Docker, Google and SSL

Hi, Ken.

You won’t be able to usefully set DOMAIN and EMAIL as a function of first-launch from GCP, because at the moment the instance launches, you can’t yet have updated the domain records to point to the instance IP.

That said, the OpenEMR instance running on GCP is super-vanilla – there’s one tiny bit of run-once first time customization that runs when the instance is first launched (openemr-devops/vm-rekey.sh in the openemr/openemr-devops repo on GitHub resets the admin password to Google’s specs and the container SSL cert is wiped for regeneration). This means that you should have no issues with manipulating the docker-compose.yaml on your own terms and relaunching the container – or, if you intend to use vendor-supplied certs, simply injecting them and changing the Apache config to suit.

You may find your life would be easier yet if you chose to use the Lightsail script as your base directly – the primary reason I don’t find it HIPAA-eligible on AWS is the lack of encryption at rest, and Google doesn’t have that problem.

Please forgive my stupidity, but in this GCP docker hub deployment, if the docker-compose.yml file is in the container in the openemr project root, does changing it on the container do anything when the container is restarted? Or would I have to clone the openemr repo, edit that docker-compose.yml file, and run docker-compose from there to create a new container? If that’s the case, how can we preserve the documents and site data?

Hi @ken, on AWS at least you can just tweak the .yml file and rebuild the container.

@jesdynf, correct me if I’m wrong, but it’s best to get your SSL working first and then import an existing database so you don’t lose your efforts on the docker compose down and up.

For the path I’m describing, it’s not my intent to rebuild the container at all, although now that you ask I’m not 100% certain if it wouldn’t be better to stop the container with docker instead of rebuild with docker-compose.

Honestly I think what you should do is just try it, see what happens, and tell us how it went; worst case, the experiment should only be an hour’s worth of billing.

In no case should it be necessary to clone the main OpenEMR repo; openemr-devops was cloned into /root, and it didn’t pull in the OpenEMR repo, it used our prebuilt container.