Allow configuring auto update

.github/workflows/docker.yml

@@ -96,10 +96,11 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           target: ${{ matrix.target }}
-          # tag image with current setuptools_scm generated version
+          # tag image with current setuptools_scm generated version, commit sha
           # and tag with PR source branch (eg: feature-x)
           tags: |
             ${{ env.registry }}/${{ matrix.image }}:${{ steps.get_version.outputs.internetnl_version }}
+            ${{ env.registry }}/${{ matrix.image }}:${{ github.event.pull_request.head.sha }}
             ${{ env.registry }}/${{ matrix.image }}:branch-${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.ref_name}}
           # use latest build from main, or image previously build by this PR for caching
           cache-from: |
@@ -123,10 +124,11 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           target: ${{ matrix.target }}
-          # tag image with current setuptools_scm generated version
+          # tag image with current setuptools_scm generated version, commit sha
           # and tag with current branch name (eg: main)
           tags: |
             ${{ env.registry }}/${{ matrix.image }}:${{ steps.get_version.outputs.internetnl_version }}
+            ${{ env.registry }}/${{ matrix.image }}:${{ github.event.pull_request.head.sha }}
             ${{ env.registry }}/${{ matrix.image }}:main
           # use latest build from main for caching
           cache-from: |
@@ -149,9 +151,10 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           target: ${{ matrix.target }}
-          # tag image with current setuptools_scm generated version and tag 'latest'
+          # tag image with current setuptools_scm generated version, commit sha and tag 'latest'
           tags: |
             ${{ env.registry }}/${{ matrix.image }}:${{ steps.get_version.outputs.internetnl_version }}
+            ${{ env.registry }}/${{ matrix.image }}:${{ github.event.pull_request.head.sha }}
             ${{ env.registry }}/${{ matrix.image }}:latest
           # use latest build from main for caching
           cache-from: |
@@ -219,7 +222,7 @@ jobs:
 
           To deploy this specific build to a existing deployment run the following update commands:
 
-              export BRANCH="${{ github.sha }}" && \\
+              export BRANCH="${{ github.event.pull_request.head.sha }}" && \\
               export RELEASE="${{ needs.build-docker.outputs.internetnl_version }}" && \\
               cd /opt/Internet.nl/ && \\
               curl -sSfO --output-dir docker https://raw.githubusercontent.com/internetstandards/Internet.nl/\$BRANCH/docker/defaults.env && \\

docker/cron.Dockerfile

@@ -1,7 +1,9 @@
 FROM alpine:3.18
 
-RUN apk add --no-cache curl postgresql15
+RUN apk add --no-cache curl postgresql15 jq docker-cli docker-cli-compose
 
 COPY docker/cron/periodic /etc/periodic/
+COPY docker/cron/update.sh /update.sh
 
-CMD crond -f -d7
+# run crond in foreground and log output of crons
+CMD crond -f -l2

docker/cron/periodic/15min/auto_update

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+if [ -z "$AUTO_UPDATE_BRANCH" ];then
+  # auto update not configured
+  exit 0
+fi
+
+cd /opt/Internet.nl/
+
+# shellcheck disable=SC1091
+. docker/local.env
+
+CURRENT_SHA="$RELEASE"
+UPSTREAM_SHA="$(curl -sSLf "https://api.github.com/repos/internetstandards/Internet.nl/branches/$AUTO_UPDATE_BRANCH"| jq -r .commit.sha)"
+
+if [ "$CURRENT_SHA" = "$UPSTREAM_SHA" ];then
+  # no update available
+  exit 0
+fi
+
+env -i RELEASE="$UPSTREAM_SHA" docker compose --env-file=docker/defaults.env --env-file=docker/host.env --env-file=docker/local.env --profile update up --no-build update

docker/cron/update.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+set -e
+
+cd /opt/Internet.nl/
+
+echo "Updating to release: $RELEASE"
+
+curl --silent --show-error --fail --remote-name --location --max-redirs 0 --output-dir docker \
+  "https://raw.githubusercontent.com/internetstandards/Internet.nl/${RELEASE}/docker/defaults.env"
+curl --silent --show-error --fail --remote-name --location --max-redirs 0 --output-dir docker \
+  "https://raw.githubusercontent.com/internetstandards/Internet.nl/${RELEASE}/docker/docker-compose.yml"
+env -i RELEASE="$RELEASE" docker compose --env-file=docker/defaults.env --env-file=docker/host.env --env-file=docker/local.env pull
+env -i RELEASE="$RELEASE" docker compose --env-file=docker/defaults.env --env-file=docker/host.env --env-file=docker/local.env up --remove-orphans --wait --no-build
+
+echo "RELEASE=$RELEASE # auto-update: '$AUTO_UPDATE_BRANCH' $(date)" >> docker/local.env
+
+echo "Update completed"

docker/defaults.env

@@ -202,4 +202,6 @@ INTERNETNL_BRANDING=False
 NGINX_PROXY_CACHE=default_cache
 
 # used to disable autoreload in CI
-DEVSERVER_ARGS=
+DEVSERVER_ARGS=
+# if configured will pull updates from this branch and automatically deploy them
+AUTO_UPDATE_BRANCH=

docker/docker-compose.yml

@@ -613,6 +613,7 @@ services:
       - DB_PASSWORD=password
       - CRON_DAILY_POSTGRESQL_BACKUP
       - CRON_WEEKLY_POSTGRESQL_BACKUP
+      - AUTO_UPDATE_BRANCH
 
     restart: unless-stopped
     logging:
@@ -632,6 +633,9 @@ services:
     volumes:
       - manual-hof:/app/manual-hall-of-fame/
       - postgres-backups:/var/lib/postgresql/backups
+      # for auto update
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/Internet.nl:/opt/Internet.nl
 
     healthcheck:
       test: ["CMD", "pgrep", "crond"]
@@ -641,6 +645,38 @@ services:
       start_period: 1m
       retries: 10
 
+  update:
+    image: ${DOCKER_IMAGE_CRON:-ghcr.io/internetstandards/cron:${RELEASE:-latest}}
+    build:
+      context: ..
+      dockerfile: docker/cron.Dockerfile
+    environment:
+      - AUTO_UPDATE_BRANCH
+      - RELEASE
+    command: /update.sh
+    # this container runs to completion and exits with 0
+    restart: on-failure
+    logging:
+      driver: $LOGGING_DRIVER
+      options:
+        tag: '{{.Name}}'
+    networks:
+      internal: {}
+      public-internet: {}
+
+    # configure internal Unbound service for resolving as Docker internal DNS server can be unreliable
+    dns: $IPV4_IP_RESOLVER_INTERNAL_PERMISSIVE
+    # also disable search domains and force default resolv settings
+    dns_search: [.]
+    dns_opt: ["ndots:0", "timeout:5", "attempts:2"]
+
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/Internet.nl:/opt/Internet.nl
+
+    profiles:
+      - update
+
   grafana:
     image: ${DOCKER_IMAGE_GRAFANA:-ghcr.io/internetstandards/grafana:${RELEASE:-latest}}
     build:

documentation/Docker-deployment-batch.md

@@ -126,7 +126,7 @@ This command should complete without an error, indicating the application stack
 
 Create database indexes:
 
-    docker compose --project-name=internetnl-prodexec app ./manage.py api_create_db_indexes
+    docker compose --project-name=internetnl-prod exec app ./manage.py api_create_db_indexes
 
 ## Testing your installation
 

documentation/Docker-deployment.md

@@ -42,7 +42,7 @@ Run the following command to install required dependencies, setup Docker Apt rep
 
 
     apt update && \
-    apt install -yqq ca-certificates curl gnupg && \
+    apt install -yqq ca-certificates curl jq gnupg && \
     install -m 0755 -d /etc/apt/keyrings && \
     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
     chmod a+r /etc/apt/keyrings/docker.gpg && \
@@ -209,7 +209,7 @@ Or use this command to omit the `COMMAND` and `PORTS` columns for a more compact
 
     docker compose --project-name=internetnl-prod  ps -a --format "table {{.Name}}\t{{.Image}}\t{{.Service}}\t{{.RunningFor}}\t{{.Status}}"
 
-Containers/services should have a `STATUS` of `Up` and there should be no containers/services with `unhealthy`. The `db-migrate` service having status `Exited (0)` is expected. Containers/services with a short uptime (seconds/minutes) might indicate it restarted recently due to an error.
+Containers/services should have a `STATUS` of `Up` and there should be no containers/services with `unhealthy`. The `db-migrate` and `update` containers/services having status `Exited (0)` is expected. Containers/services with a short uptime (seconds/minutes) might indicate it restarted recently due to an error.
 
 If a container/service is not up and healthy the cause might be deduced by inspecting the container/service state, eg for the app container/service:
 
@@ -277,6 +277,19 @@ To update to the latest build of the Pull Request branch use:
 
 The `pull` command might sometimes fail with a timeout error. In that case just retry until it's working. Or check [Github Status](https://www.githubstatus.com) to see if Github is down again.
 
+### Auto update
+
+By setting the variable `AUTO_UPDATE_BRANCH` in the `/opt/Internet.nl/docker/local.env` to a branch, eg: `main`, auto upgrading will be enabled. The application will check every 15 minutes if there is a update available and deploy it automatically. This is useful for development/acceptance environments that want to stay up to date with a feature or the `main` branch. It is not recommended for production environments!
+
+Auto upgrades are performed by the `cron` container/service. Which triggers a container/service named `update` which will perform the update itself. Progress/errors can be viewed by inspecting the container's logs:
+
+    docker logs --follow internetnl-prod-update-1
+
+To manually kick off the update process use the following command:
+
+    docker compose --project-name=internetnl-prod exec cron /etc/periodic/15min/auto_update
+
+**notice**: the update logging will be cut-off at the end because the `cron` container/service will be restarted in the process. For the full logs see the `update` container/service logs, see above.
 ## Downgrading/rollback
 
 In essence downgrading is the same procedure as upgrading: determine the branch and release version, download those versions of the configuration files and pull in those versions of the images, after which everything is restarted to that version. For example, to roll back to version `1.7.0` run: