update docker run commands and docker-compose.yaml to be near identical

README.md

@@ -25,13 +25,15 @@ The following prebuilt tags are available at [Docker Hub](https://hub.docker.com
 
 ## Running
 
+### Using `docker run`
+
 First we start the container:
 
 ```shell
 docker run --detach --restart=always \
 	--log-driver json-file --log-opt max-size=10m \
 	--cpus=1 --memory=64m --memory-reservation=64m \
-	--cap-add=SYS_ADMIN --cap-add=NET_RAW --cap-add=CHOWN \
+	--cap-drop=ALL --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID --cap-add=DAC_OVERRIDE --cap-add=NET_RAW \
 	-v /var/atlas-probe/etc:/var/atlas-probe/etc \
 	-v /var/atlas-probe/status:/var/atlas-probe/status \
 	-e RXTXRPT=yes \
@@ -47,6 +49,18 @@ cat /var/atlas-probe/etc/probe_key.pub
 
 [Register](https://atlas.ripe.net/apply/swprobe/) the probe with your public key. After the registration being manually processed, you'll see your new probe in your account.
 
+### Using Docker Compose
+
+An example [`docker-compose.yaml`](/docker-compose.yaml) is provided. Note that the example config uses volumes instead of local directories. 
+
+## Building
+
+```shell
+DOCKER_BUILDKIT=1 docker build -t ripe-atlas .
+```
+
+Note that building this container image requires [BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/).
+
 ## Caveats
 
 ### IPv6
@@ -102,6 +116,14 @@ Then start the RIPE Atlas container with argument `--label=com.centurylinklabs.w
 
 All the config files are stored at `/var/atlas-probe`. Just backup it.
 
-### BuildKit
+### `sleep` command not working
 
-The `Dockerfile` requires [BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/).
+On some systems, syscall `clock_nanosleep` and `clock_nanosleep_time64` are disabled by the default Docker seccomp. 
+
+Symptoms:
+- During container startup, `WARNING: clock_nanosleep or clock_nanosleep_time64 is not available on the system` is printed
+- Atlas software stops working after a while, printing logs like `sleep: cannot read realtime clock: Operation not permitted`
+
+Temporary workaround: 
+
+Add `--security-opt seccomp:unconfined` to the `docker run` commandline. 

docker-compose.yaml

@@ -1,27 +1,30 @@
 version: "2.0"
-volumes:
+
-  ripe_config:
-  ripe_status:
-  ripe_data:
 services:
-  ripe:
+  ripe-atlas:
     image: jamesits/ripe-atlas:latest
-    container_name: ripe
     restart: always
     environment:
       RXTXRPT: "yes"
-    tmpfs: /var/atlasdata
     volumes:
-        - "ripe_config:/var/atlas-probe/etc"
+      - "/var/atlas-probe/etc:/var/atlas-probe/etc"
-        - "ripe_data:/var/atlas-probe/data"
+      - "/var/atlas-probe/status:/var/atlas-probe/status"
-        - "ripe_status:/var/atlas-probe/status"
+    cap_drop:
+      - ALL
     cap_add:
-      - SYS_ADMIN
       - CHOWN
+      - SETUID
+      - SETGID
+      - DAC_OVERRIDE
       - NET_RAW
-    hostname: ripe
     mem_limit: "64000000000"
     mem_reservation: 64m
     labels:
       - "traefik.enable=false"
       - "com.centurylinklabs.watchtower.enable=true"
+    logging:
+      driver: json-file
+      options:
+         max-size: 10m
+    # security_opt:
+    #   - seccomp:unconfined

entrypoint.sh

@@ -6,6 +6,11 @@ declare -a OPTIONS=(
 	"RXTXRPT"
 )
 
+# test essential syscalls
+if ! sleep 0 >/dev/null 2>&1; then
+	>&2 echo "WARNING: clock_nanosleep or clock_nanosleep_time64 is not available on the system"
+fi
+
 # create essential files and fix permission
 mkdir -p /var/atlas-probe/status
 chown -R atlas:atlas /var/atlas-probe/status
@@ -24,4 +29,3 @@ for OPT in "${OPTIONS[@]}"; do
 done
 
 exec gosu atlas:atlas "$@"
-