UDX Worker Logo

UDX Worker Guide

Practical reference for running UDX Worker base and child images with predictable config, secret references, supervised services, and release evidence.

Worker is a runtime contract inside the container. Docker, Kubernetes, CI, repo docs, Docker Hub overviews, and checked-in manifests each have their own job.

Use Cases

Use Worker when the runtime contract matters more than inventing another app-specific entrypoint, config loader, secret resolver, and process supervisor.

Run a small process stack

Put supervised commands in services.yaml when one container needs an app server, scheduler, helper daemon, or language runtime process set.

Share runtime config across repos

Use the same worker.yaml shape for non-secret defaults and provider secret refs. Deployment env vars can still override values per environment.

Capture release evidence

Enable runtime output in CI to record the config path, service file path, non-secret values, and redacted secret names used by the image.

Build language-specific images

Use the Node.js or PHP image when the language runtime, app mount path, and service defaults should be part of the image contract.

Migrate old deployment CLI usage

Existing @udx/worker-deployment automation can keep running during migration, but new work should use Docker, Kubernetes, CI, Rabbit/worker contracts, and repo-owned manifests.

Use something simpler when

  • A plain one-process container with normal env vars and stdout logs is enough.
  • You need a job queue, scheduler product, service mesh, or deployment orchestrator.
  • The only question is which tag to pull; use Docker Hub, repo docs, or checked-in manifests.

Where Docs Live

Different pages should answer different user questions. This page is the map, not the only source.

Place Best Question Should Own
udx.dev/worker What is Worker, when should I use it, and where do I go next? Orientation, image family map, common use cases, migration guidance
Source repo docs What is the exact config, CLI behavior, or image contract? Versioned references, schemas, examples, troubleshooting, tests
Docker Hub overview Which image do I pull, what paths do I mount, and what is the first run? Short image summary, tags, mounts, env/runtime output pointers, repo/search links
Repo-owned manifests How is this workload deployed in this environment? Image tag, ports, mounts, env overrides, service account, rollout policy

Quick Start

Start with the smallest image that matches the workload, mount runtime config, and use the host tool that owns deployment.

Step 1. Choose the image

Use the base image for generic automation, Node.js for Node workloads, and PHP for NGINX + PHP-FPM.

usabilitydynamics/udx-worker:latest
usabilitydynamics/udx-worker-nodejs:latest
usabilitydynamics/udx-worker-php:latest

Step 2. Create runtime config directory

Worker reads runtime files from /home/udx/.config/worker.

mkdir -p .config/worker

Step 3. Define services

Keep supervised process commands in services.yaml.

cat > .config/worker/services.yaml <<'EOF'
kind: workerService
version: udx.io/worker-v1/service
services:
  - name: "hello"
    command: "bash -lc 'while true; do echo worker ok; sleep 30; done'"
    autostart: true
    autorestart: true
EOF

Step 4. Run with Docker

Docker owns image selection, mounts, ports, and command args.

docker run --rm \
  -v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
  usabilitydynamics/udx-worker:latest

Step 5. Capture runtime contract when needed

Use runtime output for CI evidence, release review, or troubleshooting.

docker run --rm \
  -e WORKER_RUNTIME_OUTPUT=true \
  usabilitydynamics/udx-worker:latest true > runtime.json

Validation

Checks that prove the image, runtime config, secret wiring, and supervised services agree.

CI or release job

Capture runtime evidence

Store redacted runtime JSON as the artifact a reviewer or deployment job can inspect.

mkdir -p runtime-output

docker run --rm \
  -e WORKER_RUNTIME_OUTPUT=true \
  -v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
  usabilitydynamics/udx-worker:latest \
  true > runtime-output/runtime.json

Assert the contract shape

Fail the job if runtime output is missing or malformed.

jq -e '.env | type == "object"' runtime-output/runtime.json
jq -e '.redacted | type == "array"' runtime-output/runtime.json
jq -e '.paths.services_config | type == "string"' runtime-output/runtime.json

Running container

Re-apply runtime config

Rerun the same config, env, and secret resolution path used by the entrypoint.

worker config apply
worker env status

Check process state

Confirm health and supervised services before looking at logs.

worker health
worker service list
worker service logs <service> --tail 100

Record image contents

Use SBOM output when a release or incident needs image-level evidence.

worker sbom

Runtime Model

Keep runtime and deployment concerns separate.

Concern File Purpose
Runtime env + secrets worker.yaml Defines env values and secret references inside container
Runtime process orchestration services.yaml Defines supervised services and commands
Host deployment Docker, Kubernetes, or CI config Chooses image, mounts, ports, command/args outside container

Common pitfall: editing runtime files when you actually need to change deployment behavior.

Runtime Config

Keep worker.yaml for runtime defaults only.

  • config.env sets default runtime values.
  • config.secrets uses provider refs like gcp/<project>/<secret>.
  • Deployment env vars override worker.yaml (for all deployment types).
# /home/udx/.config/worker/worker.yaml
kind: workerConfig
version: udx.io/worker-v1/config
config:
  env:
    LOG_LEVEL: "info"
  secrets:
    DB_PASSWORD: "aws/db-password/us-west-2"
    API_KEY: "azure/kv-prod/api-key"
    SERVICE_TOKEN: "gcp/my-project/service-token"

Runtime Services

Define supervised services and their command startup contract.

# /home/udx/.config/worker/services.yaml
kind: workerService
version: udx.io/worker-v1/service
services:
  - name: "api"
    command: "bash -lc 'exec /home/udx/bin/start-api.sh'"
    autostart: true
    autorestart: true
    envs:
      - "PORT=8080"
      - "SERVICE_NAME=api"

  - name: "scheduler"
    command: "bash -lc 'exec /home/udx/bin/run-scheduler.sh --interval=60'"
    autostart: true
    autorestart: true
  • Use one command string per service.
  • No args field in services.yaml.
  • Do not put provider references like azure/... in envs.

Env as Secrets

Define provider refs once in worker.yaml, then choose one auth path for your target environment.

Step 1 · Runtime config

Define secret refs in worker.yaml

Keep refs portable here. Deployment env vars can still override values.

# /home/udx/.config/worker/worker.yaml
kind: workerConfig
version: udx.io/worker-v1/config
config:
  secrets:
    DB_PASSWORD: "gcp/my-project/db-password"

Step 2 · Auth path

Local keyless (recommended)

Set provider identity in the deployment platform; Worker uses credentials after auth exists.

Example Kubernetes service account

spec:
  serviceAccountName: worker-runtime

1) Sign in to Google Cloud

gcloud auth login

2) Create/update application default credentials

gcloud auth application-default login

3) Start with the host deployment tool

docker run --rm usabilitydynamics/udx-worker:latest

Step 3 · Inside running container

Verify auth + secret resolution

Check auth state

worker auth status --format json

Resolve one reference

worker env resolve gcp/my-project/service-token

Other auth paths (docs)

Use these for CI/Kubernetes or when keyless local auth is not possible.

  • GitHub Actions Workload Identity (keyless)
  • Kubernetes workload identity / service account mapping
  • JSON key file fallback (legacy, less secure)

Deployment Patterns

Keep deployment concerns outside runtime files: image, mounts, and env overrides.

Migration decision

Do not start new work on the old deployment CLI

Commands such as worker run, worker config, and worker images --all belong to the separate @udx/worker-deployment package. Keep existing automation running while it is migrated, but do not adopt that CLI for new Worker docs or workflows.

Existing automation The current npm package remains available during transition; no new package releases are planned.
New work Use repo-owned manifests, Rabbit/worker contracts, and dev.kit guidance for discovery and execution.

1) Docker

Use Docker directly for local runs and simple CI validation.

docker run --rm \
  -v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
  -e ES_PASSWORD="gcp/staging-project/es-password" \
  usabilitydynamics/udx-worker:latest

2) Runtime troubleshooting

On host

Open shell in running container

docker exec -it <container> bash

Inside container shell

Inspect services

worker service list

Stream logs

worker service logs <service> --tail 100 --follow

3) Kubernetes

Mount services.yaml and optional worker.yaml via ConfigMap at /home/udx/.config/worker. Use cluster workload identity/service account for cloud access.

Deployment env vars (plain values or provider refs like gcp/<project>/<secret>) override worker.yaml across all deployment types.

# Kubernetes deployment pattern
spec:
  serviceAccountName: worker-runtime
  containers:
    - name: worker
      volumeMounts:
        - name: worker-config
          mountPath: /home/udx/.config/worker
      env:
        - name: ES_PASSWORD
          value: "gcp/staging-project/es-password"
  volumes:
    - name: worker-config
      configMap:
        name: worker-runtime-config

CLI Reference

Most-used runtime commands with one-line intent.

Host tools

Start container with Docker

Use host-native deployment tools outside the container.

docker run --rm usabilitydynamics/udx-worker:latest

Apply Kubernetes manifests

Mount Worker runtime config through normal platform primitives.

kubectl apply -f worker-runtime.yaml

Inside container shell

List supervised services

Quick health/visibility check.

worker service list

Stream service logs

Follow one service during startup or incident.

worker service logs <service> --tail 100 --follow

Check provider auth status

Use JSON output for scripts and CI checks.

worker auth status --format json

Image Selection

Start with the base image. Move to a child image only when the workload needs dependencies, files, or service defaults baked into the image. The table lists known public images; use public search links for discovery as the family grows.

Image Best For App Mount Links
udx-worker Generic automation and custom process stacks /home/udx or custom Repo · Hub
udx-worker-nodejs Node.js services and CI jobs /usr/src/app Repo · Hub
udx-worker-php PHP workloads with NGINX + PHP-FPM /var/www Repo · Hub

When to build a child image

  • Use udx-worker when the app can be mounted or copied by the deployment pipeline.
  • Use udx-worker-nodejs or udx-worker-php when the language runtime should be part of the image contract.
  • Build a specialized child image when startup scripts, service defaults, or system packages must ship together.
  • Use public GitHub and Docker Hub search links to discover Worker-based repos/images; worker images --all is from the deprecated deployment CLI path.
  • Do not put deployment orchestration in the child image; keep target selection, mounts, ports, and rollout policy in the host platform.

Extension patterns that hold up

Real child images tend to stay maintainable when they keep the Worker contract obvious and leave environment-specific choices to the deployment platform.

  • Pin the parent Worker image in release paths instead of inheriting from a floating tag.
  • Add only the system packages, language packages, and CLIs the workload actually needs.
  • Copy services.yaml and optional worker.yaml only when they are part of the image contract.
  • Put helper scripts, app libraries, and CLI wrappers in predictable paths with explicit permissions.
  • Keep target env, credentials, mounts, ports, and rollout policy in Docker, Kubernetes, CI, or repo manifests.
  • Switch back to the Worker runtime user before CMD unless the workload documents why it cannot.
  • Validate with runtime output and in-container Worker commands before treating the image as releasable.

Minimal child image pattern

A child image should add workload dependencies and keep the Worker runtime contract intact.

FROM usabilitydynamics/udx-worker:0.41.0

COPY .config/worker/services.yaml /home/udx/.config/worker/services.yaml
COPY bin/ /home/udx/bin/

RUN chmod +x /home/udx/bin/*

Multi-stage app image pattern

Build assets in one stage, copy only runtime output into the Worker stage, then keep the same config/services contract.

FROM usabilitydynamics/udx-worker-nodejs:0.32.0 AS builder
WORKDIR /usr/src/app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM usabilitydynamics/udx-worker-nodejs:0.32.0 AS runtime
COPY --from=builder /usr/src/app/dist /usr/src/app/dist
COPY .config/worker/services.yaml /home/udx/.config/worker/services.yaml
USER udx
CMD ["/usr/local/bin/init.sh"]

Run a child image with mounted config

Pick the image, mount app code where that image expects it, and mount Worker runtime config read-only.

docker run --rm \
  -v "$PWD:/usr/src/app" \
  -v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
  usabilitydynamics/udx-worker-nodejs:latest

Validate the image contract

Release checks should prove the image contains the expected runtime files and that Worker can apply them.

mkdir -p runtime-output

docker run --rm \
  -e WORKER_RUNTIME_OUTPUT=true \
  -v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
  usabilitydynamics/udx-worker-nodejs:latest \
  true > runtime-output/runtime.json

jq -e '.paths.services_config | type == "string"' runtime-output/runtime.json

Need exact image behavior?

Use the image repos for Dockerfiles, tags, paths, and version-specific docs.

Looking for more public images?

Use public repo search and the Docker Hub namespace instead of relying on a hardcoded registry list.

Production Checklist

  • Pin semantic image tags in CI/CD, avoid floating tags in critical pipelines.
  • Mount runtime config read-only whenever possible.
  • Use least-privilege cloud credentials and rotate them regularly.
  • Keep secret references in worker.yaml, not hardcoded values in images.
  • Use JSON output for scripted checks (--format json).
  • Monitor worker service status and logs as part of deployment health checks.
  • Separate high-trust workloads into separate worker deployments.

Contributing

For base and child image contributions, follow repo-specific standards and keep docs/tests updated.

License

UDX Worker images and related tooling are MIT-licensed.