{"id":13725430,"url":"https://github.com/Netflix/lemur-docker","last_synced_at":"2025-05-07T20:32:17.706Z","repository":{"id":44641749,"uuid":"41923990","full_name":"Netflix/lemur-docker","owner":"Netflix","description":"Docker files for the Lemur certificate orchestration tool","archived":false,"fork":false,"pushed_at":"2022-02-02T18:12:10.000Z","size":79,"stargazers_count":170,"open_issues_count":9,"forks_count":83,"subscribers_count":388,"default_branch":"master","last_synced_at":"2024-11-14T15:40:27.705Z","etag":null,"topics":["security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Netflix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-09-04T15:41:30.000Z","updated_at":"2024-08-03T23:53:02.000Z","dependencies_parsed_at":"2022-09-05T12:51:34.945Z","dependency_job_id":null,"html_url":"https://github.com/Netflix/lemur-docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Flemur-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Flemur-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Flemur-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netflix%2Flemur-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Netflix","download_url":"https://codeload.github.com/Netflix/lemur-docker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github
","repositories_count":252953715,"owners_count":21830890,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security"],"created_at":"2024-08-03T01:02:23.080Z","updated_at":"2025-05-07T20:32:17.249Z","avatar_url":"https://github.com/Netflix.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"Lemur Docker\n============\n\nFor full documentation on Lemur, please see the [docs](https://lemur.readthedocs.org).\n\nThis repo utilizes docker compose to launch a cluster of containers to support development of the Lemur project. \nThis is only meant for development and testing, not for production. See the [Issues](#Issues) section for information \nregarding productionalizing these containers.\n\nThis project builds the _current state_ of a checked out lemur repository subdirectory, meaning you may make changes and \nrebuild your container to pick them up. It also has the ability to dump and load another database, in case you want to  \ntest with a copy of a real Lemur DB. Alternatively, it has the option to initialize an empty database.  
\nCelery tasks will also run, if you choose to enable them.\n\n\nRequirements\n------------\n\n- Latest version of [Docker Engine](https://docs.docker.com/engine/install/) - minimum version 20\n- Latest version of [Docker Compose](https://docs.docker.com/compose/install/) - minimum version 1.27\n- Make (optional)\n\nPrepare\n------------\n\nCheck out the current repo:\n```bash\ngit clone git@github.com:Netflix/lemur-docker.git\ncd lemur-docker\n```   \n\nStarting\n------------\n\nOne `magic` command for all things that you need:\n```bash\nmake\n``` \nNOTE: all containers run in the background by default\nNOTE: make automatically resolves access rights to Docker if the containers were not started with `sudo`.   \nNOTE: make commands are tested on Linux and Mac. If you have any suggestions on how they can be improved for Windows, feel free to \nmake a [PR](https://github.com/Netflix/lemur-docker/pulls).\n\nStarting with more control\n--------\n\nCheck out the [lemur repo](https://github.com/Netflix/lemur) and make a local copy of the config files:\n\n```bash\ngit clone --depth=1 https://github.com/Netflix/lemur.git lemur-build-docker/lemur\ncp .lemur.env.dist .lemur.env\ncp .pgsql.env.dist .pgsql.env\n```    \n\nStart the containers:\n```bash\ndocker-compose up\n``` \n\nStopping\n--------\n```bash\ndocker-compose stop\n```     \n\nTry It Out\n----------\n\nLaunch a web browser and connect to your docker container at https://localhost:447. The default credentials are `lemur/admin`.\n\nArchitecture\n-------------\n\nThis project launches four containers:\n\n1. nginx\n1. postgres\n1. redis\n1. lemur\n\nExternally, only `nginx` exposes any ports. This container exposes TCP 87 and 447. We use standard ports to avoid conflicts.\n\nThe `lemur` container is built on a local copy of the Lemur code. 
It runs two processes via `supervisord`:\n\n- lemur\n- lemur-celery\n\nThe file `entrypoint` is used to perform setup and initialization both for postgres and lemur within the `lemur` container.\n\nNote that the `lemur` subdirectory is git ignored, so you may make changes to the lemur repository without causing any changes to show up in `lemur-docker`.\n\nConfiguration\n-------------\n\n*Lemur configuration*\nLemur configuration can happen in two places:\n - `.lemur.env` can be used for a few basic configuration overrides\n - `lemur.conf.py` must be used for any configuration that requires Python execution, and any options not available in `.lemur.env`\n\nNote that by default, the Celery process is running, but all Celery tasks are disabled. If you wish to enable a Celery task, it should be done in `lemur.conf.py`.\n\n`lemur.conf.py` is mounted on the container, so all you need to do to update these settings is to make the desired changes and restart the containers:\n```bash\ndocker-compose stop\ndocker-compose start\n``` \n\nYour changes should now be reflected in Lemur.\n\n*Database configuration*\nDatabase configuration is located in:\n- `.pgsql.env`\n\nThis Docker configuration includes three ways to run the database, controlled via the option `POSTGRES_DB_MODE` in `.pgsql.env`:\n- `init` will create a brand new Lemur database, initialized with base data\n- `load-from-dump` will use specified DB info to dump another database and load it into the container database (see `.pgsql.env` for config options)\n- blank/not set will reuse whatever data already exists in the volume `lemur-docker_pg_data`\n\nNote that the `init` and `load-from-dump` options will drop whatever data is already in the volume. Aside from those, \nexplicitly deleting the Docker volume will also delete all data. 
Otherwise, the volume is persistent and should contain \npersistent data across multiple runs of the Docker container.\n\nIssues\n------\n\n### Default credentials on the web UI\n\nThe username for the Lemur web UI is `lemur` and the default password is `admin` (unless overridden by environment \nvariable `LEMUR_ADMIN_PASSWORD`). You may create new users and disable this service account after the app has been launched.  \n\n### Default Config\n\nThis comes with a default `lemur.conf.py`.\nThings like encryption keys and tokens have been randomized in these configs, and **should** instead be generated and \npersisted securely for anything other than experimentation.\n\n### Default credentials on the postgres database\n\nThe username for the postgres database is `lemur` and the default password is `12345` (located in `.pgsql.env`).\n\n### Untrusted web certificate\n\nThe certificate used by nginx to serve Lemur in the container is self-signed and untrusted. You would need to use a \ntrusted certificate if you were to run this for anything other than experimentation.\n\nAlternatively, for local development, [mkcert](https://github.com/FiloSottile/mkcert) can be used to generate a locally-trusted development certificate\nand key. For nginx to use these files they must be mounted into the nginx container to `/etc/nginx/ssl/server.crt`\nand `/etc/nginx/ssl/server.key` respectively.\n\nExample:\n\n1. Generate a locally-trusted certificate and key for `localhost`\n\n   ```shell\n   mkcert localhost\n   ```\n\n2. Modify the nginx service in `docker-compose.yml` to mount the generated certificate and key\n\n   ```diff\n   --- a/docker-compose.yml\n   +++ b/docker-compose.yml\n   
@@ -33,6 +33,8 @@ services:\n          - appnet\n        volumes:\n          - app_data:/opt/lemur/lemur/static/dist:ro\n   +      - ./localhost.pem:/etc/nginx/ssl/server.crt:ro\n   +      - ./localhost-key.pem:/etc/nginx/ssl/server.key:ro\n        restart: on-failure\n        depends_on:\n          - lemur\n   ```\n\n3. Restart the containers\n\n   ```shell\n   make restart_containers\n   ```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNetflix%2Flemur-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNetflix%2Flemur-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNetflix%2Flemur-docker/lists"}