Information on default config and entrypoints for debug

This commit is contained in:
Adam Outler
2025-09-28 21:59:06 -04:00
parent c6efe5ac06
commit dc4848acd0
7 changed files with 29 additions and 6 deletions

View File

@@ -110,7 +110,7 @@ ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
# When complete, if the image is compromised, there's not much that can be done with it.
FROM runner AS hardened
# create readonly user and group with no shell access
# create readonly user and group with no shell access. Readonly user marks folders that are created by NetAlertX, but should not be modified.
RUN addgroup -g 20212 readonly && \
adduser -u 20212 -G readonly -D -h /app readonly && \
usermod -s /sbin/nologin readonly
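Review bot: the rewritten comment is fine, but the three-command chain it documents can be tightened: BusyBox `adduser` accepts `-s SHELL` directly, so `usermod -s /sbin/nologin readonly` (which needs the `shadow` package present in the `runner` stage) can be folded into the `adduser -u 20212 -G readonly -D -h /app -s /sbin/nologin readonly` line. The comment also says the `readonly` user "marks folders that ... should not be modified"; that only holds if the later `chown`/permission steps deny write access to `netalertx` and others, so consider stating the intended file mode next to this comment so the hardening intent can be checked against the image.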
@@ -133,10 +133,7 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_
# remove sudo and alpine installers pacakges
RUN apk del sudo libcap apk-tools && \
rm -rf /var/cache/apk/*
# remove all users and groups except readonly and netalertx without userdel/groupdel binaries
# RUN awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/passwd | xargs -r -n 1 deluser -r && \
# awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/group | xargs -r -n 1 delgroup
# Remove all sudoers
# remove all users and groups except readonly and netalertx & remove all sudoers
RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
/lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
/srv /media && \
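Review bot: the merged comment "remove all users and groups except readonly and netalertx & remove all sudoers" overstates what the `RUN` beneath it does. The command deletes `/etc/shadow`, `/etc/gshadow`, `/etc/sudoers`, `/etc/sudoers.d/*` and a set of directories, but leaves `/etc/passwd` and `/etc/group` untouched, so every other account and group stays defined (only password hashes disappear). The `awk ... deluser`/`delgroup` lines that would have pruned them were already commented out, so nothing is lost functionally, but the comment now claims work that is not performed; either keep the wording of the removed "Remove all sudoers" line or actually add the user/group pruning. Minor: "pacakges" in the preceding context comment is a typo.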

View File

@@ -0,0 +1,20 @@
This is the default filesystem for NetAlertX. it contains
- `/app` - The main application location. This structure is where the source code (back, front and server directories) is copied and executed in read-only form. It also provides default structures for the working directories, such as: config, db, and log. All other directories are not required in the production image and are not tracked.
- `/build` - a place where services can be initialized during docker container build. This folder is copied in, executed near the end of the build before the system is locked down, and then deleted. It is only available during build time.
- `/opt/venv/lib/pthon3.12/site-acakges/aiofreebox` - this holds a certificate used by aiofreebox package, which interacts with freebox OS.
- `/services` - a directory where all scripts which control system executions are held
- `/services/config` - a directory which holds all configuration files and `conf.d` folders used in the production image.
- `/services/config/cond` - `crond` daemon config.
- `/services/config/nginx` - `nginx` conf files.
- `/services/config/php` - php conf file.
`/services/config/php/php-fmp.d` - a `.d` style directory, debugger parameters or other configurations can be dropped in here.
- `/services/config/python-backend-extra-launch-parameters` - the contents of this file are added to launch params. It can be used to add debugging capabilities.
- `/services/capcheck.sh` - This is run at startup to warn the user if the container does not hold requried permissions to operate certain raw-packet tools.
- `/services/healthcheck.sh` - The system healthcheck. This script tests the services and reports if something fails.
- `/services/start-backend.sh` - The launcher for python services. This is called at startup by `entrypoint.sh`.
- `/services/start-crond.sh` - The launcher for crond task scheduler. This is called at startup by `entrypoint.sh`.
- `/services/start-nginx.sh` - The launcher for nginx frontend/website services. This is called at startup by `entrypoint.sh`.
- `/services/start-php-fpm.sh` - The launcher for php-fpm, used to interpret php for the frontend website. This is called at startup by `entrypoint.sh`.
- `/entrypoint.sh` - Called at system startup to launch all services and servers requried by NetAlertX.
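Review bot: the new filesystem description has several typos and one real inconsistency. Typos: `/opt/venv/lib/pthon3.12/site-acakges/aiofreebox` should read `python3.12/site-packages`; `/services/config/cond` is presumably `crond` (the description says `crond` daemon config); `php-fmp.d` should be `php-fpm.d`, and that line is missing its leading `- `, so it will not render as a list item; "requried" appears twice. The inconsistency: this file documents the extra-parameters file as `/services/config/python-backend-extra-launch-parameters`, while `start-backend.sh` in the same commit tests for `/services/config/python/backend-extra-launch-parameters` before reading it; pick one path and use it in both places. Since the contents of that file are spliced unquoted into the `python3` command line before `-m server`, the description should also say that they are interpreter options (not application arguments) and that the file is part of the read-only image tree, so it should not be overlaid by a user-writable volume in production.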

View File

@@ -3,5 +3,11 @@ echo "Starting backend..."
cd "${NETALERTX_APP}" || exit
# Change user to netalertx
export PYTHONPATH="${NETALERTX_SERVER}:${NETALERTX_APP}"
EXTRA_PARAMS=""
if [ -f /services/config/python/backend-extra-launch-parameters ]; then
EXTRA_PARAMS=$(cat /services/config/python-backend-extra-launch-parameters)
fi
# Start the backend, teeing stdout and stderr to log files and the container's console
python3 -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
python3 ${EXTRA_PARAMS} -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
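Review bot: the guard and the read disagree on the file name: the `if` tests `/services/config/python/backend-extra-launch-parameters` (with a `python/` subdirectory) while the `cat` reads `/services/config/python-backend-extra-launch-parameters`, so when the test succeeds the `cat` fails and `EXTRA_PARAMS` stays empty, and when the documented file exists the guard never fires. Use a single variable for the path, e.g. `PARAMS_FILE=/services/config/python-backend-extra-launch-parameters` followed by `[ -f "$PARAMS_FILE" ] && EXTRA_PARAMS=$(cat "$PARAMS_FILE")`. `${EXTRA_PARAMS}` is intentionally unquoted so it word-splits into several flags; that is acceptable for a file shipped in the image, but anything written to that path becomes interpreter flags, so it should stay owned by `readonly` without a write bit and never live on a mounted volume. Because the variable precedes `-m server`, only interpreter options such as `-X dev` belong in it; application arguments would have to follow `server`. Two smaller points: the `> >(tee ...)` redirections are process substitution, which requires the script to run under bash rather than POSIX `sh`, and the context comment `# Change user to netalertx` sits above an `export PYTHONPATH` line and no longer describes what follows.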