lifecycle: optimise container lifecycle and process signals (#3332)
* add dumb-init, use exec in wrapper Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix exec? Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
d4b8dd7fcc
commit
db1dd196e0
|
@ -87,7 +87,7 @@ COPY --from=web-builder /work/web/dist/ /web/dist/
|
|||
COPY --from=web-builder /work/web/authentik/ /web/authentik/
|
||||
COPY --from=website-builder /work/website/help/ /website/help/
|
||||
|
||||
USER authentik
|
||||
USER 1000
|
||||
|
||||
ENV TMPDIR /dev/shm/
|
||||
ENV PYTHONUNBUFFERED 1
|
||||
|
@ -95,4 +95,4 @@ ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
|
|||
|
||||
HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "/lifecycle/ak", "healthcheck" ]
|
||||
|
||||
ENTRYPOINT [ "/lifecycle/ak" ]
|
||||
ENTRYPOINT [ "/usr/local/bin/dumb-init", "--", "/lifecycle/ak" ]
|
||||
|
|
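Review bot: `USER 1000` (which appears to be the new side of the first hunk) only lines up with the `authentik` account the wrapper script relies on if that account is created with UID 1000. The user creation is outside the hunk, so confirm it passes an explicit UID, and add a comment above the line such as `# numeric UID so runtimes can verify the image is non-root without resolving /etc/passwd`. In the second hunk the ENTRYPOINT hard-codes `/usr/local/bin/dumb-init`, presumably the location where the Python package drops the binary. A build step like `RUN test -x /usr/local/bin/dumb-init` would turn a changed install prefix into a build failure instead of an image that cannot start.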
14
lifecycle/ak
14
lifecycle/ak
|
@ -29,7 +29,7 @@ function check_if_root {
|
|||
fi
|
||||
# Fix permissions of backups and media
|
||||
chown -R authentik:authentik /media /certs
|
||||
chpst -u authentik:$GROUP env HOME=/authentik $1
|
||||
exec chpst -u authentik:$GROUP env HOME=/authentik $1
|
||||
}
|
||||
|
||||
MODE_FILE="/tmp/authentik-mode"
|
||||
|
@ -41,7 +41,7 @@ if [[ "$1" == "server" ]]; then
|
|||
if [[ ! -z "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || ! -z "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
|
||||
python -m manage bootstrap_tasks
|
||||
fi
|
||||
/authentik-proxy
|
||||
exec /authentik-proxy
|
||||
elif [[ "$1" == "worker" ]]; then
|
||||
wait_for_db
|
||||
echo "worker" > $MODE_FILE
|
||||
|
@ -56,12 +56,14 @@ elif [[ "$1" == "test" ]]; then
|
|||
elif [[ "$1" == "healthcheck" ]]; then
|
||||
mode=$(cat $MODE_FILE)
|
||||
if [[ $mode == "server" ]]; then
|
||||
curl --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/
|
||||
exec curl --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/
|
||||
elif [[ $mode == "worker" ]]; then
|
||||
celery -A authentik.root.celery inspect ping -d celery@$HOSTNAME --timeout 5 -j
|
||||
exec celery -A authentik.root.celery inspect ping -d celery@$HOSTNAME --timeout 5 -j
|
||||
fi
|
||||
elif [[ "$1" == "dump_config" ]]; then
|
||||
python -m authentik.lib.config
|
||||
exec python -m authentik.lib.config
|
||||
elif [[ "$1" == "debug" ]]; then
|
||||
exec sleep infinity
|
||||
else
|
||||
python -m manage "$@"
|
||||
exec python -m manage "$@"
|
||||
fi
|
||||
|
|
|
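Review bot: In the healthcheck branch of the last hunk, `exec curl ... -I http://localhost:9000/-/health/ready/` makes curl's exit status the health result, but without `--fail` curl exits 0 on an HTTP 4xx/5xx response, so a server answering 503 on the readiness endpoint would still be reported healthy. Consider `exec curl --fail --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/`. The same branch has no `else`, so when `$MODE_FILE` is missing or holds an unexpected value the script appears to fall through with status 0; adding `else exit 1` would make that case fail closed. The surrounding if/elif chain starts outside the hunk.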
@ -744,6 +744,14 @@ uritemplate = ">=2.0.0"
|
|||
offline = ["drf-spectacular-sidecar"]
|
||||
sidecar = ["drf-spectacular-sidecar"]
|
||||
|
||||
[[package]]
|
||||
name = "dumb-init"
|
||||
version = "1.2.5.post1"
|
||||
description = "Simple wrapper script which proxies signals to a child"
|
||||
category = "main"
|
||||
optional = false
|
||||
python-versions = "*"
|
||||
|
||||
[[package]]
|
||||
name = "duo-client"
|
||||
version = "4.4.0"
|
||||
|
@ -2085,7 +2093,7 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
|
|||
[metadata]
|
||||
lock-version = "1.1"
|
||||
python-versions = "^3.10"
|
||||
content-hash = "e2096a66167fa7ab127faa9de091b18519491c23a736b33961b2259fe85d4185"
|
||||
content-hash = "acbd25177fb5880a50d29da1b0cab9ab09b67078beea12495527695c55ef2ea8"
|
||||
|
||||
[metadata.files]
|
||||
aiohttp = [
|
||||
|
@ -2553,6 +2561,13 @@ drf-spectacular = [
|
|||
{file = "drf-spectacular-0.23.1.tar.gz", hash = "sha256:d1724da1fd4ae99d66333b1c8530f3c51788d87b380f5951830bf8405f234120"},
|
||||
{file = "drf_spectacular-0.23.1-py3-none-any.whl", hash = "sha256:2e42ae16717a5c3b2ae8632ac2b92f7eeb7b4fb9a941bc7879a92343e50ddeb6"},
|
||||
]
|
||||
dumb-init = [
|
||||
{file = "dumb-init-1.2.5.post1.tar.gz", hash = "sha256:6510538a975e0de10658b0210ec2ad62dc3617543af5c6fbd29a3af111eae981"},
|
||||
{file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5d6b1fe9b8efcdbbdcb670efe7a55f9117251ee9648d35ffd0c487fd79515ea5"},
|
||||
{file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a516a16a7dfed012de2524eb449e31f7f583b11b938eebb3ec09fd194497293d"},
|
||||
{file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c52a20fe73a6f56501079f969775098ab83bd9c73648b9e4eb68fa1b02a9b98e"},
|
||||
{file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:fc1e309f52c898ee00df056189f46ca3f6055a72b77015f4eefbd7c58c45290f"},
|
||||
]
|
||||
duo-client = [
|
||||
{file = "duo_client-4.4.0-py2.py3-none-any.whl", hash = "sha256:927b7e838433b20debc8d07c2c418c2e1b650735acb9fcf214eaa3a2caf00358"},
|
||||
{file = "duo_client-4.4.0.tar.gz", hash = "sha256:44e06bf730a201a1e1749215ef16d2c2682a73532eedd58d63663a8adabba3d3"},
|
||||
|
|
|
@ -141,6 +141,7 @@ webauthn = "*"
|
|||
wsproto = "*"
|
||||
xmlsec = "*"
|
||||
twilio = "*"
|
||||
dumb-init = "*"
|
||||
|
||||
[tool.poetry.dev-dependencies]
|
||||
bandit = "*"
|
||||
|
|
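Review bot: `dumb-init = "*"` adds a native init binary to the runtime dependency list with nothing to say it is not a Python import, so a later cleanup of unused packages could drop it and break the container ENTRYPOINT. A comment above the line such as `# provides the dumb-init binary used as the container ENTRYPOINT; not imported by Python code` would record that. Because this binary becomes PID 1 of the image, it is worth confirming that the image build installs from the lock file with hash checking, so the sha256 entries recorded for the dumb-init wheels are actually enforced; the install step is not visible on this page.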