Container Images
Image-mode apps (DeploymentMode = IMAGE — BYOI, build-from-code, build-from-git) run your container directly. Unlike the managed runtimes, there’s no handler or SDK: your container owns the HTTP server. The platform schedules it, wires a port and health probe, forwards invocations to it, and injects correlation headers.
The contract
Your container must:
- Listen on
$PORT. The platform injects aPORTenvironment variable; bind to it rather than hardcoding. The default is80. - Answer
POST /. Invocations arrive as HTTPPOST; the request body is your payload. The gateway forwards inbound paths verbatim, so serve whatever routes you like. - Serve a health endpoint.
GET /healthzreturning 2xx when the app is ready to take traffic (see Health probe). - Run as non-root. The platform applies a hardened security context — non-root, no privilege escalation, all Linux capabilities dropped. Set a non-root
USERin your image (e.g.USER 65534).
A minimal server reads $PORT, handles POST /, and (optionally) reads the x-ignite-* headers — see Recipes → Build an image from your code for a full Dockerfile + server.
Request headers
On each invocation the gateway injects three non-spoofable correlation headers your code can read:
| Header | Value |
|---|---|
x-ignite-execution-id | the execution id |
x-ignite-function-id | the app id (org/name) |
x-ignite-organization-id | the organization id |
Ports
- The container listens on
$PORT(env-injected; default80); a Service fronts it. - To expose a different or additional port, set the app’s
ports(e.g.[8080]). Each declared port gets its own direct FQDN:`<app>-<org>.ignite.dodil.cloud`for port 80,`<app>-<org>-<port>.ignite.dodil.cloud`otherwise. portsis API-only — set it onCreateApp/UpdateAppConfig; there is no CLI flag.
Health probe
- The platform probes
GET <health_path>(default/healthz) and treats a 2xx response as “ready.” - It’s wired as both the readiness and liveness probe (an HTTP
httpGeton your container port). - Timing:
initialDelaySeconds2 (image mode),periodSeconds5,failureThreshold3 (timeout and success threshold use the Kubernetes defaults). - Customize the path with
health_path(API-only). Keep it cheap and unauthenticated — it’s called on a schedule.
Invocation path
invoke_path (default /) is informational only. The gateway forwards inbound paths verbatim — it does not rewrite or enforce a path — so your container sees whatever path the caller used. Use it for documentation/observability, not routing.
Customization summary
| Knob | Default | Set via |
|---|---|---|
Listening port(s) — ports | [80] | API only (CreateApp / UpdateAppConfig) |
Health probe path — health_path | /healthz | API only |
Invoke path — invoke_path (informational) | / | API only |
Deployment mode — deployment_mode | derived from the source | API only |
These knobs are ignored for compile (managed-runtime) apps — the runtime already chooses its port and health endpoint. They only apply to image-mode apps.
Image pull
Images are pulled with imagePullPolicy: Always. For a private external registry (ghcr.io, Docker Hub private, ECR, …), attach a RegistrySecret via registry_secret_ref (BYOI) — the platform materializes the pull credentials onto the pod. The platform’s own build registry needs no secret.
See also
- Code & Runtimes — overview + the compile path
- Recipes — build-from-code, build-from-git, and BYOI end-to-end
- Builds — the image-build service (
BuildService) - Invocation → Direct FQDN — calling the app’s public URL