|
@@ -1,5 +1,53 @@
|
|
|
# Advanced Configuration
|
|
# Advanced Configuration
|
|
|
|
|
|
|
|
|
|
+## Best Practice: Use a docker network
|
|
|
|
|
+
|
|
|
|
|
+For those who have a few of their upstream services running in docker on the same docker
|
|
|
|
|
+host as NPM, here's a trick to secure things a bit better. By creating a custom docker network,
|
|
|
|
|
+you don't need to publish ports for your upstream services to all of the docker host's interfaces.
|
|
|
|
|
+
|
|
|
|
|
+Create a network, ie "scoobydoo":
|
|
|
|
|
+
|
|
|
|
|
+```bash
|
|
|
|
|
+docker network create scoobydoo
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
|
|
+Then add the following to the `docker-compose.yml` file for both NPM and any other
|
|
|
|
|
+services running on this docker host:
|
|
|
|
|
+
|
|
|
|
|
+```yml
|
|
|
|
|
+networks:
|
|
|
|
|
+ default:
|
|
|
|
|
+ external:
|
|
|
|
|
+ name: scoobydoo
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
|
|
+Let's look at a Portainer example:
|
|
|
|
|
+
|
|
|
|
|
+```yml
|
|
|
|
|
+version: '3'
|
|
|
|
|
+services:
|
|
|
|
|
+
|
|
|
|
|
+ portainer:
|
|
|
|
|
+ image: portainer/portainer
|
|
|
|
|
+ privileged: true
|
|
|
|
|
+ volumes:
|
|
|
|
|
+ - './data:/data'
|
|
|
|
|
+ - '/var/run/docker.sock:/var/run/docker.sock'
|
|
|
|
|
+ restart: always
|
|
|
|
|
+
|
|
|
|
|
+networks:
|
|
|
|
|
+ default:
|
|
|
|
|
+ external:
|
|
|
|
|
+ name: scoobydoo
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
|
|
+Now in the NPM UI you can create a proxy host with `portainer` as the hostname,
|
|
|
|
|
+and port `9000` as the port. Even though this port isn't listed in the docker-compose
|
|
|
|
|
+file, it's "exposed" by the portainer docker image for you and not available on
|
|
|
|
|
+the docker host outside of this docker network. The service name is used as the
|
|
|
|
|
+hostname, so make sure your service names are unique when using the same network.
|
|
|
|
|
+
|
|
|
## Docker Secrets
|
|
## Docker Secrets
|
|
|
|
|
|
|
|
This image supports the use of Docker secrets to import from file and keep sensitive usernames or passwords from being passed or preserved in plaintext.
|
|
This image supports the use of Docker secrets to import from file and keep sensitive usernames or passwords from being passed or preserved in plaintext.
|
|
@@ -34,7 +82,7 @@ services:
|
|
|
DB_MYSQL_PORT: 3306
|
|
DB_MYSQL_PORT: 3306
|
|
|
DB_MYSQL_USER: "npm"
|
|
DB_MYSQL_USER: "npm"
|
|
|
# DB_MYSQL_PASSWORD: "npm" # use secret instead
|
|
# DB_MYSQL_PASSWORD: "npm" # use secret instead
|
|
|
- DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
|
|
|
|
|
|
|
+ DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
|
|
|
DB_MYSQL_NAME: "npm"
|
|
DB_MYSQL_NAME: "npm"
|
|
|
# If you would rather use Sqlite uncomment this
|
|
# If you would rather use Sqlite uncomment this
|
|
|
# and remove all DB_MYSQL_* lines above
|
|
# and remove all DB_MYSQL_* lines above
|
|
@@ -55,7 +103,7 @@ services:
|
|
|
MYSQL_DATABASE: "npm"
|
|
MYSQL_DATABASE: "npm"
|
|
|
MYSQL_USER: "npm"
|
|
MYSQL_USER: "npm"
|
|
|
# MYSQL_PASSWORD: "npm" # use secret instead
|
|
# MYSQL_PASSWORD: "npm" # use secret instead
|
|
|
- MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
|
|
|
|
|
|
|
+ MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
|
|
|
volumes:
|
|
volumes:
|
|
|
- ./data/mysql:/var/lib/mysql
|
|
- ./data/mysql:/var/lib/mysql
|
|
|
```
|
|
```
|
jc21