README.md 2.57 KB
Steve Weber committed

Best practices - environment variables
-------------------------------------

Ensure `.env` is in your `.gitignore`.

Order in which docker-compose loads environment variables (later entries override earlier ones):

    - Variable not defined
    - Dockerfile (ENV and ARG)
    - docker-compose.yml (env_file:)
    - docker-compose.yml (environment:)

The `.env` file and local shell variables are only used when rendering the `docker-compose.yml` file and when an `environment:` entry has an unset value.

Use `env_file:` to load defaults; however, it's best to define them in the `Dockerfile` using `ENV`.

Use `environment:` to set customized values. We use `variable-substitution` here so `.env` and local shell variables can override the value.
See: https://docs.docker.com/compose/compose-file/#variable-substitution for more details.
```
version: "3.3"
services:
    py:
        image: python_app
    py2:
        image: python_app2
        env_file:
            - py_env_defaults
        environment:
            - USER=${PY2_USER-a_default_user}
            - PASS=${PY2_PASS-a_default_pass}
            - PORT=${PY2_PORT-8080}
            - REQUIRED_SECRET=${REQUIRED_SECRET?error}
            - UNSET_USES_SHELL_ENV
```

Try to have only one `docker-compose.yml` file and use variable-substitution so it can be used for both development and production.

Environment variables are a good place to keep secrets so long as they don't get passed to subprocesses or debug output.

To protect secrets:

    - use env vars to render template config file(s), then unset them before running the app.
    - and/or unset the secret environment variables in the application after loading the config.
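
The first item above, sketched as a container entrypoint. This is an added example, not part of the original README; the `@NAME@` placeholder syntax, the function names `render_config` and `start_app`, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original README. The @NAME@ placeholder syntax,
# file names and the sample secret are constructed for illustration.

# Render template $1 to $2, replacing @NAME@ with the value of each named,
# exported variable. Values are inserted literally (no sed/regex escaping
# problems) and the output file is readable by its owner only.
render_config() {
    tpl=$1 out=$2; shift 2
    for name in "$@"; do
        # Fail closed on a missing secret, like ${VAR?error} in the compose file.
        eval "[ -n \"\${$name+set}\" ]" || { echo "$name is required" >&2; return 1; }
    done
    ( umask 077
      NAMES="$*" awk '
        BEGIN { n = split(ENVIRON["NAMES"], names, " ") }
        { line = $0
          for (i = 1; i <= n; i++) {
              ph = "@" names[i] "@"; head = ""
              while ((p = index(line, ph)) > 0) {
                  head = head substr(line, 1, p - 1) ENVIRON[names[i]]
                  line = substr(line, p + length(ph))
              }
              line = head line
          }
          print line }' "$tpl" > "$out" )
}

# Render the config, drop the secrets from the environment, then run the
# command. A real entrypoint would end with `exec "$@"` instead of `"$@"`.
start_app() {
    tpl=$1 out=$2 secrets=$3; shift 3
    render_config "$tpl" "$out" $secrets || return 1   # unquoted: list of names
    unset $secrets
    "$@"
}

# Demo with constructed values: the child process must not see the secret.
demo_dir=$(mktemp -d)
printf 'password = @REQUIRED_SECRET@\n' > "$demo_dir/app.ini.tmpl"
export REQUIRED_SECRET='constructed-s3cret'
start_app "$demo_dir/app.ini.tmpl" "$demo_dir/app.ini" REQUIRED_SECRET \
    sh -c 'echo "child sees REQUIRED_SECRET=${REQUIRED_SECRET-<unset>}"'
rm -rf "$demo_dir"
```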

Docker
------

packages
```
sudo apt install docker-compose
sudo usermod -a -G docker $USER
# reboot or use `su $USER` so `id` shows you in the docker group
```

config
```
# modify as needed (env)
cp .env_example .env
```

run
```
# start dockers and run in background
docker-compose up --detach
# tail logs in another window (optional)
docker-compose logs -f -t
# find the port the web proxy is bound to:
docker-compose port nginx 443
echo "https://127.0.0.1:$(docker-compose port nginx 443 | cut -d: -f2)"
```

run extra (optional)
```
# if you want a shell in a docker
docker-compose run app /bin/bash
# this shell is a new container; it shares storage volumes but not system files
# from here you can use manage.py to update the database and static files
source ./env.sh
python manage.py createadmin
python manage.py migrate
python manage.py collectstatic --noinput
python manage.py makemigrations
```

rebuild
```
docker-compose up --build
```

clean
```
docker-compose down
# remove git-ignored files and directories (this includes `.env` when it is in `.gitignore`)
sudo git clean -Xdf
```