Page History
...
- The Dockerfile implements two stages to exclude installer files from the resulting image.
- Line 3: The base image is the current Alpine image at build-time.
- Line 6 - 7: The release identification is injected by build arguments. This information is used to determine the tarball to be downloaded or copied.
- Line 10 - 13: Defaults for the user id running the JOC Cockpit inside the container as well as HTTP and HTTPS ports are provided. These values can be overwritten by providing the relevant build arguments.
- Line 16 - 17: Users can either download the JOC Cockpit tarball directly from the SOS web site or store the tarball with the build directory and copy from this location.
Line 20: The tarball integrity is tested.
- Line 23 - 24: The JOC Cockpit Installer Script is downloaded or copied, see JS7 - Unix Shell Installation Script - js7_install_joc.sh
- Line 27: The
config
folder available in the build directory is copied to the appropriateconfig
folder in the image. This can be useful for creating an image with individual settings in configuration files, see the JS7 - JOC Cockpit Configuration Items article for more information.- The
hibernate.cfg.xml
specifies the database connection. This file is not used at build-time. However, it is provided as a sample for run-time configuration. You will find details in the JS7 - Database article. - The default
https-keystore.p12
andhttps-truststore.p12
files are copied that would hold the private key and certificate required for server authentication with HTTPS. By default empty keystore and truststore files are used that users would add their private keys and certificates to at run-time.
- The
- Line 32: A recent Java release is added to the pre-image.
- Line 33: The
jobscheduler
account is created. - Line 35 - 52: The JOC Cockpit Installer Script is executed with arguments performing installation for the
jobscheduler
account. For use of arguments see headless installation of the JOC Cockpit, see JS7 - JOC Cockpit Installation On Premises. In fact a JOC Cockpit installation is performed when building the image - Line 72 - 75: Environment variables are provided at run-time, not at build-time. They can be used to specify ports and Java options when running the container.
Line 81: The
entrypoint.sh
script is copied from the build directory to the image, see next chapter.- Line 82: The
jetty.sh
script is copied from the build directory to the image. This script ships with the Jetty Servlet Container and for on premises installations is available from theJETTY_HOME/bin
directory. Users might have to adjust the script to strip off commands that require root permissions, for examplechown
, and commands that might not be applicable to their container environment, for example use ofsu
. - Line 87 - 93: The image OS is updated and additional packages are installed (ps, netstat, bash, git).
- Line 94: The most recent Java 11 package available with Alpine is applied. JOC Cockpit can be operated with newer Java releases. However, stick to Oracle, OpenJDK or AdoptOpenJDK as the source for your Java LTS release. Alternatively you can use your own base image and install Java on top of this. For details see Which Java versions is JobScheduler available for?
- Line 95: Java releases might make use of
/dev/random
for random number generation. This is a bottleneck as random number generation with this file is blocking. Instead/dev/urandom
should be used that implements non-blocking behavior. The change of the random file is applied to the Java security file. - Line 96: Users might want to disable certain TLS protocol versions or algorithms by applying changes to the Java security file.
- Line 97 - 100: The
jobscheduler
account is created and is assigned the user id handed over by the relevant build argument. This suggests that the account running the JOC Cockpit inside the container and the account that starts the container are assigned the same user id. This allows the account running the container to access any files created by the JOC Cockpit in mounted volumes with identical permissions.- Consider that the account is assigned the
root
group. For environments in which the entrypoint script is executed with an arbitrary non-root user id this allows access to files created by the JOC Cockpit provided to any accounts that are assigned theroot
group. - Accordingly any files owned by the
jobscheduler
account are made accessible to theroot
group with similar user permissions. Read access to/etc/passwd
can be required in such environments. - For details see JS7 - Running Containers for User Accounts.
- Consider that the account is assigned the
- Line 105: The entrypoint script is executed and is dynamically parameterized from environment variables which are forwarded when starting the container.
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
#!/bin/sh #!/bin/bash JETTY_HOME="/opt/sos-berlin.com/js7/joc/jetty" JETTY_BASE="/var/sos-berlin.com/js7/joc" startiniupdate_tojoc_startdproperties() { # update convert oncejoc.properties file: ${JETTY_BASE}/resources/joc/start.ini to joc.properties rc=$(grep -E '^cluster_id' "${JETTY_BASE}/resources/joc/startjoc.dproperties") if [ -dz "${JETTY_BASE}/start.drc}" ]; then echo if [ -f ""updating cluster_id in ${JETTY_BASE}/resources/joc/startjoc.iniproperties" ] && [ -dprintf "${JETTY_cluster_id = joc\n" >> "${JETTY_BASE}/resources/joc/joc.properties" fi rc=$(grep -E '^ordering' "${JETTY_BASE}/resources/joc/joc.properties") if [ -z "${rc}" ] then echo "updating ordering in ${JETTY_BASE}/resources/joc/joc.properties" printf "ordering=$(shuf -i 0-99 -n 1)\n" >> "${JETTY_BASE}/resources/joc/joc.properties" fi } startini_to_startd() { # convert once ${JETTY_BASE}/resources/joc/start.ini to ${JETTY_BASE}/resources/joc/start.d if [ -d "${JETTY_BASE}/start.d" ]; then if [ -f "${JETTY_BASE}/resources/joc/start.ini" ] && [ -d "${JETTY_BASE}/resources/joc/start.d" ]; then echo "convert start.ini to start.d ini files" for file in "${JETTY_BASE}"/resources/joc/start.d/*.ini; do module="$(basename "$file" | cut -d. -f1)" echo "processing module ${module}" while read -r line; do modulevariablekeyprefix="$(echo "${line}" | cut -d. -f1,2)" if [ "${modulevariablekeyprefix}" = "jetty.${module}" ] || [ "${modulevariablekeyprefix}" = "jetty.${module}Context" ]; then modulevariablekey="$(echo "${line}" | cut -d= -f1 | sed 's/\s*$//g')" echo "${line}" sed -i "s;.*${modulevariablekey}\s*=.*;${line};g" "${file}" fi done < "${JETTY_BASE}/resources/joc/start.ini" done mv -f "${JETTY_BASE}/resources/joc/start.ini" "${JETTY_BASE}/resources/joc/start.in~" fi fi } add_start_configuration() { # overwrite ini files in start.d if available from config folder if [ -d "${JETTY_BASE}/start.d" ]; then if [ -d "${JETTY_BASE}/resources/joc/start.d" ]; then for file in "${JETTY_BASE}"/resources/joc/start.d/*.ini; do echo "copy ${file} -> ${JETTY_BASE}/start.d/" cp -f "$file" "${JETTY_BASE}/start.d/" done fi fi } add_jdbc_and_license() { # if license folder not empty then copy js7-license.jar to Jetty's class path if [ -d "${JETTY_BASE}/resources/joc/license" ]; then if [ -f "${JETTY_BASE}/resources/joc/lib/js7-license.jar" ]; then echo "copy ${JETTY_BASE}/resources/joc/lib/js7-license.jar -> ${JETTY_BASE}/lib/ext/joc/" cp -f "${JETTY_BASE}/resources/joc/lib/js7-license.jar" "${JETTY_BASE}/lib/ext/joc/" fi fi # if JDBC driver added then copy to Jetty's class path and move exiting JDBC drivers back to avoid conflicts if [ -d "${JETTY_BASE}/resources/joc/lib" ]; then if [ -n "$(ls "${JETTY_BASE}"/resources/joc/lib/*.jar 2>/dev/null | grep -v "js7-license.jar")" ]; then for file in "${JETTY_BASE}"/lib/ext/joc/*.jar; do if [ "$(basename "$file")" != "js7-license.jar" ]; then echo "move ${file} -> ${JETTY_BASE}/resources/joc/lib/$(basename "$file")~" mv -f "$file" "${JETTY_BASE}/resources/joc/lib/$(basename "$file")~" fi done for file in "${JETTY_BASE}"/resources/joc/lib/*.jar; do echo "copy ${file} -> ${JETTY_BASE}/lib/ext/joc/" cp -f "$file" "${JETTY_BASE}/lib/ext/joc/" done fi fi } add_custom_logo() { # if image folder in the configuration directory is not empty then images are copied to the installation directory if [ -d "${JETTY_BASE}"/resources/joc/image ];then mkdir -p "${JETTY_BASE}/webapps/root/ext/images" echo "copy ${JETTY_BASE}/resources/joc/image/* -> ${JETTY_BASE}/webapps/root/ext/images/" cp "${JETTY_BASE}"/resources/joc/image/* "${JETTY_BASE}/webapps/root/ext/images/" fi } patch_jars() { if [ -d "${JETTY_BASE}"/resources/joc/patches ]; then # "extract patch files if exist" ls "${JETTY_BASE}"/resources/joc/patches/*.jar 2>/dev/null if [ -n "$(ls "${JETTY_BASE}"/resources/joc/patches/*.jar 2>/dev/null)" ]; then if [ -d "${JETTY_BASE}/webapps/joc/WEB-INF/classes" ]; then cd "${JETTY_BASE}/webapps/joc/WEB-INF/classes" > /dev/null || exit for file in "${JETTY_BASE}"/resources/joc/patches/*.jar; do echo "extract ${file} -> ${JETTY_BASE}/webapps/joc/WEB-INF/classes" unzip -o "${file}" done cd - > /dev/null || exit fi fi fi } # create Jetty start script echo "#!/bin/sh" > "${JETTY_BASE}"/start-joc.sh echo "/opt/sos-berlin.com/js7/joc/jetty/bin/jetty.sh start && tail -f /dev/null" >> "${JETTY_BASE}"/start-joc.sh chmod +x "${JETTY_BASE}"/start-joc.sh_BASE}"/start-joc.sh # update joc.properties file update_joc_properties # start.ini_to_startd add_start_configuration # copy custom logo add_custom_logo if [ -n "${RUN_JS_HTTP_PORT}" ] then if [ -f "${JETTY_BASE}/start.d/http.in~" ] && [ ! -f "${JETTY_BASE}/start.d/http.ini" ]; then # enable http access in start.d directory mv "${JETTY_BASE}/start.d/http.in~" "${JETTY_BASE}/start.d/http.ini" fi if [ -f "${JETTY_BASE}/start.d/http.ini" ]; then # set port for http access in start.d directory sed -i "s/.*jetty.http.port\s*=.*/jetty.http.port=$RUN_JS_HTTP_PORT/g" "${JETTY_BASE}/start.d/http.ini" fi else if [ -f "${JETTY_BASE}/start.d/http.ini" ]; then # disable http access in start.d directory mv -f "${JETTY_BASE}/start.d/http.ini" "${JETTY_BASE}/start.d/http.in~" fi fi if [ -n "${RUN_JS_HTTPS_PORT}" ] then if [ -f "${JETTY_BASE}/start.d/https.in~" ] && [ ! -f "${JETTY_BASE}/start.d/https.ini" ]; then # enable https access in start.d directory mv "${JETTY_BASE}/start.d/https.in~" "${JETTY_BASE}/start.d/https.ini" fi if [ -f "${JETTY_BASE}/start.d/ssl.in~" ] && [ ! -f "${JETTY_BASE}/start.d/ssl.ini" ]; then # enable https access in start.d directory mv "${JETTY_BASE}/start.d/ssl.in~" "${JETTY_BASE}/start.d/ssl.ini" fi if [ -f "${JETTY_BASE}/start.d/ssl.ini" ]; then # set port for https access in start.d directory sed -i "s/.*jetty.ssl.port\s*=.*/jetty.ssl.port=${RUN_JS_HTTPS_PORT}/g" "${JETTY_BASE}/start.d/ssl.ini" fi else if [ -f "${JETTY_BASE}/start.d/https.ini" ]; then # disable https access in start.d directory mv -f "${JETTY_BASE}/start.d/https.ini" "${JETTY_BASE}/start.d/https.in~" fi if [ -f "${JETTY_BASE}/start.d/ssl.ini" ]; then # disable https access in start.d directory mv -f "${JETTY_BASE}/start.d/ssl.ini" "${JETTY_BASE}/start.d/ssl.in~" fi fi if [ -n "${RUN_JS_JAVA_OPTIONS}" ] then export JAVA_OPTIONS="${JAVA_OPTIONS} ${RUN_JS_JAVA_OPTIONS}" fi JS_USER_ID=$(echo "${RUN_JS_USER_ID}" | cut -d ':' -f 1) JS_GROUP_ID=$(echo "${RUN_JS_USER_ID}" | cut -d ':' -f 2) JS_USER_ID=${JS_USER_ID:-$(id -u)} JS_GROUP_ID=${JS_GROUP_ID:-$(id -g)} BUILD_GROUP_ID=$(cat /etc/group | grep jobscheduler | cut -d ':' -f 3) BUILD_USER_ID=$(cat /etc/passwd | grep jobscheduler | cut -d ':' -f 4) add_jdbc_and_license patch_jars if [ "$(id -u)" = "0" ] then if [ ! "${BUILD_USER_ID}" = "${JS_USER_ID}" ] then echo "JS7 entrypoint script switching ownership of image user id '${BUILD_USER_ID}' -> '${JS_USER_ID}'" usermod -u "${JS_USER_ID}" jobscheduler find /var/sos-berlin.com/ -user "${BUILD_USER_ID}" -exec chown -h jobscheduler {} \; find /var/log/sos-berlin.com/ -user/sos-berlin.com/ -user "${BUILD_USER_ID}" -exec chown -h jobscheduler {} \; fi if [ ! "${BUILD_GROUP_ID}" = "${JS_GROUP_ID}" ] then if grep -q "${BUILDJS_USERGROUP_ID}" -exec chown -h jobscheduler {} \; fi if [ !/etc/group then groupmod -g "${BUILDJS_GROUP_ID}" = " jobscheduler else addgroup -g ${JS_GROUP_ID}" -S ]jobscheduler then fi echo "JS7 entrypoint script switching ownership of image group id '${BUILD_GROUP_ID}' -> '${JS_GROUP_ID}'" groupmod -g "${JS_GROUP_ID}" jobscheduler find /var/sos-berlin.com/ -group "${BUILD_GROUP_ID}" -exec chgrp -h jobscheduler {} \; find /var/log/sos-berlin.com/ -group "${BUILD_GROUP_ID}" -exec chgrp -h jobscheduler {} \; fi echo "JS7 entrypoint script switching to user account 'jobscheduler' to run start script" echo "JS7 entrypoint script starting JOC Cockpit: exec su-exec ${JS_USER_ID}:${JS_GROUP_ID} /opt/sos-berlin.com/js7/joc/jetty/bin/jetty.sh start" exec su-exec "${JS_USER_ID}":"${JS_GROUP_ID}" "${JETTY_BASE}"/start-joc.sh else if [ "${BUILD_USER_ID}" = "${JS_USER_ID}" ] then if [ "$(id -u)" = "${JS_USER_ID}" ] then echo "JS7 entrypoint script running for user id '$(id -u)'" else echo "JS7 entrypoint script running for user id '$(id -u)' using user id '${JS_USER_ID}', group id '${JS_GROUP_ID}'" echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option" fi else echo "JS7 entrypoint script running for user id '$(id -u)', image user id '${BUILD_USER_ID}' -> '${JS_USER_ID}', image group id '${BUILD_GROUP_ID}' -> '${JS_GROUP_ID}'" fi echo "JS7 entrypoint script starting JOC Cockpit: exec sh -c /opt/sos-berlin.com/js7/joc/jetty/bin/jetty.sh start" exec sh -c "${JETTY_BASE}/start-joc.sh" fi |
...
Overview
Content Tools