├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ └── new-issue.md └── workflows │ └── release.yml ├── .gitignore ├── AUTHORS.md ├── CHANGELOG.md ├── CONTRIBUTING ├── COPYING ├── DCO ├── MOVING-TO-V3.md ├── Makefile ├── README.md ├── conf ├── defaults.mk ├── toolchains └── versions ├── doc ├── howto.txt ├── init.txt └── requirements.txt ├── layout ├── rootfs-overlay │ ├── command │ │ ├── logutil-newfifo │ │ ├── logutil-service │ │ ├── printcontenv │ │ ├── with-contenv │ │ └── with-retries │ ├── etc │ │ └── s6-overlay │ │ │ └── s6-rc.d │ │ │ ├── user │ │ │ ├── contents.d │ │ │ │ └── .empty │ │ │ └── type │ │ │ └── user2 │ │ │ ├── contents.d │ │ │ └── .empty │ │ │ └── type │ ├── init │ └── package │ │ └── admin │ │ └── s6-overlay-@VERSION@ │ │ ├── command │ │ ├── logutil-newfifo │ │ ├── logutil-service │ │ ├── printcontenv │ │ ├── with-contenv │ │ └── with-retries │ │ ├── etc │ │ ├── s6-linux-init │ │ │ └── skel │ │ │ │ ├── CMDSIG │ │ │ │ ├── rc.init │ │ │ │ ├── rc.shutdown │ │ │ │ └── rc.shutdown.final │ │ └── s6-rc │ │ │ ├── scripts │ │ │ ├── cont-finish │ │ │ ├── cont-init │ │ │ ├── fix-attrs │ │ │ ├── services-down │ │ │ └── services-up │ │ │ └── sources │ │ │ ├── base │ │ │ ├── contents.d │ │ │ │ ├── fix-attrs │ │ │ │ └── legacy-cont-init │ │ │ └── type │ │ │ ├── fix-attrs │ │ │ ├── type │ │ │ └── up │ │ │ ├── legacy-cont-init │ │ │ ├── dependencies.d │ │ │ │ └── fix-attrs │ │ │ ├── down │ │ │ ├── type │ │ │ └── up │ │ │ ├── legacy-services │ │ │ ├── dependencies.d │ │ │ │ ├── base │ │ │ │ └── user │ │ │ ├── down │ │ │ ├── type │ │ │ └── up │ │ │ └── top │ │ │ ├── contents.d │ │ │ ├── base │ │ │ ├── legacy-services │ │ │ ├── user │ │ │ └── user2 │ │ │ └── type │ │ └── libexec │ │ ├── fix-attrs │ │ ├── logutil-service-main │ │ ├── preinit │ │ └── stage0 └── syslogd-overlay │ ├── etc │ └── s6-overlay │ │ └── s6-rc.d │ │ ├── syslogd-bundle │ │ ├── contents.d │ │ │ ├── syslogd-pipeline │ │ │ └── syslogd-prepare │ │ └── type │ │ ├── syslogd-log │ │ ├── consumer-for │ │ ├── dependencies.d │ │ │ ├── base │ │ │ └── syslogd-prepare │ │ ├── notification-fd │ │ ├── pipeline-name │ │ ├── run │ │ └── type │ │ ├── syslogd-prepare │ │ ├── dependencies.d │ │ │ └── base │ │ ├── type │ │ └── up │ │ ├── syslogd │ │ ├── dependencies.d │ │ │ ├── base │ │ │ └── syslogd-prepare │ │ ├── notification-fd │ │ ├── producer-for │ │ ├── run │ │ └── type │ │ └── user │ │ └── contents.d │ │ └── syslogd-bundle │ └── package │ └── admin │ └── s6-overlay-@VERSION@ │ └── etc │ └── s6-rc │ └── scripts │ └── syslogd-prepare └── mk ├── bearssl.mk ├── skaware.mk └── toolchain.mk /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new-issue.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: New issue 3 | about: Default template for s6-overlay issues 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | # Please provide a small Dockerfile that demonstrates your issue. 11 | 12 | Being able to reproduce your issue helps greatly in troubleshooting, the 13 | best way to do that is to create a small Dockerfile that we can 14 | use to recreate the issue. 15 | 16 | # If you've identified a fix, please open a pull request. 17 | 18 | If you've found an issue and know the fix, please open a pull request with your fix. 19 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | push: 5 | tags: 6 | - '*' 7 | 8 | jobs: 9 | setup: 10 | runs-on: ubuntu-latest 11 | outputs: 12 | matrix: ${{ steps.matrix.outputs.s6_arch }} 13 | steps: 14 | - uses: actions/checkout@v3 15 | - id: matrix 16 | run: | 17 | echo s6_arch=$(cut -f1 conf/toolchains | sed -z '$ s/\n$//' | jq -R -s -c 'split("\n")') >> "$GITHUB_OUTPUT" 18 | 19 | - run: | 20 | . conf/versions 21 | printf "Binary releases include the following packages:\n\n" > release-notes.md 22 | printf "| Software | Version |\n" >> release-notes.md 23 | printf "| -------- |:-------:|\n" >> release-notes.md 24 | printf "| BearSSL | %s \n" "${BEARSSL_VERSION}" >> release-notes.md 25 | printf "| skalibs | %s \n" "${SKALIBS_VERSION}" >> release-notes.md 26 | printf "| execline | %s \n" "${EXECLINE_VERSION}" >> release-notes.md 27 | printf "| s6 | %s \n" "${S6_VERSION}" >> release-notes.md 28 | printf "| s6-rc | %s \n" "${S6_RC_VERSION}" >> release-notes.md 29 | printf "| s6-linux-init | %s \n" "${S6_LINUX_INIT_VERSION}" >> release-notes.md 30 | printf "| s6-portable-utils | %s \n" "${S6_PORTABLE_UTILS_VERSION}" >> release-notes.md 31 | printf "| s6-linux-utils | %s \n" "${S6_LINUX_UTILS_VERSION}" >> release-notes.md 32 | printf "| s6-dns | %s \n" "${S6_DNS_VERSION}" >> release-notes.md 33 | printf "| s6-networking | %s \n" "${S6_NETWORKING_VERSION}" >> release-notes.md 34 | printf "| s6-overlay-helpers | %s \n" "${S6_OVERLAY_HELPERS_VERSION}" >> release-notes.md 35 | printf "\n" >> release-notes.md 36 | 37 | - uses: ncipollo/release-action@v1 38 | with: 39 | omitBodyDuringUpdate: true 40 | allowUpdates: true 41 | bodyFile: release-notes.md 42 | 43 | release: 44 | needs: [ setup ] 45 | runs-on: ubuntu-latest 46 | strategy: 47 | matrix: 48 | s6_arch: ${{fromJson(needs.setup.outputs.matrix)}} 49 | 50 | steps: 51 | - uses: actions/checkout@v3 52 | 53 | # normalize version (remove 'git/refs/', remove leading 'v') 54 | - run: | 55 | VERSION="${GITHUB_REF##*/}" 56 | VERSION="${VERSION#v}" 57 | echo "S6_VERSION=${VERSION}" >> $GITHUB_ENV 58 | 59 | # create short arch name 60 | - run: | 61 | HW=$(echo "${{ matrix.s6_arch }}" | cut -f1 -d'-') 62 | if [ "${{matrix.s6_arch}}" = "arm-linux-musleabihf" ] ; then 63 | HW="armhf" 64 | fi 65 | echo "S6_HW=${HW}" >> $GITHUB_ENV 66 | 67 | - run: | 68 | make ARCH="${{ matrix.s6_arch }}" VERSION="${{ env.S6_VERSION }}" 69 | 70 | - run: | 71 | cd output ; for f in *.tar* ; do sha256sum "$f" > "$f".sha256 ; done 72 | 73 | # output arch-specific binary 74 | - uses: ncipollo/release-action@v1 75 | with: 76 | artifacts: "output/s6-overlay-${{ env.S6_HW }}*" 77 | omitBodyDuringUpdate: true 78 | allowUpdates: true 79 | 80 | - run: | 81 | rm -v output/s6-overlay-${{ env.S6_HW }}* 82 | 83 | # upload symlinks/non-arch on x86_64 only 84 | - uses: ncipollo/release-action@v1 85 | with: 86 | artifacts: "output/*.tar.*" 87 | omitBodyDuringUpdate: true 88 | allowUpdates: true 89 | if: ${{ matrix.s6_arch == 'x86_64-linux-musl' }} 90 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /output 2 | -------------------------------------------------------------------------------- /AUTHORS.md: -------------------------------------------------------------------------------- 1 | Laurent Bercot ([@skarnet](https://github.com/skarnet)) 2 | 3 | John Regan ([@jprjr](https://github.com/jprjr)) 4 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # CHANGELOG for s6-overlay 2 | 3 | ## Note about minor changes 4 | 5 | Please view the git log to see all the minor changes made to the code. This document only tracks major/breaking changes. 6 | 7 | ## Major changes 8 | 9 | ### Version 3.2.0.0 10 | 11 | * There is no default global timeout for starting services anymore. Previously, 12 | if the services took more than 5 seconds to be brought up, they would 13 | fail; the intent was to detect hanged containers (waiting on a dysfunctional 14 | network connection, for instance) and make them fail early, but it has 15 | proven to create more problems than it was solving - so the timeout has 16 | been removed. If you need it, you can, as before, use the `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` 17 | variable. 18 | * More unprivileged configurations are supported: you should now be 19 | able to use s6-overlay in containers created by Kubernetes, for instance. 20 | 21 | ### Version 3.1.0.0 22 | 23 | * `/etc/s6-overlay/config/global_path` isn't provided or taken into 24 | account anymore. Instead, the initial value of PATH for all the services 25 | is inherited from the `PATH` environment variable, that you can set 26 | in the Dockerfile. 27 | * Generated tarballs don't encode the version numbers anymore. 28 | (The download URLs provided by GitHub still encode the version numbers, 29 | so there is no possible confusion on what tarball you're downloading.) 30 | * justc-envdir does not exist anymore: use s6-envdir with the new -L 31 | option if you need environment variables with unlimited length. 32 | * `docker stop` now normally exits 0 (or any predefined exit code 33 | in `/run/s6-linux-init-container-results/exitcode`) instead of 111. 34 | 35 | ### Version 3.0.0.0 36 | 37 | * Completely revamp the build system and the installation system. 38 | * Building is now a single `make` invocation. 39 | * No more self-extracting installer. 40 | * One to five tarballs to be installed, depending on user needs. 41 | * Only one of these tarballs is architecture-dependent. 42 | * Use shell where beneficial. Execline is still used where it makes sense. 43 | * Take advantage of new skaware. 44 | * Stage 1 is now handled by [s6-linux-init](https://skarnet.org/software/s6-linux-init/). 45 | * The new `S6_CATCHALL_USER` variable can be used to run the catch-all logger as non-root. 46 | * Stage 2 is now handled by [s6-rc](https://skarnet.org/software/s6-rc/). 47 | * `fix-attrs`,`cont-init`/`cont-finish`, and `/etc/services.d` are 48 | still supported; under the hood, they're run as s6-rc services. 49 | * A `user` bundle is provided for users to put all their services in. 50 | * Move binaries out of the way. 51 | * All skaware is installed under `/package` and accessible via `/command`. 52 | * All binaries are accessed via PATH resolution, making it transparent. 53 | * `/usr/bin` symlinks are provided in optional tarballs. 54 | * Some distributions will provide skaware binaries in their own packages; 55 | those will likely be accessible via `/bin` or `/usr/bin`, but the overlay 56 | scripts do not care. 57 | * All in all this is a complete rewrite of s6-overlay, but the transition 58 | from 2.1.0.2 to 3.0.0.0 should be painless for users. 59 | 60 | ### Version 2.1.0.2 61 | 62 | * Add a new self-extracting installer as an installation 63 | option. It works correctly on all distros, whether or not `/bin` is a 64 | symlink to `/usr/bin` or a directory. 65 | 66 | ### Version 2.1.0.0 67 | 68 | * Add initial support for Docker's `USER` directive. 69 | * Add a new binary to the tarball (`s6-overlay-preinit`), and move creating 70 | a specific folder from the build-time to runtime. 71 | 72 | ### Version 2.0.0.1 73 | 74 | * Fix issues with shells overwriting the `cd` 75 | binary [#278](https://github.com/just-containers/s6-overlay/issues/278) 76 | and tarballs having too-loose permissions [#274](https://github.com/just-containers/s6-overlay/issues/274). 77 | 78 | ### Version 2.0.0.0 79 | 80 | * Starting with version `2.0.0.0`, `with-contenv` no longer uses `s6-envdir`, instead it 81 | uses [justc-envdir](https://github.com/just-containers/justc-envdir), a small fork that 82 | uses the entire contents of the files in the envdir. A new script is introduced, `with-contenv-legacy`, 83 | in case you rely on the old behavior. 84 | 85 | ### Version 1.21.8.0 86 | 87 | * Up to and including version `1.21.8.0`, the init system would call `s6-sync` to sync disks when 88 | the container exited. This actually syncs all block devices on the hosts, which is 89 | likely not what you want to do. As of version `1.22.0.0`, this is disabled by default, see the 90 | README on how to re-enable it. 91 | -------------------------------------------------------------------------------- /CONTRIBUTING: -------------------------------------------------------------------------------- 1 | Please add a Signed-Off-By: line at the end of your commit, 2 | which certifies that you have the right and authority to pass 3 | it on as an open-source patch, as explicited in the Developer's 4 | Certificate of Origin available in this project's DCO file, 5 | or at https://developercertificate.org/ 6 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Internet Systems Consortium license 2 | =================================== 3 | 4 | Copyright (c) 2021-2024 Laurent Bercot , John Regan 5 | 6 | Permission to use, copy, modify, and distribute this software for any 7 | purpose with or without fee is hereby granted, provided that the above 8 | copyright notice and this permission notice appear in all copies. 9 | 10 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 | -------------------------------------------------------------------------------- /DCO: -------------------------------------------------------------------------------- 1 | Developer Certificate of Origin 2 | Version 1.1 3 | 4 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 5 | 1 Letterman Drive 6 | Suite D4700 7 | San Francisco, CA, 94129 8 | 9 | Everyone is permitted to copy and distribute verbatim copies of this 10 | license document, but changing it is not allowed. 11 | 12 | 13 | Developer's Certificate of Origin 1.1 14 | 15 | By making a contribution to this project, I certify that: 16 | 17 | (a) The contribution was created in whole or in part by me and I 18 | have the right to submit it under the open source license 19 | indicated in the file; or 20 | 21 | (b) The contribution is based upon previous work that, to the best 22 | of my knowledge, is covered under an appropriate open source 23 | license and I have the right under that license to submit that 24 | work with modifications, whether created in whole or in part 25 | by me, under the same open source license (unless I am 26 | permitted to submit under a different license), as indicated 27 | in the file; or 28 | 29 | (c) The contribution was provided directly to me by some other 30 | person who certified (a), (b) or (c) and I have not modified 31 | it. 32 | 33 | (d) I understand and agree that this project and the contribution 34 | are public and that a record of the contribution (including all 35 | personal information I submit with it, including my sign-off) is 36 | maintained indefinitely and may be redistributed consistent with 37 | this project or the open source license(s) involved. 38 | -------------------------------------------------------------------------------- /MOVING-TO-V3.md: -------------------------------------------------------------------------------- 1 | 2 | # Moving from s6-overlay v2 to s6-overlay v3 3 | 4 | There are a lot of changes between version 2 of s6-overlay, which was 5 | the one used until 2021, and version 3, which was released in January 2022. 6 | 7 | This document sums up the most important changes. 8 | As always, please refer to the latest version of the 9 | [README.md file](https://github.com/just-containers/s6-overlay/blob/master/README.md) 10 | for detailed s6-overlay usage instructions. 11 | 12 | Thanks for @alexyao2015 for the initial ideas for this document. 13 | 14 | ## Immediately visible changes 15 | 16 | - s6-overlay is now provided as a series of several tarballs, that you can pick 17 | and choose depending on the details of how you use s6-overlay. Most people will 18 | need *two* tarballs (the architecture-dependent binaries, and the architecture-independent 19 | overlay scripts). 20 | * These tarballs are `.tar.xz` files: to extract them, most distributions 21 | require installing the `xz-utils` package, which is not always provided by 22 | default. 23 | - Except when specifically built otherwise, commands and scripts provided by s6-overlay 24 | now reside under `/command`. This means several things: 25 | * The default PATH always contains `/command` as well as `/usr/bin` and `/bin`. You can 26 | add directories to that PATH by declaring your own `PATH` variable in the Dockerfile. 27 | * s6-overlay commands should *always* be called by their short name, never by an 28 | absolute path. You should always trust PATH to do the right thing. 29 | + In practice: every time you used something like `/bin/s6-chmod`, change it to 30 | `s6-chmod` instead. That will work in every situation. 31 | * Shebangs, which require absolute paths, are an exception, and need manual editing. 32 | For instance, `#!/usr/bin/with-contenv` should be changed to `#!/command/with-contenv`. 33 | + To give you time to perform that change incrementally, s6-overlay provides 34 | optional tarballs that install `/usr/bin/foobar` symlinks to `/command/foobar`. 35 | - All the user scripts need to be executable: they are now *executed* instead of 36 | *interpreted by a shell*. 37 | - The supervision tree now resides in `/run/service`, and you should not attempt to stop it 38 | when you want to exit the container; more generally you should not attempt to send 39 | control commands to the supervision tree. In particular, you should not try to run 40 | the `s6-svscanctl -t /var/run/s6/services` command - it will not work anyway because 41 | the supervision tree has changed locations. If you need to exit a container from the 42 | inside, without your CMD dying (or without having declared a CMD), run the 43 | `/run/s6/basedir/bin/halt` command instead. 44 | * Services that were previously addressed via `/var/run/s6/services/foobar` are now 45 | addressed via `/run/service/foobar`. 46 | - The CMD, if any, always used to run under the container environment. This is not 47 | the case anymore: just like supervised services, the CMD is now run with a minimal 48 | environment by default, and you need to prepend it with `with-contenv` if you want 49 | to provide it with the full container environment. 50 | 51 | ## Service management-related changes 52 | 53 | The container startup process now uses [s6-rc](https://skarnet.org/software/s6-rc/), 54 | which has several benefits over the old method. This impacts the overlay in the 55 | following ways: 56 | 57 | - There is a global timeout for all the services, adjustable via the 58 | `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` variable. You can disable it via setting this 59 | variable to 0. 60 | - The scripts in `/etc/cont-init.d` are now run as the `up` command of the first service 61 | (a oneshot); the scripts in `/etc/cont-finish.d` are run as the `down` command of the 62 | same service. This means `/etc/cont-init.d` is run as the first thing when the container 63 | starts, and `/etc/cont-finish.d` is run as the last thing when the container stops. (This 64 | does not change from the v2 behaviour.) 65 | * This means that `/etc/cont-init.d` is subjected to the `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` 66 | timeout. Adjust this timeout if your container initialization scripts take a long time 67 | to run. 68 | - The service directories in `/etc/services.d` are copied to a subdirectory of `/run` and 69 | supervised by s6, as the `up` command of the second service. This means they're started 70 | after `/etc/cont-init.d` is run, and they are *not stopped* until the container stops. 71 | Services declared in `/etc/services.d` are still running when `/etc/cont-finish.d` is 72 | run; they are stopped afterwards. 73 | - Rather than running their services in `/etc/cont-init.d`, `/etc/services.d` and 74 | `/etc/cont-finish.d`, users can now add s6-rc source definitions for them, so they will 75 | be run independently by the service manager. The old way is still supported, and will 76 | continue to be, but we encourage users to switch to the new way. 77 | * This has the advantage of supporting both oneshots (scripts that do one thing and 78 | exit) and longruns (daemons that are supervised with s6), and dependencies can be 79 | declared between services for super flexible ordering; you can also add more 80 | complex service pipelines for multi-step log processing. 81 | * The drawback is that it requires following the 82 | [s6-rc source format](https://skarnet.org/software/s6-rc/s6-rc-compile.html#source), 83 | which is not immediately intuitive. Please read the documentation attentively 84 | if you want to convert your services to that format. As a quickstart, what you 85 | need to know immediately is: 86 | + You need a `type` file in the directory, saying whether the service is a 87 | `oneshot` or a `longrun`. 88 | + The source definition directory for a *longrun* looks a lot like a service 89 | directory: it has a `run` script, possibly a `finish` script, etc. 90 | + The source definition directory for a *oneshot* is different. It 91 | needs an `up` file, but don't write your script in it. Instead, put your 92 | script in another executable file, in a place of your choice (for instance 93 | `/etc/s6-overlay/scripts/foobar`, and just put `/etc/s6-overlay/scripts/foobar` 94 | in your `up` file. *Be aware that `up` is __not__ a shell script*, and will not 95 | honor shebangs; for the details, look for `weird syntax` in the 96 | [README file](README.md). 97 | + To get your service _foo_ properly started at container boot time, you need 98 | to add it to the `user` bundle: `touch /etc/s6-overlay/s6-rc.d/user/contents.d/foo`. 99 | Also, to ensure it's started at the proper time, you should make it depend on 100 | `base`: `mkdir /etc/s6-overlay/s6-rc.d/foo/dependencies.d && touch 101 | /etc/s6-overlay/s6-rc.d/foo/dependencies.d/base`. 102 | - Services are run from their own, temporary, current working directory, instead 103 | of `WORKDIR`; scripts should now use absolute paths instead of paths relative 104 | to `WORKDIR`. The CMD, if any, is still run in `WORKDIR`. 105 | 106 | ## Other changes 107 | 108 | - Socklog has been replaced by a `syslogd-overlay` tarball, provided by 109 | s6-overlay. The tarball expands into a series of s6-rc services implementing 110 | a small syslogd emulation, using a combination of the new `s6-socklog` 111 | binary and a `s6-log` service with a complex logging script that dispatches 112 | logs the same way syslogd would. 113 | 114 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | it: all 2 | 3 | include conf/defaults.mk 4 | 5 | ifeq ($(strip $(OUTPUT)),) 6 | OUTPUT := output 7 | endif 8 | OUTPUT := $(abspath $(OUTPUT)) 9 | HW := $(if $(findstring arm-linux-musleabihf,$(ARCH)),armhf,$(firstword $(subst -, ,$(ARCH)))) 10 | 11 | include conf/versions 12 | include mk/toolchain.mk 13 | include mk/bearssl.mk 14 | include mk/skaware.mk 15 | 16 | .PHONY: it distclean clean all 17 | 18 | distclean: 19 | exec rm -rf $(OUTPUT) 20 | 21 | clean: 22 | ls -1 $(OUTPUT) | grep -vF sources | while read a ; do rm -rf $(OUTPUT)/"$$a" & : ; done ; true 23 | 24 | all: rootfs-overlay-arch-tarball symlinks-overlay-arch-tarball rootfs-overlay-noarch-tarball symlinks-overlay-noarch-tarball syslogd-overlay-noarch-tarball 25 | 26 | 27 | .PHONY: rootfs-overlay-arch rootfs-overlay-arch-tarball 28 | rootfs-overlay-arch: $(OUTPUT)/rootfs-overlay-$(ARCH)/package/admin/execline/command/execlineb 29 | rootfs-overlay-arch-tarball: $(OUTPUT)/s6-overlay-$(HW).tar.xz 30 | 31 | $(OUTPUT)/rootfs-overlay-$(ARCH)/package/admin/execline/command/execlineb: skaware-install 32 | exec rm -rf $(OUTPUT)/rootfs-overlay-$(ARCH) 33 | exec mkdir -p $(OUTPUT)/rootfs-overlay-$(ARCH) 34 | exec cp -a $(OUTPUT)/staging-$(ARCH)/package $(OUTPUT)/staging-$(ARCH)/command $(OUTPUT)/rootfs-overlay-$(ARCH)/ 35 | exec rm -rf $(OUTPUT)/rootfs-overlay-$(ARCH)/package/*/*/include $(OUTPUT)/rootfs-overlay-$(ARCH)/package/*/*/library 36 | 37 | $(OUTPUT)/s6-overlay-$(HW).tar.xz: rootfs-overlay-arch 38 | exec rm -f $@.tmp 39 | cd $(OUTPUT)/rootfs-overlay-$(ARCH) && tar -Jcvf $@.tmp --owner=0 --group=0 --numeric-owner . 40 | exec mv -f $@.tmp $@ 41 | 42 | .PHONY: symlinks-overlay-arch symlinks-overlay-arch-tarball 43 | symlinks-overlay-arch: $(OUTPUT)/symlinks-overlay-arch/usr/bin/execlineb 44 | symlinks-overlay-arch-tarball: $(OUTPUT)/s6-overlay-symlinks-arch.tar.xz 45 | 46 | $(OUTPUT)/symlinks-overlay-arch/usr/bin/execlineb: rootfs-overlay-arch 47 | exec rm -rf $(OUTPUT)/symlinks-overlay-arch 48 | exec mkdir -p $(OUTPUT)/symlinks-overlay-arch/usr/bin 49 | for i in `ls -1 $(OUTPUT)/rootfs-overlay-$(ARCH)/command` ; do ln -s "../../command/$$i" $(OUTPUT)/symlinks-overlay-arch/usr/bin/ ; done 50 | 51 | $(OUTPUT)/s6-overlay-symlinks-arch.tar.xz: symlinks-overlay-arch 52 | exec rm -f $@.tmp 53 | cd $(OUTPUT)/symlinks-overlay-arch && tar -Jcvf $@.tmp --owner=0 --group=0 --numeric-owner . 54 | exec mv -f $@.tmp $@ 55 | 56 | .PHONY: rootfs-overlay-noarch rootfs-overlay-noarch-tarball 57 | rootfs-overlay-noarch: $(OUTPUT)/rootfs-overlay-noarch/init 58 | rootfs-overlay-noarch-tarball: $(OUTPUT)/s6-overlay-noarch.tar.xz 59 | 60 | TMPDIR1 := $(OUTPUT)/rootfs-overlay-noarch.tmp 61 | 62 | $(OUTPUT)/rootfs-overlay-noarch/init: layout/rootfs-overlay/init 63 | exec rm -rf $(TMPDIR1) 64 | exec mkdir -p $(OUTPUT) 65 | exec cp -a layout/rootfs-overlay $(TMPDIR1) 66 | find $(TMPDIR1) -type f -name .empty -print | xargs rm -f -- 67 | find $(TMPDIR1) -name '*@VERSION@*' -print | while read name ; do mv -f "$$name" `echo "$$name" | sed -e 's/@VERSION@/$(VERSION)/'` ; done 68 | find $(TMPDIR1) -type f -size +0c -print | xargs sed -i -e 's|@SHEBANGDIR@|$(SHEBANGDIR)|g; s/@VERSION@/$(VERSION)/g;' -- 69 | exec ln -s s6-overlay-$(VERSION) $(TMPDIR1)/package/admin/s6-overlay 70 | exec mv -f $(TMPDIR1) $(OUTPUT)/rootfs-overlay-noarch 71 | 72 | $(OUTPUT)/s6-overlay-noarch.tar.xz: rootfs-overlay-noarch 73 | exec rm -f $@.tmp 74 | cd $(OUTPUT)/rootfs-overlay-noarch && tar -Jcvf $@.tmp --owner=0 --group=0 --numeric-owner . 75 | exec mv -f $@.tmp $@ 76 | 77 | .PHONY: symlinks-overlay-noarch symlinks-overlay-noarch-tarball 78 | symlinks-overlay-noarch: $(OUTPUT)/symlinks-overlay-noarch/usr/bin/printcontenv 79 | symlinks-overlay-noarch-tarball: $(OUTPUT)/s6-overlay-symlinks-noarch.tar.xz 80 | 81 | $(OUTPUT)/symlinks-overlay-noarch/usr/bin/printcontenv: rootfs-overlay-noarch 82 | exec rm -rf $(OUTPUT)/symlinks-overlay-noarch 83 | exec mkdir -p $(OUTPUT)/symlinks-overlay-noarch/usr/bin 84 | for i in `ls -1 $(OUTPUT)/rootfs-overlay-noarch/command` ; do ln -s "../../command/$$i" $(OUTPUT)/symlinks-overlay-noarch/usr/bin/ ; done 85 | 86 | $(OUTPUT)/s6-overlay-symlinks-noarch.tar.xz: symlinks-overlay-noarch 87 | exec rm -f $@.tmp 88 | cd $(OUTPUT)/symlinks-overlay-noarch && tar -Jcvf $@.tmp --owner=0 --group=0 --numeric-owner . 89 | exec mv -f $@.tmp $@ 90 | 91 | .PHONY: syslogd-overlay-noarch syslogd-overlay-noarch-tarball 92 | syslogd-overlay-noarch: $(OUTPUT)/syslogd-overlay-noarch/etc/s6-overlay/s6-rc.d/syslogd/run 93 | syslogd-overlay-noarch-tarball: $(OUTPUT)/syslogd-overlay-noarch.tar.xz 94 | 95 | TMPDIR2 := $(OUTPUT)/syslogd-overlay-noarch.tmp 96 | 97 | $(OUTPUT)/syslogd-overlay-noarch/etc/s6-overlay/s6-rc.d/syslogd/run: layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/run 98 | exec rm -rf $(TMPDIR2) 99 | exec mkdir -p $(OUTPUT) 100 | exec cp -a layout/syslogd-overlay $(TMPDIR2) 101 | find $(TMPDIR2) -type f -name .empty -print | xargs rm -f -- 102 | find $(TMPDIR2) -name '*@VERSION@*' -print | while read name ; do mv -f "$$name" `echo "$$name" | sed -e 's/@VERSION@/$(VERSION)/'` ; done 103 | find $(TMPDIR2) -type f -size +0c -print | xargs sed -i -e 's|@SHEBANGDIR@|$(SHEBANGDIR)|g; s/@VERSION@/$(VERSION)/g;' -- 104 | exec mv -f $(TMPDIR2) $(OUTPUT)/syslogd-overlay-noarch 105 | 106 | $(OUTPUT)/syslogd-overlay-noarch.tar.xz: syslogd-overlay-noarch 107 | exec rm -f $@.tmp 108 | cd $(OUTPUT)/syslogd-overlay-noarch && tar -Jcvf $@.tmp --owner=0 --group=0 --numeric-owner . 109 | exec mv -f $@.tmp $@ 110 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | **Table of Contents** 2 | 3 | - [Quickstart](#quickstart) 4 | - [Compatibility with v2](#compatibility-with-v2) 5 | - [Goals](#goals) 6 | - [Features](#features) 7 | - [The Docker Way?](#the-docker-way) 8 | - [Init stages](#init-stages) 9 | - [Installation](#installation) 10 | - [Usage](#usage) 11 | - [Using `CMD`](#using-cmd) 12 | - [Writing a service script](#writing-a-service-script) 13 | - [Setting the exit code of the container to the exit code of your main service](#setting-the-exit-code-of-the-container-to-the-exit-code-of-your-main-service) 14 | - [Fixing ownership and permissions](#fixing-ownership-and-permissions) 15 | - [Executing initialization and finalization tasks](#executing-initialization-and-finalization-tasks) 16 | - [Writing an optional finish script](#writing-an-optional-finish-script) 17 | - [Logging](#logging) 18 | - [Dropping privileges](#dropping-privileges) 19 | - [Read-only Root Filesystem](#read-only-root-filesystem) 20 | - [Container environment](#container-environment) 21 | - [Customizing s6-overlay's behaviour](#customizing-s6-overlay-behaviour) 22 | - [syslog](#syslog) 23 | - [Performance](#performance) 24 | - [Verifying Downloads](#verifying-downloads) 25 | - [Notes](#notes) 26 | - [Releases](#releases) 27 | - [Which architecture to use depending on your TARGETARCH](#which-architecture-to-use-depending-on-your-targetarch) 28 | - [Contributing](#contributing) 29 | - [Building the overlay yourself](#building-the-overlay-yourself) 30 | - [Upgrade notes](#upgrade-notes) 31 | 32 | # s6-overlay [![Build Status](https://api.travis-ci.org/just-containers/s6-overlay.svg?branch=master)](https://travis-ci.org/just-containers/s6-overlay) 33 | 34 | s6-overlay is an easy-to-install (just extract a tarball or two!) set of scripts and utilities 35 | allowing you to use existing Docker images while using [s6](https://skarnet.org/software/s6/overview.html) 36 | as a pid 1 for your container and process supervisor for your services. 37 | 38 | ## Quickstart 39 | 40 | Build the following Dockerfile and try it out: 41 | 42 | ``` 43 | # Use your favorite image 44 | FROM ubuntu 45 | ARG S6_OVERLAY_VERSION=3.2.1.0 46 | 47 | RUN apt-get update && apt-get install -y nginx xz-utils 48 | RUN echo "daemon off;" >> /etc/nginx/nginx.conf 49 | CMD ["/usr/sbin/nginx"] 50 | 51 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp 52 | RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz 53 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp 54 | RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz 55 | ENTRYPOINT ["/init"] 56 | ``` 57 | 58 | ``` 59 | docker-host $ docker build -t demo . 60 | docker-host $ docker run --name s6demo -d -p 80:80 demo 61 | docker-host $ docker top s6demo acxf 62 | PID TTY STAT TIME COMMAND 63 | 11735 ? Ss 0:00 \_ s6-svscan 64 | 11772 ? S 0:00 \_ s6-supervise 65 | 11773 ? Ss 0:00 | \_ s6-linux-init-s 66 | 11771 ? Ss 0:00 \_ rc.init 67 | 11812 ? S 0:00 | \_ nginx 68 | 11814 ? S 0:00 | \_ nginx 69 | 11816 ? S 0:00 | \_ nginx 70 | 11813 ? S 0:00 | \_ nginx 71 | 11815 ? S 0:00 | \_ nginx 72 | 11779 ? S 0:00 \_ s6-supervise 73 | 11785 ? Ss 0:00 | \_ s6-ipcserverd 74 | 11778 ? S 0:00 \_ s6-supervise 75 | docker-host $ curl --head http://127.0.0.1/ 76 | HTTP/1.1 200 OK 77 | Server: nginx/1.18.0 (Ubuntu) 78 | Date: Mon, 17 Jan 2022 13:33:58 GMT 79 | Content-Type: text/html 80 | Content-Length: 612 81 | Last-Modified: Mon, 17 Jan 2022 13:32:11 GMT 82 | Connection: keep-alive 83 | ETag: "61e56fdb-264" 84 | Accept-Ranges: bytes 85 | 86 | ``` 87 | 88 | ## Compatibility with v2 89 | 90 | If you're migrating from a previous version of s6-overlay (*v2*) to the 91 | new version (*v3*), you may need to make some changes to your services 92 | or the way you use s6-overlay in order for everything to work smoothly. 93 | This document tries to be accurate on how v3 works, but we have a 94 | [separate page](https://github.com/just-containers/s6-overlay/blob/master/MOVING-TO-V3.md) 95 | listing the main differences, and things you're likely to notice. Please 96 | read it if you're in this situation! 97 | 98 | ## Goals 99 | 100 | The project has the following goals: 101 | 102 | * Be usable on top of *any* Docker image 103 | * Make it easy to create new images, that will operate like any other images 104 | * Provide users with a turnkey s6 installation that will give them a stable 105 | pid 1, a fast and orderly init sequence and shutdown sequence, and the power 106 | of process supervision and automatically rotated logs. 107 | 108 | ## Features 109 | 110 | * A simple init process which allows the end-user to execute tasks like initialization (`cont-init.d`), 111 | finalization (`cont-finish.d`) and their own services with dependencies between them 112 | * The s6-overlay provides proper `PID 1` functionality 113 | * You'll never have zombie processes hanging around in your container, they will be properly cleaned up. 114 | * Multiple processes in a single container 115 | * Able to operate in "The Docker Way" 116 | * Usable with all base images - Ubuntu, CentOS, Fedora, Alpine, Busybox... 117 | * Distributed as a small number of .tar.xz files depending on what exact functionality you need - to keep your image's number of layers small. 118 | * A whole set of utilities included in `s6` and `s6-portable-utils`. They include handy and composable utilities which make our lives much, much easier. 119 | * Log rotating out-of-the-box through `logutil-service` which uses [`s6-log`](https://skarnet.org/software/s6/s6-log.html) under the hood. 120 | * Some support for Docker's `USER` directive, to run your whole process tree as a specific user. Not compatible with all features, details in the [notes](#notes) section. 121 | 122 | ## The Docker Way? 123 | 124 | One of the oft-repeated Docker mantras is "one process per container", but we disagree. 125 | There's nothing inherently *bad* about running multiple processes in a container. 126 | The more abstract "one *thing* per container" is our policy - a container should do one thing, 127 | such as "run a chat service" or "run gitlab." This may involve multiple processes, which is fine. 128 | 129 | The other reason image authors shy away from process supervisors is they believe a process supervisor 130 | *must* restart failed services, meaning the Docker container will never die. 131 | 132 | This does effectively break the Docker ecosystem - most images run one process that will 133 | exit when there's an error. By exiting on error, you allow the system administrator to 134 | handle failures however they prefer. If your image will never exit, you now need some 135 | alternative method of error recovery and failure notification. 136 | 137 | Our policy is that if "the thing" fails, then the container should fail, too. 138 | We do this by determining which processes can restart, and which should bring down 139 | the container. For example, if `cron` or `syslog` fails, your container can most 140 | likely restart it without any ill effects, but if `ejabberd` fails, the container 141 | should exit so the system administrator can take action. 142 | 143 | Our interpretation of "The Docker Way" is thus: 144 | 145 | * Containers should do one thing 146 | * Containers should stop when that thing stops 147 | 148 | and our init system is designed to do exactly that. Your images will behave like 149 | other Docker images and fit in with the existing ecosystem of images. 150 | 151 | See "Writing an optional finish script" under the [Usage](#usage) section for details on stopping "the thing." 152 | 153 | ## Init stages 154 | 155 | Our overlay init is a properly customized one to run appropriately in containerized environments. 156 | This section briefly explains how stages work but if you want to know how a complete init system 157 | should work, you can read this article: [How to run s6-svscan as process 1](https://skarnet.org/software/s6/s6-svscan-1.html) 158 | 159 | 1. **stage 1**: Its purpose is to set up the image to execute the supervision tree which 160 | will handle all the auxiliary services, and to launch stage 2. Stage 1 is where all the 161 | black magic happens, all the container setup details that we handle for you so that you don't 162 | have to care about them. 163 | 2. **stage 2**: This is where most of the end-user provided files are meant to be executed: 164 | 1. Execute legacy oneshot user scripts contained in `/etc/cont-init.d`. 165 | 2. Run user s6-rc services declared in `/etc/s6-overlay/s6-rc.d`, following dependencies 166 | 3. Copy legacy longrun user services (`/etc/services.d`) to a temporary directory and have s6 start (and supervise) them. 167 | 3. **stage 3**: This is the shutdown stage. When the container is supposed to exit, it will: 168 | 1. Send a TERM signal to all legacy longrun services and, if required, wait for them to exit. 169 | 2. Bring down user s6-rc services in an orderly fashion. 170 | 3. Run any finalization scripts contained in `/etc/cont-finish.d`. 171 | 4. Send all remaining processes a `TERM` signal. There should not be any remaining processes anyway. 172 | 5. Sleep for a small grace time, to allow stray processes to exit cleanly. 173 | 6. Send all processes a `KILL` signal. Then the container exits. 174 | 175 | ## Installation 176 | 177 | s6-overlay comes as a set of tarballs that you can extract onto your image. 178 | The tarballs you need are a function of the image you use; most people will 179 | need the first two, and the other ones are extras you can use at your 180 | convenience. 181 | 182 | 1. `s6-overlay-noarch.tar.xz`: this tarball contains the scripts 183 | implementing the overlay. We call it "noarch" because it is architecture- 184 | independent: it only contains scripts and other text files. Everyone who 185 | wants to run s6-overlay needs to extract this tarball. 186 | 2. `s6-overlay-x86_64.tar.xz`: replace `x86_64` with your 187 | system's architecture. This tarball contains all the necessary binaries 188 | from the s6 ecosystem, all linked statically and out of the way of 189 | your image's binaries. Unless you know for sure that your image already 190 | comes with all the packages providing the binaries used in the overlay, 191 | you need to extract this tarball. 192 | 3. `s6-overlay-symlinks-noarch.tar.xz`: this tarball contains 193 | symlinks to the s6-overlay scripts so they are accessible via `/usr/bin`. 194 | It is normally not needed, all the scripts are accessible via the PATH 195 | environment variable, but if you have old user scripts containing 196 | shebangs such as `#!/usr/bin/with-contenv`, installing these symlinks 197 | will make them work. 198 | 4. `s6-overlay-symlinks-arch.tar.xz`: this tarball contains 199 | symlinks to the binaries from the s6 ecosystem provided by the second 200 | tarball, to make them accessible via `/usr/bin`. It is normally not 201 | needed, but if you have old user scripts containing shebangs such as 202 | `#!/usr/bin/execlineb`, installing these symlinks will make them work. 203 | 5. `syslogd-overlay-noarch.tar.xz`: this tarball contains 204 | definitions for a `syslogd` service. If you are running daemons that 205 | cannot log to stderr to take advantage of the s6 logging infrastructure, 206 | but hardcode the use of the old `syslog()` mechanism, you can extract 207 | this tarball, and your container will run a lightweight emulation of a 208 | `syslogd` daemon, so your syslog logs will be caught and stored to disk. 209 | 210 | To install those tarballs, add lines to your Dockerfile that correspond 211 | to the functionality you want to install. For instance, most people would 212 | use the following: 213 | ``` 214 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp 215 | RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz 216 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp 217 | RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz 218 | ``` 219 | 220 | Make sure to preserve file permissions when extracting (i.e. to use the 221 | `-p` option to `tar`.) 222 | 223 | ## Usage 224 | 225 | The project is distributed as a set of standard .tar.xz files, which you extract at the root of your image. 226 | (You need the xz-utils package for `tar` to understand `.tar.xz` files; it is available 227 | in every distribution, but not always in the default container images, so you may need 228 | to `apt install xz-utils` or `apk add xz`, or equivalent, before you can 229 | expand the archives.) 230 | 231 | Afterwards, set your `ENTRYPOINT` to `/init`. 232 | 233 | Right now, we recommend using Docker's `ADD` directive instead of running `wget` or `curl` 234 | in a `RUN` directive - Docker is able to handle the https URL when you use `ADD`, whereas 235 | your base image might not be able to use https, or might not even have `wget` or `curl` 236 | installed at all. 237 | 238 | From there, you have a couple of options: 239 | 240 | * If you want the container to exit when your program exits: run the program as your image's `CMD`. 241 | * If you want the container to run until told to exit, and your program to be supervised by s6: 242 | write a service script for your program. 243 | 244 | ### Using `CMD` 245 | 246 | Using `CMD` is a convenient way to take advantage of the overlay. Your `CMD` can be given at 247 | build time in the Dockerfile, or at run time on the command line, either way is fine. It will 248 | be run as a normal process in the environment set up by s6; when it fails or exits, the 249 | container will shut down cleanly and exit. You can run interactive programs in this manner: 250 | only the CMD will receive your interactive command, the support processes will be unimpacted. 251 | 252 | For example: 253 | 254 | ``` 255 | FROM busybox 256 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp 257 | RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz 258 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp 259 | RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz 260 | ENTRYPOINT ["/init"] 261 | ``` 262 | 263 | ``` 264 | docker-host $ docker build -t s6demo . 265 | docker-host $ docker run -ti s6demo /bin/sh 266 | /package/admin/s6-overlay/libexec/preinit: notice: /var/run is not a symlink to /run, fixing it 267 | s6-rc: info: service s6rc-oneshot-runner: starting 268 | s6-rc: info: service s6rc-oneshot-runner successfully started 269 | s6-rc: info: service fix-attrs: starting 270 | s6-rc: info: service fix-attrs successfully started 271 | s6-rc: info: service legacy-cont-init: starting 272 | s6-rc: info: service legacy-cont-init successfully started 273 | s6-rc: info: service legacy-services: starting 274 | s6-rc: info: service legacy-services successfully started 275 | / # ps 276 | PID USER TIME COMMAND 277 | 1 root 0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service 278 | 17 root 0:00 {rc.init} /bin/sh -e /run/s6/basedir/scripts/rc.init top /bin/sh 279 | 18 root 0:00 s6-supervise s6-linux-init-shutdownd 280 | 20 root 0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B 281 | 24 root 0:00 s6-supervise s6rc-fdholder 282 | 25 root 0:00 s6-supervise s6rc-oneshot-runner 283 | 31 root 0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /packa 284 | 58 root 0:00 /bin/sh 285 | 66 root 0:00 ps 286 | / # exit 287 | s6-rc: info: service legacy-services: stopping 288 | s6-rc: info: service legacy-services successfully stopped 289 | s6-rc: info: service legacy-cont-init: stopping 290 | s6-rc: info: service legacy-cont-init successfully stopped 291 | s6-rc: info: service fix-attrs: stopping 292 | s6-rc: info: service fix-attrs successfully stopped 293 | s6-rc: info: service s6rc-oneshot-runner: stopping 294 | s6-rc: info: service s6rc-oneshot-runner successfully stopped 295 | docker-host $ 296 | ``` 297 | 298 | ### Writing a service script 299 | 300 | The other way to use a container with s6-overlay is to make your 301 | services supervised. You can supervise any number of services; 302 | usually they're just support services for the main daemon you run as 303 | a CMD, but if that's what you want, nothing prevents you from having 304 | an empty CMD and running your main daemon as a supervised service as 305 | well. In that case, the daemon will be restarted by s6 whenever it 306 | exits; the container will only stop when you tell it to do so, either 307 | via a `docker stop` command, or from inside the container with the 308 | `/run/s6/basedir/bin/halt` command. 309 | 310 | There are two ways of making a supervised service. The old way, which 311 | is still supported, is to make a "pure s6" service directory. Create a 312 | directory with the name of your service in `/etc/services.d` and put an executable `run` 313 | file into it; this is the file in which you'll put your long-lived process execution. 314 | For details of supervision of service directories, and how you can 315 | configure how s6 handles your daemon, you can take a look at the 316 | [servicedir](https://skarnet.org/software/s6/servicedir.html) documentation. 317 | A simple example would look like this: 318 | 319 | `/etc/services.d/myapp/run`: 320 | ``` 321 | #!/command/execlineb -P 322 | nginx -g "daemon off;" 323 | ``` 324 | 325 | The new way is to make an [s6-rc](https://skarnet.org/software/s6-rc/) 326 | *source definition directory* in the `/etc/s6-overlay/s6-rc.d` directory, 327 | and add the name of that directory to the `user` bundle, i.e. create an 328 | empty file with the same name in the `/etc/s6-overlay/s6-rc.d/user/contents.d` 329 | directory. The format of a *source definition directory* is described in 330 | [this page](https://skarnet.org/software/s6-rc/s6-rc-compile.html). Note that 331 | you can define *longruns*, i.e. daemons that will get supervised by s6 just 332 | like with the `/etc/services.d` method, but also *oneshots*, i.e. programs that 333 | will run once and exit. Your main service is probably a *longrun*, not a 334 | *oneshot*: you probably need a daemon to stick around. 335 | 336 | The advantage of this new format is that it allows you to define dependencies 337 | between services: if *B* depends on *A*, then *A* will start first, then *B* will 338 | start when *A* is ready, and when the container is told to exit, *B* will stop 339 | first, then *A*. If you have a complex architecture where various processes 340 | depends on one another, or simply where you have to mix *oneshots* and *longruns* 341 | in a precise order, this may be for you. 342 | 343 | The example above could be rewritten this way: 344 | 345 | `/etc/s6-overlay/s6-rc.d/myapp/type`: 346 | ``` 347 | longrun 348 | ``` 349 | 350 | `/etc/s6-overlay/s6-rc.d/myapp/run`: 351 | ``` 352 | #!/command/execlineb -P 353 | nginx -g "daemon off;" 354 | ``` 355 | 356 | `/etc/s6-overlay/s6-rc.d/user/contents.d/myapp`: empty file. 357 | (This adds `myapp` to the set of services that s6-rc will start at 358 | container boot.) 359 | 360 | `/etc/s6-overlay/s6-rc.d/myapp/dependencies.d/base`: empty file. 361 | (This tells s6-rc to only start `myapp` when all the base services 362 | are ready: it prevents race conditions.) 363 | 364 | We encourage you to switch to the new format, but if you don't need its 365 | benefits, you can stick with regular service directories in `/etc/services.d`, 366 | it will work just as well. 367 | 368 | ### Setting the exit code of the container to the exit code of your main service 369 | 370 | If you run your main service as a CMD, you have nothing to do: when your CMD 371 | exits, or when you run `docker stop`, the container will naturally exit with the 372 | same exit code as your service. (Be aware, however, that in the `docker stop` 373 | case, your service will get a SIGTERM, in which case the exit code will entirely 374 | depend on how your service handles it - it could trap it and exit 0, trap it and 375 | exit something else, or not trap it and let the shell exit its own code for it - 376 | normally 130.) 377 | 378 | If you run your main service as a supervised service, however, things are 379 | different, and you need to tell the container what code to exit with when you 380 | send it a `docker stop` command. To do that, you need to write a `finish` script: 381 | 382 | - If your service is a legacy service in `/etc/services.d`, you need an 383 | executable `/etc/services.d/myapp/finish` script. 384 | - If your service is an s6-rc one, you need a 385 | `/etc/s6-overlay/s6-rc.d/myapp/finish` file containing your script (the 386 | file may or may not be executable). 387 | 388 | This `finish` script will be run when your service exits, and will take 389 | two arguments: 390 | 391 | - The first argument will be the exit code of your service, or 256 if 392 | your service was killed by an uncaught signal. 393 | - The second argument is only meaningful if your service was killed by 394 | an uncaught signal, and contains the number of said signal. 395 | 396 | In the `finish` script, you need to write the container exit code you 397 | want to the `/run/s6-linux-init-container-results/exitcode` file - and 398 | that's it. 399 | 400 | For instance, the `finish` script for the `myapp` service above could 401 | be something like this: 402 | ```sh 403 | #!/bin/sh 404 | 405 | if test "$1" -eq 256 ; then 406 | e=$((128 + $2)) 407 | else 408 | e="$1" 409 | fi 410 | 411 | echo "$e" > /run/s6-linux-init-container-results/exitcode 412 | ``` 413 | When you send a `docker stop` command to your container, the `myapp` 414 | service will be killed and this script will be run; it will write 415 | either `myapp`'s exit code (if `myapp` catches the TERM signal) or 416 | 130 (if `myapp` does not catch the TERM signal) to the special 417 | `/run/s6-linux-init-container-results/exitcode` file, which will 418 | be read by s6-overlay at the end of the container shutdown procedure, 419 | and your container will exit with that value. 420 | 421 | ### Fixing ownership and permissions 422 | 423 | This section describes a functionality from the versions of s6-overlay 424 | that are **anterior to** v3. fix-attrs is still supported in v3, 425 | but is **deprecated**, for several reasons: one of them is that it's 426 | generally not good policy to change ownership dynamically when it can be 427 | done statically. Another reason is that it doesn't work with USER containers. 428 | Instead of fix-attrs, we now recommend you to take care of ownership and 429 | permissions on host mounts *offline, before running the container*. This 430 | should be done in your Dockerfile, when you have all the needed information. 431 | 432 | That said, here is what we wrote for previous versions and that is still 433 | applicable today (but please stop depending on it): 434 | 435 | Sometimes it's interesting to fix ownership & permissions before proceeding because, 436 | for example, you have mounted/mapped a host folder inside your container. Our overlay 437 | provides a way to tackle this issue using files in `/etc/fix-attrs.d`. 438 | This is the pattern format followed by fix-attrs files: 439 | 440 | ``` 441 | path recurse account fmode dmode 442 | ``` 443 | * `path`: File or dir path. 444 | * `recurse`: (Set to `true` or `false`) If a folder is found, recurse through all containing files & folders in it. 445 | * `account`: Target account. It's possible to default to fallback `uid:gid` if the account isn't found. For example, `nobody,32768:32768` would try to use the `nobody` account first, then fallback to `uid 32768` instead. 446 | If, for instance, `daemon` account is `UID=2` and `GID=2`, these are the possible values for `account` field: 447 | * `daemon: UID=2 GID=2` 448 | * `daemon,3:4: UID=2 GID=2` 449 | * `2:2,3:4: UID=2 GID=2` 450 | * `daemon:11111,3:4: UID=2 GID=11111` 451 | * `11111:daemon,3:4: UID=11111 GID=2` 452 | * `daemon:daemon,3:4: UID=2 GID=2` 453 | * `daemon:unexisting,3:4: UID=2 GID=4` 454 | * `unexisting:daemon,3:4: UID=3 GID=2` 455 | * `11111:11111,3:4: UID=11111 GID=11111` 456 | * `fmode`: Target file mode. For example, `0644`. 457 | * `dmode`: Target dir/folder mode. For example, `0755`. 458 | 459 | Here you have some working examples: 460 | 461 | `/etc/fix-attrs.d/01-mysql-data-dir`: 462 | ``` 463 | /var/lib/mysql true mysql 0600 0700 464 | ``` 465 | `/etc/fix-attrs.d/02-mysql-log-dirs`: 466 | ``` 467 | /var/log/mysql-error-logs true nobody,32768:32768 0644 2700 468 | /var/log/mysql-general-logs true nobody,32768:32768 0644 2700 469 | /var/log/mysql-slow-query-logs true nobody,32768:32768 0644 2700 470 | ``` 471 | 472 | ### Executing initialization and finalization tasks 473 | 474 | Here is the old way of doing it: 475 | 476 | After fixing attributes (through `/etc/fix-attrs.d/`) and before starting 477 | user provided services (through s6-rc or `/etc/services.d`) our overlay will 478 | execute all the scripts found in `/etc/cont-init.d`, for example: 479 | 480 | [`/etc/cont-init.d/02-confd-onetime`](https://github.com/just-containers/nginx-loadbalancer/blob/master/rootfs/etc/cont-init.d/02-confd-onetime): 481 | ``` 482 | #!/command/execlineb -P 483 | 484 | with-contenv 485 | s6-envuidgid nginx 486 | multisubstitute 487 | { 488 | import -u -D0 UID 489 | import -u -D0 GID 490 | import -u CONFD_PREFIX 491 | define CONFD_CHECK_CMD "/usr/sbin/nginx -t -c {{ .src }}" 492 | } 493 | confd --onetime --prefix="${CONFD_PREFIX}" --tmpl-uid="${UID}" --tmpl-gid="${GID}" --tmpl-src="/etc/nginx/nginx.conf.tmpl" --tmpl-dest="/etc/nginx/nginx.conf" --tmpl-check-cmd="${CONFD_CHECK_CMD}" etcd 494 | ``` 495 | 496 | This way is still supported. However, there is now a more generic and 497 | efficient way to do it: writing your oneshot initialization and finalization 498 | tasks as s6-rc services, by adding service definition directories in 499 | `/etc/s6-overlay/s6-rc.d`, making them part of the `user` bundle (so they 500 | are actually started when the container boots), and making them depend on 501 | the `base` bundle (so they are only started after `base`). 502 | 503 | All the information on s6-rc can be found [here](https://skarnet.org/software/s6-rc/). 504 | 505 | When the container is started, the operations are performed in this order: 506 | 507 | - (deprecated) Attribute fixing is performed according to files in `/etc/fix-attrs.d`. 508 | - (legacy) One-shot initialization scripts in `/etc/cont-init.d` are run sequentially. 509 | - Services in the `user` bundle are started by s6-rc, in an order defined by 510 | dependencies. Services can be oneshots (initialization 511 | tasks) or longruns (daemons that will run throughout the container's lifetime). If 512 | the services depend on `base`, they are guaranteed to start at this point and not 513 | earlier; if they do not, they might have been started earlier, which may cause 514 | race conditions - so it's recommended to always make them depend on `base`. 515 | - (legacy) Longrun services in `/etc/services.d` are started. 516 | - Services in the `user2` bundle with the correct dependency are started. 517 | (Most people don't need to use this; if you are not sure, stick to the `user` bundle.) 518 | 519 | When the container is stopped, either because the admin sent a stop command or 520 | because the CMD exited, the operations are performed in the reverse order: 521 | 522 | - Services in the `user2` bundle with the correct dependency are stopped. 523 | - (legacy) Longrun services in `/etc/services.d` are stopped. 524 | - All s6-rc services are stopped, in an order defined by dependencies. For 525 | oneshots, that means that the `down` script in the source definition directory 526 | is executed; that's how s6-rc can perform finalization tasks. 527 | - (legacy) One shot finalization scripts in `/etc/cont-finish.d` are run sequentially. 528 | 529 | The point of the `user2` bundle is to allow user services declared in it to 530 | start *after* the `/etc/services.d` ones; but in order to do so, every service 531 | in `user2` needs to declare a dependency to `legacy-services`. In other words, 532 | for a service `foobar` to start late, you need to: 533 | - Define it in `/etc/s6-overlay/s6-rc.d/foobar` like any other s6-rc service. 534 | - Add an `/etc/s6-overlay/s6-rc.d/foobar/dependencies.d/legacy-services` file 535 | - Add an `/etc/s6-overlay/s6-rc.d/user2/contents.d/foobar` file. 536 | 537 | That will ensure that `foobar` will start _after_ everything in `/etc/services.d`. 538 | 539 | ### Writing an optional finish script 540 | 541 | By default, services created in `/etc/services.d` will automatically restart. 542 | If a service should bring the container down, you should probably run it as 543 | a CMD instead; but if you'd rather run it as a supervised service, then you'll 544 | need to write a `finish` script, which will be run when the service is down; to 545 | make the container stop, the `/run/s6/basedir/bin/halt` command must be invoked. 546 | Here's an example finish script: 547 | 548 | `/etc/services.d/myapp/finish`: 549 | ``` 550 | #!/command/execlineb -S0 551 | 552 | foreground { redirfd -w 1 /run/s6-linux-init-container-results/exitcode echo 0 } 553 | /run/s6/basedir/bin/halt 554 | ``` 555 | 556 | The first line of the script writes `0` to the `/run/s6-linux-init-container-results/exitcode` file. 557 | The second line stops the container. When you stop the container via the `/run/s6/basedir/bin/halt` 558 | command run from inside the container, `/run/s6-linux-init-container-results/exitcode` is read and 559 | its contents are used as the exit code for the `docker run` command that launched the container. 560 | If the file doesn't exist, or if the container is stopped with `docker stop` or another reason, 561 | that exit code defaults to 0. 562 | 563 | It is possible to do more advanced operations in a finish script. For example, here's a script 564 | from that only brings down the service when it exits nonzero: 565 | 566 | `/etc/services.d/myapp/finish`: 567 | ``` 568 | #!/command/execlineb -S1 569 | if { eltest ${1} -ne 0 -a ${1} -ne 256 } 570 | /run/s6/basedir/bin/halt 571 | ``` 572 | 573 | Note that in general, finish scripts should only be used for local cleanups 574 | after a daemon dies. If a service is so important that the container needs 575 | to stop when it dies, we really recommend running it as the CMD. 576 | 577 | ### Logging 578 | 579 | Every service can have its dedicated logger. A logger is a s6 service that 580 | automatically reads from the *stdout* of your service, and logs the data 581 | to an automatically rotated file in the place you want. Note that daemons 582 | usually log to stderr, not stdout, so you should probably start your service's 583 | run script with `exec 2>&1` in shell, or with `fdmove -c 2 1` in execline, in 584 | order to catch *stderr*. 585 | 586 | s6-overlay provides a utility called `logutil-service` which is a wrapper over 587 | the [`s6-log`](https://skarnet.org/software/s6/s6-log.html) program. 588 | This helper does the following: 589 | - read how s6-log should proceed reading the logging script contained in `S6_LOGGING_SCRIPT` 590 | - drop privileges to the `nobody` user (defaulting to `65534:65534` if it doesn't exist) 591 | - clean all the environments variables 592 | - execute into s6-log. 593 | 594 | s6-log will then run forever, reading data from your service and writing it to 595 | the directory you specified to `logutil-service`. 596 | 597 | Please note: 598 | - Since the privileges are dropped automatically, there is no need to switch users with `s6-setuidgid` 599 | - You should ensure the log folder either: 600 | - exists, and is writable by the `nobody` user 601 | - does not exist, but the parent folder is writable by the `nobody` user. 602 | 603 | You can create log folders in `cont-init.d` scripts, or as s6-rc oneshots. 604 | Here is an example of a logged service `myapp` implemented the old way: 605 | 606 | `/etc/cont-init.d/myapp-log-prepare`: 607 | ```sh 608 | #!/bin/sh -e 609 | mkdir -p /var/log/myapp 610 | chown nobody:nogroup /var/log/myapp 611 | chmod 02755 /var/log/myapp 612 | ``` 613 | 614 | `/etc/services.d/myapp/run`: 615 | ```sh 616 | #!/bin/sh 617 | exec 2>&1 618 | exec mydaemon-in-the-foreground-and-logging-to-stderr 619 | ``` 620 | 621 | `/etc/services.d/myapp/log/run`: 622 | ```sh 623 | #!/bin/sh 624 | exec logutil-service /var/log/myapp 625 | ``` 626 | 627 | And here is the same service, myapp, implemented in s6-rc. 628 | 629 | `/etc/s6-overlay/s6-rc.d/myapp-log-prepare/dependencies.d/base`: empty file 630 | 631 | `/etc/s6-overlay/s6-rc.d/myapp-log-prepare/type`: 632 | ``` 633 | oneshot 634 | ``` 635 | 636 | `/etc/s6-overlay/s6-rc.d/myapp-log-prepare/up`: 637 | ``` 638 | if { mkdir -p /var/log/myapp } 639 | if { chown nobody:nogroup /var/log/myapp } 640 | chmod 02755 /var/log/myapp 641 | ``` 642 | 643 |
(Click here for an explanation of the weird syntax 644 | or if you don't understand why your `up` file isn't working.) 645 |

646 | 647 | (Beginning of the detailed section.) 648 | 649 | So, the `up` and `down` files are special: they're not shell scripts, but 650 | single command lines interpreted by [execlineb](https://skarnet.org/software/execline/execlineb.html). 651 | You should not have to worry about execline; you should only remember that 652 | an `up` file contains a single command line. So if you need a script with 653 | several instructions, here's how to do it: 654 | 655 | - Write your script in the language of your choice, in a location of your choice 656 | - Make it executable 657 | - Call that script in the `up` file. 658 | 659 | Here is how you would normally proceed to write the `up` file for 660 | `myapp-log-prepare`: 661 | 662 | `/etc/s6-overlay/s6-rc.d/myapp-log-prepare/up`: 663 | ``` 664 | /etc/s6-overlay/scripts/myapp-log-prepare 665 | ``` 666 | 667 | `/etc/s6-overlay/scripts/myapp-log-prepare`: (needs to be executable) 668 | ```sh 669 | #!/bin/sh -e 670 | mkdir -p /var/log/myapp 671 | chown nobody:nogroup /var/log/myapp 672 | chmod 02755 /var/log/myapp 673 | ``` 674 | 675 | The location of the actual script is arbitrary, it just needs to match 676 | what you're writing in the `up` file. 677 | 678 | But here, it just so happens that the script is simple enough that it can 679 | fit entirely in the `up` file without making it too complex or too 680 | difficult to understand. So, we chose to include it as an example to 681 | show that there's more that you can do with `up` files, if you are 682 | so inclined. You can read the full documentation for the execline 683 | language [here](https://skarnet.org/software/execline/). 684 | 685 | (End of the detailed section, click the triangle above again to collapse.) 686 |

687 |
688 | 689 | `/etc/s6-overlay/s6-rc.d/myapp/dependencies.d/base`: empty file 690 | 691 | `/etc/s6-overlay/s6-rc.d/myapp-log/dependencies.d/myapp-log-prepare`: empty file 692 | 693 | 694 | `/etc/s6-overlay/s6-rc.d/myapp/type`: 695 | ``` 696 | longrun 697 | ``` 698 | 699 | `/etc/s6-overlay/s6-rc.d/myapp/run`: 700 | ```sh 701 | #!/bin/sh 702 | exec 2>&1 703 | exec mydaemon-in-the-foreground-and-logging-to-stderr 704 | ``` 705 | 706 | `/etc/s6-overlay/s6-rc.d/myapp/producer-for`: 707 | ``` 708 | myapp-log 709 | ``` 710 | 711 | `/etc/s6-overlay/s6-rc.d/myapp-log/type`: 712 | ``` 713 | longrun 714 | ``` 715 | 716 | `/etc/s6-overlay/s6-rc.d/myapp-log/run`: 717 | ```sh 718 | #!/bin/sh 719 | exec logutil-service /var/log/myapp 720 | ``` 721 | 722 | `/etc/s6-overlay/s6-rc.d/myapp-log/consumer-for`: 723 | ``` 724 | myapp 725 | ``` 726 | 727 | `/etc/s6-overlay/s6-rc.d/myapp-log/pipeline-name`: 728 | ``` 729 | myapp-pipeline 730 | ``` 731 | 732 | `/etc/s6-overlay/s6-rc.d/user/contents.d/myapp-pipeline`: empty file 733 | 734 | That's a lot of files! A summary of what it all means is: 735 | - myapp-log-prepare is a oneshot, preparing the logging directory. 736 | It is a dependency of myapp-log, so it will be started *before* myapp-log. 737 | - myapp is a producer for myapp-log and myapp-log is a consumer for myapp, 738 | so what myapp writes to its stdout will go to myapp-log's stdin. Both 739 | are longruns, i.e. daemons that will be supervised by s6. 740 | - The `myapp | myapp-log` pipeline is given a name, `myapp-pipeline`, and 741 | this name is declared as a part of the `user` bundle, so it will be started 742 | when the container starts. 743 | - `myapp-log-prepare`, `myapp-log` and `myapp` all depend on the `base` 744 | bundle, which means they will only be started when the system is actually 745 | ready to start them. 746 | 747 | It really accomplishes the same things as the `/etc/cont-init.d` plus 748 | `/etc/services.d` method, but it's a lot cleaner underneath, and can handle 749 | much more complex dependency graphs, so whenever you get the opportunity, 750 | we recommend you familiarize yourself with the [s6-rc](https://skarnet.org/software/s6-rc/) 751 | way of declaring your services and your loggers. The full syntax of a 752 | service definition directory, including declaring whether your service 753 | is a longrun or a oneshot, declaring pipelines, adding service-specific 754 | timeouts if you need them, etc., can be found 755 | [here](https://skarnet.org/software/s6-rc/s6-rc-compile.html#source). 756 | 757 | 758 | ### Dropping privileges 759 | 760 | When it comes to executing a service, no matter whether it's a service or a logger, 761 | a good practice is to drop privileges before executing it. 762 | `s6` already includes utilities to do exactly these kind of things: 763 | 764 | In `execline`: 765 | 766 | ``` 767 | #!/command/execlineb -P 768 | s6-setuidgid daemon 769 | myservice 770 | ``` 771 | 772 | In `sh`: 773 | 774 | ```sh 775 | #!/bin/sh 776 | exec s6-setuidgid daemon myservice 777 | ``` 778 | 779 | If you want to know more about these utilities, please take a look at: 780 | [`s6-setuidgid`](http://skarnet.org/software/s6/s6-setuidgid.html), 781 | [`s6-envuidgid`](http://skarnet.org/software/s6/s6-envuidgid.html), and 782 | [`s6-applyuidgid`](http://skarnet.org/software/s6/s6-applyuidgid.html). 783 | 784 | ### Container environment 785 | 786 | If you want your custom script to have container environments available: 787 | you can use the `with-contenv` helper, which will push all of those into your 788 | execution environment, for example: 789 | 790 | `/etc/cont-init.d/01-contenv-example`: 791 | ```sh 792 | #!/command/with-contenv sh 793 | env 794 | ``` 795 | 796 | This script will output the contents of your container environment. 797 | 798 | ### Read-Only Root Filesystem 799 | 800 | Recent versions of Docker allow running containers with a read-only root filesystem. 801 | If your container is in such a case, you should set `S6_READ_ONLY_ROOT=1` to inform 802 | s6-overlay that it should not attempt to write to certain areas - instead, it will 803 | perform copies into a tmpfs mounted on `/run`. 804 | 805 | Note that s6-overlay assumes that: 806 | - `/run` exists and is writable. If it is not, it will attempt to mount a tmpfs there. 807 | - `/var/run` is a symbolic link to `/run`, for compatibility with previous versions. If it is not, it will make it so. 808 | 809 | In general your default docker settings should already provide a suitable tmpfs in `/run`. 810 | 811 | ### Customizing s6-overlay behaviour 812 | 813 | It is possible somehow to tweak s6-overlay's behaviour by providing an already predefined set of environment variables to the execution context: 814 | 815 | * `PATH` (default = `/command:/usr/bin:/bin`): 816 | this is the default PATH that all the services in the container, 817 | including the CMD, will have. Set this variable if you have a lot 818 | of services that depend on binaries stored in another directory, e.g. 819 | `/usr/sbin`. Note that `/command`, `/usr/bin` and `/bin` will always 820 | be added to that path if they're not already in the one you provide. 821 | * `S6_KEEP_ENV` (default = 0): if set, then environment is not reset and whole supervision tree sees original set of env vars. It switches `with-contenv` into a nop. 822 | * `S6_LOGGING` (default = 0): 823 | * **`0`**: Outputs everything to stdout/stderr. 824 | * **`1`**: Uses an internal `catch-all` logger and persists everything on it, it is located in `/var/log/s6-uncaught-logs`. Anything run as a `CMD` is still output to stdout/stderr. 825 | * **`2`**: Uses an internal `catch-all` logger and persists everything on it, including the output of `CMD`. Absolutely nothing is written to stdout/stderr. 826 | * `S6_CATCHALL_USER` (default = root): if set, and if `S6_LOGGING` is 1 or 2, 827 | then the catch-all logger is run as this user, which must be defined in your 828 | image's `/etc/passwd`. Every bit of privilege separation helps a little with security. 829 | * `S6_BEHAVIOUR_IF_STAGE2_FAILS` (default = 0): determines what the container should do 830 | if one of the service scripts fails. This includes: 831 | * if the early stage2 hook exits nonzero (by default there's no hook) 832 | * if anything fails in `fix-attrs` 833 | * if any old-style `/etc/cont-init.d` or new-style [s6-rc](https://skarnet.org/software/s6-rc/) oneshot fails 834 | * if any old-style `/etc/services.d` or new-style [s6-rc](https://skarnet.org/software/s6-rc/) longrun is marked 835 | as expecting readiness notification, and fails to become *ready* in the allotted time (see 836 | `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` below). The valid values for `S6_BEHAVIOUR_IF_STAGE2_FAILS` 837 | are the following: 838 | * **`0`**: Continue silently even if a script has failed. 839 | * **`1`**: Continue but warn with an annoying error message. 840 | * **`2`**: Stop the container. 841 | * `S6_KILL_FINISH_MAXTIME` (default = 5000): How long (in milliseconds) the system should 842 | wait, at shutdown time, for a script in `/etc/cont-finish.d` to finish naturally. After this 843 | duration, the script will be sent a SIGKILL. Bear in mind that scripts in `/etc/cont.finish.d` 844 | are run sequentially, and the shutdown sequence will potentially wait for `S6_KILL_FINISH_MAXTIME` 845 | milliseconds for *each* script. 846 | * `S6_SERVICES_READYTIME` (default = 50): With services declared in `/etc/services.d`, there is 847 | an unavoidable race condition between the moment when services are started and the moment when 848 | they can be tested for readiness. To avoid that race, we sleep a little time, by default 50 849 | milliseconds, before testing for readiness. If your machine is slow or very busy, you may 850 | get errors looking like `s6-svwait: fatal: unable to s6_svstatus_read: No such file or directory`. 851 | In that case, you should increase the sleeping time, by declaring it (in milliseconds) in the 852 | `S6_SERVICES_READYTIME` variable. Note that it only concerns `/etc/services.d`; s6-rc is immune 853 | to the race condition. 854 | * `S6_SERVICES_GRACETIME` (default = 3000): How long (in milliseconds) `s6` should wait, 855 | at shutdown time, for services declared in `/etc/services.d` to die before proceeding 856 | with the rest of the shutdown. 857 | * `S6_KILL_GRACETIME` (default = 3000): How long (in milliseconds) `s6` should wait, at the end of 858 | the shutdown procedure when all the processes have received a TERM signal, for them to die 859 | before sending a `KILL` signal to make *sure* they're dead. 860 | * `S6_LOGGING_SCRIPT` (default = "n20 s1000000 T"): This env decides what to log and how, by default every line will prepend with ISO8601, rotated when the current logging file reaches 1mb and archived, at most, with 20 files. 861 | * `S6_CMD_ARG0` (default = not set): Value of this env var will be prepended to any `CMD` args passed by docker. Use it if you are migrating an existing image to s6-overlay and want to make it a drop-in replacement: setting this variable to the value of a previously used ENTRYPOINT will help you transition. 862 | * `S6_CMD_USE_TERMINAL` (default = 0): Set this value to **1** if you have a CMD that needs a terminal for its output 863 | (typically when you're running your container with `docker run -it`), and you have set `S6_LOGGING` to a nonzero value. 864 | This setting will make your CMD actually output to your terminal; the drawback is that its output will not be logged. 865 | By default (when this variable is **0** or not set), the stdout and stderr of your CMD are logged when `S6_LOGGING` is nonzero, 866 | which means they go to a pipe even if you're running it in an interactive terminal. 867 | * `S6_FIX_ATTRS_HIDDEN` (default = 0): Controls how `fix-attrs.d` scripts process files and directories. 868 | * **`0`**: Hidden files and directories are excluded. 869 | * **`1`**: All files and directories are processed. 870 | * `S6_CMD_WAIT_FOR_SERVICES` (default = 0): By default when the container starts, 871 | services in `/etc/services.d` will be started and execution will proceed to 872 | starting the `user2` bundle and the CMD, if any of these is defined. If 873 | `S6_CMD_WAIT_FOR_SERVICES` is nonzero, however, the container starting sequence 874 | will wait until the services in `/etc/services.d` are *ready* before proceeding 875 | with the rest of the sequence. Note that this is only significant if the services in `/etc/services.d` 876 | [notify their readiness](https://skarnet.org/software/s6/notifywhenup.html) to s6. 877 | * `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` (default = 0, i.e. infinite): The maximum time (in milliseconds) the services could take to bring up before proceding to CMD executing. 878 | Set this variable to a positive value if you have services that can potentially block indefinitely and you prefer the container to fail 879 | if not everything is up after a given time. 880 | Note that this value also includes the time setting up legacy container initialization (`/etc/cont-init.d`) and services (`/etc/services.d`), so 881 | take that into account when computing a suitable value. In versions of s6-overlay up to 3.1.6.2, the default was 5000 (five seconds), 882 | but it caused more unwanted container failures than it solved issues, so now there's no timeout by default: s6-overlay will wait as long as 883 | is necessary for all the services to be brought up. 884 | * `S6_READ_ONLY_ROOT` (default = 0): When running in a container whose root filesystem is read-only, set this env to **1** to inform init stage 2 that it should copy user-provided initialization scripts from `/etc` to `/run/s6/etc` before it attempts to change permissions, etc. See [Read-Only Root Filesystem](#read-only-root-filesystem) for more information. 885 | * `S6_SYNC_DISKS` (default = 0): Set this env to **1** to inform init stage 3 that it should attempt to sync filesystems before stopping the container. Note: this will likely sync all filesystems on the host. 886 | * `S6_STAGE2_HOOK` (default = none): If this variable exists, its contents 887 | will be interpreted as a shell excerpt that will be run in the early stage 2, 888 | before services are started. This can be used, for instance, to dynamically 889 | patch the service database at run-time right before it is compiled and run. 890 | If the hook program exits nonzero and `S6_BEHAVIOUR_IF_STAGE2_FAILS` is 2 or more, 891 | the container will stop instantly. Please note that running the wrong hook program 892 | may prevent your container from starting properly, or may endanger your security; 893 | so only use this if you know exactly what you are doing. When in doubt, leave 894 | this variable undefined. 895 | * `S6_VERBOSITY` (default = 2): controls the verbosity of s6-rc, and potentially 896 | other tools, at container start and stop time. The default, 2, is normally verbose: 897 | it will list the service start and stop operations. You can make the container quieter 898 | by decreasing this number: 1 will only print warnings and errors, and 0 will only 899 | print errors. You can also make the container _more_ verbose, i.e. print tracing and 900 | debug information, by increasing this number up to 5, but the output will quickly 901 | become _very_ noisy, and most people shouldn't need this. 902 | * `S6_CMD_RECEIVE_SIGNALS` (default = 0): decides whether signals sent to the 903 | container should be sent to the container's pid 1 or to the CMD. By default, when 904 | you perform for instance a `docker stop`, a TERM signal will be sent to the 905 | container's pid 1, which will trigger the full container shutdown sequence - but 906 | if a CMD is present, it will be among the last processes to be killed, only when 907 | everything else is down and the container is about to exit. If this variable is 908 | 1 or more, signals are diverted from pid 1 to the CMD, which means that `docker stop` 909 | will send a SIGTERM to the CMD instead, and the container will only trigger its shutdown 910 | procedure when the CMD is dead. Note that only SIGTERM, SIGQUIT, SIGINT, SIGUSR1, 911 | SIGUSR2, SIGPWR and SIGWINCH are diverted; other signals either are ignored or 912 | cannot be diverted and are necessarily handled by pid 1. Please be aware that using 913 | this option may prevent interactive CMDs from working at all - in other words, if 914 | you're running an interactive CMD in a terminal, don't set this variable; but that 915 | should be fine since in this case you already have interactive ways of stopping your CMD. 916 | * `S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES` (default = 0): yes, it's a 917 | mouthful, and yes, we're deadly serious. If you set this variable to 1 (or any non-zero 918 | value), s6-overlay will accept to boot in a situation where `/run` belongs to uid 0 and 919 | is world-writable (permissions 0777) but the container is run as a non-root user. This 920 | is the configuration enforced by some Kubernetes environments, and it is completely 921 | insecure, except that Kubernetes ensures isolation by its own security mechanisms; so, 922 | if you're in such a situation, set that variable, and s6-overlay will still print a 923 | (literally) bright red warning, but it will boot. Otherwise, by default, s6-overlay 924 | refuses to run when it encounters such a insecure setup that it doesn't have the 925 | necessary privileges to fix. 926 | 927 | ### syslog 928 | 929 | If software running in your container requires syslog, extract the 930 | `syslogd-overlay-noarch.tar.xz` tarball: 931 | that will give you a small syslogd emulation. Logs will be found 932 | under various subdirectories of `/var/log/syslogd`, for instance 933 | messages will be found in the `/var/log/syslogd/messages/` directory, 934 | the latest logs being available in the `/var/log/syslogd/messages/current` file. 935 | Logging directories are used rather than files so that logs can be 936 | automatically rotated without race conditions (that is a feature of 937 | [s6-log](https://skarnet.org/software/s6/s6-log.html)). 938 | 939 | It is recommended to add `syslog` and `sysllog` users to your image, for 940 | privilege separation; the syslogd emulation processes will run as these users 941 | if they exist. Otherwise they will default to `32760:32760` and `32761:32761`, 942 | numeric uids/gids that may already exist on your system. 943 | 944 | ## Performance 945 | 946 | - The noarch and symlinks tarballs are all tiny. The biggest tarball is the 947 | one that contains the binaries; it's around 650 kB. 948 | - Uncompressed on a tmpfs, the overlay scripts use about 120 kB, and the 949 | binaries for x86_64 use about 5.7 MB. 950 | - We haven't yet measured the time it takes for the container to be up and running 951 | once you run `docker run`, but you will notice it's fast. Faster than previous 952 | versions of s6-overlay, with fewer delays. And if you convert your `/etc/cont-init.d` 953 | scripts to the s6-rc format, they will be able to run in parallel, so you will 954 | gain even more performance. If you have benchmarks, please send them to us! 955 | 956 | 957 | ## Verifying Downloads 958 | 959 | The s6-overlay releases have a checksum files you can use to verify 960 | the download using SHA256: 961 | 962 | ```sh 963 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp 964 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz.sha256 /tmp 965 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp 966 | ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz.sha256 /tmp 967 | RUN cd /tmp && sha256sum -c *.sha256 968 | ``` 969 | 970 | ## Notes 971 | 972 | ### `USER` directive 973 | 974 | As of version 3.2.1.0, s6-overlay has limited support for running as a user other than `root`: 975 | 976 | * Tools like `fix-attrs` and `logutil-service` are unlikely to work (they rely 977 | on being able to change UIDs). 978 | * The syslogd emulation will not work. 979 | 980 | Generally speaking, if you're running a simple container with a main application and 981 | one or two support services, you may benefit from the `USER` directive if that is 982 | your preferred way of running containers. However, if you're running more than a few 983 | services, or daemons that expect a real system with complete Unix infrastructure, 984 | then USER is probably not a good idea and you would benefit more from using 985 | privilege separation between services in your container. 986 | 987 | ### Terminal support 988 | 989 | Generally speaking, you *should not* run your containers with `docker run -it`. 990 | It is bad practice to have console access to your containers. That said, if your 991 | CMD is interactive and needs a terminal, s6-overlay will try to support it whenever 992 | possible, but the nature of terminals makes it difficult to ensure that everything 993 | works perfectly in all cases. 994 | 995 | In particular, if you are stacking virtualization environments and other layers 996 | already have their own kludges for terminals - for instance, if you are running 997 | s6-overlay under qemu - then it is almost guaranteed that `docker run -it` will 998 | not work. However, once the container is running, you should always be able to 999 | access an interactive shell inside it via `docker exec -it containername /bin/sh`. 1000 | 1001 | The same caveats apply to stopping containers with ^C. Normally containers are 1002 | stopped via `docker stop`, or when the CMD exits; ^C is not an officially supported 1003 | method of stopping them. s6-overlay *tries* to exit cleanly on ^C, whether the 1004 | container is running with `-it` or not, but there will be cases where it is 1005 | unfortunately impossible. 1006 | 1007 | 1008 | ## Releases 1009 | 1010 | Over on the releases tab, we have a number of tarballs: 1011 | 1012 | * `s6-overlay-noarch.tar.xz`: the s6-overlay scripts. 1013 | * `s6-overlay-${arch}.tar.xz`: the binaries for platform *${arch}*. 1014 | They are statically compiled and will work with any Linux distribution. 1015 | * `s6-overlay-symlinks-noarch.tar.xz`: `/usr/bin` symlinks to the s6-overlay scripts. Totally optional. 1016 | * `s6-overlay-symlinks-arch.tar.xz`: `/usr/bin` symlinks to the skaware binaries. Totally optional. 1017 | * `syslogd-overlay-noarch.tar.xz`: the syslogd emulation. Totally optional. 1018 | * `s6-overlay-${version}.tar.xz`: the s6-overlay source. Download it if you want to build s6-overlay yourself. 1019 | 1020 | We have binaries for at least x86_64, aarch64, arm32, i486, i686, riscv64, and s390x. 1021 | The full list of supported arches can be found in [conf/toolchains](https://github.com/just-containers/s6-overlay/blob/master/conf/toolchains). 1022 | 1023 | ### Which architecture to use depending on your TARGETARCH 1024 | 1025 | The `${arch}` part in the `s6-overlay-${arch}.tar.xz` tarball uses 1026 | the naming conventions of gcc, which are not the ones that Docker 1027 | uses. (Everyone does something different in this field depending on 1028 | their needs, and no solution is better than any other, but the Docker 1029 | one is *worse* than others because its naming is inconsistent. The gcc 1030 | convention is better for us because it simplifies our builds greatly and 1031 | makes them more maintainable.) 1032 | 1033 | The following table should help you find the right tarball for you 1034 | if you're using the TARGETARCH value provided by Docker: 1035 | 1036 | | ${TARGETARCH} | ${arch} | Notes | 1037 | |:--------------|:--------|:----------------------| 1038 | | amd64 | x86_64 | | 1039 | | arm64 | aarch64 | | 1040 | | arm/v7 | arm | armv7 with soft-float | 1041 | | arm/v6 | armhf | Raspberry Pi 1 | 1042 | | 386 | i686 | i486 for very old hw | 1043 | | riscv64 | riscv64 | | 1044 | | s390x | s390x | | 1045 | 1046 | If you need another architecture, ask us and we'll try to make a toolchain 1047 | for it. In particular, we know that armv7 is a mess and needs a flurry of 1048 | options depending on your precise target (and this is one of the reasons why 1049 | the Docker naming system isn't good, although arguably the gcc naming system 1050 | isn't much better on that aspect). 1051 | 1052 | ## Contributing 1053 | 1054 | Any way you want! Open issues, open PRs, we welcome all contributors! 1055 | 1056 | ## Building the overlay yourself 1057 | 1058 | - Download the [s6-overlay source]. 1059 | - Check the [conf/defaults.mk](https://github.com/just-containers/s6-overlay/blob/master/conf/defaults.mk) 1060 | file for variables you may want to change. Do not modify the file itself. 1061 | - Call `make` followed by your variable assignments. Example: `make ARCH=riscv64-linux-musl` 1062 | to build the overlay for RISCV64. 1063 | - The tarballs will be in the `output` subdirectory, unless you changed the `OUTPUT` variable. 1064 | 1065 | ## Upgrade Notes 1066 | 1067 | Please see [CHANGELOG](./CHANGELOG.md). 1068 | -------------------------------------------------------------------------------- /conf/defaults.mk: -------------------------------------------------------------------------------- 1 | # This file normally shouldn't be changed; the values can be 2 | # overridden by invoking make with arguments. 3 | # e.g.: make SHEBANGDIR=/usr/bin VERSION=3.2.0.3 4 | 5 | # The version of the software being built. 6 | VERSION := 3.2.1.0 7 | 8 | # Where stuff is going to be built. Change for out-of-tree builds. 9 | OUTPUT := output 10 | 11 | # Where to find the execlineb program. 12 | # Change if building for a distro that provides its own skaware packages. 13 | SHEBANGDIR := /command 14 | 15 | # This is the target triplet for the toolchain. 16 | ARCH := x86_64-linux-musl 17 | 18 | # The path to the base toolchain. 19 | # Leave empty to fetch one from the web. 20 | TOOLCHAIN_PATH := 21 | 22 | # When fetching one from the web, what version we want. 23 | # Only a few versions are available, don't change blindly. 24 | TOOLCHAIN_VERSION := 14.2.0 25 | 26 | # For fetching toolchains: the download command. 27 | # Change to curl -O if you don't have wget. 28 | DL_CMD := wget 29 | -------------------------------------------------------------------------------- /conf/toolchains: -------------------------------------------------------------------------------- 1 | aarch64-linux-musl pi4 2 | arm-linux-musleabi genericv7a 3 | arm-linux-musleabihf pi1 4 | i486-linux-musl i486 5 | i686-linux-musl i686 6 | powerpc64-linux-musl talos 7 | powerpc64le-linux-musl talosel 8 | riscv64-linux-musl rocket 9 | s390x-linux-musl z196 10 | x86_64-linux-musl pc 11 | -------------------------------------------------------------------------------- /conf/versions: -------------------------------------------------------------------------------- 1 | # This file should be readable from a Makefile *and* from a shell. 2 | 3 | # These version numbers are either git commit hashes or git tags. 4 | # Try to keep to the latest commits. 5 | 6 | BEARSSL_VERSION=3c040368f6791553610e362401db1efff4b4c5b8 7 | # BEARSSL_VERSION=v0.6 8 | 9 | # SKALIBS_VERSION=6b8878ed9df46954d49d82bcc091c02a6a1a349e 10 | SKALIBS_VERSION=v2.14.4.0 11 | 12 | # EXECLINE_VERSION=b9eb768dc8a61251a0c39fb3845d898338892587 13 | EXECLINE_VERSION=v2.9.7.0 14 | 15 | # S6_VERSION=07a793bc3b40d690da98dbf4436ac4503061e0fe 16 | S6_VERSION=v2.13.2.0 17 | 18 | # S6_RC_VERSION=09ccd3128f2296d3a0cd1602e64caf06cf22c64f 19 | S6_RC_VERSION=v0.5.6.0 20 | 21 | # S6_LINUX_INIT_VERSION=445c07024609de545795e16035a4a1ab12586561 22 | S6_LINUX_INIT_VERSION=v1.1.3.0 23 | 24 | # S6_PORTABLE_UTILS_VERSION=bc7c571125e245bb5a08578e3b31752fc7335460 25 | S6_PORTABLE_UTILS_VERSION=v2.3.1.0 26 | 27 | # S6_LINUX_UTILS_VERSION=7cdb6a63f20f1abc96738ebf7b97effcae5bfd4b 28 | S6_LINUX_UTILS_VERSION=v2.6.3.0 29 | 30 | # S6_DNS_VERSION=2f3ccc92df447cc5705e6013e61c1e4bd75d393e 31 | S6_DNS_VERSION=v2.4.1.0 32 | 33 | # S6_NETWORKING_VERSION=70eaae07db27291d918aaf84f1c08bc0ac744534 34 | S6_NETWORKING_VERSION=v2.7.1.0 35 | 36 | # S6_OVERLAY_HELPERS_VERSION=3c3f6c5d1eea6454df2ecbcfca00cefe3453703f 37 | S6_OVERLAY_HELPERS_VERSION=v0.1.2.0 38 | -------------------------------------------------------------------------------- /doc/howto.txt: -------------------------------------------------------------------------------- 1 | 2 | How to build this version of s6-overlay: 3 | 4 | - look at the variables in conf/defaults.mk. Do not 5 | modify defaults.mk itself, but those variables are the ones 6 | you can pass to make for configuration. 7 | 8 | - look at the first column of conf/toolchains. These are 9 | the valid values for ARCH. More may be added later. The 10 | second column is an opaque tag for the downloaded toolchain 11 | giving the flavour of the arch. For instance, the 12 | aarch64-linux-musl toolchain is called "pi4" and will build 13 | binaries for a Raspberry Pi 4. 14 | 15 | - invoke make with the OUTPUT, ARCH, DL_CMD etc. that you want. 16 | Do not hesitate to -j8 if you have a big machine. Or to -j128 17 | if you have a REALLY big machine. 18 | 19 | - When it's done, there's a lot of stuff in the output directory. 20 | The ultimate targets are: 21 | 22 | * s6-overlay-${ARCH}.tar.xz: the tarball containing 23 | all the skaware binaries for ${ARCH}, all nice and static. It 24 | should be used by everyone who does not use a distro that provides 25 | the same binaries. 26 | 27 | * s6-overlay-symlinks-arch.tar.xz: the tarball 28 | containing /usr/bin symlinks to those binaries. It should normally 29 | not be used. It MUST NOT be used by distros providing binaries in 30 | /usr/bin. The only people who want this are the ones who want to 31 | manually call skaware binaries without putting /command in their PATH. 32 | The tarball is called "arch" because the symlinks point to the 33 | programs in the arch-dependent package; but since they're only 34 | symlinks, this tarball itself is not arch-dependent. 35 | 36 | * s6-overlay-noarch.tar.xz: this tarball contains 37 | s6-overlay itself, i.e. the set of scripts and files that allow a 38 | container to run under s6. Everyone who wants to run s6-overlay 39 | must install this. 40 | 41 | * s6-overlay-symlinks-noarch.tar.xz: this tarball 42 | contains /usr/bin symlinks to the few scripts provided by s6-overlay. 43 | The overlay itself will run without it, but if users have stuff 44 | like "/usr/bin/printcontenv" hardcoded in their scripts, these 45 | symlinks will help them. Distros that provide skaware binaries 46 | themselves (and do not use slashpackage) will almost certainly 47 | want to install this. 48 | 49 | * syslogd-overlay-noarch.tar.xz: this tarball 50 | contains scripts to run a syslogd emulation at container boot 51 | time. It basically replaces socklog-overlay. (The socklog binary 52 | itself isn't needed anymore since s6 provides a similar utility.) 53 | Users who install this will have a syslogd service in their 54 | container, logging to subdirs of /var/log/syslogd. 55 | -------------------------------------------------------------------------------- /doc/init.txt: -------------------------------------------------------------------------------- 1 | 2 | How the init works: 3 | 4 | - The entry point is /init. 5 | 6 | - /init sets PATH according to the user-configurable 7 | /etc/s6-overlay/config/global_path but makes sure it can still access the 8 | required binaries no matter where they are. 9 | - /init runs /package/admin/s6-overlay/libexec/preinit as root, even if 10 | the container is running with the USER directive. 11 | * preinit ensures that /run exists and is writable and executable, and 12 | that /var/run is a symlink to it. 13 | * preinit deletes and recreates /run/s6 and sets it to the real uid/gid 14 | of the process running the container. 15 | - /init execs into /package/admin/s6-overlay/libexec/stage0 16 | 17 | - stage0 invokes s6-linux-init-maker to create the stage 1 infrastructure 18 | depending on the S6_* environment variables given to the container. 19 | s6-l-i-m is normally intended to be run offline, but since we need a lot of 20 | runtime configurability, we run it online here; it works. 21 | - stage0 execs into the "init" script created by s6-l-i-m, which is the 22 | real stage1 init that normal machines boot on. It's in /run/s6/basedir/bin/init 23 | (it had to be created at run-time by stage0, which is why it's under /run) 24 | but it's just an execution of the s6-linux-init binary with some options. 25 | 26 | - stage1 sets up the supervision tree on /run/service, with (depending on 27 | the value of $S6_LOGGING) a catch-all logger logging to /run/uncaught-logs. 28 | * There are two early services: the catch-all logger (if required), and 29 | a service named s6-linux-init-shutdownd, which you can ignore - it's only 30 | active when the container is going to shut down. 31 | - stage1 execs into s6-svscan, which will remain pid 1 for the rest of 32 | the container's lifetime. 33 | - When the supervision tree is operational, stage2 runs; this is the 34 | /run/s6/basedir/scripts/rc.init script, whose source you can read in 35 | /package/admin/s6-overlay/etc/s6-linux-init/skel/rc.init 36 | 37 | - stage2 reads two s6-rc source directories: the system one in 38 | /package/admin/s6-overlay/etc/s6-rc/sources, and a user-provided one 39 | in /etc/s6-overlay/s6-rc.d which must provide a bundle named "user" 40 | (which can be empty). It compiles these source directories into a 41 | compiled s6-rc database in /run/s6/db. s6-rc-compile is normally intended 42 | to be run offline, but just like with s6-l-i-m, we don't care and we 43 | run it online here because we're going for flexibility and simplicity 44 | for users over a bootability guarantee and optimization of speed. 45 | - stage2 runs the s6-rc engine on that compiled database. This brings 46 | up several services, in that order: (note that S6_RUNTIME_PROFILE is 47 | supported for legacy stuff) 48 | * fix-attrs: reads the files in /etc/fix-attrs.d and fixes permissions 49 | accordingly. This is deprecated; please fix your file permissions from 50 | outside the container instead (or in your Dockerfile). 51 | * legacy-cont-init: runs all the scripts in /etc/cont-init.d 52 | * user: all the services defined in the user bundle, their source 53 | is in /etc/s6-overlay/s6-rc.d - that's where users should migrate 54 | their services in order to benefit from parallelism and dependency 55 | management. By default that user bundle is empty, unless the user has 56 | installed the syslogd-overlay tarball, in which case it contains the 57 | services that implement syslogd. 58 | * legacy-services: all the service directories in /etc/services.d 59 | are copied to /run/s6/legacy-services and linked to the scandir in 60 | /run/service, then s6-svscan is notified. Note that all of this happens 61 | *after* the user bundle has completed: legacy services are the last 62 | ones started. 63 | - That's it, the container is fully operational. 64 | 65 | - If there is no CMD, stage2 exits, having started all its services, 66 | and the container will keep running until something or someone instructs 67 | it to exit. 68 | - If there is a CMD, instead of exiting, stage2 spawns it, and waits 69 | for it to finish. Then it stops the container and returns the exit 70 | code of the CMD to the host. 71 | 72 | To make the container stop with a given exitcode, run: 73 | echo $exitcode > /run/s6-linux-init-container-results/exitcode && /run/s6/basedir/bin/halt 74 | 75 | Signals to s6-svscan (typically triggered by an outside "docker stop" command), 76 | s6-svscanctl commands, or manually running /run/s6/basedir/bin/poweroff or 77 | /run/s6/basedir/bin/shutdown should work as well, but then you do not have 78 | control on the exit code. 79 | -------------------------------------------------------------------------------- /doc/requirements.txt: -------------------------------------------------------------------------------- 1 | In order to build s6-overlay, you need: 2 | 3 | Hardware: 4 | - an x86_64 machine (we don't support crossing from other arches yet) 5 | - more or less 350 MB of disk per arch 6 | * ~ 250 MB for the toolchain 7 | * up to 100 MB for all the build artifacts 8 | * don't worry, the end results are super small 9 | - a functional network connection to d/l via https and git 10 | 11 | Software: 12 | - regular POSIX utilities (grep, find, xargs) 13 | - a cp that supports -a (GNU coreutils or busybox) 14 | - a sed that supports -i (GNU sed or busybox) 15 | - GNU make >= 3.81 16 | - GNU tar with support for .xz archives. We need the --owner options from GNU. 17 | - git 18 | - wget or curl or similar fetching command line utility 19 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/command/logutil-newfifo: -------------------------------------------------------------------------------- 1 | ../package/admin/s6-overlay/command/logutil-newfifo -------------------------------------------------------------------------------- /layout/rootfs-overlay/command/logutil-service: -------------------------------------------------------------------------------- 1 | ../package/admin/s6-overlay/command/logutil-service -------------------------------------------------------------------------------- /layout/rootfs-overlay/command/printcontenv: -------------------------------------------------------------------------------- 1 | ../package/admin/s6-overlay/command/printcontenv -------------------------------------------------------------------------------- /layout/rootfs-overlay/command/with-contenv: -------------------------------------------------------------------------------- 1 | ../package/admin/s6-overlay/command/with-contenv -------------------------------------------------------------------------------- /layout/rootfs-overlay/command/with-retries: -------------------------------------------------------------------------------- 1 | ../package/admin/s6-overlay/command/with-retries -------------------------------------------------------------------------------- /layout/rootfs-overlay/etc/s6-overlay/s6-rc.d/user/contents.d/.empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/etc/s6-overlay/s6-rc.d/user/contents.d/.empty -------------------------------------------------------------------------------- /layout/rootfs-overlay/etc/s6-overlay/s6-rc.d/user/type: -------------------------------------------------------------------------------- 1 | bundle 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/etc/s6-overlay/s6-rc.d/user2/contents.d/.empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/etc/s6-overlay/s6-rc.d/user2/contents.d/.empty -------------------------------------------------------------------------------- /layout/rootfs-overlay/etc/s6-overlay/s6-rc.d/user2/type: -------------------------------------------------------------------------------- 1 | bundle 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/init: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | # This is the first program launched at container start. 4 | # We don't know where our binaries are and we cannot guarantee 5 | # that the default PATH can access them. 6 | # So this script needs to be entirely self-contained until it has 7 | # at least /command, /usr/bin and /bin in its PATH. 8 | 9 | addpath () { 10 | x="$1" 11 | IFS=: 12 | set -- $PATH 13 | IFS= 14 | while test "$#" -gt 0 ; do 15 | if test "$1" = "$x" ; then 16 | return 17 | fi 18 | shift 19 | done 20 | PATH="${x}:$PATH" 21 | } 22 | 23 | if test -z "$PATH" ; then 24 | PATH=/bin 25 | fi 26 | 27 | addpath /bin 28 | addpath /usr/bin 29 | addpath /command 30 | export PATH 31 | 32 | 33 | # Wait for the Docker readiness notification, if any 34 | 35 | if read _ 2>/dev/null <&3 ; then 36 | exec 3<&- 37 | fi 38 | 39 | 40 | # Now we're good: s6-overlay-suexec is accessible via PATH, as are 41 | # all our binaries. 42 | # Run preinit as root, then run stage0 as the container's user (can be 43 | # root, can be a normal user). 44 | 45 | exec s6-overlay-suexec \ 46 | ' /package/admin/s6-overlay-@VERSION@/libexec/preinit' \ 47 | '' \ 48 | /package/admin/s6-overlay-@VERSION@/libexec/stage0 \ 49 | "$@" 50 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/command/logutil-newfifo: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb 2 | 3 | elgetopt "m:o:" 4 | multisubstitute 5 | { 6 | importas -u -D "0600" fmode ELGETOPT_m 7 | importas -u -D "root" owner ELGETOPT_o 8 | elgetpositionals -P0 9 | } 10 | emptyenv -oP 11 | if { eltest ${#} -ge 1 } 12 | 13 | if 14 | { 15 | fdmove -c 1 2 16 | s6-echo "logutil-newfifo: warning: this binary is deprecated, use s6-mkfifo and s6-chown instead" 17 | } 18 | 19 | if { s6-rmrf ${1} } 20 | if { s6-mkfifo -m ${fmode} -- ${1} } 21 | if 22 | { 23 | s6-envuidgid -- ${owner} 24 | s6-chown -U -- ${1} 25 | } 26 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/command/logutil-service: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb 2 | 3 | elgetopt "f:" 4 | multisubstitute 5 | { 6 | importas -u -D "" fifo ELGETOPT_f 7 | elgetpositionals -P0 8 | } 9 | emptyenv -oP 10 | if { eltest ${#} -ge 1 } 11 | ifelse { eltest -n ${fifo} } 12 | { 13 | redirfd -rnb 0 ${fifo} 14 | /package/admin/s6-overlay-@VERSION@/libexec/logutil-service-main ${1} 15 | } 16 | /package/admin/s6-overlay-@VERSION@/libexec/logutil-service-main ${1} 17 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/command/printcontenv: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | if test "$#" -eq 0 ; then 4 | echo 'printcontenv: fatal: too few arguments' 1>&2 5 | exit 100 6 | fi 7 | 8 | if test "0$S6_KEEP_ENV" -ne 0 ; then 9 | eval var=\"\$$1\" 10 | if test -z "$var" ; then 11 | exit 1 12 | else 13 | exec s6-echo -- "$var" 14 | fi 15 | else 16 | exec 2>/dev/null 17 | s6-cat < "/run/s6/container_environment/$1" && echo 18 | fi 19 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/command/with-contenv: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb -S0 2 | 3 | ifelse 4 | { 5 | importas -D 0 S6_KEEP_ENV S6_KEEP_ENV 6 | eltest 0${S6_KEEP_ENV} -eq 0 7 | } 8 | { 9 | emptyenv -p 10 | s6-envdir -Lfn -- /run/s6/container_environment 11 | exec 12 | $@ 13 | } 14 | 15 | $@ 16 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/command/with-retries: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb 2 | 3 | # 4 | # with-retries -n numretries -t millisecs prog... 5 | # 6 | 7 | elgetopt "n:t:" 8 | multisubstitute 9 | { 10 | importas -u -D 3 nretries ELGETOPT_n 11 | importas -u -D 500 timeout ELGETOPT_t 12 | elgetpositionals -P0 13 | } 14 | emptyenv -oP 15 | forbacktickx -x 0,1 -d"\n" i { s6-seq 0 ${nretries} } 16 | importas -u i i 17 | if { eltest ${i} -ne ${nretries} } 18 | foreground 19 | { 20 | s6-maximumtime -t ${timeout} 21 | $@ 22 | } 23 | importas -u ? ? 24 | if -x 99 { eltest ${?} -eq 0 } 25 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/CMDSIG: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if pid=`cat /run/s6/cmdpid 2>/dev/null` ; then 4 | kill -s "${0##*/SIG}" -- "$pid" 5 | else 6 | exec "${0}.s6-linux-init" 7 | fi 8 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | # This is stage 2, the part of the initialization that is run once 4 | # the s6 supervision tree has been set up. This is where all the 5 | # services are brought up, and the CMD, if any, is run. 6 | 7 | trap : INT # guard against ^C as much as possible 8 | 9 | prog=/run/s6/basedir/scripts/rc.init 10 | top="$1" ; shift 11 | 12 | haltwith () { 13 | echo "$1" > /run/s6-linux-init-container-results/exitcode 14 | exec /run/s6/basedir/bin/halt 15 | } 16 | 17 | if test -d /run/s6/container_environment ; then 18 | s6-chmod 0755 /run/s6/container_environment 19 | fi 20 | 21 | if v=`printcontenv S6_VERBOSITY` && eltest "$v" =~ '^[[:digit:]]+$' ; then : ; else 22 | v=2 23 | fi 24 | cv=$((v - 1)) 25 | if test "$cv" -lt 0 ; then 26 | cv=0 27 | fi 28 | 29 | if b=`printcontenv S6_BEHAVIOUR_IF_STAGE2_FAILS` && eltest "$b" =~ '^[[:digit:]]+$' ; then : ; else 30 | b=0 31 | fi 32 | 33 | if hook=`printcontenv S6_STAGE2_HOOK` && test -n "$hook" ; then 34 | set +e 35 | $hook 36 | r=$? 37 | set -e 38 | if test "$r" -gt 0 ; then 39 | if test "$b" -ge 2 ; then 40 | echo "$prog: fatal: hook $hook exited $r" 1>&2 41 | haltwith "$r" 42 | elif test "$v" -ge 1 ; then 43 | echo "$prog: warning: hook $hook exited $r" 1>&2 44 | fi 45 | elif test "$v" -ge 2 ; then 46 | echo "$prog: info: hook $hook exited $r" 1>&2 47 | fi 48 | fi 49 | 50 | if profile=`printcontenv S6_RUNTIME_PROFILE` ; then 51 | etc="/etc/cont-profile.d/$profile" 52 | else 53 | etc=/etc 54 | fi 55 | 56 | s6-rc-compile -v"$cv" /run/s6/db "$etc/s6-overlay/s6-rc.d" /package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources 57 | s6-rc-init -c /run/s6/db /run/service 58 | 59 | if timeout=`printcontenv S6_CMD_WAIT_FOR_SERVICES_MAXTIME` && eltest "$timeout" =~ '^[[:digit:]]+$' ; then : ; else 60 | timeout=0 61 | fi 62 | 63 | set +e 64 | s6-rc -v$v -u -t "$timeout" -- change "$top" 65 | r=$? 66 | set -e 67 | 68 | if test "$r" -gt 0 && test "$b" -gt 0 ; then 69 | echo "$prog: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information." 1>&2 70 | if test "$b" -ge 2 ; then 71 | echo "$prog: fatal: stopping the container." 1>&2 72 | haltwith "$r" 73 | fi 74 | fi 75 | 76 | if test "$#" -gt 0 ; then 77 | cd `s6-cat < /run/s6/workdir` 78 | set +e 79 | arg0=`printcontenv S6_CMD_ARG0` 80 | if t=`printcontenv S6_CMD_USE_TERMINAL` && eltest "$t" =~ '^[[:digit:]]+$' -a "$t" -gt 0 && t=`tty` ; then 81 | arg0="redirfd -w 1 $t fdmove -c 2 1 $arg0" 82 | fi 83 | if s=`printcontenv S6_CMD_RECEIVE_SIGNALS` && eltest "$s" =~ '^[[:digit:]]+$' -a "$s" -gt 0 ; then 84 | $arg0 "$@" & 85 | cmdpid="$!" 86 | echo "$cmdpid" > /run/s6/cmdpid 87 | wait "$cmdpid" 88 | r="$?" 89 | rm -f /run/s6/cmdpid 90 | else 91 | $arg0 "$@" 92 | r="$?" 93 | fi 94 | set -e 95 | haltwith "$r" 96 | fi 97 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.shutdown: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if test -d /run/s6/db ; then 4 | if v=`printcontenv S6_VERBOSITY` && eltest "$v" =~ '^[[:digit:]]+$' ; then : ; else 5 | v=2 6 | fi 7 | exec s6-rc -v$v -bda change 8 | fi 9 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.shutdown.final: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb -P 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/cont-finish: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if profile=`printcontenv S6_RUNTIME_PROFILE` ; then 4 | etc="/etc/cont-profile.d/$profile" 5 | else 6 | etc=/etc 7 | fi 8 | 9 | if v=`printcontenv S6_VERBOSITY` && eltest "$v" =~ '^[[:digit:]]+$' ; then : ; else 10 | v=2 11 | fi 12 | 13 | if kimeout=`printcontenv S6_KILL_FINISH_MAXTIME` && eltest "$kimeout" =~ '^[[:digit:]]+$' ; then : ; else 14 | kimeout=0 15 | fi 16 | 17 | for file in `s6-ls "$etc/cont-finish.d" 2>/dev/null | s6-sort` ; do 18 | if test $v -ge 2 ; then 19 | echo "cont-finish: info: running $etc/cont-finish.d/$file" 1>&2 20 | fi 21 | s6-maximumtime -k "$kimeout" "$etc/cont-finish.d/$file" 22 | done 23 | 24 | exit 0 25 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/cont-init: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | r=false 4 | 5 | if profile=`printcontenv S6_RUNTIME_PROFILE` ; then 6 | etc="/etc/cont-profile.d/$profile" 7 | else 8 | etc=/etc 9 | fi 10 | 11 | if v=`printcontenv S6_VERBOSITY` && eltest "$v" =~ '^[[:digit:]]+$' ; then : ; else 12 | v=2 13 | fi 14 | 15 | for file in `s6-ls "$etc/cont-init.d" 2>/dev/null | s6-sort` ; do 16 | if test $v -ge 2 ; then 17 | echo "cont-init: info: running $etc/cont-init.d/$file" 1>&2 18 | fi 19 | set +e 20 | "$etc/cont-init.d/$file" 21 | b="$?" 22 | set -e 23 | if test $v -ge 2 ; then 24 | echo "cont-init: info: $etc/cont-init.d/$file exited $b" 1>&2 25 | fi 26 | if test "$b" -ne 0 ; then 27 | r=true 28 | fi 29 | done 30 | 31 | if $r && b=0`printcontenv S6_BEHAVIOUR_IF_STAGE2_FAILS` && test "$b" -ne 0 ; then 32 | if test $v -ge 1 ; then 33 | echo 'cont-init: warning: some scripts exited nonzero' 1>&2 34 | fi 35 | if test "$b" -ge 2 ; then 36 | exit 1 37 | fi 38 | fi 39 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/fix-attrs: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | got=false 4 | err=false 5 | 6 | if profile=`printcontenv S6_RUNTIME_PROFILE` ; then 7 | etc="/etc/cont-profile.d/$profile" 8 | else 9 | etc=/etc 10 | fi 11 | 12 | if v=`printcontenv S6_VERBOSITY` && eltest "$v" =~ '^[[:digit:]]+$' ; then : ; else 13 | v=2 14 | fi 15 | 16 | apply () { 17 | if test $v -ge 2 ; then 18 | echo "fix-attrs: info: applying $1" 1>&2 19 | fi 20 | got=true 21 | if ! /package/admin/s6-overlay-@VERSION@/libexec/fix-attrs < "$1" ; then 22 | err=true 23 | fi 24 | } 25 | 26 | for file in `s6-ls "$etc/fix-attrs.d" 2>/dev/null | s6-sort` ; do 27 | apply "$etc/fix-attrs.d/$file" 28 | done 29 | 30 | if $got && test $v -ge 1 ; then 31 | echo 'fix-attrs: warning: fix-attrs is deprecated, please fix volume permissions in your container manager instead' 1>&2 32 | fi 33 | if $err && b=0`printcontenv S6_BEHAVIOUR_IF_STAGE2_FAILS` && test "$b" -ne 0 ; then 34 | if test $v -ge 1 ; then 35 | echo 'fix-attrs: warning: some fix files failed to apply' 1>&2 36 | fi 37 | if test "$b" -ge 2 ; then 38 | exit 1 39 | fi 40 | fi 41 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/services-down: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | dir=/run/s6/legacy-services 4 | list= 5 | links= 6 | 7 | for i in `s6-ls "$dir"` ; do 8 | links="$links /run/service/$i" 9 | list="$list $dir/$i" 10 | if test -d "$dir/$i/log" ; then 11 | list="$list $dir/$i/log" 12 | fi 13 | done 14 | 15 | if test -n "$list" ; then 16 | s6-rmrf $links 17 | s6-svscanctl -an /run/service 18 | if grace=`printcontenv S6_SERVICES_GRACETIME` && eltest "$grace" =~ '^[[:digit:]]+$' ; then : ; else 19 | grace=3000 20 | fi 21 | s6-svwait -D -t "$grace" -- $list 22 | fi 23 | 24 | exit 0 25 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/services-up: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | if profile=`printcontenv S6_RUNTIME_PROFILE` ; then 4 | etc="/etc/cont-profile.d/$profile" 5 | else 6 | etc=/etc 7 | fi 8 | 9 | if v=`printcontenv S6_VERBOSITY` && eltest "$v" =~ '^[[:digit:]]+$' ; then : ; else 10 | v=2 11 | fi 12 | 13 | dir=/run/s6/legacy-services 14 | 15 | s6-rmrf "$dir" 16 | s6-mkdir -p -m 0755 "$dir" 17 | list= 18 | notifno= 19 | notifyes= 20 | for i in `s6-ls "$etc/services.d" 2>/dev/null | s6-sort` ; do 21 | if test -d "$etc/services.d/$i" ; then 22 | list="$list $i" 23 | if test $v -ge 2 ; then 24 | s6-echo -n -- "services-up: info: copying legacy longrun $i" 1>&2 25 | fi 26 | s6-hiercopy "$etc/services.d/$i" "$dir/$i" 27 | if test -r "$dir/$i/notification-fd" ; then 28 | notifyes="$notifyes $dir/$i" 29 | if test $v -ge 2 ; then 30 | echo 1>&2 31 | fi 32 | else 33 | notifno="$notifno $dir/$i" 34 | if test $v -ge 2 ; then 35 | echo ' (no readiness notification)' 1>&2 36 | fi 37 | fi 38 | fi 39 | done 40 | 41 | for file in $list ; do 42 | s6-ln -nsf "$dir/$file" "/run/service/$file" 43 | done 44 | 45 | s6-svscanctl -a /run/service 46 | 47 | if dowait=`printcontenv S6_CMD_WAIT_FOR_SERVICES` && eltest "$dowait" =~ '^[[:digit:]]+$' -a "$dowait" -gt 0 ; then 48 | if maxtime=`printcontenv S6_CMD_WAIT_FOR_SERVICES_MAXTIME` && eltest "$maxtime" =~ '^[[:digit:]]+$' ; then : ; else 49 | maxtime=0 50 | fi 51 | 52 | if rtime=`printcontenv S6_SERVICES_READYTIME` && eltest "$rtime" =~ '^[[:digit:]]+$' ; then : ; else 53 | rtime=50 54 | fi 55 | 56 | # Increase if necessary. Unavoidable race condition, use s6-rc instead! 57 | s6-sleep -m "$rtime" 58 | 59 | r=false 60 | if test -n "$notifno" && ! s6-svwait -u -t "$maxtime" -- $notifno ; then 61 | r=true 62 | fi 63 | if test -n "$notifyes" && ! s6-svwait -U -t "$maxtime" -- $notifyes ; then 64 | r=true 65 | fi 66 | if $r && b=`printcontenv S6_BEHAVIOUR_IF_STAGE2_FAILS` && eltest "$b" =~ '^[[:digit:]]+$' -a "$b" -gt 0 ; then 67 | if test $v -ge 1 ; then 68 | echo 'services-up: warning: some legacy longruns failed to start' 1>&2 69 | fi 70 | if test "$b" -ge 2 ; then 71 | exit 1 72 | fi 73 | fi 74 | fi 75 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/base/contents.d/fix-attrs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/base/contents.d/fix-attrs -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/base/contents.d/legacy-cont-init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/base/contents.d/legacy-cont-init -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/base/type: -------------------------------------------------------------------------------- 1 | bundle 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/fix-attrs/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/fix-attrs/up: -------------------------------------------------------------------------------- 1 | /package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/fix-attrs 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-cont-init/dependencies.d/fix-attrs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-cont-init/dependencies.d/fix-attrs -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-cont-init/down: -------------------------------------------------------------------------------- 1 | /package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/cont-finish 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-cont-init/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-cont-init/up: -------------------------------------------------------------------------------- 1 | /package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/cont-init 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/dependencies.d/base -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/dependencies.d/user: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/dependencies.d/user -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/down: -------------------------------------------------------------------------------- 1 | /package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/services-down 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/legacy-services/up: -------------------------------------------------------------------------------- 1 | /package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/services-up 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/base -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/legacy-services: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/legacy-services -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/user: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/user -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/user2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/contents.d/user2 -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/sources/top/type: -------------------------------------------------------------------------------- 1 | bundle 2 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/fix-attrs: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | if test 0`printcontenv S6_FIX_ATTRS_HIDDEN` -ne 0 ; then 4 | lsopt='-a' 5 | else 6 | lsopt='' 7 | fi 8 | 9 | applyrec () { 10 | s6-chown -u "$3" -g "$4" -- "$1" 11 | if test -d "$1" ; then 12 | s6-chmod "$6" "$1" 13 | if test "$2" = true ; then 14 | for subfile in "`s6-ls $lsopt \"$1\"`" ; do 15 | applyrec "$1/$subfile" "$2" "$3" "$4" "$5" "$6" 16 | done 17 | fi 18 | else 19 | s6-chmod "$5" "$1" 20 | fi 21 | } 22 | 23 | while read globex recurse userentry fmode dmode ; do 24 | if test -n "$globex" && test "$globex" != "#" ; then 25 | account="${userentry%%,*}" 26 | if test "$account" != "$userentry" ; then 27 | default="-D${userentry#*,}" 28 | else 29 | default='-i' 30 | fi 31 | if test "${account%%:*}" != "$account" ; then 32 | opts='-nB' 33 | else 34 | opts='' 35 | fi 36 | uidgid=`s6-envuidgid "$default" $opts -- "$account" multisubstitute importas UID UID importas GID GID '' s6-echo -- '${UID}:${GID}'` 37 | uid=${uidgid%%:*} 38 | gid=${uidgid#*:} 39 | 40 | for file in $globex ; do 41 | applyrec "$file" "$recurse" "$uid" "$gid" "$fmode" "$dmode" 42 | done 43 | fi 44 | done 45 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/logutil-service-main: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb -S1 2 | 3 | backtick -D "n20 s1000000 T" -n S6_LOGGING_SCRIPT 4 | { 5 | printcontenv S6_LOGGING_SCRIPT 6 | } 7 | importas -u -sCd" \t" S6_LOGGING_SCRIPT S6_LOGGING_SCRIPT 8 | s6-envuidgid -D 65534:65534 nobody 9 | s6-applyuidgid -U 10 | exec -c 11 | s6-log -b -- ${S6_LOGGING_SCRIPT} ${1} 12 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | # This script is spawned by s6-overlay-suexec, as the 4 | # first thing in the userland boot process. 5 | # It is normally run as root, but some configurations want to 6 | # run completely unprivileged and s6-overlay-suexec is denied 7 | # suid, in which case preinit will be unprivileged as well. 8 | 9 | # The point of preinit is to sanity check the system to make 10 | # sure s6-linux-init can run in a safe configuration. If we 11 | # are root, or if the system has been correctly prepared by the 12 | # container manager for a privilegeless execution, we can fix 13 | # any issue we encounter. Otherwise, we just report the problem 14 | # and abort execution. 15 | 16 | # The UID, USER, EUID, GID, GROUP and EGID variables are set for 17 | # us by s6-overlay-suexec, so we can check every possible case. 18 | 19 | prog=/package/admin/s6-overlay/libexec/preinit 20 | 21 | checknoexec () { 22 | IFS=, 23 | set -- $1 24 | IFS= 25 | while test "$#" -gt 0 ; do 26 | if test "$1" = noexec ; then 27 | return 0 28 | fi 29 | shift 30 | done 31 | return 1 32 | } 33 | 34 | # Ensure /run is writable 35 | if test "0$S6_READ_ONLY_ROOT" -ne 0 ; then 36 | echo "$prog: info: read-only root" 1>&2 37 | if ! test -d /run ; then 38 | echo "$prog: fatal: /run is missing or not a directory" 1>&2 39 | exit 100 40 | fi 41 | if : > '/run/test of writability' 2>/dev/null ; then 42 | echo "$prog: info: writable /run. Checking for executability." 1>&2 43 | s6-rmrf '/run/test of writability' 44 | if ! s6-mount -o remount,rw,exec tmpfs /run 2>/dev/null ; then 45 | notfound=true 46 | while read these filesystem type options please ; do 47 | if test $filesystem = /run ; then 48 | notfound=false 49 | if checknoexec "$options" ; then 50 | echo "$prog: warning: your container manager pre-mounts run with \ 51 | the incorrect noexec option, which s6-overlay cannot work with; expect /init \ 52 | to crash soon. To fix the issue, either pre-mount /run with the exec option, \ 53 | or as a workaround give this container the CAP_SYS_ADMIN capability so \ 54 | s6-overlay can fix it at run time." 1>&2 55 | fi 56 | break 57 | fi 58 | done < /proc/mounts 59 | if $notfound ; then 60 | echo "$prog: warning: unable to find /run in /proc/mounts, check that \ 61 | your container manager pre-mounts /proc, and that /run is a tmpfs. The container \ 62 | is likely to crash soon, if /run is (incorrectly) mounted noexec." 1>&2 63 | fi 64 | fi 65 | else 66 | echo "$prog: info: creating a tmpfs on /run" 1>&2 67 | s6-mount -wt tmpfs -o exec,mode=0755 tmpfs /run 68 | fi 69 | else 70 | s6-mkdir -p -m 0755 /run 71 | fi 72 | 73 | eval `s6-overlay-stat /run` 74 | 75 | if test "0$S6_VERBOSITY" -gt 1 ; then 76 | echo "$prog: info: container permissions: uid=$UID ($USER), euid=$EUID, gid=$GID ($GROUP), egid=$EGID" 77 | echo "$prog: info: /run permissions: uid=$uid ($user), gid=$gid ($group), perms=$perms" 78 | fi 79 | 80 | if test "$UID" -ne "$uid" ; then # /run does not belong to the container user 81 | if test "$EUID" -eq 0 ; then 82 | echo "$prog: info: /run belongs to uid $uid instead of $UID - fixing it" 83 | s6-chown -U -- /run 84 | s6-chmod 0755 /run 85 | elif test "$GID" -eq 0 && test "$gid" -eq 0 ; then 86 | if echo "$perms" | s6-grep -qF gxgwgr && echo "$perms" | s6-grep -qvF ow ; then 87 | echo "$prog: info: using /run with gid 0" 88 | else 89 | echo "$prog: fatal: wrong permissions on /run for a gid 0 setup" 90 | exit 100 91 | fi 92 | else 93 | if test "$gid" -eq "$EGID" ; then x=g ; y=gs ; else x=o ; y= ; fi 94 | if test "$uid" -eq 0 && echo "$perms" | s6-grep -q "${x}x${x}w${x}r.*os${y}" ; then 95 | echo "$prog: warning: /run belongs to uid $uid instead of $UID, but we can still work in single-uid mapping." 96 | elif test "$uid" -eq 0 && echo "$perms" | s6-grep -q "oxoworgxgwgruxuwur" && test "0$S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES" -ne 0 ; then 97 | printf "$prog: \e[1;31mwarning\e[0m: /run belongs to uid $uid instead of $UID, \e[1;31mis world writable\e[0m, and we're lacking the privileges to fix it, but we have been instructed to accept it.\n" 98 | else 99 | echo "$prog: fatal: /run belongs to uid $uid instead of $UID, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it." 100 | exit 100 101 | fi 102 | fi 103 | fi 104 | 105 | # Ensure /var/run is a symlink to /run 106 | if test -L /var/run && test "`s6-linkname -f /var/run`" = /run ; then : ; else 107 | echo "$prog: notice: /var/run is not a symlink to /run, fixing it" 1>&2 108 | s6-rmrf /var/run 109 | s6-ln -s /run /var/run 110 | fi 111 | 112 | # Clean up in case /run hasn't been wiped or USER has changed 113 | s6-rmrf /run/s6 /run/service /run/uncaught-logs /run/s6-rc* 114 | s6-mkdir -m 0755 /run/s6 /run/service 115 | if test "0$UID" -ne 0 ; then 116 | s6-chown -U -- /run/s6 117 | s6-chown -U -- /run/service 118 | fi 119 | -------------------------------------------------------------------------------- /layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | # This script is run as pid 1 after preinit has exited. 4 | # It doesn't need privileges: it should run in all configurations. 5 | # It invokes s6-linux-init-maker with options depending on run-time 6 | # control variables, then execs into the init script created by 7 | # s6-linux-init-maker, which is stage 1. 8 | 9 | analyze_logging_script () { 10 | val=0 11 | t1=true 12 | t2=true 13 | set -- $S6_LOGGING_SCRIPT 14 | while test "$#" -gt 0 ; do 15 | if test "$1" = t && $t1 ; then 16 | val=$((val + 1)) 17 | t1=false 18 | elif test "$1" = T && $t2 ; then 19 | val=$((val + 2)) 20 | t2=false 21 | fi 22 | shift 23 | done 24 | echo $val 25 | } 26 | 27 | basedir=/run/s6/basedir 28 | 29 | if test -n "S6_LOGGING_SCRIPT" ; then 30 | stampopt="-t `analyze_logging_script`" 31 | else 32 | stampopt='-t 2' 33 | fi 34 | 35 | if test "0$S6_KEEP_ENV" -ne 0 ; then 36 | dumpopt='' 37 | else 38 | dumpopt='-s /run/s6/container_environment' 39 | fi 40 | 41 | if test "0$S6_LOGGING" -eq 2 ; then 42 | logopt='' 43 | elif test "0$S6_LOGGING" -eq 1 ; then 44 | logopt='-1' 45 | else 46 | logopt='-B' 47 | fi 48 | 49 | if test -n "$S6_CATCHALL_USER" && test "0$CONTAINER_UID" -eq 0 ; then 50 | loguseropt="-u $S6_CATCHALL_USER" 51 | else 52 | loguseropt='' 53 | fi 54 | 55 | if eltest "$S6_KILL_GRACETIME" =~ '^[[:digit:]]+$' ; then 56 | graceopt="-q $S6_KILL_GRACETIME" 57 | else 58 | graceopt='' 59 | fi 60 | 61 | if test "0$S6_SYNC_DISKS" -ne 0 ; then 62 | syncopt='-S' 63 | else 64 | syncopt='' 65 | fi 66 | 67 | s6-linux-init-maker -NC -D top -c "$basedir" -p "$PATH" -f /package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel $stampopt $dumpopt $logopt $loguseropt $graceopt $syncopt -- "$basedir" 68 | 69 | if test -z "$dumpopt" ; then 70 | s6-rename "$basedir/env" "$basedir/env.orig" 71 | s6-dumpenv -N "$basedir/env" 72 | for file in `s6-ls "$basedir/env.orig"` ; do 73 | s6-hiercopy "$basedir/env.orig/$file" "$basedir/env/$file" 74 | done 75 | fi 76 | 77 | if test "0$S6_CMD_RECEIVE_SIGNALS" -ne 0 ; then 78 | ctldir="$basedir/run-image/service/.s6-svscan" 79 | for sig in TERM QUIT INT USR1 USR2 PWR WINCH ; do 80 | s6-rename "$ctldir/SIG$sig" "$ctldir/SIG$sig".s6-linux-init 81 | s6-hiercopy /package/admin/s6-overlay/etc/s6-linux-init/skel/CMDSIG "$ctldir/SIG$sig" 82 | done 83 | fi 84 | 85 | pwd > /run/s6/workdir 86 | 87 | exec "$basedir/bin/init" "$@" 88 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-bundle/contents.d/syslogd-pipeline: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-bundle/contents.d/syslogd-pipeline -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-bundle/contents.d/syslogd-prepare: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-bundle/contents.d/syslogd-prepare -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-bundle/type: -------------------------------------------------------------------------------- 1 | bundle 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/consumer-for: -------------------------------------------------------------------------------- 1 | syslogd 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/dependencies.d/base -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/dependencies.d/syslogd-prepare: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/dependencies.d/syslogd-prepare -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/notification-fd: -------------------------------------------------------------------------------- 1 | 3 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/pipeline-name: -------------------------------------------------------------------------------- 1 | syslogd-pipeline 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/run: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb -P 2 | 3 | s6-envuidgid -D 32761:32761: -- sysllog 4 | s6-applyuidgid -U -- 5 | backtick -D "n20 s1000000" line { printcontenv S6_LOGGING_SCRIPT } 6 | multisubstitute 7 | { 8 | importas -usC T line 9 | define dir /var/log/syslogd 10 | } 11 | exec -c 12 | s6-log -d3 -- 13 | 14 | - +^auth\\. +^authpriv\\. $T ${dir}/secure 15 | - +^cron\\. $T ${dir}/cron 16 | - +^daemon\\. $T ${dir}/daemon 17 | - +^[[:alnum:]]*\\.debug: $T ${dir}/debug 18 | - +^[[:alnum:]]*\\.err: +^[[:alnum:]]*\\.error: +^[[:alnum:]]*\\.emerg: +^[[:alnum:]]*\\.alert: +^[[:alnum:]]*\\.crit: $T ${dir}/errors 19 | - +^kern\\. $T ${dir}/kernel 20 | - +mail\\. $T ${dir}/mail 21 | - +user\\. $T ${dir}/user 22 | - +^[[:alnum:]]*\\.info: +^[[:alnum:]]*\\.notice: +^[[:alnum:]]*\\.warn: -^auth\\. -^authpriv\\. -^cron\\. -daemon\\. -mail\\. $T ${dir}/messages 23 | + -^auth\\. -^authpriv\\. $T ${dir}/everything 24 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-log/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-prepare/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-prepare/dependencies.d/base -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-prepare/type: -------------------------------------------------------------------------------- 1 | oneshot 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd-prepare/up: -------------------------------------------------------------------------------- 1 | /package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/syslogd-prepare 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/dependencies.d/base: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/dependencies.d/base -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/dependencies.d/syslogd-prepare: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/dependencies.d/syslogd-prepare -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/notification-fd: -------------------------------------------------------------------------------- 1 | 3 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/producer-for: -------------------------------------------------------------------------------- 1 | syslogd-log 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/run: -------------------------------------------------------------------------------- 1 | #!@SHEBANGDIR@/execlineb -P 2 | 3 | s6-envuidgid -D 32760:32760: -- syslog 4 | s6-socklog -d3 -U -t3000 5 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/syslogd/type: -------------------------------------------------------------------------------- 1 | longrun 2 | -------------------------------------------------------------------------------- /layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/user/contents.d/syslogd-bundle: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/just-containers/s6-overlay/d6f37bb2052cfc5705154315419dcacb3975f11e/layout/syslogd-overlay/etc/s6-overlay/s6-rc.d/user/contents.d/syslogd-bundle -------------------------------------------------------------------------------- /layout/syslogd-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-rc/scripts/syslogd-prepare: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | dir=/var/log/syslogd 4 | subdirs='cron daemon debug errors everything kernel mail messages user' 5 | 6 | s6-mkdir -p -m 0755 "$dir" 7 | cd "$dir" 8 | s6-mkdir -p -m 0755 $subdirs 9 | 10 | uid=`s6-envuidgid -D 32761:32761: -- sysllog importas UID UID s6-echo '$UID'` 11 | gid=`s6-envuidgid -D 32761:32761: -- sysllog importas GID GID s6-echo '$GID'` 12 | for subdir in $subdirs . ; do 13 | s6-chown -u "$uid" -g "$gid" -- "$subdir" 14 | s6-chmod 02755 "$subdir" 15 | done 16 | s6-mkdir -p -m 0750 secure 17 | s6-chown -u "$uid" -g "$gid" secure 18 | s6-chmod 02750 secure 19 | -------------------------------------------------------------------------------- /mk/bearssl.mk: -------------------------------------------------------------------------------- 1 | BEARSSL_URLDIR := https://www.bearssl.org/git 2 | 3 | .PHONY: bearssl-download bearssl-prepare bearssl-build bearssl-install 4 | 5 | bearssl-download: $(OUTPUT)/sources/bearssl-$(BEARSSL_VERSION)/Makefile 6 | bearssl-prepare: $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/Makefile 7 | bearssl-build: $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/build/libbearssl.a 8 | bearssl-install: $(OUTPUT)/staging-$(ARCH)/include/bearssl.h $(OUTPUT)/staging-$(ARCH)/lib/libbearssl.a 9 | 10 | $(OUTPUT)/sources/BearSSL/Makefile: 11 | exec rm -rf $(OUTPUT)/sources/BearSSL 12 | exec mkdir -p $(OUTPUT)/sources 13 | cd $(OUTPUT)/sources && git clone $(BEARSSL_URLDIR)/BearSSL 14 | exec touch $@ 15 | 16 | $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/inc/bearssl.h: $(OUTPUT)/sources/BearSSL/Makefile 17 | exec rm -rf $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION) 18 | exec mkdir -p $(OUTPUT)/build-$(ARCH) 19 | exec cp -a $(OUTPUT)/sources/BearSSL $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION) 20 | cd $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION) && git checkout $(BEARSSL_VERSION) 21 | exec touch $@ 22 | 23 | $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/build/libbearssl.a: $(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/inc/bearssl.h 24 | cd $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION) && $(MAKE) lib CC=$(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc LD=$(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc LDDLL=$(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc 25 | 26 | $(OUTPUT)/staging-$(ARCH)/include/bearssl.h: $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/inc/bearssl.h 27 | exec mkdir -p $(OUTPUT)/staging-$(ARCH)/include 28 | exec cp -a $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/inc/*.h $(OUTPUT)/staging-$(ARCH)/include/ 29 | 30 | $(OUTPUT)/staging-$(ARCH)/lib/libbearssl.a: $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/build/libbearssl.a 31 | exec mkdir -p $(OUTPUT)/staging-$(ARCH)/lib 32 | exec cp -f $(OUTPUT)/build-$(ARCH)/bearssl-$(BEARSSL_VERSION)/build/libbearssl.a $(OUTPUT)/staging-$(ARCH)/lib/libbearssl.a 33 | -------------------------------------------------------------------------------- /mk/skaware.mk: -------------------------------------------------------------------------------- 1 | SKAWARE := SKALIBS EXECLINE S6 S6_RC S6_LINUX_INIT S6_PORTABLE_UTILS S6_LINUX_UTILS S6_DNS S6_NETWORKING S6_OVERLAY_HELPERS 2 | 3 | SKALIBS_DEPENDENCIES := 4 | EXECLINE_DEPENDENCIES := SKALIBS 5 | S6_DEPENDENCIES := SKALIBS EXECLINE 6 | S6_RC_DEPENDENCIES := SKALIBS EXECLINE S6 7 | S6_LINUX_INIT_DEPENDENCIES := SKALIBS EXECLINE S6 8 | S6_PORTABLE_UTILS_DEPENDENCIES := SKALIBS 9 | S6_LINUX_UTILS_DEPENDENCIES := SKALIBS 10 | S6_DNS_DEPENDENCIES := SKALIBS 11 | S6_NETWORKING_DEPENDENCIES := SKALIBS EXECLINE S6 S6_DNS 12 | S6_OVERLAY_HELPERS_DEPENDENCIES := SKALIBS EXECLINE 13 | 14 | SKALIBS_CATEGORY := prog 15 | EXECLINE_CATEGORY := admin 16 | S6_CATEGORY := admin 17 | S6_RC_CATEGORY := admin 18 | S6_LINUX_INIT_CATEGORY := admin 19 | S6_PORTABLE_UTILS_CATEGORY := admin 20 | S6_LINUX_UTILS_CATEGORY := admin 21 | S6_DNS_CATEGORY := web 22 | S6_NETWORKING_CATEGORY := net 23 | S6_OVERLAY_HELPERS_CATEGORY := admin 24 | 25 | SKALIBS_TOKEN := libskarnet.a.xyzzy 26 | EXECLINE_TOKEN := execline 27 | S6_TOKEN := s6-supervise 28 | S6_RC_TOKEN := s6-rc 29 | S6_LINUX_INIT_TOKEN := s6-linux-init-maker 30 | S6_PORTABLE_UTILS_TOKEN := s6-portable-utils 31 | S6_LINUX_UTILS_TOKEN := s6-linux-utils 32 | S6_DNS_TOKEN := s6-dnsip4 33 | S6_NETWORKING_TOKEN := s6-tlsd-io 34 | S6_OVERLAY_HELPERS_TOKEN := s6-overlay-suexec 35 | 36 | SKAWARE_OPTIONS := --enable-slashpackage --enable-static-libc --disable-shared 37 | SKALIBS_OPTIONS := --with-default-path=/command:/usr/bin:/bin --with-sysdep-devurandom=yes --with-sysdep-grndinsecure=no --with-sysdep-posixspawnearlyreturn=no --with-sysdep-procselfexe=/proc/self/exe 38 | EXECLINE_OPTIONS := --disable-pedantic-posix --enable-multicall 39 | S6_OPTIONS := 40 | S6_RC_OPTIONS := 41 | S6_LINUX_INIT_OPTIONS := 42 | S6_PORTABLE_UTILS_OPTIONS := --enable-multicall 43 | S6_LINUX_UTILS_OPTIONS := --enable-multicall 44 | S6_DNS_OPTIONS := 45 | S6_NETWORKING_OPTIONS := --enable-ssl=bearssl --with-ssl-path=$(OUTPUT)/staging-$(ARCH) 46 | S6_OVERLAY_HELPERS_OPTIONS := 47 | 48 | $(OUTPUT)/build-$(ARCH)/s6-networking-$(S6_NETWORKING_VERSION)/config.mak: $(OUTPUT)/staging-$(ARCH)/include/bearssl.h $(OUTPUT)/staging-$(ARCH)/lib/libbearssl.a 49 | 50 | .PHONY: skaware-install 51 | 52 | define skaware_rules_definition 53 | 54 | $(1)_NAME := $(subst _,-,$(shell echo $(1) | tr A-Z a-z)) 55 | $(1)_INCLUDE_LOCATION := $(OUTPUT)/staging-$(ARCH)/package/$$($(1)_CATEGORY)/$$($(1)_NAME)/include 56 | $(1)_LIBRARY_LOCATION := $(OUTPUT)/staging-$(ARCH)/package/$$($(1)_CATEGORY)/$$($(1)_NAME)/library 57 | 58 | .PHONY: $$($(1)_NAME)-download $$($(1)_NAME)-prepare $$($(1)_NAME)-configure $$($(1)_NAME)-build $$($(1)_NAME)-install 59 | 60 | $$($(1)_NAME)-download: $(OUTPUT)/sources/$$($(1)_NAME)/Makefile 61 | $$($(1)_NAME)-prepare: $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/Makefile 62 | $$($(1)_NAME)-configure: $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/config.mak 63 | $$($(1)_NAME)-build: $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/$$($(1)_TOKEN) 64 | $$($(1)_NAME)-install: $(OUTPUT)/staging-$(ARCH)/package/$$($(1)_CATEGORY)/$$($(1)_NAME)/include/$$($(1)_NAME)/config.h 65 | 66 | $(OUTPUT)/sources/$$($(1)_NAME)/Makefile: 67 | exec rm -rf $(OUTPUT)/sources/$$($(1)_NAME) 68 | exec mkdir -p $(OUTPUT)/sources 69 | cd $(OUTPUT)/sources && git clone $$(if $(filter S6_OVERLAY_%,$(1)),https://github.com/just-containers/$$($(1)_NAME).git,git://git.skarnet.org/$$($(1)_NAME)) 70 | exec touch $$@ 71 | 72 | $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/Makefile: $(OUTPUT)/sources/$$($(1)_NAME)/Makefile 73 | exec rm -rf $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION) 74 | exec mkdir -p $(OUTPUT)/build-$(ARCH) 75 | exec cp -a $(OUTPUT)/sources/$$($(1)_NAME) $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION) 76 | cd $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION) && git checkout $$($(1)_VERSION) && rm -rf .git 77 | exec touch $$@ 78 | 79 | $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/config.mak: $(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/Makefile $$(foreach dep,$$($(1)_DEPENDENCIES),$(OUTPUT)/staging-$(ARCH)/package/$$($$(dep)_CATEGORY)/$$($$(dep)_NAME)/include/$$($$(dep)_NAME)/config.h) 80 | cd $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION) && env "PATH=$(TOOLCHAIN_PATH)/bin:$$(PATH)" "DESTDIR=$(OUTPUT)/staging-$(ARCH)" ./configure --target=$(ARCH) $(SKAWARE_OPTIONS) $$($(1)_OPTIONS) 81 | 82 | $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/$$($(1)_TOKEN): $(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/config.mak 83 | cd $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION) && env "PATH=$(TOOLCHAIN_PATH)/bin:$$(PATH)" $(MAKE) && env "PATH=$(TOOLCHAIN_PATH)/bin:$$(PATH)" $(MAKE) strip 84 | 85 | $(OUTPUT)/staging-$(ARCH)/package/$$($(1)_CATEGORY)/$$($(1)_NAME)/include/$$($(1)_NAME)/config.h: $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION)/$$($(1)_TOKEN) 86 | cd $(OUTPUT)/build-$(ARCH)/$$($(1)_NAME)-$$($(1)_VERSION) && env "PATH=$(TOOLCHAIN_PATH)/bin:$$(PATH)" $(MAKE) -L install update global-links DESTDIR=$(OUTPUT)/staging-$(ARCH) 87 | 88 | skaware-install: $(OUTPUT)/staging-$(ARCH)/package/$$($(1)_CATEGORY)/$$($(1)_NAME)/include/$$($(1)_NAME)/config.h 89 | 90 | endef 91 | 92 | $(foreach pkg,$(SKAWARE),$(eval $(call skaware_rules_definition,$(pkg)))) 93 | -------------------------------------------------------------------------------- /mk/toolchain.mk: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(TOOLCHAIN_PATH)),) 2 | 3 | TOOLCHAIN_URLDIR := https://skarnet.org/toolchains/cross 4 | 5 | TOOLCHAIN_SUFFIX := $(shell grep -E ^$(ARCH)[[:blank:]] conf/toolchains | { read a b; echo "$$b"; }) 6 | ifeq ($(TOOLCHAIN_SUFFIX),) 7 | $(error Unsupported ARCH variable: $(ARCH). Check conf/toolchains for supported ones.) 8 | endif 9 | 10 | TOOLCHAIN_PATH := $(OUTPUT)/sources/$(ARCH)_$(TOOLCHAIN_SUFFIX)-$(TOOLCHAIN_VERSION) 11 | 12 | $(TOOLCHAIN_PATH).tar.xz: 13 | exec mkdir -p $(OUTPUT)/sources 14 | cd $(OUTPUT)/sources && $(DL_CMD) $(TOOLCHAIN_URLDIR)/$(ARCH)_$(TOOLCHAIN_SUFFIX)-$(TOOLCHAIN_VERSION).tar.xz 15 | 16 | $(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc: $(TOOLCHAIN_PATH).tar.xz 17 | cd $(OUTPUT)/sources && tar -Jxpvf $(ARCH)_$(TOOLCHAIN_SUFFIX)-$(TOOLCHAIN_VERSION).tar.xz 18 | exec touch $(TOOLCHAIN_PATH)/bin/$(ARCH)-gcc 19 | 20 | endif 21 | --------------------------------------------------------------------------------