
SAML Support for docker

Open LoveSkylark opened this issue 1 year ago • 5 comments

Added a new variable that allows the docker to install plugins that are needed for SAML.

"rebased"

LoveSkylark avatar Oct 16 '24 13:10 LoveSkylark

I have one issue with this... INSTALL_PLUGINS is set up so that installing plugins only happens after the container is started, because it's a service in root-fs. That means running lnms plugin:add will require internet to work. Not everyone has internet access after an image is built and will be running internally ;)

A better way would be to install the plugins in the Dockerfile during image build, although this requires more steps to ensure things are done in the right order.

dot-mike avatar Dec 04 '24 14:12 dot-mike

This is by design - installing third-party plugins in the Docker image has two major drawbacks:

  1. You'd need to maintain and regularly update all included plugins within the image
  2. You'd need to predict and include all possible plugins users might need

Note: If you don't have Internet access, you likely won't be using SAML auth anyway.

This approach is a compromise - plugins are installed during container startup if needed, rather than being pre-installed. While this adds some startup time, it keeps the image lean and flexible, allowing you to use plugins only when required. The installation only occurs when the "INSTALL_PLUGINS" variable is set, so it only affects those willing to accept that startup cost.

LoveSkylark avatar Dec 06 '24 10:12 LoveSkylark

bump

LoveSkylark avatar Mar 12 '25 15:03 LoveSkylark

Here's how to add plugins during container build... just an example. As mentioned, not everyone has internet access in prod, but images can be built with internet access (i.e. proxy).

```dockerfile
# install custom plugins
RUN set -eux; \
  PLUGINS="dot-mike/nmscustomfields"; \
  for PLUGIN in $PLUGINS; do \
    FORCE=1 ./scripts/composer_wrapper.php require --update-no-dev $PLUGIN; \
    COMPOSER=composer.plugins.json ./scripts/composer_wrapper.php require --no-update $PLUGIN; \
  done


# refresh env
RUN echo $'#!/usr/bin/with-contenv sh\n\
  set -e\n\
  if [ "$SIDECAR_DISPATCHER" = "1" ] || [ "$SIDECAR_SYSLOGNG" = "1" ] || [ "$SIDECAR_SNMPTRAPD" = "1" ]; then\n\
  exit 0\n\
  fi\n\
  php artisan route:clear\n\
  lnms migrate --force --no-ansi --no-interaction\n\
  artisan cache:clear --no-interaction\n\
  artisan config:cache --no-interaction\n\
  ' > /etc/cont-init.d/99-plugins.sh
```


dot-mike avatar Mar 20 '25 09:03 dot-mike

@dot-mike Just to be clear, you want me to bake all the auth plugins into the docker image?

I spent some time figuring out how not to do that because I did not want to add bloat to the image for niche users, but I can easily do that. I just assumed that that would be rejected on the principle that you would not want to add 3rd party Laravel plugin support into the image.

LoveSkylark avatar Apr 28 '25 12:04 LoveSkylark
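
The startup-time install discussed in this thread passes an environment variable to `lnms plugin:add` each time the container starts. As an added example (not code from this pull request or from the LibreNMS image), here is one way an init script could validate that list first and fail closed. It assumes `INSTALL_PLUGINS` is a whitespace-separated list of Composer package names; `validate_plugins` and `plugin_commands` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: validate a plugin list before it reaches `lnms plugin:add`.
# Assumption: INSTALL_PLUGINS is a whitespace-separated list of Composer
# package names (vendor/package); the real variable format may differ.

# Composer's package-name grammar (lowercase vendor/name).
NAME_RE='^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]|-{1,2})?[a-z0-9]+)*$'

# Print each valid plugin name on its own line.
# Returns 1 if any entry is rejected, so the caller can fail closed.
validate_plugins() {
  rc=0
  set -f                      # no glob expansion while word-splitting
  for plugin in $1; do
    if printf '%s\n' "$plugin" | grep -Eq "$NAME_RE"; then
      printf '%s\n' "$plugin"
    else
      # Catches option-like entries (--flag), shell metacharacters, URLs.
      printf 'rejected plugin entry: %s\n' "$plugin" >&2
      rc=1
    fi
  done
  set +f
  return "$rc"
}

# Print the commands the init step would run (dry run). Nothing is printed
# unless every entry validated, so one bad entry blocks the whole list.
plugin_commands() {
  names=$(validate_plugins "$1") || return 1
  for n in $names; do
    printf 'lnms plugin:add %s\n' "$n"
  done
}

# Constructed sample input, using the package name from the post above.
plugin_commands "dot-mike/nmscustomfields"
```
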