From 68da43dc8f22b909859a3c2e1d930cddda156dee Mon Sep 17 00:00:00 2001 From: miketwc1984 Date: Tue, 9 Mar 2021 22:29:57 -0500 Subject: [PATCH] Docker updt --- Docker/Dockerfile | 7 +++- Docker/DockerfileMultistage | 73 +++++++++++++++++++++++++++++++++++++ Docker/Readme.md | 43 ++++++++++++++++++++-- Readme.md | 3 +- 4 files changed, 118 insertions(+), 8 deletions(-) create mode 100644 Docker/DockerfileMultistage diff --git a/Docker/Dockerfile b/Docker/Dockerfile index a1d9981..60040a4 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -1,4 +1,4 @@ -# build: docker build -t cronicle:edge -f Dockerfile --build-arg branch=main --build-arg echo=1 . +# build: docker build -t cronicle:edge -f Dockerfile --build-arg branch=main --build-arg echo=1 --build-arg bldonly=1 . # test run: docker run -it -v $HOME/data:/opt/cronicle/data -p 3012:3012 cronicle:edge manager FROM node:14-alpine3.12 @@ -51,7 +51,10 @@ RUN echo $echo ARG branch=main RUN git clone https://github.com/cronicle-edge/cronicle-edge.git /opt/cronicle RUN git checkout ${branch} -RUN npm audit fix --force; npm install; node bin/build dist +RUN npm audit fix --force; npm install +ARG bldonly +RUN echo $bldonly +RUN git pull && node bin/build dist # protect sensitive folders RUN mkdir -p /opt/cronicle/data /opt/cronicle/conf && chmod 0700 /opt/cronicle/data /opt/cronicle/conf diff --git a/Docker/DockerfileMultistage b/Docker/DockerfileMultistage new file mode 100644 index 0000000..67340a6 --- /dev/null +++ b/Docker/DockerfileMultistage 
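Review bot: `RUN npm audit fix --force; npm install` in the second Docker/Dockerfile hunk joins the commands with `;`, so a failing `npm audit fix` does not stop the build, and `--force` lets npm apply breaking upgrades, which leaves the dependency versions in the image decided at build time rather than by a reviewed lockfile. If the repository ships a package-lock.json, `RUN npm ci` would install exactly what is locked and keep audit fixes as a reviewed lockfile change. The added `RUN git pull && node bin/build dist` also fails when `branch` is a tag or commit id, because `git pull` has nothing to merge on a detached HEAD, so the build cannot be pinned to a fixed revision. Both lines appear again in the new Docker/DockerfileMultistage. The `ARG bldonly` / `RUN echo $bldonly` pair looks like a cache-busting switch and would benefit from a comment such as `# change bldonly to rebuild from here without re-running npm install`.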
@@ -0,0 +1,73 @@
+# build: docker build -t cronicle:pwsh -f DockerfileMultistage --build-arg branch=main --build-arg echo=1 .
+# multistage build example
+
+FROM node:14-alpine3.12 AS BASE
+
+WORKDIR /opt/cronicle
+RUN apk add git && git clone https://github.com/cronicle-edge/cronicle-edge.git /opt/cronicle
+ARG branch=main
+RUN git checkout ${branch}
+RUN npm audit fix --force; npm install
+
+
+# ------ main image ----------------------------- #
+
+FROM mcr.microsoft.com/powershell:alpine-3.12
+RUN apk add --no-cache nodejs-current git tini util-linux bash openssl procps coreutils curl acl jq
+# required: all: tini; alpine: util-linux procps coreutils
+
+# optional lolcat for tty/color debugging
+RUN apk add lolcat --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing
+
+# optional java 15, for java 11 just use "apk add openjdk11"
+# RUN apk add openjdk15-jdk --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing
+# ENV JAVA_HOME=/usr/lib/jvm/java-15-openjdk
+# ENV PATH="$JAVA_HOME/bin:${PATH}"
+
+# optional PySpark
+# RUN apk add python3 gcompat
+# RUN pip3 install pyspark
+# ENV SPARK_CLASSPATH=/jars/*
+# python version, might change (e.g. to 3.9)
+# ENV PYSPARK_PYTHON=python3.8
+
+# optional mc s3 client (+20MB)
+# RUN wget -O /usr/bin/mc http://dl.min.io/client/mc/release/linux-amd64/mc && chmod +x /usr/bin/mc
+
+# optional kafkacat
+# RUN apk add kafkacat --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community
+# extra deps if using kerberos: apk add krb5 cyrus-sasl cyrus-sasl-gssapiv2
+
+# optional - set up custom CA cert
+# COPY myCA.cer /usr/local/share/ca-certificates/myCA.crt
+# RUN apk add --no-cache ca-certificates
+# RUN update-ca-certificates
+# ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/myCA.crt
+
+ENV CRONICLE_foreground=1
+ENV CRONICLE_echo=1
+ENV TZ=America/New_York
+ENV EDITOR=nvim
+
+ENV PATH "/opt/cronicle/bin:${PATH}"
+
+# non root user for shell plugin
+ARG CRONICLE_UID=1007
+ARG CRONICLE_GID=1099
+RUN addgroup cronicle --gid $CRONICLE_GID && adduser -D -h /opt/cronicle -u $CRONICLE_UID -G cronicle cronicle
+
+WORKDIR /opt/cronicle
+ARG echo
+RUN echo $echo
+ARG branch=main
+RUN git clone https://github.com/cronicle-edge/cronicle-edge.git /opt/cronicle
+COPY --from=BASE /opt/cronicle/node_modules /opt/cronicle/node_modules
+RUN git checkout ${branch}
+#RUN npm audit fix --force; npm install
+RUN git pull && node bin/build dist
+
+
+# protect sensitive folders
+RUN mkdir -p /opt/cronicle/data /opt/cronicle/conf && chmod 0700 /opt/cronicle/data /opt/cronicle/conf
+
+ENTRYPOINT ["/sbin/tini", "--"]
diff --git a/Docker/Readme.md b/Docker/Readme.md
index 388a38d..00c0649 100644
--- a/Docker/Readme.md
+++ b/Docker/Readme.md
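Review bot: In Docker/DockerfileMultistage the final stage clones the repository a second time (`RUN git clone https://github.com/cronicle-edge/cronicle-edge.git /opt/cronicle`) while `node_modules` is copied from the separate clone made in the `BASE` stage, and nothing visible ties the two clones to the same commit, so the built code and its dependencies can drift apart between builds. Copying the checked-out tree from the first stage, `COPY --from=BASE /opt/cronicle /opt/cronicle`, would drop the second clone and keep both stages on one revision. `RUN apk add lolcat --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing` installs an optional debugging tool from the edge/testing repository into the 3.12-tagged runtime image and without `--no-cache`; commenting it out like the other optional blocks would keep it out of the default image. The commented `wget -O /usr/bin/mc http://dl.min.io/...` example fetches an executable over plain HTTP with no checksum, so showing an `https://` URL followed by a `sha256sum -c` check is worthwhile because users will copy that line as written.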
@@ -1,7 +1,38 @@ -# Running cronicle in swarm mode +# Building image +You can use Dockerfile in this folder as an example. You need to use tini as an entrypoint to avoid Cronicle to become zombie. If using alpine make sure to install following packages: +```bash +apk add util-linux bash openssl procps coreutils +``` +You will likely need to use some different base image (e.g. python or java). In this case it's useful to use multistage build to speed up build times and reduce some space. Just add nodejs-current package to your base image, and run "npm install" using node image and then just copy node modules. Use DockerfileMultistage file as example. -## step 1 - create network and prepare volume for data +# Running using docker run +For debugging/development start interactive bash, then use *manager* or *worker* command +``` +docker run -it -p 3012:3012 cronicle/cronicle:edge bash +``` +For better security I'd suggest to run cronicle as root user, while setting shell plugin to run as non-root. This way you can limit access to data/conf directories and some other files with sensitive data. This is how demo image is set. + +For actual use: +- use *manager* as entrypoint command +- always use same hostname (e.g. manager1 ) to make data folder portable (without tweaking server list/groups later) +- for persistant volume you only need to map *data* folder +- to run cronicle "as a service" use *restart=always* option +- you may optionally use *--net=host* parameter if interacting with cronicle nodes on other machines (in this case don't use hostname parameter, it should be the same as your host) + +```bash +docker run -it --hostname manager1 --restart always \ + -e CRONICLE_manager=1 \ + -e CRONICLE_secret_key=123456 \ + -p 3017:3012 \ + -v $HOME/data:/opt/cronicle/data \ + cronicle:pwsh manager +``` + +# Running cronicle in swarm mode (as service) +If you have multiple machines it's a good idea to set up a swarm cluster. 
It's still could be useful on a single node too, since you'll get access to secret management, and will be able easily update/roll back cronicle version. + +## step 1 - create network and volume ```bash docker network create --driver overlay cron @@ -68,12 +99,16 @@ If you are going to deploy a cluster (1 manager + N workers), it's better to use # Setting up https reverse proxy with nginx -Below command assumes that ssl keys will be placed under /run/secrets/ as master.crt and master.key +For a single node cronicle Nginx should be a good reverse/https proxy solution. You can install it over docker as well. Check nginx.conf file and command below. It assumes ssl keys will be placed under /run/secrets/ as master.crt and master.key Edit nginx.conf to set different key path, or change/add other routes if needed (if running multiple apps on same server) Then: ```bash - docker run -d --net=host -v ~/secrets:/run/secrets --name nginx --restart=always nginx + docker run -d --net=host --name nginx --restart=always nginx docker cp nginx.conf nginx:/etc/nginx/nginx.conf docker restart nginx ``` + + If using Swarm with multiple nodes, you can also check out traefik. + + diff --git a/Readme.md b/Readme.md index f10c42d..f015ced 100644 --- a/Readme.md +++ b/Readme.md @@ -6,8 +6,7 @@ You can quickly try it using Docker: ```bash docker run -it -p 3012:3012 -e CRONICLE_manager=1 cronicle/cronicle:edge manager ``` -You can import some demo jobs from sample_conf/backup file. This can be done via UI (see below) -Docker folder contains Dockerfile and several other examples for real life use. +You can import some demo jobs from sample_conf/backup file. This can be done via UI (see below). Check [Docker](https://github.com/cronicle-edge/cronicle-edge/tree/main/Docker) section for Dockerfile and other examples for real life use. ### Shell Plugin Improvement: