[FOLIO-3314] Set up Docker Team for FOLIO Project Created: 18/Oct/21  Updated: 23/Mar/23

Status: In Progress
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: TBD
Reporter: Peter Murray Assignee: Peter Murray
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Attachments: PNG File image-2023-03-23-17-32-21-978.png    
Issue links:
Relates
relates to FOLIO-2844 Create a Docker Hub account for the `... Closed
relates to FOLIO-2722 Set up Docker Hub organization beyond... Closed
Sprint: DevOps Sprint 160
Development Team: FOLIO DevOps

 Description   

Currently, we use one Docker Hub account called 'folio' which is currently under the "Docker personal plan" (i.e., the free tier). Under this account there are three "organizations" - folioorg, folioci, and foliolib. 'folioorg' and 'folioci' are essentially Docker Hub namespaces for FOLIO releases and snapshots respectively. 'foliolib' is currently unused. Under this "personal plan", we are a bit limited in what we can do. For example:

  • only one unscoped access token can be generated. By unscoped, I mean the token grants read/write/delete privileges to all organizations. It would be useful to be able to grant multiple tokens with a more limited scope.
  • maximum of 3 members per organization. A "member" in this context is a Docker Hub account that has access to the organization.
  • maximum of two teams per organization. The first team is a mandatory "owners" team that has admin privs. The second team is currently used by the FOLIO Jenkins account for read/write to all repos under each organization.

What I'd like to accomplish is the ability for repos in github.com/library-data-platform to publish artifacts to the folioorg namespace for ldp, etc. via GitHub Actions workflows. However, I do not want that GitHub org to use the same Jenkins credentials that folio-org uses to publish to the folioorg namespace. I feel like that's a bit dangerous since those credentials are too permissive. I'd prefer to use an account with credentials that can only write to certain Docker Hub repos. However, I'm unable to accomplish this due to the limitations above.

Ultimately, it would be kind of cool to be able to publish FOLIO docker artifacts (modules, etc.) from different GitHub repositories (or anywhere else) to the Docker Hub folioorg namespace. In order to do this safely, however, we need additional capacity to add additional members and teams to this Docker Hub account. I feel like we can accomplish this by upgrading the Docker Hub 'folio' account to the "Team plan" and start with 5 members initially. The cost would be $35 per month and would also get additional Docker Hub features.



 Comments   
Comment by Peter Murray [ 18/Oct/21 ]

From: Peter Murray <peter.murray@openlibraryfoundation.org>
Date: Oct 18, 2021, 3:48 PM -0400
To: Marina Kvitnitsky <opensource@docker.com>
Subject: Docker support for Team plans for open source projects (was: Welcome to Docker Open Source Program)

Hello Marina,

Thank you again for recognizing the FOLIO Project in the Docker Open Source Program.  Since we last exchanged email in November, the FOLIO platform has had two major releases and been installed in another half-dozen libraries around the world with more coming.  (First libraries in Asia and South America!)  We are starting to see the project's vision of an open source "platform of apps for libraries", but as this vision meets reality we are finding our complications in adding open source apps from outside the FOLIO project to the continuous integration and the hosted reference environments.  One of the project's devops engineers described it this way:

_Currently, we use one Docker Hub account called 'folio' which is currently under the "Docker personal plan" (i.e., the free tier). Under this account there are three "organizations" - folioorg, folioci, and foliolib. 'folioorg' and 'folioci' are essentially Docker Hub namespaces for FOLIO releases and snapshots respectively. 'foliolib' is currently unused. Under this "personal plan", we are a bit limited in what we can do. For example:_

  • only one unscoped access token can be generated. By unscoped, I mean the token grants read/write/delete privileges to all organizations. It would be useful to be able to grant multiple tokens with a more limited scope.
  • maximum of 3 members per organization. A "member" in this context is a Docker Hub account that has access to the organization.
  • maximum of two teams per organization. The first team is a mandatory "owners" team that has admin privs. The second team is currently used by the FOLIO Jenkins account for read/write to all repos under each organization.

_What I'd like to accomplish is the ability for repos in github.com/library-data-platform to publish artifacts to the folioorg namespace for ldp, etc. via GitHub Actions workflows. However, I do not want that GitHub org to use the same Jenkins credentials that folio-org uses to publish to the folioorg namespace. I feel like that's a bit dangerous since those credentials are too permissive. I'd prefer to use an account with credentials that can only write to certain Docker Hub repos. However, I'm unable to accomplish this due to the limitations above._

_Ultimately, it would be kind of cool to be able to publish FOLIO docker artifacts (modules, etc.) from different GitHub repositories (or anywhere else) to the Docker Hub folioorg namespace. In order to do this safely, however, we need additional capacity to add additional members and teams to this Docker Hub account. I feel like we can accomplish this by upgrading the Docker Hub 'folio' account to the "Team plan" and start with 5 members initially. The cost would be $35 per month and would also get additional Docker Hub features._

LDP is the "Library Data Platform"—a new project that we are incubating at the Open Library Foundation.  I expect we will also face the same complication with Project ReShare—an effort to have open source alternatives to manage the exchange of materials between libraries that is also a set of apps on the FOLIO platform.

Does Docker have a program for supporting complicated open source programs like this?  I looked on TechSoup.org for the easy path—Docker providing gratis or discounted Team plan licenses—but didn't see anything.

Peter

Comment by Peter Murray [ 29/Nov/21 ]

Resent email to William Quiviger.

Comment by Peter Murray [ 23/Mar/23 ]

It looks like the FOLIO organization on Docker Hub is affected by this.  From: What to know about the end of Docker Free Teams...

How can I see if I’m affected?

Please consult the Organizations page of your Docker account; any affected organizations are labeled “Docker Free Team” in the “Subscription” column. Less than 2% of Docker users have a Free Team organization on their account.

Even if some of your organizations are affected, your individual Docker account (or other organizations) will not be affected by this change.

I have submitted an application to the Docker-Sponsored Open Source Program.
