Docker Image and Artifact Naming
Naming conventions for all CWIQ artifacts — Docker images, CLI binaries, Python packages, and OS-level identifiers.
The Core Rule
Never prefix application resources with cwiq-
Only OS-level system identifiers (Linux users, groups, directories, systemd slices) use the cwiq- prefix. Application-level names — Docker images, Nexus repos, Python packages — use orchestrator- or orchestrator/ as appropriate.
Docker Images
Naming Pattern
Image names use a forward slash (/) separator, not a hyphen:
| Service | Image Name | GitLab ID |
|---|---|---|
| server | orchestrator/server | 5 |
| ui | orchestrator/ui | 4 |
| agent | orchestrator/agent | 6 |
| agent-runner (mcp) | orchestrator/mcp | 8 |
| runner-api | orchestrator/runner-service | 22 |
| audit-consumer | orchestrator/audit-consumer | 23 |
| audit-api | orchestrator/audit-service | 24 |
| ai-catalogue-api | orchestrator/ai-catalogue-service | 25 |
| monitoring-api | orchestrator/monitoring-service | 26 |
| notification-api | orchestrator/notification-service | 27 |
| iam-api | orchestrator/iam-service | 28 |
| notification-worker | orchestrator/notification-worker | 31 |
| monitoring-worker | orchestrator/monitoring-worker | 32 |
| runner-worker | orchestrator/runner-worker | 33 |
Tag Format
| Trigger | Tags Applied | Example |
|---|---|---|
| Push to main branch | main-{short-sha}, latest | main-a1b2c3d, latest |
| Push to feature branch | branch-{slug}-{short-sha} | branch-feat-search-a1b2c3d |
| Push to version tag (v*) | {version}, stable | 1.2.3, stable |
Push vs Pull Endpoints
| Operation | Registry | Variable |
|---|---|---|
| Push (CI builds) | nexus.shared.cwiq.io:8443 | NEXUS_REGISTRY |
| Pull (deployments, base images) | nexus.shared.cwiq.io:8444 | NEXUS_REGISTRY_PULL |
Port 8444 is the Docker group repository — it includes hosted images plus a Docker Hub proxy cache, which avoids rate limits on public image pulls.
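The naming pattern, tag formats, and push/pull endpoints above can be enforced as a lint step over image references in CI files and deployment manifests. The following is an added example, not part of the CWIQ tooling; the function name check_image_ref, the 7 to 40 character short-SHA length, and the MAJOR.MINOR.PATCH version shape are assumptions, and it covers CWIQ-built, tag-based references only (not proxied base images or digest references).

```python
import re

PUSH_REGISTRY = "nexus.shared.cwiq.io:8443"  # NEXUS_REGISTRY (CI builds)
PULL_REGISTRY = "nexus.shared.cwiq.io:8444"  # NEXUS_REGISTRY_PULL (deployments)

# Image names: orchestrator/<service>, slash separator, no cwiq- prefix.
NAME_RE = re.compile(r"orchestrator/[a-z0-9]+(?:-[a-z0-9]+)*")

# Tag shapes from the Tag Format table. Assumptions: a short SHA is 7 to 40
# lowercase hex characters and {version} is MAJOR.MINOR.PATCH.
TAG_RES = [
    re.compile(r"main-[0-9a-f]{7,40}"),
    re.compile(r"branch-[a-z0-9]+(?:-[a-z0-9]+)*-[0-9a-f]{7,40}"),
    re.compile(r"\d+\.\d+\.\d+"),
    re.compile(r"latest|stable"),
]


def check_image_ref(ref, operation):
    """Return naming violations for a tag-based image reference.

    operation is "push" (CI builds) or "pull" (deployments).
    """
    if operation not in ("push", "pull"):
        raise ValueError("operation must be 'push' or 'pull'")
    registry, slash, rest = ref.partition("/")
    if not slash or "." not in registry:
        return [f"no registry host in {ref!r}"]
    problems = []
    expected = PULL_REGISTRY if operation == "pull" else PUSH_REGISTRY
    if registry != expected:
        problems.append(f"{operation} must use {expected}, got {registry}")
    name, colon, tag = rest.partition(":")
    if not NAME_RE.fullmatch(name):
        problems.append(f"image name {name!r} is not orchestrator/<service>")
    if not colon:
        problems.append("missing tag")
    elif not any(p.fullmatch(tag) for p in TAG_RES):
        problems.append(f"tag {tag!r} matches no documented format")
    return problems


# Constructed sample references, not taken from a real pipeline.
SAMPLES = [
    ("nexus.shared.cwiq.io:8444/orchestrator/server:main-a1b2c3d", "pull"),
    ("nexus.shared.cwiq.io:8443/orchestrator/ui:1.2.3", "pull"),
    ("nexus.shared.cwiq.io:8443/orchestrator-server:latest", "push"),
]
if __name__ == "__main__":
    for ref, op in SAMPLES:
        print(op, ref, check_image_ref(ref, op) or "ok")
```

Rejecting references that carry no registry host keeps a manifest from resolving an image against whatever default registry the container runtime is configured with.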
Executor CLI Binaries
Installed by RPM to /usr/local/bin/:
| Binary | Purpose |
|---|---|
| orchestrator-executor | Main CLI — executes agent tasks in 6-layer sandbox |
| orchestrator-audit-query | Queries task execution audit logs |
| orchestrator-identity | Manages subordinate UID/GID allocations |
Sandbox Wrapper Scripts
Installed by Ansible to /usr/local/bin/:
| Script | Purpose |
|---|---|
| orchestrator-sandbox | Bubblewrap wrapper — main sandbox entry point |
| orchestrator-cgroup-manager | cgroups v2 resource limit management |
| orchestrator-overlay-manager | OverlayFS mount lifecycle management |
| orchestrator-wg-manager | WireGuard overlay network management |
Python Packages
| Package | Import Name | Registry |
|---|---|---|
| orchestrator-executor | orchestrator_cli | Nexus PyPI |
| orchestrator-cli | orchestrator_cli | Nexus PyPI |
| cwiq-common | cwiq_common | Nexus PyPI (v0.2.0) |
PyPI install endpoint: https://nexus.shared.cwiq.io/repository/pypi-group/simple/
RPM Packages
Example: orchestrator-executor-0.3.0-1.el9.x86_64.rpm
RPM version source: executor/pyproject.toml (version field). RPM release field: 0.dev for development builds.
Raw Binaries
Examples:
- orchestrator-executor-0.3.0 (release build)
- orchestrator-executor-main-a1b2c3d (main branch build)
- orchestrator-sandbox-0.3.0.sh (sandbox wrapper script)
System-Level Names (NEVER Renamed)
These are OS-level identifiers and must never be changed:
| Name | Type |
|---|---|
| cwiq-agents | Linux group |
| cwiq-agent-runner | Linux user (Temporal worker) |
| /etc/cwiq/ | Config directory |
| /var/lib/cwiq/ | Runtime data directory |
| /run/cwiq/ | Runtime state directory |
| /var/log/cwiq/ | Log directory |
| cwiq.slice | systemd cgroup slice |
Related Documentation
- CI/CD Overview — Pipeline stages and trigger behavior
- Nexus Docker Registry — Registry endpoints and authentication
- Versioning — Semver strategy and release tags