Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions Containerfile.alpine
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@
RUN /prep_build_container.sh

################################################################################
FROM base AS final
FROM base AS app

# renovate: datasource=rubygems depName=hiera-eyaml
ARG RUBYGEM_HIERA_EYAML=5.0.1
Expand Down Expand Up @@ -82,7 +82,7 @@
org.label-schema.version="$OPENVOXSERVER_VERSION" \
org.label-schema.name="OpenVox Server"

ENV AUTOSIGN=true \

Check warning on line 85 in Containerfile.alpine

View workflow job for this annotation

GitHub Actions / Scan alpine / amd64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 85 in Containerfile.alpine

View workflow job for this annotation

GitHub Actions / Scan alpine / arm64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 85 in Containerfile.alpine

View workflow job for this annotation

GitHub Actions / Build alpine / arm64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 85 in Containerfile.alpine

View workflow job for this annotation

GitHub Actions / Build alpine / amd64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
CA_ALLOW_SUBJECT_ALT_NAMES=false \
CA_ENABLED=true \
CA_TTL=157680000 \
Expand Down Expand Up @@ -111,7 +111,7 @@
OPENVOXSERVER_GRAPHITE_HOST=exporter \
OPENVOXSERVER_GRAPHITE_PORT=9109 \
OPENVOXSERVER_HOSTNAME="" \
OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m -XX:SharedArchiveFile=/opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa" \
OPENVOXSERVER_MAX_ACTIVE_INSTANCES=1 \
OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
OPENVOXSERVER_PORT=8140 \
Expand All @@ -138,6 +138,14 @@

USER puppet:0

# Create a CDS archive in a stage for faster class loading.
FROM app AS cds
RUN OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m -XX:ArchiveClassesAtExit=/opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa -Xlog:cds=off" \
timeout --preserve-status 60 dumb-init /container-entrypoint.sh foreground || [ $? -eq 143 ]

FROM app AS final
COPY --from=cds /opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa /opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa

# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]

Expand Down
12 changes: 10 additions & 2 deletions Containerfile.ubuntu
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@
RUN /prep_build_container.sh

################################################################################
FROM base AS final
FROM base AS app

# renovate: datasource=rubygems depName=hiera-eyaml
ARG RUBYGEM_HIERA_EYAML=5.0.1
Expand Down Expand Up @@ -91,7 +91,7 @@
org.label-schema.version="$OPENVOXSERVER_VERSION" \
org.label-schema.name="OpenVox Server"

ENV AUTOSIGN=true \

Check warning on line 94 in Containerfile.ubuntu

View workflow job for this annotation

GitHub Actions / Scan ubuntu / arm64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 94 in Containerfile.ubuntu

View workflow job for this annotation

GitHub Actions / Scan ubuntu / amd64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 94 in Containerfile.ubuntu

View workflow job for this annotation

GitHub Actions / Build ubuntu / amd64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 94 in Containerfile.ubuntu

View workflow job for this annotation

GitHub Actions / Build ubuntu / arm64 CI container

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
CA_ALLOW_SUBJECT_ALT_NAMES=false \
CA_ENABLED=true \
CA_TTL=157680000 \
Expand Down Expand Up @@ -120,7 +120,7 @@
OPENVOXSERVER_GRAPHITE_HOST=exporter \
OPENVOXSERVER_GRAPHITE_PORT=9109 \
OPENVOXSERVER_HOSTNAME="" \
OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m -XX:SharedArchiveFile=/opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa" \
OPENVOXSERVER_MAX_ACTIVE_INSTANCES=1 \
OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
OPENVOXSERVER_PORT=8140 \
Expand All @@ -147,6 +147,14 @@

USER puppet:0

# Create a CDS archive in a stage for faster class loading.
FROM app AS cds
RUN OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m -XX:ArchiveClassesAtExit=/opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa -Xlog:cds=off" \
timeout --preserve-status 60 dumb-init /container-entrypoint.sh foreground || [ $? -eq 143 ]

FROM app AS final
COPY --from=cds /opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa /opt/puppetlabs/server/apps/puppetserver/puppetserver.jsa

# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]

Expand Down
9 changes: 6 additions & 3 deletions openvoxserver/files/container-entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -87,17 +87,20 @@ post_execution_handler() {

## Sigterm Handler
# shellcheck disable=SC2317 # function is called when the container receives a SIGTERM signal
# We're forwarding the sigterm to the child JVM process (/usr/bin/java) instead of the
# wrapper script (/opt/puppetlabs/server/apps/puppetserver/cli/apps/foreground), else it
# doesn't shut down gracefully.
sigterm_handler() {
echoerr "Catching SIGTERM"
if [ $pid -ne 0 ]; then
echoerr "sigterm_handler for PID '${pid}' triggered"
echoerr "sigterm_handler triggered, shutting down service"
# the above if statement is important because it ensures
# that the application has already started. without it you
# could attempt cleanup steps if the application failed to
# start, causing errors.
run_custom_handler sigterm-handler
kill -15 "$pid"
wait "$pid"
pkill -TERM -f puppet-server-release.jar
while pgrep -f puppet-server-release.jar > /dev/null; do sleep 1; done
post_execution_handler
fi
exit 143; # 128 + 15 -- SIGTERM
Expand Down
Loading