GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → tiredofit → docker-alpine

tiredofit / docker-alpine

Licence: MIT license
Docker Alpine Linux Base Images

Programming Languages

Dockerfile
14818 projects

Labels

dockeralpinezabbixs6-overlay

Projects that are alternatives of or similar to docker-alpine

docker-formio-api
Docker Form.io Server based on Debian w/s6 init, Zabbix Monitoring
Stars: ✭ 14 (-48.15%)
Mutual labels:  alpine, zabbix, s6-overlay
docker-mongodb-backup
Docker MongoDB Backup Container based on Alpine w/S6 init, Zabbix Monitoring
Stars: ✭ 27 (+0%)
Mutual labels:  alpine, s6-overlay
docker-tinc
Docker Tinc VPN Mesh server w/S6 Overlay Init, Zabbix Monitoring, and distributed configuration updating based on Alpine
Stars: ✭ 35 (+29.63%)
Mutual labels:  alpine, s6-overlay
docker-nfs4
Simple containerized NFS v4 server running on Alpine Linux
Stars: ✭ 19 (-29.63%)
Mutual labels:  alpine, s6-overlay
docker-jitsi-meet
Docker Jitsi Meet WebRTC conferencing system w/Prosody XMPP and s6 overlay
Stars: ✭ 66 (+144.44%)
Mutual labels:  alpine, s6-overlay
Docker Openldap
Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbix Monitoring based on Alpine
Stars: ✭ 74 (+174.07%)
Mutual labels:  alpine, zabbix
alpine-qbittorrent-openvpn
qBittorrent docker container with OpenVPN client running as unprivileged user on alpine linux
Stars: ✭ 230 (+751.85%)
Mutual labels:  alpine, s6-overlay
nginx
Nginx docker container image
Stars: ✭ 54 (+100%)
Mutual labels:  alpine
docker-node-ci
The Docker image based on the official "node" image optimized for a CI environment
Stars: ✭ 18 (-33.33%)
Mutual labels:  alpine
terragrunt
Auto-trigger docker build for terragrunt when new terraform version released
Stars: ✭ 23 (-14.81%)
Mutual labels:  alpine
akka-http-docker-sample
example of running an Sbt application in Docker based on openjdk:jre-alpine
Stars: ✭ 20 (-25.93%)
Mutual labels:  alpine
zabbix-cachet
Python script which sync Zabbix IT Services with Cachet
Stars: ✭ 78 (+188.89%)
Mutual labels:  zabbix
torpool
Containerized pool of multiple Tor instances with load balancing and HTTP proxy.
Stars: ✭ 42 (+55.56%)
Mutual labels:  alpine
zbxdb
Zabbix database monitoring, the easy and extendable way
Stars: ✭ 87 (+222.22%)
Mutual labels:  zabbix
docker-ansible
Alpine-based multistage-build version of Ansible for reproducible usage in CI
Stars: ✭ 168 (+522.22%)
Mutual labels:  alpine
docker-upsource
Dockerfile for Upsource.
Stars: ✭ 18 (-33.33%)
Mutual labels:  alpine
zabbix-module-python
Embedded Python interpreter module for Zabbix
Stars: ✭ 32 (+18.52%)
Mutual labels:  zabbix
docker-dataset
Docker database images with pre-populated data for testing and/or practice.
Stars: ✭ 35 (+29.63%)
Mutual labels:  alpine
dockerimages
🐳 Some dockerfiles based on alpine
Stars: ✭ 27 (+0%)
Mutual labels:  alpine
alpine-grafana
alpine-grafana
Stars: ✭ 14 (-48.15%)
Mutual labels:  alpine
View All Similar Projects ➔

github.com/tiredofit/docker-alpine

GitHub release Build Status Docker Stars Docker Pulls Become a sponsor Paypal Donate

About

Dockerfile to build an alpine linux container image.

  • Currently tracking 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17 and edge.
  • s6 overlay enabled for PID 1 init capabilities.
  • zabbix-agent (Classic and Modern) for individual container monitoring.
  • Scheduling via cron with other helpful tools (bash, curl, less, logrotate, nano, vim) for easier management.
  • Messaging ability via MSMTP enabled to send mail from container to external SMTP server.
  • Firewall included with capabilities of monitoring logs to block remote hosts via Fail2ban
  • Logshipping capabilities to remote log analysis servers via Fluent-Bit
  • Ability to update User ID and Group ID permissions dynamically.

Maintainer

Table of Contents

Prerequisites and Assumptions

No prerequisites required

Installation

Build from Source

Clone this repository and build the image with docker build <arguments> (imagename) .

Prebuilt Images

Builds of the image are available on Docker Hub and is the recommended method of installation.

docker pull tiredofit/alpine:(imagetag)

The following image tags are available along with their tagged release based on what's written in the Changelog:

Alpine version Tag
edge :edge
3.17 :3.17
3.16 :3.16
3.15 :3.15
3.14 :3.14
3.13 :3.13
3.12 :3.12
3.11 :3.11
3.10 :3.10
3.9 :3.9
3.8 :3.8
3.7 :3.7
3.6 :3.6
3.5 :3.5

Multi Architecture

Images are built primarily for amd64 architecture, and may also include builds for arm/v7, arm64 and others. These variants are all unsupported. Consider sponsoring my work so that I can work with various hardware. To see if this image supports multiple architecures, type docker manifest (image):(tag)

Configuration

Quick Start

Utilize this image as a base for further builds. Please visit the s6 overlay repository for instructions on how to enable the S6 init system when using this base or look at some of my other images which use this as a base.

Persistent Storage

The following directories are used for configuration and can be mapped for persistent storage.

Directory Description
/etc/fluent-bit/conf.d/ Fluent-Bit custom configuration directory
/etc/fluent-bit/parsers.d/ Fluent-Bit custom parsers directory
/etc/zabbix/zabbix_agentd.conf.d/ Zabbix Agent configuration directory
/etc/fail2ban/filter.d Custom Fail2ban Filter configuration
/etc/fail2ban/jail.d Custom Fail2ban Jail configuration
/var/log Container, Cron, Zabbix, other log files
/assets/cron Drop custom crontabs here
/assets/iptables Drop custom IPTables rules here

Environment Variables

Below is the complete list of available options that can be used to customize your installation.

Container Options

Parameter Description Default
CONAINER_ENABLE_LOG_TIMESTAMP Prefix this images container logs with timestamp TRUE
CONTAINER_COLORIZE_OUTPUT Enable/Disable colorized console output TRUE
CONTAINER_CUSTOM_BASH_PROMPT If you wish to set a different bash prompt then '(imagename):(version) HH:MM:SS # '
CONTAINER_CUSTOM_PATH Used for adding custom files into the image upon startup /assets/custom
CONTAINER_CUSTOM_SCRIPTS_PATH Used for adding custom scripts to execute upon startup /assets/custom-scripts
CONTAINER_ENABLE_PROCESS_COUNTER Show how many times process has executed in console log TRUE
CONTAINER_LOG_LEVEL Control level of output of container INFO, WARN, NOTICE, DEBUG NOTICE
CONTAINER_LOG_PREFIX_TIME_FMT Timestamp Time Format %H:%M:%S
CONTAINER_LOG_PREFIX_DATE_FMT Timestamp Date Format %Y-%m-%d
CONTAINER_LOG_PREFIX_SEPERATOR Timestamp seperator -
CONTAINER_LOG_FILE_LEVEL Control level of output of container INFO, WARN, NOTICE, DEBUG DEBUG
CONTAINER_LOG_FILE_NAME Internal Container Logs filename /var/log/container/container.log
CONTAINER_LOG_FILE_PATH Path where to find the internal container logs /var/log/container/
CONTAINER_LOG_FILE_PREFIX_TIME_FMT Timestamp Time Format %H:%M:%S
CONTAINER_LOG_FILE_PREFIX_DATE_FMT Timestamp Date Format %Y-%m-%d
CONTAINER_LOG_FILE_PREFIX_SEPERATOR Timestamp seperator -
CONTAINER_NAME Used for setting entries in Monnitoring and Log Shipping (hostname)
CONTAINER_POST_INIT_COMMAND If you wish to execute a command in the container after all services have initialized enter it here. Seperate multiple by commas
CONTAINER_POST_INIT_SCRIPT If you wish to execute a script in the container after all services have initialized enter the path here. Seperate multiple by commas
TIMEZONE Set Timezone Etc/GMT

Scheduling Options

The image has capability of executing tasks at differnt times of the day. It follows the cron syntax. Presently this image only supports the busybox cron however can be extended to other scheduling backends with little effort.

Parameter Description Default
CONTAINER_ENABLE_SCHEDULING Enable Scheduled Tasks TRUE
CONTAINR_SCHEDULING_BACKEND What scheduling tool to use cron cron
CONTAINER_SCHEDULING_LOCATION Where to read task files /assets/cron/
SCHEDULING_LOG_TYPE Log Type FILE FILE
SCHEDULING_LOG_LOCATION Log File Location /var/log/cron/
SCHEDULING_LOG_LEVEL Log Level 1 (loud) to 8 (quiet) 6
Cron Options

There are two ways to add jobs to be triggered via cron. One is to drop files into /assets/cron/ which will be parsed upon container startup, or to set environment variables.

Parameter Description Default
CRON_* Name of the job value of the time and output to be run ``

Example: CRON_HELLO="* * * * * echo 'hello' > /tmp/hello.log

Since you can't really disable environment variables in Docker if they are baked into parent Docker images, you can override a baked in Cron command with your own values, or to disable it entirely set the value to FALSE eg CRON_HELLO=FALSE.

Messaging Options

If you wish to send mail, set CONTAINER_ENABLE_MESSAGING=TRUE and configure the following environment variables. Presently we only support one backend, but more can be added with little effort.

Parameter Description Default
CONTAINER_ENABLE_MESSAGING Enable Messaging services like SMTP TRUE
CONTAINER_MESSAGING_BACKEND Messaging Backend - presently only msmtp msmtp
MSMTP Options

See the MSMTP Configuration Options for further information on options to configure MSMTP.

Parameter Description Default
SMTP_AUTO_FROM Add setting to support sending through Gmail SMTP FALSE
SMTP_HOST Hostname of SMTP Server postfix-relay
SMTP_PORT Port of SMTP Server 25
SMTP_DOMAIN HELO Domain docker
SMTP_MAILDOMAIN Mail Domain From local
SMTP_AUTHENTICATION SMTP Authentication none
SMTP_USER SMTP Username ``
SMTP_PASS SMTP Password ``
SMTP_TLS Use TLS FALSE
SMTP_STARTTLS Start TLS from within session FALSE
SMTP_TLSCERTCHECK Check remote certificate FALSE

See The Official Zabbix Agent Documentation for information about the following Zabbix values.

Monitoring Options

This image includes the capability of using agents inside the image to monitor metrics from applications. Presently at this time it only supports Zabbix as a monitoring platform, however is extendable to other platforms with little effort.

Parameter Description Default
CONTAINER_ENABLE_MONITORING Enable Monitoring of applications or metrics TRUE
CONTAINR_MONITORING_BACKEND What monitoring agent to use zabbix zabbix
Zabbix Options

This image comes with Zabbix Agent 1 (Classic or C compiled) and Zabbix Agent 2 (Modern, or Go compiled). See which variables work for each version and make your agent choice. Drop files in /etc/zabbix/zabbix_agentd.conf.d to setup your metrics. The environment variables below only affect the system end of the configuration. If you wish to use your own system configuration without these variables, change ZABBIX_SETUP_TYPE to MANUAL

Parameter Description Default 1 2
ZABBIX_SETUP_TYPE Automatically generate configuration based on these variables AUTO or MANUAL AUTO x x
ZABBIX_AGENT_TYPE Which version of Zabbix Agent to load 1 or 2 1 N/A N/A
ZABBIX_AGENT_LOG_PATH Log File Path /var/log/zabbix/agent/ x x
ZABBIX_AGENT_LOG_FILE Logfile name zabbix_agentd.log x x
ZABBIX_CERT_PATH Zabbix Certificates Path /etc/zabbix/certs/ x x
ZABBIX_ENABLE_AUTOREGISTRATION Use internal routine for Agent autoregistration based on config files with # Autoregister tag TRUE x x
ZABBIX_ENABLE_AUTOREGISTRATION_DNS Register with DNS name instead of IP Address when autoregistering TRUE x x
ZABBIX_AUTOREGISTRATION_DNS_NAME (optional) DNS Name to provide for auto register. Uses CONTAINER_NAME as default $CONTAINER_NAME x x
ZABBIX_AUTOREGISTRATION_DNS_SUFFIX If you want to append something after the generated DNS Name `` x x
ZABBIX_ENCRYPT_PSK_ID Zabbix Encryption PSK ID `` x x
ZABBIX_ENCRYPT_PSK_KEY Zabbix Encryption PSK Key `` x x
ZABBIX_ENCRYPT_PSK_FILE Zabbix Encryption PSK File (If not using above env var) `` x x
ZABBIX_LOG_FILE_SIZE Logfile size 0 x x
ZABBIX_DEBUGLEVEL Debug level 1 x x
ZABBIX_REMOTECOMMANDS_ALLOW Enable remote commands * x x
ZABBIX_REMOTECOMMANDS_DENY Deny remote commands `` x x
ZABBIX_REMOTECOMMANDS_LOG Enable remote commands Log (0/1) 1 x ``
ZABBIX_SERVER Allow connections from Zabbix server IP 0.0.0.0/0 x x
ZABBIX_STATUS_PORT Agent will listen to this port for status requests (http://localhost:port/status) 10050 `` x
ZABBIX_LISTEN_PORT Zabbix Agent listening port 10050 x x
ZABBIX_LISTEN_IP Zabbix Agent listening IP 0.0.0.0 x x
ZABBIX_START_AGENTS How many Zabbix Agents to start 1 x ``
ZABBIX_SERVER_ACTIVE Server for active checks zabbix-proxy x x
ZABBIX_HOSTNAME Container hostname to report to server $CONTAINER_NAME x x
ZABBIX_REFRESH_ACTIVE_CHECKS Seconds to refresh Active Checks 120 x x
ZABBIX_BUFFER_SEND Buffer Send 5 x x
ZABBIX_BUFFER_SIZE Buffer Size 100 x x
ZABBIX_MAXLINES_SECOND Max Lines Per Second 20 x ``
ZABBIX_SOCKET Socket for communicating /tmp/zabbix.sock `` x
ZABBIX_ALLOW_ROOT Allow running as root 1 x ``
ZABBIX_USER User to start agent zabbix x x
ZABBIX_USER_SUDO Allow Zabbix user to utilize sudo commands TRUE x x

This image supports autoregistering configuration as an Active Agent to a Zabbix Proxy or a Server. It looks in /etc/zabbix_agent.conf.d/*.conf for the string # Autoregister= and takes these values and adds it to the HostMetadata configuration entry automatically wrapped around : eg :application: . Use it by creating an Auto register rule and search for that string. You can find server templates in this repository in the [zabbix_templates](zabbix_templates/) directory.

Logging Options

This is work in progress for a larger logging solution. Presently there is functionality to rotate logs on a daily basis, however as this section matures there will be the capability to also ship the logs to an external data warehouse like Loki, or Elastic Search. At present Log shipping is only supported by fluent-bit and x86_64 only.

Parameter Description Default
CONTAINER_ENABLE_LOGROTATE Enable Logrotate (if scheduling enabled) TRUE
CONTAINER_ENABLE_LOGSHIPPING Enable Log Shipping FALSE
CONTAINER_LOGSHIPPING_BACKEND Log shipping backend fluent-bit fluent-bit
LOGROTATE_COMPRESSION_TYPE Logfile compression algorithm NONE BZIP2 GZIP ZSTD ZSTD
LOGROTATE_COMPRESSION_VALUE What level of compression to use 8
LOGROTATE_COMPRESSION_EXTRA_PARAMETERS Pass extra parameters to the compression command (optional)
LOGROTATE_RETAIN_DAYS Rotate and retain logs for x days 7
Log Shipping Parsing

You can set an environment variable to start shipping a log without any other configuration. Create a variable starting with LOGSHIP_<name> with the value of the location of the log files. You can also use this to null an existing configuration by setting the value of FALSE.

Example: LOGSHIP_NGINX=/var/log/nginx/*.log will create and tag all log files from that directory as to be coming from CONTAINER_NAME and from nginx. Note, it does not allow for custom parsing, so will simply parse the log entry as is.

If LOGSHIPPING_AUTO_CONFIG_LOGROTATE set to true, you can define what parser the configuration file should use. Make sure you have the appropriate .conf parsers in /etc/fluent-bit/parsers.d/ Create a line in the logrotate.d/<file> that looks like # logship: <parser>. Multiple parsers can be added by seperating via commas. Alternatively, if you wanted to skip a certain logfile from being parsed by the log shipper, use the value "SKIP".

Parameter Description Default
LOGSHIPPING_AUTO_CONFIG_LOGROTATE Automatically configure log shipping for files that are listed in /etc/logrotate.d TRUE
Fluent-Bit Options

Drop files in /etc/fluent-bit/conf.d to setup your inputs and outputs. The environment variables below only affect the system end of the configuration. If you wish to use your own system configuration without these variables, change FLUENTBIT_SETUP_TYPE to MANUAL. Container will attempt to automatically create configuration to send to a destination, or can also be set to act as a receiver from other fluent-bit hosts and forward data to a remote log analysis service.

Parameter Description Default
FLUENTBIT_CONFIG_PARSERS Parsers config file name parsers.conf
FLUENTBIT_CONFIG_PLUGINS Plugins config file name plugins.conf
FLUENTBIT_ENABLE_HTTP_SERVER Embedded HTTP Server for metrics TRUE / FALSE TRUE
FLUENTBIT_ENABLE_STORAGE_METRICS Public storage pipeline metrics in /api/v1/storage TRUE
FLUENTBIT_FLUSH_SECONDS Wait time to flush records in seconds 1
FLUENTBIT_FORWARD_BUFFER_CHUNK_SIZE Buffer Chunk Size 32KB
FLUENTBIT_FORWARD_BUFFER_MAX_SIZE Buffer Maximum Size 64KB
FLUENTBIT_FORWARD_PORT What port when using PROXY (listen) mode or FORWARD (client) output 24224
FLUENTBIT_GRACE_SECONDS Wait time before exit in seconds 1
FLUENTBIT_HTTP_LISTEN_IP HTTP Listen IP 0.0.0.0
FLUENTBIT_HTTP_LISTEN_PORT HTTP Listening Port 2020
FLUENTBIT_LOG_FILE Log File fluentbit.log
FLUENTBIT_LOG_LEVEL Log Level info warn error debug trace info
FLUENTBIT_LOG_PATH Log Path /var/log/fluentbit/
FLUENTBIT_MODE Type of operation - Client NORMAL or Proxy PROXY NORMAL
FLUENTBIT_OUTPUT_FORWARD_HOST Where to forward Fluent-Bit data to fluent-proxy
FLUENTBIT_OUTPUT_FORWARD_TLS_VERIFY Verify certificates when using TLS FALSE
FLUENTBIT_OUTPUT_FORWARD_TLS Enable TLS when forwading FALSE
FLUENTBIT_OUTPUT_LOKI_HOST Host for Loki Output loki
FLUENTBIT_OUTPUT_LOKI_PORT Port for Loki Output 3100
FLUENTBIT_OUTPUT_LOKI_TLS Enable TLS For Loki Output FALSE
FLUENTBIT_OUTPUT_LOKI_TLS_VERIFY Enable TLS Certificate Verification For Loki Output FALSE
FLUENTBIT_OUTPUT_LOKI_USER (optional) Username to authenticate to Loki Server ``
FLUENTBIT_OUTPUT_LOKI_PASS (optional) Password to authenticate to Loki Server ``
FLUENTBIT_OUTPUT_TENANT_ID (optional) Tenant ID to pass to Loki Server ``
FLUENTBIT_OUTPUT Output plugin to use LOKI , FORWARD, NULL FORWARD
FLUENTBIT_TAIL_BUFFER_CHUNK_SIZE Buffer Chunk Size for Tail 32k
FLUENTBIT_TAIL_BUFFER_MAX_SIZE Maximum size for Tail 32k
FLUENTBIT_TAIL_READ_FROM_HEAD Read from Head instead of Tail FALSE
FLUENTBIT_TAIL_SKIP_EMPTY_LINES Skip Empty Lines when Tailing TRUE
FLUENTBIT_TAIL_SKIP_LONG_LINES Skip Long Lines when Tailing TRUE
FLUENTBIT_TAIL_DB_ENABLE Enable Offset DB per tracked file (will be same name as log file yet hidden and a suffix of db TRUE
FLUENTBIT_TAIL_DB_SYNC DB Sync Type normal or full normal
FLUENTBIT_TAIL_DB_LOCK Lock access to DB File TRUE
FLUENTBIT_TAIL_DB_JOURNAL_MODE Journal Mode for DB WAL DELETE TRUNCATE PERSIST MEMORY OFF WAL
FLUENTBIT_TAIL_KEY_PATH_ENABLE Enable sending Key for Log Filename/Path TRUE
FLUENTBIT_TAIL_KEY_PATH Path Key Name filename
FLUENTBIT_TAIL_KEY_OFFSET_ENABLE Enable sending Key for Offset in Log file FALSE
FLUENTBIT_TAIL_KEY_OFFSET Offset Path Key Name offset
FLUENTBIT_SETUP_TYPE Automatically generate configuration based on these variables AUTO or MANUAL AUTO
FLUENTBIT_STORAGE_BACKLOG_LIMIT Maximum about of memory to use for backlogged/unsent records 5M
FLUENTBIT_STORAGE_CHECKSUM Create CRC32 checkcum for filesystem RW functions FALSE
FLUENTBIT_STORAGE_PATH Absolute file system path to store filesystem data buffers /tmp/fluentbit/storage
FLUENTBIT_STORAGE_SYNC Synchronization mode to store data in filesystem normal or full normal

Firewall Options

Included when proper capabilities are set on image is the capability to set up detailed block / allow rules via a firewall on container start. Presently only iptables is supported. You must use run your containers with the following capabilities added: NET_ADMIN, NET_RAW

Parameter Description Default
CONTAINER_ENABLE_FIREWALL Enable Firewall Functionality FALSE
CONTAINER_FIREWALL_BACKEND What Firewall backend to use iptables iptables
FIREWALL_RULE_00 Firewall rule to execute
FIREWALL_RULE_01 Next firewall rule to execute

One can use the FIREWALL_RULE_XX environment variables to pass rules to the firewall. In this example I am going to block someone from being able to access a port except if from a specific IP address:

FIREWALL_RULE_00=-I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 389 -j ACCEPT
FIREWALL_RULE_01=-I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 389 -j DROP
IPTables Options

Instead of relying on environment variables one can put a iptables-restore compatible ruleset below and it will be imported on container start.

| IPTABLES_RULES_PATH | Path for IPTables Rules | /assets/iptables/ | | IPTABLES_RULES_FILE | IPTables Rules File to restore if exists on container start | iptables.rules |

Fail2Ban Options

The container also has the capability should CONTAINER_ENABLE_FIREWALL=TRUE be enabled to launch Fail2ban, a process which watches logs for patterns and then blocks the remote host from connecting for a period of time. Drop your custom jail configs as *.conf files in /etc/fail2ban/jail.d/ and filters in /etc/fail2ban/filter.d for them to be parsed at startup. Note the startup delay environment variable to avoid the process failing if no log files exist from a fresh install.

Parameter Description Default
CONTAINER_ENABLE_FAIL2BAN Enable Firewall Functionality FALSE
FAIL2BAN_BACKEND Backend AUTO
FAIL2BAN_CONFIG_PATH Fail2ban Configuration Path /etc/fail2ban/
FAIL2BAN_DB_FILE Persistent Database File fail2ban.sqlite3
FAIL2BAN_DB_PATH Persistent Database Path /data/fail2ban/
FAIL2BAN_DB_PURGE_AGE Purge entries after how many seconds 86400
FAIL2BAN_DB_TYPE DB Type NONE, MEMORY, FILE MEMORY
FAIL2BAN_IGNORE_IP Ignore these IPs or Ranges space seperated 127.0.0.1/8 ::1 172.16.0.0/12 192.168.0.0/24
FAIL2BAN_IGNORE_SELF Ignroe Self TRUE FALSE TRUE
FAIL2BAN_LOG_PATH Fail2ban Log Path /var/log/fail2ban/
FAIL2BAN_LOG_FILE Fail2ban Log File fail2ban.log
FAIL2BAN_LOG_LEVEL Log Level CRITICAL ERROR WARNING NOTICE INFO DEBUG INFO
FAIL2BAN_LOG_TYPE Log to FILE or CONSOLE FILE
FAIL2BAN_MAX_RETRY Max times to find pattern in log over FAIL2BAN_TIME_FIND 5
FAIL2BAN_STARTUP_DELAY Startup Delay to give a chance for monitored logs to exist or have data in seconds 15
FAIL2BAN_TIME_BAN Length of time to ban in default 10m
FAIL2BAN_TIME_FIND Window to base pattern matches against 10m
FAIL2BAN_USE_DNS USE DNS for lookups yes warn no raw warn

Permissions

If you wish to change the internal id for users and groups you can set environment variables to do so. e.g. If you add USER_NGINX=1000 it will reset the containers nginx user id from 82 to 1000 -

If you enable DEBUG_PERMISSIONS=TRUE all the users and groups have been modified in accordance with environment variables will be displayed in output.

Hint, also change the Group ID to your local development users UID & GID and avoid Docker permission issues when developing.

Parameter Description
CONTAINER_USER_<USERNAME> The user's UID in /etc/passwd will be modified with new UID
CONTAINER_GROUP_<GROUPNAME> The group's GID in /etc/group and /etc/passwd will be modified with new GID
CONTAINER_GROUP_ADD_<GROUPNAME> The username will be added in /etc/group after the group name defined

Process Watchdog

This is experimental functionality to call an external script before a process is executed.

Sample use cases:

  • Alert slack channel when process has executed more than once
  • Disable process from executing further if restarted 50 times
  • Write to an additional log file..
  • Change a file to display "Under Maintenance" on a webserver if this process isn't supposed to be run more than 1 time.

It will pass 5 arguments to a bash script titled the same name as the executing script or if not found, use the default CONTAINER_PROCESS_HELPER_SCRIPT below. Drop your files into the CONTAINER_PROCESS_HELPER_PATH.

For example, if 04-scheduling was starting, it would look for $CONTAINER_PROCESS_HELPER_PATH/04-scheduling and if found execute it while passing the following arguments: DATE,TIME,SCRIPT_NAME,TIMES EXECUTED,HOSTNAME

e.g: 2021-07-01 23:01:04 04-scheduling 2 container

Use the values in your own bash script using the $1 $2 $3 $4 $5 syntax. Change time and date and settings with these environment variables

Parameter Description Default
CONTAINER_PROCESS_HELPER_PATH Path to file external helper scripts /assets/container/processhelper/
CONTAINER_PROCESS_HELPER_SCRIPT Default helper script name processhelper.sh
CONTAINER_PROCESS_HELPER_DATE_FMT Date format passed to external script %Y-%m-%d
CONTAINER_PROCESS_HELPER_TIME_FMT Time format passed to external script %H:%M:%S
CONTAINER_PROCESS_RUNAWAY_PROTECTOR Disables a service if executed more than (x) amount of times TRUE
CONTAINER_PROCESS_RUNAWAY_LIMIT The amount of times it needs to restart before disabling 50
CONTAINER_PROCESS_RUNAWAY_SHOW_OUTPUT_FINAL Show the program Output on the final execution before disabling TRUE

Networking

The following ports are exposed.

Port Description
2020 Fluent Bit
10050 Zabbix Agent

Developing / Overriding

This base image has been used over a hundred times to successfully build secondary images. My methodology is admittedly straying from the "one process per container" rule, however this methodology allows me to put together images at a rapid pace, and if more complex scalability is required, the work is split into their own individual images. Since you are reading this here's a crash course at how the image works: (WIP):

See /assets/functions/00-container for more detailed documentation for the various commands and functions/shortcuts

  • Put defaults in /assets/defaults/(script name)

  • Put functions in /assets/functions/(script name)

  • Put Initialization script in /etc/cont-init.d/(script name)

    Put at the top:

#!/command/with-contenv bash          # Pull in Container Environment Variables from Dockerfile/Docker Runtime
source /assets/functions/00-container # Pull in all custom container functions from this image
prepare_service single                # Read functions and defaults only from files matching this script filename - see detailed docs for more
PROCESS_NAME="process"                # set the prefix for any logging

.. your scripting ..
print_info "This an INFO log"
print_warn "This a WARN log"
print_error "This is a ERROR log"

liftoff                               # this writes to the state files at /tmp/.container/ to prove the script executed properly see CONTAINER_SKIP_SANITY_CHECK

  • Put Services script in /etc/services.available/(script name)

    Put at the top:

#!/command/with-contenv bash          # Pull in Container Environment Variables from Dockerfile/Docker Runtime
source /assets/functions/00-container # Pull in all custom container functions from this image
prepare_service defaults single       # Read defaults only from files matching this script filename - see detailed docs for more
PROCESS_NAME="process"                # set the prefix for any logging

check_container_initialized           # Check to make sure that the container properly initialized before proceeding
check_service_initialized init        # Check to see if the cont-init.d/scriptname executed correctly, otherwise wait until it has done
liftoff                               # Prove script was able to execute properly

print_start "Starting processname"    # Show STARTING log prefix, and also show if enabled a counter, and execute process watchdog script
fakeprocess (args)                    # whatever your process you want to start is
Parameter Description Default
CONTAINER_ENABLE_DOCKER_SECRETS Check Docker Secrets when checking for environment variables TRUE
CONTAINER_SKIP_SANITY_CHECK Skip the checking to see if all scripts in /etc/cont-init.d executed correctly FALSE
DEBUG_MODE Show all script output (set -x) FALSE
PROCESS_NAME Used for prefixing the script that is running container

Debug Mode

When using this as a base image, create statements in your startup scripts to check for existence of DEBUG_MODE=TRUE and set various parameters in your applications to output more detail, enable debugging modes, and so on. In this base image it does the following:

  • Sets zabbix-agent to output logs in verbosity
  • Shows all script output (equivalent to set -x)

Maintenance

Shell Access

For debugging and maintenance purposes you may want access the containers shell.

bash docker exec -it (whatever your container name is) bash

Support

These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.

Usage

  • The Discussions board is a great place for working with the community on tips and tricks of using this image.
  • Consider sponsoring me personalized support.

Bugfixes

  • Please, submit a Bug Report if something isn't working as expected. I'll do my best to issue a fix in short order.

Feature Requests

  • Feel free to submit a feature request, however there is no guarantee that it will be added, or at what timeline.
  • Consider sponsoring me regarding development of features.

Updates

  • Best effort to track upstream changes, More priority if I am actively using the image in a production environment.
  • Consider sponsoring me for up to date releases.

License

MIT. See LICENSE for more details.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].