Refactor startup scripts, envvars for all omero parameter

[manics]

Refactor the startup-scripts for OMERO.server:

• All omero config properties can be set with environment variables
• Database setup is separate from starting OMERO.server
• Removed OMERO.grid support- this will be added back in a separate dependent repo
• Use dumb-init
  • @dpwrussell In theory this means you could start a backgrounded script which polls localhost to check whether the server is ready before creating a public user, before the final 99-run.sh script is run, avoiding the requirement to restart the server.

[dpwrussell]

What's the rationale for not just calling the run-exec.sh file run.sh? That seems to be the norm.

[dpwrussell]

Need not be in loop

[dpwrussell]

and probably should be caps

[manics]

Fixed

[manics]

I've renamed run-exec.sh to entrypoint.sh

[dpwrussell]

Works as expected.

[joshmoore]

ROOTPASS twice?

[joshmoore]

If we're using the main release version (i.e. 5.3.2) for tags of this repo, then I'm assuming:

• latest images are considered worst-practice
• on each OMERO release, we'll branch from master and bump this string to include the version (5.3.3)
• for bug fixes before an OMERO release, we'll suffix 5.3.3-1

Note: this doesn't yet give us a strategy for breaking changes in the image itself

[joshmoore]

I'm assuming this has everyone's implicit 👍 but now with 5.4 replacing 5.3

[joshmoore]

Does this need to be outside the if block?

[manics]

No, CONFIG_omero_db_host will already be converted into omero.db.host by 50-config.py- I'll update the comment at the top of the file. The only reason for special handling here is that the default of omero.db.host=localhost will never work, instead it defaults to db which should be set by docker run --link ....

[joshmoore]

Not particularly worried but there's obviously some danger of a __ conflict here.

[manics]

I know. Do you have another suggestion?

[joshmoore]

Not sure how evil this is but:

$ env "a.b=1" python -c "import os; print os.environ['a.b']"
1
$ docker run -ti --rm -e a.b=1 centos python -c "import os; print os.environ['a.b']"
1

[manics]

Unfortuntately it's also used in the bash script60-database.sh

[joshmoore]

Continuing discussion under #3

[joshmoore]

This example isn't working for me:

FATAL:  password authentication failed for user "omero"
DETAIL:  Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 md5"

[manics]

I didn't want to repeat all the -e CONFIG_omero_db_* params from the previous example, I'll try and make that clearer

[manics]

BTW, I've just realised https://github.com/openmicroscopy/omero-server-docker/blob/master/requirements.yml#L21 means this can't be tagged as production until ome/ansible-role-omero-server#12 is tagged

[manics]

oops...not sure what happened...

[manics]

I had a typo, accidently did git push ... -d.

[joshmoore]

I had a typo, accidently did git push ... -d.

That's kinda scary. Good to know.

[manics]

Updated in response to @joshmoore's comments.

In addition I've switched from loading .omero files from /config/ to /opt/omero/server/config/ as used in https://github.com/openmicroscopy/ansible-role-omero-server/tree/2.0.0-m1

One issue you may want to consider before ansible-role-omero-server is officially tagged 2.0.0: the configuration script /opt/omero/server/config/omero-server-config-update.sh is in the same directory that's used for .omero files /opt/omero/server/config so you can mount .omero files but not the entire directory.

[joshmoore]

Discussion now points to:

• merging in order:
  • Refactor --initdb --upgradedb arguments (IDR-0.4.0) omego#104
  • Add flag to disable database init/upgrades (IDR-0.4.0) ansible-role-omero-server#12
  • this PR
• and then considering omero-server the current candidate production image.

[manics]

--depends on ome/omego#108

• This needed to allow installations without a DB to proceed
• You can temporarily test this using manics@34b1b07

[dpwrussell]

If there could potentially be mounted filesystems that might want to be mounted as the same UID as the omero server, should this be made configurable? The host os is likely to have more restrictions on what uids they can use than the container one.

[joshmoore]

No objections from my side to having uid and gid be ARGs, but in general, then, you could also subclass the image and usermod. More critical from my POV is: what's the expectation when pulling the image from hub?

To your question in particular: I haven't run into a situation where I can't chown the directory with a particular UID before mounting but I could imagine not wanting to if that were to put something in particular at risk. (i.e. I don't trust the 1000 user on the host system in question)

[manics]

@dpwrussell I agree with you. The correct way to solve this is to treat the omero-server Docker filesystem as readonly with the exception of defined directories for logs and temp-files (which is our long-term goal) which will need to be mounted as volumes. Then you can simply use docker run --user UID ... to set the user OMERO runs as.

The purpose of the last commit is to make the default omero-server UID well-known as opposed to using whatever useradd picks as the UID.

[manics]

Though what would be even better is if all OMERO logs went to stdout/stderr, so just /tmp would need to be writeable (which it generally is by any user).

[joshmoore]

latest is now 5.4. Shall we go with the flow and this repo matches the milestones of the 5.4 series with the intent of releasing this as production with 5.4.0?

cc: @dpwrussell @manics @sbesson @jburel

[mtbc]

initializing

[manics]

Changed

[joshmoore]

Re-ran travis to get this green. Merging, untagged. I'd suggest when 5.4.0-m1 is tagged, that someone create a commit changing latest to v5.4.0-m1 and tag that commit which should then be built on hub.

cc: @mtbc