Girish Ramakrishnan
2d815a92a3
redis: use readonly rootfs
2015-10-08 09:00:43 -07:00
Girish Ramakrishnan
03d4ae9058
new base image 0.4.0
2015-09-28 19:33:58 -07:00
Girish Ramakrishnan
185b574bdc
Add custom apparmor profile for cloudron apps
Docker generates an apparmor profile on the fly under /etc/apparmor.d/docker.
This profile gets overwritten on every docker daemon start.
This profile allows processes to ptrace themselves. This is required by
circus (python process manager) for reasons unknown to me. It floods the logs
with
audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"
This is easily tested using:
docker run -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) journalctl should show error log as above
docker run --security-opt=apparmor:docker-cloudron-app -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) no error!
Note that despite this, the process may not have ability to ptrace since it does not
have CAP_PTRACE. Also, security-opt is the profile name (inside the apparmor config file)
and not the filename.
References:
https://groups.google.com/forum/#!topic/docker-user/xvxpaceTCyw
https://github.com/docker/docker/issues/7276
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869
This is an infra update because we need to recreate containers to get the right profile.
Fixes #492
2015-09-21 11:01:44 -07:00
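The verification in this commit is done by eye on journalctl output. As an added example (not code from the Cloudron repository), the following node script parses AppArmor audit records in the form quoted above and reports DENIED events per profile, so a profile switch can be checked by confirming that no ptrace denials remain for the container's profile. The sample journal lines are constructed for the example; the STATUS record mimics the format logged when a profile is loaded.

```javascript
// Constructed sample journal lines modelled on the audit record quoted in the commit.
const SAMPLE_JOURNAL = [
  'audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"',
  'audit[1234]: <audit-1400> apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-cloudron-app" pid=1234 comm="apparmor_parser"',
  'systemd[1]: Started Docker Application Container Engine.',
];

// Parse one journal line into an object of key=value fields.
// Returns null when the line is not an AppArmor audit record.
function parseApparmorRecord(line) {
  if (!/\bapparmor="/.test(line)) return null;
  const fields = {};
  // Values are either double-quoted (may contain spaces) or bare tokens.
  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Return the DENIED records for a given profile, optionally restricted to one operation.
function findDenials(lines, profile, operation) {
  return lines
    .map(parseApparmorRecord)
    .filter(r => r !== null &&
                 r.apparmor === 'DENIED' &&
                 r.profile === profile &&
                 (operation === undefined || r.operation === operation));
}

// Count DENIED records per profile, e.g. { 'docker-default': 1 }.
function denialsByProfile(lines) {
  const counts = {};
  for (const r of lines.map(parseApparmorRecord)) {
    if (r === null || r.apparmor !== 'DENIED') continue;
    counts[r.profile] = (counts[r.profile] || 0) + 1;
  }
  return counts;
}
```

Feed it `journalctl -k` output (one line per array element) and check that `findDenials(lines, 'docker-cloudron-app', 'ptrace')` is empty after the container has been recreated with the new profile.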
Girish Ramakrishnan
23a5a1f79f
timezone is already determined automatically using activation
2015-09-18 12:02:36 -07:00
Girish Ramakrishnan
8598fb444b
store timezone in config.js (part of provision data)
2015-09-16 15:54:56 -07:00
Girish Ramakrishnan
2719c4240f
Get oauth proxy port from the configs
2015-09-16 10:06:34 -07:00
Girish Ramakrishnan
5fcba59b3e
set memory limits for addons
mysql, postgresql, mongodb - 100m each
mail, graphite, redis (each instance) - 75m
For reference, in yellowtent:
mongo - 5m
postgresql - 33m
mysql - 3.5m
mail - 26m
graphite - 26m
redis - 32m
2015-09-14 13:47:45 -07:00
Girish Ramakrishnan
8aff2b9e74
remove oauthproxy systemd configs
2015-09-14 12:02:38 -07:00
Girish Ramakrishnan
1cd9d07d8c
Merge apphealthtask into box server
We used to run this as a separate process but no amount of node/v8 tweaking
makes them run as standalone with 50M RSS.
Three solutions were considered for the memory issue:
1. Use systemd timer. apphealthtask needs to run quite frequently (10 sec)
for the ui to get the app health update immediately after install.
2. Merge into box server (this commit)
3. Increase memory to 80M. This seems to make apphealthtask run as-is.
2015-09-14 10:52:11 -07:00
Girish Ramakrishnan
f028649582
Rename app.js to box.js
2015-09-14 10:43:47 -07:00
Girish Ramakrishnan
29e05b1caa
make janitor a systemd timer
one process fewer
2015-09-11 18:43:51 -07:00
Girish Ramakrishnan
6945a712df
limit node memory usage
node needs to be told how much space it can use, otherwise it keeps
allocating and we cannot keep it under 50M. keeping old space at 30M
lets the memory hover around 40M
there are many options to v8 but I haven't explored them all:
--expose_gc - allows scripts to call gc()
--max_old_space_size=30 --max_semi_space_size=2048 (old/new space)
node first allocates new objects in new space. if these objects are in use
for some time, it moves them to old space. the idea here is that it
runs gc aggressively on new space since new objects die more often than old ones.
the new space is split into two halves of equal size called semi spaces.
--gc_interval=100 --optimize_for_size --max_executable_size=5 --gc_global --stack_size=1024
http://erikcorry.blogspot.com/2012/11/memory-management-flags-in-v8.html
http://jayconrod.com/posts/55/a-tour-of-v8-garbage-collection
https://code.google.com/p/chromium/issues/detail?id=280984
http://stackoverflow.com/questions/30252905/nodejs-decrease-v8-garbage-collector-memory-usage
http://www.appfruits.com/2014/08/running-node-js-on-arduino-yun/
note: this is not part of shebang because linux shebang does not support args! so we cannot
pass node args as part of shebang.
2015-09-10 21:24:36 -07:00
Girish Ramakrishnan
03048d7d2f
set memorylimit for crashnotifier as well
2015-09-10 14:19:44 -07:00
Girish Ramakrishnan
26aefadfba
systemd: fix crashnotifier
2015-09-07 21:40:01 -07:00
Girish Ramakrishnan
51a28842cf
systemd: pass the instance name as argument
2015-09-07 21:16:22 -07:00
Girish Ramakrishnan
773c326eb7
systemd: just wait for 5 seconds for box to die
2015-09-07 20:58:14 -07:00
Girish Ramakrishnan
cb2fb026c5
systemd: do not restart crashnotifier
2015-09-07 20:54:58 -07:00
Girish Ramakrishnan
a4731ad054
200m is a more sane memory limit
2015-09-07 20:48:29 -07:00
Girish Ramakrishnan
aa33938fb5
systemd: fix config files
2015-09-07 20:46:32 -07:00
Girish Ramakrishnan
2a4c467ab8
systemd: Fix crashnotifier
2015-09-07 20:14:37 -07:00
Girish Ramakrishnan
6be6092c0e
Add memory limits on services
2015-09-07 19:16:34 -07:00
Girish Ramakrishnan
e76584b0da
Move from supervisor to systemd
This removes logrotate as well since we use systemd logging
2015-09-07 14:31:25 -07:00
Johannes Zellner
212d0bd55a
Revert "Add hack for broken app backup tarballs"
This reverts commit 9723951bfc.
2015-08-31 21:44:24 -07:00
Girish Ramakrishnan
712ada940e
Add hack for broken app backup tarballs
2015-08-31 18:58:38 -07:00
Girish Ramakrishnan
291798f574
Pass along aws config for updates
2015-08-27 22:45:04 -07:00
Girish Ramakrishnan
b104843ae1
Add missing quotes to cloudron.conf
2015-08-27 20:15:04 -07:00
Johannes Zellner
ec21105c47
use backupKey from userData
2015-08-25 18:44:52 -07:00
Johannes Zellner
e6fd05c2bd
Support optional aws related userData
2015-08-25 17:52:01 -07:00
Girish Ramakrishnan
a760ef4d22
Rebase addons to use base image 0.3.3
2015-08-24 10:19:18 -07:00
Girish Ramakrishnan
15c9d8682e
Base image is now 0.3.3
2015-08-18 15:43:50 -07:00
Girish Ramakrishnan
9266302c4c
Print graphite container id
2015-08-13 15:57:36 -07:00
Girish Ramakrishnan
755dce7bc4
fix graph issue finally
2015-08-13 15:54:27 -07:00
Girish Ramakrishnan
dd3e38ae55
Use latest graphite
2015-08-13 15:53:36 -07:00
Girish Ramakrishnan
9dfaa2d20f
Create symlink in start.sh (and not container setup)
2015-08-13 15:36:21 -07:00
Girish Ramakrishnan
d6a4ff23e2
restart mysql in start.sh and not container setup
2015-08-13 15:16:01 -07:00
Girish Ramakrishnan
c2ab7e2c1f
restart collectd
2015-08-13 15:04:57 -07:00
Girish Ramakrishnan
b9e4662dbb
fix graphs again
2015-08-13 15:03:44 -07:00
Girish Ramakrishnan
10df0a527f
Fix typo
remove thead_cache_size. it's dynamic anyways
2015-08-13 14:53:05 -07:00
Girish Ramakrishnan
9aad3688e1
Revert "Add hack to make graphs work with latest collectd"
This reverts commit a959418544.
2015-08-13 14:42:47 -07:00
Girish Ramakrishnan
e78dbcb5d4
limit threads and max connections
2015-08-13 14:42:36 -07:00
Girish Ramakrishnan
5e8cd09f51
Bump infra version
2015-08-13 14:22:39 -07:00
Girish Ramakrishnan
22f65a9364
Add hack to make graphs work with latest collectd
For some reason df-vda1 is not being collected by carbon. I have tried
all sorts of things and nothing works. This is a hack to get it working.
2015-08-13 13:47:44 -07:00
Girish Ramakrishnan
81b7432044
Turn off performance_schema in mysql 5.6
2015-08-13 13:47:44 -07:00
Girish Ramakrishnan
9face9cf35
systemd has moved around the cgroup hierarchy
https://github.com/docker/docker/issues/9902
There is some rationale here:
https://libvirt.org/cgroups.html
2015-08-13 10:21:33 -07:00
Girish Ramakrishnan
670ffcd489
Add warning
2015-08-12 19:52:23 -07:00
Girish Ramakrishnan
ec7b365c31
Use BASE_IMAGE as well
2015-08-12 19:51:44 -07:00
Girish Ramakrishnan
433d78c7ff
Fix graphite version
2015-08-12 19:51:08 -07:00
Girish Ramakrishnan
ed041fdca6
Put image names in one place
2015-08-12 19:38:44 -07:00
Girish Ramakrishnan
b8e4ed2369
Use latest images
2015-08-12 19:19:58 -07:00
Girish Ramakrishnan
c125cc17dc
Apps must only get 50% less cpu than system processes when there is a contention for cpu
2015-08-11 17:00:48 -07:00