alpine-s6
MultiArch Alpine Linux + S6 Init System.
This image serves as a base image for applications / services that need an init system to launch the process(es) and pass the proper signals when interacted with the containers.
Based on Alpine Linux from the base image with the s6 init system overlayed on it. Versioned accordingly with releases from /just-containers/s6-overlay.
Get the Image¶
Pull the image from Docker Hub.
Image Tags
The image is tagged respectively for the following architectures,
latest tag is annotated as multiarch so pulling without any tags should fetch the correct image for your architecture. Same goes for any of the version tags.
non-x86_64 builds have embedded binfmt_misc support and contain the qemu-user-static binary that allows for running it also inside an x86_64 environment that has support for it.
Run¶
Run bash
in the container to get a shell.
Multi-Arch Support
If you want to run images for other architectures on a x86_64 machine, you will need to have binfmt support configured for your machine before running the image. multiarch, has made it easy for us containing that into a docker container, just run
Now images built for other architectures will also be executable. This is optional though, without the above, you can still run the image that is made for your architecture.
Configuration¶
We can customize the runtime behaviour of the container with the following environment variables.
ENV Vars | Default | Description |
---|---|---|
S6_NEEDED_PACKAGES | empty string | Space-separated list of extra APK packages to install on start. E.g. "curl git tzdata" |
PUID | 1000 | Id of S6_USER . |
PGID | 100 | Group id of S6_USER . |
S6_USER | alpine | (Preset) Default non-root user for services to drop privileges to. |
S6_USERHOME | /home/alpine | (Preset) HOME directory for S6_USER . |
HGID_(groupname) | unset | Update (or create) groupname with non-zero positive integer gid (to match with host). E.g HGID_VIDEO=995 will change gid of video group to 995 . (since 3.2.0.0) |
S6_USERGROUPS | empty string | Comma-separated list of groups to add S6_USER to. E.g. "audio,video,tty" , groups must exist. |
S6_USERPASS | unset | Password for S6_USER . |
Did you know?
You can check your own UID/GID by running the command id
in a terminal.
But wait!! There's more...
Secrets¶
To use docker-secrets that are available inside the container as pre-exported environment variables, we can specify the variable as SECRET__(variablename)
with the path to the secret-file set as the value, and at runtime it should read and export the secret as the value of variablename
. These environment variables are available to any scope that uses container-env (with-contenv
).
Usershell¶
Docker images by default, do not provide a easy way to dynamically drop privileges to a user before executing CMD
definitions, it is not always feasible to hardcode those in the Dockerfile
and it becomes more complex with the additional initialization stages that s6
introduces. To ease this problem, in addition to the /init
entrypoint script that s6 brings, another alternate script is added at /usershell
that takes over the initialization stage tasks, and then executes the CMD
as a not-root user. This way, images that set their entrypoint to /usershell
have all the benefits of s6, but the CMD that is run, is run by S6_USER
(by default alpine
). Checkout any of the images tagged usershell for an example.
Build Your Own¶
Feel free to clone (or fork) the repository and customize it for your own usage, build the image for yourself on your own systems, and optionally, push it to your own public (or private) repository.
Here's how...
Setting up¶
Before we clone the /repository, we must have Git, GNU make, and Docker (optionally, with buildx plugin for multi-platform images) setup on the machine. Also, for multi-platform annotations, we might require enabling experimental features of Docker.
Now, to get the code,
Clone the repository with,
To get a list of all available targets, run
Always Check Before You Make!
Did you know, we could check what any make target is going to execute before we actually run them, with
Build and Test¶
To create the image for your architecture, run the build
and test
target with
For building an image that targets another architecture, it is required to specify the ARCH
parameter when building. e.g.
Build Parameters
All images have a few common build parameters that can be customized at build time, like
ARCH
- The target architecture to build for. Defaults to host architecture, auto-detected at build-time if not specified. Also determines if binfmt support is required before build or run and runs the
regbinfmt
target automatically. Possible values areaarch64
,armhf
,armv7l
, andx86_64
.
BUILDDATE
- The date of the build. Can be used to create separate tags for images. (format:
yyyymmdd
)
DOCKERFILE
- The dockerfile to use for build. Defaults to the file Dockerfile, but if per-arch dockerfiles exist, (e.g. for x86_64 the filename would be
Dockerfile_x86_64
) that is used instead.
TESTCMD
- The command to run for testing the image after build. Runs in a bash shell.
VERSION
- The version of the app/tool, may need to be preset before starting the build (e.g. for binaries from github releases), or extracted from the image after build (e.g. for APK or pip packages).
REGISTRY
- The registry to push to, defaults to the Docker Hub Registry (
docker.io
) or any custom registry that is set via docker configurations. Does not need to be changed for local or test builds, but to override, either pass it by setting an environment variable, or with everymake
command.
ORGNAME
- The organization (or user) name under which the image repositories exist, defaults to
woahbase
. Does not need to be changed for local or test builds, but to override, either pass it by setting an environment variable, or with everymake
command.
The image may also require custom parameters (like binary architecture). Before you build, check the makefile for a complete list of parameters to see what may (or may not) need to be set.
BuildX and Self-signed certificates
If you're using a private registry (a-la docker distribution server) with self-signed certificates, that fail to validate when pulling/pushing images. You will need to configure buildx to allow insecure access to the registry. This is configured via the config.toml
file. A sample is provided in the repository, make sure to replace YOUR.PRIVATE.REGISTRY
with your own (include port if needed).
Make to Run¶
Running the image creates a container and either starts a service (for service images) or provides a shell (can be either a root-shell or usershell) to execute commands in, depending on the image. We can run the image with
But if we just need a root-shell in the container without any fance pre-tasks (e.g. for debug or to test something bespoke), we can run bash
in the container with --entrypoint /bin/bash
. This is wrapped in the makefile as
Nothing vs All vs Run vs Shell
By default, if make
is run without any arguments, it calls the target all
. In our case this is usually mapped to the target run
(which in turn may be mapped to shell
).
There may be more such targets defined as per the usage of the image. Check the makefile for more information.
Push the Image¶
If the build and test steps finish without any error, and we want to use the image on other machines, it is the next step push the image we built to a container image repository (like /hub), for that, run the push
target with
If the built image targets another architecture then it is required to specify the ARCH
parameter when pushing. e.g.
Pushing Multiple Tags
With a single make push
, we are actually pushing 3 tags of the same image, e.g. for x86_64
architecture, they're namely
alpine-s6:x86_64
- The actual image that is built.
alpine-s6:x86_64_(version)
- It is expected that the application is versioned when built or packaged, it can be specified in the tag, this makes pulling an image by tag possible. Usually this is obtained from the parameter
VERSION
, which by default, is set by calling a function to extract the version string from the package installed in the container, or from github releases. Can be skipped with the parameterSKIP_VERSIONTAG
to a non-empty string value like1
.
alpine-s6:x86_64_(version)_(builddate)
- When building multiple versions of the same image (e.g. for providing fixes or revisions), this ensures that a more recent push does not fully replace a previously pushed image. This way, although the architecture and version tags are replaced, it is possible to roll back to the previously built image by build date (format
yyyymmdd
). This value is obtained from theBUILDDATE
parameter, and if not essential, can be skipped by setting the parameterSKIP_BUILDDATETAG
to a non-empty string value like1
.
Pushing To A Private Registry
If you want to push the image to a custom registry that is not pre-configured on your system, you can set the REGISTRY
variable either on the build environment, or as a makefile parameter, and that will be used instead of the default Docker Hub repository. Make sure to have push access set up before you actually push, and include port if needed. E.g.
or
Annotate Manifest(s)¶
For single architecture images, the above should suffice, the built image can be used in the host machine, and on other machines that have the same architecture too, i.e. after a push.
But for use-cases that need to support multiple architectures, there's a couple more things that need to be done. We need to create
(or amend
if already created beforehand) a manifest for the image(s) that we built, then annotate it to map the images to their respective architectures. And for our three tags created above we need to do it thrice.
Did you know?
We can inspect the manifest of any image by running
Tag Latest¶
Assuming we built the images for all supported architectures, to facilitate pulling the correct image for the architecture, we can create/amend the latest
manifest and annotate it to map the tags :aarch64
, :armhf
, :armv7l
, :x86_64
to the tag :latest
by running
How it works
First we create or amend the manifest with the tag latest
Then annotate the image for each architecture in the manifest with
And finally, push it to the repository using
Tag Version¶
Next, to facilitate pulling images by version, we create/amend the image-version manifest and annotate it to map the tags :aarch64_(version)
, :armhf_(version)
, :armv7l_(version)
, :x86_64_(version)
to the tag :(version)
by running
How it works
First we create or amend the manifest with the tag (version)
Then annotate the image for each architecture in the manifest with
And finally, push it to the repository using
Tag Build-Date¶
Then, (optionally) we create/amend the (version)_(builddate)
manifest and annotate it to map the tags :aarch64_(version)_(builddate)
, :armhf_(version)_(builddate)
, :armv7l_(version)_(builddate)
, :x86_64_(version)_(builddate)
to the tag :(version)_(builddate)
by running
How it works
First we create or amend the manifest with the tag (version)_(builddate)
Then annotate the image for each architecture in the manifest with
And finally, push it to the repository using
That's all folks! Happy containerizing!
Maintenance¶
Sources at Github. Built and tested at home using Buildbot. Images at Docker Hub.
Maintained (or sometimes a lack thereof?) by WOAHBase.