22. RDFox Docker Images¶
This section documents the official Docker images for RDFox, which are publicly available from Docker Hub repository oxfordsemantic/rdfox, and their companion images in repository oxfordsemantic/rdfox-init.
The defaults of the RDFox Docker images are described in the next section,
followed by a section describing suggested approaches for mounting the RDFox
license key, server directory and shell root directory. The final section
provides a selection of example docker run
commands for running the images.
The only pre-requisite for running these is a Docker installation for your
platform. See the official Docker installation page for instructions.
The documentation assumes familiarity with the basics of Docker in general and in particular the different ways of mounting storage into containers with the desired container-side permissions.
Note
For readability, short-form (-v
) mount arguments will be used throughout
but readers should be aware that the official Docker documentation recommends
the long-form (--mount
) alternative.
22.1. Image Defaults¶
Default values for the images in the oxfordsemantic/rdfox repository are described below. It is possible to override all of these defaults but, for simplicity, the documentation of each assumes the other defaults are being used.
- User
The default user within the images is
rdfox
. This determines the default server directory path within containers as/home/rdfox/.RDFox
.- Entrypoint
The default entry point for the images is the RDFox executable embedded at container path
/opt/RDFox/RDFox
. The version of the executable at this path will match the version in the tag for the image.- Command
The default command is
daemon request-logger elf
. This can be overridden with any valid RDFox command (see Section 18).- Working directory
The default working directory for the images is
/data
. This has no impact when starting in daemon mode but will be the default root directory when using the RDFox shell.- Ports
The images expose the default port for the RDFox endpoint: 12110.
- Required superuser capabilities
In the interests of security, images in the oxfordsemantic/rdfox repository have been designed to run with no superuser capabilities (see Linux kernel capabilities). The inclusion of the argument
--cap-drop ALL
in docker run commands, or the equivalent in other environments, is recommended when launching images in the above repository.
22.2. Suggested Mounts¶
The following sections provide suggestions on how to mount the license key, how to mount and initialize storage for the server directory and how to mount storage for the shell root directory.
22.2.1. Mounting the License Key¶
Although various solutions to injecting the RDFox license key are possible, the
recommended approach is to mount a valid, in-date license key file to container
path /opt/RDFox/RDFox.lic
. This will enable the containerized RDFox process
to locate the license without requiring additional command line arguments whilst
ensuring that the license key need not be stored within the server directory.
If using the images in Kubernetes, where the RDFox license key may be held as a
Secret
resource, mounting the secret as described above will hide the
image’s entry-point executable, leading to a failure to start. In this
situation, mapping the secret into the container’s environment via variable
RDFOX_LICENSE_CONTENT
is the next most convenient option.
The methods described above work for both oxfordsemantic/rdfox and oxfordsemantic/rdfox images.
22.2.2. Mounting the Server Directory¶
When RDFox is configured to persist roles and data stores, it does so inside the
configured server-directory. As described above, the default server directory
path for oxfordsemantic/rdfox images is
/home/rdfox/.RDFox
. For use cases where persistence is enabled it is
therefore most convenient to mount storage, whether a host directory or Docker
volume, to that container path. If for any reason the server directory must be
mounted to a different container path, the default command for the image must be
overridden with a valid RDFox command which includes the -server-directory
parameter specifying the container-side server directory path.
Wherever the storage is mounted, it must be readable and writable by the user
that launches RDFox within the container (the rdfox
user by default). In
order to start RDFox in daemon mode without having to supply a role name and
password, it is also necessary that users have previously initialized access
control within the server directory (see Section 12.2.1
for more information about initialization). The companion images described in
the next section can help to prepare new server directories in order to meet all
of these requirements.
22.2.2.1. Initializing the Server Directory with a Companion Image¶
To simplify the initialization of new server directories, each image in the oxfordsemantic/rdfox repository has a companion image with a matching tag in the oxfordsemantic/rdfox repository. The purpose of these images is to prepare a mounted volume as a server directory for a long-lived container that will use the corresponding oxfordsemantic/rdfox image.
Since initialization requires root privileges to ensure the correct file system
access rights, as well as a plaintext password to initialize RDFox’s access
control system, using a companion image to prepare the server directory for a
long-lived RDFox container allows the latter to be run in a more secure
environment. Specifically, the long-lived container can be launched as an
unprivileged system account (such as the image’s default user, rdfox
), all
superuser capabilities can be dropped, and no plaintext password is needed for
the first RDFox server role.
When run against a completely uninitialized server directory, companion images perform the following steps:
ensure that the storage is owned by the
rdfox
user and is readable and writable by that userinvoke RDFox to initialize access control and, optionally, execute a user-supplied RDFox shell script
check that access control settings have been written to the disk.
Step 1 requires that the container is launched as root
with at least the
capabilities CAP_CHOWN
, CAP_SETUID
and CAP_SETGID
. Step 2 requires
an RDFox license key as well as the name and password of the first role for
RDFox. These can be supplied using the same command line arguments and
environment variables as the main oxfordsemantic/rdfox images.
Companion images accept the following subset of RDFox’s supported command line parameters:
-api-log {on|off}
-api-log.directory <api-log-directory>
-api-log.input-recording-limit <recording-limit>
-license-content <license-content>
-license-file <license-file>
-password <role-password>
-persist-ds {off|file}
-role <role-name>
-server-directory <server-directory>
Server parameters specified using the above arguments will not be saved to the
server directory and will have to be specified as arguments to the long-lived
oxfordsemantic/rdfox
container as well, if required. Server parameters that should be used for both
the initializing and long-lived RDFox containers may be supplied in a
server parameters file named parameters
in
the container’s working directory which will be copied to the server directory
before RDFox is invoked.
Note
If the server parameter persist-roles
is not specified in the command
line arguments nor in a parameters
file, no access control settings will
be persisted. This will cause the companion image to return a non-zero exit
code indicating failure since the server directory will remain uninitialized.
Note
It is recommended that both the persist-roles
and persist-ds
parameters be supplied in a parameters file since these settings must always
be specified in a way that matches the persistence type in use in the
directory.
In some cases it may be desirable to create and populate one or more data stores
or to configure access control as part of the initialization step. To facilitate
this, companion images check for a file named initialize.rdfox
in the
container’s working directory and, if it exists, pass it to the RDFox shell to
be executed as an RDFox shell script. This can
help avoid the need to do create and configure via the REST endpoint later on.
When the specified server directory already contains a roles file or directory, indicating that it has already been initialized, companion images return without invoking RDFox.
See Section 22.3 for an example Docker run command for a companion image.
22.2.3. Mounting the Shell Root Directory¶
Often, when developing applications for RDFox it is convenient to keep the
rules, base facts and shell scripts for the application in a single directory.
When using the RDFox shell in Docker, this directory must be mounted into the
container’s file system with the appropriate permissions to allow the rdfox
user to read and write as necessary.
Users are free to use either a named volume or a bind mount for the shell root
directory. Bind mounting a host directory will often be more convenient for this
purpose however named volumes offer more flexibility to achieve the necessary
container-side permissions, particularly where the Docker client is on Windows.
The most convenient target path for the mount is the default working directory
/data
as this is the default value for the shell root variable.
22.3. Example Docker Run Commands¶
The example commands in this section demonstrate how to run RDFox Docker images in several different configurations, starting with the simplest possible and progressing to more realistic scenarios. With the appropriate substitutions, the commands should work on any operating system where the Docker CLI is supported.
In all of the examples, <path-to-license-file>
should be replaced with an
absolute path to a valid, in-date RDFox license key file.
Example: Running Interactively with no Persistence or Endpoint.
The simplest possible docker run
command to launch RDFox in a container
is:
docker run -it -v <path-to-license-file>:/opt/RDFox/RDFox.lic oxfordsemantic/rdfox sandbox
This will start the RDFox shell for interactive usage but is not very useful.
First of all, nothing from the session will be persisted since no server
directory has been configured. Second, since no storage has been mounted to
the /data
path, there is no possibility of importing from or exporting to
the host file system from the RDFox shell and we have no access to any shell
scripts. Finally, since we did not publish the 12110 port it will be
impossible to reach the RDFox endpoint from outside the container even if it
is started using endpoint start
. Nevertheless, this command may be useful
for quickly testing out RDFox functionality on data and rules simple enough
to be typed (or pasted) in.
Example: Initializing a New Server Directory with a Companion Image.
The following command creates a Docker volume with name
rdfox-server-directory
(assuming no such volume exists already) and uses
the latest oxfordsemantic/rdfox image to prepare it
for use with the latest oxfordsemantic/rdfox image. Access control will
be initialized with the role name and password held in the environment
variables RDFOX_ROLE
and RDFOX_PASSWORD
respectively (these must be
set in the environment where the command is run).
docker run --rm -v <path-to-license-file>:/opt/RDFox/RDFox.lic \
-v rdfox-server-directory:/home/rdfox/.RDFox \
-v ${PWD}/parameters:/data/parameters \
-e RDFOX_ROLE \
-e RDFOX_PASSWORD \
oxfordsemantic/rdfox-init
The command relies on a file named parameters
in the working directory of
the host with the following content:
persist-roles file
persist-ds file
If the resulting container exits cleanly, the rdfox-server-directory
volume will be ready for use, as demonstrated in the next example.
Example: Running in Daemon Mode With Persistence
Using volume rdfox-server-directory
, prepared as described in the
preceding example, a containerized RDFox daemon, reachable at host port
<host-port>
, can be launched using the following command:
docker run -d --cap-drop ALL -p <host-port>:12110 \
-v <path-to-license-file>:/opt/RDFox/RDFox.lic \
-v rdfox-server-directory:/home/rdfox/.RDFox \
oxfordsemantic/rdfox
Example: Running Interactively With Persistence
To run interactively users must include the -i
and -t
arguments to
docker run and override the default daemon
command with shell
as in
the following command.
docker run -it --cap-drop ALL \
-v <path-to-license-file>:/opt/RDFox/RDFox.lic \
-v <rdfox-server-directory>:/home/rdfox/.RDFox \
-v <shell-root-directory>:/data \
oxfordsemantic/rdfox shell
When launched this way, RDFox will always prompt for a role name and password
which it will use to initialize access control if
<rdfox-server-directory>
has not previously been initialized, and in all
cases to log into the shell.
Example: Running in Daemon Mode With No Persistence
To run as a purely in-memory data store, where all interaction will be via
the RDFox endpoint, it is possible to supply the name and password of the
first role via environment variables in order to initialize access control
without any interaction via standard input and output. Assuming variables
RDFOX_ROLE
and RDFOX_PASSWORD
have been defined in the environment
where the command will run, a containerized RDFox daemon with no persistence,
reachable at host port <host-port>
, can be launched using the following
command:
docker run -d --cap-drop ALL \
-p <host-port>:12110 \
-v <path-to-license-file>:/opt/RDFox/RDFox.lic \
-e RDFOX_ROLE \
-e RDFOX_PASSWORD \
oxfordsemantic/rdfox \
-persist-roles off -persist-ds off daemon
The RDFox server started by the above command will contain no data stores
initially. These can be created and populated via the REST API however, in
some situations, it may be desirable to do this at startup time using an
RDFox shell script. Given a startup script start.rdfox
in host directory
<shell-root-directory>
, a containerized RDFox daemon with no persistence,
initialized by the script and reachable at host port <host-port>
, can be
launched using the following command:
docker run -d --cap-drop ALL \
-p <host-port>:12110 \
-v <path-to-license-file>:/opt/RDFox/RDFox.lic \
-v <shell-root-directory>:/data \
-e RDFOX_ROLE \
-e RDFOX_PASSWORD \
oxfordsemantic/rdfox -persist-roles off -persist-ds off shell . start
To prevent RDFox from exiting after executing the shell script, and to ensure
that the endpoint is running, the script should conclude with the daemon
command (see Section 15.2.10).
22.4. Checking the Health of RDFox Containers¶
Many container orchestration systems require a health check endpoint to
determine whether a container is healthy. The RDFox endpoint has a dedicated API
for this purpose at path /health
. GET
requests to this path will always
return 204 - No Content
. See also Section 16.17.