feat: First version (#1)

.gitattributes

@@ -1,2 +1,4 @@
 * text=auto
-*.sh         eol=lf
+*.sh         eol=lf
+cron-tick-execute eol=lf
+cron-tick eol=lf

.github/settings.yml

@@ -1,6 +1,6 @@
 # https://developer.github.com/v3/repos/#edit
 repository:
-  name: docker-$$IMAGE_NAME$$
+  name: docker-cron-base
   description: ""
   homepage: https://homecentr.github.io/
   private: false

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
   pull_request:
 
 env:
-  IMAGE_NAME: "homecentr/$$IMAGE_NAME$$"
+  IMAGE_NAME: "homecentr/cron-base"
 
 jobs:
   build:
@@ -30,7 +30,7 @@ jobs:
         run: docker build . -t ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }}
 
       - name: Test Docker image
-        run: cd tests && sudo gradle test --info -Dimage_tag=${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }}
+        run: cd tests && sudo gradle test --info -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }}
 
       - name: Scan with Phonito Security
         uses: phonito/phonito-scanner-action@master

.github/workflows/ci_cd.yml

@@ -5,7 +5,7 @@ on:
       - master
 
 env:
-  IMAGE_NAME: "homecentr/$$IMAGE_NAME$$"
+  IMAGE_NAME: "homecentr/cron-base"
 
 jobs:
   build:
@@ -22,6 +22,7 @@ jobs:
         uses: codfish/semantic-release-action@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_URL: "https://api.github.com"
 
       - name: Verify Dockerfile with Hadolint
         uses: brpaz/hadolint-action@master
@@ -40,7 +41,7 @@ jobs:
 
       - name: Test Docker image
         if: env.RELEASE_VERSION != ''
-        run: cd tests && sudo gradle test -Dimage_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+        run: cd tests && sudo gradle test -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
 
       - name: Scan with Phonito Security
         if: env.RELEASE_VERSION != ''

.github/workflows/regular_scan.yml

@@ -4,7 +4,7 @@ on:
     - cron: '0 6 * * *'
 
 env:
-  IMAGE_NAME: "homecentr/$$IMAGE_NAME$$"
+  IMAGE_NAME: "homecentr/cron-base"
 
 jobs:
   build:

Dockerfile

@@ -1 +1,15 @@
-FROM alpine
+FROM homecentr/base:2.3.0-alpine
+
+ENV CRON_SCHEDULE=""
+ENV PUSH_GATEWAY_URL=""
+
+# Copy s6 configuration and scripts
+COPY ./fs/ /
+
+RUN rm /etc/crontabs/root && \
+    apk add --no-cache \
+        # Required to push metrics to push gateway
+        curl=7.67.0-r0 \
+        # Required for UUID generation
+        util-linux=2.34-r1 && \
+    chmod a+x /usr/sbin/cron-tick-execute

README.md

@@ -1,13 +1,55 @@
-# HomeCentr - $$IMAGE_NAME$$
-Template repository for Docker container repositories
+[![Project status](https://img.shields.io/badge/Project%20status-stable%20%26%20actively%20maintaned-green.svg)](https://github.com/homecentr/docker-cron-base/graphs/commit-activity) 
+[![](https://img.shields.io/github/issues-raw/homecentr/docker-cron-base/bug?label=open%20bugs)](https://github.com/homecentr/docker-cron-base/labels/bug) 
+[![](https://images.microbadger.com/badges/version/homecentr/cron-base.svg)](https://hub.docker.com/repository/docker/homecentr/cron-base)
+[![](https://img.shields.io/docker/pulls/homecentr/cron-base.svg)](https://hub.docker.com/repository/docker/homecentr/cron-base) 
+[![](https://img.shields.io/docker/image-size/homecentr/cron-base/latest)](https://hub.docker.com/repository/docker/homecentr/cron-base)
 
-## Project status
+![CI/CD on master](https://github.com/homecentr/docker-cron-base/workflows/CI/CD%20on%20master/badge.svg)
+![Regular Docker image vulnerability scan](https://github.com/homecentr/docker-cron-base/workflows/Regular%20Docker%20image%20vulnerability%20scan/badge.svg)
 
-## Usage (Docker compose)
 
-### Env. variables
-### Exposed ports
+# HomeCentr - cron-base
+This docker image is used as base image for all homecentr images which require a cron scheduler but can also be used on its own. The image executes a mounted script at the specified schedule and reports the results into a Prometheus [push-gateway](https://github.com/prometheus/pushgateway) for easy monitoring and alerting.
+
+## Usage
+
+```yml
+version: "3.7"
+services:
+  cron-base:
+    build: .
+    image: homecentr/cron-base
+    restart: unless-stopped
+    environment:
+      CRON_SCHEDULE: "* * * * *" # Run script every minute
+      PUSH_GATEWAY_URL: "http://push_gateway:9091/metrics/job/cron/label-name/label-value"
+    volumes:
+      - ./example/success:/config # must contain cron-tick script
+```
+
+## Environment variables
+
+| Name | Default value | Description |
+|------|---------------|-------------|
+| PUID | 7077 | UID of the user the cron-tick script should be running as.  |
+| PGID | 7077 | GID of the group the cron-tick script should be running as. |
+| CRON_SCHEDULE |  | [Cron expression](https://crontab.guru/) which defines when/how often the script will be executed. This variable is **mandatory**. |
+| PUSH_GATEWAY_URL | | URL of the [push gateway](https://github.com/prometheus/pushgateway) job where the metrics should be reported. The reporting is skipped if the variable is not set. |
+
+## Exposed ports
+
+The image does not expose any ports.
+
+## Volumes
+
+| Container path | Description |
+|-------------|----------------|
+| /config | Directory containing the script which should be executed, the script must be named `cron-tick`. |
 
 ## Security
+The container is regularly scanned for vulnerabilities and updated. Further info can be found in the [Security tab](https://github.com/homecentr/docker-cron-base/security).
+
+### Container user
+The container supports privilege drop. Even though the container starts as root, it will use the permissions only to perform the initial set up. The cron-tick script is executed as UID/GID provided in the PUID and PGID environment variables.
 
-### Vulnerabilities
+:warning: Do not change the container user directly using the `user` Docker compose property or using the `--user` argument. This would break the privilege drop logic.

docker-compose.yml

@@ -1,6 +1,15 @@
 version: "3.7"
 services:
-  $$IMAGE_NAME$$:
+  cron:
     build: .
-    image: homecentr/$$IMAGE_NAME$$
-    restart: unless-stopped
+    image: homecentr/cron-base:local
+    environment:
+      CRON_SCHEDULE: "* * * * *"
+      PUSH_GATEWAY_URL: "http://push_gateway:9091/metrics/job/cron/instance/base"
+    volumes:
+      - ./example/cron-tick:/config/cron-tick
+      #- ./example/cron-tick-fail:/config/cron-tick
+  push_gateway:
+    image: prom/pushgateway
+    ports:
+      - 9091:9091

example/failure/cron-tick

@@ -0,0 +1,5 @@
+#!/usr/bin/env ash
+
+sleep 2
+
+exit 10

example/success/cron-tick

@@ -0,0 +1,4 @@
+#!/usr/bin/env ash
+
+
+mktemp -d

fs/etc/cont-init.d/20-tick-script.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+
+cp /config/cron-tick /usr/sbin/cron-tick
+chmod a+x /usr/sbin/cron-tick

fs/etc/cont-init.d/21-crontab.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/with-contenv sh
+
+if [ "$CRON_SCHEDULE" == "" ]
+then
+  echo "The env. variable CRON_SCHEDULE is not set but is mandatory."
+  exit 1
+fi
+
+USER_NAME=$(getent passwd "$PUID" | cut -d: -f1)
+echo "$CRON_SCHEDULE /usr/sbin/cron-tick-execute" > /etc/crontabs/$USER_NAME

fs/etc/services.d/cron/finish

@@ -0,0 +1,3 @@
+#!/usr/bin/execlineb -S1
+
+s6-svscanctl -t /var/run/s6/services

fs/etc/services.d/cron/run

@@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv sh
+
+# crond must be ALWAYS started as root (requires setpgid)
+# exec s6-setuidgid "$PUID:$PGID" crond -f -d 2
+
+exec crond -f -l 2

fs/usr/sbin/cron-tick-execute

@@ -0,0 +1,35 @@
+#!/usr/bin/env ash
+EXEC_ID=$(uuidgen)
+ALREADY_RUNNING=$(pgrep -f /usr/sbin/cron-tick-execute > /dev/null 2> /dev/null || "YES")
+
+if [ "$ALREADY_RUNNING" == "YES" ]
+then
+  echo "The last execution is still running. Skipping this one..."
+  exit 0
+fi
+
+echo "====== Execution started ($(date), $EXEC_ID) ======="
+
+OUTPUT=$(time -f "TIME_OUTPUT|%x|%e" /usr/sbin/cron-tick 2>&1)
+
+TICK_EXIT_CODE=$(echo "$OUTPUT" | grep "TIME_OUTPUT" | cut -d'|' -f2 | tr -d '[:space:]')
+TICK_DURATION=$(echo "$OUTPUT" | grep "TIME_OUTPUT" | cut -d'|' -f3 | tr -d '[:space:]')
+
+echo "Script exit code: $TICK_EXIT_CODE, execution duration: $TICK_DURATION seconds"
+
+if [ "$PUSH_GATEWAY_URL" == "" ]
+then
+  echo "PUSH_GATEWAY_URL variable not set, skipping pushing metrics to push gateway."
+else
+  echo "Pushing metrics to $PUSH_GATEWAY_URL"
+
+cat <<EOF | curl -s --data-binary @- "$PUSH_GATEWAY_URL"
+  # TYPE exit_code gauge
+  exit_code $TICK_EXIT_CODE
+  # TYPE duration_seconds gauge
+  duration_seconds $TICK_DURATION
+EOF
+
+fi
+
+echo "====== Execution finished ($(date), $EXEC_ID) ======="

package.json

@@ -1,15 +1,15 @@
 { 
-  "name": "homecentr-$$IMAGE_NAME$$",
+  "name": "homecentr-cron-base",
   "version": "1.0.0",
   "description": "",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/homecentr/docker-$$IMAGE_NAME$$.git"
+    "url": "git+https://github.com/homecentr/docker-cron-base.git"
   },
   "author": "",
   "license": "MIT",
   "bugs": {
-    "url": "https://github.com/homecentr/docker-$$IMAGE_NAME$$/issues"
+    "url": "https://github.com/homecentr/docker-cron-base/issues"
   },
-  "homepage": "https://github.com/homecentr/docker-$$IMAGE_NAME$$#readme"
+  "homepage": "https://github.com/homecentr/docker-cron-base#readme"
 }

tests/.classpath

@@ -6,12 +6,6 @@
 			<attribute name="gradle_used_by_scope" value="test"/>
 		</attributes>
 	</classpathentry>
-	<classpathentry kind="src" output="bin/test" path="src/test/resources">
-		<attributes>
-			<attribute name="gradle_scope" value="test"/>
-			<attribute name="gradle_used_by_scope" value="test"/>
-		</attributes>
-	</classpathentry>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8/"/>
 	<classpathentry kind="con" path="org.eclipse.buildship.core.gradleclasspathcontainer"/>
 	<classpathentry kind="output" path="bin/default"/>