The multi-staged nature and repetitive commands for setting up complex compositions
(e.g., containers with host user's UID:GID, shared networks across compositions, etc.)
is the raison d'être for comp
. Some of the key features are highlighted below.
For running non-root containers with the host user's UID:GID
(e.g., to avoid permission issues with mounted volumes),
one must grab these from the host, and pass them as env
variables,
for docker compose
to pick them up.
The same applies to TZ
and other host-side configs as well.
Not all of these configs are absolute constants
that maybe added to a .env
and never be updated again.
In such cases, we ideally want a "hook" that runs before docker compose
is run,
and updates / generates the .env
as necessary.
Similar hooks are also desirable to set up external networks
that are shared across multiple compositions.
In such cases, the hook would execute a docker network
command
before running docker compose
.
comp
automatically grabs all external networks in YAML files,
and has a hook to create them if they do not already exist.
comp
also has several safeguards that docker compose
doesn't provide.
For instance, any non-existent host directories that are mounted to containers
are automatically created by Docker and are owned by root
,
even when the --user
flag is set!
comp
errors out in such cases, requesting the user for explicit action.
Seemed like overkill, when I initially wrote comp
.
Why not?
Typical workflows:
-
(Re)start compositions:
./comp down,up tang pihole
-
Update repo & restart a composition:
git pull && ./comp pdu pihole
Note how we specify verbs
pull,down,up
using just their first characters. -
Checking the status of compositions:
./comp status tang pihole
See comp#L372 for all supported supported flags and options.
Also see Structure & Conventions for optionally customizing compositions via overrides.
╭── Compositions \ Supported Archs ─── | amd 64 | arm v7 | arm 64 | risc v64 | |||
---|---|---|---|---|---|---|---|
AirDC++
:443/airdcpp/ |
B | airdcpp |
2.13.2
|
✔️ | ✔️ | ✔️ | ✖️ |
Beszel Hub
:4803/ |
B | beszel |
0.9.1
|
✔️ | ✔️ | ✔️ | ✖️ |
Beszel Agent
:45876 |
B | agent |
0.9.1
|
✔️ | ✔️ | ✔️ | ✖️ |
bitmagnet
:4433/ |
B C |
postgres
bitmagnet |
17.2...ne
v0.10.0....5
|
✔️ | ✔️ | ✔️ | ✔️ |
Certbot
:80/ |
B | certbot |
v3.1.0
|
✔️ | ✖️ | ✔️ | ✖️ |
docker_sock
:44432/docker_sock/ |
A | docker.sock‑proxy |
3.0.7
|
✔️ | ✔️ | ✔️ | ✖️ |
Gitea
:443/gitea/ |
B | gitea |
1.23.1-r...s
|
✔️ | ✖️ | ✔️ | ✖️ |
HAss
:4431/ |
B | hass |
2025.1.2_2.0.3
|
✔️ | ✔️ | ✔️ | ✖️ |
Indexarr
:443/jackett/ |
B B |
solvarr
jackett |
v3.3.21
0.22.1261
|
✔️ | ✔️ | ✔️ |
✖️
✖️ |
Kodi.DB
:3306 |
B | mariadb |
11.6.2
|
✔️ | ✖️ | ✔️ | ✖️ |
Monitarr
:443/{lid,rad,son}arr/ |
B B B |
lidarr
radarr sonarr |
2.8.2.4493
5.17.2.9580
4.0.12.2823
|
✔️ | ✔️ | ✔️ |
✖️
✖️ ✖️ |
Navidrome
:443/navidrome/ |
B | navidrome |
0.54.4
|
✔️ | ✔️ | ✔️ | ✖️ |
Netbox
:4432/netbox/ |
B B A |
postgres
redis netbox |
17.2...ne
8.0.2...ne
4.2.2
|
✔️ |
✔️
✔️ ✖️ |
✔️ |
✔️
✖️ ✖️ |
Nextcloud
:443/nextcloud/ |
B B C C B B |
mariadb
redis fulltextsearch imaginary nextcloud cron |
11.6.2
7.4.2
20250116...30
20250114...11
30.0.5-core
30.0.5-core
|
✔️ |
✖️
✔️ ✖️ ✖️ ✔️ ✔️ |
✔️ |
✖️
✔️ ✖️ ✖️ ✖️ ✖️ |
ntfy
:25, :44431/, :44433/ |
A | ntfy |
v2.11.0
|
✔️ | ✔️ | ✔️ | ✖️ |
OpenVPN
:5432 |
A | vpn |
2.6.12
|
✔️ | ✔️ | ✔️ | ✔️ |
Pi‑hole
:53, :4432/pihole/ |
A B |
dnscrypt‑proxy
pihole |
2.1.7
2024.07.0
|
✔️ | ✔️ | ✔️ |
✖️
✔️ |
qBittorrent
:443/qbittorrent/ |
A | qbittorrent‑nox |
5.0.1
|
✔️ | ✔️ | ✔️ | ✖️ |
Tang
:802/tang/ |
A | tang |
git.02...c8
|
✔️ | ✔️ | ✔️ | ✖️ |
Teslamate
:24432/teslamate/ |
B B B |
db
mqtt teslamate |
17.2...ne
2.0.20
1.31.1
|
✔️ | ✔️ | ✔️ |
✔️
✖️ ✖️ |
Tiny HTTPD
:443/ |
A | tiny-httpd |
2.29
|
✔️ | ✔️ | ✔️ | ✖️ |
Traefik
:443, :802, :803, :2443, :4431, :4432 :4433, :4443, :24431, :24432, :24433 :44431, :44432, :44433 :24432/traefik |
B | traefik |
3.3.2
|
✔️ | ✖️ | ✔️ | ✔️ |
Unifi
:3478, :8080, :8843/, :10001 |
B X |
mongodb
unifi |
4.4.18
9.0.108
|
✔️ |
✖️
✔️ |
✔️ |
✖️
✖️ |
Uptime
:24433/ |
A | uptime |
1.23.16..ne
|
✔️ | ✔️ | ✔️ | ✖️ |
Below, we say that a container is a non-root container,
if it allows running the target service as a non-root user,
e.g. using --user
with docker run.
Note that this is different from (less secure compared to) running the container with a rootless docker daemon.
A | Trustworthy: Non-root containers with binaries compiled during build, or from OS repos |
---|---|
B | Secure: Non-root containers with open-source binaries only |
C | Open: Root-ed containers with open-source binaries only |
X | Untrusted: Containers with closed-source binaries |
(Defaults Ports) | HTTP (?80?) | HTTPS (?443?) | |||
Service (80?) |
Internal (4443?) |
Monitor (2443?) |
Service (443?) |
||
WAN | Shared (*) |
✖️ | 4443 | 2443 | 443 |
Exclusive (*1) |
44431 | 24431 | 4431 | ||
LAN | Shared (*2) |
802 | 44432 | 24432 | 4432 |
Exclusive (*3) |
803 | 44433 | 24433 | 4433 |
- Shared: Ports for applications that support serving under subpaths
- Exclusive: Ports for containers that do not support subpaths
- Service: Ports for applications that serve end-user services
- Monitor: Ports for monitoring applications
- Internal: Ports for other internal applications
All local tweaks should be added to *.override.*
files.
-
at the repo root:
static.global.override.env
may store global constants- e.g. ACME configs, ports to be open etc.
- these are exposed as-is to docker compose
- see
static.global.env
for the default
dynamic.global.override.env.sh
may generate additional dynamic variables- e.g. as public IP, UID of calling user etc.
- these are (re)computed just before running each a composition
- see
dynamic.global.env.sh
for the default
-
within each composition:
meta.override.yml
may:- specify other compositions as prerequisites
- see
airdcpp/meta.yml
for an example - these are started and validated before starting the composition
- see
- specify other compositions as related
- see
tang/meta.yml
for an example - these are optionally started and validated after starting the composition
- see
- contain overrides for the
{devices|labels|logging|ports}
fragments
(flags used on the command-line will further override this)- see
.github/workflows/config/meta.override.yml
for an example
- see
- specify messages to be displayed after verb executions
- see
traefik/meta.yml
for an example
- see
- specify other compositions as prerequisites
static.override.env
may store additional service-specific constants- similar idea as its global counterpart
static.global.env
- see
gitea/static.env
for an example
- similar idea as its global counterpart
dynamic.override.env.sh
may generate additional service-specific evironment variables- similar idea as its global counterpart
dynamic.global.env.sh
- see
pihole/dynamic.env.sh
for an example
- similar idea as its global counterpart
compose.override.{yml|yaml}
may contain overrides for docker compose- modular overrides may also be specified for individual YAML fragment files:
compose.{devices|labels|logging|ports}.override.{yml|yaml}
- modular overrides may also be specified for individual YAML fragment files:
compose.{pre,post}_hook.override.*.sh
may define additional hooks to be run beforedocker compose
- see
nextcloud/compose.pre_hook.sh
for an example
- see
compose.{up,down,clean}.{pre,post}_hook.override.*.sh
may define additional verb-specific hooks to be run- see
monitarr/compose.up.pre_hook.sh
for an example
- see
- immediate subdirectories under
config/
,data/
,extra/
, andgenerated/
must match the service names withincompose.yml
- the directory structure at each of
config/X/Y...
,data/X/Y...
,extra/X/Y...
, andgenerated/X/Y...
must match the root directory hierarchy/Y/...
in the target containerX
Mount mode | Git commit | Comments | |
---|---|---|---|
config/ | :ro or - |
✔️ | |
data/ | :rw |
✖️ | |
env/ | - | ✔️ | May contain env_file s |
extra/ | - | ✔️ | Only indirect access, e.g. via generated/ |
generated/ | :ro |
✖️ |