github.com/tiredofit/docker-alpine
About
Dockerfile to build an alpine linux container image.
- Currently tracking 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18 , 3.19 and edge.
- s6 overlay enabled for PID 1 init capabilities.
- zabbix-agent (Classic and Modern) for individual container monitoring.
- Scheduling via cron with other helpful tools (bash, curl, less, logrotate, nano, vi) for easier management.
- Messaging ability via MSMTP enabled to send mail from container to external SMTP server.
- Firewall included with capabilities of monitoring logs to block remote hosts via Fail2ban
- Logshipping capabilities to remote log analysis servers via Fluent-Bit
- Ability to update User ID and Group ID permissions dynamically.
Maintainer
Table of Contents
- About
- Maintainer
- Table of Contents
- Prerequisites and Assumptions
- Installation
- Configuration
- Developing / Overriding
- Debug Mode
- Maintenance
- Support
- License
Prerequisites and Assumptions
No prerequisites required
Installation
Build from Source
Clone this repository and build the image with docker build <arguments> (imagename) .
Prebuilt Images
Builds of the image are available on Docker Hub
docker pull docker.io/tiredofdit/alpine:(imagetag)
Builds of the image are also available on the Github Container Registry
docker pull ghcr.io/tiredofit/docker-alpine:(imagetag)
The following image tags are available along with their tagged release based on what's written in the Changelog:
Alpine version | Tag |
---|---|
edge |
:edge |
3.19 |
:3.19 |
3.18 |
:3.18 |
3.17 |
:3.17 |
3.16 |
:3.16 |
3.15 |
:3.15 |
3.14 |
:3.14 |
3.13 |
:3.13 |
3.12 |
:3.12 |
3.11 |
:3.11 |
3.10 |
:3.10 |
3.9 |
:3.9 |
3.8 |
:3.8 |
3.7 |
:3.7 |
3.6 |
:3.6 |
3.5 |
:3.5 |
Multi Architecture
Images are built primarily for amd64
architecture, and may also include builds for arm/v7
, arm64
and others. These variants are all unsupported. Consider sponsoring my work so that I can work with various hardware. To see if this image supports multiple architecures, type docker manifest (image):(tag)
Configuration
Quick Start
Utilize this image as a base for further builds. Please visit the s6 overlay repository for instructions on how to enable the S6 init system when using this base or look at some of my other images which use this as a base.
Persistent Storage
The following directories are used for configuration and can be mapped for persistent storage.
Directory | Description |
---|---|
/etc/fluent-bit/conf.d/ |
Fluent-Bit custom configuration directory |
/etc/fluent-bit/parsers.d/ |
Fluent-Bit custom parsers directory |
/etc/zabbix/zabbix_agentd.conf.d/ |
Zabbix Agent configuration directory |
/etc/fail2ban/filter.d |
Custom Fail2ban Filter configuration |
/etc/fail2ban/jail.d |
Custom Fail2ban Jail configuration |
/var/log |
Container, Cron, Zabbix, other log files |
/assets/cron |
Drop custom crontabs here |
/assets/iptables |
Drop custom IPTables rules here |
Environment Variables
Below is the complete list of available options that can be used to customize your installation.
Variables showing an 'x' under the _FILE
column can be used for storing the information inside of a file, useful for secrets.
Container Options
Parameter | Description | Default |
---|---|---|
CONAINER_ENABLE_LOG_TIMESTAMP |
Prefix this images container logs with timestamp | TRUE |
CONTAINER_COLORIZE_OUTPUT |
Enable/Disable colorized console output | TRUE |
CONTAINER_CUSTOM_BASH_PROMPT |
If you wish to set a different bash prompt then '(imagename):(version) HH:MM:SS # ' | |
CONTAINER_CUSTOM_PATH |
Used for adding custom files into the image upon startup | /assets/custom |
CONTAINER_CUSTOM_SCRIPTS_PATH |
Used for adding custom scripts to execute upon startup | /assets/custom-scripts |
CONTAINER_ENABLE_PROCESS_COUNTER |
Show how many times process has executed in console log | TRUE |
CONTAINER_LOG_LEVEL |
Control level of output of container INFO , WARN , NOTICE , DEBUG |
NOTICE |
CONTAINER_LOG_PREFIX_TIME_FMT |
Timestamp Time Format | %H:%M:%S |
CONTAINER_LOG_PREFIX_DATE_FMT |
Timestamp Date Format | %Y-%m-%d |
CONTAINER_LOG_PREFIX_SEPERATOR |
Timestamp seperator | - |
CONTAINER_LOG_FILE_LEVEL |
Control level of output of container INFO , WARN , NOTICE , DEBUG |
DEBUG |
CONTAINER_LOG_FILE_NAME |
Internal Container Logs filename | /var/log/container/container.log |
CONTAINER_LOG_FILE_PATH |
Path where to find the internal container logs | /var/log/container/ |
CONTAINER_LOG_FILE_PREFIX_TIME_FMT |
Timestamp Time Format | %H:%M:%S |
CONTAINER_LOG_FILE_PREFIX_DATE_FMT |
Timestamp Date Format | %Y-%m-%d |
CONTAINER_LOG_FILE_PREFIX_SEPERATOR |
Timestamp seperator | - |
CONTAINER_NAME |
Used for setting entries in Monnitoring and Log Shipping | (hostname) |
CONTAINER_POST_INIT_COMMAND |
If you wish to execute a command in the container after all services have initialized enter it here. Seperate multiple by commas | |
CONTAINER_POST_INIT_SCRIPT |
If you wish to execute a script in the container after all services have initialized enter the path here. Seperate multiple by commas | |
TIMEZONE |
Set Timezone | Etc/GMT |
Scheduling Options
The image has capability of executing tasks at differnt times of the day. It follows the cron syntax. Presently this image only supports the busybox cron however can be extended to other scheduling backends with little effort.
Parameter | Description | Default |
---|---|---|
CONTAINER_ENABLE_SCHEDULING |
Enable Scheduled Tasks | TRUE |
CONTAINR_SCHEDULING_BACKEND |
What scheduling tool to use cron |
cron |
CONTAINER_SCHEDULING_LOCATION |
Where to read task files | /assets/cron/ |
SCHEDULING_LOG_TYPE |
Log Type FILE |
FILE |
SCHEDULING_LOG_LOCATION |
Log File Location | /var/log/cron/ |
SCHEDULING_LOG_LEVEL |
Log Level 1 (loud) to 8 (quiet) |
6 |
Cron Options
There are two ways to add jobs to be triggered via cron. One is to drop files into /assets/cron/
which will be parsed upon container startup, or to set environment variables.
Parameter | Description | Default |
---|---|---|
CRON_* |
Name of the job value of the time and output to be run | `` |
Example: CRON_HELLO="* * * * * echo 'hello' > /tmp/hello.log
Since you can't really disable environment variables in Docker if they are baked into parent Docker images, you can override a baked in Cron command with your own values, or to disable it entirely set the value to FALSE
eg CRON_HELLO=FALSE
.
Messaging Options
If you wish to send mail, set CONTAINER_ENABLE_MESSAGING=TRUE
and configure the following environment variables. Presently we only support one backend, but more can be added with little effort.
Parameter | Description | Default |
---|---|---|
CONTAINER_ENABLE_MESSAGING |
Enable Messaging services like SMTP | TRUE |
CONTAINER_MESSAGING_BACKEND |
Messaging Backend - presently only msmtp |
msmtp |
MSMTP Options
See the MSMTP Configuration Options for further information on options to configure MSMTP.
Parameter | Description | Default | _FILE |
---|---|---|---|
SMTP_AUTO_FROM |
Add setting to support sending through Gmail SMTP | FALSE |
|
SMTP_HOST |
Hostname of SMTP Server | postfix-relay |
x |
SMTP_PORT |
Port of SMTP Server | 25 |
x |
SMTP_DOMAIN |
HELO Domain | docker |
|
SMTP_MAILDOMAIN |
Mail Domain From | local |
|
SMTP_AUTHENTICATION |
SMTP Authentication | none |
|
SMTP_USER |
SMTP Username | `` | x |
SMTP_PASS |
SMTP Password | `` | x |
SMTP_TLS |
Use TLS | FALSE |
|
SMTP_STARTTLS |
Start TLS from within session | FALSE |
|
SMTP_TLSCERTCHECK |
Check remote certificate | FALSE |
|
SMTP_ALLOW_FROM_OVERRIDE |
SMTP Allow From Override | `` |
See The Official Zabbix Agent Documentation for information about the following Zabbix values.
Monitoring Options
This image includes the capability of using agents inside the image to monitor metrics from applications. Presently at this time it only supports Zabbix as a monitoring platform, however is extendable to other platforms with little effort.
Parameter | Description | Default |
---|---|---|
CONTAINER_ENABLE_MONITORING |
Enable Monitoring of applications or metrics | TRUE |
CONTAINR_MONITORING_BACKEND |
What monitoring agent to use zabbix |
zabbix |
Zabbix Options
This image comes with Zabbix Agent 1 (Classic or C compiled) and Zabbix Agent 2 (Modern, or Go compiled). See which variables work for each version and make your agent choice. Drop files in /etc/zabbix/zabbix_agentd.conf.d
to setup your metrics. The environment variables below only affect the system end of the configuration. If you wish to use your own system configuration without these variables, change ZABBIX_SETUP_TYPE
to MANUAL
Parameter | Description | Default | 1 | 2 | _FILE |
---|---|---|---|---|---|
ZABBIX_SETUP_TYPE |
Automatically generate configuration based on these variables AUTO or MANUAL |
AUTO |
x | x | |
ZABBIX_AGENT_TYPE |
Which version of Zabbix Agent to load 1 or 2 |
1 | N/A | N/A | |
ZABBIX_AGENT_LOG_PATH |
Log File Path | /var/log/zabbix/agent/ |
x | x | |
ZABBIX_AGENT_LOG_FILE |
Logfile name | zabbix_agentd.log |
x | x | |
ZABBIX_CERT_PATH |
Zabbix Certificates Path | /etc/zabbix/certs/ |
x | x | |
ZABBIX_ENABLE_AUTOREGISTRATION |
Use internal routine for Agent autoregistration based on config files with # Autoregister tag | TRUE |
x | x | |
ZABBIX_ENABLE_AUTOREGISTRATION_DNS |
Register with DNS name instead of IP Address when autoregistering | TRUE |
x | x | |
ZABBIX_AUTOREGISTRATION_DNS_NAME |
(optional) DNS Name to provide for auto register. Uses CONTAINER_NAME as default |
$CONTAINER_NAME |
x | x | |
ZABBIX_AUTOREGISTRATION_DNS_SUFFIX |
If you want to append something after the generated DNS Name | `` | x | x | |
ZABBIX_ENCRYPT_PSK_ID |
Zabbix Encryption PSK ID | `` | x | x | x |
ZABBIX_ENCRYPT_PSK_KEY |
Zabbix Encryption PSK Key | `` | x | x | x |
ZABBIX_ENCRYPT_PSK_FILE |
Zabbix Encryption PSK File (If not using above env var) | `` | x | x | |
ZABBIX_LOG_FILE_SIZE |
Logfile size | 0 |
x | x | |
ZABBIX_DEBUGLEVEL |
Debug level | 1 |
x | x | |
ZABBIX_REMOTECOMMANDS_ALLOW |
Enable remote commands | * |
x | x | |
ZABBIX_REMOTECOMMANDS_DENY |
Deny remote commands | `` | x | x | |
ZABBIX_REMOTECOMMANDS_LOG |
Enable remote commands Log (0 /1 ) |
1 |
x | `` | |
ZABBIX_SERVER |
Allow connections from Zabbix server IP | 0.0.0.0/0 |
x | x | |
ZABBIX_STATUS_PORT |
Agent will listen to this port for status requests (http://localhost:port/status) | 10050 |
`` | x | |
ZABBIX_LISTEN_PORT |
Zabbix Agent listening port | 10050 |
x | x | |
ZABBIX_LISTEN_IP |
Zabbix Agent listening IP | 0.0.0.0 |
x | x | |
ZABBIX_START_AGENTS |
How many Zabbix Agents to start | 1 |
x | `` | |
ZABBIX_SERVER_ACTIVE |
Server for active checks | zabbix-proxy |
x | x | x |
ZABBIX_HOSTNAME |
Container hostname to report to server | $CONTAINER_NAME |
x | x | |
ZABBIX_REFRESH_ACTIVE_CHECKS |
Seconds to refresh Active Checks | 120 |
x | x | |
ZABBIX_BUFFER_SEND |
Buffer Send | 5 |
x | x | |
ZABBIX_BUFFER_SIZE |
Buffer Size | 100 |
x | x | |
ZABBIX_MAXLINES_SECOND |
Max Lines Per Second | 20 |
x | `` | |
ZABBIX_SOCKET |
Socket for communicating | /tmp/zabbix.sock |
`` | x | |
ZABBIX_ALLOW_ROOT |
Allow running as root | 1 |
x | `` | |
ZABBIX_USER |
User to start agent | zabbix |
x | x | |
ZABBIX_USER_SUDO |
Allow Zabbix user to utilize sudo commands | TRUE |
x | x |
This image supports autoregistering configuration as an Active Agent to a Zabbix Proxy or a Server. It looks in /etc/zabbix_agent.conf.d/*.conf
for the string # Autoregister=
and takes these values and adds it to the HostMetadata
configuration entry automatically wrapped around :
eg :application:
. Use it by creating an Auto register rule and search for that string. You can find server templates in this repository in the [zabbix_templates](zabbix_templates/)
directory.
Logging Options
This is work in progress for a larger logging solution. Presently there is functionality to rotate logs on a daily basis, however as this section matures there will be the capability to also ship the logs to an external data warehouse like Loki, or Elastic Search. At present Log shipping is only supported by fluent-bit
and x86_64 only.
Parameter | Description | Default |
---|---|---|
CONTAINER_ENABLE_LOGROTATE |
Enable Logrotate (if scheduling enabled) | TRUE |
CONTAINER_ENABLE_LOGSHIPPING |
Enable Log Shipping | FALSE |
CONTAINER_LOGSHIPPING_BACKEND |
Log shipping backend fluent-bit |
fluent-bit |
LOGROTATE_COMPRESSION_TYPE |
Logfile compression algorithm NONE BZIP2 GZIP ZSTD |
ZSTD |
LOGROTATE_COMPRESSION_VALUE |
What level of compression to use | 8 |
LOGROTATE_COMPRESSION_EXTRA_PARAMETERS |
Pass extra parameters to the compression command (optional) | |
LOGROTATE_RETAIN_DAYS |
Rotate and retain logs for x days | 7 |
Log Shipping Parsing
You can set an environment variable to start shipping a log without any other configuration. Create a variable starting with LOGSHIP_<name>
with the value of the location of the log files. You can also use this to null an existing configuration by setting the value of FALSE
.
Example: LOGSHIP_NGINX=/var/log/nginx/*.log
will create and tag all log files from that directory as to be coming from CONTAINER_NAME
and from nginx
. Note, it does not allow for custom parsing, so will simply parse the log entry as is.
If LOGSHIPPING_AUTO_CONFIG_LOGROTATE
set to true, you can define what parser the configuration file should use. Make sure you have the appropriate .conf
parsers in /etc/fluent-bit/parsers.d/
Create a line in the logrotate.d/<file>
that looks like # logship: <parser>
. Multiple parsers can be added by seperating via commas. Alternatively, if you wanted to skip a certain logfile from being parsed by the log shipper, use the value "SKIP".
Parameter | Description | Default |
---|---|---|
LOGSHIPPING_AUTO_CONFIG_LOGROTATE |
Automatically configure log shipping for files that are listed in /etc/logrotate.d |
TRUE |
Fluent-Bit Options
Drop files in /etc/fluent-bit/conf.d
to setup your inputs and outputs. The environment variables below only affect the system end of the configuration. If you wish to use your own system configuration without these variables, change FLUENTBIT_SETUP_TYPE
to MANUAL
. Container will attempt to automatically create configuration to send to a destination, or can also be set to act as a receiver from other fluent-bit hosts and forward data to a remote log analysis service.
Parameter | Description | Default | _FILE |
---|---|---|---|
FLUENTBIT_CONFIG_PARSERS |
Parsers config file name | parsers.conf |
|
FLUENTBIT_CONFIG_PLUGINS |
Plugins config file name | plugins.conf |
|
FLUENTBIT_ENABLE_HTTP_SERVER |
Embedded HTTP Server for metrics TRUE / FALSE |
TRUE |
|
FLUENTBIT_ENABLE_STORAGE_METRICS |
Public storage pipeline metrics in /api/v1/storage | TRUE |
|
FLUENTBIT_FLUSH_SECONDS |
Wait time to flush records in seconds | 1 |
|
FLUENTBIT_FORWARD_BUFFER_CHUNK_SIZE |
Buffer Chunk Size | 32KB |
|
FLUENTBIT_FORWARD_BUFFER_MAX_SIZE |
Buffer Maximum Size | 64KB |
|
FLUENTBIT_FORWARD_PORT |
What port when using PROXY (listen) mode or FORWARD (client) output |
24224 |
|
FLUENTBIT_GRACE_SECONDS |
Wait time before exit in seconds | 1 |
|
FLUENTBIT_HTTP_LISTEN_IP |
HTTP Listen IP | 0.0.0.0 |
|
FLUENTBIT_HTTP_LISTEN_PORT |
HTTP Listening Port | 2020 |
|
FLUENTBIT_LOG_FILE |
Log File | fluentbit.log |
|
FLUENTBIT_LOG_LEVEL |
Log Level info warn error debug trace |
info |
|
FLUENTBIT_LOG_PATH |
Log Path | /var/log/fluentbit/ |
|
FLUENTBIT_MODE |
Type of operation - Client NORMAL or Proxy PROXY |
NORMAL |
|
FLUENTBIT_OUTPUT_FORWARD_HOST |
Where to forward Fluent-Bit data to | fluent-proxy |
x |
FLUENTBIT_OUTPUT_FORWARD_TLS_VERIFY |
Verify certificates when using TLS | FALSE |
|
FLUENTBIT_OUTPUT_FORWARD_TLS |
Enable TLS when forwading | FALSE |
|
FLUENTBIT_OUTPUT_LOKI_COMPRESS_GZIP |
Enable GZIP compression when sending to loki host | TRUE |
|
FLUENTBIT_OUTPUT_LOKI_HOST |
Host for Loki Output | loki |
x |
FLUENTBIT_OUTPUT_LOKI_PORT |
Port for Loki Output | 3100 |
x |
FLUENTBIT_OUTPUT_LOKI_TLS |
Enable TLS For Loki Output | FALSE |
|
FLUENTBIT_OUTPUT_LOKI_TLS_VERIFY |
Enable TLS Certificate Verification For Loki Output | FALSE |
|
FLUENTBIT_OUTPUT_LOKI_USER |
(optional) Username to authenticate to Loki Server | `` | x |
FLUENTBIT_OUTPUT_LOKI_PASS |
(optional) Password to authenticate to Loki Server | `` | x |
FLUENTBIT_OUTPUT_TENANT_ID |
(optional) Tenant ID to pass to Loki Server | `` | x |
FLUENTBIT_OUTPUT |
Output plugin to use LOKI , FORWARD , NULL |
FORWARD |
|
FLUENTBIT_TAIL_BUFFER_CHUNK_SIZE |
Buffer Chunk Size for Tail | 32k |
|
FLUENTBIT_TAIL_BUFFER_MAX_SIZE |
Maximum size for Tail | 32k |
|
FLUENTBIT_TAIL_READ_FROM_HEAD |
Read from Head instead of Tail | FALSE |
|
FLUENTBIT_TAIL_SKIP_EMPTY_LINES |
Skip Empty Lines when Tailing | TRUE |
|
FLUENTBIT_TAIL_SKIP_LONG_LINES |
Skip Long Lines when Tailing | TRUE |
|
FLUENTBIT_TAIL_DB_ENABLE |
Enable Offset DB per tracked file (will be same name as log file yet hidden and a suffix of db |
TRUE |
|
FLUENTBIT_TAIL_DB_SYNC |
DB Sync Type normal or full |
normal |
|
FLUENTBIT_TAIL_DB_LOCK |
Lock access to DB File | TRUE |
|
FLUENTBIT_TAIL_DB_JOURNAL_MODE |
Journal Mode for DB WAL DELETE TRUNCATE PERSIST MEMORY OFF |
WAL |
|
FLUENTBIT_TAIL_KEY_PATH_ENABLE |
Enable sending Key for Log Filename/Path | TRUE |
|
FLUENTBIT_TAIL_KEY_PATH |
Path Key Name | filename |
|
FLUENTBIT_TAIL_KEY_OFFSET_ENABLE |
Enable sending Key for Offset in Log file | FALSE |
|
FLUENTBIT_TAIL_KEY_OFFSET |
Offset Path Key Name | offset |
|
FLUENTBIT_SETUP_TYPE |
Automatically generate configuration based on these variables AUTO or MANUAL |
AUTO |
|
FLUENTBIT_STORAGE_BACKLOG_LIMIT |
Maximum about of memory to use for backlogged/unsent records | 5M |
|
FLUENTBIT_STORAGE_CHECKSUM |
Create CRC32 checkcum for filesystem RW functions | FALSE |
|
FLUENTBIT_STORAGE_PATH |
Absolute file system path to store filesystem data buffers | /tmp/fluentbit/storage |
|
FLUENTBIT_STORAGE_SYNC |
Synchronization mode to store data in filesystem normal or full |
normal |
Firewall Options|
Included when proper capabilities are set on image is the capability to set up detailed block / allow rules via a firewall on container start. Presently only iptables
is supported.
You must use run your containers with the following capabilities added: NET_ADMIN
, NET_RAW
Parameter | Description | Default |
---|---|---|
CONTAINER_ENABLE_FIREWALL |
Enable Firewall Functionality | FALSE |
CONTAINER_FIREWALL_BACKEND |
What Firewall backend to use iptables |
iptables |
FIREWALL_RULE_00 |
Firewall rule to execute | |
FIREWALL_RULE_01 |
Next firewall rule to execute |
One can use the FIREWALL_RULE_XX
environment variables to pass rules to the firewall. In this example I am going to block someone from being able to access a port except if from a specific IP address:
FIREWALL_RULE_00=-I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 389 -j ACCEPT
FIREWALL_RULE_01=-I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 389 -j DROP
IPTables Options
Instead of relying on environment variables one can put a iptables-restore
compatible ruleset below and it will be imported on container start.
Parameter | Description | Default |
---|---|---|
IPTABLES_RULES_PATH |
Path for IPTables Rules | /assets/iptables/ |
IPTABLES_RULES_FILE |
IPTables Rules File to restore if exists on container start | iptables.rules |
Fail2Ban Options
The container also has the capability should CONTAINER_ENABLE_FIREWALL=TRUE
be enabled to launch Fail2ban, a process which watches logs for patterns and then blocks the remote host from connecting for a period of time.
Drop your custom jail configs as *.conf files in /etc/fail2ban/jail.d/
and filters in /etc/fail2ban/filter.d
for them to be parsed at startup. Note the startup delay environment variable to avoid the process failing if no log files exist from a fresh install.
Parameter | Description | Default |
---|---|---|
CONTAINER_ENABLE_FAIL2BAN |
Enable Firewall Functionality | FALSE |
FAIL2BAN_BACKEND |
Backend | AUTO |
FAIL2BAN_CONFIG_PATH |
Fail2ban Configuration Path | /etc/fail2ban/ |
FAIL2BAN_DB_FILE |
Persistent Database File | fail2ban.sqlite3 |
FAIL2BAN_DB_PATH |
Persistent Database Path | /data/fail2ban/ |
FAIL2BAN_DB_PURGE_AGE |
Purge entries after how many seconds | 86400 |
FAIL2BAN_DB_TYPE |
DB Type NONE , MEMORY , FILE |
MEMORY |
FAIL2BAN_IGNORE_IP |
Ignore these IPs or Ranges space seperated | 127.0.0.1/8 ::1 172.16.0.0/12 192.168.0.0/24 |
FAIL2BAN_IGNORE_SELF |
Ignroe Self TRUE FALSE |
TRUE |
FAIL2BAN_LOG_PATH |
Fail2ban Log Path | /var/log/fail2ban/ |
FAIL2BAN_LOG_FILE |
Fail2ban Log File | fail2ban.log |
FAIL2BAN_LOG_LEVEL |
Log Level CRITICAL ERROR WARNING NOTICE INFO DEBUG |
INFO |
FAIL2BAN_LOG_TYPE |
Log to FILE or CONSOLE |
FILE |
FAIL2BAN_MAX_RETRY |
Max times to find pattern in log over FAIL2BAN_TIME_FIND |
5 |
FAIL2BAN_STARTUP_DELAY |
Startup Delay to give a chance for monitored logs to exist or have data in seconds | 15 |
FAIL2BAN_TIME_BAN |
Length of time to ban in default | 10m |
FAIL2BAN_TIME_FIND |
Window to base pattern matches against | 10m |
FAIL2BAN_USE_DNS |
USE DNS for lookups yes warn no raw |
warn |
Permissions
If you wish to change the internal id for users and groups you can set environment variables to do so.
e.g. If you add USER_NGINX=1000
it will reset the containers nginx
user id from 82
to 1000
-
If you enable DEBUG_PERMISSIONS=TRUE
all the users and groups have been modified in accordance with
environment variables will be displayed in output.
Hint, also change the Group ID to your local development users UID & GID and avoid Docker permission issues when developing.
Parameter | Description |
---|---|
CONTAINER_USER_<USERNAME> |
The user's UID in /etc/passwd will be modified with new UID |
CONTAINER_GROUP_<GROUPNAME> |
The group's GID in /etc/group and /etc/passwd will be modified with new GID |
CONTAINER_GROUP_ADD_<GROUPNAME> |
The username will be added in /etc/group after the group name defined |
Process Watchdog
This is experimental functionality to call an external script before a process is executed.
Sample use cases:
- Alert slack channel when process has executed more than once
- Disable process from executing further if restarted 50 times
- Write to an additional log file..
- Change a file to display "Under Maintenance" on a webserver if this process isn't supposed to be run more than 1 time.
It will pass 5 arguments to a bash script titled the same name as the executing script or if not found, use the default CONTAINER_PROCESS_HELPER_SCRIPT
below. Drop your files into the CONTAINER_PROCESS_HELPER_PATH
.
For example, if 04-scheduling
was starting, it would look for $CONTAINER_PROCESS_HELPER_PATH/04-scheduling
and if found execute it while passing the following arguments: DATE,TIME,SCRIPT_NAME,TIMES EXECUTED,HOSTNAME
e.g: 2021-07-01 23:01:04 04-scheduling 2 container
Use the values in your own bash script using the $1
$2
$3
$4
$5
syntax.
Change time and date and settings with these environment variables
Parameter | Description | Default |
---|---|---|
CONTAINER_PROCESS_HELPER_PATH |
Path to file external helper scripts | /assets/container/processhelper/ |
CONTAINER_PROCESS_HELPER_SCRIPT |
Default helper script name | processhelper.sh |
CONTAINER_PROCESS_HELPER_DATE_FMT |
Date format passed to external script | %Y-%m-%d |
CONTAINER_PROCESS_HELPER_TIME_FMT |
Time format passed to external script | %H:%M:%S |
CONTAINER_PROCESS_RUNAWAY_PROTECTOR |
Disables a service if executed more than (x) amount of times | TRUE |
CONTAINER_PROCESS_RUNAWAY_LIMIT |
The amount of times it needs to restart before disabling | 50 |
CONTAINER_PROCESS_RUNAWAY_SHOW_OUTPUT_FINAL |
Show the program Output on the final execution before disabling | TRUE |
Networking
The following ports are exposed.
Port | Description |
---|---|
2020 |
Fluent Bit |
10050 |
Zabbix Agent |
Developing / Overriding
This base image has been used over a hundred times to successfully build secondary images. My methodology is admittedly straying from the "one process per container" rule, however this methodology allows me to put together images at a rapid pace, and if more complex scalability is required, the work is split into their own individual images. Since you are reading this here's a crash course at how the image works: (WIP):
See /assets/functions/00-container
for more detailed documentation for the various commands and functions/shortcuts
-
Put defaults in
/assets/defaults/(script name)
-
Put functions in
/assets/functions/(script name)
-
Put Initialization script in
/etc/cont-init.d/(script name)
Put at the top:
#!/command/with-contenv bash # Pull in Container Environment Variables from Dockerfile/Docker Runtime
source /assets/functions/00-container # Pull in all custom container functions from this image
prepare_service single # Read functions and defaults only from files matching this script filename - see detailed docs for more
PROCESS_NAME="process" # set the prefix for any logging
.. your scripting ..
print_info "This an INFO log"
print_warn "This a WARN log"
print_error "This is a ERROR log"
liftoff # this writes to the state files at /tmp/.container/ to prove the script executed properly see CONTAINER_SKIP_SANITY_CHECK
-
Put Services script in
/etc/services.available/(script name)
Put at the top:
#!/command/with-contenv bash # Pull in Container Environment Variables from Dockerfile/Docker Runtime
source /assets/functions/00-container # Pull in all custom container functions from this image
prepare_service defaults single # Read defaults only from files matching this script filename - see detailed docs for more
PROCESS_NAME="process" # set the prefix for any logging
check_container_initialized # Check to make sure that the container properly initialized before proceeding
check_service_initialized init # Check to see if the cont-init.d/scriptname executed correctly, otherwise wait until it has done
liftoff # Prove script was able to execute properly
print_start "Starting processname" # Show STARTING log prefix, and also show if enabled a counter, and execute process watchdog script
fakeprocess (args) # whatever your process you want to start is
Parameter | Description | Default |
---|---|---|
CONTAINER_SKIP_SANITY_CHECK |
Skip the checking to see if all scripts in /etc/cont-init.d executed correctly | FALSE |
DEBUG_MODE |
Show all script output (set -x) | FALSE |
PROCESS_NAME |
Used for prefixing the script that is running | container |
Debug Mode
When using this as a base image, create statements in your startup scripts to check for existence of DEBUG_MODE=TRUE
and set various parameters in your applications to output more detail, enable debugging modes, and so on.
In this base image it does the following:
- Sets zabbix-agent to output logs in verbosity
- Shows all script output (equivalent to set -x)
Maintenance
Shell Access
For debugging and maintenance purposes you may want access the containers shell.
bash docker exec -it (whatever your container name is) bash
Support
These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.
Usage
- The Discussions board is a great place for working with the community on tips and tricks of using this image.
- Sponsor me for personalized support
Bugfixes
- Please, submit a Bug Report if something isn't working as expected. I'll do my best to issue a fix in short order.
Feature Requests
- Feel free to submit a feature request, however there is no guarantee that it will be added, or at what timeline.
- Sponsor me regarding development of features.
Updates
- Best effort to track upstream changes, More priority if I am actively using the image in a production environment.
- Sponsor me for up to date releases.
License
MIT. See LICENSE for more details.