Docker-based SVC-Runner installation
Image layers overview
ITEG-made applications using the svc-runner will be provided as product-specific and often customer-specific Docker images. They will be based on the core image svc-runner-base and inherit its basic structure, which is described below.
The typical layer structure will look like this:
| Image name | Typical tag(s) | Content added | Main location |
|---|---|---|---|
| debian | trixie-slim | Slim Debian stable | Dockerhub, everywhere |
| svc-runner-base | 1-java21 | JRE, SVC-Runner, Tools | ITEG-Harbor, Dockerhub |
| svc-runner-itegized | 1-java21 | Common ITEG addons | ITEG-Harbor |
| svc-runner-foo | beta, prod | Application foo | ITEG-Harbor |
| svc-runner-foo-bar | beta, prod | Preparations for customer bar | ITEG-Harbor, customer registry |
| Customer specific | beta, prod | Final image-level configuration | Customer registry |
| - (container) | - | Orchestration (conf, secrets, volumes, ...) | Docker runtime environment |
SVC-Runner on Dockerhub
The base image should always be publicly available. Running the base image isn't too useful, but it allows you to prepare a deploy toolchain. We plan to add a hello world application soon.
The core image is publicly available from Dockerhub as clazzesorg/svc-runner-base.
The default :latest tag is sometimes used for "latest stable", sometimes for "latest commit by the new intern" (or worse, AI). To avoid this ambiguity we decided to go with tags based on the generation, beta or prod, and variants or flavours; see svc-runner-base tags for a complete list.
ITEG-Harbor
The main home for product images is ITEG's own registry, currently a Harbor installation.
For security reasons, access to ITEG's Harbor registry is restricted by client IP address and by user/password or tokens.
Customers can choose between getting pull access to our registry and providing push access to their own registry.
Details of image svc-runner-base
Volumes
The main volumes are:
| Volume or file(s) | Content and non-content | Remarks |
|---|---|---|
| /etc/default/svc-runner-extras* | Scripts for picking up environment variables | Sourced by /etc/default/svc-runner |
| /etc/svc-runner/adm.d.override/ or *.yaml | Optional instance specific configurations | For examples look in /etc/svc-runner/adm.d/*.yaml |
| /etc/svc-runner/adm.d/ or *.yaml | Default configurations | Don't touch, use as templates for adm.d.override/ |
| /etc/svc-runner/ssh.d/ | Directory for the following files for the SSH daemon | OK to mount whole directory read-only if filled |
| /etc/svc-runner/ssh.d/authorized_keys | Public parts of permitted SSH keys | See below and man authorized_keys |
| /etc/svc-runner/ssh.d/ssh_host_ed25519_key | Private part of host key for SSH daemon | Create once per instance, then keep stable |
| /etc/svc-runner/ssh.d/ssh_host_ed25519_key.pub | Public part of host key for SSH daemon | Create once per instance, then keep stable |
| /usr/local/share/ca-certificates/, *.cer, *.pem | Custom CA certificates | Requires USE_SYSTEM_CA_CERTS=1 to be respected |
| /certificates/ | Same, for backwards compatibility | Requires USE_SYSTEM_CA_CERTS=1 to be respected |
| /usr/share/svc-runner/drivers/*.jar | Additional database drivers | Common database drivers are provided in the image |
More information about the *.yaml files and ssh.d/ content can be found in SVC-Runner configuration.
When logging to files instead of stdout you might want to mount a logging directory as a volume too.
Environment variables and Docker secrets
Important environment variables are:
| Environment variable | Example content | Remarks |
|---|---|---|
| USE_SYSTEM_CA_CERTS | 1 | 1 enables pickup of custom CA certificates |
| SVCRUNNER_DEBUG | false, true | true enables debugging on port 8802 |
| SVCRUNNER_FULL_STACKTRACES | false, true | true enables full stacktraces for NPEs |
| SVCRUNNER_OPTS_EXTRAS | -Doracle.net.tns_admin=/etc/svc-runner/oracle.d | |
Other typical content for SVCRUNNER_OPTS_EXTRAS includes memory settings like -Xms256m -Xmx1024m, and -XX:+ExitOnOutOfMemoryError.
Environment variables as well as Docker secrets can also be used in configuration files; for more, see SVC-Runner configuration.
Network ports
The following TCP network ports are open by default or depending on configuration:
| Port | Protocol | Purpose | Remarks |
|---|---|---|---|
| 2200 | SSH | Debugging | |
| 8800 | HTTP | Web UI(s) | |
| 8802 | Java debugging | Deep debugging | Only available if $SVCRUNNER_DEBUG set true |
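
The volumes, environment variables and ports above combined into one start script, as an added example that is not ITEG's own tooling. The host directory layout, the container name svc-runner-demo, the binding of ports 2200 and 8802 to 127.0.0.1 and the DOCKER dry-run variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ITEG tooling. Container paths, variables, ports and the
# image name come from this page; the host layout, the container name and
# the 127.0.0.1 bindings are assumptions.
set -eu

# Host key: create once per instance, then keep it stable across restarts.
ensure_host_key() {
    key="$1/ssh_host_ed25519_key"
    mkdir -p "$1"
    if [ ! -s "$key" ]; then
        ssh-keygen -q -t ed25519 -N '' -f "$key"   # also writes "$key.pub"
    fi
}

# ssh.d is only mounted read-only once all three files are present.
ssh_dir_filled() {
    [ -s "$1/authorized_keys" ] && [ -s "$1/ssh_host_ed25519_key" ] &&
        [ -s "$1/ssh_host_ed25519_key.pub" ]
}

# $1 = absolute host config dir, $2 = true|false for SVCRUNNER_DEBUG.
# DOCKER=echo (hypothetical switch) prints the arguments instead of running.
start_container() {
    conf=$1
    debug=${2:-false}
    ssh_dir_filled "$conf/ssh.d" ||
        { echo "ssh.d not filled: $conf/ssh.d" >&2; return 1; }
    # Web UI is published; SSH debugging stays on the host's loopback.
    set -- -p 8800:8800 -p 127.0.0.1:2200:2200
    if [ "$debug" = true ]; then
        set -- "$@" -p 127.0.0.1:8802:8802   # Java debugging, loopback only
    fi
    "${DOCKER:-docker}" run -d --name svc-runner-demo "$@" \
        -e USE_SYSTEM_CA_CERTS=1 -e "SVCRUNNER_DEBUG=$debug" \
        -e "SVCRUNNER_OPTS_EXTRAS=-Xms256m -Xmx1024m -XX:+ExitOnOutOfMemoryError" \
        -v "$conf/ssh.d:/etc/svc-runner/ssh.d:ro" \
        -v "$conf/adm.d.override:/etc/svc-runner/adm.d.override" \
        -v "$conf/ca:/usr/local/share/ca-certificates" \
        clazzesorg/svc-runner-base:1-java21
}

# Usage: sh start-svc-runner.sh /srv/svc-runner [true|false]
if [ $# -ge 1 ]; then
    ensure_host_key "$1/ssh.d"
    start_container "$@"
fi
```

The script refuses to start the container until authorized_keys has been placed in ssh.d, since that directory is mounted read-only.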