not available anymore.

I have several questions:

• Is there any reason (I cannot see), why we do not host the data dir in this repository?
• Do you have particular requirements which argue for a dedicated geoserver_data container?
• What do you think about
  • adding the data dir to the geoserver container
  • removing the geoserver_data image completely
  • move shared volume provisioning to geoserver container

Anything else, I miss?

/cc @mwallschlaeger

Since https://github.com/GeoNode/geonode-docker/blob/master/wait-for-databases.sh#L8-L11 does not use a password the connection will get refused and the container will not spin up correctly but looping inside this status.

As https://github.com/appropriate/docker-postgis states you could use -e POSTGRES_PASSWORD=mysecretpassword to set a password for the superuser.

how to reproduce

host ip: 172.29.179.108
postgres password: apa22

docker-compose.override.localhost.yml

version: '2.2'
services:

  django:
    build: .
    # Loading the app is defined here to allow for
    # autoreload on changes it is mounted on top of the
    # old copy that docker added when creating the image
    volumes:
      - '.:/usr/src/app'
    environment:
      - DEBUG=False
      - GEONODE_LB_HOST_IP=172.29.179.108
      - GEONODE_LB_PORT=80
      - SITEURL=http://172.29.179.108/
      - ALLOWED_HOSTS=['172.29.179.108', ]
      - GEOSERVER_PUBLIC_LOCATION=http://172.29.179.108/geoserver/
      - GEOSERVER_WEB_UI_LOCATION=http://172.29.179.108/geoserver/

  geoserver:
    environment:
      - GEONODE_LB_HOST_IP=172.29.179.108
      - GEONODE_LB_PORT=80

  db:
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_PASSWORD=apa22

in root folder: docker-compose -f docker-compose.yml -f docker-compose.override.localhost.yml up

errors

database is not able to establish connection, because the password is wrong. From docker-compose up log:

db4geonode       | 2019-07-17 09:11:35.882 UTC [394] FATAL:  password authentication failed for user "postgres"
db4geonode       | 2019-07-17 09:11:35.882 UTC [394] DETAIL:  Password does not match for user "postgres".
db4geonode       |      Connection matched pg_hba.conf line 95: "host all all all md5"

PR #16 pull GDAL 2.1.2, so GDAL bidings currently don't build.
I've solved in our forked geonode-docker repo changing this line to:

RUN gdal-config --version | cut -c 1-5 | xargs -I % pip install 'pygdal>=%.0,<=%.999'

I'm not aware of issues with GN master and GDAL 2.1.2. This command will automate the Python GDAL binsings retrieval and uses PyGDAL wheels, thus removing the need to build the bindings.

We want to upgrade Tomcat 9 to a more recent version to include bug and security fixes.

The selected image is tomcat:9.0.85-jdk11-temurin-focal

Geoserver 2.24.3 has been released. We want to upgrade GeoNode because this GS version contains important security patches and a fix to the JMS plugin.

A critical geoserver vulnerability has been reported and a patched version is available for versions: 2.24.4, 2.25.2, 2.23.6.
On docker hub the latest versions were built long ago, would it be possible to update them with the patched version?

File nginx/geonode.conf.envsubst contains hardcoded directories under /mnt/volumes/statics instead of MEDIA_ROOT and STATIC_ROOT:

When deployed, container provides output preview with docker logs. There's no point to log uwsgi process to file, as it's harder to diagnose problems. This line is not needed:

https://github.com/GeoNode/geonode-docker/blob/master/uwsgi.ini#L4

Reported from django-docker #7

Multiple workflows will be setup to automate the build and push of each Docker image contained in this repository:

• Geoserver
• Nginx
• PostGIS
• Letsencrypt
• Geoserver data dir conf

The "Build and push Docker images" Github Action will be adopted and configured appropriately.

I've tested a simple example for Geoserver here

We will need to setup a Docker "service" account for the GeoNode organization. Its credentials will be used to push the images.