Introduction

• This article describes the build process for official Controller images.
• Users can build their own Docker container images for Controllers and adjust to their needs.

Build Environment

The following directory hierarchy is assumed for the build environment:

...

The build.sh build script and entrypoint.sh entrypoint script are described below.

Dockerfile

Download: Dockerfile

Docker images for JS7 Controllers provided by SOS make use of the following Dockerfile:

...

• The Dockerfile implements two stages to exclude installer files from the resulting image.
• Line 3: The base image is the current Alpine image at build-time.
• Line 6 - 8: The release identification is injected by build arguments. This information is used to determine the tarball to be downloaded or copied.
• Line 10 - 14: Defaults for the user id running the Controller inside the container as well as HTTP and HTTPS ports are provided. These values can be overwritten by providing the relevant build arguments.
• Line 16 - 17: Users can either download the Controller tarball directly from the SOS web site or store the tarball with the build directory and copy from this location.

• Line 20: The tarball integrity is tested. 

• Line 24 - 25: The Controller Installer Script is downloaded or copied, see JS7 - Controller - Unix Shell Installation Script - js7_install_controller.sh
• Line 27: The jobscheduler account is created.
• Line 29 - 37: The Controller Installer Script is executed with arguments performing installation for the jobscheduler account.
• Line 58 - 62: Environment variables are provided at run-time, not at build-time. They can be used to specify ports and Java options when running the container.
• Line 68: The config folder available in the build directory is copied to the config sub-folder in the image. The parent folder var_<port> is determined from the HTTP port that the Controller is built for. This can be useful for creating an image with individual default settings in configuration files, see the JS7 - Controller Configuration Items article for more information.
• Line 71: The entrypoint.sh script is copied from the build directory to the image. Users can apply their own version of the entrypoint script. The entrypoint script used by SOS looks like this:
• Line 76 - 82: The image OS is updated and additional packages are installed (ps, netstat, bash).
• Line 83: The most recent Java 11 package available with Alpine is applied. Controllers can be operated with newer Java releases. However, stick to Oracle, OpenJDK or AdoptOpenJDK as the source for your Java LTS release. Alternatively you can use your own base image and install Java on top of this. For details see Which Java versions is JobScheduler available for?
• Line 84: Java releases might make use of /dev/random for random number generation. This is a bottleneck as random number generation with this file is blocking. Instead /dev/urandom should be used that implements non-blocking behavior. The change of the random file is applied to the Java security file.
• Line 85: Users might want to disable certain TLS protocol versions or algorithms by applying changes to the Java security file.
• Line 86 - 88: The jobscheduler account is created and is assigned the user id handed over by the relevant build argument. This suggests that the account running the Controller inside the container and the account that starts the container are assigned the same user id. This allows the account running the container to access any files created by the Controller in mounted volumes with identical permissions.
  • Consider that the account is assigned the root group. For environments in which the entrypoint script is executed with an arbitrary non-root user id this allows access to files created by the Controller provided to any accounts that are assigned the root group.
  • Accordingly any files owned by the jobscheduler account are made accessible to the root group with similar user permissions. Read access to /etc/passwd can be required in such environments.
  • For details see JS7 - Running Containers for User Accounts.
• Line 89: The entrypoint script is made executable.
• Line 93: The entrypoint script is executed and is dynamically parameterized from environment variables when starting the container.

Entrypoint Script

Download: entrypoint.sh

The following entrypoint script is used to start Controller containers.

#!/bin/bash

js_args=()
js_args_count=0

if [ -n "${RUN_JS_ID}" ]
then
  js_args["${js_args_count}"]="--id=${RUN_JS_ID}"
  js_args_count=$(( "${js_args_count}" + 1 ))
fi

if [ -n "${RUN_JS_HTTP_PORT}" ] && [ ! "${RUN_JS_HTTP_PORT}" = ":" ]
then
  js_args["${js_args_count}"]="--http-port=${RUN_JS_HTTP_PORT}"
  js_args_count=$(( "${js_args_count}" + 1 ))
fi

if [ -n "${RUN_JS_HTTPS_PORT}" ] && [ ! "${RUN_JS_HTTPS_PORT}" = ":" ]
then
  js_args["${js_args_count}"]="--https-port=${RUN_JS_HTTPS_PORT}"
  js_args_count=$(( "${js_args_count}" + 1 ))
fi

if [ -n "${RUN_JS_JAVA_OPTIONS}" ]
then
  js_args["${js_args_count}"]="--java-options=\"${RUN_JS_JAVA_OPTIONS}\""
  js_args_count=$(( "${js_args_count}" + 1 ))
fi

# work directory will be created by container
if [ -d "/var/sos-berlin.com/js7/controller/work" ] && [ -w "/var/sos-berlin.com/js7/controller/work" ]
then
  rm -f -r /var/sos-berlin.com/js7/controller/work
fi

JS_USER_ID=$(echo "${RUN_JS_USER_ID}" | cut -d ':' -f 1)
JS_GROUP_ID=$(echo "${RUN_JS_USER_ID}" | cut -d ':' -f 2)

JS_USER_ID=${JS_USER_ID:-$(id -u)}
JS_GROUP_ID=${JS_GROUP_ID:-$(id -g)}

BUILD_GROUP_ID=$(cat /etc/group | grep jobscheduler | cut -d ':' -f 3)
BUILD_USER_ID=$(cat /etc/passwd | grep jobscheduler | cut -d ':' -f 4)

if [ "$(id -u)" = "0" ]
then
  if [ ! "{$BUILD_USER_ID}" = "${JS_USER_ID}" ]
  then
    echo "JS7 entrypoint script switching ownership of image user id '${BUILD_USER_ID}' -> '${JS_USER_ID}'"
    usermod -u "${JS_USER_ID}" jobscheduler
    find /var/sos-berlin.com/ -user "${BUILD_USER_ID}" -exec chown -h jobscheduler {} \;
  fi
  
  if [ ! "${BUILD_GROUP_ID}" = "${JS_GROUP_ID}" ]
  then
    if grep -q "${JS_GROUP_ID}" /etc/group
    then
      groupmod -g "${JS_GROUP_ID}" jobscheduler
    else
      addgroup -g ${JS_GROUP_ID} -S jobscheduler
    fi

    echo "JS7 entrypoint script switchng ownership of image group id '${BUILD_GROUP_ID}' -> '${JS_GROUP_ID}'"
    find /var/sos-berlin.com/ -group "${BUILD_GROUP_ID}" -exec chgrp -h jobscheduler {} \;
  fi

  echo "JS7 entrypoint script switching to user account 'jobscheduler' to run start script"
  echo "JS7 entrypoint script starting Controller: exec su-exec ${JS_USER_ID}:${JS_GROUP_ID} /opt/sos-berlin.com/js7/controller/bin/controller_instance.sh start-docker" "${js_args[@]}"
  exec su-exec "${JS_USER_ID}":"${JS_GROUP_ID}" /opt/sos-berlin.com/js7/controller/bin/controller_instance.sh start-docker "${js_args[@]}"
else
  if [ "${BUILD_USER_ID}" = "${JS_USER_ID}" ]
  then
    if [ "$(id -u)" = "${JS_USER_ID}" ]
    then
      echo "JS7 entrypoint script running for user id '$(id -u)'"
    else
      echo "JS7 entrypoint script running for user id '$(id -u)' using user id '${JS_USER_ID}', group id '${JS_GROUP_ID}'"
      echo "JS7 entrypoint script missing permission to switch user id and group id, consider to omit the 'docker run --user' option"
    fi
  else
    echo "JS7 entrypoint script running for user id '$(id -u)' using image user id '${BUILD_USER_ID}' -> '${JS_USER_ID}', image group id '${BUILD_GROUP_ID}' -> '${JS_GROUP_ID}'"
  fi

  echo "JS7 entrypoint script starting Controller: exec sh -c /opt/sos-berlin.com/js7/controller/bin/controller_instance.sh start-docker ${js_args[*]}"
  exec sh -c "/opt/sos-berlin.com/js7/controller/bin/controller_instance.sh start-docker ${js_args[*]}"
fi

Build Script

The build script offers a number of options to parameterize the Dockerfile:

...