change base image to ubuntu, add config options and docker-compose example file

Author: ronivay

Dockerfile

@@ -1,29 +1,25 @@
-FROM centos:8
+FROM ubuntu:focal
 
 MAINTAINER Roni Väyrynen <[email protected]>
 
 # Install set of dependencies to support running Xen-Orchestra
 
+# build dependencies, git for fetching source and redis server for storing data
+RUN apt update && \
+    apt install -y build-essential redis-server libpng-dev git libvhdi-utils python2-minimal lvm2 nfs-common cifs-utils curl python3-jinja2
+
 # Node v14
-RUN curl -s -L https://rpm.nodesource.com/setup_14.x | bash -
+RUN curl -s -L https://deb.nodesource.com/setup_14.x | bash -
 
 # yarn for installing node packages
-RUN curl -s -o /etc/yum.repos.d/yarn.repo https://dl.yarnpkg.com/rpm/yarn.repo
-RUN yum -y install yarn
-
-# epel-release for various packages not available from base repo
-RUN yum -y install epel-release
-
-# build dependencies, git for fetching source and redis server for storing data
-RUN yum -y install gcc gcc-c++ make openssl openssl-devel redis libpng-devel python3 git nfs-utils cifs-utils
-
-# libvhdi-tools for file-level restore
-RUN rpm -ivh https://forensics.cert.org/cert-forensics-tools-release-el7.rpm
-RUN yum --enablerepo=forensics install -y libvhdi-tools
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
+RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
+    apt update && \
+    apt install -y yarn
 
 # monit to keep an eye on processes
-RUN yum -y install monit
-ADD monit-services /etc/monit.d/services
+RUN apt -y install monit
+ADD conf/monit-services /etc/monit/conf.d/services
 
 # Fetch Xen-Orchestra sources from git stable branch
 RUN git clone -b master https://github.com/vatesfr/xen-orchestra /etc/xen-orchestra
@@ -35,29 +31,30 @@ RUN cd /etc/xen-orchestra && yarn && yarn build
 RUN find /etc/xen-orchestra/packages/ -maxdepth 1 -mindepth 1 -not -name "xo-server" -not -name "xo-web" -not -name "xo-server-cloud" -exec ln -s {} /etc/xen-orchestra/packages/xo-server/node_modules \;
 RUN cd /etc/xen-orchestra && yarn && yarn build
 
-# Fix path for xo-web content in xo-server configuration
-RUN sed -i "s/#'\/' = '\/path\/to\/xo-web\/dist\//'\/' = '..\/xo-web\/dist\//" /etc/xen-orchestra/packages/xo-server/sample.config.toml
-
-# Move edited config sample to place
-RUN mv /etc/xen-orchestra/packages/xo-server/sample.config.toml /etc/xen-orchestra/packages/xo-server/.xo-server.toml
-
 # Install forever for starting/stopping Xen-Orchestra
 RUN npm install forever -g
 
+# cleanup
+RUN yarn cache clean --all
+
 # Logging
-RUN ln -sf /proc/1/fd/1 /var/log/redis/redis.log
-RUN ln -sf /proc/1/fd/1 /var/log/xo-server.log
+RUN ln -sf /proc/1/fd/1 /var/log/redis/redis-server.log && \
+    ln -sf /proc/1/fd/1 /var/log/xo-server.log && \
+    ln -sf /proc/1/fd/1 /var/log/monit.log
 
 # Healthcheck
 ADD healthcheck.sh /healthcheck.sh
 RUN chmod +x /healthcheck.sh
 HEALTHCHECK --start-period=1m --interval=30s --timeout=5s --retries=2 CMD /healthcheck.sh
 
+# Copy xo-server configuration template
+ADD conf/xo-server.toml.j2 /xo-server.toml.j2
+
 # Copy startup script
 ADD run.sh /run.sh
 RUN chmod +x /run.sh
 
-WORKDIR /etc/xen-orchestra/xo-server
+WORKDIR /etc/xen-orchestra/packages/xo-server
 
 EXPOSE 80
 

README.md

@@ -1,5 +1,7 @@
 # Xen-Orchestra docker container
 
+Image has been refactored with Ubuntu as base image and quite a few changes starting 14th Jun 2021. It should be drop in replacement for old image, but in case needed, old image is found with tag centos.
+
 This repository contains files to build Xen-Orchestra community edition docker container with all features and plugins installed
 
 Latest tag is daily build from xen orchestra sources master branch. xen orchestra github project has stopped making versioned releases, therefore container is built only against master branch. All other container tags are old and only kept for compatibility.
@@ -53,7 +55,7 @@ In case your system is also using an application security framework AppArmor or
 
 For AppArmor you will have to add also `--security-opt apparmor:unconfined`. 
 
-Bellow is an example command for running the app in a docker container with:
+Below is an example command for running the app in a docker container with:
 
 * automatic container start on boot / crash 
 * enogh capabilities to mount nfs shares
@@ -72,3 +74,73 @@ docker run -itd \
 
 ```
 
+You may also use docker-compose. Copy configuration from below of example docker-compose.yml from github repository
+
+```
+version: '3'
+services:
+    xen-orchestra:
+        restart: unless-stopped
+        image: ronivay/xen-orchestra:latest
+        container_name: xen-orchestrea
+        stop_grace_period: 1m
+        ports:
+            - "80:80"
+            #- "443:443"
+        environment:
+            - HTTP_PORT=80
+            #- HTTPS_PORT=443
+
+            #redirect takes effect only if HTTPS_PORT is defined
+            #- REDIRECT_TO_HTTPS=true
+
+            #if HTTPS_PORT is defined and CERT/KEY paths are empty, a self-signed certificate will be generated
+            #- CERT_PATH='/cert.pem'
+            #- KEY_PATH='/cert.key'
+        # capabilities are needed for NFS mount
+        cap_add:
+          - SYS_ADMIN
+        # additional setting required for apparmor enabled systems. also needed for NFS mount
+        security_opt:
+          - apparmor:unconfined
+        volumes:
+          - xo-data:/var/lib/xo-server
+          # mount certificate files to container if HTTPS is set with cert/key paths
+          #- ./temp-cert.pem:/temp-cert.pem
+          #- ./temp-key.pem:/temp-key.pem
+        # logging
+        logging: &default_logging
+            driver: "json-file"
+            options:
+                max-size: "1M"
+                max-file: "2"
+
+volumes:
+  xo-data:
+```
+
+#### Variables
+
+`HTTP_PORT`
+
+Listening HTTP port inside container
+
+`HTTPS_PORT`
+
+Listening HTTPS port inside container
+
+`REDIRECT_TO_HTTPS`
+
+Boolean value true/false. If set to true, will redirect any HTTP traffic to HTTPS. Requires that HTTPS_PORT is set. Defaults to: false
+
+`CERT_PATH`
+
+Path inside container for user specified PEM certificate file. Example: '/path/to/cert'
+
+If HTTPS_PORT is set and CERT_PATH not given, a self-signed certificate and key will be generated automatically.
+
+`KEY_PATH`
+
+Path inside container for user specified key file. Example: '/path/to/key'
+
+if HTTPS_PORT is set and KEY_PATH not given, a self-signed certificate and key will be generated automatically.

conf/monit-services

@@ -0,0 +1,15 @@
+set httpd port 2812 and
+	use address localhost
+	allow localhost
+
+check process xo-server with pidfile /var/run/xo-server.pid
+	depends on redis
+	start program = "/usr/bin/forever start -a --pidFile /var/run/xo-server.pid --sourceDir /etc/xen-orchestra/packages/xo-server -l /var/log/xo-server.log dist/cli.mjs"
+	stop program = "/usr/bin/forever stop /etc/xen-orchestra/packages/xo-server/dist/cli.mjs"
+
+check process redis with pidfile /var/run/redis.pid
+	start program = "/usr/bin/redis-server --bind 127.0.0.1 --port 6379 --pidfile /var/run/redis.pid --daemonize yes"
+	stop program = "/usr/bin/redis-cli shutdown"
+
+check process rpcbind matching "rpcbind"
+	start program = "/usr/sbin/rpcbind"

conf/xo-server.toml.j2

@@ -0,0 +1,158 @@
+# Example XO-Server configuration.
+#
+# This file is automatically looking for at the following places:
+# - `$HOME/.config/xo-server/config.toml`
+# - `/etc/xo-server/config.toml`
+#
+# The first entries have priority.
+#
+# Note: paths are relative to the configuration file.
+
+#=====================================================================
+
+# HTTP proxy configuration used by xo-server to fetch resources on the Internet.
+#
+# See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
+# httpProxy = 'http://jsmith:[email protected]:3128'
+
+#=====================================================================
+
+# It may be necessary to run XO-Server as a privileged user (e.g. `root`) for
+# instance to allow the HTTP server to listen on a
+# [privileged ports](http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html).
+#
+# To avoid security issues, XO-Server can drop its privileges by changing the
+# user and the group is running with.
+#
+# Note: XO-Server will change them just after reading the configuration.
+
+# User to run XO-Server as.
+#
+# Note: The user can be specified using either its name or its numeric
+# identifier.
+#
+# Default: undefined
+#user = 'nobody'
+
+# Group to run XO-Server as.
+#
+# Note: The group can be specified using either its name or its numeric
+# identifier.
+#
+# Default: undefined
+# group = 'nogroup'
+
+#=====================================================================
+
+# Directory containing the database of XO.
+# Currently used for logs.
+#
+# Default: '/var/lib/xo-server/data'
+#datadir = '/var/lib/xo-server/data'
+
+#=====================================================================
+
+# Configuration of the embedded HTTP server.
+[http]
+# If set to true, all HTTP traffic will be redirected to the first HTTPs
+# configuration.
+# redirectToHttps = true
+{% if env['REDIRECT_TO_HTTPS'] == 'true' and env['HTTPS_PORT'] %}
+redirectToHttps = true
+{% endif %}
+
+
+# Settings applied to cookies created by xo-server's embedded HTTP server.
+#
+# See https://www.npmjs.com/package/cookie#options-1
+[http.cookies]
+#sameSite = true
+#secure = true
+
+# Basic HTTP.
+[[http.listen]]
+# Address on which the server is listening on.
+#
+# Sets it to 'localhost' for IP to listen only on the local host.
+#
+# Default: all IPv6 addresses if available, otherwise all IPv4 addresses.
+# hostname = 'localhost'
+
+# Port on which the server is listening on.
+#
+# Default: undefined
+port = {{ env['HTTP_PORT'] }}
+
+# Instead of `host` and `port` a path to a UNIX socket may be specified
+# (overrides `host` and `port`).
+#
+# Default: undefined
+# socket = './http.sock'
+
+# # Basic HTTPS.
+# #
+# # You can find the list of possible options there
+# # https://nodejs.org/docs/latest/api/tls.html#tls.createServer
+# #
+# # The only difference is the presence of the certificate and the key.
+
+{% if env['HTTPS_PORT'] %}
+[[http.listen]]
+port = {{ env['HTTPS_PORT'] }}
+
+autoCert = true
+cert = {{ env['CERT_PATH'] }}
+key = {{ env['KEY_PATH'] }}
+{% endif %}
+
+# List of files/directories which will be served.
+[http.mounts]
+#'/any/url' = '/path/to/directory'
+
+# List of proxied URLs (HTTP & WebSockets).
+[http.proxies]
+#'/any/url' = 'http://localhost:54722'
+
+#=====================================================================
+
+# Connection to the Redis server.
+[redis]
+# Unix sockets can be used
+#
+# Default: undefined
+#socket = '/var/run/redis/redis.sock'
+
+# Syntax: redis://[db[:password]@]hostname[:port][/db-number]
+#
+# Default: redis://localhost:6379/0
+#uri = 'redis://redis.company.lan/42'
+
+# List of aliased commands.
+#
+# See http://redis.io/topics/security#disabling-of-specific-commands
+#renameCommands:
+#  del = '3dda29ad-3015-44f9-b13b-fa570de92489'
+#  srem = '3fd758c9-5610-4e9d-a058-dbf4cb6d8bf0'
+
+#=====================================================================
+
+# Configuration for remotes
+[remoteOptions]
+# Directory used to mount remotes
+#
+# Default: '/run/xo-server/mounts'
+#mountsDir = '/run/xo-server/mounts'
+
+# Use sudo for mount with non-root user
+#
+# Default: false
+#useSudo = false
+
+#=====================================================================
+
+# Configuration for plugins
+[plugins]
+# Each configuration is passed to the dedicated plugin instance
+#
+# Syntax: [plugins.<pluginName>]
+

docker-compose.yml

@@ -0,0 +1,42 @@
+version: '3'
+services:
+    xen-orchestra:
+        restart: unless-stopped
+        image: ronivay/xen-orchestra:latest
+        container_name: xen-orchestra
+        stop_grace_period: 1m
+        ports:
+            - "80:80"
+            #- "443:443"
+        environment:
+            - HTTP_PORT=80
+            #- HTTPS_PORT=443
+
+            #redirect takes effect only if HTTPS_PORT is defined
+            #- REDIRECT_TO_HTTPS=true
+
+            #if HTTPS_PORT is defined and CERT/KEY paths are empty, a self-signed certificate will be generated 
+            #- CERT_PATH='/cert.pem'
+            #- KEY_PATH='/cert.key'
+        # capabilities are needed for NFS mount
+        cap_add:
+          - SYS_ADMIN
+        # additional setting required for apparmor enabled systems. also needed for NFS mount
+        security_opt:
+          - apparmor:unconfined
+        volumes:
+          - xo-data:/var/lib/xo-server
+          - redis-data:/var/lib/redis
+          # mount certificate files to container if HTTPS is set with cert/key paths
+          #- ./temp-cert.pem:/temp-cert.pem
+          #- ./temp-key.pem:/temp-key.pem
+        # logging
+        logging: &default_logging
+            driver: "json-file"
+            options:
+                max-size: "1M"
+                max-file: "2"
+
+volumes:
+  xo-data:
+  redis-data:

healthcheck.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-/usr/bin/curl -s -I -m 3 http://127.0.0.1 >/dev/null
+/usr/bin/curl -s -k -L -I -m 3 http://127.0.0.1:${HTTP_PORT} >/dev/null
 
 if [[ "$?" == "0" ]]; then
 	webcheck_retval="0"