{"id":21079206,"url":"https://github.com/focela/alpine","last_synced_at":"2026-03-08T11:35:13.280Z","repository":{"id":263461672,"uuid":"800364938","full_name":"focela/alpine","owner":"focela","description":"Alpine-based image with monitoring, logging, security, and management tools.","archived":false,"fork":false,"pushed_at":"2024-11-28T08:21:14.000Z","size":86,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-24T01:46:41.837Z","etag":null,"topics":["alpine","devops","docker","fluentbit","logging","monitoring","scheduling","zabbix"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/focela.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://www.paypal.me/focela"],"github":["focela"]}},"created_at":"2024-05-14T07:36:59.000Z","updated_at":"2025-02-15T20:54:15.000Z","dependencies_parsed_at":"2025-01-20T23:35:35.623Z","dependency_job_id":null,"html_url":"https://github.com/focela/alpine","commit_stats":null,"previous_names":["focela/alpine","powaline/docker-gitlab"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/focela%2Falpine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/focela%2Falpine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/focela%2Falpine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/focela%2Falpine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/focela","download_url":"https://codeload.github.com/focela/alpine/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250546043,"owners_count":21448255,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine","devops","docker","fluentbit","logging","monitoring","scheduling","zabbix"],"created_at":"2024-11-19T19:45:13.245Z","updated_at":"2025-04-24T01:46:47.374Z","avatar_url":"https://github.com/focela.png","language":"Dockerfile","readme":"# Focela Alpine: Lightweight and Flexible Docker Image\n\n[![GitHub release](https://img.shields.io/github/v/tag/focela/alpine?style=flat-square)](https://github.com/focela/alpine/releases/latest)\n[![Build Status](https://img.shields.io/github/actions/workflow/status/focela/alpine/main.yml?branch=main\u0026style=flat-square)](https://github.com/focela/alpine/actions)\n[![Docker Stars](https://img.shields.io/docker/stars/focela/alpine.svg?style=flat-square\u0026logo=docker)](https://hub.docker.com/r/focela/alpine/)\n[![Docker Pulls](https://img.shields.io/docker/pulls/focela/alpine.svg?style=flat-square\u0026logo=docker)](https://hub.docker.com/r/focela/alpine/)\n[![Become a sponsor](https://img.shields.io/badge/sponsor-focela-181717.svg?logo=github\u0026style=flat-square)](https://github.com/sponsors/focela)\n[![Paypal Donate](https://img.shields.io/badge/donate-paypal-00457c.svg?logo=paypal\u0026style=flat-square)](https://www.paypal.me/focela)\n\n---\n\n## Table of Contents\n1. [About](#about)\n2. [Features](#features)\n3. [Installation](#installation)\n - [Getting Started](#getting-started)\n - [Multi Architecture Support](#multi-architecture-support)\n4. [Available Tags](#available-tags)\n5. [Configuration](#configuration)\n - [Quick Start](#quick-start)\n - [Persistent Storage](#persistent-storage)\n - [Environment Variables](#environment-variables)\n - [Developing / Overriding](#developing--overriding)\n6. [Debug Mode](#debug-mode)\n7. [Support](#support)\n8. [License](#license)\n\n---\n\n## About\n\nA lightweight and flexible [Alpine Linux](https://www.alpinelinux.org/) container image optimized for various use cases such as monitoring, logging, scheduling, and security. This image integrates essential tools to simplify container management.\n\n---\n\n## Features\n\n- **Init System**: [s6 overlay](https://github.com/just-containers/s6-overlay) for PID 1 init capabilities.\n- **Monitoring**: Includes [Zabbix Agent](https://zabbix.org) (Classic and Modern) for container monitoring.\n- **Scheduling**: Integrated `cron` for task automation.\n- **Utilities**: Comes with helpful tools like `bash`, `curl`, `less`, `logrotate`, `nano`, and `vi`.\n- **Messaging**: Built-in MSMTP for sending emails via an external SMTP server.\n- **Firewall**: Configured with [Fail2ban](https://github.com/fail2ban/fail2ban) to block malicious hosts based on log analysis.\n- **Logging**: Supports log shipping to remote servers using [Fluent-Bit](https://github.com/fluent/fluent-bit).\n- **Permission Management**: Dynamically updates User ID and Group ID permissions.\n\n---\n\n## Installation\n\n### Getting Started\nYou can use this image either by building it locally or pulling prebuilt images from trusted registries.\n\n#### Build from Source\nIf you want to build the image locally:\n```bash\ndocker build \u003carguments\u003e (imagename) .\n```\n\n#### Prebuilt Images\nPrebuilt images are available in the following registries:\n\n- **Docker Hub**:\n ```bash\n docker pull docker.io/focela/alpine:(imagetag)\n ```\n\n- **GitHub Container Registry**:\n ```bash\n docker pull ghcr.io/focela/alpine:(imagetag)\n ```\n\n### Multi Architecture Support\nThis image is primarily built for `amd64` architecture. Variants for `arm/v7`, `arm64`, and others are available but not officially supported.\n\nTo verify the architecture compatibility of a specific image:\n```bash\ndocker manifest inspect (image):(tag)\n```\n\n---\n\n## Available Tags\n\n| **Alpine Version** | **Tag** |\n|--------------------|----------|\n| `edge` | `:edge` |\n| `3.20` | `:3.20` |\n| `3.19` | `:3.19` |\n| `3.18` | `:3.18` |\n| `3.17` | `:3.17` |\n| `3.16` | `:3.16` |\n| `3.15` | `:3.15` |\n| `3.14` | `:3.14` |\n| `3.13` | `:3.13` |\n| `3.12` | `:3.12` |\n| `3.11` | `:3.11` |\n| `3.10` | `:3.10` |\n| `3.9` | `:3.9` |\n| `3.8` | `:3.8` |\n| `3.7` | `:3.7` |\n| `3.6` | `:3.6` |\n| `3.5` | `:3.5` |\n\n---\n\n## Configuration\n\n### Quick Start\n\nUse this image as a base for your builds. For more details on enabling the S6 init system, visit the [s6 overlay repository](https://github.com/just-containers/s6-overlay). You can also refer to other images based on this setup for additional examples.\n\n### Persistent Storage\n\nThe following directories can be mapped to the host machine to retain configuration and log files:\n\n| **Directory** | **Description** |\n|-------------------------------------|-------------------------------------------|\n| `/etc/fluent-bit/conf.d/` | Fluent-Bit custom configuration directory |\n| `/etc/fluent-bit/parsers.d/` | Fluent-Bit custom parsers directory |\n| `/etc/zabbix/zabbix_agentd.conf.d/` | Zabbix Agent configuration directory |\n| `/etc/fail2ban/filter.d` | Custom Fail2ban filter configuration |\n| `/etc/fail2ban/jail.d` | Custom Fail2ban jail configuration |\n| `/var/log` | Logs for container, cron, Zabbix, etc. |\n| `/assets/cron` | Drop custom crontabs here |\n| `/assets/iptables` | Drop custom IPTables rules here |\n\n**Note:** Mapping these directories ensures data persistence between container restarts.\n\n### Environment Variables\n\nBelow is a list of variables available for customizing the container. Variables marked with 'x' in the `_FILE` column can load values from files, which is useful for managing sensitive information.\n\n#### **Container Options**\n\n| **Parameter** | **Description** | **Default** |\n|------------------------------------|--------------------------------------------------------------------------------|------------------------------------|\n| `CONTAINER_ENABLE_LOG_TIMESTAMP` | Add timestamps to container logs | `TRUE` |\n| `CONTAINER_COLORIZE_OUTPUT` | Enable/Disable colorized console output | `TRUE` |\n| `CONTAINER_CUSTOM_BASH_PROMPT` | Set a custom bash prompt (e.g., '(imagename):(version) HH:MM:SS # ') | |\n| `CONTAINER_CUSTOM_PATH` | Path to custom files loaded at startup | `/assets/custom` |\n| `CONTAINER_CUSTOM_SCRIPTS_PATH` | Path to custom scripts executed at startup | `/assets/custom-scripts` |\n| `CONTAINER_ENABLE_PROCESS_COUNTER` | Display the execution count of a process in logs | `TRUE` |\n| `CONTAINER_LOG_LEVEL` | Log level (`INFO`, `WARN`, `NOTICE`, `DEBUG`) | `NOTICE` |\n| `CONTAINER_LOG_PREFIX_TIME_FMT` | Format for log timestamps (time) | `%H:%M:%S` |\n| `CONTAINER_LOG_PREFIX_DATE_FMT` | Format for log timestamps (date) | `%Y-%m-%d` |\n| `CONTAINER_LOG_PREFIX_SEPERATOR` | Separator for timestamp components | `-` |\n| `CONTAINER_LOG_FILE_LEVEL` | Log level for internal container logs | `DEBUG` |\n| `CONTAINER_LOG_FILE_NAME` | File name for container logs | `/var/log/container/container.log` |\n| `CONTAINER_LOG_FILE_PATH` | Path for container logs | `/var/log/container/` |\n| `CONTAINER_LOG_PREFIX_TIME_FMT` | Format for log timestamps (time) | `%H:%M:%S` |\n| `CONTAINER_LOG_PREFIX_DATE_FMT` | Format for log timestamps (date) | `%Y-%m-%d` |\n| `CONTAINER_LOG_PREFIX_SEPARATOR` | Separator for timestamp components | `-` |\n| `CONTAINER_NAME` | Custom container name for monitoring and log shipping | (hostname) |\n| `CONTAINER_POST_INIT_COMMAND` | Commands to run after all services have initialized (comma-separated) | |\n| `CONTAINER_POST_INIT_SCRIPT` | Scripts to execute after all services have initialized (comma-separated paths) | |\n| `TIMEZONE` | Set container timezone | `Etc/GMT` |\n\n**Example Usage:**\nTo set a post-initialization script:\n```bash\ndocker run -e CONTAINER_POST_INIT_SCRIPT=\"/assets/scripts/init.sh\" my-container\n```\n\n#### Scheduling Options\n\nThis image allows you to execute scheduled tasks at specified times using [cron syntax](https://cron.help/). Currently, the image supports **BusyBox cron** but can be extended to other scheduling backends with minimal effort.\n\n| **Parameter** | **Description** | **Default** |\n|----------------------------------|---------------------------------------|--------------------|\n| `CONTAINER_ENABLE_SCHEDULING` | Enable scheduled tasks | `TRUE` |\n| `CONTAINER_SCHEDULING_BACKEND` | Scheduling tool to use (`cron`) | `cron` |\n| `CONTAINER_SCHEDULING_LOCATION` | Directory for cron task files | `/assets/cron/` |\n| `SCHEDULING_LOG_TYPE` | Log type (`FILE`) | `FILE` |\n| `SCHEDULING_LOG_LOCATION` | Log file location | `/var/log/cron/` |\n| `SCHEDULING_LOG_LEVEL` | Log level (`1` = loud to `8` = quiet) | `6` |\n\n**Note:** Only BusyBox cron is supported by default. To use other scheduling backends, you may need additional configuration.\n\n##### Cron Options\n\nYou can define cron jobs in two ways:\n1. Drop files into `/assets/cron/`. These will be parsed when the container starts.\n2. Use environment variables prefixed with `CRON_`.\n\n| **Parameter** | **Description** | **Default** |\n|---------------|-----------------------------------------------------------------------|-------------|\n| `CRON_*` | Name of the job, followed by the cron schedule and command to execute | `` |\n\n**Example Usage:**\n```bash\n# Add a cron job to run every minute\nCRON_HELLO=\"* * * * * echo 'hello' \u003e /tmp/hello.log\"\n```\n\n**Disabling Cron Jobs:**\nIf a cron job is baked into the parent Docker image, you can override it by:\n- Replacing it with your own value.\n- Disabling it entirely by setting its value to `FALSE`.\n\nExample:\n```bash\nCRON_HELLO=FALSE\n```\n\n#### Messaging Options\n\nTo enable email messaging capabilities, set `CONTAINER_ENABLE_MESSAGING=TRUE` and configure the following environment variables. Currently, only the `msmtp` backend is supported, but others can be added easily.\n\n| **Parameter** | **Description** | **Default** |\n|-------------------------------|------------------------------------------|-------------|\n| `CONTAINER_ENABLE_MESSAGING` | Enable messaging services like SMTP | `TRUE` |\n| `CONTAINER_MESSAGING_BACKEND` | Messaging backend to use (e.g., `msmtp`) | `msmtp` |\n\n##### SMTP Configuration\n\nTo configure `msmtp` for sending emails, set the required SMTP parameters in your environment. Refer to the [MSMTP Configuration Options](https://marlam.de/msmtp/msmtp.html) for detailed documentation.\n\n| **Parameter** | **Description** | **Default** | **`_FILE`** |\n|----------------------------|---------------------------------------------------------------------------------|-----------------|-------------|\n| `SMTP_AUTO_FROM` | Automatically set the sender based on the email address (useful for Gmail SMTP) | `FALSE` | |\n| `SMTP_HOST` | Hostname of the SMTP server | `postfix-relay` | x |\n| `SMTP_PORT` | Port number of the SMTP server | `25` | x |\n| `SMTP_DOMAIN` | HELO/EHLO domain to identify the client | `docker` | |\n| `SMTP_MAILDOMAIN` | Domain to use in the `From` field | `local` | |\n| `SMTP_AUTHENTICATION` | Authentication type (`none`, `plain`, `login`, or `cram-md5`) | `none` | |\n| `SMTP_USER` | Username for SMTP authentication | `` | x |\n| `SMTP_PASS` | Password for SMTP authentication | `` | x |\n| `SMTP_TLS` | Enable TLS encryption (`TRUE` or `FALSE`) | `FALSE` | |\n| `SMTP_STARTTLS` | Enable STARTTLS within the session (`TRUE` or `FALSE`) | `FALSE` | |\n| `SMTP_TLSCERTCHECK` | Verify the remote certificate when using TLS | `FALSE` | |\n| `SMTP_ALLOW_FROM_OVERRIDE` | Allow overriding the `From` address manually | `` | |\n\n**Example Usage:**\nTo configure SMTP with TLS:\n```bash\ndocker run \\\n -e SMTP_HOST=smtp.gmail.com \\\n -e SMTP_PORT=587 \\\n -e SMTP_USER=myemail@gmail.com \\\n -e SMTP_PASS=mysecurepassword \\\n -e SMTP_TLS=TRUE \\\n -e SMTP_STARTTLS=TRUE \\\n my-container\n```\n\n**Example with Plain Authentication:**\nFor servers not requiring TLS or STARTTLS:\n```bash\ndocker run \\\n -e SMTP_HOST=mail.example.com \\\n -e SMTP_PORT=25 \\\n -e SMTP_AUTHENTICATION=plain \\\n -e SMTP_USER=myuser \\\n -e SMTP_PASS=myplainpassword \\\n my-container\n```\n\n**Security Recommendations:**\n- Always use `_FILE` variables (e.g., `SMTP_USER_FILE`, `SMTP_PASS_FILE`) to store sensitive information in files rather than passing them directly as environment variables.\n- Example for using `_FILE` variables:\n```bash\ndocker run \\\n -e SMTP_USER_FILE=/run/secrets/smtp_user \\\n -e SMTP_PASS_FILE=/run/secrets/smtp_pass \\\n my-container\n```\n\n**Additional Notes:**\n- For Gmail SMTP, ensure `SMTP_AUTO_FROM=TRUE` and the email address matches the sender domain.\n- For advanced configuration and troubleshooting, see the [MSMTP Configuration Options](https://marlam.de/msmtp/msmtp.html).\n- To integrate with Zabbix, refer to the [Official Zabbix Agent Documentation](https://www.zabbix.com/documentation/5.4/manual/appendix/config/zabbix_agentd).\n\n#### Monitoring Options\n\nThis image includes agents for monitoring application metrics. Currently, it supports Zabbix as the monitoring platform, with the potential for future integration with other platforms.\n\n| **Parameter** | **Description** | **Default** |\n|--------------------------------|----------------------------------------------|-------------|\n| `CONTAINER_ENABLE_MONITORING` | Enable monitoring of applications or metrics | `TRUE` |\n| `CONTAINER_MONITORING_BACKEND` | Monitoring agent to use (`zabbix`) | `zabbix` |\n\n##### Zabbix Options\n\nThis image supports both Zabbix Agent 1 (Classic, C-compiled) and Zabbix Agent 2 (Modern, Go-compiled). You can configure the agents using environment variables or by placing custom files in `/etc/zabbix/zabbix_agentd.conf.d`.\n\nTo switch to manual configuration, set `ZABBIX_SETUP_TYPE=MANUAL`.\n\n| **Parameter** | **Description** | **Default** | 1 | 2 | `_FILE` |\n|--------------------------------------|-----------------------------------------------------------------------------------|--------------------------|-----|-----|---------|\n| `ZABBIX_SETUP_TYPE` | Configuration mode: `AUTO` or `MANUAL` | `AUTO` | x | x | |\n| `ZABBIX_AGENT_TYPE` | Version of Zabbix Agent to use (`1` or `2`) | `1` | N/A | N/A | |\n| `ZABBIX_AGENT_LOG_PATH` | Directory for Zabbix agent log files | `/var/log/zabbix/agent/` | x | x | |\n| `ZABBIX_AGENT_LOG_FILE` | Name of the log file for the agent | `zabbix_agentd.log` | x | x | |\n| `ZABBIX_CERT_PATH` | Directory for storing Zabbix certificates | `/etc/zabbix/certs/` | x | x | |\n| `ZABBIX_ENCRYPT_PSK_ID` | Pre-shared Key (PSK) ID for secure communication | `` | x | x | x |\n| `ZABBIX_ENCRYPT_PSK_KEY` | Pre-shared Key (PSK) for secure communication | `` | x | x | x |\n| `ZABBIX_ENCRYPT_PSK_FILE` | Path to a file containing the Pre-shared Key | `` | x | x | |\n| `ZABBIX_ENABLE_AUTOREGISTRATION` | Enable auto-registration to the Zabbix server | `TRUE` | x | x | |\n| `ZABBIX_ENABLE_AUTOREGISTRATION_DNS` | Use DNS instead of IP for auto-registration | `TRUE` | x | x | |\n| `ZABBIX_AUTOREGISTRATION_DNS_NAME` | Custom DNS name for auto-registration (default: `CONTAINER_NAME`) | `$CONTAINER_NAME` | x | x | |\n| `ZABBIX_AUTOREGISTRATION_DNS_SUFFIX` | Append a suffix to the auto-registration DNS name | `` | x | x | |\n| `ZABBIX_LOG_FILE_SIZE` | Maximum size for the agent log file | `0` | x | x | |\n| `ZABBIX_DEBUGLEVEL` | Debug level (`0` = off, `4` = maximum verbosity) | `1` | x | x | |\n| `ZABBIX_REMOTECOMMANDS_ALLOW` | Allow remote commands from the Zabbix server | `*` | x | x | |\n| `ZABBIX_REMOTECOMMANDS_DENY` | Deny remote commands | `` | x | x | |\n| `ZABBIX_REMOTECOMMANDS_LOG` | Enable logging for remote commands (`0` = off, `1` = on) | `1` | x | `` | |\n| `ZABBIX_SERVER` | IP address or hostname of the Zabbix server | `0.0.0.0/0` | x | x | |\n| `ZABBIX_STATUS_PORT` | Agent will listen to this port for status requests (http://localhost:port/status) | `10050` | `` | x | |\n| `ZABBIX_SERVER_ACTIVE` | Zabbix server for active checks | `zabbix-proxy` | x | x | x |\n| `ZABBIX_HOSTNAME` | Hostname reported to the Zabbix server | `$CONTAINER_NAME` | x | x | |\n| `ZABBIX_LISTEN_PORT` | Port for Zabbix agent to listen | `10050` | x | x | |\n| `ZABBIX_LISTEN_IP` | IP address for Zabbix agent to bind | `0.0.0.0` | x | x | |\n| `ZABBIX_START_AGENTS` | Number of agent instances to start | `1` | x | `` | |\n| `ZABBIX_REFRESH_ACTIVE_CHECKS` | Interval in seconds to refresh active checks | `120` | x | x | |\n| `ZABBIX_BUFFER_SEND` | Buffer send size in seconds | `5` | x | x | |\n| `ZABBIX_BUFFER_SIZE` | Buffer size for metrics | `100` | x | x | |\n| `ZABBIX_MAXLINES_SECOND` | Maximum lines sent per second | `20` | x | `` | |\n| `ZABBIX_SOCKET` | Path to the socket used for communication | `/tmp/zabbix.sock` | `` | x | |\n| `ZABBIX_ALLOW_ROOT` | Allow the agent to run as root | `1` | x | `` | |\n| `ZABBIX_USER` | User account to run the Zabbix agent | `zabbix` | x | x | |\n| `ZABBIX_USER_SUDO` | Allow the Zabbix user to execute commands as sudo | `TRUE` | x | x | |\n| `ZABBIX_AGENT_TIMEOUT` | Timeout in seconds for user parameter checks | `3` | x | x | |\n\n##### Example Usage\n\n**Auto-Registration with PSK:**\n```bash\ndocker run \\\n -e ZABBIX_SETUP_TYPE=AUTO \\\n -e ZABBIX_ENCRYPT_PSK_ID=my-psk-id \\\n -e ZABBIX_ENCRYPT_PSK_KEY=my-psk-key \\\n my-container\n```\n\n**Using Custom Configuration Files:**\n```bash\ndocker run \\\n -e ZABBIX_SETUP_TYPE=MANUAL \\\n -v /path/to/zabbix/config:/etc/zabbix/zabbix_agentd.conf.d \\\n my-container\n```\n\n#### Additional Notes\n\n- Auto-registration tags can be defined in configuration files using `# Autoregister=`. These tags are added to the `HostMetadata` field and can be used for host discovery.\n- Check the `[zabbix_templates](zabbix_templates/)` directory for server templates.\n\n#### Logging Options\n\nThis section is part of an ongoing effort to develop a comprehensive logging solution. Currently, the functionality allows for daily log rotation. Future enhancements will include the ability to ship logs to external data warehouses like Loki or Elasticsearch. At present, log shipping is supported only via `fluent-bit` and is limited to the `x86_64` architecture.\n\n| **Parameter** | **Description** | **Default** |\n|------------------------------------------|----------------------------------------------------------------------------------------|--------------|\n| `CONTAINER_ENABLE_LOGROTATE` | Enable log rotation (requires scheduling to be enabled). | `TRUE` |\n| `CONTAINER_ENABLE_LOGSHIPPING` | Enable log shipping to an external backend. | `FALSE` |\n| `CONTAINER_LOGSHIPPING_BACKEND` | Backend to use for log shipping. Current option: `fluent-bit`. | `fluent-bit` |\n| `LOGROTATE_COMPRESSION_TYPE` | Compression algorithm for rotated log files. Options: `NONE`, `BZIP2`, `GZIP`, `ZSTD`. | `ZSTD` |\n| `LOGROTATE_COMPRESSION_VALUE` | Compression level for the selected algorithm. | `8` |\n| `LOGROTATE_COMPRESSION_EXTRA_PARAMETERS` | Additional parameters for the compression command (optional). | |\n| `LOGROTATE_RETAIN_DAYS` | Number of days to retain rotated logs. | `7` |\n\n##### Log Shipping Parsing\n\nYou can enable log shipping by defining an environment variable. Create a variable prefixed with `LOGSHIP_` followed by a name, and set its value to the location of the log files. Setting the value to `FALSE` disables an existing configuration.\n\n##### Example Usage\n```bash\nLOGSHIP_NGINX=/var/log/nginx/*.log\n```\nThis configuration tags all log files in the specified directory as originating from `CONTAINER_NAME` and `nginx`. Note: This does not allow for custom parsing and simply ships raw log entries.\n\n##### Auto Configuration of Logrotate for Log Shipping\n\nIf `LOGSHIPPING_AUTO_CONFIG_LOGROTATE` is set to `TRUE`, you can specify which parser should be used for shipped logs. Ensure the appropriate `.conf` parser files are available in `/etc/fluent-bit/parsers.d/`.\n\nTo configure, add a line to the corresponding `logrotate.d/\u003cfile\u003e` that includes the directive:\n```bash\n# logship: \u003cparser\u003e\n```\n\n- **Multiple Parsers**: Separate parser names with commas.\n- **Exclude Logs**: Use `SKIP` to prevent a specific log file from being shipped.\n\n| **Parameter** | **Description** | **Default** |\n|-------------------------------------|------------------------------------------------------------------------------|-------------|\n| `LOGSHIPPING_AUTO_CONFIG_LOGROTATE` | Automatically configure log shipping for files listed in `/etc/logrotate.d`. | `TRUE` |\n\n#### Fluent-Bit Options\n\nBelow is the complete list of configuration parameters for Fluent-Bit. These options control various aspects of Fluent-Bit operation, including log processing, forwarding, and storage.\n\n| **Parameter** | **Description** | **Default** | **`_FILE`** |\n|---------------------------------------|---------------------------------------------------------------------------------------------------|--------------------------|-------------|\n| `FLUENTBIT_CONFIG_PARSERS` | Parsers config file name | `parsers.conf` | |\n| `FLUENTBIT_CONFIG_PLUGINS` | Plugins config file name | `plugins.conf` | |\n| `FLUENTBIT_ENABLE_HTTP_SERVER` | Embedded HTTP Server for metrics `TRUE` / `FALSE` | `TRUE` | |\n| `FLUENTBIT_ENABLE_STORAGE_METRICS` | Public storage pipeline metrics in /api/v1/storage | `TRUE` | |\n| `FLUENTBIT_FLUSH_SECONDS` | Wait time to flush records in seconds | `1` | |\n| `FLUENTBIT_FORWARD_BUFFER_CHUNK_SIZE` | Buffer Chunk Size | `32KB` | |\n| `FLUENTBIT_FORWARD_BUFFER_MAX_SIZE` | Buffer Maximum Size | `64KB` | |\n| `FLUENTBIT_FORWARD_PORT` | What port when using `PROXY` (listen) mode or `FORWARD` (client) output | `24224` | |\n| `FLUENTBIT_GRACE_SECONDS` | Wait time before exit in seconds | `1` | |\n| `FLUENTBIT_HTTP_LISTEN_IP` | HTTP Listen IP | `0.0.0.0` | |\n| `FLUENTBIT_HTTP_LISTEN_PORT` | HTTP Listening Port | `2020` | |\n| `FLUENTBIT_LOG_FILE` | Log File | `fluentbit.log` | |\n| `FLUENTBIT_LOG_LEVEL` | Log Level `info` `warn` `error` `debug` `trace` | `info` | |\n| `FLUENTBIT_LOG_PATH` | Log Path | `/var/log/fluentbit/` | |\n| `FLUENTBIT_MODE` | Type of operation - Client `NORMAL` or Proxy `PROXY` | `NORMAL` | |\n| `FLUENTBIT_OUTPUT_FORWARD_HOST` | Where to forward Fluent-Bit data to | `fluent-proxy` | x |\n| `FLUENTBIT_OUTPUT_FORWARD_TLS_VERIFY` | Verify certificates when using TLS | `FALSE` | |\n| `FLUENTBIT_OUTPUT_FORWARD_TLS` | Enable TLS when forwarding | `FALSE` | |\n| `FLUENTBIT_OUTPUT_LOKI_COMPRESS_GZIP` | Enable GZIP compression when sending to loki host | `TRUE` | |\n| `FLUENTBIT_OUTPUT_LOKI_HOST` | Host for Loki Output | `loki` | x |\n| `FLUENTBIT_OUTPUT_LOKI_PORT` | Port for Loki Output | `3100` | x |\n| `FLUENTBIT_OUTPUT_LOKI_TLS` | Enable TLS For Loki Output | `FALSE` | |\n| `FLUENTBIT_OUTPUT_LOKI_TLS_VERIFY` | Enable TLS Certificate Verification For Loki Output | `FALSE` | |\n| `FLUENTBIT_OUTPUT_LOKI_USER` | (optional) Username to authenticate to Loki Server | `` | x |\n| `FLUENTBIT_OUTPUT_LOKI_PASS` | (optional) Password to authenticate to Loki Server | `` | x |\n| `FLUENTBIT_OUTPUT_TENANT_ID` | (optional) Tenant ID to pass to Loki Server | `` | x |\n| `FLUENTBIT_OUTPUT` | Output plugin to use `LOKI` , `FORWARD`, `NULL` | `FORWARD` | |\n| `FLUENTBIT_TAIL_BUFFER_CHUNK_SIZE` | Buffer Chunk Size for Tail | `32k` | |\n| `FLUENTBIT_TAIL_BUFFER_MAX_SIZE` | Maximum size for Tail | `32k` | |\n| `FLUENTBIT_TAIL_READ_FROM_HEAD` | Read from Head instead of Tail | `FALSE` | |\n| `FLUENTBIT_TAIL_SKIP_EMPTY_LINES` | Skip Empty Lines when Tailing | `TRUE` | |\n| `FLUENTBIT_TAIL_SKIP_LONG_LINES` | Skip Long Lines when Tailing | `TRUE` | |\n| `FLUENTBIT_TAIL_DB_ENABLE` | Enable Offset DB per tracked file (will be same name as log file yet hidden and a suffix of `db`) | `TRUE` | |\n| `FLUENTBIT_TAIL_DB_SYNC` | DB Sync Type `normal` or `full` | `normal` | |\n| `FLUENTBIT_TAIL_DB_LOCK` | Lock access to DB File | `TRUE` | |\n| `FLUENTBIT_TAIL_DB_JOURNAL_MODE` | Journal Mode for DB `WAL` `DELETE` `TRUNCATE` `PERSIST` `MEMORY` `OFF` | `WAL` | |\n| `FLUENTBIT_TAIL_KEY_PATH_ENABLE` | Enable sending Key for Log Filename/Path | `TRUE` | |\n| `FLUENTBIT_TAIL_KEY_PATH` | Path Key Name | `filename` | |\n| `FLUENTBIT_TAIL_KEY_OFFSET_ENABLE` | Enable sending Key for Offset in Log file | `FALSE` | |\n| `FLUENTBIT_TAIL_KEY_OFFSET` | Offset Path Key Name | `offset` | |\n| `FLUENTBIT_SETUP_TYPE` | Automatically generate configuration based on these variables `AUTO` or `MANUAL` | `AUTO` | |\n| `FLUENTBIT_STORAGE_BACKLOG_LIMIT` | Maximum amount of memory to use for backlogged/unsent records | `5M` | |\n| `FLUENTBIT_STORAGE_CHECKSUM` | Create CRC32 checksum for filesystem RW functions | `FALSE` | |\n| `FLUENTBIT_STORAGE_PATH` | Absolute file system path to store filesystem data buffers | `/tmp/fluentbit/storage` | |\n| `FLUENTBIT_STORAGE_SYNC` | Synchronization mode to store data in filesystem `normal` or `full` | `normal` | |\n\n#### Firewall Options\n\nWhen the appropriate capabilities are set for the container, it can apply detailed block/allow rules through a firewall at startup. Currently, only `iptables` is supported.\n\nTo enable this functionality, ensure that your container is run with the following capabilities added: \n`NET_ADMIN`, `NET_RAW`\n\n| **Parameter** | **Description** | **Default** |\n|------------------------------|------------------------------------------------|-------------|\n| `CONTAINER_ENABLE_FIREWALL` | Enable firewall functionality | `FALSE` |\n| `CONTAINER_FIREWALL_BACKEND` | Firewall backend to use (currently `iptables`) | `iptables` |\n| `FIREWALL_RULE_00` | First firewall rule to execute | |\n| `FIREWALL_RULE_01` | Second firewall rule to execute | |\n\nYou can define firewall rules using `FIREWALL_RULE_XX` environment variables. Below is an example of how to block access to a port for all except a specific IP address:\n\n```bash\nFIREWALL_RULE_00=-I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 389 -j ACCEPT\nFIREWALL_RULE_01=-I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 389 -j DROP\n```\n\n##### Host Override Options\n\nIn some cases, you may need to modify the container's host file by adding custom entries. This is achievable using the following parameter:\n\n| **Parameter** | **Description** | **Default** |\n|------------------------------|-----------------------------|-------------|\n| `CONTAINER_HOST_OVERRIDE_01` | Create a manual hosts entry | |\n\n##### Example:\nThe value should follow the format: \n`\u003cdestination\u003e override1 override2`\n\nExamples:\n- `1.2.3.4 example.org example.com` \n (Maps `example.org` and `example.com` to IP `1.2.3.4`)\n- `proxy example.com example.org` \n (If no IP is provided, the system will resolve the domain to an IP address.)\n\n##### IPTables Options\n\nIf you prefer to define a ruleset file instead of using environment variables for individual rules, you can provide an `iptables-restore` compatible ruleset. This ruleset will be applied during container startup.\n\n| **Parameter** | **Description** | **Default** |\n|-----------------------|------------------------------------------------------------------|---------------------|\n| `IPTABLES_RULES_PATH` | Path to the IPTables rules directory | `/assets/iptables/` |\n| `IPTABLES_RULES_FILE` | IPTables rules file to restore if it exists at container startup | `iptables.rules` |\n\n##### Example Ruleset:\nSave the ruleset in a file (e.g., `iptables.rules`) in the specified directory. The file should follow the `iptables-restore` format.\n\n##### Fail2Ban Options\n\nThe container supports Fail2Ban if `CONTAINER_ENABLE_FIREWALL=TRUE` is enabled. Fail2Ban monitors log files for suspicious patterns and blocks remote hosts attempting unauthorized connections for a configurable period.\n\nYou can add custom jail configurations as `.conf` files in `/etc/fail2ban/jail.d/` and custom filters in `/etc/fail2ban/filter.d`. These configurations will be parsed during container startup. Use the startup delay environment variable (`FAIL2BAN_STARTUP_DELAY`) to prevent Fail2Ban from failing when logs are unavailable during a fresh installation.\n\n| **Parameter** | **Description** | **Default** |\n|-----------------------------|-----------------------------------------------------------------------------------|------------------------------------------------|\n| `CONTAINER_ENABLE_FAIL2BAN` | Enable Fail2Ban functionality. Requires `CONTAINER_ENABLE_FIREWALL=TRUE`. | `FALSE` |\n| `FAIL2BAN_BACKEND` | Backend for Fail2Ban operation. | `AUTO` |\n| `FAIL2BAN_CONFIG_PATH` | Path for Fail2Ban configuration files. | `/etc/fail2ban/` |\n| `FAIL2BAN_DB_FILE` | Name of the persistent Fail2Ban database file. | `fail2ban.sqlite3` |\n| `FAIL2BAN_DB_PATH` | Path for storing the persistent Fail2Ban database file. | `/data/fail2ban/` |\n| `FAIL2BAN_DB_PURGE_AGE` | Purge database entries after the specified time (in seconds). | `86400` (1 day) |\n| `FAIL2BAN_DB_TYPE` | Type of database to use: `NONE`, `MEMORY`, or `FILE`. | `MEMORY` |\n| `FAIL2BAN_IGNORE_IP` | Space-separated list of IPs or ranges to ignore. | `127.0.0.1/8 ::1 172.16.0.0/12 192.168.0.0/24` |\n| `FAIL2BAN_IGNORE_SELF` | Ignore the container's own IP. `TRUE` or `FALSE`. | `TRUE` |\n| `FAIL2BAN_LOG_PATH` | Path for storing Fail2Ban log files. | `/var/log/fail2ban/` |\n| `FAIL2BAN_LOG_FILE` | Name of the Fail2Ban log file. | `fail2ban.log` |\n| `FAIL2BAN_LOG_LEVEL` | Log level: `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, or `DEBUG`. | `INFO` |\n| `FAIL2BAN_LOG_TYPE` | Output logs to `FILE` or `CONSOLE`. | `FILE` |\n| `FAIL2BAN_MAX_RETRY` | Maximum number of matches for a pattern within the `FAIL2BAN_TIME_FIND` window. | `5` |\n| `FAIL2BAN_STARTUP_DELAY` | Delay (in seconds) before Fail2Ban starts monitoring to allow log initialization. | `15` |\n| `FAIL2BAN_TIME_BAN` | Default ban duration for detected patterns. | `10m` |\n| `FAIL2BAN_TIME_FIND` | Time window to monitor log patterns. | `10m` |\n| `FAIL2BAN_USE_DNS` | Use DNS lookups: `yes`, `warn`, `no`, or `raw`. | `warn` |\n\n##### Examples\n\n1. **Custom Jail Configuration**:\n Create a `.conf` file in `/etc/fail2ban/jail.d/` to specify custom behavior. For instance:\n ```conf\n [nginx-auth]\n enabled = true\n filter = nginx-auth\n logpath = /var/log/nginx/access.log\n maxretry = 3\n bantime = 3600\n ```\n\n2. **Startup Delay**:\n Use `FAIL2BAN_STARTUP_DELAY` to give time for monitored logs to generate data, especially in newly deployed systems:\n ```bash\n FAIL2BAN_STARTUP_DELAY=30\n ```\n\n3. **Ignoring Specific IPs**:\n Specify trusted IP ranges that Fail2Ban should ignore:\n ```bash\n FAIL2BAN_IGNORE_IP=\"192.168.1.0/24 10.0.0.0/8\"\n ```\n\n4. **Custom Filters**:\n Add custom patterns to `/etc/fail2ban/filter.d/` to match specific log entries.\n\n#### Permissions\n\nYou can modify internal user and group IDs in the container by setting environment variables. For example, adding `USER_NGINX=1000` will change the container's `nginx` user ID from the default `82` to `1000`.\n\nIf you set `DEBUG_PERMISSIONS=TRUE`, all modified users and groups will be displayed in the output during container startup.\n\n**Tip:** Modify the Group ID (`GID`) to match your local development user's UID \u0026 GID. This prevents Docker permission issues during development.\n\n| **Parameter** | **Description** |\n|-----------------------------------|-----------------------------------------------------------------------------|\n| `CONTAINER_USER_\u003cUSERNAME\u003e` | Modifies the UID for the specified user in `/etc/passwd`. |\n| `CONTAINER_GROUP_\u003cGROUPNAME\u003e` | Modifies the GID for the specified group in `/etc/group` and `/etc/passwd`. |\n| `CONTAINER_GROUP_ADD_\u003cGROUPNAME\u003e` | Adds the username to the specified group in `/etc/group`. |\n\n#### Process Watchdog\n\nThis experimental feature enables you to call an external script whenever a process is executed. This script can be used for various scenarios, such as:\n\n- Sending alerts to a Slack channel when a process executes multiple times.\n- Disabling a process after it restarts a set number of times (e.g., 50 times).\n- Writing additional log entries.\n- Updating a webserver to display \"Under Maintenance\" if a specific process is not expected to run repeatedly.\n\n#### How It Works:\n1. When a process starts, the container looks for a bash script in `CONTAINER_PROCESS_HELPER_PATH` with the same name as the process.\n - If the script is found, it is executed with the following arguments: `DATE`, `TIME`, `SCRIPT_NAME`, `TIMES_EXECUTED`, `HOSTNAME`.\n - Example: `2021-07-01 23:01:04 04-scheduling 2 container`.\n2. If no matching script is found, the container uses the default script specified by `CONTAINER_PROCESS_HELPER_SCRIPT`.\n\n#### Example:\nFor a process named `04-scheduling`, the container will look for a script at `$CONTAINER_PROCESS_HELPER_PATH/04-scheduling`. The script can use arguments as follows:\n```bash\n#!/bin/bash\necho \"Process $3 executed $4 times on host $5 at $1 $2\"\n```\n\n| **Parameter** | **Description** | **Default** |\n|-----------------------------------------------|----------------------------------------------------------------------------|------------------------------------|\n| `CONTAINER_PROCESS_HELPER_PATH` | Path for storing external helper scripts. | `/assets/container/processhelper/` |\n| `CONTAINER_PROCESS_HELPER_SCRIPT` | Default helper script name if no specific script is found. | `processhelper.sh` |\n| `CONTAINER_PROCESS_HELPER_DATE_FMT` | Date format passed to the external script. | `%Y-%m-%d` |\n| `CONTAINER_PROCESS_HELPER_TIME_FMT` | Time format passed to the external script. | `%H:%M:%S` |\n| `CONTAINER_PROCESS_RUNAWAY_PROTECTOR` | Enables protection against runaway processes. | `TRUE` |\n| `CONTAINER_PROCESS_RUNAWAY_DELAY` | Delay (in seconds) before restarting a process. | `1` |\n| `CONTAINER_PROCESS_RUNAWAY_LIMIT` | Maximum number of restarts before the process is disabled. | `50` |\n| `CONTAINER_PROCESS_RUNAWAY_SHOW_OUTPUT_FINAL` | Displays the program's output during the final execution before disabling. | `TRUE` |\n\n#### Networking\n\nThe container exposes the following ports for communication:\n\n| **Port** | **Description** |\n|----------|-----------------|\n| `2020` | Fluent Bit |\n| `10050` | Zabbix Agent |\n\n---\n\n## Developing / Overriding\n\nThis base image has been successfully used to build secondary images in over a hundred projects. While the approach deviates from the \"one process per container\" rule, it allows for rapid image development. For more complex scalability, the work can be split into individual containers. Below is a crash course on how this image works: *(Work in Progress)*\n\n1. **Defaults**: Place defaults in `/assets/defaults/(script name)`.\n2. **Functions**: Place reusable functions in `/assets/functions/(script name)`.\n3. **Initialization Scripts**: Place initialization scripts in `/etc/cont-init.d/(script name)`.\n - Use these scripts to prepare the container environment.\n4. **Service Scripts**: Place service scripts in `/etc/services.available/(script name)`.\n - These scripts manage individual service start-ups.\n\n### Initialization Script Example\n\nPlace the following script in `/etc/cont-init.d/(script name)`:\n\n```bash\n#!/command/with-contenv bash # Import container environment variables\nsource /assets/functions/00-container # Import custom container functions\nprepare_service single # Load functions and defaults matching the script filename\nPROCESS_NAME=\"process\" # Prefix for logging\n\n# Custom scripting starts here\nprint_info \"This is an INFO log\"\nprint_warn \"This is a WARN log\"\nprint_error \"This is an ERROR log\"\n\nliftoff # Write state files to prove execution (checks /tmp/.container/ files)\n```\n\n### Service Script Example\n\nPlace the following script in `/etc/services.available/(script name)`:\n\n```bash\n#!/command/with-contenv bash # Import container environment variables\nsource /assets/functions/00-container # Import custom container functions\nprepare_service defaults single # Load defaults matching the script filename\nPROCESS_NAME=\"process\" # Prefix for logging\n\ncheck_container_initialized # Verify the container is properly initialized\ncheck_service_initialized init # Wait until the `cont-init.d/(script name)` script completes\nliftoff # Ensure the script executed successfully\n\nprint_start \"Starting processname\" # Log process start with a counter if enabled\nfakeprocess (args) # Replace `fakeprocess` with your actual process and arguments\n```\n\n| **Parameter** | **Description** | **Default** |\n|-------------------------------|--------------------------------------------------------------|-------------|\n| `CONTAINER_SKIP_SANITY_CHECK` | Skip verification of script execution in `/etc/cont-init.d`. | `FALSE` |\n| `DEBUG_MODE` | Enable debug mode to show all script output (`set -x`). | `FALSE` |\n| `PROCESS_NAME` | Prefix for logging messages in scripts. | `container` |\n\n#### Improvements Made\n\n1. **Clarity**:\n - Added detailed explanations for each directory and its purpose.\n - Simplified technical descriptions for easier comprehension.\n\n2. **Examples**:\n - Provided structured and clear examples for initialization and service scripts.\n - Demonstrated where and how specific functions and parameters are used.\n\n3. **Consistency**:\n - Unified formatting for commands, script examples, and explanations.\n - Used consistent terminology for processes and parameters.\n\n4. **Table Optimization**:\n - Streamlined the parameter descriptions for clarity and conciseness.\n\n---\n\n## Debug Mode\n\nWhen using this base image, you can enable debug functionality by setting the environment variable `DEBUG_MODE=TRUE`. This allows your applications and scripts to output more detailed logs and enables debugging features where applicable.\n\nWhen `DEBUG_MODE=TRUE` is enabled, this base image provides the following functionality:\n\n1. **Verbose Logging for Zabbix Agent**:\n - Configures the Zabbix Agent to produce detailed log output, helping you troubleshoot issues more effectively.\n\n2. **Script Debugging**:\n - Shows all script output by enabling debug tracing (`set -x` equivalent), allowing you to see each command as it is executed.\n\n### Implementation Example\n\nIn your custom startup script, you can add conditions to check for `DEBUG_MODE=TRUE` and enable application-specific debugging modes:\n\n```bash\nif [ \"${DEBUG_MODE}\" = \"TRUE\" ]; then\n echo \"Debug mode is enabled\"\n # Example: Enable verbose logging in your application\n export APP_LOG_LEVEL=debug\n export APP_ENABLE_VERBOSE=true\nfi\n```\n\n### Best Practices\n\n1. **Use Debug Mode for Development**:\n - Enable `DEBUG_MODE=TRUE` only during development or troubleshooting to avoid excessive logging in production environments.\n\n2. **Combine with Application Debug Flags**:\n - Ensure your custom applications or processes respect the `DEBUG_MODE` flag to enable consistent debugging across your container.\n\n3. **Monitor Logs**:\n - Regularly monitor and review the verbose output to identify issues and fine-tune your configuration.\n\n### Improvements Made\n\n1. **Clarity**:\n - Enhanced the explanation of `DEBUG_MODE` functionality.\n - Added examples for better understanding of implementation.\n\n2. **Structure**:\n - Organized content into key features, examples, and best practices for readability.\n\n3. **Professional Tone**:\n - Improved phrasing for a more professional and user-friendly tone.\n\n---\n\n## Support\n\nThese images were originally built to address specific needs in a production environment and have been enhanced over time based on community feedback.\n\n### Usage\n\n- The [Discussions board](../../discussions) is an excellent place to collaborate with the community, share tips, and learn tricks for using this image effectively.\n- For personalized support, consider [sponsoring me](https://focela.com/sponsor).\n\n### Bug Fixes\n\n- If you encounter an issue or something is not working as expected, please submit a [Bug Report](issues/new). \n I’ll prioritize the fix and aim to resolve it as quickly as possible.\n\n### Feature Requests\n\n- You are welcome to submit feature requests to improve the functionality of this image. \n However, please note that there is no guarantee of implementation or a specific timeline for delivery.\n- For priority feature development, you can [sponsor me](https://focela.com/sponsor).\n\n### Updates\n\n- I make every effort to track upstream changes and update the image as needed, especially if I actively use it in a production environment.\n- For guaranteed up-to-date releases, consider [sponsoring me](https://focela.com/sponsor).\n\n---\n\n## License\n\nThis image is licensed under the MIT License. See [LICENSE](LICENSE) for full details.\n","funding_links":["https://www.paypal.me/focela","https://github.com/sponsors/focela"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffocela%2Falpine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffocela%2Falpine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffocela%2Falpine/lists"}