├── .dockerignore ├── .gitattributes ├── .github └── workflows │ ├── cron.update.yml │ ├── docker.yml │ ├── readme.yml │ └── tags.yml ├── .gitignore ├── .json ├── LICENSE ├── README.md ├── arch.dockerfile ├── compose.yaml ├── project.md └── rootfs └── usr └── local └── bin ├── cmd-socket └── entrypoint.sh /.dockerignore: -------------------------------------------------------------------------------- 1 | .git* 2 | *.md 3 | LICENSE 4 | maintain/ 5 | project* -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | *.sh eol=lf -------------------------------------------------------------------------------- /.github/workflows/cron.update.yml: -------------------------------------------------------------------------------- 1 | name: cron-update 2 | 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | - cron: "0 5 * * *" 7 | 8 | jobs: 9 | cron-update: 10 | runs-on: ubuntu-latest 11 | 12 | permissions: 13 | actions: read 14 | contents: write 15 | 16 | steps: 17 | - name: init / checkout 18 | uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 19 | with: 20 | ref: 'master' 21 | fetch-depth: 0 22 | 23 | - name: cron-update / get latest version 24 | run: | 25 | echo "LATEST_VERSION=$(curl -s https://api.github.com/repos/ptchinster/dcron/tags | jq .[0].name | sed -E 's/[v"]//g')" >> "${GITHUB_ENV}" 26 | echo "LATEST_TAG=$(git describe --abbrev=0 --tags `git rev-list --tags --max-count=1` | sed 's/v//')" >> "${GITHUB_ENV}" 27 | 28 | - name: cron-update / setup node 29 | uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 30 | with: 31 | node-version: '20' 32 | - run: npm i semver 33 | 34 | - name: cron-update / compare latest with current version 35 | uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298 36 | with: 37 | script: | 38 | const { existsSync, readFileSync, writeFileSync } = require('node:fs'); 39 | const { resolve } = require('node:path'); 40 | const { inspect } = require('node:util'); 41 | const semver = require('semver') 42 | const repository = {dot:{}}; 43 | 44 | try{ 45 | const path = resolve('.json'); 46 | if(existsSync(path)){ 47 | try{ 48 | repository.dot = JSON.parse(readFileSync(path).toString()); 49 | }catch(e){ 50 | throw new Error('could not parse .json'); 51 | } 52 | }else{ 53 | throw new Error('.json does not exist'); 54 | } 55 | }catch(e){ 56 | core.setFailed(e); 57 | } 58 | 59 | const latest = semver.valid(semver.coerce('${{ env.LATEST_VERSION }}')); 60 | const current = semver.valid(semver.coerce(repository.dot.semver.version)); 61 | const tag = semver.valid(semver.coerce('${{ env.LATEST_TAG }}')); 62 | 63 | if(latest && latest !== current){ 64 | core.info(`new ${semver.diff(current, latest)} release found (${latest})!`) 65 | repository.dot.semver.version = latest; 66 | if(tag){ 67 | core.exportVariable('WORKFLOW_NEW_TAG', semver.inc(tag, semver.diff(current, latest))); 68 | } 69 | 70 | if(repository.dot.semver?.latest){ 71 | repository.dot.semver.latest = repository.dot.semver.version; 72 | } 73 | 74 | if(repository.dot?.readme?.comparison?.image){ 75 | repository.dot.readme.comparison.image = repository.dot.readme.comparison.image.replace(current, repository.dot.semver.version); 76 | } 77 | 78 | try{ 79 | writeFileSync(resolve('.json'), JSON.stringify(repository.dot, null, 2)); 80 | core.exportVariable('WORKFLOW_AUTO_UPDATE', true); 81 | }catch(e){ 82 | core.setFailed(e); 83 | } 84 | }else{ 85 | core.info('no new release found'); 86 | } 87 | 88 | core.info(inspect(repository.dot, {showHidden:false, depth:null, colors:true})); 89 | 90 | - name: cron-update / checkout 91 | id: checkout 92 | if: env.WORKFLOW_AUTO_UPDATE == 'true' 93 | run: | 94 | git config user.name "github-actions[bot]" 95 | git config user.email "41898282+github-actions[bot]@users.noreply.github.com" 96 | git add .json 97 | git commit -m "[upgrade] ${{ env.LATEST_VERSION }}" 98 | git push origin HEAD:master 99 | 100 | - name: cron-update / tag 101 | if: env.WORKFLOW_AUTO_UPDATE == 'true' && steps.checkout.outcome == 'success' 102 | run: | 103 | SHA256=$(git rev-list --branches --max-count=1) 104 | git tag -a v${{ env.WORKFLOW_NEW_TAG }} -m "v${{ env.WORKFLOW_NEW_TAG }}" ${SHA256} 105 | git push --follow-tags 106 | 107 | - name: cron-update / build docker image 108 | if: env.WORKFLOW_AUTO_UPDATE == 'true' && steps.checkout.outcome == 'success' 109 | uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 110 | with: 111 | workflow: docker.yml 112 | wait-for-completion: false 113 | token: "${{ secrets.REPOSITORY_TOKEN }}" 114 | inputs: '{ "release":"true", "readme":"true" }' 115 | ref: "v${{ env.WORKFLOW_NEW_TAG }}" -------------------------------------------------------------------------------- /.github/workflows/docker.yml: -------------------------------------------------------------------------------- 1 | name: docker 2 | run-name: ${{ inputs.run-name }} 3 | 4 | on: 5 | workflow_dispatch: 6 | inputs: 7 | run-name: 8 | description: 'set run-name for workflow (multiple calls)' 9 | type: string 10 | required: false 11 | default: 'docker' 12 | 13 | runs-on: 14 | description: 'set runs-on for workflow (github or selfhosted)' 15 | type: string 16 | required: false 17 | default: 'ubuntu-22.04' 18 | 19 | build: 20 | description: 'set WORKFLOW_BUILD' 21 | required: false 22 | default: 'true' 23 | 24 | release: 25 | description: 'set WORKFLOW_GITHUB_RELEASE' 26 | required: false 27 | default: 'false' 28 | 29 | readme: 30 | description: 'set WORKFLOW_GITHUB_README' 31 | required: false 32 | default: 'false' 33 | 34 | etc: 35 | description: 'base64 encoded json string' 36 | required: false 37 | 38 | jobs: 39 | docker: 40 | runs-on: ${{ inputs.runs-on }} 41 | timeout-minutes: 1440 42 | 43 | services: 44 | registry: 45 | image: registry:2 46 | ports: 47 | - 5000:5000 48 | 49 | permissions: 50 | actions: read 51 | contents: write 52 | packages: write 53 | 54 | steps: 55 | - name: init / checkout 56 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 57 | with: 58 | ref: ${{ github.ref_name }} 59 | fetch-depth: 0 60 | 61 | - name: init / setup environment 62 | uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298 63 | with: 64 | script: | 65 | const { existsSync, readFileSync } = require('node:fs'); 66 | const { resolve } = require('node:path'); 67 | const { inspect } = require('node:util'); 68 | const { Buffer } = require('node:buffer'); 69 | const inputs = `${{ toJSON(github.event.inputs) }}`; 70 | const opt = {input:{}, dot:{}}; 71 | 72 | try{ 73 | if(inputs.length > 0){ 74 | opt.input = JSON.parse(inputs); 75 | if(opt.input?.etc){ 76 | opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii')); 77 | } 78 | } 79 | }catch(e){ 80 | core.warning('could not parse github.event.inputs'); 81 | } 82 | 83 | try{ 84 | const path = resolve('.json'); 85 | if(existsSync(path)){ 86 | try{ 87 | opt.dot = JSON.parse(readFileSync(path).toString()); 88 | }catch(e){ 89 | throw new Error('could not parse .json'); 90 | } 91 | }else{ 92 | throw new Error('.json does not exist'); 93 | } 94 | }catch(e){ 95 | core.setFailed(e); 96 | } 97 | 98 | core.info(inspect(opt, {showHidden:false, depth:null, colors:true})); 99 | 100 | const docker = { 101 | image:{ 102 | name:opt.dot.image, 103 | arch:(opt.dot.arch || 'linux/amd64,linux/arm64'), 104 | prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''), 105 | suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''), 106 | description:(opt.dot?.readme?.description || ''), 107 | tags:[], 108 | }, 109 | app:{ 110 | image:opt.dot.image, 111 | name:opt.dot.name, 112 | version:(opt.input?.etc?.version || opt.dot.semver.version), 113 | root:opt.dot.root, 114 | UID:(opt.input?.etc?.uid || 1000), 115 | GID:(opt.input?.etc?.gid || 1000), 116 | no_cache:new Date().getTime(), 117 | }, 118 | cache:{ 119 | registry:'localhost:5000/', 120 | }, 121 | tags:[], 122 | }; 123 | 124 | docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`; 125 | docker.cache.grype = `${docker.cache.registry}${docker.image.name}:${docker.image.prefix}grype${docker.image.suffix}`; 126 | docker.app.prefix = docker.image.prefix; 127 | docker.app.suffix = docker.image.suffix; 128 | 129 | // setup tags 130 | if(!opt.dot.semver?.disable?.rolling){ 131 | docker.image.tags.push('rolling'); 132 | } 133 | if(opt.input?.etc?.dockerfile !== 'arch.dockerfile' && opt.input?.etc?.tag){ 134 | docker.image.tags.push(`${context.sha.substring(0,7)}`); 135 | docker.image.tags.push(opt.input.etc.tag); 136 | docker.image.tags.push(`${opt.input.etc.tag}-${docker.app.version}`); 137 | docker.cache.name = `${docker.image.name}:buildcache-${opt.input.etc.tag}`; 138 | }else if(opt.dot?.semver?.version){ 139 | const semver = opt.dot.semver.version.split('.'); 140 | docker.image.tags.push(`${context.sha.substring(0,7)}`); 141 | if(Array.isArray(semver)){ 142 | if(semver.length >= 1) docker.image.tags.push(`${semver[0]}`); 143 | if(semver.length >= 2) docker.image.tags.push(`${semver[0]}.${semver[1]}`); 144 | if(semver.length >= 3) docker.image.tags.push(`${semver[0]}.${semver[1]}.${semver[2]}`); 145 | } 146 | if(opt.dot.semver?.stable && new RegExp(opt.dot.semver.stable, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('stable'); 147 | if(opt.dot.semver?.latest && new RegExp(opt.dot.semver.latest, 'ig').test(docker.image.tags.join(','))) docker.image.tags.push('latest'); 148 | }else if(opt.input?.etc?.version && opt.input.etc.version === 'latest'){ 149 | docker.image.tags.push('latest'); 150 | } 151 | 152 | for(const tag of docker.image.tags){ 153 | docker.tags.push(`${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`); 154 | docker.tags.push(`ghcr.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`); 155 | //docker.tags.push(`quay.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`); - service is down 156 | } 157 | 158 | // setup build arguments 159 | if(opt.input?.etc?.build?.args){ 160 | for(const arg in opt.input.etc.build.args){ 161 | docker.app[arg] = opt.input.etc.build.args[arg]; 162 | } 163 | } 164 | if(opt.dot?.build?.args){ 165 | for(const arg in opt.dot.build.args){ 166 | docker.app[arg] = opt.dot.build.args[arg]; 167 | } 168 | } 169 | const arguments = []; 170 | for(const argument in docker.app){ 171 | arguments.push(`APP_${argument.toUpperCase()}=${docker.app[argument]}`); 172 | } 173 | 174 | // export to environment 175 | core.exportVariable('DOCKER_CACHE_REGISTRY', docker.cache.registry); 176 | core.exportVariable('DOCKER_CACHE_NAME', docker.cache.name); 177 | core.exportVariable('DOCKER_CACHE_GRYPE', docker.cache.grype); 178 | 179 | core.exportVariable('DOCKER_IMAGE_NAME', docker.image.name); 180 | core.exportVariable('DOCKER_IMAGE_ARCH', docker.image.arch); 181 | core.exportVariable('DOCKER_IMAGE_TAGS', docker.tags.join(',')); 182 | core.exportVariable('DOCKER_IMAGE_DESCRIPTION', docker.image.description); 183 | core.exportVariable('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n")); 184 | core.exportVariable('DOCKER_IMAGE_DOCKERFILE', opt.input?.etc?.dockerfile || 'arch.dockerfile'); 185 | 186 | core.exportVariable('WORKFLOW_BUILD', (opt.input?.build === undefined) ? false : opt.input.build); 187 | core.exportVariable('WORKFLOW_CREATE_RELEASE', (opt.input?.release === undefined) ? false : opt.input.release); 188 | core.exportVariable('WORKFLOW_CREATE_README', (opt.input?.readme === undefined) ? false : opt.input.readme); 189 | core.exportVariable('WORKFLOW_GRYPE_FAIL_ON_SEVERITY', (opt.dot?.grype?.fail === undefined) ? true : opt.dot.grype.fail); 190 | core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high')); 191 | if(opt.dot?.readme?.comparison){ 192 | core.exportVariable('WORKFLOW_CREATE_COMPARISON', true); 193 | core.exportVariable('WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE', opt.dot.readme.comparison.image); 194 | core.exportVariable('WORKFLOW_CREATE_COMPARISON_IMAGE', `${docker.image.name}:${docker.app.version}`); 195 | } 196 | 197 | 198 | 199 | # DOCKER 200 | - name: docker / login to hub 201 | uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 202 | with: 203 | username: 11notes 204 | password: ${{ secrets.DOCKER_TOKEN }} 205 | 206 | - name: github / login to ghcr 207 | uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 208 | with: 209 | registry: ghcr.io 210 | username: 11notes 211 | password: ${{ secrets.GITHUB_TOKEN }} 212 | 213 | - name: quay / login to quay 214 | uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 215 | with: 216 | registry: quay.io 217 | username: 11notes+github 218 | password: ${{ secrets.QUAY_TOKEN }} 219 | 220 | - name: docker / setup qemu 221 | if: env.WORKFLOW_BUILD == 'true' 222 | uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a 223 | 224 | - name: docker / setup buildx 225 | if: env.WORKFLOW_BUILD == 'true' 226 | uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 227 | with: 228 | driver-opts: network=host 229 | 230 | - name: docker / build & push & tag grype 231 | if: env.WORKFLOW_BUILD == 'true' 232 | id: docker-build 233 | uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d 234 | with: 235 | context: . 236 | file: ${{ env.DOCKER_IMAGE_DOCKERFILE }} 237 | push: true 238 | platforms: ${{ env.DOCKER_IMAGE_ARCH }} 239 | cache-from: type=registry,ref=${{ env.DOCKER_CACHE_NAME }} 240 | cache-to: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true 241 | build-args: | 242 | ${{ env.DOCKER_IMAGE_ARGUMENTS }} 243 | tags: | 244 | ${{ env.DOCKER_CACHE_GRYPE }} 245 | 246 | - name: grype / scan 247 | if: env.WORKFLOW_BUILD == 'true' 248 | id: grype 249 | uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e 250 | with: 251 | image: ${{ env.DOCKER_CACHE_GRYPE }} 252 | fail-build: ${{ env.WORKFLOW_GRYPE_FAIL_ON_SEVERITY }} 253 | severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }} 254 | output-format: 'sarif' 255 | by-cve: true 256 | cache-db: true 257 | 258 | - name: grype / fail 259 | if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure') 260 | uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e 261 | with: 262 | image: ${{ env.DOCKER_CACHE_GRYPE }} 263 | fail-build: false 264 | severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }} 265 | output-format: 'table' 266 | by-cve: true 267 | cache-db: true 268 | 269 | - name: docker / build & push 270 | if: env.WORKFLOW_BUILD == 'true' 271 | uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d 272 | with: 273 | context: . 274 | file: ${{ env.DOCKER_IMAGE_DOCKERFILE }} 275 | push: true 276 | sbom: true 277 | provenance: mode=max 278 | platforms: ${{ env.DOCKER_IMAGE_ARCH }} 279 | cache-from: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }} 280 | cache-to: type=registry,ref=${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true 281 | build-args: | 282 | ${{ env.DOCKER_IMAGE_ARGUMENTS }} 283 | tags: | 284 | ${{ env.DOCKER_IMAGE_TAGS }} 285 | 286 | 287 | 288 | # RELEASE 289 | - name: github / release / log 290 | continue-on-error: true 291 | id: git-log 292 | run: | 293 | LOCAL_LAST_TAG=$(git describe --abbrev=0 --tags `git rev-list --tags --skip=1 --max-count=1`) 294 | echo "using last tag: ${LOCAL_LAST_TAG}" 295 | LOCAL_COMMITS=$(git log ${LOCAL_LAST_TAG}..HEAD --oneline) 296 | 297 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) 298 | echo "commits<<${EOF}" >> ${GITHUB_OUTPUT} 299 | echo "${LOCAL_COMMITS}" >> ${GITHUB_OUTPUT} 300 | echo "${EOF}" >> ${GITHUB_OUTPUT} 301 | 302 | - name: github / release / markdown 303 | if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-log.outcome == 'success' 304 | id: git-release 305 | uses: 11notes/action-docker-release@v1 306 | # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?! 307 | # --------------------------------------------------------------------------------- 308 | # the next step "github / release / create" creates a new release based on the code 309 | # in the repo. This code is not modified and can't be modified by this action. 310 | # It does create the markdown for the release, which could be abused, but to what 311 | # extend? Adding a link to a malicious repo? 312 | with: 313 | git_log: ${{ steps.git-log.outputs.commits }} 314 | 315 | - name: github / release / create 316 | if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-release.outcome == 'success' 317 | uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0 318 | env: 319 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 320 | with: 321 | tag_name: ${{ github.ref }} 322 | release_name: ${{ github.ref }} 323 | body: ${{ steps.git-release.outputs.release }} 324 | draft: false 325 | prerelease: false 326 | 327 | 328 | 329 | 330 | # LICENSE 331 | - name: license / update year 332 | continue-on-error: true 333 | uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298 334 | with: 335 | script: | 336 | const { existsSync, readFileSync, writeFileSync } = require('node:fs'); 337 | const { resolve } = require('node:path'); 338 | const file = 'LICENSE'; 339 | const year = new Date().getFullYear(); 340 | try{ 341 | const path = resolve(file); 342 | if(existsSync(path)){ 343 | let license = readFileSync(file).toString(); 344 | if(!new RegExp(`Copyright \\(c\\) ${year} 11notes`, 'i').test(license)){ 345 | license = license.replace(/Copyright \(c\) \d{4} /i, `Copyright (c) ${new Date().getFullYear()} `); 346 | writeFileSync(path, license); 347 | } 348 | }else{ 349 | throw new Error(`file ${file} does not exist`); 350 | } 351 | }catch(e){ 352 | core.setFailed(e); 353 | } 354 | 355 | 356 | 357 | 358 | # README 359 | - name: github / checkout HEAD 360 | continue-on-error: true 361 | run: | 362 | git checkout HEAD 363 | 364 | - name: docker / setup comparison images 365 | if: env.WORKFLOW_CREATE_COMPARISON == 'true' 366 | continue-on-error: true 367 | run: | 368 | docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }} 369 | docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size0.log 370 | 371 | docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} 372 | docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size1.log 373 | 374 | docker run --entrypoint "/bin/sh" --rm ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} -c id &> ./comparison.id.log 375 | 376 | - name: github / create README.md 377 | id: github-readme 378 | continue-on-error: true 379 | if: env.WORKFLOW_CREATE_README == 'true' 380 | uses: 11notes/action-docker-readme@v1 381 | # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?! 382 | # --------------------------------------------------------------------------------- 383 | # the next step "github / commit & push" only adds the README and LICENSE as well as 384 | # compose.yaml to the repository. This does not pose a security risk if this action 385 | # would be compromised. The code of the app can't be changed by this action. Since 386 | # only the files mentioned are commited to the repo. Sure, someone could make a bad 387 | # compose.yaml, but since this serves only as an example I see no harm in that. 388 | with: 389 | sarif_file: ${{ steps.grype.outputs.sarif }} 390 | build_output_metadata: ${{ steps.docker-build.outputs.metadata }} 391 | 392 | - name: docker / push README.md to docker hub 393 | continue-on-error: true 394 | if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != '' 395 | uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8 396 | env: 397 | DOCKER_USER: 11notes 398 | DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }} 399 | with: 400 | destination_container_repo: ${{ env.DOCKER_IMAGE_NAME }} 401 | provider: dockerhub 402 | short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }} 403 | readme_file: 'README_NONGITHUB.md' 404 | 405 | - name: github / commit & push 406 | continue-on-error: true 407 | if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != '' 408 | run: | 409 | git config user.name "github-actions[bot]" 410 | git config user.email "41898282+github-actions[bot]@users.noreply.github.com" 411 | git add README.md 412 | if [ -f compose.yaml ]; then 413 | git add compose.yaml 414 | fi 415 | if [ -f LICENSE ]; then 416 | git add LICENSE 417 | fi 418 | git commit -m "github-actions[bot]: update README.md" 419 | git push origin HEAD:master 420 | 421 | 422 | 423 | 424 | # REPOSITORY SETTINGS 425 | - name: github / update description and set repo defaults 426 | run: | 427 | curl --request PATCH \ 428 | --url https://api.github.com/repos/${{ github.repository }} \ 429 | --header 'authorization: Bearer ${{ secrets.REPOSITORY_TOKEN }}' \ 430 | --header 'content-type: application/json' \ 431 | --data '{ 432 | "description":"${{ env.DOCKER_IMAGE_DESCRIPTION }}", 433 | "homepage":"", 434 | "has_issues":true, 435 | "has_discussions":true, 436 | "has_projects":false, 437 | "has_wiki":false 438 | }' \ 439 | --fail -------------------------------------------------------------------------------- /.github/workflows/readme.yml: -------------------------------------------------------------------------------- 1 | name: readme 2 | 3 | on: 4 | workflow_dispatch: 5 | 6 | jobs: 7 | readme: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: update README.md 11 | uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 12 | with: 13 | wait-for-completion: false 14 | workflow: docker.yml 15 | token: "${{ secrets.REPOSITORY_TOKEN }}" 16 | inputs: '{ "build":"false", "release":"false", "readme":"true" }' -------------------------------------------------------------------------------- /.github/workflows/tags.yml: -------------------------------------------------------------------------------- 1 | name: tags 2 | on: 3 | push: 4 | tags: 5 | - 'v*' 6 | jobs: 7 | tags: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: build docker image 11 | uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 12 | with: 13 | workflow: docker.yml 14 | wait-for-completion: false 15 | token: "${{ secrets.REPOSITORY_TOKEN }}" 16 | inputs: '{ "release":"true", "readme":"true" }' -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | maintain/ -------------------------------------------------------------------------------- /.json: -------------------------------------------------------------------------------- 1 | { 2 | "image":"11notes/cron", 3 | "name":"cron", 4 | "root":"/cron", 5 | 6 | "semver":{ 7 | "version":"4.6" 8 | }, 9 | 10 | "readme":{ 11 | "description":"rootless cron scheduler with cmd-socket command", 12 | "parent":{ 13 | "image":"11notes/alpine:stable" 14 | }, 15 | "built":{ 16 | "dcron":"https://github.com/ptchinster/dcron" 17 | } 18 | } 19 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 11notes 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![banner](https://github.com/11notes/defaults/blob/main/static/img/banner.png?raw=true) 2 | 3 | # CRON 4 | [](https://github.com/11notes/docker-CRON)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![size](https://img.shields.io/docker/image-size/11notes/cron/4.6?color=0eb305)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![version](https://img.shields.io/docker/v/11notes/cron/4.6?color=eb7a09)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![pulls](https://img.shields.io/docker/pulls/11notes/cron?color=2b75d6)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)[](https://github.com/11notes/docker-CRON/issues)![5px](https://github.com/11notes/defaults/blob/main/static/img/transparent5x2px.png?raw=true)![swiss_made](https://img.shields.io/badge/Swiss_Made-FFFFFF?labelColor=FF0000&logo=data:image/svg%2bxml;base64,PHN2ZyB2ZXJzaW9uPSIxIiB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDMyIDMyIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxwYXRoIGQ9Im0wIDBoMzJ2MzJoLTMyeiIgZmlsbD0iI2YwMCIvPjxwYXRoIGQ9Im0xMyA2aDZ2N2g3djZoLTd2N2gtNnYtN2gtN3YtNmg3eiIgZmlsbD0iI2ZmZiIvPjwvc3ZnPg==) 5 | 6 | rootless cron scheduler with cmd-socket command 7 | 8 | # SYNOPSIS 📖 9 | **What can I do with this?** This image will give you the ability to execute cron jobs in a complete rootless environment. It also contains the ```cmd-socket``` command to execute commands inside other images that use the [cmd-socket](https://github.com/11notes/go-cmd-socket) binary. 10 | 11 | # COMPOSE ✂️ 12 | ```yaml 13 | name: "cron" 14 | services: 15 | cron: 16 | image: "11notes/cron:4.6" 17 | environment: 18 | TZ: "Europe/Zurich" 19 | CRONTAB: |- 20 | * * * * * eleven log info "I run every minute" >> /proc/1/fd/1 21 | 0 3 * * * cmd-socket '{"bin":"df", "arguments":["-h"]}' >> /proc/1/fd/1 22 | restart: "always" 23 | ``` 24 | 25 | # DEFAULT SETTINGS 🗃️ 26 | | Parameter | Value | Description | 27 | | --- | --- | --- | 28 | | `user` | docker | user name | 29 | | `uid` | 1000 | [user identifier](https://en.wikipedia.org/wiki/User_identifier) | 30 | | `gid` | 1000 | [group identifier](https://en.wikipedia.org/wiki/Group_identifier) | 31 | | `home` | /cron | home directory of user docker | 32 | 33 | # ENVIRONMENT 📝 34 | | Parameter | Value | Default | 35 | | --- | --- | --- | 36 | | `TZ` | [Time Zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) | | 37 | | `DEBUG` | Will activate debug option for container image and app (if available) | | 38 | 39 | # MAIN TAGS 🏷️ 40 | These are the main tags for the image. There is also a tag for each commit and its shorthand sha256 value. 41 | 42 | * [4.6](https://hub.docker.com/r/11notes/cron/tags?name=4.6) 43 | 44 | ### There is no latest tag, what am I supposed to do about updates? 45 | It is of my opinion that the ```:latest``` tag is super dangerous. Many times, I’ve introduced **breaking** changes to my images. This would have messed up everything for some people. If you don’t want to change the tag to the latest [semver](https://semver.org/), simply use the short versions of [semver](https://semver.org/). Instead of using ```:4.6``` you can use ```:4```. Since on each new version these tags are updated to the latest version of the software, using them is identical to using ```:latest``` but at least fixed to a major or minor version. 46 | 47 | If you still insist on having the bleeding edge release of this app, simply use the ```:rolling``` tag, but be warned! You will get the latest version of the app instantly, regardless of breaking changes or security issues or what so ever. You do this at your own risk! 48 | 49 | # REGISTRIES ☁️ 50 | ``` 51 | docker pull 11notes/cron:4.6 52 | docker pull ghcr.io/11notes/cron:4.6 53 | docker pull quay.io/11notes/cron:4.6 54 | ``` 55 | 56 | # SOURCE 💾 57 | * [11notes/cron](https://github.com/11notes/docker-CRON) 58 | 59 | # PARENT IMAGE 🏛️ 60 | * [11notes/alpine:stable](https://hub.docker.com/r/11notes/alpine) 61 | 62 | # BUILT WITH 🧰 63 | * [dcron](https://github.com/ptchinster/dcron) 64 | * [11notes/util](https://github.com/11notes/docker-util) 65 | 66 | # GENERAL TIPS 📌 67 | > [!TIP] 68 | >* Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS and to protect your endpoints 69 | >* Use Let’s Encrypt DNS-01 challenge to obtain valid SSL certificates for your services 70 | 71 | # ElevenNotes™️ 72 | This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-cron/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-cron/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-cron/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories). 73 | 74 | *created 13.05.2025, 15:58:54 (CET)* -------------------------------------------------------------------------------- /arch.dockerfile: -------------------------------------------------------------------------------- 1 | # ╔═════════════════════════════════════════════════════╗ 2 | # ║ SETUP ║ 3 | # ╚═════════════════════════════════════════════════════╝ 4 | # :: GLOBAL 5 | ARG APP_UID=1000 \ 6 | APP_GID=1000 7 | 8 | # :: FOREIGN IMAGES 9 | FROM 11notes/util AS util 10 | 11 | # ╔═════════════════════════════════════════════════════╗ 12 | # ║ BUILD ║ 13 | # ╚═════════════════════════════════════════════════════╝ 14 | 15 | FROM alpine AS build 16 | COPY --from=util /usr/local/bin /usr/local/bin 17 | USER root 18 | 19 | ARG APP_VERSION \ 20 | APP_ROOT 21 | 22 | ENV BUILD_ROOT=/dcron \ 23 | BUILD_BIN=/dcron/crond \ 24 | CC=clang 25 | 26 | RUN set -ex; \ 27 | apk --update --no-cache add \ 28 | build-base \ 29 | upx \ 30 | clang \ 31 | make \ 32 | cmake \ 33 | g++ \ 34 | git; 35 | 36 | RUN set -ex; \ 37 | git clone https://github.com/ptchinster/dcron -b v${APP_VERSION}; \ 38 | sed -i 's/VERSION = .\+/VERSION = '${APP_VERSION}'/' ${BUILD_ROOT}/Makefile; 39 | 40 | RUN set -ex; \ 41 | cd ${BUILD_ROOT}; \ 42 | make -s -j $(nproc) \ 43 | PREFIX=/usr \ 44 | CRONTAB_GROUP=wheel \ 45 | CRONTABS=${APP_ROOT}/etc \ 46 | CRONSTAMPS=${APP_ROOT}/var \ 47 | SCRONTABS=${APP_ROOT}/etc/cron.d \ 48 | LDFLAGS="-static"; 49 | 50 | RUN set -ex; \ 51 | eleven checkStatic ${BUILD_BIN}; \ 52 | eleven strip ${BUILD_BIN}; \ 53 | mkdir -p /distroless/usr/local/bin; \ 54 | cp ${BUILD_BIN} /distroless/usr/local/bin; 55 | 56 | # ╔═════════════════════════════════════════════════════╗ 57 | # ║ IMAGE ║ 58 | # ╚═════════════════════════════════════════════════════╝ 59 | 60 | # :: HEADER 61 | FROM 11notes/alpine:stable 62 | 63 | # :: arguments 64 | ARG TARGETARCH \ 65 | APP_IMAGE \ 66 | APP_NAME \ 67 | APP_VERSION \ 68 | APP_ROOT \ 69 | APP_UID \ 70 | APP_GID 71 | 72 | # :: environment 73 | ENV APP_IMAGE=${APP_IMAGE} \ 74 | APP_NAME=${APP_NAME} \ 75 | APP_VERSION=${APP_VERSION} \ 76 | APP_ROOT=${APP_ROOT} 77 | 78 | # :: multi-stage 79 | COPY --from=util /usr/local/bin /usr/local/bin 80 | COPY --from=build /distroless/usr/local/bin /usr/local/bin 81 | 82 | # :: SETUP 83 | USER root 84 | RUN eleven printenv; 85 | 86 | # :: install application 87 | RUN set -ex; \ 88 | apk --update --no-cache --virtual .setup add \ 89 | libcap-setcap; \ 90 | eleven mkdir ${APP_ROOT}/{etc,var}; \ 91 | mkdir -p ${APP_ROOT}/etc/cron.d; 92 | 93 | # :: copy filesystem changes and set correct permissions 94 | COPY ./rootfs / 95 | RUN set -ex; \ 96 | chmod +x -R /usr/local/bin; \ 97 | chown -R ${APP_UID}:${APP_GID} \ 98 | /usr/local/bin/crond \ 99 | ${APP_ROOT}; 100 | 101 | # :: set special caps 102 | RUN set -ex; \ 103 | setcap cap_setuid=ep /usr/local/bin/crond; \ 104 | setcap cap_setgid=ep /usr/local/bin/crond; \ 105 | apk del --no-network .setup; 106 | 107 | # :: HEALTH 108 | HEALTHCHECK --interval=5s --timeout=2s --start-period=5s \ 109 | CMD ps aux | grep -q "/usr/local/bin/crond" 110 | 111 | # :: RUN 112 | USER ${APP_UID}:${APP_GID} -------------------------------------------------------------------------------- /compose.yaml: -------------------------------------------------------------------------------- 1 | name: "cron" 2 | services: 3 | cron: 4 | image: "11notes/cron:4.6" 5 | environment: 6 | TZ: "Europe/Zurich" 7 | CRONTAB: |- 8 | * * * * * eleven log info "I run every minute" >> /proc/1/fd/1 9 | 0 3 * * * cmd-socket '{"bin":"df", "arguments":["-h"]}' >> /proc/1/fd/1 10 | restart: "always" -------------------------------------------------------------------------------- /project.md: -------------------------------------------------------------------------------- 1 | ${{ content_synopsis }} This image will give you the ability to execute cron jobs in a complete rootless environment. It also contains the ```cmd-socket``` command to execute commands inside other images that use the [cmd-socket](https://github.com/11notes/go-cmd-socket) binary. 2 | 3 | ${{ content_compose }} 4 | 5 | ${{ content_defaults }} 6 | 7 | ${{ content_environment }} 8 | 9 | ${{ content_source }} 10 | 11 | ${{ content_parent }} 12 | 13 | ${{ content_built }} 14 | 15 | ${{ content_tips }} -------------------------------------------------------------------------------- /rootfs/usr/local/bin/cmd-socket: -------------------------------------------------------------------------------- 1 | #!/bin/ash 2 | curl --unix-socket /run/cmd/cmd.sock http:/cmd -H 'Content-Type: application/json' -d ${1} -------------------------------------------------------------------------------- /rootfs/usr/local/bin/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/ash 2 | if [ -z "${1}" ]; then 3 | echo -e "${CRONTAB}" > ${APP_ROOT}/etc/docker 4 | set -- /usr/local/bin/crond -c ${APP_ROOT}/etc -f -P 5 | eleven log start 6 | fi 7 | 8 | exec "$@" --------------------------------------------------------------------------------