Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop creating secrets.yml and just use SECRET_KEY_BASE env #365

Merged
merged 2 commits into from
Jan 22, 2025
Merged

Drop creating secrets.yml and just use SECRET_KEY_BASE env #365

merged 2 commits into from
Jan 22, 2025

Conversation

yosifkit
Copy link
Member

Rails 7.1-7.2 deprecated/removed config/secrets.yml usage and instead use credentials, so our generated secrets.yml is no longer used (which is the cause of #349).

Rails 7.2 is used in Redmine 6.0+. Rails 6.1 is used in Redmine 5.0 and 5.1. Rails 7.2 and 6.1 both support the SECRET_KEY_BASE environment variable, so let's use that instead. Users can continue to use the REDMINE_SECRET_KEY_BASE or REDMINE_SECRET_KEY_BASE_FILE variables or swap to SECRET_KEY_BASE.

Fixes #349

See removals and deprecations:
https://guides.rubyonrails.org/7_1_release_notes.html
https://guides.rubyonrails.org/7_2_release_notes.html

@yosifkit
Copy link
Member Author

😢 looks like 5.0 and 5.1 are running into rails/rails#54260 and likely won't get any Rails fix since 6.1 is end of life. Perhaps the Redmine Gemfile needs to pin the concurrent-ruby gem to less than 1.3.5?

@yosifkit
Copy link
Member Author

🤔 It looks like our redmine-basics test is relying on the automatic generated secret token from the elseif. Should I add it back since it is a breaking change that would affect new installs that don't set REDMINE_SECRET_KEY_BASE?

		elif [ ! -f config/initializers/secret_token.rb ]; then
			rake generate_secret_token
		fi

@tianon
Copy link
Member

tianon commented Jan 17, 2025

Hmm, if that command still works and does the right thing, that seems sane.

yosifkit
yosifkit commented Jan 17, 2025
View reviewed changes
docker-entrypoint.sh
fi
: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concretely, adding this to fix the 6.0 test failure (and maybe also a warning that they should save their config/initializers/secret_token.rb file?):

Suggested change
if [ -n "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
rake generate_secret_token
fi

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean -z there, right? (not -n)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, do we need to explicitly unset SECRET_KEY_BASE if it's empty, or does it get ignored properly? (We need to export SECRET_KEY_BASE otherwise as well, right?)

if [ -n "$SECRET_KEY_BASE" ]; then
	export SECRET_KEY_BASE
else
	unset SECRET_KEY_BASE
	if [ ! -f config/initializers/secret_token.rb ]; then
		# TODO warning?
		rake generate_secret_token
	fi
fi

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added so 6.0 is working now.

@tianon
Copy link
Member

tianon commented Jan 21, 2025

😢 looks like 5.0 and 5.1 are running into rails/rails#54260 and likely won't get any Rails fix since 6.1 is end of life. Perhaps the Redmine Gemfile needs to pin the concurrent-ruby gem to less than 1.3.5?

@marius-balteanu is this something that's already on your radar? 😅

(fresh installs of Redmine 5.x fail to start thanks to dependency updates 🙈)

@tianon tianon mentioned this pull request Jan 21, 2025
Closed
@yosifkit
Copy link
Member Author

👀 Oh, there are fixes applied for 5.x (https://www.redmine.org/issues/42113), but they are not in releases yet.

@tianon
Copy link
Member

tianon commented Jan 22, 2025

That looks pretty reasonable to apply in our builds 👀

tianon
tianon approved these changes Jan 22, 2025
View reviewed changes
Dockerfile-debian.template
apt-get install -y --no-install-recommends patch; \
wget -O 42113.patch 'https://github.com/redmine/redmine/commit/c7b1f00fc1b42fd9f77b8e6574dae453ced642b4.patch?full_index=1'; \
echo 'e352699be3995ff6e3b0066a478e377922fa95ce9fe4729240cd98dcee3c8575 *42113.patch' | sha256sum -c -; \
patch -p1 < 42113.patch; \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can technically be patch -p1 --input=42113.patch, but I don't think it's that important. 👍

Dockerfile-alpine.template
echo 'e352699be3995ff6e3b0066a478e377922fa95ce9fe4729240cd98dcee3c8575 *42113.patch' | sha256sum -c -; \
patch -p1 < 42113.patch; \
rm 42113.patch; \
apk del --no-network patch; \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's possible BusyBox's patch is enough, but it's not that important (esp. as it's temporary) 👍

@tianon tianon merged commit 087f78a into docker-library:master Jan 22, 2025
11 checks passed
@tianon tianon deleted the better-keybase branch January 22, 2025 22:01
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Jan 22, 2025
@docker-library-bot
Update redmine
3faabc7 
Changes:

- docker-library/redmine@087f78a: Merge pull request docker-library/redmine#365 from infosiftr/better-keybase
- docker-library/redmine@922b31e: Backport https://www.redmine.org/issues/42113 patch for 5.x
- docker-library/redmine@a57cd24: Drop secrets.yml and just use `SECRET_KEY_BASE`
@tianon tianon mentioned this pull request Jan 22, 2025
Merged
@yosifkit yosifkit mentioned this pull request Jan 22, 2025
Merged
tianon
tianon reviewed Jan 22, 2025
View reviewed changes
docker-entrypoint.sh
# just use the rails variable rather than trying to put it into a yml file
# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doh, this will error out if SECRET_KEY_BASE isn't set, right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh:

# TODO add "-u"

@yosifkit yosifkit mentioned this pull request Jan 22, 2025
Merged
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Jan 23, 2025
@docker-library-bot
Update redmine
b020b35 
Changes:

- docker-library/redmine@8d36a1a: Merge pull request docker-library/redmine#366 from infosiftr/single-template
- docker-library/redmine@b160f7a: Move to a single template for Debian and Alpine
- docker-library/redmine@087f78a: Merge pull request docker-library/redmine#365 from infosiftr/better-keybase
- docker-library/redmine@922b31e: Backport https://www.redmine.org/issues/42113 patch for 5.x
- docker-library/redmine@a57cd24: Drop secrets.yml and just use `SECRET_KEY_BASE`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tianon tianon tianon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Container (Redmine 6.0.1) not starting when using the REDMINE_SECRET_KEY_BASE environment variable
2 participants
@yosifkit @tianon