summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
W. Trevor King [Fri, 18 Jul 2014 20:00:04 +0000 (13:00 -0700)]
docker-registry: Trim dependencies now that some storage backends are external
The swift backend moved out-of-core in
f700ecda (s3 / boto
support - updated drivers, tests, mock, etc etc, 2014-05-15).
The glance backend moved out-of-core in commit
2e28ad0c (Cleanup,
2014-05-15), which also removed the keystoneclient dependency.
pyopenssl (Debian's python-openssl) was never imported anywhere, and
the Dockerfile reference was removed in
365b6313 (Cleaned-up docker
file, 2014-05-19).
W. Trevor King [Fri, 18 Jul 2014 18:26:29 +0000 (11:26 -0700)]
gentoo-openrc: Break out OpenRC configuration into a separate Dockerfile
Gentoo users could prefer another process manager, and we want them to
have a clean location for them to swap in their systemd (or whatever)
Dockerfile. The net stuff is new, and with it we no longer get issues
like:
* Bringing up network interface lo ...
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFNETMASK: Operation not permitted
SIOCADDRT: Operation not permitted [ !! ]
* ERROR: loopback failed to start
W. Trevor King [Fri, 18 Jul 2014 13:18:05 +0000 (06:18 -0700)]
build.sh: Bump DATE to
20140717
Yay, a successful amd64-auto build :).
W. Trevor King [Tue, 15 Jul 2014 17:32:13 +0000 (10:32 -0700)]
grab.sh: Try and download a matched stage3/snapshot pair
Catalyst's autobuilds have been flaky recently, so it's a bit
difficult to predict when the next amd64 stage3 will land. The
mirrors only keep a week of history, so it's easier to get the
stage3/snapshot pair from the same day if you try to grab them
automatically every evening. This script will do that, using the
latest-stage3.txt to find the most recent stage3, and then downloading
the auxilliary files and Portage snapshot. If the downloads all
succeed, it updates the default DATE in build.sh.
W. Trevor King [Thu, 3 Jul 2014 23:45:08 +0000 (16:45 -0700)]
gentoo-syslog/Dockerfile.template: Tweak sources (-system +socket)
Don't listen to /proc/kmsg, because Docker doesn't mount it for us.
This avoids:
* Starting syslog-ng ...
Error opening file for reading;
filename='/proc/kmsg', error='Operation not permitted (1)'
Error initializing message pipeline;
* start-stop-daemon: failed to start `/usr/sbin/syslog-ng'
* Failed to start syslog-ng [ !! ]
* ERROR: syslog-ng failed to start
Also add an explicit source listening to /dev/log. I don't have this
on my host system, and that syslog-ng creates /dev/log just fine, but
my containers seem to need an explicit listing here or they don't
create /dev/log.
Reported-by: Oleg Terenchuk <litwol@litwol.com>
W. Trevor King [Fri, 20 Jun 2014 04:36:55 +0000 (21:36 -0700)]
portage: Shift the emphasis from a running to a non-running container
Not messing with ENTRYPOINT makes it easier to run an interactive
container with:
$ docker run --rm -i -t wking/portage
if you want to poke around.
W. Trevor King [Thu, 19 Jun 2014 02:51:15 +0000 (19:51 -0700)]
gentoo-portage/Dockerfile.template: Use 'webrsync --revert'
To grab a specific snapshot of the Portage tree. Otherwise the
snapshot you get depends on when you run webrsync. The public mirrors
only seem to keep about a week of snapshots, so you may want to use
something like package-cache to cache interesting snapshots locally.
W. Trevor King [Wed, 18 Jun 2014 19:03:52 +0000 (12:03 -0700)]
gentoo-portage/Dockerfile.template: Remove 'emerge --sync' call
specing points out that the rsync behind 'emerge --sync' is vulnerable
to man-in-the-middle attacks. In any event, it's probably more
reproducible to stick to the daily snapshot releases used by webrsync
and ignore any changes that have since landed in the rsync mirrors.
W. Trevor King [Wed, 21 May 2014 20:10:13 +0000 (13:10 -0700)]
hubot/add-github-webhooks.sh: Add an script for creating GitHub webhooks
For notifying the github-commits and github-pull-request-notifier
scripts. Adding these hooks to a number of repositories by hand is
tedious, and it's so easy to automate ;).
W. Trevor King [Wed, 30 Apr 2014 18:32:11 +0000 (11:32 -0700)]
hubot/Dockerfile.template: Change 'REDISCLOUD_URL' -> 'REDIS_URL'
hubot-scripts has supported this since
48a3b142 (Added REDIS_URL to
support dokku, 2014-03-01). It still doesn't match Docker's
REDIS_PORT, but it's more generic than the provider-specific
REDISCLOUD_URL.
W. Trevor King [Wed, 30 Apr 2014 18:04:43 +0000 (11:04 -0700)]
hubot: Add jenrzzz/hubot-logger
This logger is not in the node index (which points to
adragomir/hubot-logger [1,2]). However, Jenner's package has more
recent activity (one month ago, vs. five for Andrei), and seems more
featureful. I also approve of using Redis (instead of on-disk files)
for log storage.
[1]: https://www.npmjs.org/package/hubot-logger
[2]: https://github.com/adragomir/hubot-logger
W. Trevor King [Thu, 24 Apr 2014 02:47:58 +0000 (19:47 -0700)]
hubot/Dockerfile.template: Bump gitio to gitio2 2.0.0
This catches us up with
da1abbd (Make use of more updated gitio2,
2014-02-09), which landed with #1317 on 2014-02-10 [1].
[1]: https://github.com/github/hubot-scripts/pull/1317
W. Trevor King [Wed, 16 Apr 2014 22:41:31 +0000 (15:41 -0700)]
docker-registry/package.accept_keywords: Update for
20140410 tree
Bump a number of versions, and drop the no-longer-needed
dev-python/netaddr and dev-python/prettytable keywords (which both
have stable versions for amd64 now).
W. Trevor King [Wed, 16 Apr 2014 20:18:09 +0000 (13:18 -0700)]
docker-registry: Enable the SQLAlchemy search backend
Now that it has landed [1].
[1]: https://github.com/dotcloud/docker-registry/pull/247
W. Trevor King [Wed, 16 Apr 2014 20:15:52 +0000 (13:15 -0700)]
docker-registry/Dockerfile.template: Emerge dev-python/sqlalchemy
Now that my search-index branch has landed [1].
[1]: https://github.com/dotcloud/docker-registry/pull/247
W. Trevor King [Wed, 16 Apr 2014 19:49:51 +0000 (12:49 -0700)]
build.sh: DATE to
20140410
Some of content needed by the old snapshot is no longer mirrored
(e.g. netaddr-0.7.10_p20130801.tar.gz used by dev-python/netaddr
needed for docker-registry).
W. Trevor King [Thu, 13 Mar 2014 15:26:59 +0000 (08:26 -0700)]
salt-minion/Dockerfile.template: Keyword dev-python/libcloud-0.14.1
Avoiding:
The following keyword changes are necessary to proceed:
(see "package.accept_keywords" in the portage(5) man page for more details)
# required by app-admin/salt-9999
# required by =app-admin/salt-9999 (argument)
=dev-python/libcloud-0.14.1 ~amd64
W. Trevor King [Thu, 13 Mar 2014 14:21:07 +0000 (07:21 -0700)]
Revert "build.sh: Shift Kibana packages in the default REPOS list"
This reverts commit
63031ef0041949c9df74145c3ea91c8a59a2b818.
'k' comes before 'm', but the Kibana images depend on the Nginx
images, so they have to come later.
W. Trevor King [Wed, 12 Mar 2014 21:32:30 +0000 (14:32 -0700)]
Update gentoo-syslog consumers to use tail-syslog
Folks who just used the stock:
CMD rc default && tail -F /var/log/messages
can now piggy-back on the CMD setup in the gentoo-syslog
Dockerfile.template, so I removed their CMD lines.
I updated folks that did fancier things (e.g. tweaking configs before
'rc default') to use 'exec tail-syslog' instead of 'tail -F
/var/log/messages'.
Folks that are built FROM gentoo-syslog but never used 'rc default'
should probably be FROM a more basic image, but I left them alone in
this commit.
W. Trevor King [Wed, 12 Mar 2014 19:08:07 +0000 (12:08 -0700)]
Run update-copyright.py
This bumps copyright dates for stuff that I've touched in 2014.
W. Trevor King [Wed, 12 Mar 2014 18:46:03 +0000 (11:46 -0700)]
gentoo-syslog/Dockerfile.template: Add tail-syslog (and other tweaks)
The main change here is a new tail-syslog script that traps SIGTERM
and shuts down running OpenRC processes (using 'rc shutdown'). This
gives us clean shutdowns for 'docker stop' and friends, which makes
'docker restart' and host reboots more reliable.
The tail-syslog script is not the most elegant solution. In fact,
rc(8) suggests:
There are some special runlevels that you should be aware of:
...
shutdown Changes to the shutdown runlevel and then halts the host.
You should not call any of these runlevels yourself. Instead you
should use init(8) and shutdown(8) and let them call these special
runlevels.
Indead, using 'CMD /sbin/init' seems to work fine, but I can't figure
out how to get the logs out via 'docker logs'. I tried a number of
things, including
RUN sed -i 's|^\([^#].*/sbin/agetty.*\)|#\1|' /etc/inittab
RUN echo 'log1:12345:respawn:/usr/bin/tail -F /var/log/messages >/dev/console' >> /etc/inittab
but none of my attempts along those lines worked.
You could work around this by volume-mounting a host directory to the
container's /var/log, or by configuring syslog-ng to forward logs to a
remote destination with something like:
RUN sed -i 's/^\(destination messages\).*;$/\1 { tcp("logs.example.net" port(514) };/' /etc/syslog-ng/syslog-ng.conf
But we don't have a central syslog instance to forward to, and I like
'docker logs' ;).
So that nixed the /sbin/init approach, and I started looking at signal
trapping in a shell script [1]. When I tried to use 'shutdown -h now'
in place of 'rc shutdown', I got log messages like:
Mar 12 18:29:14
f50a7b4bd8c9 logger: trapped SIGTERM, shutting down
Mar 12 18:29:14
f50a7b4bd8c9 shutdown[272]: shutting down for system halt
shutdown: /dev/initctl: No such file or directory
init: /dev/initctl: No such file or directory
because /sbin/init (which creates /dev/initctl) was not running).
Using 'rc shutdown' directly avoids that problem.
Also in this commit:
* Add an initial ^ to the console_all sed line, which just makes
explicit the fact that I'm matching from the beginning of the line.
* Enable boot logging to /var/log/rc.log, in case someone actually
does run /sbin/init.
[1]: 'trap' is in POSIX.1-2008 (IEEE Std 1003.1, 2013 Edition)
http://pubs.opengroup.org/onlinepubs/
9699919799/utilities/V3_chap02.html#tag_18_28
W. Trevor King [Wed, 12 Mar 2014 17:20:59 +0000 (10:20 -0700)]
irker/Dockerfile.template: Change branch from 'ssl-tls' to 'next'
Most of the SSL/TLS patches are now upstream, so I started a new
'next' branch to incorperate my additional changes.
W. Trevor King [Sat, 8 Mar 2014 03:19:53 +0000 (19:19 -0800)]
irker: Add irker, a simple IRC multiplexer daemon
Send messages to an IRC channel from Bash (or anything else that can
send JSON over UDP or TCP).
W. Trevor King [Wed, 5 Mar 2014 23:05:52 +0000 (15:05 -0800)]
ngircd: Add support for SSL=optional
If SSL.Ports is set and Global.Ports is not set, Global.Ports defaults
to empty (not 6667), and you don't get a plaintext listener [1]. With
the new 'optional' setting, explicitly declare Global.Ports so you
have both an SSL listener (on 6697) and a plaintext listener (on 6667).
[1]: http://arthur.barton.de/pipermail/ngircd-ml/2011-February/000471.html
W. Trevor King [Mon, 3 Mar 2014 16:46:09 +0000 (08:46 -0800)]
hubot/README.md: Mention HUBOT_LOG_LEVEL
Strangely, this environment variable does not seem to be documented at
all:
hubot$ git grep HUBOT_LOG_LEVEL
src/robot.coffee: @logger = new Log process.env.HUBOT_LOG_LEVEL or 'info'
W. Trevor King [Sun, 2 Mar 2014 23:49:24 +0000 (15:49 -0800)]
gentoo-node: Add a base image with Node and npm
I forgot to commit this before the hubot Dockerfile. Better late than
never ;).
W. Trevor King [Sun, 2 Mar 2014 20:35:24 +0000 (12:35 -0800)]
gentoo-utc: Setup /etc/timezone and /etc/localtime
Following the Gentoo x86 install guide [1]. This avoids errors like:
[Sun Mar 02 2014 20:22:48 GMT+0000 (Local time zone must be set--see zic manual page)] ...
Which I was getting in my hubot logs.
[1]: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=6#doc_chap4
W. Trevor King [Sun, 2 Mar 2014 23:13:38 +0000 (15:13 -0800)]
hubot: Add a hubot image
I had to instal Git to avoid a:
GET https://registry.npmjs.org/scoped-http-client
GET https://registry.npmjs.org/async
ERR! not found: git
npm ERR!
ERR! Failed using git.
This is most likely not a problem with npm itself.
Please check if you have git installed and in your PATH.
Linux 3.13.0
command "/usr/bin/node" "/usr/bin/npm" "install"
cwd /hubot
node -v v0.10.21
1.3.11
ENOGIT
error during the 'npm install'. Other than that, this is fairly
straightforward, although I wish that the script dependencies were
handled automatically :p.
Docker doesn't let you modify /etc/hosts at the moment [1]. If you
need to add custom DNS (because your target IRC server doesn't resolve
automatically), you can use dnsmasq [2]. I added something like this
to the tail of my hubot/Dockerfile.template:
RUN emerge -v dnsmasq
RUN rc-update add dnsmasq default
RUN echo 'address="/irc.example.net/192.168.0.2"' >> /etc/dnsmasq.conf
RUN echo 'nameserver 192.168.0.1' >> /etc/resolv.dnsmasq.conf
RUN echo 'resolv-file=/etc/resolv.dnsmasq.conf' >> /etc/dnsmasq.conf
RUN echo 'listen-address=127.0.0.1' >> /etc/dnsmasq.conf
RUN sed -i 's/need localmount net$/use localmount net/' /etc/init.d/dnsmasq
And fired up the container with:
docker run ... --dns 127.0.0.1 wking/hubot /bin/bash
# rc default
# cd hubot
# REDISCLOUD_URL="${REDIS_PORT}" exec bin/hubot --name "${HUBOT_IRC_NICK:-hubot}" -a irc
[1]: https://github.com/dotcloud/docker/issues/2267
[2]: https://github.com/dotcloud/docker/issues/1951#issuecomment-
24960347
W. Trevor King [Sun, 2 Mar 2014 20:18:51 +0000 (12:18 -0800)]
hubot: Add a hubot image
I had to instal Git to avoid a:
GET https://registry.npmjs.org/scoped-http-client
GET https://registry.npmjs.org/async
ERR! not found: git
npm ERR!
ERR! Failed using git.
This is most likely not a problem with npm itself.
Please check if you have git installed and in your PATH.
Linux 3.13.0
command "/usr/bin/node" "/usr/bin/npm" "install"
cwd /hubot
node -v v0.10.21
1.3.11
ENOGIT
error during the 'npm install'. Other than that, this is fairly
straightforward, although I wish that the script dependencies were
handled automatically :p.
Docker doesn't let you modify /etc/hosts at the moment [1]. If you
need to add custom DNS (because your target IRC server doesn't resolve
automatically), you can use dnsmasq [2]. I added something like this
to the tail of my hubot/Dockerfile.template:
RUN emerge -v dnsmasq
RUN rc-update add dnsmasq default
RUN echo 'address="/irc.example.net/192.168.0.2"' >> /etc/dnsmasq.conf
RUN echo 'nameserver 192.168.0.1' >> /etc/resolv.dnsmasq.conf
RUN echo 'resolv-file=/etc/resolv.dnsmasq.conf' >> /etc/dnsmasq.conf
RUN echo 'listen-address=127.0.0.1' >> /etc/dnsmasq.conf
RUN sed -i 's/need localmount net$/use localmount net/' /etc/init.d/dnsmasq
And fired up the container with:
docker run ... --dns 127.0.0.1 wking/hubot /bin/bash
# rc default
# cd hubot
# REDISCLOUD_URL="${REDIS_PORT}" exec bin/hubot --name "${HUBOT_IRC_NICK:-hubot}" -a irc
[1]: https://github.com/dotcloud/docker/issues/2267
[2]: https://github.com/dotcloud/docker/issues/1951#issuecomment-
24960347
W. Trevor King [Sat, 1 Mar 2014 19:28:54 +0000 (11:28 -0800)]
ngircd/README.md: Document the 20-character password limit
From the referenced INSTALL docs:
Differences to version 0.8.x
- The maximum length of passwords has been raised to 20 characters
(instead of 8 characters). If your passwords are longer than 8
characters then they are cut at an other position now.
so in v0.8 and earlier the password limit was even shorter.
W. Trevor King [Sat, 1 Mar 2014 05:44:28 +0000 (21:44 -0800)]
ngircd: Add support for GLOBAL_PASSWORD
We need to disable PAM support at compile time to get this working,
because with PAM compiled in global password are broken until
485d0ae
(Use server password when PAM is compiled in but disabled, 2014-02-27,
[1]).
485d0ae landed after ngIRCd v21, so it will probably be in the
next release after that. Once that lands in Gentoo's Portage tree, we
can re-enable PAM.
[1]: http://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd.git;a=commit;h=
485d0aec813db9966922f17aae044df2d82b0b67
W. Trevor King [Sat, 1 Mar 2014 00:45:19 +0000 (16:45 -0800)]
ngircd: Add optional SSL / TLS support
Unfortunately, irssi doesn't have a command-line flag to select
encrypted connections [1]. I'd like something like:
$ irssi -c irc.example.net -p 6697 --ssl
Until something like that is added, you'll need to add the server to
your irssi config:
$ cat ~/.irssi/config
...
servers = (
{
address = "irc.example.net";
chatnet = "example";
port = "6697";
use_ssl = "yes";
ssl_verify = "yes";
autoconnect = "yes";
},
...
);
chatnets = {
example = {
type = "IRC";
nick = "your-nick";
};
...
};
...
Or connect manually after firing up irssi:
$ irssi --noconnect
[(status)] /connect -ssl -ssl_verify nott 6697
Run `/help connect` for more information.
[1]: http://www.irssi.org/documentation/manual
W. Trevor King [Fri, 28 Feb 2014 19:00:16 +0000 (11:00 -0800)]
ngircd: Add an ngIRCd image
This doesn't support SSL yet, but I'll look into that later.
W. Trevor King [Fri, 28 Feb 2014 02:08:09 +0000 (18:08 -0800)]
x.509/Makefile-{link,server}: Allow users to override FQDNS
By using ?= to assign that variable only if it's not already set [1].
For Makefile-link, also append the 'nginx' entry using += [2], to
ensure it is always present.
[1]: https://www.gnu.org/software/make/manual/html_node/Setting.html
[2]: https://www.gnu.org/software/make/manual/html_node/Appending.html
W. Trevor King [Thu, 27 Feb 2014 19:11:22 +0000 (11:11 -0800)]
salt-minion/Dockerfile.template: Namespace /etc/portage/package.*
Use directories instead of files. This makes it easy for other folks
to drop in their own USE flag and keyword overrides without worring
about appending to our existing files.
W. Trevor King [Wed, 26 Feb 2014 19:31:59 +0000 (11:31 -0800)]
salt-minion/Dockerfile.template: Bump to Salt v2014.1.0
With
17ca2ae (Merge pull request #9024 from cachedout/#8976,
2013-12-05, saltstack/salt#9024, [1]), Salt gained the ability to
report LXC-ness as a grain, which is useful if you're writing Salt
states that will run in Docker containers. The series landed before
the v2014.1 tag and was released with v2014.1.0.
[1]: https://github.com/saltstack/salt/pull/9024
W. Trevor King [Wed, 26 Feb 2014 19:30:39 +0000 (11:30 -0800)]
salt-minion/Dockerfile.template: Add 'need logger' to salt-minion init script
Work around Gentoo's #502550 [1].
[1]: https://bugs.gentoo.org/show_bug.cgi?id=502550
W. Trevor King [Wed, 26 Feb 2014 19:22:48 +0000 (11:22 -0800)]
salt-minion/Dockerfile.template: Install dev-python/git-python
Work around Gentoo's #485522 [1].
[1]: https://bugs.gentoo.org/show_bug.cgi?id=485522
W. Trevor King [Tue, 25 Feb 2014 21:40:06 +0000 (13:40 -0800)]
salt-minion/README.md: Discuss minion caching and sync_all
I needed the explicit sync_all with Salt v0.17.0. It's possible that
this is a bug that has been (or will be) fixed in future versions.
W. Trevor King [Mon, 24 Feb 2014 23:14:42 +0000 (15:14 -0800)]
*/README.md: Replace '-name' with '--name' and '-link' with '--link'
Docker has adopted GNU-style long options with v0.8.0 :) [1]:
First step toward getopt style flags:
As we keep compatibility with flags like -dns we can't have -i -t ->
-it but at least - and -- are now correct.
[1]: https://github.com/dotcloud/docker/pull/3322
e71dbf4 (update commands.go, 2013-12-23)
W. Trevor King [Mon, 24 Feb 2014 23:07:59 +0000 (15:07 -0800)]
salt-minion: Add a Salt State minion image
If you already have a Salt setup, it might be easier to use Salt to
provision your container than to convert your Salt configs into
Dockerfiles.
W. Trevor King [Fri, 21 Feb 2014 19:45:30 +0000 (11:45 -0800)]
gentoo-portage/Dockerfile.template: Use distfiles.gentoo.org for GENTOO_MIRRORS
This is more generic, and it's easy to customize the mirror by using a
package-cache container as a transparent proxy. The clients can still
think they're using the generic mirror, but you can volume-mount an
/etc/conf.d/package-cache in the proxy container and set SOURCES to
whatever you like.
W. Trevor King [Fri, 21 Feb 2014 18:48:05 +0000 (10:48 -0800)]
package-cache: Add an image with my package-cache proxy
Along with iptables instructions for transparently proxying Gentoo
mirrors using this image.
W. Trevor King [Fri, 21 Feb 2014 17:50:12 +0000 (09:50 -0800)]
build.sh: Shift Kibana packages in the default REPOS list
'k' comes before 'm' in the alphabet ;).
W. Trevor King [Fri, 21 Feb 2014 17:48:38 +0000 (09:48 -0800)]
gentoo-layman: Add a layman container for easy overlay Dockerfiles
W. Trevor King [Wed, 19 Feb 2014 21:04:51 +0000 (13:04 -0800)]
elasticsearch/Dockerfile.template: Log to syslog instead of a local file
Use Log4j's SyslogAppender [1] to log to a local Syslog. The Syslog
appender doesn't use /dev/log [2], so we also need to Syslog to listen
on the UDP socket. Relevant threads from the Elasticsearch mailing
list [3,4].
[1]: http://logging.apache.org/log4j/2.x/manual/appenders.html#SyslogAppender
[2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=44839
[3]: https://groups.google.com/forum/#!topic/elasticsearch/zeGWxzSQ4N4/discussion
Subject: Using the syslog appender in elasticsearch
From: Darron Froese
Date: 2011-12-28
[4]: https://groups.google.com/forum/#!topic/elasticsearch/-ydujtOC5Fw/discussion
Subject: use elasticsearch with syslog
From: Olivier Morel
Date: 2013-04-30
W. Trevor King [Sat, 15 Feb 2014 02:43:52 +0000 (18:43 -0800)]
x.509/Makefile-link: Add a basic Makefile for linking wildcard certs
W. Trevor King [Fri, 14 Feb 2014 22:54:21 +0000 (14:54 -0800)]
x.509/Makefile-stunnel: Add a basic Makefile for creating self-signed certs
This is similar to Makefile-server, but it only creates a single
key/certificate pair. It also bundles the private key and certificate
together in stunnel.pem, which is the format the stunnel image expects
(mount it at the container's /etc/stunnel/stunnel.pem).
W. Trevor King [Fri, 14 Feb 2014 22:47:25 +0000 (14:47 -0800)]
x.509/Makefile-server: Add a basic Makefile for creating self-signed certs
This requires a local CA, which you can build using Makefile-ca. Use
CA_KEY and CA_CERT to point at your local CA:
$ make -f Makefile-ca
$ make -f Makefile-server CA_KEY=key.pem CA_CERT=ca.pem
W. Trevor King [Fri, 14 Feb 2014 22:31:59 +0000 (14:31 -0800)]
x.509/Makefile-ca: Add a basic Makefile for creating self-signed CAs
W. Trevor King [Fri, 14 Feb 2014 20:35:32 +0000 (12:35 -0800)]
push.sh: Add a helper script to mass-push repositories to a registry
For example, after building, if you want to upload all of the new
images. Any repositories that already exist on the registry will just
be re-tagged.
W. Trevor King [Fri, 14 Feb 2014 19:47:48 +0000 (11:47 -0800)]
build.sh: Replace '-name' with '--name'
Docker has adopted GNU-style long options with v0.8.0 :) [1]:
First step toward getopt style flags:
As we keep compatibility with flags like -dns we can't have -i -t ->
-it but at least - and -- are now correct.
Strangely, I the short form doesn't always work for me anymore:
$ docker run -name my-container -hostname my-container wking/gentoo /bin/bash
flag provided but not defined: -hostname
Note that the -name works fine but the newer --hostname requires the
'--' form.
[1]: https://github.com/dotcloud/docker/pull/3322
e71dbf4 (update commands.go, 2013-12-23)
W. Trevor King [Fri, 14 Feb 2014 04:53:50 +0000 (20:53 -0800)]
kibana-azure: Add an image for Azure's custom Kibana
Pulling from https://github.com/wking/kibana/tree/azure instead of
from https://github.com/elasticsearch/kibana.
W. Trevor King [Thu, 13 Feb 2014 23:11:30 +0000 (15:11 -0800)]
build.sh: Die with an error if a wget fails
W. Trevor King [Thu, 13 Feb 2014 23:09:43 +0000 (15:09 -0800)]
build.sh: Use autobuilds for ARCH_URL instead of current-stage3
The autobuilds directory contains a few rounds of older stages, while
current-stage3 has only the most recent stage.
W. Trevor King [Thu, 13 Feb 2014 22:39:54 +0000 (14:39 -0800)]
build.sh: Add BUILD_OPTS for custom build options
For example, to rebuild a package without using the cache:
$ REPOS=docker-registry BUILD_OPTS=--no-cache ./build.sh
which lets you update your image after the upstream repository has
changed.
W. Trevor King [Wed, 12 Feb 2014 20:23:27 +0000 (12:23 -0800)]
docker-registry: Add a Gentoo-based docker-registry
The requirements are installed using Portage, because that handles
non-Python requirements gracefully, and caches all the source tarballs
for later use (e.g. if PyPI is down). Note with the
20140206
snapshot, this installs dev-python/gevent-1.0_rc3, which is based on
libev not libevent like the pre 1.0 gevents [1]:
New version of gevent uses libev and c-ares rather than libevent and
includes all the dependencies in the release tarball.
You may have to bump your gevent requirements (docker-registry's
requirements.txt currently pins it at 0.13.8) or install
dev-libs/libevent if you want to run the tox test suite.
Bugsnag doesn't have a Gentoo package, so I don't install it. That
means you won't be able to use Bugsnag with this image (unless you
install it yourself), and you'll want a version of docker-registry
that includes
e253550 (Merge pull request #241 from
wking/optional-bugsnag, 2014-02-11).
[1]: https://pypi.python.org/pypi/gevent/0.13.8
W. Trevor King [Mon, 10 Feb 2014 03:27:01 +0000 (19:27 -0800)]
build.sh: Bump DATE to
20140206
Move past the recent Python-and-/dev/shm issues now that Catalyst is
fixed. I've built the full suite of images with
20140206 without
issues.
W. Trevor King [Fri, 7 Feb 2014 23:34:32 +0000 (15:34 -0800)]
README.md: Remove 'is mounted from the host' typo
This was leftover from an old writeup of a host-mounted workaround,
and should never have been committed.
W. Trevor King [Fri, 7 Feb 2014 20:22:48 +0000 (12:22 -0800)]
gentoo-portage/Dockerfile.template: chown portage:portage /usr/portage
When the usersync feature is enabled (which it is by default),
emerge-webrsync uses the owner and group of /usr/portage
(${repo_location}) for the unpacked tree. This commit avoids having
the whole tree be owned by root:root.
W. Trevor King [Sat, 1 Feb 2014 02:59:40 +0000 (18:59 -0800)]
build.sh: Only extract busybox before building the portage image
There's no need to extract it again every time we run this script.
W. Trevor King [Wed, 29 Jan 2014 20:31:26 +0000 (12:31 -0800)]
build.sh: Add [--help] {build|missing} support
The 'missing' command show which repos remain unbuilt. I use this to
setup the REPOS environtment variable for subsequent build calls, if
on of the repos is giving me trouble.
W. Trevor King [Wed, 29 Jan 2014 20:30:45 +0000 (12:30 -0800)]
build.sh: Pull repo_exists out into a helper function
Don't repeat yourself ;).
W. Trevor King [Wed, 29 Jan 2014 17:55:32 +0000 (09:55 -0800)]
build.sh: Use functions to make the logical flow more obvious
Also log important actions to stdout so you can monitor what's
happening.
W. Trevor King [Mon, 27 Jan 2014 05:55:21 +0000 (21:55 -0800)]
build.sh: Use DOCKER to allow local command overrides
On Debian, the binary is installed as docker.io [1] to avoid confusion
with the existing window manager docker package [2].
While you can override DOCKER, it would be nice if we just worked out
of the box for everyone. Use 'command -v' [3] and the temporary
DOCKER_IO to setup the following chain:
1. If DOCKER is already set (e.g., by the user) use it.
2. Fall back to docker.io, if we find it in the PATH.
3. Fall back to docker.
The logic is that if docker.io exists, it's almost certainly what we
want. If docker exists in the path, it's more ambiguous.
[1]: http://packages.debian.org/unstable/docker.io
[2]: http://packages.debian.org/unstable/docker
[3]: http://pubs.opengroup.org/onlinepubs/
9699919799/utilities/command.html
W. Trevor King [Mon, 27 Jan 2014 05:34:13 +0000 (21:34 -0800)]
build.sh: Use generic distfiles.gentoo.org for MIRROR
Instead of hardcoding mcs.anl.gov. If you want to use a specific
mirror, you should override the MIRROR environment variable yourself.
W. Trevor King [Fri, 10 Jan 2014 03:42:38 +0000 (19:42 -0800)]
nginx-proxy/vhost-template.conf: Set X-Forwarded-Host
Since v1.5, Django cares about the requested Host (or
X-Forwarded-Host) [1], so we need to pass that information through.
With this Nginx config, you can set USE_X_FORWARDED_HOST [2] and parse
the appropriate hostname instead of your Docker container's IP.
[1]: https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
[2]: https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-USE_X_FORWARDED_HOST
W. Trevor King [Fri, 10 Jan 2014 03:41:12 +0000 (19:41 -0800)]
nginx-proxy/vhost-template.conf: Use $proxy_add_x_forwarded_for
Instead of $remote_addr. This gives a chain of remote addresses if we
have multiple layers of proxies [1]:
$proxy_add_x_forwarded_for
Contains client request-header "X-Forwarded-For" with separated by
comma $remote_addr. If there is no X-Forwarded-For request-header,
than $proxy_add_x_forwarded_for is equal to $remote_addr.
[1]: http://wiki.nginx.org/HttpProxyModule#.24proxy_add_x_forwarded_for
W. Trevor King [Fri, 3 Jan 2014 19:39:58 +0000 (11:39 -0800)]
postgresql/Dockerfile.template: Log to syslog
Also use sed to place the listen_addresses config near its associated
comments in the config file.
W. Trevor King [Fri, 3 Jan 2014 03:39:54 +0000 (19:39 -0800)]
nginx-proxy: Add an Nginx proxy image
I've got a bunch of HTTP server images, but I need a single proxy
container that supports SNI to expose them to the world. This
container can link to a colleciton of HTTP-serving containers and
proxy them under arbitrary hostnames using user-supplied, per-host
certificates and keys.
env and sed are both in POSIX 2013 [1,2], and the:
eval A=\$$B
variable indirection is because POSIX [3] doesn't support Bash's
indirect expansion "A=${!B}". The 'tcp' -> 'http' replacement maps
Docker's tcp:://${IP}:${PORT} addresses to http://${IP}:${PORT} for
use in the Nginx config.
envsubst is in gettext [4] and not in POSIX [5], so it may be slightly
less portable. However, envsubst and gettext are in Gentoo's x86 and
amd64 stage1s, our Gentoo-based images will have it.
[1]: http://pubs.opengroup.org/onlinepubs/
9699919799/utilities/env.html
[2]: http://pubs.opengroup.org/onlinepubs/
9699919799/utilities/sed.html
[3]: http://pubs.opengroup.org/onlinepubs/
9699919799/utilities/V3_chap02.html#tag_18_06_02
[4]: http://www.gnu.org/software/gettext/
[5]: http://pubs.opengroup.org/onlinepubs/
9699919799/idx/utilities.html
W. Trevor King [Thu, 2 Jan 2014 18:11:41 +0000 (10:11 -0800)]
nginx/Dockerfile.template: Change default hostname to _
From the docs [1]:
In catch-all server examples the strange name “_” can be seen:
server {
listen 80 default_server;
server_name _;
return 444;
}
There is nothing special about this name, it is just one of a myriad
of invalid domain names which never intersect with any real name.
Still, an invalid domain name makes more sense than 'localhost' for a
public server.
[1]: http://nginx.org/en/docs/http/server_names.html#miscellaneous_names
W. Trevor King [Thu, 2 Jan 2014 06:23:41 +0000 (22:23 -0800)]
postgresql: Declare /var/lib/postgresql a VOLUME
Avoid the hassle of maintaining a host-mounted volume by letting
Docker handle the volume maintenance ;). We need to declare the
VOLUME *after* filling it with content (with 'emerge --config'),
otherwise ownership and permissions on the empty volume are lost
[1,2,3], and future RUN commands die due to:
initdb: could not access directory "/var/lib/postgresql/9.3/data": Permission denied
[1]: https://github.com/dotcloud/docker/issues/2360
[2]: https://github.com/dotcloud/docker/issues/2969
[3]: https://github.com/dotcloud/docker/issues/2975
[4]: https://github.com/dotcloud/docker/pull/3008
W. Trevor King [Tue, 31 Dec 2013 05:38:26 +0000 (21:38 -0800)]
portage/README.md: You can mount volumes from stopped containers
As Sven Dowideit describes in a pending doc update [1].
[1]: https://github.com/dotcloud/docker/pull/3389
W. Trevor King [Mon, 30 Dec 2013 21:23:58 +0000 (13:23 -0800)]
redis/Dockerfile.template: Direct logs to syslog
Since I'm tailing /var/log/messages in CMD. This also makes it easier
if you want to redirect the logs to a central syslog server.
W. Trevor King [Sat, 28 Dec 2013 23:05:59 +0000 (15:05 -0800)]
build.sh: Bump DATE to
20131226 to match the new weekly build
W. Trevor King [Sat, 28 Dec 2013 22:49:15 +0000 (14:49 -0800)]
Use envsubst instead of sed to parse Dockerfile.template
Convert everything in one pass, instead of taking a separate pass for
each variable. Thanks to aluedeke for mentioning envsubst on #docker;
I hadn't heard of it before. It's distributed as part of gettext [1],
and not in POSIX [2], so it may be slightly less portable. However,
envsubst and gettext are in Gentoo's x86 and amd64 stage1s, so it
can't be *that* uncommon ;).
[1]: http://www.gnu.org/software/gettext/
[2]: http://pubs.opengroup.org/onlinepubs/
9699919799/idx/utilities.html
W. Trevor King [Sat, 28 Dec 2013 21:24:24 +0000 (13:24 -0800)]
memcached: Add a Memcached image
The 10MB of overhead memory were estimated from this output in a
running memcached container:
# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 20300 2124 ? S 20:57 0:00 /bin/bash
memcach+ 184 0.0 0.0 323124 1112 ? Ssl 20:58 0:00 /usr/bin/memcached -d -p 11211 -U 11211 -m 128 -c 1024 -u
root 224 0.0 0.0 25064 440 ? S 20:58 0:00 supervising syslog-ng
root 225 0.3 0.0 124708 3620 ? Ssl 20:58 0:00 /usr/sbin/syslog-ng --persist-file /var/lib/syslog-ng/sysl
root 263 0.0 0.0 18632 804 ? Ss 20:58 0:00 /usr/sbin/cron
root 300 0.0 0.0 15440 1148 ? R+ 20:58 0:00 ps aux
Less Bash and ps, that's 1112 + 3620 + 804 = 5.5MB of resident memory,
so 10MB seemed like a safe buffer.
W. Trevor King [Sat, 28 Dec 2013 17:14:49 +0000 (09:14 -0800)]
kibana: Add a Kibana image
Dump a Kibana tarball into Nginx's htdocs, and use an
ELASTICSEARCH_URL environment variable to adjust config.js at spin-up.
List Kibana after Nginx in build.sh's REPOS to ensure the Nginx image
is built first.
W. Trevor King [Sat, 28 Dec 2013 05:10:17 +0000 (21:10 -0800)]
nginx: Add an Nginx image
W. Trevor King [Sat, 28 Dec 2013 00:42:27 +0000 (16:42 -0800)]
stunnel: Add a stunnel-wrapper image
Make it easy to wrap arbitrary ports with stunnel.
The explicit pid configuration avoids errors like:
... stunnel: ... Cannot create pid file /var/lib/run/stunnel/stunnel.pid
... stunnel: ... create: No such file or directory (2)
which is probably just a wart in Gentoo's stunnel packaging.
W. Trevor King [Fri, 27 Dec 2013 21:43:21 +0000 (13:43 -0800)]
postgresql/README.md: Mention volume-mounts and setup
Without a host-mounted volume for /var/lib/postgresql I filled up the
10GB dm block allocated by Docker v0.7.2.
W. Trevor King [Fri, 27 Dec 2013 16:56:55 +0000 (08:56 -0800)]
redis/Dockerfile.template: Bind to all interfaces
It's not much good to have a Redis container that's only listening to
localhost ;).
W. Trevor King [Fri, 27 Dec 2013 00:53:02 +0000 (16:53 -0800)]
build.sh: Allow readlink for path-canonicalization
Debian doesn't have realpath installed by default [1], so fall back to
the more widely available readlink [2].
[1]: http://packages.debian.org/unstable/utils/realpath
[2]: http://www.gnu.org/software/coreutils/manual/html_node/readlink-invocation.html
W. Trevor King [Fri, 13 Dec 2013 23:31:27 +0000 (15:31 -0800)]
portage: Add a Portage-volume-exporting image
This builds the Portage snapshot into a stand-alone volume, which can
be mounted using -volumes-from. There's currently no
Dockerfile-supported way to mount this for builds, so gentoo-portage
still goes the emerge-webrsync route.
We need something to fill the role of /bin/sh in the Portage-snapshot
container, so I'm using the /bin/busybox from the 'gentoo' image. As
of 2013-12-12, it's:
sys-apps/busybox-1.21.0
USE="ipv6 pam static -livecd -make-symlinks -math -mdev -savedconfig
(-selinux) -sep-usr -syslog -systemd"
W. Trevor King [Fri, 13 Dec 2013 19:41:01 +0000 (11:41 -0800)]
build.sh: Bump DATE to
20131212 to match the new weekly build
W. Trevor King [Fri, 13 Dec 2013 04:30:44 +0000 (20:30 -0800)]
elasticsearch: Add Elasticsearch container instructions
W. Trevor King [Fri, 13 Dec 2013 03:53:16 +0000 (19:53 -0800)]
gentoo-java/Dockerfile.template: Add Gentoo+Java container instructions
I tried to bootstrap icedtea using icedtea-bin, but ran into a blocker
between app-admin/eselect-java-0.1.0 and
dev-java/java-config2.1.12-r1. Figuring out a resolution is not worth
my time ;).
W. Trevor King [Fri, 13 Dec 2013 00:08:48 +0000 (16:08 -0800)]
postgresql: Add PostgreSQL container instructions (Dockerfile and README)
The $(echo /etc/postgresql*/postgresql.conf) crazyness in the
Dockerfile is because Docker chokes on:
RUN echo host all all 0.0.0.0/0 trust >> /etc/postgresql*/pg_hba.conf
raising:
/bin/sh: /etc/postgresql*/pg_hba.conf: No such file or directory
I'm not sure why it's not expanding the glob. Perhaps Docker is
quoting redirection targets? In any case, the $(echo ...) form works,
so that's what I'm going with for now.
W. Trevor King [Thu, 12 Dec 2013 21:42:35 +0000 (13:42 -0800)]
redis: Add Redis container instructions (Dockerfile and README)
W. Trevor King [Thu, 12 Dec 2013 17:07:00 +0000 (09:07 -0800)]
Run update-copyright.py
W. Trevor King [Thu, 12 Dec 2013 16:53:29 +0000 (08:53 -0800)]
Add '# Copyright' tags for update-copyright
W. Trevor King [Thu, 12 Dec 2013 16:52:50 +0000 (08:52 -0800)]
.update-copyright.conf: add copyright configuration.
Use my external update-copyright package to maintain copyright blurbs.
http://pypi.python.org/pypi/update-copyright/
W. Trevor King [Thu, 12 Dec 2013 15:32:03 +0000 (07:32 -0800)]
gentoo-portage/Dockerfile.template: Set rc_sys="lxc"
Avoid:
$ docker run -p 8010:8010 wking/buildbot
...
* Caching service dependencies ... [ ok ]
* You are attempting to run an openrc service on a
* system which openrc did not boot.
* You may be inside a chroot or you may have used
* another initialization system to boot this system.
* In this situation, you will get unpredictable results!
* If you really want to do this, issue the following command:
* touch /run/openrc/softlevel
* ERROR: syslog-ng failed to start
...
W. Trevor King [Wed, 11 Dec 2013 22:18:45 +0000 (14:18 -0800)]
build.sh: Remove `function` from `die()` definition
`function` is a Bash-ism. POSIX suggests [1]:
fname() compound-command[io-redirect ...]
[1]: http://pubs.opengroup.org/onlinepubs/
9699919799/utilities/V3_chap02.html#tag_18_09_05
W. Trevor King [Wed, 11 Dec 2013 06:19:23 +0000 (22:19 -0800)]
COPYING: Add the 2-clause BSD license
From http://opensource.org/licenses/BSD-2-Clause
W. Trevor King [Wed, 11 Dec 2013 06:17:26 +0000 (22:17 -0800)]
Initial dockerfile commit
This builds a working Buildbot container from scratch using the Gentoo
stage3 tarball as a seed. Everything seems to work with Docker
v0.7.1.