Use well-maintained images and official repo instead of outdated stuff #9
I've changed the docker-compose file to use better maintained versions of the upstream dependencies and directly build the Nightscout NodeJS app instead of relying on an unmaintained fork.
Let's start with the dependencies:
I replaced the prologic Mosquitto build with the official Mosquitto build from the Eclipse Foundation.
This might not be so important as the only known security problem in Mosquitto was an authentication bypass, but no authentication is used in this setup anyways.
MongoDB by tutum was replaced by the official docker-community maintained version called mongo, which is also sponsored by Mongo Inc. (the developers of MongoDB).
The old MongoDB had several CVE security issues. Most of them can only be used in DoS attacks, but there were also 2 overflow errors which can potentially be used for reading sensitive information or modifying memory.
Last but not least the main dish:
The compose file in this repo uses a prebuilt docker image for the Nightscout NodeJS application that is based on a third party fork by user Fokko.
Said fork hasn't been updated in 2.5 years and is currently behind the master branch by about 1300 commits.
Why would anyone use a docker image explicitly marked for dev purposes only and use a version that's outdated by 2.5 years?
So this PR updates the docker-compose.yml file to bring things into the year 2018.
I've changed the compose file to version 3 syntax (available in Docker 1.13.0 from January 2017 and newer) in order to use the build from external repositories feature instead of relying on a prebuilt docker-image for the main app.
The dependencies have been updated to use the official versions of the apps:
Mosquitto is now using the official eclipse-mosquitto image from the Eclipse Foundation and should receive timely updates.
The same is true for the MongoDB version, which was replaced with the official mongo image.
I've also modified the comment inside this file about exposing the MongoDB port a bit, so that others who aren't that involved with development know when this is actually needed and that it's usually not necessary in 2018 anymore.
Hope others can profit from this as well.
I didn't touch any of the cloud deployment guides as I never tried to deploy docker containers on servers not managed by myself or my company.
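A compose file in the shape this PR describes, written here as an illustration and not taken from the PR's diff: version 3 syntax, the official eclipse-mosquitto and mongo images, the main app built from the upstream repository instead of a prebuilt image, and the MongoDB port left unpublished. The pinned image tags, the upstream repository URL and the MONGO_CONNECTION variable name are assumptions, not values from this page.

```yaml
version: "3"

services:
  # Official Eclipse Foundation image instead of the prologic build.
  mosquitto:
    image: eclipse-mosquitto:1.5      # pinned tag is an assumption; track the current stable release
    ports:
      - "1883:1883"

  # Official docker-community "mongo" image instead of tutum/mongodb.
  mongo:
    image: mongo:3.6                  # pinned tag is an assumption
    volumes:
      - mongo-data:/data/db
    # No "ports:" entry on purpose: MongoDB is reachable only by the other
    # services on the compose network. Publish 27017 only when an external
    # tool really needs it, and remove the mapping again afterwards.

  # Main app built from the upstream repository; compose v3 accepts a git URL
  # as the build context, so no third-party prebuilt image is needed.
  nightscout:
    build:
      context: https://github.com/nightscout/cgm-remote-monitor.git   # assumed upstream URL
    depends_on:
      - mongo
      - mosquitto
    ports:
      - "1337:1337"
    environment:
      # Variable name assumed from the upstream project's docs; the service name
      # "mongo" resolves on the compose network without publishing the port.
      MONGO_CONNECTION: mongodb://mongo:27017/nightscout

volumes:
  mongo-data:
```

Rebuilding with `docker-compose build --pull` refreshes the base image and the upstream checkout together, which is what keeps the app from drifting 2.5 years behind master again.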