From 8e5f708561ed2319d53d0062deca3704e48796d4 Mon Sep 17 00:00:00 2001
From: James Swineson
Date: Sat, 14 May 2022 18:33:13 +0800
Subject: [PATCH] update docker run commands and docker-compose.yaml to be near identical

---
 README.md           | 28 +++++++++++++++++++++++++---
 docker-compose.yaml | 27 +++++++++++++++------------
 entrypoint.sh       |  6 +++++-
 3 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 1c405c9..d77f23d 100644
--- a/README.md
+++ b/README.md
@@ -25,13 +25,15 @@ The following prebuilt tags are available at [Docker Hub](https://hub.docker.com
 ## Running
+### Using `docker run`
+
 First we start the container:
 ```shell
 docker run --detach --restart=always \
 	--log-driver json-file --log-opt max-size=10m \
 	--cpus=1 --memory=64m --memory-reservation=64m \
-	--cap-add=SYS_ADMIN --cap-add=NET_RAW --cap-add=CHOWN \
+	--cap-drop=ALL --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID --cap-add=DAC_OVERRIDE --cap-add=NET_RAW \
 	-v /var/atlas-probe/etc:/var/atlas-probe/etc \
 	-v /var/atlas-probe/status:/var/atlas-probe/status \
 	-e RXTXRPT=yes \
@@ -47,6 +49,18 @@ cat /var/atlas-probe/etc/probe_key.pub
 [Register](https://atlas.ripe.net/apply/swprobe/) the probe with your public key. After the registration being manually processed, you'll see your new probe in your account.
+### Using Docker Compose
+
+An example [`docker-compose.yaml`](/docker-compose.yaml) is provided. Note that the example config uses volumes instead of local directories.
+
+## Building
+
+```shell
+DOCKER_BUILDKIT=1 docker build -t ripe-atlas .
+```
+
+Note that building this container image requires [BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/).
+
 ## Caveats
 ### IPv6
@@ -102,6 +116,14 @@ Then start the RIPE Atlas container with argument `--label=com.centurylinklabs.w
 All the config files are stored at `/var/atlas-probe`. Just backup it.
 
-### BuildKit
+### `sleep` command not working
 
-The `Dockerfile` requires [BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/).
+On some systems, syscall `clock_nanosleep` and `clock_nanosleep_time64` are disabled by the default Docker seccomp.
+
+Symptoms:
+- During container startup, `WARNING: clock_nanosleep or clock_nanosleep_time64 is not available on the system` is printed
+- Atlas software stops working after a while, printing logs like `sleep: cannot read realtime clock: Operation not permitted`
+
+Temporary workaround:
+
+Add `--security-opt seccomp:unconfined` to the `docker run` commandline.
 
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 04e0de9..2a9f2f6 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,27 +1,30 @@
 version: "2.0"
-volumes:
-  ripe_config:
-  ripe_status:
-  ripe_data:
+
 services:
-  ripe:
+  ripe-atlas:
     image: jamesits/ripe-atlas:latest
-    container_name: ripe
     restart: always
     environment:
       RXTXRPT: "yes"
-    tmpfs: /var/atlasdata
     volumes:
-      - "ripe_config:/var/atlas-probe/etc"
-      - "ripe_data:/var/atlas-probe/data"
-      - "ripe_status:/var/atlas-probe/status"
+      - "/var/atlas-probe/etc:/var/atlas-probe/etc"
+      - "/var/atlas-probe/status:/var/atlas-probe/status"
+    cap_drop:
+      - ALL
     cap_add:
-      - SYS_ADMIN
       - CHOWN
+      - SETUID
+      - SETGID
+      - DAC_OVERRIDE
       - NET_RAW
-    hostname: ripe
     mem_limit: "64000000000"
     mem_reservation: 64m
     labels:
       - "traefik.enable=false"
       - "com.centurylinklabs.watchtower.enable=true"
+    logging:
+      driver: json-file
+      options:
+        max-size: 10m
+    # security_opt:
+    # - seccomp:unconfined
diff --git a/entrypoint.sh b/entrypoint.sh
index ce05640..956903b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
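Review bot: `mem_limit: "64000000000"` (about 64 GB) contradicts both the `mem_reservation: 64m` right below it and the `--memory=64m` in the README's `docker run` command this commit is meant to mirror; for the stated parity goal it should read `mem_limit: 64m`. The README sentence added in the same commit says the compose example "uses volumes instead of local directories", yet the new `volumes:` entries are host bind mounts of `/var/atlas-probe/etc` and `/var/atlas-probe/status`, so one of the two is stale. `--cpus=1` from the `docker run` command has no counterpart here either; I believe `cpus:` needs compose file format 2.2 or later, so a short comment noting the omission would keep the "near identical" claim honest. The commented-out `security_opt` block is a good place for a one-line comment that `seccomp:unconfined` removes the entire default syscall filter rather than only the `clock_nanosleep` entries the README mentions, so it stays a last resort.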
@@ -6,6 +6,11 @@ declare -a OPTIONS=(
   "RXTXRPT"
 )
 
+# test essential syscalls
+if ! sleep 0 >/dev/null 2>&1; then
+  >&2 echo "WARNING: clock_nanosleep or clock_nanosleep_time64 is not available on the system"
+fi
+
 # create essential files and fix permission
 mkdir -p /var/atlas-probe/status
 chown -R atlas:atlas /var/atlas-probe/status
@@ -24,4 +29,3 @@ for OPT in "${OPTIONS[@]}"; do
 done
 
 exec gosu atlas:atlas "$@"
-
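Review bot: The new check treats any non-zero exit of `sleep 0` as the seccomp problem and then continues startup, so the operator gets a warning naming a syscall that was never actually identified, and the probe still starts in the state the README says will break after a while. Capturing the failure text and printing it with the warning lets the log distinguish a seccomp denial from a missing or broken `sleep` binary, e.g. `if ! err=$(sleep 0 2>&1); then` followed by `>&2 echo "WARNING: sleep failed (${err}); clock_nanosleep or clock_nanosleep_time64 may be blocked by the seccomp profile"`. The README quotes the current warning string verbatim as a symptom, so any rewording here should be mirrored there. The check sits at the top level of the script, not inside a function, and the second hunk only drops a trailing blank line.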