UDX Worker Guide
Practical reference for running UDX Worker base and child images with predictable config, secret references, supervised services, and release evidence.
Worker is a runtime contract inside the container. Docker, Kubernetes, CI, repo docs, Docker Hub overviews, and checked-in manifests each have their own job.
Use Cases
Use Worker when the runtime contract matters more than inventing another app-specific entrypoint, config loader, secret resolver, and process supervisor.
Run a small process stack
Put supervised commands in services.yaml when one container needs an app server,
scheduler, helper daemon, or language runtime process set.
Share runtime config across repos
Use the same worker.yaml shape for non-secret defaults and provider secret refs.
Deployment env vars can still override values per environment.
Capture release evidence
Enable runtime output in CI to record the config path, service file path, non-secret values, and redacted secret names used by the image.
Build language-specific images
Use the Node.js or PHP image when the language runtime, app mount path, and service defaults should be part of the image contract.
Migrate old deployment CLI usage
Existing @udx/worker-deployment automation can keep running during migration,
but new work should use Docker, Kubernetes, CI, Rabbit/worker contracts, and repo-owned manifests.
Use something simpler when
- A plain one-process container with normal env vars and stdout logs is enough.
- You need a job queue, scheduler product, service mesh, or deployment orchestrator.
- The only question is which tag to pull; use Docker Hub, repo docs, or checked-in manifests.
Where Docs Live
Different pages should answer different user questions. This page is the map, not the only source.
| Place | Best Question | Should Own |
|---|---|---|
udx.dev/worker |
What is Worker, when should I use it, and where do I go next? | Orientation, image family map, common use cases, migration guidance |
| Source repo docs | What is the exact config, CLI behavior, or image contract? | Versioned references, schemas, examples, troubleshooting, tests |
| Docker Hub overview | Which image do I pull, what paths do I mount, and what is the first run? | Short image summary, tags, mounts, env/runtime output pointers, repo/search links |
| Repo-owned manifests | How is this workload deployed in this environment? | Image tag, ports, mounts, env overrides, service account, rollout policy |
Quick Start
Start with the smallest image that matches the workload, mount runtime config, and use the host tool that owns deployment.
Step 1. Choose the image
Use the base image for generic automation, Node.js for Node workloads, and PHP for NGINX + PHP-FPM.
usabilitydynamics/udx-worker:latest
usabilitydynamics/udx-worker-nodejs:latest
usabilitydynamics/udx-worker-php:latest
Step 2. Create runtime config directory
Worker reads runtime files from /home/udx/.config/worker.
mkdir -p .config/worker
Step 3. Define services
Keep supervised process commands in services.yaml.
cat > .config/worker/services.yaml <<'EOF'
kind: workerService
version: udx.io/worker-v1/service
services:
- name: "hello"
command: "bash -lc 'while true; do echo worker ok; sleep 30; done'"
autostart: true
autorestart: true
EOF
Step 4. Run with Docker
Docker owns image selection, mounts, ports, and command args.
docker run --rm \
-v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
usabilitydynamics/udx-worker:latest
Step 5. Capture runtime contract when needed
Use runtime output for CI evidence, release review, or troubleshooting.
docker run --rm \
-e WORKER_RUNTIME_OUTPUT=true \
usabilitydynamics/udx-worker:latest true > runtime.json
Validation
Checks that prove the image, runtime config, secret wiring, and supervised services agree.
CI or release job
Capture runtime evidence
Store redacted runtime JSON as the artifact a reviewer or deployment job can inspect.
mkdir -p runtime-output
docker run --rm \
-e WORKER_RUNTIME_OUTPUT=true \
-v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
usabilitydynamics/udx-worker:latest \
true > runtime-output/runtime.json
Assert the contract shape
Fail the job if runtime output is missing or malformed.
jq -e '.env | type == "object"' runtime-output/runtime.json
jq -e '.redacted | type == "array"' runtime-output/runtime.json
jq -e '.paths.services_config | type == "string"' runtime-output/runtime.json
Running container
Re-apply runtime config
Rerun the same config, env, and secret resolution path used by the entrypoint.
worker config apply
worker env status
Check process state
Confirm health and supervised services before looking at logs.
worker health
worker service list
worker service logs <service> --tail 100
Record image contents
Use SBOM output when a release or incident needs image-level evidence.
worker sbom
Runtime Model
Keep runtime and deployment concerns separate.
| Concern | File | Purpose |
|---|---|---|
| Runtime env + secrets | worker.yaml |
Defines env values and secret references inside container |
| Runtime process orchestration | services.yaml |
Defines supervised services and commands |
| Host deployment | Docker, Kubernetes, or CI config | Chooses image, mounts, ports, command/args outside container |
Common pitfall: editing runtime files when you actually need to change deployment behavior.
Runtime Config
Keep worker.yaml for runtime defaults only.
config.envsets default runtime values.config.secretsuses provider refs likegcp/<project>/<secret>.- Deployment env vars override
worker.yaml(for all deployment types).
# /home/udx/.config/worker/worker.yaml
kind: workerConfig
version: udx.io/worker-v1/config
config:
env:
LOG_LEVEL: "info"
secrets:
DB_PASSWORD: "aws/db-password/us-west-2"
API_KEY: "azure/kv-prod/api-key"
SERVICE_TOKEN: "gcp/my-project/service-token"
Runtime Services
Define supervised services and their command startup contract.
# /home/udx/.config/worker/services.yaml
kind: workerService
version: udx.io/worker-v1/service
services:
- name: "api"
command: "bash -lc 'exec /home/udx/bin/start-api.sh'"
autostart: true
autorestart: true
envs:
- "PORT=8080"
- "SERVICE_NAME=api"
- name: "scheduler"
command: "bash -lc 'exec /home/udx/bin/run-scheduler.sh --interval=60'"
autostart: true
autorestart: true
- Use one
commandstring per service. - No
argsfield inservices.yaml. - Do not put provider references like
azure/...inenvs.
Env as Secrets
Define provider refs once in worker.yaml, then choose one auth path for your target environment.
Step 1 · Runtime config
Define secret refs in worker.yaml
Keep refs portable here. Deployment env vars can still override values.
# /home/udx/.config/worker/worker.yaml
kind: workerConfig
version: udx.io/worker-v1/config
config:
secrets:
DB_PASSWORD: "gcp/my-project/db-password"
Step 2 · Auth path
Local keyless (recommended)
Set provider identity in the deployment platform; Worker uses credentials after auth exists.
Example Kubernetes service account
spec:
serviceAccountName: worker-runtime
1) Sign in to Google Cloud
gcloud auth login
2) Create/update application default credentials
gcloud auth application-default login
3) Start with the host deployment tool
docker run --rm usabilitydynamics/udx-worker:latest
Step 3 · Inside running container
Verify auth + secret resolution
Check auth state
worker auth status --format json
Resolve one reference
worker env resolve gcp/my-project/service-token
Other auth paths (docs)
Use these for CI/Kubernetes or when keyless local auth is not possible.
- GitHub Actions Workload Identity (keyless)
- Kubernetes workload identity / service account mapping
- JSON key file fallback (legacy, less secure)
Deployment Patterns
Keep deployment concerns outside runtime files: image, mounts, and env overrides.
Migration decision
Do not start new work on the old deployment CLI
Commands such as worker run, worker config, and
worker images --all belong to the separate
@udx/worker-deployment package. Keep existing automation running while
it is migrated, but do not adopt that CLI for new Worker docs or workflows.
dev.kit guidance for discovery and execution.
1) Docker
Use Docker directly for local runs and simple CI validation.
docker run --rm \
-v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
-e ES_PASSWORD="gcp/staging-project/es-password" \
usabilitydynamics/udx-worker:latest
2) Runtime troubleshooting
On host
Open shell in running container
docker exec -it <container> bash
Inside container shell
Inspect services
worker service list
Stream logs
worker service logs <service> --tail 100 --follow
3) Kubernetes
Mount services.yaml and optional worker.yaml via ConfigMap at
/home/udx/.config/worker. Use cluster workload identity/service account for cloud access.
Deployment env vars (plain values or provider refs like gcp/<project>/<secret>)
override worker.yaml across all deployment types.
# Kubernetes deployment pattern
spec:
serviceAccountName: worker-runtime
containers:
- name: worker
volumeMounts:
- name: worker-config
mountPath: /home/udx/.config/worker
env:
- name: ES_PASSWORD
value: "gcp/staging-project/es-password"
volumes:
- name: worker-config
configMap:
name: worker-runtime-config
CLI Reference
Most-used runtime commands with one-line intent.
Host tools
Start container with Docker
Use host-native deployment tools outside the container.
docker run --rm usabilitydynamics/udx-worker:latest
Apply Kubernetes manifests
Mount Worker runtime config through normal platform primitives.
kubectl apply -f worker-runtime.yaml
Inside container shell
List supervised services
Quick health/visibility check.
worker service list
Stream service logs
Follow one service during startup or incident.
worker service logs <service> --tail 100 --follow
Check provider auth status
Use JSON output for scripts and CI checks.
worker auth status --format json
Image Selection
Start with the base image. Move to a child image only when the workload needs dependencies, files, or service defaults baked into the image. The table lists known public images; use public search links for discovery as the family grows.
| Image | Best For | App Mount | Links |
|---|---|---|---|
udx-worker |
Generic automation and custom process stacks | /home/udx or custom |
Repo · Hub |
udx-worker-nodejs |
Node.js services and CI jobs | /usr/src/app |
Repo · Hub |
udx-worker-php |
PHP workloads with NGINX + PHP-FPM | /var/www |
Repo · Hub |
When to build a child image
- Use
udx-workerwhen the app can be mounted or copied by the deployment pipeline. - Use
udx-worker-nodejsorudx-worker-phpwhen the language runtime should be part of the image contract. - Build a specialized child image when startup scripts, service defaults, or system packages must ship together.
- Use public GitHub and Docker Hub search links to discover Worker-based repos/images;
worker images --allis from the deprecated deployment CLI path. - Do not put deployment orchestration in the child image; keep target selection, mounts, ports, and rollout policy in the host platform.
Extension patterns that hold up
Real child images tend to stay maintainable when they keep the Worker contract obvious and leave environment-specific choices to the deployment platform.
- Pin the parent Worker image in release paths instead of inheriting from a floating tag.
- Add only the system packages, language packages, and CLIs the workload actually needs.
- Copy
services.yamland optionalworker.yamlonly when they are part of the image contract. - Put helper scripts, app libraries, and CLI wrappers in predictable paths with explicit permissions.
- Keep target env, credentials, mounts, ports, and rollout policy in Docker, Kubernetes, CI, or repo manifests.
- Switch back to the Worker runtime user before
CMDunless the workload documents why it cannot. - Validate with runtime output and in-container Worker commands before treating the image as releasable.
Minimal child image pattern
A child image should add workload dependencies and keep the Worker runtime contract intact.
FROM usabilitydynamics/udx-worker:0.41.0
COPY .config/worker/services.yaml /home/udx/.config/worker/services.yaml
COPY bin/ /home/udx/bin/
RUN chmod +x /home/udx/bin/*
Multi-stage app image pattern
Build assets in one stage, copy only runtime output into the Worker stage, then keep the same config/services contract.
FROM usabilitydynamics/udx-worker-nodejs:0.32.0 AS builder
WORKDIR /usr/src/app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM usabilitydynamics/udx-worker-nodejs:0.32.0 AS runtime
COPY --from=builder /usr/src/app/dist /usr/src/app/dist
COPY .config/worker/services.yaml /home/udx/.config/worker/services.yaml
USER udx
CMD ["/usr/local/bin/init.sh"]
Run a child image with mounted config
Pick the image, mount app code where that image expects it, and mount Worker runtime config read-only.
docker run --rm \
-v "$PWD:/usr/src/app" \
-v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
usabilitydynamics/udx-worker-nodejs:latest
Validate the image contract
Release checks should prove the image contains the expected runtime files and that Worker can apply them.
mkdir -p runtime-output
docker run --rm \
-e WORKER_RUNTIME_OUTPUT=true \
-v "$PWD/.config/worker:/home/udx/.config/worker:ro" \
usabilitydynamics/udx-worker-nodejs:latest \
true > runtime-output/runtime.json
jq -e '.paths.services_config | type == "string"' runtime-output/runtime.json
Production Checklist
- Pin semantic image tags in CI/CD, avoid floating tags in critical pipelines.
- Mount runtime config read-only whenever possible.
- Use least-privilege cloud credentials and rotate them regularly.
- Keep secret references in
worker.yaml, not hardcoded values in images. - Use JSON output for scripted checks (
--format json). - Monitor
worker service statusand logs as part of deployment health checks. - Separate high-trust workloads into separate worker deployments.
Contributing
For base and child image contributions, follow repo-specific standards and keep docs/tests updated.