All Docker containers created or maintained by TIER are built to the specifications described in this document. We have tried to limit the requirements to the
In order to facilitate support, TIER has made decisions throughout the course of the project to standardize on certain sub-components and more recently to ensure that TIER containers are compatible with our default orchestration strategy of using Docker Swarm mode via Compose.
Secret Processing
Assume secrets are mounted in /run/secrets (to support compose in swarm)
Secret Availability - in-container startup script behavior
Accept the secret in the environment, e.g.,
COMPONENT_DATABASE_PASSWORD=foobar
If the filename version of the name exists, prefer it:
COMPONENT_DATABASE_PASSWORD_FILE=/var/run/secrets/some_file
If both exist, prefer the FILE option a
Logging
All containers log to stdout
Goal - easily parsable logs for:
Component Name
Native logfile name
Environment (e.g., Prod, Dev, test)
A user supplied token via the environment
We will have deployers use the --log-opt tag
This solution solves items 3.iii.2.a, 3.iii.2.c, and 3.iii.2.d
To solve 3.iii.2.b, we need an inventory of components where we are unable to change logfile format. Components with a single logfile per container should be OK and not need remediation.
Supervisord
Issue: can not change format of logfile to prepend “supervisord.log”.
Looked at potential for external process to transform log format before writing to stdout but prefer not to use this mechanism due to added complexity
Scott did some digging
No good news - a source code change is needed
The code is python but they do not use python logging
[AI] Scott will ask about possibility for a feature update
Mariadb - should be OK, single logfile per container
OpenLDAP - should be OK, single logfile per container
COmanage (yet--this could become a requirement for upstream)
Shibboleth idp
Shibboleth itself OK via log4j
Catalina.out tomcat issues
Grouper
Core grouper logging will be ok
Same issues with Supervisord and tomcat