While this repository has been inactive for some time, this formal notice, issued on December 10, 2024, serves as the official declaration to clarify the situation. Consequently, this repository and all associated resources (including related projects, code, documentation, and distributed packages such as Docker images, PyPI packages, etc.) are now explicitly declared unmaintained and abandoned.
I would like to remind everyone that this project’s free license has always been based on the principle that the software is provided "AS-IS", without any warranty or expectation of liability or maintenance from the maintainer. As such, it is used solely at the user's own risk, with no warranty or liability from the maintainer, including but not limited to any damages arising from its use.
Due to the enactment of the Cyber Resilience Act (EU Regulation 2024/2847), which significantly alters the regulatory framework, including penalties of up to €15M, combined with its demands for unpaid and indefinite liability, it has become untenable for me to continue maintaining all my Open Source Projects as a natural person. The new regulations impose personal liability risks and create an unacceptable burden, regardless of my personal situation now or in the future, particularly when the work is done voluntarily and without compensation.
No further technical support, updates (including security patches), or maintenance, of any kind, will be provided.
These resources may remain online, but solely for public archiving, documentation, and educational purposes.
Users are strongly advised not to use these resources in any active or production-related projects, and to seek alternative solutions that comply with the new legal requirements (EU CRA).
Using these resources outside of these contexts is strictly prohibited and is done at your own risk.
Regarding the potential transfer of the project to another entity, discussions are ongoing, but no final decision has been made yet. As a last resort, if the project and its associated resources are not transferred, I may begin removing any published resources related to this project (e.g., from PyPI, Docker Hub, GitHub, etc.) starting March 15, 2025, especially if the CRA’s risks remain disproportionate.
-
Idea is to inject some tools inside base library images
-
We do not wrap
ONBUILDbased images. -
For all we want:
- the network swissknifes: socat, netcat, curl, wget.
- cops_pkgmgr_install.sh: arch agnostic package installer
- setup_locales.sh: helper to build and setup the default locale
- openssl: The SSL toolkit.
- cron: isc cron on debian like, cronie on redhat, busybox cron on alpine (dcron).
- rsyslog: the system logger
- logrotate: the venerable but still useful versatile logrotator
- bash: the venerable shell
- ca certificates: bundle of ROOT cas for SSL connections.
- process supervisors:
- forego: foreman in go, supervisord/runit/circus/foreman alike
- supervisord-go: supervisord in go, attention, it has bugs like PID1 proccess reaping issues, use with care and read the tracker and specially #60!
- runit (1)
- monit (1)
- foreman(ruby) & supervisord (python) are not bundled as they would add too much dependencies therefore make images grow too much.
- frep: tool to generates configs from templates when envsubst or basic shell is just not enougth
- confd: tool to generates configs from templates when frep is just not enougth
- remco: tool to generates configs from templates when confd is just not enougth
- dockerize: tool to orchestrate containers between themselves
- gosu: tool to downgrade privileges, the perfect SUDO.
- confenvsubst: tool to generate configs from env vars with well knows prefixes
- p7zip: the universal (un)archiver
- Except for alpine based images (using musl, so no locales): setup sensible locales for:
fr,en,de.
-
(1): if it is packaged on the underlying distrib (eg: runit is only on alpine>3)
-
debian 6 (stretch) is not supported anymore (tags remain, but we wont provide active support).
-
To be sure to include new tags nearly as soon as they are out, and to also refresh images to include their fixes including security patches, this repo has a Travis cron enabled to rebuild everything at least daily.
-
Note: All single binaries and scripts are installed inside
/cops_helpers, you can them use any docker-images related image as a source to ignite a volume or use multistage builds to copy them.
corpusops/postgres,corpusops/pgrouting&corpusops/postgispipelines has been moved to this repo and those 2 childrenpostgis-bare&&pgrouring-bareimages : postgis / pgrouting
| repo | status |
|---|---|
| docker-images |  |
| docker-postgis |  |
| docker-pgrouting |  |
| docker-postgres |  |
- other images managed separatly
- Those helpers (docker entrypoints) are added:
-
Think time to time to refresh
cops_pkgmgr_install.shcomes from corpusops.bootstrap/bin -
Then run
./main.sh gen
-
Commit the whole and check build status on travis
-
Image can override any of the hooks in this order (placing a
Dockerfile.<hook_name>in the image folder (precedence: tag folder itself, imagefolder (for all tags), and the default ones)
You better have to read the entrypoints to understand how they work.
-
/bin/supervisord.sh: helper to dockerize supervisord-go
- generates its config (read the helper) by concatenating all config (.conf, .ini) files
found inside subdirectories of
/etc/supervisor.d($SUPERVISORD_CONFIGS_DIR),/etc/supervisor,/etc/supervisord. - frep is done on config files for all vars beginning by
SUPERVISORD_ SUPERVISORD_CONFIGScan be set to alternate configs to aggregate to supervisord config, if the file is with a relative path, it will be searched inside/etc/supervisor.dSUPERVISORD_LOGFILEcan be set up to another path, as we set it to stdout by defaut
- generates its config (read the helper) by concatenating all config (.conf, .ini) files
found inside subdirectories of
-
One usual way to use this providen entrypoint is to launch it through supervisor to gain also logrotate support for free.
# configs can be given on CLI, v2 supervisord: image: "corpusops/supervisord" command: /bin/supervisord.sh s.conf # configs can be given on CLI, v1 supervisord: image: "corpusops/supervisord" entrypoint: /bin/supervisord.sh command: [s.conf] # /etc/supervisor.d/s.conf is a valid supervisord config snippet supervisord: image: "corpusops/supervisord" entrypoint: /bin/supervisord.sh environment: - SUPERVISORD_CONFIGS=s.conf # /foo/s.conf is a valid supervisord config snippet supervisord: image: "corpusops/supervisord" entrypoint: /bin/supervisord.sh environment: - SUPERVISORD_CONFIGS=/foo/s.conf
-
/bin/forego.sh: helper to dockerize forego :
- envsubst is done on Procfiles for all vars beginning by
FOREGO_
- envsubst is done on Procfiles for all vars beginning by
-
As you may know, forego uses a Procfile to configure itself.
-
You can either use this entrypoint directly by giving args including the Procfile
-
Or, easier, you can use The
PROCFILEenv var pointing to your config.- This config file will be parsed by envsubst.
nginx: command: "corpusops/nginx" entrypoint: /bin/forego.sh -d /my/path environment: # This way your procfile can be processed by envsubst ! - FOREGO_PROCFILE=/my/path/.Procfile
-
- /bin/cron.sh: helper to dockerize cron
- When you use a debian/ubuntu based image, it's impossible to use cron base logging as it is based on syslog.
- see this bug
- When you use other implementation, you can redirect to a file, but it won't end up into docker logs.
- So we made an entrypoint
-
- to handle different implementation startup arguments
-
- to handle a named pipe to escalate cron logs up to docker logs instead of a regular log file.
-
- What you have to do to log is to redirect output to
/var/log/cron.log.-
Usage is as easy as putting this in your docker-compose file
-
ALT: (not recommanded) without supervisor:
--- version: "3.6" services: # for alpine alpinecron: image: corpusops/alpine-bare command: - /bin/sh - "-c" - >- frep /mycrontab.frep:/etc/crontabs/mycrontab --overwrite && chmod 0700 /etc/crontabs/mycrontab && exec /bin/supervisord.sh environment: - SUPERVISORD_CONFIGS=/etc/supervisor.d/cron /etc/supervisor.d/rsyslog volumes: - ./mycrontab:/mycrontab.frep - ../rootfs/etc/rsyslog.conf.frep:/etc/rsyslog.conf.frep # for debian/redhat alike ubuntucron: image: corpusops/ubuntu-bare command: - /bin/sh - "-c" - >- frep /mycrontab.frep:/etc/cron.d/mycrontab --overwrite && chmod 0700 /etc/cron.d/mycrontab && exec /bin/supervisord.sh environment: - SUPERVISORD_CONFIGS=/etc/supervisor.d/cron /etc/supervisor.d/rsyslog volumes: - ./umycrontab:/mycrontab.frep - ../rootfs/etc/rsyslog.conf.frep:/etc/rsyslog.conf.frep
-
mycrontab
# debian / ubuntu / centos: /etc/crond.d/mycrontab 1 * * * * * root gosu myuser /bin/sh -c "backup 2>&1 | tee -a /var/log/cron.log" # alpine: /etc/crontabs/mycrontab 1 * * * * * gosu myuser /bin/sh -c "backup 2>&1 | tee -a /var/log/cron.log"
-
- /bin/nginx.sh: helper to dockerize nginx
- Helper image built by docker-project, tags:
corpusops/project:{nginx,nginx-alpine,nginx-stable,nginx-stable-alpine}
- One usual way to use this providen entrypoint is to launch it through supervisord-go to gain also logrotate support for free.
- Remember also that all files in
/etc/nginxwill be proccessed by frep - Remember also that all files in
/nginx.dif existing will be proccessed by frep with same rules and copied to /etc/nginx - Also ".skip|.template" files will be skipped from processing (eg: /etc/nginx/foo.template) but you can adapt the
NGINX_FREP_SKIPenvvar to any regex to skip other files from frep processing - if
NO_SSLis not set, generate a self signed certificate if the certificate provided path is not already existing. - Useful vars:
NGINX_FREP_SKIP=.skip|.template|.skipped: skip rendering files matching regexSKIP_EXTRA_CONF=: set to 1 to skip extra conf in /nginx.d copySKIP_CONF_RENDER=: set to 1 skip frep renderingSKIP_OPENSSL_INSTALL=: set to 1 skip openssl autoinstall if not installed- ALL
XXX_HTTP_PROTECT_USER/XXX_HTTP_PROTECT_PASSWORD/XXX_HTTP_PROTECT_FILE: generate$XXX_HTTP_PROTECT_FILE&/etc/htpasswd/protecthtpasswd files with those credentials- if
$XXX_HTTP_PROTECT_FILEisnt set, it defaults to/etc/htpasswd/xxxprotect - if
$XXX_HTTP_PROTECT_USERisnt set, it defaults toroot /etc/htpasswd/protectwill contain all defined users- Symlinks from
/etc/htpasswd-xxxprotectare done for convenience (retrocompat)
- if
VHOST_TEMPLATES: list of vhost template to render through frep. (default:/etc/nginx/conf.d/default.conf)VHOST_TEMPLATE_EXTS: exts to search for templatesNO_SSL=1: set to 1 not to generate a selfisgned certificate forSSL_CERT_BASENAMEandSSL_ALT_NAMES(space sparated)SSL_CERT_PATH=/certs/cert.pem: ssl certificate path (also used when using the selfsigned certificate generator)SSL_KEY_PATH=/certs/cert.key: ssl certificate key path
- examples
-
supervisord example
nginx: image: corpusops/nginx:1-alpine command: /bin/supervisord.sh environment: [SUPERVISORD_CONFIGS=cron nginx rsyslog] volumes: - ./nginx:/nginx.d
-
supervisord custom example
nginx: image: corpusops/nginx:1-alpine command: > /bin/sh -exc " frep /etc/nginx/conf.d/default.conf.template:/etc/nginx/conf.d/default.conf --overwrite && exec /bin/supervisord.sh" environment: [SUPERVISORD_CONFIGS=cron nginx rsyslog] volumes: - ./myvhost.conf:/etc/nginx/conf.d/default.conf.template
-
- Helper image built by docker-project, tags:
corpusops/project:helpers-ubuntucorpusops/project:helpers-ubuntu-{22,20,16,14,16}.04corpusops/project:helpers-debiancorpusops/project:helpers-debian-{11,10,9,8}corpusops/project:helpers-alpinecorpusops/project:helpers-alpine{3}corpusops/project:helpers-centoscorpusops/project:helpers-centos-{9,8,7}corpusops/project:helpers-centos-streamcorpusops/project:helpers-centos-stream{9,8,7}
- Install all helpers from
/cops_helpersto$HELPERS_DIR(/helpers) - It will start a dummy http server to work in pair with sidekar containers which use dockerize, unless you set
SKIP_HELPERS_SERVICE=1, eg
helpers:
image: corpusops/project:helpers-ubuntu-22.04
volumes: [helpers:/helpers]
redmine:
volumes: [helpers:/helpers]
entrypoint:
- /bin/bash
- '-exc'
- |-
export PATH="/helpers:$PATH";until [ -e /helpers/frep ];do sleep 1;done;dockerize -wait http://helpers -timeout 120s
# now frep is available
frep /conf/foo:/conf/bar --overwrite
/start-
see script
-
controlled via env vars:
SSL_COMMON_NAME= # default: $hostname SSL_ALT_NAMES= # default: $hostname www.$hostname SSL_CERT_BASENAME= # default to hostname and "cert" through nginx script SSL_CERT_PATH= SSL_KEY_PATH= SSL_KEY_VALIDITY= # cert validity in days SSL_CERT_VALIDITY= # cert validity in days SSL_DIR_MODuE= # directory perms mode SSL_CERT_MODE= # cert perms mode SSL_KEY_MODE= # key perms mode SSL_CERT= # x509 cert value if you want to give it SSL_KEY= # x509 cert key value if you want to give it
-
If
SSL_CERTis empty, a SSL key will be generated -
If
SSL_KEYis empty, a selfsigned cert will be generated
- /bin/traefik.sh: helper to dockerize traefik
- As you may know, forego uses a Procfile to configure itself.
-
You can either use this entrypoint directly by giving args including the traefik config
-
Or, easier, you can use either
- the
TRAEFIK_CONFIGenv var pointing to your config. - mount a file to
/traefik.toml
- the
-
This config file will be parsed by envsubst for any env var prefixed by
TRAEFIK_.traefik: image: "corpusops/traefik" entrypoint: /bin/traefik.sh environment: # if this file exists, it will be used as the config automatically - TRAEFIK_CONFIG=/traefik.toml
-
- See ./corpusops/rsyslog.
- tag is
corpusops/rsyslog- OS based variants:
corpusops/rsyslog:{debian,alpîne,ubuntu}
- OS based variants:
- this image exposes a syslog daemon on port
10514 - It will split with its default config every log inside
/var/log/docker/<prog_name>.log - logs also go to stdout
- env vars (mainly to control log retention) [see logrotate]:
RSYSLOG_PORT=10514: rsyslog portLOGROTATE_SIZE=5M: size to trigger a logrotate from.LOGROTATE_DAYS=30: number of days to keep logs for.LOGROTATE_LONGRETENTION_DAYS=365: number of days to keep long retention (web & loadbalancers) logs for.RSYSLOG_DOCKER_LOGS_PATH=/var/log/docker: path to logsRSYSLOG_DOCKER_LONGRETENTION_LOGS_PATH=/var/log/docker/longretention: path to logs with long retentionRSYSLOG_DOCKER_LONGRETENTION_PATTERN=^(lb|nginx|proxy|traefik|haproxy|apache): regex to know which tagnames can be treated as long retention logsRSYSLOG_SPLITTED_CONFIGS=1:- if
1: logs are splitted under/var/log/docker/<prog_name>.log - else things go inside like usually in
/var/log
- if
- Any file inside
/entrywill be copied to/etcwith same location - Any file named
*.frepinto/etc/logrotate.d&&/etc/rsyslog.dwill be processed through frep
One current pattern is to redirect docker logs through a local syslog this way:
x-vars:
base: &base
restart: always
# this will configure the baremetal host to reroute logs
# through localhost:1514 which forwards to ``log`` container itself
logging:
driver: "syslog"
options:
syslog-address: "tcp://localhost:1514"
tag: "someservice"
services:
log:
<<: [ *base ]
image: corpuspops/rsyslog
ports: ["127.0.0.1:1514:10514"]
# ensure no syslog log loop
logging: {driver: "json-file", options: {max-size: "10M", max-file: "50"}}
someservice:
<<: [ *base ]
image: some/service-
Helper image built by docker-project, tags:
corpusops/project:mailhog
-
corpusops/project:mailhog: mailhog wrapper to setup a user/password file from envvars:MAILCATCHER_PASSWORDMAILCATCHER_USER
-
smtp_port is on port
1025, UI/API on port8025
mailcatcher:
image: "corpusops/project:mailhog"
hostname: mailcatcher
volumes: ["mails:/mails"]- Helper image built by docker-project, tags:
corpusops/project:dbsetup
- helper to wait for db availability and then setup a dummy webserver to help dependent services orchestration