Enhanced Container Controls
Enhanced Container Controls let you configure additional EC Container settings so that you can tune certain advanced host and runtime parameters to your workload's needs.
This guide gives a few examples of how to use these security and container settings, which are available at both the instance level and the container level.
Instance Level Settings
In this section is an example of an API request that creates a workload with the following instance-level features:
- Additional security settings via securityContext. The instance-level securityContext holds security attributes and settings that are common to every container in the instance, such as the user and group the processes run as and the sysctls applied to the instance.
- A list of hosts and IPs inserted into the instance's hosts file via hostAliases. hostAliases is an optional list of IP-to-hostname mappings that are injected into the instance's hosts file when specified. Names listed here resolve to the given IP inside the instance regardless of what DNS returns, so keep the list to names you control.
- DNS parameters for the instance via dnsConfig. Parameters specified here are merged into the DNS configuration generated according to the DNSPolicy.
{
  "workload": {
    "name": "test workload",
    "slug": "test-workload",
    "metadata": {
      "annotations": {
        "workload.platform.stackpath.net/remote-management": "true"
      }
    },
    "spec": {
      "networkInterfaces": [{
        "network": "default"
      }],
      "containers": {
        "container-0": {
          "image": "myimage/non-root-ubuntu:1.0",
          "command": ["sleep", "infinity"],
          "resources": {
            "requests": {
              "cpu": "1",
              "memory": "2Gi"
            }
          },
          "ports": {
            "ssh": {
              "port": 22,
              "enableImplicitNetworkPolicy": true
            },
            "http": {
              "port": 8080,
              "enableImplicitNetworkPolicy": true
            }
          },
          "volumeMounts": [{
            "slug": "app-vol",
            "mountPath": "/spapp"
          }],
          "env": {
            "SSH_PUBLIC_KEY": {
              "value": "<YOUR-SSH-KEY>"
            }
          }
        }
      },
      "volumeClaimTemplates": [{
        "name": "app-vol",
        "slug": "app-vol",
        "spec": {
          "resources": {
            "requests": {
              "storage": "1Gi"
            }
          }
        }
      }],
      "runtime": {
        "containers": {
          "terminationGracePeriodSeconds": "60",
          "shareProcessNamespace": true,
          "securityContext": {
            "runAsUser": "999",
            "runAsGroup": "999",
            "runAsNonRoot": true,
            "sysctls": [
              {
                "name": "net.core.rmem_max",
                "value": "10065408"
              },
              {
                "name": "net.core.rmem_default",
                "value": "1006540"
              }
            ]
          },
          "hostAliases": [{
            "ip": "192.168.3.4",
            "hostnames": ["domain.com"]
          }],
          "dnsConfig": {
            "nameservers": ["8.8.8.8"],
            "searches": ["domain.com"],
            "options": [{"name": "timeout", "value": "10"}]
          }
        }
      }
    },
    "targets": {
      "labs": {
        "spec": {
          "deploymentScope": "cityCode",
          "deployments": {
            "minReplicas": 1,
            "selectors": [{
              "key": "cityCode",
              "operator": "in",
              "values": ["DFW"]
            }]
          }
        }
      }
    }
  }
}
Container Level Settings
In this section is an example of an API request that creates a workload with the following container-level features:
- An initContainer, a specialized container that runs to completion before the app containers in an instance start. The init container here runs a setup command against the shared volume (creating a file under /spapp) that the app container's image does not perform on its own.
- Additional probe settings:
  - initialDelaySeconds: the number of seconds after the container has started before the probe is first run.
  - periodSeconds: how often (in seconds) the probe runs. Defaults to 10 seconds; the minimum value is 1.
  - failureThreshold: the number of consecutive failures required for the probe to be considered failed after it has succeeded. Defaults to 3; the minimum value is 1.
- A custom container termination message path via terminationMessagePath. Defaults to /dev/termination-log.
- Additional security features via securityContext. The example below sets allowPrivilegeEscalation to true and adds the NET_ADMIN capability to show the syntax; drop both unless the workload actually needs them, since each widens what a compromised process inside the container can do.
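 
The container-level configuration that follows runs python3 server.py in /app, points the liveness probe, readiness probe and preStop hook at GET / on port 8080, and reports termination through /tmp/custom-termination-path. The following server.py is an added example, not code from the StackPath docs or from the image the page uses, showing the app side of those three contracts: it answers the probes, begins refusing traffic on SIGTERM so it can exit inside the termination grace period, and writes its exit reason to the termination message path before stopping. The PORT and TERMINATION_MESSAGE_PATH environment variable names, and the choice to answer 503 while draining, are this example's own.

```python
"""Minimal server.py for a container whose probes, preStop hook and
termination message are configured as in the container-level example.

Added example; the environment variable names below are assumptions and
default to the values used on this page."""
import http.client
import os
import signal
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PORT = int(os.environ.get("PORT", "8080"))
TERMINATION_MESSAGE_PATH = os.environ.get(
    "TERMINATION_MESSAGE_PATH", "/tmp/custom-termination-path")

# Set by the SIGTERM handler; once set, probes are answered with 503 so the
# readiness check fails and traffic is withdrawn before the process exits.
draining = threading.Event()


class ProbeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The liveness probe shares this path. Failing it while draining is
        # harmless: the instance is already being terminated.
        status = 503 if draining.is_set() else 200
        body = b"draining\n" if status == 503 else b"ok\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep probe traffic out of the container log


def write_termination_message(path, message):
    """Write the text the platform reports as the container's termination
    message. Returns the text written; a write failure (for example a
    read-only filesystem) is reported on stderr instead of hiding the real
    exit reason behind an exception."""
    text = message.strip() + "\n"
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    except OSError as exc:
        print(f"cannot write termination message to {path}: {exc}", file=sys.stderr)
    return text


def start_server(host="0.0.0.0", port=PORT):
    """Serve probes on a background thread; returns the server object."""
    server = ThreadingHTTPServer((host, port), ProbeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path="/"):
    """Issue the same GET an httpGet probe sends; returns the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def main():
    server = start_server()
    stopped = threading.Event()

    def on_sigterm(signum, frame):
        draining.set()
        write_termination_message(
            TERMINATION_MESSAGE_PATH, "SIGTERM received; drained and exited cleanly")
        server.shutdown()
        stopped.set()

    signal.signal(signal.SIGTERM, on_sigterm)
    stopped.wait()


if __name__ == "__main__":
    main()
```

The page's preStop hook also issues GET /, so with this handler it behaves like one more probe; an app that wants to start draining on preStop rather than on SIGTERM would give the hook its own path and set the draining flag there. If readOnlyRootFilesystem is enabled, /tmp must be a writable mount or the termination message is silently limited to what stderr captures.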
{
  "workload": {
    "name": "test workload",
    "slug": "test-workload",
    "metadata": {
      "annotations": {
        "workload.platform.stackpath.net/remote-management": "true"
      }
    },
    "spec": {
      "networkInterfaces": [{
        "network": "default"
      }],
      "initContainers": {
        "init-0": {
          "image": "myimage/non-root-ubuntu:1.0",
          "command": ["sudo", "touch", "/spapp/init-generated-container-file"],
          "imagePullPolicy": "IF_NOT_PRESENT",
          "resources": {
            "requests": {
              "cpu": "1",
              "memory": "2Gi"
            }
          },
          "volumeMounts": [{
            "slug": "app-vol",
            "mountPath": "/spapp"
          }]
        }
      },
      "containers": {
        "container-0": {
          "image": "myimage/non-root-ubuntu:1.0",
          "command": ["python3"],
          "args": ["server.py"],
          "workingDir": "/app",
          "resources": {
            "requests": {
              "cpu": "1",
              "memory": "2Gi"
            }
          },
          "ports": {
            "ssh": {
              "port": 22,
              "enableImplicitNetworkPolicy": true
            },
            "http": {
              "port": 8080,
              "enableImplicitNetworkPolicy": true
            }
          },
          "volumeMounts": [{
            "slug": "app-vol",
            "mountPath": "/spapp"
          }],
          "env": {
            "SSH_PUBLIC_KEY": {
              "value": "YOUR-SSH-KEY"
            }
          },
          "livenessProbe": {
            "httpGet": {
              "path": "/",
              "port": 8080,
              "scheme": "HTTP"
            },
            "initialDelaySeconds": 30,
            "periodSeconds": 10,
            "failureThreshold": 5
          },
          "readinessProbe": {
            "httpGet": {
              "path": "/",
              "port": 8080,
              "scheme": "HTTP"
            },
            "initialDelaySeconds": 30,
            "periodSeconds": 10,
            "failureThreshold": 5
          },
          "lifecycle": {
            "preStop": {
              "httpGet": {
                "path": "/",
                "port": 8080,
                "scheme": "HTTP"
              }
            }
          },
          "terminationMessagePath": "/tmp/custom-termination-path",
          "terminationMessagePolicy": "FILE",
          "imagePullPolicy": "IF_NOT_PRESENT",
          "securityContext": {
            "runAsUser": "999",
            "runAsGroup": "999",
            "runAsNonRoot": true,
            "readOnlyRootFilesystem": false,
            "allowPrivilegeEscalation": true,
            "capabilities": {
              "add": ["NET_ADMIN"],
              "drop": ["NET_RAW"]
            }
          }
        }
      },
      "volumeClaimTemplates": [{
        "name": "app-vol",
        "slug": "app-vol",
        "spec": {
          "resources": {
            "requests": {
              "storage": "1Gi"
            }
          }
        }
      }]
    },
    "targets": {
      "labs": {
        "spec": {
          "deploymentScope": "cityCode",
          "deployments": {
            "minReplicas": 1,
            "selectors": [{
              "key": "cityCode",
              "operator": "in",
              "values": ["DFW"]
            }]
          }
        }
      }
    }
  }
}
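Both examples on this page carry a securityContext, one at the instance level (spec.runtime.containers.securityContext, with runAs settings and sysctls) and one per container (spec.containers.<name>.securityContext, with capabilities, privilege escalation and the root filesystem). Before sending a request like either of them, it is worth running the JSON through a small pre-submission review. The script below is an added example, not StackPath code or part of its API client: it walks a workload request in the shape used on this page, reports the settings a security reviewer would question, and produces a hardened copy of a container-level securityContext. It assumes, as in Kubernetes, that container-level values override instance-level ones, and the capability and sysctl allowlists are this example's own policy choices, not platform rules.

```python
"""Pre-submission review of securityContext settings in a workload request.

Added example; the allowlists below are this example's policy, and the
instance-to-container inheritance rule is assumed to match Kubernetes."""
import copy
from dataclasses import dataclass

# Example-local policy: capabilities a container may add without a review.
CAP_ALLOWLIST = {"NET_BIND_SERVICE"}

# Example-local policy: the sysctls Kubernetes classifies as "safe" because
# they are namespaced per instance. Anything else, such as net.core.rmem_max
# from the instance-level example, is flagged for review.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Instance-level fields assumed to act as defaults for every container.
INHERITED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")


@dataclass(frozen=True)
class Finding:
    path: str      # where in the request the securityContext lives
    field: str     # the offending field
    message: str


def review_security_context(ctx, path, container_level=True):
    """Return findings for one effective securityContext dict."""
    findings = []

    def flag(field, message):
        findings.append(Finding(path, field, message))

    if ctx.get("runAsNonRoot") is not True:
        flag("runAsNonRoot", "not true; the image's default user (possibly root) is accepted")
    if str(ctx.get("runAsUser", "")) == "0":
        flag("runAsUser", "set to 0; processes run as root")

    if not container_level:
        # sysctls are an instance-level setting; the remaining checks are not.
        for sysctl in ctx.get("sysctls", []):
            name = sysctl.get("name")
            if name not in SAFE_SYSCTLS:
                flag("sysctls", f"{name} is not on the safe (namespaced) sysctl allowlist")
        return findings

    # Unset is treated like true: only an explicit false denies escalation.
    if ctx.get("allowPrivilegeEscalation", True):
        flag("allowPrivilegeEscalation",
             "not false; setuid binaries and file capabilities can gain privileges")
    if ctx.get("readOnlyRootFilesystem") is not True:
        flag("readOnlyRootFilesystem", "not true; the image filesystem is writable at runtime")

    caps = ctx.get("capabilities") or {}
    for cap in caps.get("add", []):
        if cap.upper() not in CAP_ALLOWLIST:
            flag("capabilities.add", f"{cap} is outside the allowlist")
    if "ALL" not in {c.upper() for c in caps.get("drop", [])}:
        flag("capabilities.drop", "does not drop ALL; the runtime's default capability set remains")
    return findings


def review_workload(request):
    """Review the instance-level context and the effective context of every container."""
    spec = request["workload"]["spec"]
    instance_ctx = spec.get("runtime", {}).get("containers", {}).get("securityContext", {})
    findings = review_security_context(
        instance_ctx, "spec.runtime.containers.securityContext", container_level=False)
    for section in ("initContainers", "containers"):
        for name, container in spec.get(section, {}).items():
            effective = {k: v for k, v in instance_ctx.items() if k in INHERITED_FIELDS}
            effective.update(container.get("securityContext", {}))
            findings += review_security_context(effective, f"spec.{section}.{name}.securityContext")
    return findings


def harden_security_context(ctx):
    """Return a copy of a container-level securityContext with conservative
    defaults: non-root, no privilege escalation, read-only root filesystem,
    all capabilities dropped except allowlisted additions, safe sysctls only.
    Anything the workload genuinely needs is then re-enabled deliberately."""
    hardened = copy.deepcopy(ctx)
    hardened["runAsNonRoot"] = True
    if str(hardened.get("runAsUser", "")) == "0":
        del hardened["runAsUser"]  # contradicts runAsNonRoot; use the image's non-root user
    hardened["allowPrivilegeEscalation"] = False
    hardened["readOnlyRootFilesystem"] = True
    caps = hardened.get("capabilities") or {}
    hardened["capabilities"] = {
        "add": [c for c in caps.get("add", []) if c.upper() in CAP_ALLOWLIST],
        "drop": ["ALL"],
    }
    if "sysctls" in hardened:
        hardened["sysctls"] = [s for s in hardened["sysctls"] if s.get("name") in SAFE_SYSCTLS]
    return hardened


# Constructed sample: the securityContext-relevant parts of this page's two
# examples combined, with an init container that has no context of its own.
SAMPLE_REQUEST = {"workload": {"spec": {
    "runtime": {"containers": {"securityContext": {
        "runAsUser": "999", "runAsGroup": "999", "runAsNonRoot": True,
        "sysctls": [{"name": "net.core.rmem_max", "value": "10065408"},
                    {"name": "net.ipv4.tcp_syncookies", "value": "1"}]}}},
    "initContainers": {"init-0": {"image": "myimage/non-root-ubuntu:1.0"}},
    "containers": {"container-0": {
        "image": "myimage/non-root-ubuntu:1.0",
        "securityContext": {
            "runAsUser": "999", "runAsGroup": "999", "runAsNonRoot": True,
            "readOnlyRootFilesystem": False, "allowPrivilegeEscalation": True,
            "capabilities": {"add": ["NET_ADMIN"], "drop": ["NET_RAW"]}}}}}}}

if __name__ == "__main__":
    for f in review_workload(SAMPLE_REQUEST):
        print(f"{f.path}.{f.field}: {f.message}")
    ctx = SAMPLE_REQUEST["workload"]["spec"]["containers"]["container-0"]["securityContext"]
    print(harden_security_context(ctx))
```

Run against the sample, the review flags the non-namespaced sysctl at the instance level, the writable root filesystem, privilege escalation and NET_ADMIN on container-0, and the missing denials on the init container that inherits only the user settings. The hardened copy of container-0's context passes the review with no findings; if the workload really does need NET_ADMIN, add it back to the hardened context as a recorded exception rather than leaving the permissive original in place.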
Want more?
For a complete list of available Enhanced Container Control settings along with their definitions, please see our Glossary.