# Build-time knobs (override with --build-arg).
# TEDGE_TAG is a mutable tag; for fully reproducible builds pin the base
# image by digest as well (FROM ...@sha256:<digest-placeholder>).
ARG TEDGE_TAG=2.0.0
# thin-edge.io base image name: tedge, tedge-main
ARG TEDGE_IMAGE=tedge
FROM ghcr.io/thin-edge/${TEDGE_IMAGE}:${TEDGE_TAG}

# Populated automatically by BuildKit (e.g. linux/amd64, linux/arm64);
# used below to choose the matching s6-overlay build
ARG TARGETPLATFORM
ARG S6_OVERLAY_VERSION=3.2.0.0
# Match default tedge uid/gid used by Yocto images, so files/sockets shared
# from the host line up with the non-root user inside the container
ARG USERID=999
ARG GROUPID=992
# Root of the persistent state (agent state, logs and plugin data are
# placed under it further down; mount a volume here)
ARG DATA_DIR=/data/tedge

# Package installation and ownership changes below need root; the image
# drops back to the unprivileged tedge user before CMD
USER root
# Runtime tooling (alphabetical, one package per line):
# - mosquitto: the local MQTT broker (configured from files/mosquitto/mosquitto.conf below)
# - shadow: provides usermod/groupmod used to remap the tedge uid/gid
# - sudo: lets the unprivileged tedge user run the commands whitelisted in /etc/sudoers.d
# - bash, curl, jq: presumably used by the helper scripts copied into /usr/bin
# Note: ca-certificates is required for the initial connection with c8y (otherwise the
# c8y cert is not trusted). It is not listed here, so it presumably comes with the base
# image - confirm before relying on it. Package versions are not pinned (hadolint DL3018);
# the base image tag is the only reproducibility anchor.
RUN apk add --no-cache \
        bash \
        curl \
        jq \
        mosquitto \
        shadow \
        sudo
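# Install s6-overlay (the process supervisor started by CMD ["/init"])
# Arch mapping based on https://github.com/just-containers/s6-overlay#which-architecture-to-use-depending-on-your-targetarch
# NOTE(review): the release tarballs are fetched over HTTPS but are not checked
# against a pinned checksum or signature before being unpacked into / as root.
# Consider recording the sha256 of each tarball next to S6_OVERLAY_VERSION and
# verifying it, e.g. `echo "<sha256-placeholder>  /tmp/s6-overlay-noarch.tar.xz" | sha256sum -c -`.
RUN case "${TARGETPLATFORM}" in \
        "linux/amd64")  S6_ARCH=x86_64 ;; \
        "linux/arm64")  S6_ARCH=aarch64 ;; \
        "linux/arm/v6") S6_ARCH=armhf ;; \
        "linux/arm/v7") S6_ARCH=arm ;; \
        *) echo "Unsupported target platform: TARGETPLATFORM=$TARGETPLATFORM"; exit 1 ;; \
    esac \
    && S6_URL="https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}" \
    # --fail makes curl exit non-zero on an HTTP error (e.g. a 404 for an unknown
    # version) instead of saving the error page and leaving tar to fail with a
    # confusing message; --show-error keeps the error text despite --silent
    && curl --fail --silent --show-error --location \
        "${S6_URL}/s6-overlay-noarch.tar.xz" --output /tmp/s6-overlay-noarch.tar.xz \
    && curl --fail --silent --show-error --location \
        "${S6_URL}/s6-overlay-${S6_ARCH}.tar.xz" --output "/tmp/s6-overlay-${S6_ARCH}.tar.xz" \
    && tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz \
    && tar -C / -Jxpf "/tmp/s6-overlay-${S6_ARCH}.tar.xz" \
    # remove the archives in the same layer so they do not bloat the image
    && rm -f /tmp/s6-overlay-noarch.tar.xz "/tmp/s6-overlay-${S6_ARCH}.tar.xz"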
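# Add custom service definitions (e.g. s6-overlay) and community plugins.
# The stock system.toml is removed first (presumably so the installer can
# provide the s6-overlay specific one - confirm against install-services.sh)
RUN rm -f /etc/tedge/system.toml
# The installer is saved to a file and run from there instead of being piped
# into sh: with `wget -O - ... | sh`, a failed download leaves sh reading an
# empty script and the step "succeeds" with no services installed, because
# plain /bin/sh has no pipefail. A failed wget now fails the build.
# NOTE(review): the script is still unpinned remote code executed as root at
# build time; there is no published checksum on this page to verify it against.
RUN wget -O /tmp/install-services.sh https://thin-edge.io/install-services.sh \
    && sh /tmp/install-services.sh s6_overlay \
    && rm -f /tmp/install-services.sh \
    && apk add --no-cache \
        # Enable easier management of containers using docker compose
        # without requiring the cli to be installed on the host (as read-only filesystems)
        # might not have access to it
        # Note: Volumes should be configured to persist the docker compose files
        docker-cli-compose \
        tedge-apk-plugin \
        tedge-command-plugin \
        "tedge-container-plugin-ng" \
    # Support updating from older images which still use the deprecated self type
    && ln -s /usr/bin/tedge-container /etc/tedge/sm-plugins/self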
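# Set an explicit uid and gid to allow better control
# when sharing files/sockets from the host to the non-root user
# running in the container
# Set permissions of all files under /etc/tedge
# TODO: Can thin-edge.io set permissions during installation?
# Sudo policy: every rule below is NOPASSWD, i.e. the tedge user can run each
# listed command as root with no credential. Keep the lists as short as possible
# and prefer explicit paths over globs where the plugin layout allows it.
RUN usermod -u "$USERID" tedge \
    && groupmod -g "$GROUPID" tedge \
    # create empty folder so basic auth credentials can be mounted to it
    && mkdir -p /etc/tedge/credentials \
    && chown -R tedge:tedge /etc/tedge \
    && chown -R tedge:tedge /var/tedge \
    # original tedge settings
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge, /etc/tedge/sm-plugins/[a-zA-Z0-9]*, /bin/sync, /sbin/init" > /etc/sudoers.d/tedge \
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge-write /etc/*" >> /etc/sudoers.d/tedge \
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /usr/share/tedge/log-plugins/[a-zA-Z0-9]*" >> /etc/sudoers.d/tedge \
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /usr/share/tedge/config-plugins/[a-zA-Z0-9]*" >> /etc/sudoers.d/tedge \
    # additional sudoers rules (note: /bin/kill as root can signal any process in the container)
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /bin/sync, /sbin/init, /usr/bin/tedgectl, /bin/kill" >/etc/sudoers.d/tedge-system \
    # respect all tedge-container-plugin env variables when running commands under sudo
    && echo 'Defaults env_keep += "CONTAINER_*"' >/etc/sudoers.d/tedge-containers \
    # NOTE: root access to docker/podman is root-equivalent on the host whenever the
    # host's container-runtime socket is mounted into this container; this is what
    # the container plugin needs, but it is the most powerful rule in the set
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge-container, /usr/bin/docker, /usr/bin/podman, /usr/bin/podman-remote, /usr/bin/podman-compose" >>/etc/sudoers.d/tedge-containers \
    && echo "tedge ALL = (ALL) NOPASSWD:SETENV: /usr/bin/fix-permissions.sh" >> /etc/sudoers.d/tedge-fix-permissions \
    # sudoers.d drop-ins are conventionally root-owned and mode 0440 (the shell
    # redirections above create them 0644). Validate each file so a syntax error
    # fails the build instead of breaking sudo for every rule at runtime.
    && chmod 0440 /etc/sudoers.d/tedge /etc/sudoers.d/tedge-system /etc/sudoers.d/tedge-containers /etc/sudoers.d/tedge-fix-permissions \
    && visudo -cf /etc/sudoers.d/tedge \
    && visudo -cf /etc/sudoers.d/tedge-system \
    && visudo -cf /etc/sudoers.d/tedge-containers \
    && visudo -cf /etc/sudoers.d/tedge-fix-permissions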
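# Custom init. scripts - e.g. write env variables data to files
# (presumably run by s6-overlay at container start, so they need the exec bit)
COPY --chmod=0755 cont-init.d/* /etc/cont-init.d/

# mosquitto configuration; point its persistence directory at the persistent data dir
COPY files/mosquitto/mosquitto.conf /etc/mosquitto/mosquitto.conf
RUN mkdir -p "$DATA_DIR" \
    && chown -R tedge:tedge "$DATA_DIR" \
    && sed -i "s|persistence_location .*|persistence_location $DATA_DIR/|g" /etc/mosquitto/mosquitto.conf

# Add custom thin-edge.io configuration (e.g. plugin config)
COPY files/tedge/tedge.toml /etc/tedge/
COPY files/tedge/plugins/*.toml /etc/tedge/plugins/
COPY files/tedge/c8y_RemoteAccessConnect /etc/tedge/operations/c8y/
# Helper scripts under /usr/bin are copied root-owned (COPY default) with an
# explicit 0755 so their mode does not depend on the build context's file modes.
# fix-permissions.sh in particular is runnable as root via sudo (see
# /etc/sudoers.d/tedge-fix-permissions), so it must never be writable by tedge.
COPY --chmod=0755 files/tedge/launch-remote-access.sh /usr/bin/
# Self update workflow
COPY files/tedge/software_update.toml /etc/tedge/operations/
COPY files/tedge/self_update.toml /etc/tedge/operations/
# Self update compatibility script for updating from images <= 20241126.1855
COPY --chmod=0755 files/tedge/self_update.sh /usr/bin/
# Container log_upload custom handler
COPY --chmod=0755 files/tedge/container-logs.sh /usr/bin/
COPY files/tedge/log_upload.toml /etc/tedge/operations/
COPY files/tedge/log_upload_container.toml /etc/tedge/operations/
# Script to fix the permissions / ownership which is called on container startup
COPY --chmod=0755 files/tedge/fix-permissions.sh /usr/bin/
# Helper script to set the Cumulocity Basic Auth more easily
COPY --chmod=0755 files/tedge/set-c8y-basic-auth.sh /usr/bin/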
# s6-overlay supervisor settings: stop the container when a stage-2 (service
# startup) step fails, and wait up to 30000 ms for services to come up
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 \
    S6_CMD_WAIT_FOR_SERVICES_MAXTIME=30000

# Control which mappers are running (presumably 1 = enabled, 0 = disabled).
# You can see the list of thin-edge.io services and the related env variable
# in the service definition under:
# * https://github.com/thin-edge/tedge-services/tree/main/services/s6-overlay/s6-rc.d
ENV SERVICE_MOSQUITTO=1 \
    SERVICE_TEDGE_AGENT=1 \
    SERVICE_TEDGE_MAPPER_C8Y=1 \
    SERVICE_TEDGE_CONTAINER_PLUGIN=1 \
    SERVICE_TEDGE_MAPPER_AWS=0 \
    SERVICE_TEDGE_MAPPER_AZ=0 \
    SERVICE_TEDGE_MAPPER_COLLECTD=0 \
    SERVICE_C8Y_FIRMWARE_PLUGIN=0

# Control thin-edge.io settings via env variables.
# The c8y proxy and HTTP services listen on all container interfaces (so they
# are reachable from sibling containers and via published ports), while the
# in-container clients use loopback.
ENV TEDGE_C8Y_PROXY_BIND_ADDRESS=0.0.0.0 \
    TEDGE_HTTP_BIND_ADDRESS=0.0.0.0 \
    TEDGE_RUN_LOCK_FILES=false \
    TEDGE_MQTT_CLIENT_HOST=127.0.0.1 \
    TEDGE_HTTP_CLIENT_HOST=127.0.0.1 \
    TEDGE_C8Y_PROXY_CLIENT_HOST=127.0.0.1

# Store the agent information in the persistent data
# but don't share too much data as it can be destructive
ENV TEDGE_AGENT_STATE_PATH="$DATA_DIR/agent" \
    TEDGE_LOGS_PATH="$DATA_DIR/logs"
# ensure tedge-container-plugin data is stored in a persistent directory
ENV CONTAINER_DATA_DIR="$DATA_DIR/tedge-container-plugin/data" \
    CONTAINER_REGISTRY_CREDENTIALS_PATH="$DATA_DIR/tedge-container-plugin/credentials.toml"

# Persist tedge.toml under /data/tedge/tedge.toml by using
# a symlink from /etc/tedge/tedge.toml to /data/tedge/tedge.toml
# This allows the tedge.toml to be maintained across updates
ENV PERSIST_TEDGE_TOML=1
# Persist the mappers configuration under /data/tedge/mappers by using
# a symlink from /etc/tedge/mappers to /data/tedge/mappers.
# This allows the mappers configuration to be maintained across updates
ENV PERSIST_MAPPER_CONFIGS=1

# Documented ports (EXPOSE publishes nothing by itself): 1883 for the mosquitto
# broker; 8000/8001 presumably the HTTP and c8y proxy services bound to 0.0.0.0
# above - confirm against tedge.toml
EXPOSE 1883 8000 8001

# Drop privileges: the remaining build steps and the runtime process run as tedge
USER tedge
# Allow users to re-use the container for one-off commands
# to ensure the thin-edge.io version remains the same
CMD ["/init"]