Base Images

The SIP provides a set of Docker base images that should be used for all applications. To start programs we use cinit, a tool developed to start programs in a container. Check out the cinit documentation for more information.

Base images allow certain standard tasks (such as setting locales, creating users, etc.) to be implemented correctly in one place. This simplifies development work, and the organization retains some control over all applications being developed because they are all based on the same base images. It also allows the underlying operating system libraries to be updated centrally, in one place (ISG VSETH does this on a weekly basis). As a consequence, every tool is re-deployed at least once a week, so problems with re-deployment are noticed early.

Best Practices

General Best Practices

  • Always use fixed versions of the programs that you install inside your container, i.e. don't pull the "latest" version of a program. Pulling the latest version of a program might break a Docker build that was previously fine.

  • If you install programs that are not available in the Debian registry, make sure to verify the download's integrity by using checksum verification (sha256 et al.) and HTTPS (TLS) for the download.
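
One way to apply the download rule in a build script, as an added example that is not part of the SIP tooling. The function names fetch_verified and verify_sha256 are assumptions, and the example assumes curl and sha256sum are installed in the image:

```shell
#!/bin/sh
# Added example: download over HTTPS only and keep the file only if its
# SHA-256 matches the pinned value. Function names are illustrative.

# verify_sha256 FILE EXPECTED_HEX: return 0 on match; delete FILE and return 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        rm -f "$file"                               # never leave an unverified file behind
        return 1
    fi
}

# fetch_verified URL EXPECTED_HEX DEST
fetch_verified() {
    case $1 in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
    # --proto and --proto-redir keep a redirect from downgrading to plain HTTP.
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$3" "$1" || return 1
    verify_sha256 "$3" "$2"
}
```

The expected checksum belongs in the Dockerfile or build script next to the pinned version, so that a version bump and a checksum change are reviewed together.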

Cinit Best Practices

cinit is the program taking care of all programs you want to run inside the container. In addition to the general usage in the documentation linked above, also keep this in mind:

  • Don't specify any CMD or ENTRYPOINT inside the Dockerfile.

  • Don't run apt update or apt upgrade during setup (except after introducing new Debian repositories).

  • Run all services as a non-privileged user. base provides the user and group app-user for this purpose. root is only acceptable for short-term setup tools.

  • Your service program will most likely need the capability CAP_NET_BIND_SERVICE which allows your unprivileged user to open the network port 80. See capabilities for details.
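
A pre-build check for the Dockerfile rules above (pinned image tags, no CMD or ENTRYPOINT, no apt update or apt upgrade), as an added example that is not part of the SIP tooling. The function name lint_dockerfile and its messages are assumptions; the apt finding still needs a human decision, because the page allows it after a new Debian repository is introduced:

```shell
#!/bin/sh
# Added example: lint a Dockerfile against the base-image rules listed above.
# lint_dockerfile FILE prints one finding per line; returns 1 if a rule is broken.
lint_dockerfile() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    function check(l,    f, n, i, ins, img, last, known) {
        sub(/^[ \t]+/, "", l)
        if (l == "" || l ~ /^#/) return
        n = split(l, f, /[ \t]+/)
        ins = toupper(f[1])
        if (ins == "CMD" || ins == "ENTRYPOINT")
            report(ins " is set; register the program in /etc/cinit.d/ instead")
        if (ins == "RUN" && (" " l) ~ /[ \t;&|(]apt(-get)?[ \t]+(-[^ \t]+[ \t]+)*(update|upgrade)/)
            report("apt update/upgrade; only allowed after adding a new Debian repository")
        if (ins != "FROM") return
        i = 2
        while (i <= n && f[i] ~ /^--/) i++          # skip flags such as --platform
        img = f[i]
        known = (img in stage)                      # name of an earlier build stage
        if (i + 2 <= n && toupper(f[i + 1]) == "AS") stage[f[i + 2]] = 1
        if (known || img ~ /@sha256:/) return       # stage reference or digest pin
        last = img
        sub(/^.*\//, "", last)                      # drop registry/path so a port is not read as a tag
        if (last !~ /:/) report("FROM " img " has no tag, which implies latest")
        else if (last ~ /:latest$/) report("FROM " img " uses the latest tag")
    }
    # Join backslash-continued lines so a multi-line RUN is checked as one instruction.
    { line = pending $0; pending = "" }
    line ~ /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", line); pending = line; next }
    { check(line) }
    END { if (pending != "") check(pending); exit bad + 0 }
    ' "$1"
}

if [ "$#" -gt 0 ]; then lint_dockerfile "$1"; fi
```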

Available Base Images

The supported base images can be found on GitLab.

| Base Image | Description | Current Image |
|---|---|---|
| base | The base image is the foundation for all other base-images. It can also be used standalone. | eu.gcr.io/vseth-public/base:foxtrott |
| nginx | The nginx image extends the base image with an nginx installation that can be used to host static sites or act as a reverse proxy for backend servers. | eu.gcr.io/vseth-public/nginx:foxtrott |
| php7 | The php7 image extends the nginx image with a PHP 7.x installation that can be used for hosting PHP based applications. | eu.gcr.io/vseth-public/php7:echo |
| grav | The grav image contains a Grav CMS installation | eu.gcr.io/vseth-public/grav:delta |
| tomcat | The Apache Tomcat Servlet Container | eu.gcr.io/vseth-public/tomcat:echo |

Other base images

In the future we want to extend the set of base images we provide. The following base images are planned:

| Base Image | Description |
|---|---|
| java | A base image providing an LTS Java version |
| nodeX | A base image for certain Node.js releases |

If you're interested in using one of these base images, please contact us.

Migration Guide

All base images are tagged with their version. The current version for all base images is echo. You should always use the tag to refer to a specific version of the base image.

| Image tag | Debian version | Remarks |
|---|---|---|
| foxtrott | Debian 12 (Bookworm) | This is the current Debian stable version and it is supported. |
| echo | Debian 11 (Bullseye) | This is the previous Debian stable version (oldstable) and it is still supported; you should nevertheless consider updating to echo. |
| delta | Debian 10 (Buster) | This is the previous Debian version and it is no longer supported; you should update to a supported image as soon as possible. |
| charlie | Debian 9 (Stretch) | This is the previous Debian version and it is no longer supported; you should update to a supported image as soon as possible. |

Echo → Foxtrott

  • The images are now based on Debian Bookworm.

Delta → Echo

  • The images are now based on Debian Bullseye.
  • curl is removed from the base image. If you really need it, install it explicitly in your Dockerfile.

Charlie → Delta

  • The images are now based on Debian Buster; change your libraries accordingly.

Bravo → Charlie

  • The images are now based on Debian Stretch. Make sure you move all Ubuntu-related code.

  • We now use an init daemon called cinit. See the cinit documentation for details.

  • Your app is not supposed to run as user root any more. Instead, use cinit to spawn your server as user and group app-user. If you need root privileges, set the appropriate capabilities, which are much more fine-grained than root.

  • Don't provide either ENTRYPOINT (nothing new) or CMD (this is new) in your Dockerfile. Write a cinit config file instead and place it in /etc/cinit.d/ to have your app registered.

  • Don't use bash scripts to run your programs. Bash scripts are great for simple file moving and text manipulation. Tasks running for longer than a few seconds deserve their own entry as a cinit program.

  • Remove any apt update or apt upgrade commands. You are provided with apt lists from base and are supposed to use those lists.

  • The timezone is now Europe/Zurich instead of UTC.