Girish Ramakrishnan
8c4c1e5471
run addons as readonly
2015-10-08 11:07:28 -07:00
Girish Ramakrishnan
dd6891efcb
update mail image
2015-10-08 11:06:29 -07:00
Girish Ramakrishnan
8213f5e311
mongodb: readonly rootfs
2015-10-08 10:24:15 -07:00
Girish Ramakrishnan
ed3f22a6ff
mysql: readonly rootfs
2015-10-08 09:43:05 -07:00
Girish Ramakrishnan
15592bf6d1
postgresql: readonly rootfs
2015-10-08 09:20:25 -07:00
Girish Ramakrishnan
dbde03de14
redis: use readonly rootfs
2015-10-08 09:00:43 -07:00
Girish Ramakrishnan
3b2cf8fa79
new base image 0.4.0
2015-09-28 19:33:58 -07:00
Girish Ramakrishnan
924011e411
Add custom apparmor profile for cloudron apps
...
Docker generates an apparmor profile on the fly under /etc/apparmor.d/docker.
This profile gets overwritten on every docker daemon start.
This profile allows processes to ptrace themselves. This is required by
circus (python process manager) for reasons unknown to me. It floods the logs
with
audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"
This is easily tested using:
docker run -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) journalctl should show error log as above
docker run --security-opt=apparmor:docker-cloudron-app -it cloudron/base:0.3.3 /bin/bash
a) now do ps
b) no error!
Note that despite this, the process may not have the ability to ptrace since it does not
have CAP_PTRACE. Also, security-opt is the profile name (inside the apparmor config file)
and not the filename.
References:
https://groups.google.com/forum/#!topic/docker-user/xvxpaceTCyw
https://github.com/docker/docker/issues/7276
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869
This is an infra update because we need to recreate containers to get the right profile.
Fixes #492
2015-09-21 11:01:44 -07:00
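The commit above identifies the problem from a single journal line. As an added example (not part of the commit or the Cloudron code base), the following Python parses AppArmor audit lines of the shape quoted in the message, counts denials by profile, operation and command, and picks out the specific "profile denied ptrace against its own peer" case the commit describes. The sample lines are constructed for this example; only the first reproduces the denial quoted above.

```python
import re
from collections import Counter

# Constructed sample journal lines for this example (not captured from a real host).
# The first reproduces the denial quoted in the commit message; the others are made up
# to exercise the ALLOWED, non-ptrace and non-AppArmor paths.
SAMPLE_LINES = [
    'audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" '
    'pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default"',
    'audit[7624]: <audit-1400> apparmor="ALLOWED" operation="ptrace" profile="docker-cloudron-app" '
    'pid=7624 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-cloudron-app"',
    'audit[8001]: <audit-1400> apparmor="DENIED" operation="open" profile="docker-default" '
    'name="/proc/sysrq-trigger" pid=8001 comm="bash" requested_mask="w" denied_mask="w"',
    'some unrelated journal line',
]

# key="quoted value" or key=bareword, as AppArmor emits them
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group 3 is the quoted value, group 4 the bare value
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize_denials(lines):
    """Count DENIED events keyed by (profile, operation, comm)."""
    counts = Counter()
    for line in lines:
        f = parse_audit_line(line)
        if f is None or f.get('apparmor') != 'DENIED':
            continue
        counts[(f.get('profile'), f.get('operation'), f.get('comm'))] += 1
    return counts


def self_ptrace_denials(lines):
    """Denied ptrace events where the peer runs under the same profile as the subject,
    i.e. a confined process tracing itself, which is the case the commit above fixes."""
    result = []
    for line in lines:
        f = parse_audit_line(line)
        if f and f.get('apparmor') == 'DENIED' and f.get('operation') == 'ptrace' \
                and f.get('peer') == f.get('profile'):
            result.append(f)
    return result


if __name__ == '__main__':
    for (profile, op, comm), n in summarize_denials(SAMPLE_LINES).items():
        print(f'{n}x DENIED {op} by {comm} under {profile}')
    for f in self_ptrace_denials(SAMPLE_LINES):
        print(f"self-ptrace denial: pid={f['pid']} comm={f['comm']} profile={f['profile']}")
```

Fed from `journalctl -k` output, the same functions give a quick before/after check of a profile change: the self-ptrace bucket should be empty for containers started with the custom profile, while unrelated denials under `docker-default` still show up.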
Girish Ramakrishnan
ad71662bf8
timezone is already determined automatically using activation
2015-09-18 12:02:36 -07:00
Girish Ramakrishnan
ddde1f5a41
store timezone in config.js (part of provision data)
2015-09-16 15:54:56 -07:00
Girish Ramakrishnan
92e8af2434
Get oauth proxy port from the configs
2015-09-16 10:06:34 -07:00
Girish Ramakrishnan
d12af89e2e
set memory limits for addons
...
mysql, postgresql, mongodb - 100m each
mail, graphite, redis (each instance) - 75m
For reference, in yellowtent:
mongo - 5m
postgresql - 33m
mysql - 3.5m
mail: 26m
graphite - 26m
redis - 32m
2015-09-14 13:47:45 -07:00
Girish Ramakrishnan
c41cacd5e9
remove oauthproxy systemd configs
2015-09-14 12:02:38 -07:00
Girish Ramakrishnan
5eb7a0b64f
Merge apphealthtask into box server
...
We used to run this as a separate process but no amount of node/v8 tweaking
makes them run as standalone with 50M RSS.
Three solutions were considered for the memory issue:
1. Use systemd timer. apphealthtask needs to run quite frequently (10 sec)
for the ui to get the app health update immediately after install.
2. Merge into box server (this commit)
3. Increase memory to 80M. This seems to make apphealthtask run as-is.
2015-09-14 10:52:11 -07:00
Girish Ramakrishnan
22718cfb02
Rename app.js to box.js
2015-09-14 10:43:47 -07:00
Girish Ramakrishnan
2ec6c4ec77
make janitor a systemd timer
...
one process fewer
2015-09-11 18:43:51 -07:00
Girish Ramakrishnan
a1ddad7b7a
limit node memory usage
...
node needs to be told how much space it can use, otherwise it keeps
allocating and we cannot keep it under 50M. keeping old space to 30M
lets the memory hover around 40M
there are many options to v8 but I haven't explored them all:
--expose_gc - allows scripts to call gc()
--max_old_space_size=30 --max_semi_space_size=2048 (old/new space)
node first allocates new objects in new space. if these objects stay in use
for some time, it moves them to old space. the idea here is that it
runs gc aggressively on new space since new objects die more than old ones.
the new space is split into two halves of equal size called semi spaces.
--gc_interval=100 --optimize_for_size --max_executable_size=5 --gc_global --stack_size=1024
http://erikcorry.blogspot.com/2012/11/memory-management-flags-in-v8.html
http://jayconrod.com/posts/55/a-tour-of-v8-garbage-collection
https://code.google.com/p/chromium/issues/detail?id=280984
http://stackoverflow.com/questions/30252905/nodejs-decrease-v8-garbage-collector-memory-usage
http://www.appfruits.com/2014/08/running-node-js-on-arduino-yun/
note: this is not part of shebang because linux shebang does not support args! so we cannot
pass node args as part of shebang.
2015-09-10 21:24:36 -07:00
Girish Ramakrishnan
d5b787b7f0
set memorylimit for crashnotifier as well
2015-09-10 14:19:44 -07:00
Girish Ramakrishnan
a5e4d3cc86
systemd: fix crashnotifier
2015-09-07 21:40:01 -07:00
Girish Ramakrishnan
a259f97049
systemd: pass the instance name as argument
2015-09-07 21:16:22 -07:00
Girish Ramakrishnan
b5a51852d0
systemd: just wait for 5 seconds for box to die
2015-09-07 20:58:14 -07:00
Girish Ramakrishnan
6db422710e
systemd: do not restart crashnotifier
2015-09-07 20:54:58 -07:00
Girish Ramakrishnan
837860d138
200m is a more sane memory limit
2015-09-07 20:48:29 -07:00
Girish Ramakrishnan
d045ab2ec4
systemd: fix config files
2015-09-07 20:46:32 -07:00
Girish Ramakrishnan
a596f2f385
systemd: Fix crashnotifier
2015-09-07 20:14:37 -07:00
Girish Ramakrishnan
43336d43db
Add memory limits on services
2015-09-07 19:16:34 -07:00
Girish Ramakrishnan
03325bfb0d
Move from supervisor to systemd
...
This removes logrotate as well since we use systemd logging
2015-09-07 14:31:25 -07:00
Johannes Zellner
bdf221eb43
Revert "Add hack for broken app backup tarballs"
...
This reverts commit 9723951bfc .
2015-08-31 21:44:24 -07:00
Girish Ramakrishnan
9723951bfc
Add hack for broken app backup tarballs
2015-08-31 18:58:38 -07:00
Girish Ramakrishnan
6743dcf49f
Pass along aws config for updates
2015-08-27 22:45:04 -07:00
Girish Ramakrishnan
78e29004a5
Add missing quotes to cloudron.conf
2015-08-27 20:15:04 -07:00
Johannes Zellner
e597dae360
use backupKey from userData
2015-08-25 18:44:52 -07:00
Johannes Zellner
1c5170fcea
Support optional aws related userData
2015-08-25 17:52:01 -07:00
Girish Ramakrishnan
ce9566a72e
Rebase addons to use base image 0.3.3
2015-08-24 10:19:18 -07:00
Girish Ramakrishnan
58a0e8ecf8
Base image is now 0.3.3
2015-08-18 15:43:50 -07:00
Girish Ramakrishnan
6cbd0b19d9
Print graphite container id
2015-08-13 15:57:36 -07:00
Girish Ramakrishnan
a09ebc64d1
fix graph issue finally
2015-08-13 15:54:27 -07:00
Girish Ramakrishnan
45f1d340d7
Use latest graphite
2015-08-13 15:53:36 -07:00
Girish Ramakrishnan
ea1b3d68a9
Create symlink in start.sh (and not container setup)
2015-08-13 15:36:21 -07:00
Girish Ramakrishnan
27789eab15
restart mysql in start.sh and not container setup
2015-08-13 15:16:01 -07:00
Girish Ramakrishnan
ed2a2dca73
restart collectd
2015-08-13 15:04:57 -07:00
Girish Ramakrishnan
4a29beafb3
fix graphs again
2015-08-13 15:03:44 -07:00
Girish Ramakrishnan
8a68b35594
Fix typo
...
remove thead_cache_size. it's dynamic anyways
2015-08-13 14:53:05 -07:00
Girish Ramakrishnan
b1c87dfa2a
Revert "Add hack to make graphs work with latest collectd"
...
This reverts commit a959418544 .
2015-08-13 14:42:47 -07:00
Girish Ramakrishnan
32f624bd27
limit threads and max connections
2015-08-13 14:42:36 -07:00
Girish Ramakrishnan
4a9f5a0466
Bump infra version
2015-08-13 14:22:39 -07:00
Girish Ramakrishnan
a959418544
Add hack to make graphs work with latest collectd
...
For some reason df-vda1 is not being collected by carbon. I have tried
all sorts of things and nothing works. This is a hack to get it working.
2015-08-13 13:47:44 -07:00
Girish Ramakrishnan
8bbfcea072
Turn off performance_schema in mysql 5.6
2015-08-13 13:47:44 -07:00
Girish Ramakrishnan
f112293d45
systemd has moved around the cgroup hierarchy
...
https://github.com/docker/docker/issues/9902
There is some rationale here:
https://libvirt.org/cgroups.html
2015-08-13 10:21:33 -07:00
Girish Ramakrishnan
d73295d596
Add warning
2015-08-12 19:52:23 -07:00