JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 59

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 60

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
titleDockerfile for Agent Image
linenumberstrue
collapsetrue
# BUILD PRE-IMAGE

FROM alpine:3.17 AS js7-pre-image

# provide build arguments for release information
ARG JS_RELEASE
ARG JS_RELEASE_MAJOR

# image user id has to match later run-time user id
ARG JS_USER_ID=${UID:-1001}
ARG JS_HTTP_PORT=${JS_HTTP_PORT:-4445}
ARG JS_HTTPS_PORT=${JS_HTTPS_PORT:-""}
ARG JS_JAVA_OPTIONS=${JS_JAVA_OPTIONS}

# add/copy installation tarball
# ADD https://download.sos-berlin.com/JobScheduler.${JS_RELEASE_MAJOR}/js7_agent_unix.${JS_RELEASE}.tar.gz /usr/local/src/
COPY js7_agent_unix.${JS_RELEASE}.tar.gz /usr/local/src/

# test installation tarball
RUN test -e /usr/local/src/js7_agent_unix.${JS_RELEASE}.tar.gz

# add/copy installer script
# ADD  https://download.sos-berlin.com/JobScheduler.${JS_RELEASE_MAJOR}/js7_install_agent.sh /usr/local/bin/
COPY js7_install_agent.sh /usr/local/bin/

RUN adduser -u ${JS_USER_ID} -G root --disabled-password --home /home/jobscheduler --shell /bin/bash jobscheduler && \
    chmod +x /usr/local/bin/js7_install_agent.sh && \
    /usr/local/bin/js7_install_agent.sh \
        --home=/opt/sos-berlin.com/js7/agent \
        --data=/var/sos-berlin.com/js7/agent \
        --tarball=/usr/local/src/js7_agent_unix.${JS_RELEASE}.tar.gz \
        --user=jobscheduler \
        --http-port=${JS_HTTP_PORT} \
        --java-options="${JS_JAVA_OPTIONS}" \
        --make-dirs && \
    rm -f /usr/local/src/js7_agent_unix.${JS_RELEASE}.tar.gz

# BUILD IMAGE

FROM alpine:3.17 AS js7-image

LABEL maintainer="Software- und Organisations-Service GmbH"

# provide build arguments for release information
ARG JS_RELEASE
ARG JS_RELEASE_MAJOR

# default user id has to match later run-time user
ARG JS_USER_ID=${UID:-1001}
ARG JS_HTTP_PORT=${JS_HTTP_PORT:-4445}
ARG JS_HTTPS_PORT=${JS_HTTPS_PORT:-""}
ARG JS_JAVA_OPTIONS=${JS_JAVA_OPTIONS}

# JS7 JobScheduler user id, ports and Java options
ENV RUN_JS_USER_ID=${RUN_JS_USER_ID:-1001}
ENV RUN_JS_HTTP_PORT=${RUN_JS_HTTP_PORT:-$JS_HTTP_PORT}
ENV RUN_JS_HTTPS_PORT=${RUN_JS_HTTPS_PORT}
ENV RUN_JS_JAVA_OPTIONS=${RUN_JS_JAVA_OPTIONS:-$JS_JAVA_OPTIONS}

COPY --from=js7-pre-image ["/opt/sos-berlin.com/js7", "/opt/sos-berlin.com/js7"]
COPY --from=js7-pre-image ["/var/sos-berlin.com/js7", "/var/sos-berlin.com/js7"]

# copy configuration
COPY config/ /var/sos-berlin.com/js7/agent/config/

# copy entrypoint script
COPY entrypoint.sh /usr/local/bin/

# install process tools, net tools, bash, openjdk
# for JDK < 12, /dev/random does not provide sufficient entropy, see https://kb.sos-berlin.com/x/lIM3
# make default user the owner of directories
RUN apk update && apk add --no-cache \
    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
    procps \
    net-tools \
    su-exec \
    bash \
    shadow \
    openjdk11 && \
    sed -i 's/securerandom.source=file:\/dev\/random/securerandom.source=file:\/dev\/urandom/g' /usr/lib/jvm/java-11-openjdk/conf/security/java.security && \
    sed -i 's/jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\/jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, TLSv1, TLSv1.1, \\/g' /usr/lib/jvm/java-11-openjdk/conf/security/java.security && \
    adduser -u ${JS_USER_ID} -G root --disabled-password --home /home/jobscheduler --shell /bin/bash jobscheduler && \
    chown -R jobscheduler:root /opt/sos-berlin.com  /var/sos-berlin.com && \
    chmod -R g=u /etc/passwd /opt/sos-berlin.com /var/sos-berlin.com && \
    chmod +x /usr/local/bin/entrypoint.sh

# START

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

Explanation:

  • The build script Dockerfile implements two stages to exclude installer files from the resulting image.
  • Line 3: The base image is the current Alpine image at build-time.
  • Line 6 - 8: The release identification is injected by build arguments. This information is used to determine the tarball to be downloaded or copied.
  • Line 10 - 13: Defaults for the user id running the Agent inside the container as well as HTTP and HTTPS ports are provided. These values can be overwritten by providing the relevant build arguments.
  • Line 16 - 17: Users can either download the Agent tarball directly from the SOS web site or store the tarball with the build directory and copy from this location.

  • Line 20: The tarball integrity is tested. 

  • Line 23 - 24: The Agent Installer Script is downloaded or copied, see JS7 - Unix Shell Installation Script - js7_install_agent.sh
  • Line 27: The jobscheduler account is created.
  • Line 27 - 35: The Agent Installer Script is executed with arguments performing installation for the jobscheduler account.
  • Line 55 - 58: Environment variables are provided at run-time, not at build-time. They can be used to specify ports and Java options when running the container.
  • Line 64: The config folder available in the build directory is copied to the config sub-folder in the image. The parent folder var_<port> is determined from the HTTP port that the Agent is built for. This can be useful for creating an image with individual default settings in configuration files, see the JS7 - Agent Configuration Items article for more information.
  • Line 67: The entrypoint.sh script is copied from the build directory to the image. Users can apply their own version of the entrypoint script. The entrypoint script used by SOS looks like this:
  • Line 72 - 78: The image OS is updated and additional packages are installed (ps, netstat, bash).
  • Line 79: The most recent Java 11 package available with Alpine is applied. Agents can be operated with newer Java releases. However, stick to Oracle, OpenJDK or AdoptOpenJDK as the source for your Java LTS release. Alternatively you can use your own base image and install Java on top of this. For details see Which Java versions is JobScheduler available for?
  • Line 80: Java releases might make use of /dev/random for random number generation. This is a bottleneck as random number generation with this file is blocking. Instead /dev/urandom should be used that implements non-blocking behavior. The change of the random file is applied to the Java security file.
  • Line 81: Users might want to disable certain TLS protocol versions or algorithms by applying changes to the Java security file.
  • Line 82 - 84: The jobscheduler account is created and is assigned the user id handed over by the relevant build argument. This suggests that the account running the Agent inside the container and the account that starts the container are assigned the same user id. This allows the account running the container to access any files created by the Agent in mounted volumes with identical permissions.
    • Consider that the account is assigned the root group. For environments in which the entrypoint script is executed with an arbitrary non-root user id this allows access to files created by the Agent provided to any accounts that are assigned the root group.
    • Accordingly any files owned by the jobscheduler account are made accessible to the root group with similar user permissions. Read access to /etc/passwd can be required in such environments.
  • Line 85: The entrypoint script is made executable.
  • Line 89: The entrypoint script is executed and is dynamically parameterized from environment variables when starting the container.

...