Add ecs ready runit-focal and runit-nodejs-focal #224

Open
wants to merge 2 commits into
base: main
59 changes: 59 additions & 0 deletions runit-focal-ecs/Dockerfile
@@ -0,0 +1,59 @@
FROM phusion/baseimage:focal-1.1.0
LABEL maintainer="Socrata 'sysadmin@socrata.com'"

# Default to basic no_proxy list for things that respect it such as set_ark_*
ENV no_proxy localhost,127.0.0.1,169.254.169.254,jenkins
ENV DEBIAN_FRONTEND noninteractive

# Add a user so containers can run things as non root. Not perfect since it is shared across containers,
# but eventually uid namespacing will hopefully fix that.
RUN groupadd -r socrata && useradd -m -r -g socrata socrata

RUN apt-get -y update && \
apt-get -y dist-upgrade; \
apt-get -y install \
build-essential \
locales \
curl \
dnsutils \
python3-jinja2 \
python-is-python3 \
zip \
ruby2.7 \
iproute2
RUN apt-get -y install --no-install-recommends collectd-core && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

RUN gem2.7 install aws-sdk-s3 -v '>= 1.76.0'
RUN gem2.7 install --no-document aws-sdk-resources --pre -v '>= 2.11.562'

# Add shared files from shipyard repo, this is done to keep these files in sync across all images
ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/env_parse /bin/
ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/set_ark_host /bin/
ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/set_ark_hostname /bin/
ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/set_local_dev_hostname /etc/my_init.d/
# Credential management bits
ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/clortho-ecs-safe /etc/my_init.d/clortho-get
# Disable core dumps for CIS benchmark
ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/coredump.conf /etc/systemd/
# Mark these as executable
RUN chmod 755 /bin/env_parse /bin/set_ark_host /bin/set_ark_hostname /etc/my_init.d/set_local_dev_hostname /etc/my_init.d/clortho-get

CMD ["/sbin/my_init"]

# Configure collectd
RUN mkdir -p /etc/collectd/conf.d
COPY collectd.conf /etc/collectd/collectd.conf
COPY sv/collectd-run /etc/service/collectd/run

# Set shutdown env vars to reasonable defaults (5 min)
ENV KILL_ALL_PROCESSES_TIMEOUT 300
ENV KILL_PROCESS_TIMEOUT 300

# Ensure that containers and apps default to UTF-8
RUN locale-gen en_US.UTF-8
ENV LANG en_US.UTF-8

# LABEL must be last for proper base image discoverability
LABEL repository.socrata/runit-focal-ecs=""
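Review bot: the six `ADD https://raw.githubusercontent.com/socrata/shipyard/main/files/...` lines (env_parse through coredump.conf) pull executable scripts, an init-time credential fetcher and a systemd drop-in from a mutable branch at build time, with no commit pin and no checksum, so two builds of this Dockerfile can differ and anyone who can push to shipyard's `main` changes what runs under /sbin/my_init in every image built on this base. Pin the URLs to a commit SHA and verify a known digest after the ADD, or vendor the files into this repo and `COPY` them. Two smaller things in the same hunk: `apt-get -y dist-upgrade; \` ends with `;` rather than `&&`, so a failed upgrade does not fail the build, and because `apt-get clean && rm -rf /var/lib/apt/lists/*` sits in a separate `RUN` from the `apt-get update`, the list files remain in the earlier layer; merge the two `RUN`s into one `&&` chain. The gem installs use floating ranges (`-v '>= 1.76.0'`, and `--pre` on aws-sdk-resources admits prerelease builds), which is the same reproducibility problem; pin exact versions. Finally, `CMD ["/sbin/my_init"]` sits in the middle of the file; it works, since the last CMD wins, but is easier to audit next to the final LABEL, and `build-essential` leaves a full compiler toolchain in what the README describes as the base for service images; consider installing it only where a build step needs it.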
58 changes: 58 additions & 0 deletions runit-focal-ecs/README.md
@@ -0,0 +1,58 @@
socrata/runit-focal:ecs
============

Image based on phusion/baseimage-docker that establises a base set of patterns and tools for building other containers with support for multiple processes via runit.

### Features

- Ubuntu 20.04 LTS. The base system.
- A correct init process (my_init) with
- proper process reaping
- Docker Stop sends SIGTERM to the init process, which stops all processes gracefully on termination.
- runit replaces Ubuntu's Upstart. Used for service supervision and management
- syslog-ng: A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog
- logrotate Rotates and compresses logs on a regular basis.
- SSH server: disabled by default
- cron The cron daemon must be running for cron jobs to work.
- setuser A tool for running a command as another user. Easier to use than su, has a smaller attack vector than sudo, and unlike chpst this tool sets $HOME correctly. Available as /sbin/setuser.

See the usage section below

Inside a docker container, the host’s ip and name are not available. By invoking these scripts, we can make the container aware of its host as necessary. They create the environment variables ARK_HOST and ARK_HOSTNAME.

- env_parse:
A tool for generating config files from [jinja](http://jinja.pocoo.org/) templates and environment variables.

This script lets a service owner build configuration files that are created at run time from environment variables and a template file. The template language is jinja and any template variables must be available as environment variables. env_parse takes one argument, the template, and an optional argument for the output file. If omitted, the output file is identical to the template file name with the trailing .j2 removed.

### Usage

Any container built on top of the socrata/runit-focal image will default to running the whatever services are configured in /etc/service according via runit.

Anything placed in /etc/my_init.d will be run on startup in lexigraphical order before runit is invoked. A non-zero return code from any of these will halt the container.

### Example

Assuming we build an image called awesome_sauce from a Dockerfile like this:

```Dockerfile
FROM socrata/runit-focal

RUN mkdir /etc/service/myservice
COPY myservice-run /etc/service/myservice/run
COPY myservice-log /etc/service/myservice/log/run
```

Where `run` and `log` are runit service definitions where the `run` script looks like:

```bash
#!/bin/sh
exec /sbin/setuser socrata my_binary
```

and the `log` script looks like:

```bash
#!/bin/sh
exec svlogd -tt /var/log/myservice
```
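Review bot: the image name is inconsistent across this PR: the README title says `socrata/runit-focal:ecs`, the example says `FROM socrata/runit-focal`, the Dockerfile label is `repository.socrata/runit-focal-ecs`, and the nodejs image uses `FROM socrata/runit-focal-ecs`; pick one and use it in both the title and the example. The feature list says "runit replaces Ubuntu's Upstart", but Ubuntu 20.04 ships systemd, not Upstart. The host-awareness paragraph ("By invoking these scripts ...") has lost its list heading, so set_ark_host and set_ark_hostname are never named, and "See the usage section below" is a stray line. What the Dockerfile actually adds is not documented here: the `clortho-get` credential script in /etc/my_init.d, the `coredump.conf` drop-in, and a collectd service that ships metrics to a hard-coded collector address; anyone building on this image needs to know those run in every container. Typos: "establises" should be "establishes", "lexigraphical" should be "lexicographical", and "running the whatever services are configured in /etc/service according via runit" should read "running whatever services are configured in /etc/service via runit".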
19 changes: 19 additions & 0 deletions runit-focal-ecs/collectd.conf
@@ -0,0 +1,19 @@
BaseDir "/var/lib/collectd"
PIDFile "/run/collectd.pid"
Interval 60
FQDNLookup false

LoadPlugin logfile
<plugin logfile>
LogLevel info
File stdout
Timestamp true
</plugin>

LoadPlugin network
<plugin network>
Server "172.17.42.1" "25826"
</plugin>

Include "/etc/collectd/conf.d/*.conf"
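Review bot: `Server "172.17.42.1" "25826"` hard-codes the docker0 bridge address that older Docker releases assigned by default; on ECS with the awsvpc network mode, or on any host whose bridge subnet differs, the host agent is not reachable at that address and, because the network plugin sends UDP, metrics are dropped without any error. Render this from an environment variable with the env_parse tool the base image already provides, or at least document the assumption. The same `<Server>` block also sends unsigned, unencrypted datagrams; collectd's network plugin accepts `SecurityLevel`, `Username` and `Password` inside the `<Server>` block if the collector verifies or decrypts metrics. Note too that `File stdout` in the logfile plugin is defeated by the `>/dev/null` redirect in sv/collectd-run, so plugin errors, including a wrong collector address, are never seen.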

2 changes: 2 additions & 0 deletions runit-focal-ecs/sv/collectd-log
@@ -0,0 +1,2 @@
#!/bin/sh
exec svlogd -tt /var/log/collectd
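Review bot: this log script is never installed: the Dockerfile copies only `sv/collectd-run` to /etc/service/collectd/run, there is no `COPY sv/collectd-log /etc/service/collectd/log/run`, and /var/log/collectd is never created, so svlogd would fail at startup even if it were wired in. Either add the COPY and a `mkdir -p /var/log/collectd` to the Dockerfile, or delete this file. It is also of no use while the run script redirects collectd's stdout to /dev/null, since svlogd only captures what the run script writes.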
3 changes: 3 additions & 0 deletions runit-focal-ecs/sv/collectd-run
@@ -0,0 +1,3 @@
#!/bin/sh
sleep 10 # need collectd to start after other processes
exec /usr/sbin/collectd -C /etc/collectd/collectd.conf -f >/dev/null
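Review bot: `exec /usr/sbin/collectd ... >/dev/null` throws away the only log output collectd is configured to produce (the logfile plugin in collectd.conf writes to stdout), so a typo in the config or an unreachable collector yields no diagnostic; drop the redirect and let runit's log service capture it. `sleep 10` is a timing guess rather than a dependency: on a slow or loaded host the other services may still not be up after ten seconds, and on a fast one it delays the first metric for no reason. runit already restarts a run script that exits, so the usual pattern is to let collectd start and retry, or to wait on the specific readiness condition you care about. If the delay is kept, please say in the comment which services it is waiting for.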
17 changes: 17 additions & 0 deletions runit-nodejs-focal/20x-ecs/Dockerfile
@@ -0,0 +1,17 @@
FROM socrata/runit-focal-ecs
MAINTAINER Socrata <sysadmin@socrata.com>

# Add the NodeSource apt repository. Instructions taken from:
# https://github.com/nodesource/distributions/blob/master/README.md#debmanual
ENV NODE_VERSION=node_20.x
RUN mkdir -p /etc/apt/keyrings && \
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/$NODE_VERSION nodistro main" | \
tee /etc/apt/sources.list.d/nodesource.list && \
echo "deb-src [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/$NODE_VERSION nodistro main" | \
tee -a /etc/apt/sources.list.d/nodesource.list
RUN apt-get -y update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y libyajl2 nodejs git

# LABEL must be last for proper base image discoverability
LABEL repository.socrata/runit-nodejs-focal:20x-ecs=""
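Review bot: the NodeSource signing key is fetched with `curl -fsSL ... | gpg --dearmor` and trusted as-is; nothing checks the key's fingerprint, so a compromised mirror or CDN edge could substitute a key and then serve packages signed with it. Commit the dearmored keyring to this repo and COPY it into /etc/apt/keyrings, or compare the downloaded key's fingerprint against a known value before writing it. Also in this hunk: `MAINTAINER` is deprecated in favor of the `LABEL maintainer=` form the parent image already uses; the `deb-src` line is unnecessary for a runtime image; the final apt layer never runs `apt-get clean && rm -rf /var/lib/apt/lists/*` the way the parent does; and `gpg` is required here but the parent's package list does not install gnupg, so this step depends on the base image happening to ship it. `NODE_VERSION=node_20.x` pins only the major version, so each rebuild silently picks up whatever 20.x is current; if that is intended, say so in a comment.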