Update django to 2.2

Add shared (z) container volume SELinux labels to the volumes created…

Dockerfile

@@ -25,7 +25,7 @@ RUN pip install \
 # pinning django to the version required by netbox
 # adding it here, to install the correct version of
 # django-rq
-      'Django>=2.1.5,<2.2' \
+      'Django>=2.2,<2.3' \
 # django-rq is used for webhooks
       django-rq
 

README.md

@@ -60,7 +60,7 @@ These are defined in `netbox.env`.
 Read [Environment Variables in Compose][compose-env] to understand about the various possibilities to overwrite these variables.
 (The easiest solution being simply adjusting that file.)
 
-To find all possible variables, have a look at the [configuration.docker.py][docker-config] and [docker-entrypoint.sh][entrypoint] files.
+To find all possible variables, have a look at the [configuration.py][docker-config] and [docker-entrypoint.sh][entrypoint] files.
 Generally, the environment variables are called the same as their respective Netbox configuration variables.
 Variables which are arrays are usually composed by putting all the values into the same environment variables with the values separated by a whitespace ("` `").
 For example defining `ALLOWED_HOSTS=localhost ::1 127.0.0.1` would allows access to Netbox through `http://localhost:8080`, `http://[::1]:8080` and `http://127.0.0.1:8080`.
@@ -85,7 +85,12 @@ You may run this image in a cluster such as Docker Swarm, Kubernetes or OpenShif
 
 In this case, we encourage you to statically configure Netbox by starting from [Netbox's example config file][default-config], and mounting it into your container in the directory `/etc/netbox/config/` using the mechanism provided by your container platform (i.e. [Docker Swarm configs][swarm-config], [Kubernetes ConfigMap][k8s-config], [OpenShift ConfigMaps][openshift-config]).
 
-But if you rather continue to configure your application through environment variables, you may continue to use [the built-in configuration file][docker-config].
+But if you rather continue to configure your application through environment variables, you may continue to use [the built-in configuration file][
+
+
+
+
+].
 We discourage storing secrets in environment variables, as environment variable are passed on to all sub-processes and may leak easily into other systems, e.g. error collecting tools that often collect all environment variables whenever an error occurs.
 
 Therefore we *strongly advise* to make use of the secrets mechanism provided by your container platform (i.e. [Docker Swarm secrets][swarm-secrets], [Kubernetes secrets][k8s-secrets], [OpenShift secrets][openshift-secrets]).
@@ -99,10 +104,11 @@ If a secret is defined by an environment variable and in the respective file at
 * `EMAIL_PASSWORD`: `/run/secrets/email_password`
 * `NAPALM_PASSWORD`: `/run/secrets/napalm_password`
 * `REDIS_PASSWORD`: `/run/secrets/redis_password`
+* `AUTH_LDAP_BIND_PASSWORD`: `/run/secrets/auth_ldap_bind_password`
 
 Please also consider [the advice about running Netbox in production](#production) above!
 
-[docker-config]: https://github.com/netbox-community/netbox-docker/blob/master/docker/configuration.docker.py
+[docker-config]: https://github.com/netbox-community/netbox-docker/blob/master/configuration/configuration.py
 [default-config]: https://github.com/digitalocean/netbox/blob/develop/netbox/netbox/configuration.example.py
 [entrypoint]: https://github.com/netbox-community/netbox-docker/blob/master/docker/docker-entrypoint.sh
 [swarm-config]: https://docs.docker.com/engine/swarm/configs/
@@ -144,6 +150,7 @@ You can also dynamically add any other report to this same directory and Netbox
 ### Custom Initialization Code (e.g. Automatically Setting Up Custom Fields)
 
 When using `docker-compose`, all the python scripts present in `/opt/netbox/startup_scripts` will automatically be executed after the application boots in the context of `./manage.py`.
+The execution of the startup scripts can be prevented by setting the environment variable `SKIP_STARTUP_SCRIPTS` to `true`, e.g. in the file `env/netbox.env`.
 
 That mechanism can be used for many things, e.g. to create Netbox custom fields:
 
@@ -368,7 +375,7 @@ docker-compose run --rm -T redis sh -c 'redis-cli -h redis -a $REDIS_PASSWORD mo
 
 If you don't see anything happening after you triggered a webhook, double-check the configuration of the `netbox` and the `netbox-worker` containers and also check the configuration of your webhook in the admin interface of Netbox.
 
-### Breaking Changes
+## Breaking Changes
 
 From time to time it might become necessary to re-engineer the structure of this setup.
 Things like the `docker-compose.yml` file or your Kubernetes or OpenShift configurations have to be adjusted as a consequence.
@@ -378,6 +385,9 @@ Compare the version with the list below to check whether a breaking change was i
 
 The following is a list of breaking changes of the `netbox-docker` project:
 
+* 0.13.0: `AUTH_LDAP_BIND_PASSWORD` can now be extracted into a secrets file. [#133][133]
+* 0.12.0: A new flag `REDIS_SSL=false` was added to the `env/netbox.env` file. [#129][129]
+* 0.11.0: The docker-compose file now marks volumes as shared (`:z`). This should prevent SELinux problems [#131][131]
 * 0.9.0: Upgrade to at least 2.1.5
 * 0.8.0: Alpine linux was upgraded to 3.9 [#126][126]
 * 0.7.0: The value of the `MAX_PAGE_SIZE` environment variable was changed to `1000`, which is the default of Netbox.
@@ -391,6 +401,9 @@ The following is a list of breaking changes of the `netbox-docker` project:
 
 [54]: https://github.com/netbox-community/netbox-docker/issues/54
 [126]: https://github.com/netbox-community/netbox-docker/pull/126
+[131]: https://github.com/netbox-community/netbox-docker/pull/131
+[129]: https://github.com/netbox-community/netbox-docker/pull/129
+[133]: https://github.com/netbox-community/netbox-docker/pull/133
 
 ## Rebuilding & Publishing images
 

VERSION

@@ -1 +1 @@
-0.8.0
+0.13.0

build.sh

@@ -34,6 +34,9 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
   echo "  DOCKER_TAG The name of the tag which is applied to the image."
   echo "           Useful for pushing into another registry than hub.docker.com."
   echo "           Default: <DOCKER_ORG>/<DOCKER_REPO>:<BRANCH>"
+  echo "  DOCKER_SHORT_TAG The name of the short tag which is applied to the image."
+  echo "           This is used to tag all patch releases to their containing version e.g. v2.5.1 -> v2.5"
+  echo "           Default: <DOCKER_ORG>/<DOCKER_REPO>:\$MAJOR.\$MINOR"
   echo "  SRC_ORG  Which fork of netbox to use (i.e. github.com/<SRC_ORG>/<SRC_REPO>)."
   echo "           Default: digitalocean"
   echo "  SRC_REPO The name of the netbox for to use (i.e. github.com/<SRC_ORG>/<SRC_REPO>)."
@@ -83,6 +86,25 @@ SRC_REPO="${SRC_REPO-netbox}"
 BRANCH="${1}"
 URL="${URL-https://github.com/${SRC_ORG}/${SRC_REPO}/archive/$BRANCH.tar.gz}"
 
+# Checking which VARIANT to build
+VARIANT="${VARIANT-main}"
+if [ "$VARIANT" == "main" ]; then
+  DOCKERFILE="Dockerfile"
+else
+  DOCKERFILE="Dockerfile.${VARIANT}"
+fi
+
+# Fail fast
+if [ ! -f "${DOCKERFILE}" ]; then
+  echo "🚨 The Dockerfile ${DOCKERFILE} for variant '${VARIANT}' doesn't exist."
+
+  if [ -z "$DEBUG" ]; then
+    exit 1
+  else
+    echo "⚠️ Would exit here with code '1', but DEBUG is enabled."
+  fi
+fi
+
 # variables for tagging the docker image
 DOCKER_ORG="${DOCKER_ORG-netboxcommunity}"
 DOCKER_REPO="${DOCKER_REPO-netbox}"
@@ -94,25 +116,20 @@ case "${BRANCH}" in
   *)
     TAG="${TAG-$BRANCH}";;
 esac
+
 DOCKER_TAG="${DOCKER_TAG-${DOCKER_ORG}/${DOCKER_REPO}:${TAG}}"
-
-# Checking which VARIANT to build
-VARIANT="${VARIANT-main}"
-if [ "$VARIANT" == "main" ]; then
-  DOCKERFILE="Dockerfile"
-else
-  DOCKERFILE="Dockerfile.${VARIANT}"
+if [ "$VARIANT" != "main" ]; then
   DOCKER_TAG="${DOCKER_TAG}-${VARIANT}"
+fi
 
-  # Fail fast
-  if [ ! -f "${DOCKERFILE}" ]; then
-    echo "🚨 The Dockerfile ${DOCKERFILE} for variant '${VARIANT}' doesn't exist."
+if [[ "${TAG}" =~ ^v([0-9]+)\.([0-9]+)\.[0-9]+$ ]]; then
+  MAJOR=${BASH_REMATCH[1]}
+  MINOR=${BASH_REMATCH[2]}
 
-    if [ -z "$DEBUG" ]; then
-      exit 1
-    else
-      echo "⚠️ Would exit here with code '1', but DEBUG is enabled."
-    fi
+  DOCKER_SHORT_TAG="${DOCKER_SHORT_TAG-${DOCKER_ORG}/${DOCKER_REPO}:v${MAJOR}.${MINOR}}"
+
+  if [ "$VARIANT" != "main" ]; then
+    DOCKER_SHORT_TAG="${DOCKER_SHORT_TAG}-${VARIANT}"
   fi
 fi
 
@@ -159,10 +176,22 @@ if [ "${2}" != "--push-only" ] ; then
   echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'."
   $DOCKER_CMD build -t "${DOCKER_TAG}" "${DOCKER_BUILD_ARGS[@]}" "${DOCKER_OPTS[@]}" -f "${DOCKERFILE}" .
   echo "✅ Finished building the Docker images '${DOCKER_TAG}'"
+
+  if [ -n "$DOCKER_SHORT_TAG" ]; then
+    echo "🐳 Tagging image '${DOCKER_SHORT_TAG}'."
+    $DOCKER_CMD tag "${DOCKER_TAG}" "${DOCKER_SHORT_TAG}"
+    echo "✅ Tagged image '${DOCKER_SHORT_TAG}'"
+  fi
 fi
 
 if [ "${2}" == "--push" ] || [ "${2}" == "--push-only" ] ; then
   echo "⏫ Pushing '${DOCKER_TAG}"
   $DOCKER_CMD push "${DOCKER_TAG}"
   echo "✅ Finished pushing the Docker image '${DOCKER_TAG}'."
+
+  if [ -n "$DOCKER_SHORT_TAG" ]; then
+    echo "⏫ Pushing '${DOCKER_SHORT_TAG}'"
+    $DOCKER_CMD push "${DOCKER_SHORT_TAG}"
+    echo "✅ Finished pushing the Docker image '${DOCKER_SHORT_TAG}'."
+  fi
 fi

configuration/configuration.py

@@ -146,6 +146,7 @@ REDIS = {
     'PASSWORD': os.environ.get('REDIS_PASSWORD', read_secret('redis_password')),
     'DATABASE': os.environ.get('REDIS_DATABASE', '0'),
     'DEFAULT_TIMEOUT': os.environ.get('REDIS_TIMEOUT', '300'),
+    'SSL': os.environ.get('REDIS_SSL', 'False').lower() == 'true',
 }
 
 # The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of

configuration/ldap_config.py

@@ -3,6 +3,16 @@ import os
 
 from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
 
+# Read secret from file
+def read_secret(secret_name):
+    try:
+        f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
+    except EnvironmentError:
+        return ''
+    else:
+        with f:
+            return f.readline().strip()
+
 # Server URI
 AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '')
 
@@ -13,7 +23,7 @@ AUTH_LDAP_CONNECTION_OPTIONS = {
 
 # Set the DN and password for the NetBox service account.
 AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
-AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
+AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', read_secret('auth_ldap_bind_password'))
 
 # Set a string template that describes any user’s distinguished name based on the username.
 AUTH_LDAP_USER_DN_TEMPLATE = os.environ.get('AUTH_LDAP_USER_DN_TEMPLATE', None)

docker-compose.yml

@@ -12,13 +12,13 @@ services:
     - netbox-worker
     env_file: env/netbox.env
     volumes:
-    - ./startup_scripts:/opt/netbox/startup_scripts:ro
-    - ./initializers:/opt/netbox/initializers:ro
-    - ./configuration:/etc/netbox/config:ro
-    - ./reports:/etc/netbox/reports:ro
-    - netbox-nginx-config:/etc/netbox-nginx/
-    - netbox-static-files:/opt/netbox/netbox/static
-    - netbox-media-files:/opt/netbox/netbox/media
+    - ./startup_scripts:/opt/netbox/startup_scripts:z,ro
+    - ./initializers:/opt/netbox/initializers:z,ro
+    - ./configuration:/etc/netbox/config:z,ro
+    - ./reports:/etc/netbox/reports:z,ro
+    - netbox-nginx-config:/etc/netbox-nginx:z
+    - netbox-static-files:/opt/netbox/netbox/static:z
+    - netbox-media-files:/opt/netbox/netbox/media:z
   netbox-worker:
     <<: *netbox
     depends_on:

docker/docker-entrypoint.sh

@@ -39,10 +39,14 @@ if not User.objects.filter(username='${SUPERUSER_NAME}'):
     Token.objects.create(user=u, key='${SUPERUSER_API_TOKEN}')
 END
 
-for script in /opt/netbox/startup_scripts/*.py; do
-  echo "⚙️ Executing '$script'"
-  ./manage.py shell --interface python < "${script}"
-done
+if [ "$SKIP_STARTUP_SCRIPTS" == "true" ]; then
+  echo "☇ Skipping startup scripts"
+else
+  for script in /opt/netbox/startup_scripts/*.py; do
+    echo "⚙️ Executing '$script'"
+    ./manage.py shell --interface python < "${script}"
+  done
+fi
 
 # copy static files
 ./manage.py collectstatic --no-input

env/netbox.env

@@ -15,6 +15,7 @@ NAPALM_TIMEOUT=10
 MAX_PAGE_SIZE=1000
 REDIS_HOST=redis
 REDIS_PASSWORD=H733Kdjndks81
+REDIS_SSL=false
 SECRET_KEY=r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj
 SUPERUSER_NAME=admin
 SUPERUSER_EMAIL=admin@example.com