OCTO:Installing the Docker image on a Windows system: Difference between revisions
(No difference)
| |
Revision as of 10:33, 2 July 2025
Running Octo in Docker-Desktop
The requirement for this setup is as follows:
- Docker-Desktop installed and running with WSL 2 enabled (see https://docs.docker.com/desktop/features/wsl)
- From Octo Downloads (Milestones or Nightly, depending on which version is needed), download the zipped tar and zipped scripts. As of writing the latest were octoserver_docker_kube-lin64-1.3.4_2025-06-30_17-40-31.zip (tar) and octoserver_docker_kube-yaml-1.3.4_2025-06-30_17-40-31.zip (scripts).
Octoserverk Image location
To use the Octo docker-compose.yaml in Docker-Desktop you need to setup a project directory from where the docker-compose for Octo will be started, for example c:/work/docker-desktop/octo-server. At this point you also should probably switch to this directory.
Unpack the zip files to the project directory (for example with the File Explorer or 7Zip).
From here on docker commands are run from a Windows powershell terminal in the project directory setup for the octo-server. The project directory should look something like this:
Before running the docker-compose command the octoserverk image must be available in the local docker repository. This can be done by using the octoserverk image (tar) or by pulling the image from the Harbor docker repository, which requires an enabled Harbor user.
Image load from remote location (pull from Harbor)
From the project directory do a docker login to the Harbor docker repository with:
docker login -u ?username? harbor.remainsoftware.com
After a successful login you can pull the latest octo image with the command
docker pull harbor.remainsoftware.com/octo-nightly/octoserverk:latest
After a successful pull the octoserverk image will be available in the local docker repository. To be able to use this image you will need to change the image definition used in the docker-compose.yaml to:
image: harbor.remainsoftware.com/octo-nightly/octoserverk:latest
Image load from local location
If you are not going to pull the Octo image from the Harbor docker repository then you do not need to change the image name in the docker-compose.yaml. But you do need to manually load the octoserverk image into the local docker repository. The docker command to do this is, is for example:
docker load -i octoserverk_1.3.4-250630.tar
Octo HTTP/HTTPS configuration
The HTTP/HTTP configuration might need to be updated if you want to test Octo locally using the HTTP protocol. By default, the HTTP/HTTPS setting is set to https-only, which will not allow the http protocol to be used with Octo. For local testing the docker-compose configuration for HTTP/HTTPS can be set to the following (see changes in bold):
ENABLE_HTTP: true # defaults to true if not set and NGINX_SUPPORT is enable
ENABLE_HTTPS: true # defaults to true if not set and NGINX_SUPPORT is enable...
ENABLE_HTTPS_ONLY: false # defaults to true if not set and NGINX_SUPPORT is enable...
HTTPS_ONLY_PORT: 8443 # defaults to 443 else assign to the nginx configured https port
CERT_HOSTNAME: localhost # for HTTPS leave empty if already providing certificates...
The above HTTP/HTTPS configuration will allow the use of HTTP and HTTPS, albeit HTTPS support (with a self-signed certificate) will not be available in all browsers even if the Octo server public certificate has been imported. Most browsers will allow you to continue use HTTPS but by adding an exception for the site. If you need the certificate then you can copy it to the local directory with the command: “docker-compose cp octo-service:/opt/remain/octo-server/nginx/ssl/tls.crt .”. Even with a certificate, experience is that chromium-based browsers are a problem. Firefox and Opera allow you to continue by setting a site exception.
Running the Octo-server container
When the image is available in the local docker repo and the correct image name is defined in the docker-compose.yaml, then the Octo container can be started with the command “docker-compose up -d”. With the command “docker-compose logs” you can check if the startup was successful (the container console output can also be viewed from the Docker-Desktop UI). The output will look something like this:
octo-nginx | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration octo-nginx | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/ octo-nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh octo-nginx | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist octo-nginx | /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh octo | 2025-06-30 10:40:06 INFO: initiating Octo app startup, user: octousr, current-dir: /opt/remain/octo-serverocto-nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh octo-nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d30-tune-worker-processes.sh octo-nginx | /docker-entrypoint.sh: Configuration complete; ready for start up octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: using the "epoll" event method octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: nginx/1.29.0 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: built by gcc 14.2.0 (Alpine 14.2.0) octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: OS: Linux 5.15.167.4-microsoft-standard-WSL2 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker processes octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 20 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 21 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 22 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 23 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 24 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 25 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 26 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 27 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 28 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 29 octo | 2025-06-30 10:40:06 INFO: creating server_conf.json in /opt/remain/octo-server/config octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 30 octo | 2025-06-30 10:40:06 INFO: creating db_conf.json in /opt/remain/octo-server/config octo | 2025-06-30 10:40:06 INFO: creating access_token.js in /opt/remain/octo-server/config octo | 2025-06-30 10:40:06 INFO: NGINX_SUPPORT: enable octo | 2025-06-30 10:40:06 INFO: ENABLE_HTTP: false octo | 2025-06-30 10:40:06 INFO: ENABLE_HTTPS: false octo | 2025-06-30 10:40:06 INFO: ENABLE_HTTPS_ONLY: true octo | 2025-06-30 10:40:06 INFO: HTTPS_ONLY_PORT: 8443 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 31
octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 32 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 33 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 34 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 35 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 36 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 37 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 38 octo-nginx | 2025/06/30 08:40:06 [notice] 1#1: start worker process 39 octo | 2025-06-30 10:40:06 INFO: creating tls certificate and key for host: 'devkube' in directory: /opt/remain/octo-server/nginx/ssl octo | Generating a RSA private key octo | .....+++++ octo | .....+++++ octo | writing new private key to '/opt/remain/octo-server/nginx/ssl/tls.key' octo | ----- octo | 2025-06-30 10:40:06 INFO: installing default Octo-Nginx HTTPS configuration octo | 2025-06-30 10:40:06 INFO: installing default Octo-Nginx HTTP to HTTPS redirect configuration octo | 2025-06-30 10:40:06 INFO: update HTTPS port number on HTTP redirect, port: 8443 octo | 2025-06-30 10:40:06 INFO: updating file permission of Nginx configurations octo | 2025-06-30 10:40:06 INFO: start MongoDB on port 27017, log-file: /opt/remain/octo-server/log/mongodb.log octo | 2025-06-30 10:40:06 INFO: MongoDB started on PID: 68 octo | 2025-06-30 10:40:11 INFO: check availability of MongoDB... octo | 2025-06-30 10:40:12 INFO: MongoDB is available octo | 2025-06-30 10:40:12 INFO: starting cron for background job processing octo | 2025-06-30 10:40:12 INFO: creating backup.env in /opt/remain/octo-server/config/env octo | 2025-06-30 10:40:12 INFO: starting node server.js in: /opt/remain/octo-server/server octo | 2025-06-30T10:40:12.303 [INFO] [default] log4js setup completed, log file: /opt/remain/octo-server/log/octo.log octo | 2025-06-30T10:40:12.981 [INFO] [Store Service] Octo Admin DB trying to connect... octo | 2025-06-30T10:40:12.982 [INFO] [Store Service] Octo Admin Database name: octo octo | 2025-06-30T10:40:13.361 [INFO] [Octo Server] Octo Server started octo | 2025-06-30T10:40:13.362 [INFO] [Octo Server] Octo Server available on http://172.18.0.2:47007 octo | 2025-06-30T10:40:13.370 [INFO] [Store Service] Octo Admin DB connected successfully! octo | 2025-06-30T10:40:13.370 [INFO] [Store Service] MongoDB Driver Version: 6.10.0 octo | 2025-06-30T10:40:13.370 [INFO] [Store Service] Mongoose Version: 6.13.8 octo | 2025-06-30T10:40:13.378 [INFO] [Store Service] MongoDB Server Version: 6.0.9 octo | 2025-06-30T10:40:13.386 [INFO] [Store Service] MongoDB Server Compatibility Version: 6.0 octo | 2025-06-30T10:40:13.387 [WARN] [Store Service] MongoDB Server Compatibility Version (6.0) does not match the MongoDB Server Version (6.0.9) octo | 2025-06-30T10:40:13.389 [INFO] [Session Log Service] Checking sign-in logs to purge... octo | 2025-06-30T10:40:13.393 [WARN] [Configuration Service] checkProductConfig() Failed to initialize the host name because the product configuration doesn't exist! This warning should not appear once you configure and save the email SMTP server settings using Octo Admin > Email. octo | 2025-06-30T10:40:13.395 [INFO] [Tenant Service] Initializing tenants... octo | 2025-06-30T10:40:13.395 [INFO] [Tenant Service] Initializing tenants... Found: 0 organizations octo | 2025-06-30T10:40:13.395 [INFO] [Tenant Service] Initializing tenants... Done! octo | 2025-06-30T10:40:13.396 [INFO] [Session Log Service] Checking sign-in logs to purge... No configurations found! Reverting to default settings. octo | 2025-06-30T10:40:13.396 [INFO] [Session Log Service] Purging 'failed' sign-ins logs older than 365 days... octo | 2025-06-30T10:40:13.397 [INFO] [Session Log Service] Purging 'successful' sign-ins logs older than 365 days... octo | 2025-06-30T10:40:13.399 [INFO] [Session Log Service] Purged 0 'successful' sign-in logs. octo | 2025-06-30T10:40:13.399 [INFO] [Session Log Service] Purging 'successful' sign-in logs to purge... Done octo | 2025-06-30T10:40:13.399 [INFO] [Session Log Service] Purged 0 'failed' sign-in logs. octo | 2025-06-30T10:40:13.399 [INFO] [Session Log Service] Purging 'failed' sign-in logs to purge... Done
Docker-Desktop will show the following:
First task in the Octo-server setup is the configuration of the email data. To be able to do this a user has to be registered, followed by a login with the registered username using the Octo server admin token as the password.
Get the Octo admin token
The admin token can be retrieved using the script dc_admintoken.sh (in the same zip file as the docker-compose.yaml). Once the script is run with: ‘./ dc_admintoken.sh’, the file admin.token will be created in the project directory, the created file will contain the password (token) that can be used for an admin login. If you do not have the dc_admintoken.sh script readily available, you can use the command:
docker-compose exec octo-service grep "exports.ADMIN_ACCESS_TOKEN =" /opt/remain/octo-server/config/access_token.js
The output of this command will be similar to the text below:
exports.ADMIN_ACCESS_TOKEN = "fa4dbe12-a826-49d8-9377-649a2b518c32";
The admin token will be the quoted id but without the quotes.
For here on Octo is available from a web browser, either as http://localhost:8080 or https:/localhost:8443 (using Firefox or Opera).
Vulnerabilities with status high
Qs 6.5.3 CVE-2022-24999
+-- express@4.18.2 | +-- body-parser@1.20.1 | | `-- qs@6.11.0 deduped | `-- qs@6.11.0 `-- request@2.88.2 `-- qs@6.5.3
Summary qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
Note that the vulnerability has been fixed and back ported to qs version 6.5.3 (and others, see https://github.com/ljharb/qs/pull/428), the back ported and safe version is being used in Octoserver as a dependency of request 2.88.2.
Dicer 0.3.1 CVE-2022-24434
+-- dicer@0.3.1
Summary This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. A complete denial of service can be achieved by sending the malicious form in a loop.
There is no fix available for this issue. We are working on replacing dicer.
A word on sending modified data and prototype pollution vulnerability as is possible with the javascript __proto__ key.
The way Octoserver interacts with the back-end is not sensitive to how prototype pollution can be applied i.e. an unauthenticated request in which a javascript __proto___ key is injected into the request payload. With Octoserver every back-end call is authenticated by a token in the supplied request, unauthenticated requests will not be processed, furthermore all Octoserver requests are backed by a REST API which fully sanitize input requests and make it impossible to manipulate the request data to have the API execute unauthorized actions or exploit security vulnerabilities.