JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 45

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 46

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • agent
    • build.sh
    • build
      • Dockerfile
      • entrypoint.sh
      • start-agent.sh
      • config

The root directory agent can have any name. Note that build script listed below will, by default, use the directory name and release number to determine the resulting image name.

The build script build.sh,  and entrypoint script entrypoint.sh and Agent start script start-agent.sh are described below.

Dockerfile

...

Code Block
languagebash
titleDockerfile for Agent Image
linenumberstrue
collapsetrue
# BUILD PRE-IMAGE

FROM alpine:latest AS js7-pre-image

# provide build arguments for release information
ARG JS_RELEASE
ARG JS_RELEASE_MAJOR
ARG JS_HTTP_PORT=${JS_HTTP_PORT:-4445}

# add/copy tarball
ADD https://download.sos-berlin.com/JobScheduler.${JS_RELEASE_MAJOR}/js7_agent_unix.${JS_RELEASE}.tar.gz /usr/local/src/
# COPY js7_agent_unix.${JS_RELEASE}.tar.gz /usr/local/src/

RUN mkdir -p /var/sos-berlin.com/js7 && \
    test -e /usr/local/src/js7_agent_unix.${JS_RELEASE}.tar.gz && \
    tar xfvz /usr/local/src/js7_agent_unix.${JS_RELEASE}.tar.gz -C /var/sos-berlin.com/js7

# add entrypoint script and start script
COPY entrypoint.sh /var/sos-berlin.com/js7/
COPY start-agent.sh /var/sos-berlin.com/js7/

# copy default configuration
COPY config/ /var/sos-berlin.com/js7/agent/var_$JS_HTTP_PORT/config/

# BUILD IMAGE

FROM alpine:latest AS js7-image

LABEL maintainer="Software- und Organisations-Service GmbH"

# provide build arguments for release information
ARG JS_RELEASE
ARG JS_RELEASE_MAJOR

# default user id has to match later run-time user
ARG JS_USER_ID=${UID:-1001}
ARG JS_HTTP_INTERFACEPORT=${JS_HTTP_INTERFACEPORT:-""4445}
ARG JS_HTTPHTTPS_PORT=${JS_HTTPHTTPS_PORT:-4445""}
ARG JS_HTTPSJAVA_INTERFACEOPTIONS=${JS_HTTPS_INTERFACE:-""}
ARG JS_HTTPS_PORT=${JS_HTTPS_PORT:-""}
ARG JS_JAVA_OPTIONS=${JS_JAVA_OPTIONS}

JAVA_OPTIONS}

# JS7 JobScheduler user id, ports and Java options
ENV RUN_JS_USER_ID=${RUN_JS_USER_ID:-1001}
ENV RUN_JS_HTTP_INTERFACEPORT=${RUN_JS_HTTP_INTERFACEPORT:-$JS_HTTP_INTERFACEPORT}
ENV RUN_JS_HTTPHTTPS_PORT=${RUN_JS_HTTPHTTPS_PORT:-$JS_HTTP_PORT}
ENV RUN_JS_HTTPSJAVA_INTERFACEOPTIONS=${RUN_JS_HTTPSJAVA_INTERFACEOPTIONS:-$JS_HTTPSJAVA_INTERFACEOPTIONS}

ENV RUN_JS_HTTPS_PORT=${RUN_JS_HTTPS_PORT}
ENV RUN_JS_JAVA_OPTIONS=${RUN_JS_JAVA_OPTIONS:-$JS_JAVA_OPTIONS}

COPY --COPY --from=js7-pre-image ["/var/sos-berlin.com/js7", "/var/sos-berlin.com/js7"]

# INSTALLATION

# install process tools, net tools, bash, openjdk
# for JDK < 12, /dev/random does not provide sufficient entropy, see https://kb.sos-berlin.com/x/lIM3
# make default user the owner of directories
RUN apk update && apk add --no-cache \
    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
    procps \
    net-tools \
    su-exec \
    bash \
    shadow \
    openjdk8 && \
    adduser -u ${JS_USER_ID:-1001} --disabled-password --home /home/jobscheduler --shell /bin/bash jobscheduler jobscheduler && \
    chown -R jobscheduler:jobscheduler /var/sos-berlin.com && \
    mv /var/sos-berlin.com/js7/entrypoint.sh /usr/local/bin/ && \
    chmod mv+x /usr/var/sos-berlin.com/js7/start-agent.sh /usr/local/bin/ && \
    chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/start-agentlocal/bin/entrypoint.sh && \
    sed -i 's/securerandom.source=file:\/dev\/random/securerandom.source=file:\/dev\/urandom/g' /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security

# MULTI-STAGE BUILDS

# <powershell>

# START

ENTRYPOINT ["sh", "/usr/local/bin/entrypoint.sh"]

CMD ["/usr/localvar/sos-berlin.com/js7/agent/bin/start-agent.sh", "--http-port=$RUN_JS_HTTP_INTERFACE:$RUN_JS_HTTP_PORT", "--https-port=$RUN_JS_HTTPS_INTERFACE:$RUN_JS_HTTPS_PORT", "--java-options=\"$RUN_JS_JAVA_OPTIONS\""]]

Explanation:

  • The build script implements two stages to exclude installer files from the resulting image.
  • Line 3: The base image is the current Alpine image at build-time.
  • Line 6 - 8: The release identification is injected by build arguments. This information is used to determine the tarball to be downloaded or copied.
  • Line 11 - 12: You can either download the Agent tarball directly from the SOS web site or you store the tarball with the build directory and copy from this location.

  • Line 14 - 16: The tarball is extracted. For Unix Agents no installer is used.

  • Line 19: The entrypoint.sh script is copied from the build directory to the image. Users can apply their own version of the entrypoint script. The entrypoint script used by SOS looks like this:
    Download: entrypoint.sh

    Code Block
    languagebash
    titleEntrypoint Script
    linenumberstrue
    collapsetrue
    #!/bin/sh

JSjs_USER_ID=`echo args=""

if [ ! "$RUN_JS_USERHTTP_IDPORT" |= cut"" -d ':' -f 1`
JS_GROUP_ID=`echo ] && [ ! "$RUN_JS_USERHTTP_IDPORT" | cut -d ':' -f 2`

BUILD_GROUP_ID=`cat /etc/group | grep jobscheduler | cut -d ':' -f 3`
BUILD_USER_ID=`cat /etc/passwd | grep jobscheduler | cut -d ':' -f 4`

if [ "$(id -u)" = "0= ":" ]
then
  js_args="$js_args --http-port=$RUN_JS_HTTP_PORT"
fi

if [ ! "$RUN_JS_HTTPS_PORT" = "" ] && [ ! "$RUN_JS_HTTPS_PORT" = ":" ]
then
  if [ ! "$BUILD_USER_ID" = "$JS_USER_ID" ]
  then
    echo "JS7 entrypoint script preparing switch of image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'"
    usermod -u $JS_USER_ID jobscheduler
    groupmod -g $JS_GROUP_ID jobscheduler
    find /var/sos-berlin.com/ -group $BUILD_GROUP_ID -exec chgrp -h jobscheduler {} \;
    find /var/sos-berlin.com/ -user $BUILD_USER_ID -exec chown -h jobscheduler {} \;
  fi

  echo "JS7 entrypoint script switching to user account 'jobscheduler' to run start script"
  exec su jobscheduler -c "$*"
else
  if [ "$BUILD_USER_ID" = "$JS_USER_ID" ]
  then
    if [ "$(id -u)" = "$JS_USER_ID" ]
    then
      echo "JS7 entrypoint script running for user id '$(id -u)'"
    else
    js_args="$js_args --https-port=$RUN_JS_HTTPS_PORT"
fi

if [ ! "$RUN_JS_JAVA_OPTIONS" = "" ]
then
  js_args="$js_args --java-options=$RUN_JS_JAVA_OPTIONS"
fi

JS_USER_ID=`echo $RUN_JS_USER_ID | cut -d ':' -f 1`
JS_GROUP_ID=`echo $RUN_JS_USER_ID | cut -d ':' -f 2`

BUILD_GROUP_ID=`cat /etc/group | grep jobscheduler | cut -d ':' -f 3`
BUILD_USER_ID=`cat /etc/passwd | grep jobscheduler | cut -d ':' -f 4`

if [ "$(id -u)" = "0" ]
then
  if [ ! "$BUILD_USER_ID" = "$JS_USER_ID" ]
  then
    echo "JS7 entrypoint script switchng ownership of image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'"
    usermod -u $JS_USER_ID jobscheduler
    groupmod -g $JS_GROUP_ID jobscheduler
    find /var/sos-berlin.com/ -group $BUILD_GROUP_ID -exec chgrp -h jobscheduler {} \;
    find /var/sos-berlin.com/ -user $BUILD_USER_ID -exec chown -h jobscheduler {} \;
  fi

  echo "JS7 entrypoint script runningswitching forto user idaccount '$(id -u)jobscheduler' cannotto switchrun to user id '$JS_USER_ID', group id '$JS_GROUP_ID'"
      start script"
  echo "JS7 entrypoint script missingstarting permissionAgent: toexec switch user id and group id, consider to omit the 'docker run --user' option"
    fi
  else
    echo "su-exec jobscheduler:$JS_GROUP_ID /var/sos-berlin.com/js7/agent/bin/agent.sh start_docker $js_args"
  exec su-exec jobscheduler:$JS_GROUP_ID /var/sos-berlin.com/js7/agent/bin/agent.sh start_docker $js_args
else
  if [ "$BUILD_USER_ID" = "$JS_USER_ID" ]
  then
    if [ "$(id -u)" = "$JS_USER_ID" ]
    then
      echo "JS7 entrypoint script running for user id '$(id -u)'"
 cannot switch image  else
      echo "JS7 entrypoint script running for user id '$BUILD_USER_ID' ->$(id -u)' cannot switch to user id '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'"
      echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option"
    fi
  else
  exec sh -c "$*"
fi

    Line 20: The start-agent.sh script is copied from the build directory to the image. Users can apply their own version of the start script. The start script used by SOS looks like this:
    Download: start-agent.sh

    Code Block
    languagebash
    titleAgent Start Script
    linenumberstrue
    collapsetrue
    #!/bin/sh

js_http_port=""
js_https_port=""
js_java_options=""

for option in "$@"
do
  case "$option" in
         --http-port=*)    js_http_port=`echo "$option" | sed 's/--http-port=//'`
                           ;;
         --https-port=*)   js_https_port=`echo "$option" | sed 's/--https-port=//'`
                           ;;
         --java-options=*) js_java_options=`echo "$option" | sed 's/--java-options=//'`
                           ;;
         *)                echo "unknown argument: $option"
                           exit 1
                           ;;
  esac
done


js_args=""

if [ ! "$js_http_port" = "" ] && [ ! "$js_http_port" = ":" ]
then
  js_args="$js_args --http-port=$js_http_port"
fi

if [ ! "$js_https_port" = "" ] && [ ! "$js_https_port" = ":" ]
then
  js_args="$js_args --https-port=$js_https_port"
fi

if [ ! "$js_java_options" = "" ]
then
  js_args="$js_args --java-options=$js_java_options"
fi

echo "starting Agent: echo "JS7 entrypoint script running for user id '$(id -u)' cannot switch image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'"
    echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option"
  fi

  echo "JS7 entrypoint script starting Agent: exec sh -c /var/sos-berlin.com/js7/agent/bin/agent.sh start_docker $js_args"
  exec sh -c "/var/sos-berlin.com/js7/agent/bin/agent.sh start_docker $js_args && tail -f /dev/null"
fi

  • Line 20: 


  • Line 23: The config folder available in the build directory is copied to the config sub-folder in the image. The parent folder var_<port> is determined from the HTTP port that the Agent is built for. This can be useful to create an image with individual default settings in configuration files, see JS7 - Agent Configuration Items.
  • Line 36 - 41: Defaults for the user id running the Agent inside the container as well as HTTP and HTTPS ports are provided. These values can be overwritten by providing the respective build arguments.
  • Line 44 - 49: Environment variables are provided at run-time, not at build-time. They can be used to specify ports and Java options when running the container.
  • Line 58 - 62: The image OS is updated and additional packages are installed (ps, netstat, bash).
  • Line 64: The most recent Java 1.8 package available with Alpine is applied. Agents can be operated with newer Java releases, however, stick to Oracle, OpenJDK or AdoptOpenJDK as the source for your Java LTS release. Alternatively you can use your own base image and install Java 1.8 or later on top of this.
  • Line 64: The jobscheduler user account is created and is assigned the user id and group id handed over by the respective build arguments. This translates to the fact that the account running the Agent inside the container and the account that starts the container are assigned the same user id and group id. This allows the account running the container to access any files created by the Agent in mounted volumes with identical permissions.
  • Line 66 - 69: The jobscheduler user account is made the owner of installed files and the entrypoint script and start script is made executable.
  • Line 70: Java releases < Java 12 make use of /dev/random for random number generation. This is a bottleneck as random number generation with this file is blocking. Instead /dev/urandom should be used that implements non-blocking behavior. The change of the random file is applied to the Java security file.
  • Line 78-80: The entrypoint script and start script is executed and is dynamically parameterized from environment variables that are forwarded when starting the container.

...