Running Pypen
Pypen has a single entry point, start.py, that boots all of
its parts in the right order. Inside the container the
CMD is simply:
CMD ["python3", "start.py"]
Boot Sequence
- update.py runs to completion. If [upstream].repo is set, the local tree is hard-reset to the remote ref before anything else starts.
- Uvicorn boots the Quart ASGI app (the dashboard) on $PORT (default 5000).
- s6-svscan starts and begins watching /etc/s6/services. It will start managing services as the worker manager creates them.
- worker/ reads project.toml, clones each [[project]], builds its venv, writes its s6 run-script, and signals the supervisor.
- ping/ waits for the worker manager to settle, then starts pinging the keep-alive URL.
Logs
Each project gets its own log directory under /var/log/s6,
with rotation bounded by the project's logs_size setting.
The dashboard streams these logs in real time over Socket.IO.
Signals
| Signal | Effect |
|---|---|
| SIGTERM | Graceful shutdown of the container; s6 stops every worker in turn. |
| SIGHUP | Reload project.toml; new projects are added, removed projects are torn down. |
| SIGINT | Same as SIGTERM; useful for docker run -it. |
Runtime Security
The dashboard is protected by HTTP Basic-style auth using the
username / password values from
[defaults]. Always change them before exposing Pypen to the
public internet, and prefer terminating TLS at a reverse proxy (Caddy,
nginx, your platform's HTTPS endpoint).
Do not commit secrets
project.toml can contain access tokens and bot tokens.
Mount it as a volume or inject it from a secret manager — never
bake it into a public Docker image.
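A pre-publish check for the warning above, written as an added example and not part of Pypen: it reports the COPY/ADD instructions in a Dockerfile that would place project.toml in an image layer. It assumes project.toml sits at the root of the build context, uses simplified .dockerignore matching, and runs on a constructed sample Dockerfile.

```python
import fnmatch
import json
import shlex

SECRET_FILE = "project.toml"  # assumption: it sits at the root of the build context
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
COPY requirements.txt .
COPY --chown=app:app . /app
CMD ["python3", "start.py"]
"""  # constructed sample; only the CMD line comes from the page

def ignored(dockerignore, name=SECRET_FILE):
    """Simplified .dockerignore matching for a root-level file; last matching rule wins."""
    excluded = False
    for rule in map(str.strip, dockerignore.splitlines()):
        pattern = rule.lstrip("!").lstrip("/").removeprefix("**/")
        if fnmatch.fnmatch(name, pattern):  # blank and "#" lines never match
            excluded = not rule.startswith("!")  # "!" re-includes the file
    return excluded

def copy_sources(line):
    """Build-context sources of one COPY/ADD instruction, or [] for anything else."""
    parts = line.strip().split(None, 1)
    if len(parts) < 2 or parts[0].upper() not in ("COPY", "ADD"):
        return []
    rest = parts[1].strip()
    while rest.startswith("--"):  # strip flags such as --chown=...
        flag, _, rest = rest.partition(" ")
        if flag.startswith("--from="):  # copies from another stage, not the context
            return []
        rest = rest.strip()
    items = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
    return items[:-1]  # the last item is the destination

def bakes_secret(dockerfile, dockerignore=""):
    """Return the COPY/ADD lines that would put project.toml into an image layer."""
    if ignored(dockerignore):
        return []
    hits = []
    for line in dockerfile.replace("\\\n", " ").splitlines():  # join continuations
        for src in copy_sources(line):
            src = src.removeprefix("./").rstrip("/") or "."
            if src == "." or fnmatch.fnmatch(SECRET_FILE, src):
                hits.append(line.strip())
                break
    return hits
```

Calling `bakes_secret(SAMPLE_DOCKERFILE)` flags the `COPY --chown=app:app . /app` line; passing a .dockerignore that lists project.toml clears it.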