Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tiredofit/docker-debian
Docker Debian Base Images
https://github.com/tiredofit/docker-debian
debian docker s6-overlay zabbix-agent
Last synced: about 6 hours ago
JSON representation
Docker Debian Base Images
- Host: GitHub
- URL: https://github.com/tiredofit/docker-debian
- Owner: tiredofit
- License: mit
- Created: 2017-08-22T17:20:05.000Z (about 7 years ago)
- Default Branch: main
- Last Pushed: 2024-09-16T21:35:02.000Z (about 2 months ago)
- Last Synced: 2024-09-17T02:47:31.535Z (about 2 months ago)
- Topics: debian, docker, s6-overlay, zabbix-agent
- Language: Dockerfile
- Size: 710 KB
- Stars: 17
- Watchers: 6
- Forks: 6
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
README
# github.com/tiredofit/docker-
[](https://github.com/tiredofit/docker-debian/releases/latest)
[](https://github.com/tiredofit/docker-debian/actions)
[](https://hub.docker.com/r/tiredofit/debian/)
[](https://hub.docker.com/r/tiredofit/debian/)
[](https://github.com/sponsors/tiredofit)
[](https://www.paypal.me/tiredofit)
* * *
## About
Dockerfile to build a [Debian](https://www.debian.org/) linux container image.
* Currently tracking buster, and bullseye.
* [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 init capabilities.
* [zabbix-agent](https://zabbix.org) (Classic and Modern) for individual container monitoring.
* Scheduling via cron with other helpful tools (bash, curl, less, logrotate, nano) for easier management.
* Messaging ability via MSMTP enabled to send mail from container to external SMTP server.
* Firewall included with capabilities of monitoring logs to block remote hosts via [Fail2ban](https://github.com/fail2ban/fail2ban)
* Logshipping capabilities to remote log analysis servers via [Fluent-Bit](https://github.com/fluent/fluent-bit)
* Ability to update User ID and Group ID permissions dynamically.
## Maintainer
- [Dave Conroy](https://github/tiredofit)
## Table of Contents
- [About](#about)
- [Maintainer](#maintainer)
- [Table of Contents](#table-of-contents)
- [Prerequisites and Assumptions](#prerequisites-and-assumptions)
- [Installation](#installation)
- [Build from Source](#build-from-source)
- [Prebuilt Images](#prebuilt-images)
- [Multi Architecture](#multi-architecture)
- [Configuration](#configuration)
- [Quick Start](#quick-start)
- [Persistent Storage](#persistent-storage)
- [Environment Variables](#environment-variables)
- [Container Options](#container-options)
- [Scheduling Options](#scheduling-options)
- [Cron Options](#cron-options)
- [Messaging Options](#messaging-options)
- [MSMTP Options](#msmtp-options)
- [Monitoring Options](#monitoring-options)
- [Zabbix Options](#zabbix-options)
- [Logging Options](#logging-options)
- [Log Shipping Parsing](#log-shipping-parsing)
- [Fluent-Bit Options](#fluent-bit-options)
- [Firewall Options|](#firewall-options)
- [Host Override Options](#host-override-options)
- [IPTables Options](#iptables-options)
- [Fail2Ban Options](#fail2ban-options)
- [Permissions](#permissions)
- [Process Watchdog](#process-watchdog)
- [Networking](#networking)
- [Developing / Overriding](#developing--overriding)
- [Debug Mode](#debug-mode)
- [Maintenance](#maintenance)
- [Shell Access](#shell-access)
- [Support](#support)
- [Usage](#usage)
- [Bugfixes](#bugfixes)
- [Feature Requests](#feature-requests)
- [Updates](#updates)
- [License](#license)
## Prerequisites and Assumptions
No prerequisites required
## Installation
### Build from Source
Clone this repository and build the image with `docker build (imagename) .`
### Prebuilt Images
Builds of the image are available on [Docker Hub](https://hub.docker.com/r/tiredofit/debian)
```bash
docker pull docker.io/tiredofit/debian:(imagetag)
```
Builds of the image are also available on the [Github Container Registry](https://github.com/tiredofit/docker-debian/pkgs/container/docker-debian)
```
docker pull ghcr.io/tiredofit/docker-debian:(imagetag)
```
The following image tags are available along with their tagged release based on what's written in the [Changelog](CHANGELOG.md):
| Debian version | Tag |
| -------------- | ----------- |
| `bullseye` | `:bullseye` |
| `buster` | `:buster` |
#### Multi Architecture
Images are built primarily for `amd64` architecture, and may also include builds for `arm/v7`, `arm64` and others. These variants are all unsupported. Consider [sponsoring](https://github.com/sponsors/tiredofit) my work so that I can work with various hardware. To see if this image supports multiple architecures, type `docker manifest (image):(tag)`
## Configuration
### Quick Start
Utilize this image as a base for further builds. Please visit the [s6 overlay repository](https://github.com/just-containers/s6-overlay) for
instructions on how to enable the S6 init system when using this base or look at some of my other images
which use this as a base.
### Persistent Storage
The following directories are used for configuration and can be mapped for persistent storage.
| Directory | Description |
| ----------------------------------- | ----------------------------------------- |
| `/etc/fluent-bit/conf.d/` | Fluent-Bit custom configuration directory |
| `/etc/fluent-bit/parsers.d/` | Fluent-Bit custom parsers directory |
| `/etc/zabbix/zabbix_agentd.conf.d/` | Zabbix Agent configuration directory |
| `/etc/fail2ban/filter.d` | Custom Fail2ban Filter configuration |
| `/etc/fail2ban/jail.d` | Custom Fail2ban Jail configuration |
| `/var/log` | Container, Cron, Zabbix, other log files |
| `/assets/cron` | Drop custom crontabs here |
| `/assets/iptables` | Drop custom IPTables rules here |
### Environment Variables
Below is the complete list of available options that can be used to customize your installation.
Variables showing an 'x' under the `_FILE` column can be used for storing the information inside of a file, useful for secrets.
#### Container Options
| Parameter | Description | Default |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
| `CONAINER_ENABLE_LOG_TIMESTAMP` | Prefix this images container logs with timestamp | `TRUE` |
| `CONTAINER_COLORIZE_OUTPUT` | Enable/Disable colorized console output | `TRUE` |
| `CONTAINER_CUSTOM_BASH_PROMPT` | If you wish to set a different bash prompt then '(imagename):(version) HH:MM:SS # ' | |
| `CONTAINER_CUSTOM_PATH` | Used for adding custom files into the image upon startup | `/assets/custom` |
| `CONTAINER_CUSTOM_SCRIPTS_PATH` | Used for adding custom scripts to execute upon startup | `/assets/custom-scripts` |
| `CONTAINER_ENABLE_PROCESS_COUNTER` | Show how many times process has executed in console log | `TRUE` |
| `CONTAINER_LOG_LEVEL` | Control level of output of container `INFO`, `WARN`, `NOTICE`, `DEBUG` | `NOTICE` |
| `CONTAINER_LOG_PREFIX_TIME_FMT` | Timestamp Time Format | `%H:%M:%S` |
| `CONTAINER_LOG_PREFIX_DATE_FMT` | Timestamp Date Format | `%Y-%m-%d` |
| `CONTAINER_LOG_PREFIX_SEPERATOR` | Timestamp seperator | `-` |
| `CONTAINER_LOG_FILE_LEVEL` | Control level of output of container `INFO`, `WARN`, `NOTICE`, `DEBUG` | `DEBUG` |
| `CONTAINER_LOG_FILE_NAME` | Internal Container Logs filename | `/var/log/container/container.log` |
| `CONTAINER_LOG_FILE_PATH` | Path where to find the internal container logs | `/var/log/container/` |
| `CONTAINER_LOG_FILE_PREFIX_TIME_FMT` | Timestamp Time Format | `%H:%M:%S` |
| `CONTAINER_LOG_FILE_PREFIX_DATE_FMT` | Timestamp Date Format | `%Y-%m-%d` |
| `CONTAINER_LOG_FILE_PREFIX_SEPERATOR` | Timestamp seperator | `-` |
| `CONTAINER_NAME` | Used for setting entries in Monnitoring and Log Shipping | (hostname) |
| `CONTAINER_POST_INIT_COMMAND` | If you wish to execute a command in the container after all services have initialized enter it here. Seperate multiple by commas | |
| `CONTAINER_POST_INIT_SCRIPT` | If you wish to execute a script in the container after all services have initialized enter the path here. Seperate multiple by commas | |
| `TIMEZONE` | Set Timezone | `Etc/GMT` |
#### Scheduling Options
The image has capability of executing tasks at differnt times of the day. It follows the [cron syntax](https://cron.help/). Presently this image only supports the busybox cron however can be extended to other scheduling backends with little effort.
| Parameter | Description | Default |
| ------------------------------- | ----------------------------------- | ---------------- |
| `CONTAINER_ENABLE_SCHEDULING` | Enable Scheduled Tasks | `TRUE` |
| `CONTAINR_SCHEDULING_BACKEND` | What scheduling tool to use `cron` | `cron` |
| `CONTAINER_SCHEDULING_LOCATION` | Where to read task files | `/assets/cron/` |
| `SCHEDULING_LOG_TYPE` | Log Type `FILE` | `FILE` |
| `SCHEDULING_LOG_LOCATION` | Log File Location | `/var/log/cron/` |
| `SCHEDULING_LOG_LEVEL` | Log Level `1` (loud) to `8` (quiet) | `6` |
##### Cron Options
There are two ways to add jobs to be triggered via cron. One is to drop files into `/assets/cron/` which will be parsed upon container startup, or to set environment variables.
| Parameter | Description | Default |
| --------- | ------------------------------------------------------ | ------- |
| `CRON_*` | Name of the job value of the time and output to be run | `` |
Example: `CRON_HELLO="* * * * * echo 'hello' > /tmp/hello.log`
Since you can't really disable environment variables in Docker if they are baked into parent Docker images, you can override a baked in Cron command with your own values, or to disable it entirely set the value to `FALSE` eg `CRON_HELLO=FALSE`.
#### Messaging Options
If you wish to send mail, set `CONTAINER_ENABLE_MESSAGING=TRUE` and configure the following environment variables. Presently we only support one backend, but more can be added with little effort.
| Parameter | Description | Default |
| ----------------------------- | ------------------------------------------ | ------- |
| `CONTAINER_ENABLE_MESSAGING` | Enable Messaging services like SMTP | `TRUE` |
| `CONTAINER_MESSAGING_BACKEND` | Messaging Backend - presently only `msmtp` | `msmtp` |
##### MSMTP Options
See the [MSMTP Configuration Options](https://marlam.de/msmtp/msmtp.html) for further information on options to configure MSMTP.
| Parameter | Description | Default | `_FILE` |
| -------------------------- | ------------------------------------------------- | --------------- | ------- |
| `SMTP_AUTO_FROM` | Add setting to support sending through Gmail SMTP | `FALSE` | |
| `SMTP_HOST` | Hostname of SMTP Server | `postfix-relay` | x |
| `SMTP_PORT` | Port of SMTP Server | `25` | x |
| `SMTP_DOMAIN` | HELO Domain | `docker` | |
| `SMTP_MAILDOMAIN` | Mail Domain From | `local` | |
| `SMTP_AUTHENTICATION` | SMTP Authentication | `none` | |
| `SMTP_USER` | SMTP Username | `` | x |
| `SMTP_PASS` | SMTP Password | `` | x |
| `SMTP_TLS` | Use TLS | `FALSE` | |
| `SMTP_STARTTLS` | Start TLS from within session | `FALSE` | |
| `SMTP_TLSCERTCHECK` | Check remote certificate | `FALSE` | |
| `SMTP_ALLOW_FROM_OVERRIDE` | SMTP Allow From Override | `` | |
See The [Official Zabbix Agent Documentation](https://www.zabbix.com/documentation/5.4/manual/appendix/config/zabbix_agentd)
for information about the following Zabbix values.
#### Monitoring Options
This image includes the capability of using agents inside the image to monitor metrics from applications. Presently at this time it only supports Zabbix as a monitoring platform, however is extendable to other platforms with little effort.
| Parameter | Description | Default |
| ----------------------------- | -------------------------------------------- | -------- |
| `CONTAINER_ENABLE_MONITORING` | Enable Monitoring of applications or metrics | `TRUE` |
| `CONTAINR_MONITORING_BACKEND` | What monitoring agent to use `zabbix` | `zabbix` |
##### Zabbix Options
This image comes with Zabbix Agent 1 (Classic or C compiled) and Zabbix Agent 2 (Modern, or Go compiled). See which variables work for each version and make your agent choice. Drop files in `/etc/zabbix/zabbix_agentd.conf.d` to setup your metrics. The environment variables below only affect the system end of the configuration. If you wish to use your own system configuration without these variables, change `ZABBIX_SETUP_TYPE` to `MANUAL`
| Parameter | Description | Default | 1 | 2 | `_FILE` |
| ------------------------------------ | --------------------------------------------------------------------------------------------- | ------------------------ | --- | --- | ------- |
| `ZABBIX_SETUP_TYPE` | Automatically generate configuration based on these variables `AUTO` or `MANUAL` | `AUTO` | x | x | |
| `ZABBIX_AGENT_TYPE` | Which version of Zabbix Agent to load `1` or `2` | 1 | N/A | N/A | |
| `ZABBIX_AGENT_LOG_PATH` | Log File Path | `/var/log/zabbix/agent/` | x | x | |
| `ZABBIX_AGENT_LOG_FILE` | Logfile name | `zabbix_agentd.log` | x | x | |
| `ZABBIX_CERT_PATH` | Zabbix Certificates Path | `/etc/zabbix/certs/` | x | x | |
| `ZABBIX_ENABLE_AUTOREGISTRATION` | Use internal routine for Agent autoregistration based on config files with # Autoregister tag | `TRUE` | x | x | |
| `ZABBIX_ENABLE_AUTOREGISTRATION_DNS` | Register with DNS name instead of IP Address when autoregistering | `TRUE` | x | x | |
| `ZABBIX_AUTOREGISTRATION_DNS_NAME` | (optional) DNS Name to provide for auto register. Uses `CONTAINER_NAME` as default | `$CONTAINER_NAME` | x | x | |
| `ZABBIX_AUTOREGISTRATION_DNS_SUFFIX` | If you want to append something after the generated DNS Name | `` | x | x | |
| `ZABBIX_ENCRYPT_PSK_ID` | Zabbix Encryption PSK ID | `` | x | x | x |
| `ZABBIX_ENCRYPT_PSK_KEY` | Zabbix Encryption PSK Key | `` | x | x | x |
| `ZABBIX_ENCRYPT_PSK_FILE` | Zabbix Encryption PSK File (If not using above env var) | `` | x | x | |
| `ZABBIX_LOG_FILE_SIZE` | Logfile size | `0` | x | x | |
| `ZABBIX_DEBUGLEVEL` | Debug level | `1` | x | x | |
| `ZABBIX_REMOTECOMMANDS_ALLOW` | Enable remote commands | `*` | x | x | |
| `ZABBIX_REMOTECOMMANDS_DENY` | Deny remote commands | `` | x | x | |
| `ZABBIX_REMOTECOMMANDS_LOG` | Enable remote commands Log (`0`/`1`) | `1` | x | `` | |
| `ZABBIX_SERVER` | Allow connections from Zabbix server IP | `0.0.0.0/0` | x | x | |
| `ZABBIX_STATUS_PORT` | Agent will listen to this port for status requests (http://localhost:port/status) | `10050` | `` | x | |
| `ZABBIX_LISTEN_PORT` | Zabbix Agent listening port | `10050` | x | x | |
| `ZABBIX_LISTEN_IP` | Zabbix Agent listening IP | `0.0.0.0` | x | x | |
| `ZABBIX_START_AGENTS` | How many Zabbix Agents to start | `1` | x | `` | |
| `ZABBIX_SERVER_ACTIVE` | Server for active checks | `zabbix-proxy` | x | x | x |
| `ZABBIX_HOSTNAME` | Container hostname to report to server | `$CONTAINER_NAME` | x | x | |
| `ZABBIX_REFRESH_ACTIVE_CHECKS` | Seconds to refresh Active Checks | `120` | x | x | |
| `ZABBIX_BUFFER_SEND` | Buffer Send | `5` | x | x | |
| `ZABBIX_BUFFER_SIZE` | Buffer Size | `100` | x | x | |
| `ZABBIX_MAXLINES_SECOND` | Max Lines Per Second | `20` | x | `` | |
| `ZABBIX_SOCKET` | Socket for communicating | `/tmp/zabbix.sock` | `` | x | |
| `ZABBIX_ALLOW_ROOT` | Allow running as root | `1` | x | `` | |
| `ZABBIX_USER` | User to start agent | `zabbix` | x | x | |
| `ZABBIX_USER_SUDO` | Allow Zabbix user to utilize sudo commands | `TRUE` | x | x | |
This image supports autoregistering configuration as an Active Agent to a Zabbix Proxy or a Server. It looks in `/etc/zabbix_agent.conf.d/*.conf` for the string `# Autoregister=` and takes these values and adds it to the `HostMetadata` configuration entry automatically wrapped around `:` eg `:application:` . Use it by creating an Auto register rule and search for that string. You can find server templates in this repository in the `[zabbix_templates](zabbix_templates/)` directory.
#### Logging Options
This is work in progress for a larger logging solution. Presently there is functionality to rotate logs on a daily basis, however as this section matures there will be the capability to also ship the logs to an external data warehouse like Loki, or Elastic Search. At present Log shipping is only supported by `fluent-bit` and x86_64 only.
| Parameter | Description | Default |
| ---------------------------------------- | ----------------------------------------------------------- | ------------ |
| `CONTAINER_ENABLE_LOGROTATE` | Enable Logrotate (if scheduling enabled) | `TRUE` |
| `CONTAINER_ENABLE_LOGSHIPPING` | Enable Log Shipping | `FALSE` |
| `CONTAINER_LOGSHIPPING_BACKEND` | Log shipping backend `fluent-bit` | `fluent-bit` |
| `LOGROTATE_COMPRESSION_TYPE` | Logfile compression algorithm `NONE` `BZIP2` `GZIP` `ZSTD` | `ZSTD` |
| `LOGROTATE_COMPRESSION_VALUE` | What level of compression to use | `8` |
| `LOGROTATE_COMPRESSION_EXTRA_PARAMETERS` | Pass extra parameters to the compression command (optional) | |
| `LOGROTATE_RETAIN_DAYS` | Rotate and retain logs for x days | `7` |
##### Log Shipping Parsing
You can set an environment variable to start shipping a log without any other configuration. Create a variable starting with `LOGSHIP_` with the value of the location of the log files. You can also use this to null an existing configuration by setting the value of `FALSE`.
Example: `LOGSHIP_NGINX=/var/log/nginx/*.log` will create and tag all log files from that directory as to be coming from `CONTAINER_NAME` and from `nginx`. Note, it does not allow for custom parsing, so will simply parse the log entry as is.
If `LOGSHIPPING_AUTO_CONFIG_LOGROTATE` set to true, you can define what parser the configuration file should use. Make sure you have the appropriate `.conf` parsers in `/etc/fluent-bit/parsers.d/`
Create a line in the `logrotate.d/` that looks like `# logship: `. Multiple parsers can be added by seperating via commas. Alternatively, if you wanted to skip a certain logfile from being parsed by the log shipper, use the value "SKIP".
| Parameter | Description | Default |
| ----------------------------------- | ------------------------------------------------------------------------------------ | ------- |
| `LOGSHIPPING_AUTO_CONFIG_LOGROTATE` | Automatically configure log shipping for files that are listed in `/etc/logrotate.d` | `TRUE` |
##### Fluent-Bit Options
Drop files in `/etc/fluent-bit/conf.d` to setup your inputs and outputs. The environment variables below only affect the system end of the configuration. If you wish to use your own system configuration without these variables, change `FLUENTBIT_SETUP_TYPE` to `MANUAL`. Container will attempt to automatically create configuration to send to a destination, or can also be set to act as a receiver from other fluent-bit hosts and forward data to a remote log analysis service.
| Parameter | Description | Default | `_FILE` |
| ------------------------------------- | ------------------------------------------------------------------------------------------------ | ------------------------ | ------- |
| `FLUENTBIT_CONFIG_PARSERS` | Parsers config file name | `parsers.conf` | |
| `FLUENTBIT_CONFIG_PLUGINS` | Plugins config file name | `plugins.conf` | |
| `FLUENTBIT_ENABLE_HTTP_SERVER` | Embedded HTTP Server for metrics `TRUE` / `FALSE` | `TRUE` | |
| `FLUENTBIT_ENABLE_STORAGE_METRICS` | Public storage pipeline metrics in /api/v1/storage | `TRUE` | |
| `FLUENTBIT_FLUSH_SECONDS` | Wait time to flush records in seconds | `1` | |
| `FLUENTBIT_FORWARD_BUFFER_CHUNK_SIZE` | Buffer Chunk Size | `32KB` | |
| `FLUENTBIT_FORWARD_BUFFER_MAX_SIZE` | Buffer Maximum Size | `64KB` | |
| `FLUENTBIT_FORWARD_PORT` | What port when using `PROXY` (listen) mode or `FORWARD` (client) output | `24224` | |
| `FLUENTBIT_GRACE_SECONDS` | Wait time before exit in seconds | `1` | |
| `FLUENTBIT_HTTP_LISTEN_IP` | HTTP Listen IP | `0.0.0.0` | |
| `FLUENTBIT_HTTP_LISTEN_PORT` | HTTP Listening Port | `2020` | |
| `FLUENTBIT_LOG_FILE` | Log File | `fluentbit.log` | |
| `FLUENTBIT_LOG_LEVEL` | Log Level `info` `warn` `error` `debug` `trace` | `info` | |
| `FLUENTBIT_LOG_PATH` | Log Path | `/var/log/fluentbit/` | |
| `FLUENTBIT_MODE` | Type of operation - Client `NORMAL` or Proxy `PROXY` | `NORMAL` | |
| `FLUENTBIT_OUTPUT_FORWARD_HOST` | Where to forward Fluent-Bit data to | `fluent-proxy` | x |
| `FLUENTBIT_OUTPUT_FORWARD_TLS_VERIFY` | Verify certificates when using TLS | `FALSE` | |
| `FLUENTBIT_OUTPUT_FORWARD_TLS` | Enable TLS when forwading | `FALSE` | |
| `FLUENTBIT_OUTPUT_LOKI_COMPRESS_GZIP` | Enable GZIP compression when sending to loki host | `TRUE` | |
| `FLUENTBIT_OUTPUT_LOKI_HOST` | Host for Loki Output | `loki` | x |
| `FLUENTBIT_OUTPUT_LOKI_PORT` | Port for Loki Output | `3100` | x |
| `FLUENTBIT_OUTPUT_LOKI_TLS` | Enable TLS For Loki Output | `FALSE` | |
| `FLUENTBIT_OUTPUT_LOKI_TLS_VERIFY` | Enable TLS Certificate Verification For Loki Output | `FALSE` | |
| `FLUENTBIT_OUTPUT_LOKI_USER` | (optional) Username to authenticate to Loki Server | `` | x |
| `FLUENTBIT_OUTPUT_LOKI_PASS` | (optional) Password to authenticate to Loki Server | `` | x |
| `FLUENTBIT_OUTPUT_TENANT_ID` | (optional) Tenant ID to pass to Loki Server | `` | x |
| `FLUENTBIT_OUTPUT` | Output plugin to use `LOKI` , `FORWARD`, `NULL` | `FORWARD` | |
| `FLUENTBIT_TAIL_BUFFER_CHUNK_SIZE` | Buffer Chunk Size for Tail | `32k` | |
| `FLUENTBIT_TAIL_BUFFER_MAX_SIZE` | Maximum size for Tail | `32k` | |
| `FLUENTBIT_TAIL_READ_FROM_HEAD` | Read from Head instead of Tail | `FALSE` | |
| `FLUENTBIT_TAIL_SKIP_EMPTY_LINES` | Skip Empty Lines when Tailing | `TRUE` | |
| `FLUENTBIT_TAIL_SKIP_LONG_LINES` | Skip Long Lines when Tailing | `TRUE` | |
| `FLUENTBIT_TAIL_DB_ENABLE` | Enable Offset DB per tracked file (will be same name as log file yet hidden and a suffix of `db` | `TRUE` | |
| `FLUENTBIT_TAIL_DB_SYNC` | DB Sync Type `normal` or `full` | `normal` | |
| `FLUENTBIT_TAIL_DB_LOCK` | Lock access to DB File | `TRUE` | |
| `FLUENTBIT_TAIL_DB_JOURNAL_MODE` | Journal Mode for DB `WAL` `DELETE` `TRUNCATE` `PERSIST` `MEMORY` `OFF` | `WAL` | |
| `FLUENTBIT_TAIL_KEY_PATH_ENABLE` | Enable sending Key for Log Filename/Path | `TRUE` | |
| `FLUENTBIT_TAIL_KEY_PATH` | Path Key Name | `filename` | |
| `FLUENTBIT_TAIL_KEY_OFFSET_ENABLE` | Enable sending Key for Offset in Log file | `FALSE` | |
| `FLUENTBIT_TAIL_KEY_OFFSET` | Offset Path Key Name | `offset` | |
| `FLUENTBIT_SETUP_TYPE` | Automatically generate configuration based on these variables `AUTO` or `MANUAL` | `AUTO` | |
| `FLUENTBIT_STORAGE_BACKLOG_LIMIT` | Maximum about of memory to use for backlogged/unsent records | `5M` | |
| `FLUENTBIT_STORAGE_CHECKSUM` | Create CRC32 checkcum for filesystem RW functions | `FALSE` | |
| `FLUENTBIT_STORAGE_PATH` | Absolute file system path to store filesystem data buffers | `/tmp/fluentbit/storage` | |
| `FLUENTBIT_STORAGE_SYNC` | Synchronization mode to store data in filesystem `normal` or `full` | `normal` | |
#### Firewall Options|
Included when proper capabilities are set on image is the capability to set up detailed block / allow rules via a firewall on container start. Presently only `iptables` is supported.
You must use run your containers with the following capabilities added: `NET_ADMIN`, `NET_RAW`
| Parameter | Description | Default |
| ---------------------------- | --------------------------------------- | ---------- |
| `CONTAINER_ENABLE_FIREWALL` | Enable Firewall Functionality | `FALSE` |
| `CONTAINER_FIREWALL_BACKEND` | What Firewall backend to use `iptables` | `iptables` |
| `FIREWALL_RULE_00` | Firewall rule to execute | |
| `FIREWALL_RULE_01` | Next firewall rule to execute | |
One can use the `FIREWALL_RULE_XX` environment variables to pass rules to the firewall. In this example I am going to block someone from being able to access a port except if from a specific IP address:
````bash
FIREWALL_RULE_00=-I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 389 -j ACCEPT
FIREWALL_RULE_01=-I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 389 -j DROP
````
##### Host Override Options
Sometimes you may need to do some host file trickery. This will add an entry to the contains hosts file.
Instead of relying on environment variables one can put a `iptables-restore` compatible ruleset below and it will be imported on container start.
| Parameter | Description | Default |
| ---------------------------- | ------------------------- | ------- |
| `CONTAINER_HOST_OVERRIDE_01` | Create manual hosts entry | |
Make the value ` override1 override2` eg `1.2.3.4 example.org example.com`. If you omit an IP Address and instead use a domain name it will attempt to look it up to an IP eg `proxy example.com example.org`
##### IPTables Options
Instead of relying on environment variables one can put a `iptables-restore` compatible ruleset below and it will be imported on container start.
| Parameter | Description | Default |
| --------------------- | ----------------------------------------------------------- | ------------------- |
| `IPTABLES_RULES_PATH` | Path for IPTables Rules | `/assets/iptables/` |
| `IPTABLES_RULES_FILE` | IPTables Rules File to restore if exists on container start | `iptables.rules` |
##### Fail2Ban Options
The container also has the capability should `CONTAINER_ENABLE_FIREWALL=TRUE` be enabled to launch Fail2ban, a process which watches logs for patterns and then blocks the remote host from connecting for a period of time.
Drop your custom jail configs as *.conf files in `/etc/fail2ban/jail.d/` and filters in `/etc/fail2ban/filter.d` for them to be parsed at startup. Note the startup delay environment variable to avoid the process failing if no log files exist from a fresh install.
| Parameter | Description | Default |
| --------------------------- | ---------------------------------------------------------------------------------- | ---------------------------------------------- |
| `CONTAINER_ENABLE_FAIL2BAN` | Enable Firewall Functionality | `FALSE` |
| `FAIL2BAN_BACKEND` | Backend | `AUTO` |
| `FAIL2BAN_CONFIG_PATH` | Fail2ban Configuration Path | `/etc/fail2ban/` |
| `FAIL2BAN_DB_FILE` | Persistent Database File | `fail2ban.sqlite3` |
| `FAIL2BAN_DB_PATH` | Persistent Database Path | `/data/fail2ban/` |
| `FAIL2BAN_DB_PURGE_AGE` | Purge entries after how many seconds | `86400` |
| `FAIL2BAN_DB_TYPE` | DB Type `NONE`, `MEMORY`, `FILE` | `MEMORY` |
| `FAIL2BAN_IGNORE_IP` | Ignore these IPs or Ranges space seperated | `127.0.0.1/8 ::1 172.16.0.0/12 192.168.0.0/24` |
| `FAIL2BAN_IGNORE_SELF` | Ignroe Self `TRUE` `FALSE` | `TRUE` |
| `FAIL2BAN_LOG_PATH` | Fail2ban Log Path | `/var/log/fail2ban/` |
| `FAIL2BAN_LOG_FILE` | Fail2ban Log File | `fail2ban.log` |
| `FAIL2BAN_LOG_LEVEL` | Log Level `CRITICAL` `ERROR` `WARNING` `NOTICE` `INFO` `DEBUG` | `INFO` |
| `FAIL2BAN_LOG_TYPE` | Log to `FILE` or `CONSOLE` | `FILE` |
| `FAIL2BAN_MAX_RETRY` | Max times to find pattern in log over `FAIL2BAN_TIME_FIND` | `5` |
| `FAIL2BAN_STARTUP_DELAY` | Startup Delay to give a chance for monitored logs to exist or have data in seconds | `15` |
| `FAIL2BAN_TIME_BAN` | Length of time to ban in default | `10m` |
| `FAIL2BAN_TIME_FIND` | Window to base pattern matches against | `10m` |
| `FAIL2BAN_USE_DNS` | USE DNS for lookups `yes` `warn` `no` `raw` | `warn` |
#### Permissions
If you wish to change the internal id for users and groups you can set environment variables to do so.
e.g. If you add `USER_NGINX=1000` it will reset the containers `nginx` user id from `82` to `1000` -
If you enable `DEBUG_PERMISSIONS=TRUE` all the users and groups have been modified in accordance with
environment variables will be displayed in output.
Hint, also change the Group ID to your local development users UID & GID and avoid Docker permission issues when developing.
| Parameter | Description |
| --------------------------------- | --------------------------------------------------------------------------- |
| `CONTAINER_USER_` | The user's UID in /etc/passwd will be modified with new UID |
| `CONTAINER_GROUP_` | The group's GID in /etc/group and /etc/passwd will be modified with new GID |
| `CONTAINER_GROUP_ADD_` | The username will be added in /etc/group after the group name defined |
#### Process Watchdog
This is experimental functionality to call an external script before a process is executed.
Sample use cases:
- Alert slack channel when process has executed more than once
- Disable process from executing further if restarted 50 times
- Write to an additional log file..
- Change a file to display "Under Maintenance" on a webserver if this process isn't supposed to be run more than 1 time.
It will pass 5 arguments to a bash script titled the same name as the executing script or if not found, use the default `CONTAINER_PROCESS_HELPER_SCRIPT` below. Drop your files into the `CONTAINER_PROCESS_HELPER_PATH`.
For example, if `04-scheduling` was starting, it would look for `$CONTAINER_PROCESS_HELPER_PATH/04-scheduling` and if found execute it while passing the following arguments: DATE,TIME,SCRIPT_NAME,TIMES EXECUTED,HOSTNAME
e.g: `2021-07-01 23:01:04 04-scheduling 2 container`
Use the values in your own bash script using the `$1` `$2` `$3` `$4` `$5` syntax.
Change time and date and settings with these environment variables
| Parameter | Description | Default |
| --------------------------------------------- | --------------------------------------------------------------- | ---------------------------------- |
| `CONTAINER_PROCESS_HELPER_PATH` | Path to file external helper scripts | `/assets/container/processhelper/` |
| `CONTAINER_PROCESS_HELPER_SCRIPT` | Default helper script name | `processhelper.sh` |
| `CONTAINER_PROCESS_HELPER_DATE_FMT` | Date format passed to external script | `%Y-%m-%d` |
| `CONTAINER_PROCESS_HELPER_TIME_FMT` | Time format passed to external script | `%H:%M:%S` |
| `CONTAINER_PROCESS_RUNAWAY_PROTECTOR` | Disables a service if executed more than (x) amount of times | `TRUE` |
| `CONTAINER_PROCESS_RUNAWAY_DELAY` | Delay in seconds to restart process | `1` |
| `CONTAINER_PROCESS_RUNAWAY_LIMIT` | The amount of times it needs to restart before disabling | `50` |
| `CONTAINER_PROCESS_RUNAWAY_SHOW_OUTPUT_FINAL` | Show the program Output on the final execution before disabling | `TRUE` |
### Networking
The following ports are exposed.
| Port | Description |
| ------- | ------------ |
| `2020` | Fluent Bit |
| `10050` | Zabbix Agent |
## Developing / Overriding
This base image has been used over a hundred times to successfully build secondary images. My methodology is admittedly straying from the "one process per container" rule, however this methodology allows me to put together images at a rapid pace, and if more complex scalability is required, the work is split into their own individual images. Since you are reading this here's a crash course at how the image works: (WIP):
See `/assets/functions/00-container` for more detailed documentation for the various commands and functions/shortcuts
- Put defaults in `/assets/defaults/(script name)`
- Put functions in `/assets/functions/(script name)`
- Put Initialization script in `/etc/cont-init.d/(script name)`
Put at the top:
````bash
#!/command/with-contenv bash # Pull in Container Environment Variables from Dockerfile/Docker Runtime
source /assets/functions/00-container # Pull in all custom container functions from this image
prepare_service single # Read functions and defaults only from files matching this script filename - see detailed docs for more
PROCESS_NAME="process" # set the prefix for any logging
.. your scripting ..
print_info "This an INFO log"
print_warn "This a WARN log"
print_error "This is a ERROR log"
liftoff # this writes to the state files at /tmp/.container/ to prove the script executed properly see CONTAINER_SKIP_SANITY_CHECK
````
- Put Services script in `/etc/services.available/(script name)`
Put at the top:
````bash
#!/command/with-contenv bash # Pull in Container Environment Variables from Dockerfile/Docker Runtime
source /assets/functions/00-container # Pull in all custom container functions from this image
prepare_service defaults single # Read defaults only from files matching this script filename - see detailed docs for more
PROCESS_NAME="process" # set the prefix for any logging
check_container_initialized # Check to make sure that the container properly initialized before proceeding
check_service_initialized init # Check to see if the cont-init.d/scriptname executed correctly, otherwise wait until it has done
liftoff # Prove script was able to execute properly
print_start "Starting processname" # Show STARTING log prefix, and also show if enabled a counter, and execute process watchdog script
fakeprocess (args) # whatever your process you want to start is
````
| Parameter | Description | Default |
| ----------------------------- | ------------------------------------------------------------------------------ | ----------- |
| `CONTAINER_SKIP_SANITY_CHECK` | Skip the checking to see if all scripts in /etc/cont-init.d executed correctly | `FALSE` |
| `DEBUG_MODE` | Show all script output (set -x) | `FALSE` |
| `PROCESS_NAME` | Used for prefixing the script that is running | `container` |
## Debug Mode
When using this as a base image, create statements in your startup scripts to check for existence of `DEBUG_MODE=TRUE`
and set various parameters in your applications to output more detail, enable debugging modes, and so on.
In this base image it does the following:
* Sets zabbix-agent to output logs in verbosity
* Shows all script output (equivalent to set -x)
## Maintenance
### Shell Access
For debugging and maintenance purposes you may want access the containers shell.
``bash
docker exec -it (whatever your container name is) bash
``
## Support
These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.
### Usage
- The [Discussions board](../../discussions) is a great place for working with the community on tips and tricks of using this image.
- [Sponsor me](https://tiredofit.ca/sponsor) for personalized support
### Bugfixes
- Please, submit a [Bug Report](issues/new) if something isn't working as expected. I'll do my best to issue a fix in short order.
### Feature Requests
- Feel free to submit a feature request, however there is no guarantee that it will be added, or at what timeline.
- [Sponsor me](https://tiredofit.ca/sponsor) regarding development of features.
### Updates
- Best effort to track upstream changes, More priority if I am actively using the image in a production environment.
- [Sponsor me](https://tiredofit.ca/sponsor) for up to date releases.
## License
MIT. See [LICENSE](LICENSE) for more details.