Page History
...
controller
build.sh
build
Dockerfile
entrypoint.sh
start-controller.sh
config
The root directory controller
can have any name. Note that build script listed below will, by default, use the directory name and release number to determine the resulting image name.
The build script build.sh
, and entrypoint script entrypoint.sh
and Controller start script start-controller.sh
are described below.
Dockerfile
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
# BUILD PRE-IMAGE FROM alpine:latest AS js7-pre-image # provide build arguments for release information ARG JS_RELEASE ARG JS_RELEASE_MAJOR # add/copy installation tarball ADD https://download.sos-berlin.com/JobScheduler.${JS_RELEASE_MAJOR}/js7_controller_unix.${JS_RELEASE}.tar.gz /usr/local/src/ # COPY js7_controller_unix.${JS_RELEASE}.tar.gz /usr/local/src/ RUN mkdir -p /var/sos-berlin.com/js7 && \ test -e /usr/local/src/js7_controller_unix.${JS_RELEASE}.tar.gz && \ tar xfvz /usr/local/src/js7_controller_unix.${JS_RELEASE}.tar.gz -C /var/sos-berlin.com/js7/ # add entrypoint script and start script COPY entrypoint.sh /var/sos-berlin.com/js7/ COPY start-controller.sh /var/sos-berlin.com/js7/ # copy configuration COPY config/ /var/sos-berlin.com/js7/controller/var/config/ # BUILD IMAGE FROM alpine:latest AS js7-image LABEL maintainer="Software- und Organisations-Service GmbH" # provide build arguments for release information ARG JS_RELEASE ARG JS_RELEASE_MAJOR # image user id has to match later run-time user id ARG JS_USER_ID=${JS_USER_ID:-1001} ARG JS_ID=${JS_ID:-jobscheduler} ARG JS_HTTP_INTERFACE=${JS_HTTP_INTERFACE:-""} ARG JS_HTTP_PORT=${JS_HTTP_PORT:-4444} ARG JS_HTTPS_INTERFACEPORT=${JS_HTTPS_INTERFACEPORT:-""} ARG JS_HTTPSJAVA_PORTOPTIONS=${JS_HTTPS_PORT:-""} ARG JS_JAVA_OPTIONS=${JS_JAVA_OPTIONS} # JS7 user id, Controller ID, ports and Java optionsa ENV RUN_JS_USER_ID=${RUN_JS_USER_ID:-1001} ENV RUN_JS_ID=${RUN_JS_ID:-$JS_ID} ENV RUN_JS_HTTP_INTERFACEPORT=${RUN_JS_HTTP_INTERFACEPORT:-$JS_HTTP_INTERFACEPORT} ENV RUN_JS_HTTPHTTPS_PORT=${RUN_JS_HTTP_PORT:-$JS_HTTPHTTPS_PORT} ENV RUN_JS_HTTPSJAVA_INTERFACEOPTIONS=${RUN_JS_HTTPSJAVA_INTERFACEOPTIONS:-$JS_HTTPSJAVA_INTERFACEOPTIONS} ENV RUN_JS_HTTPS_PORT=${RUN_JS_HTTPS_PORT} ENV RUN_JS_JAVA_OPTIONS=${RUN_JS_JAVA_OPTIONS:-$JS_JAVA_OPTIONS} COPY --from=js7-pre- COPY --from=js7-pre-image ["/var/sos-berlin.com/js7", "/var/sos-berlin.com/js7"] # INSTALLATION # install process tools, net tools, bash, openjdk # add jobscheduler user account and make it the owner of directories # for JDK < 12, /dev/random does not provide sufficient entropy, see https://kb.sos-berlin.com/x/lIM3 RUN apk update && apk add --no-cache \ --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \ procps \ net-tools \ su-exec \ bash \ shadow \ openjdk8 && \ adduser -u ${JS_USER_ID:-1001} --disabled-password --home /home/jobscheduler --shell /bin/bash jobscheduler jobscheduler && \ chown -R jobscheduler:jobscheduler /var/sos-berlin.com && \ mv /var/sos-berlin.com/js7/entrypoint.sh /usr/local/bin/ && \ mvchmod +x /var/sos-berlin.com/js7/start-controller.sh /usr/local/bin/ && \ chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/start-controllerusr/local/bin/entrypoint.sh && \ sed -i 's/securerandom.source=file:\/dev\/random/securerandom.source=file:\/dev\/urandom/g' /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security # START ENTRYPOINT ["sh", "/license COPY --chown=jobscheduler:jobscheduler js7-license.jar /var/sos-berlin.com/js7/controller/lib/user_lib/ # START ENTRYPOINT ["sh", "/usr/local/bin/entrypoint.sh"] CMD ["/usr/local/var/sos-berlin.com/js7/controller/bin/start-controller.sh", "--id=\"$RUN_JS_ID\"", "--http-port=$RUN_JS_HTTP_INTERFACE:$RUN_JS_HTTP_PORT", "--https-port=$RUN_JS_HTTPS_INTERFACE:$RUN_JS_HTTPS_PORT", "--java-options=\"$RUN_JS_JAVA_OPTIONS\""] |
Explanation:
] |
Explanation:
- The build script implements two stages to exclude installer files from the resulting image.
- Line 3: The base image is the current Alpine image at build-time.
- Line 6 - 7: The release identification is injected by build arguments. This information is used to determine the tarball to be downloaded or copied.
- Line 10 - 11: You can either
- The build script implements two stages to exclude installer files from the resulting image.
- Line 3: The base image is the current Alpine image at build-time.
- Line 6 - 7: The release identification is injected by build arguments. This information is used to determine the tarball to be downloaded or copied.
- Line 10 - 11: You can either download the Controller tarball directly from the SOS web site or you store the tarball with the build directory and copy from this location.
Line 13 - 15: The tarball is extracted. For Unix Controllers no installer is used.
Line 18: The
entrypoint.sh
script is copied from the build directory to the image. Users can apply their own version of the entrypoint script. The start entrypoint script used by SOS looks like this:
Download: entrypoint.shCode Block language bash title Controller Entrypoint Script linenumbers true collapse true #!/bin/sh JSjs_USER_ID=`echo args="" if [ ! "$RUN_JS_USER_ID" | cut -d ':' -f 1` JS_GROUP_ID=`echo = "" ] then js_args="$js_args --id=$RUN_JS_ID" fi if [ ! "$RUN_JS_USER_ID | cut -d ':' -f 2` BUILD_GROUP_ID=`cat /etc/group | grep jobscheduler | cut -d ':' -f 3` BUILD_USER_ID=`cat /etc/passwd | grep jobscheduler | cut -d ':' -f 4` if [ "$(id -u)" = "0" ] then if [ ! "$BUILD_USER_ID" = "$JS_USER_ID" ] then echo "JS7 entrypoint script preparing switch of image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'" usermod -u $JS_USER_ID jobscheduler groupmod -g $JS_GROUP_ID jobscheduler find /var/sos-berlin.com/ -group $BUILD_GROUP_ID -exec chgrp -h jobscheduler {} \; find /var/sos-berlin.com/ -user $BUILD_USER_ID -exec chown -h jobscheduler {} \; fi echo "JS7 entrypoint script switching to user account 'jobscheduler' to run start script" exec su jobscheduler -c "$*" else if [ "$BUILD_USER_ID" = "$JS_USER_ID" ] then if [ "$(id -u)" = "$JS_USER_ID" ] then echo "JS7 entrypoint script running for user id '$(id -u)'" else echo "JS7 entrypoint script running for user id '$(id -u)' cannot switch to user id '$JS_USER_ID', group id '$JS_GROUP_ID'" echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option" fi else echo "JS7 entrypoint script running for user id '$(id -u)' cannot switch image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'" echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option" fi exec sh -c "$*" fi
Line 19: The
start-controller.sh
script is copied from the build directory to the image. Users can apply their own version of the start script. The start script used by SOS looks like this:
Download: start-controller.shCode Block language bash title Controller Start Script linenumbers true collapse true #!/bin/sh js_id="" js_http_port="" js_https_port="" js_java_options="" for option in "$@" do case "$option" in --id=*) js_id=`echo "$option" | sed 's/--id=//'` ;; --http-port=*) js_http_port=`echo "$option" | sed 's/--http-port=//'` ;; --https-port=*) js_https_port=`echo "$option" | sed 's/--https-port=//'` ;; --java-options=*) js_java_options=`echo "$option" | sed 's/--java-options=//'` ;; *) HTTP_PORT" = "" ] && [ ! "$RUN_JS_HTTP_PORT" = ":" ] then js_args="$js_args --http-port=$RUN_JS_HTTP_PORT" fi if [ ! "$RUN_JS_HTTPS_PORT" = "" ] && [ ! "$RUN_JS_HTTPS_PORT" = ":" ] then js_args="$js_args --https-port=$RUN_JS_HTTPS_PORT" fi if [ ! "$RUN_JS_JAVA_OPTIONS" = "" ] then js_args="$js_args --java-options=$RUN_JS_JAVA_OPTIONS" fi JS_USER_ID=`echo $RUN_JS_USER_ID | cut -d ':' -f 1` JS_GROUP_ID=`echo $RUN_JS_USER_ID | cut -d ':' -f 2` BUILD_GROUP_ID=`cat /etc/group | grep jobscheduler | cut -d ':' -f 3` BUILD_USER_ID=`cat /etc/passwd | grep jobscheduler | cut -d ':' -f 4` if [ "$(id -u)" = "0" ] then if [ ! "$BUILD_USER_ID" = "$JS_USER_ID" ] then echo "JS7 entrypoint script switchng ownership of image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'" usermod -u $JS_USER_ID jobscheduler groupmod -g $JS_GROUP_ID jobscheduler find /var/sos-berlin.com/ -group $BUILD_GROUP_ID -exec chgrp -h jobscheduler {} \; find /var/sos-berlin.com/ -user $BUILD_USER_ID -exec chown -h jobscheduler {} \; fi echo "JS7 entrypoint script switching to user account 'jobscheduler' to run start script" echo "JS7 entrypoint script starting Controller: exec su-exec jobscheduler:$JS_GROUP_ID /var/sos-berlin.com/js7/controller/bin/controller.sh start_docker $js_args" exec su-exec jobscheduler:$JS_GROUP_ID /var/sos-berlin.com/js7/controller/bin/controller.sh start_docker $js_args else if [ "$BUILD_USER_ID" = "$JS_USER_ID" ] then if [ "$(id -u)" = "$JS_USER_ID" ] then echo "JS7 entrypoint script running for user id '$(id -u)'" else echo "unknownJS7 argument: $option" entrypoint script running for user id '$(id -u)' cannot switch to user id '$JS_USER_ID', group id '$JS_GROUP_ID'" echo exit"JS7 1 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option" fi else ;; esac done js_args="" if [ ! "$js_http_port" = "" ] && [ ! "$js_http_port" = ":" ] then js_args="$js_args --http-port=$js_http_port" fi if [ ! "$js_https_port" = "" ] && [ ! "$js_https_port" = ":" ] then js_args="$js_args --https-port=$js_https_port" fi if [ ! "$js_java_options" = "" ] then js_args="$js_args --java-options=$js_java_options" fi echo "starting Controller: echo "JS7 entrypoint script running for user id '$(id -u)' cannot switch image user id '$BUILD_USER_ID' -> '$JS_USER_ID', group id '$BUILD_GROUP_ID' -> '$JS_GROUP_ID'" echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option" fi echo "JS7 entrypoint script starting Controller: exec sh -c /var/sos-berlin.com/js7/controller/bin/controller.sh start --id=$js_id_docker $js_args" exec sh -c "/var/sos-berlin.com/js7/controller/bin/controller.sh start --id=$js_id_docker $js_args && tail -f /dev/null" fi
- Line 22: The
config
folder available in the build directory is copied to theconfig
sub-folder in the image. This can be useful to create an image with individual default settings in configuration files, see JS7 - Controller Configuration Items. - Line 35 - 41: Defaults for the Controller ID and user id running the Controller inside the container as well as HTTP and HTTPS ports are provided. These values can be overwritten by providing the respective build arguments.
- Line 44 - 50: Environment variables are provided at run-time, not at build-time. They can be used to specify ports and Java options when running the container.
- Line 59 - 63: The image OS is updated and additional packages are installed (ps, netstat, bash,).
- Line 65: The most recent Java 1.8 package available with Alpine is applied. Controllers can be operated with newer Java releases, however, stick to Oracle, OpenJDK or AdoptOpenJDK as the source for your Java LTS release. Alternatively you can use your own base image and install Java 1.8 or later on top of this.
- Line 66 - 70: The user account
jobscheduler
is created and is assigned the user id and group id handed over by the respective build arguments. This translates to the fact that the account running the Controller inside the container and the account that starts the container are assigned the same user id and group id. This allows the account running the container to access any files created by the Controller in mounted volumes with identical permissions. - Line 71: Java releases < Java 12 make use of
/dev/random
for random number generation. This is a bottleneck as random number generation with this file is blocking. Instead/dev/urandom
should be used that implements non-blocking behavior. The change of the random file is applied to the Java security file. - Line 75-77: The entrypoint script and Controller start script is are executed and is are dynamically parameterized from environment variables that are forwarded when starting the container.
...