RFC > Dockerfile: removed supervisor, added S6

Do not merge until workerized processes are 
converted from supervisor behavior

Author: Bryan Latten

Dockerfile

@@ -7,30 +7,49 @@ ENV SIGNAL_BUILD_STOP=99 \
     CONTAINER_ROLE=web \
     CONF_NGINX_SITE="/etc/nginx/sites-available/default" \
     CONF_NGINX_SERVER="/etc/nginx/nginx.conf" \
-    NOT_ROOT_USER=docker
+    NOT_ROOT_USER=www-data \
+    S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
+    S6_KILL_FINISH_MAXTIME=5000 \
+    S6_KILL_GRACETIME=3000
 
-# Create an unprivileged user
-RUN useradd -r -s /bin/false $NOT_ROOT_USER
 
+# Ensure base system is up to date
 RUN apt-get update && \
-    apt-get install -yq \
-        openssl \
-        ca-certificates \
+    apt-get upgrade -yqq && \
+    # Install pre-reqs \
+    apt-get install -yqq \
         software-properties-common \
-        supervisor \
-        nano \
     && \
-    rm -rf /var/lib/apt/lists/*
-
-# Install latest nginx (development PPA is actually mainline development)
-RUN add-apt-repository ppa:nginx/development -y && \
-    apt-get update -yq && \
-    apt-get install -yq nginx \
+    # Install latest nginx (development PPA is actually mainline development) \
+    add-apt-repository ppa:nginx/development -y && \
+    apt-get update -yqq && \
+    apt-get install -yqq nginx \
     && \
-    rm -rf /var/lib/apt/lists/*
+    # Perform cleanup, ensure unnecessary packages are removed \
+    apt-get remove --purge -yq \
+        manpages \
+        manpages-dev \
+        man-db \
+        patch \
+        make \
+        unattended-upgrades \
+        python* \
+        && \
+    apt-get autoclean -y && \
+    apt-get autoremove -y && \
+    rm -rf /var/lib/{cache,log}/ && \
+    rm -rf /var/lib/apt/lists/ && \
+    rm -rf /tmp/* /var/tmp/*
 
-# # Overlay the root filesystem from this repo
+# Overlay the root filesystem from this repo
 COPY ./container/root /
 
+# Add S6 overlay build, to avoid having to build from source
+RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C / && \
+    rm /tmp/s6-overlay-amd64.tar.gz
+
 EXPOSE 80
+
+# NOTE: intentionally NOT using s6 init as the entrypoint
+# This would prevent container debugging if any of those service crash
 CMD ["/bin/bash", "/run.sh"]

README.md

@@ -1,30 +1,60 @@
 # docker-nginx
-Provides base OS, patches and stable nginx for quick and easy spinup
+Provides base OS, patches and stable nginx for quick and easy spinup.
+Integrates S6 process supervisor for zombie reaping (as PID 1) and boot coordination.
+@see https://github.com/just-containers/s6-overlay
 
+### Expectations
+
+Applications using this as a container parent must copy their html/app into the `/var/www/html` folder
+
+
+
+### Environment Variables
 
 Variable | Example | Description
 --- | --- | ---
 `SERVER_MAX_BODY_SIZE` | `SERVER_MAX_BODY_SIZE=4M` | Allows the downstream application to specify a non-default `client_max_body_size` configuration for the `server`-level directive in `/etc/nginx/sites-available/default`
 `SERVER_INDEX` | `SERVER_INDEX index.html index.html index.php` | Changes the default pages to hit for folder and web roots
-`SERVER_APP_NAME` | `SERVER_APP_NAME='view'` | Sets a kv pair to be consumed by logging service for easy parsing and searching
+`SERVER_APP_NAME` | `SERVER_APP_NAME='view'` | Gets appended to the default logging format
 `SERVER_GZIP_OPTIONS` | `SERVER_GZIP_OPTIONS=1` | Allows default set of static content to be served gzipped
 `SERVER_SENDFILE` | `SERVER_SENDFILE=off` | Allows runtime to specify value of nginx's `sendfile` (default, on)
 `SERVER_KEEPALIVE` | `SERVER_KEEPALIVE=30` | Define HTTP 1.1's keepalive timeout
 `SERVER_WORKER_CONNECTIONS` | `SERVER_WORKER_CONNECTIONS=2048` | Sets up the number of connections for worker processes
 `SERVER_LOG_MINIMAL` | `SERVER_LOG_MINIMAL=1` | Minimize the logging format, appropriate for development environments
+`S6_KILL_FINISH_MAXTIME` | `S6_KILL_FINISH_MAXTIME=1000` | Wait time (in ms) for zombie reaping before sending a kill signal
+`S6_KILL_GRACETIME` | `S6_KILL_GRACETIME=500` | Wait time (in ms) for S6 finish scripts before sending kill signal
+
+
+### Startup/Runtime Modification
 
+To inject changes just before runtime, shell scripts (ending in .sh) may be placed into the
+`/etc/cont-init.d` folder. For example, the above environment variables are used to drive nginx configuration at runtime.
+As part of the process manager, these scripts are run in advance of the supervised processes. @see https://github.com/just-containers/s6-overlay#executing-initialization-andor-finalization-tasks
 
-### Runtime Commands
 
-To inject things into the runtime process, add shell scripts (ending in .sh) into the
-`/run.d` folder. These will be executed during container start.
+### Advanced Modification
 
-- If script terminates with a non-zero exit code, container will stop, terminating with the script's exit code, unless...
-- If script terminates with exit code of $SIGNAL_BUILD_STOP (99), this will signal the container to stop cleanly. This can be used for multi-stage builds that can be committed
+More advanced changes can take effect using the run.d system. Similar to the `/etc/cont-init.d/` script system, any scripts (ending in .sh) in the `/run.d/` folder will be executed ahead of the S6 initialization.
 
+- If run.d script terminates with a non-zero exit code, container will stop, terminating with the script's exit code, unless...
+- If script terminates with exit code of $SIGNAL_BUILD_STOP (99), this will signal the container to stop cleanly. This can be used for multi-stage builds
 
-### Long-running processes (workers)
+
+### Long-running processes (workers + crons)
+
+This container image can be shared between web and non-web processes. An example use case would be
+a web service and codebase that also has a few crons and background workers. To reuse this container for
+those types of workloads:
 
 `docker run {image_id} /worker.sh 3 /bin/binary -parameters -that -binary -receives`
 
-Runs 3 copies of `/bin/binary` that receives any arguments as parameters
+Runs `3` copies of `/bin/binary` that receives the parameters `-parameters -that -binary -receives`
+
+
+### Container Organization
+
+Besides the instructions contained in the Dockerfile, the majority of this
+container's use is in configuration and process. The `./container/root` repo directory is overlayed into a container during build. Adding additional files
+to the folders in there will be present in the final image.
+
+Nginx is currently set up as an S6 service in `/etc/services-available/nginx`, during default environment conditions, it will symlink itself to be supervised under `/etc/services.d/nginx`. When running under worker entrypoint (`worker.sh`), it will not be S6's `service.d` folder to be supervised.

container/root/run.d/10-nginx.sh renamed to container/root/etc/cont-init.d/10-nginx.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
 
 if [[ $SERVER_APP_NAME ]]
 then

container/root/etc/fix-attrs.d/01-stdout

@@ -0,0 +1 @@
+/dev/stdout false www-data 0644 2700

container/root/etc/fix-attrs.d/02-tmp

@@ -0,0 +1,4 @@
+# Shouldn't need to be two separate statements, something is requiring it
+/tmp/.nginx true www-data 0644 2700
+/tmp true www-data 0644 2700
+

container/root/etc/nginx/nginx.conf

@@ -7,10 +7,12 @@
 # add to the run.d/nginx script
 #############################################################
 
-user www-data;
+# Only set when running with superuser permissions, otherwise causes a warning
+# user www-data;
+
 worker_processes auto;
 
-pid /tmp/nginx.pid;
+pid /tmp/.nginx/nginx.pid;
 
 events {
     # @see http://serverfault.com/questions/209014/how-can-i-observe-what-nginx-is-doing-to-solve-1024-worker-connections-are-n
@@ -28,7 +30,7 @@ http {
 
     log_format minimal '$request_method $request_uri $status';
 
-    error_log /dev/stdout info;
+    error_log /dev/stdout;
     access_log /dev/stdout main;
 
     sendfile        on;
@@ -38,11 +40,11 @@ http {
 
     #gzip  on;
 
-    client_body_temp_path /tmp/client_body;
-    fastcgi_temp_path /tmp/fastcgi_temp;
-    proxy_temp_path /tmp/proxy_temp;
-    scgi_temp_path /tmp/scgi_temp;
-    uwsgi_temp_path /tmp/uwsgi_temp;
+    client_body_temp_path /tmp/.nginx/client_body;
+    fastcgi_temp_path /tmp/.nginx/fastcgi_temp;
+    proxy_temp_path /tmp/.nginx/proxy_temp;
+    scgi_temp_path /tmp/.nginx/scgi_temp;
+    uwsgi_temp_path /tmp/.nginx/uwsgi_temp;
 
     # Everything available is enabled in the container
     include /etc/nginx/sites-available/*;

container/root/etc/services-available/nginx/finish

@@ -0,0 +1,7 @@
+#!/usr/bin/execlineb -S1
+
+# @see https://github.com/just-containers/s6-overlay/issues/101
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
+
+s6-svscanctl -t /var/run/s6/services

container/root/etc/services-available/nginx/run

@@ -0,0 +1,4 @@
+#!/usr/bin/execlineb -P
+s6-setuidgid www-data
+
+nginx -g "daemon off;"

container/root/etc/services.d/.gitkeep

@@ -8,25 +8,30 @@ STATUS=0
 # When .sh run scripts fail (exit non-zero), container run will fail
 # NOTE: if a .sh script exits with 99, this is a stop signal, container must exit cleanly
 
-for file in $RUN_SCRIPTS/*.sh; do
+if ls ${RUN_SCRIPTS}/*.sh &>/dev/null
+then
+  for file in $RUN_SCRIPTS/*.sh; do
 
-  echo "[init] executing ${file}"
+    echo "[init] executing ${file}"
 
-  # Note: -e will enforce that any subcommand that fails will fail the entire script run
-  /bin/bash -e $file
+    # Note: -e will enforce that any subcommand that fails will fail the entire script run
+    /bin/bash -e $file
 
-  STATUS=$?  # Captures exit code from script that was run
+    STATUS=$?  # Captures exit code from script that was run
 
-  if [[ $STATUS == $SIGNAL_BUILD_STOP ]]
-  then
-    echo "[init] exit signalled - ${file}"
-    exit $STATUS
-  fi
+    if [[ $STATUS == $SIGNAL_BUILD_STOP ]]
+    then
+      echo "[init] exit signalled - ${file}"
+      exit $STATUS
+    fi
 
-  if [[ $STATUS != 0 ]]
-  then
-    echo "[init] failed executing - ${file}"
-    exit $STATUS
-  fi
+    if [[ $STATUS != 0 ]]
+    then
+      echo "[init] failed executing - ${file}"
+      exit $STATUS
+    fi
 
-done
+  done
+else
+  echo "[init] no run.d scripts"
+fi