centurion 1.8.10 → 1.9.0

data/lib/centurion/docker_via_cli.rb

@@ -1,34 +1,47 @@
 require 'pty'
 require_relative 'logging'
 require_relative 'shell'
+require 'centurion/ssh'
 
 module Centurion; end
 
 class Centurion::DockerViaCli
   include Centurion::Logging
 
-  def initialize(hostname, port, docker_path, tls_args = {})
-    @docker_host = "tcp://#{hostname}:#{port}"
+  def initialize(hostname, port, docker_path, connection_opts = {})
+    if connection_opts[:ssh]
+      @docker_host = hostname
+    else
+      @docker_host = "tcp://#{hostname}:#{port}"
+    end
     @docker_path = docker_path
-    @tls_args = tls_args
+    @connection_opts = connection_opts
   end
 
   def pull(image, tag='latest')
     info 'Using CLI to pull'
-    Centurion::Shell.echo(build_command(:pull, "#{image}:#{tag}"))
+    connect do
+      Centurion::Shell.echo(build_command(:pull, "#{image}:#{tag}"))
+    end
   end
 
   def tail(container_id)
     info "Tailing the logs on #{container_id}"
-    Centurion::Shell.echo(build_command(:logs, container_id))
+    connect do
+      Centurion::Shell.echo(build_command(:logs, container_id))
+    end
   end
 
   def attach(container_id)
-    Centurion::Shell.echo(build_command(:attach, container_id))
+    connect do
+      Centurion::Shell.echo(build_command(:attach, container_id))
+    end
   end
 
   def exec(container_id, commandline)
-    Centurion::Shell.echo(build_command(:exec, "#{container_id} #{commandline}"))
+    connect do
+      Centurion::Shell.echo(build_command(:exec, "#{container_id} #{commandline}"))
+    end
   end
 
   def exec_it(container_id, commandline)
@@ -36,7 +49,9 @@ class Centurion::DockerViaCli
     # because docker exec returns the same exit code as the latest command executed on
     # the shell, which causes an exception to be raised if the latest comand executed
     # was unsuccessful when you exit the shell.
-    Centurion::Shell.echo(build_command(:exec, "-it #{container_id} #{commandline} || true"))
+    connect do
+      Centurion::Shell.echo(build_command(:exec, "-it #{container_id} #{commandline} || true"))
+    end
   end
 
   private
@@ -46,28 +61,29 @@ class Centurion::DockerViaCli
   end
 
   def all_tls_path_available?
-    self.class.tls_keys.all? { |key| @tls_args.key?(key) }
+    self.class.tls_keys.all? { |key| @connection_opts.key?(key) }
   end
 
   def tls_parameters
-    return '' if @tls_args.nil? || @tls_args.empty?
+    return '' if @connection_opts.nil? || @connection_opts.empty?
 
     tls_flags = ''
 
     # --tlsverify can be set without passing the cacert, cert and key flags
-    if @tls_args[:tls] == true || all_tls_path_available?
+    if @connection_opts[:tls] == true || all_tls_path_available?
       tls_flags << ' --tlsverify'
     end
 
     self.class.tls_keys.each do |key|
-      tls_flags << " --#{key}=#{@tls_args[key]}" if @tls_args[key]
+      tls_flags << " --#{key}=#{@connection_opts[key]}" if @connection_opts[key]
     end
 
     tls_flags
   end
 
   def build_command(action, destination)
-    command = "#{@docker_path} -H=#{@docker_host}"
+    host = @socket ? "unix://#{@socket}" : @docker_host
+    command = "#{@docker_path} -H=#{host}"
     command << tls_parameters || ''
     command << case action
                when :pull then ' pull '
@@ -78,4 +94,17 @@ class Centurion::DockerViaCli
     command << destination
     command
   end
+
+  def connect
+    if @connection_opts[:ssh]
+      Centurion::SSH.with_docker_socket(@docker_host, @connection_opts[:ssh_user], @connection_opts[:ssh_log_level]) do |socket|
+        @socket = socket
+        ret = yield
+        @socket = nil
+        ret
+      end
+    else
+      yield
+    end
+  end
 end

data/lib/centurion/service.rb

@@ -5,7 +5,7 @@ module Centurion
   class Service
     extend ::Capistrano::DSL
 
-    attr_accessor :command, :dns, :extra_hosts, :image, :name, :volumes, :port_bindings, :network_mode, :cap_adds, :cap_drops, :ipc_mode
+    attr_accessor :command, :dns, :extra_hosts, :image, :name, :volumes, :port_bindings, :network_mode, :cap_adds, :cap_drops, :ipc_mode, :security_opt
     attr_reader :memory, :cpu_shares, :env_vars, :labels
 
     def initialize(name)
@@ -16,6 +16,7 @@ module Centurion
       @cap_adds      = []
       @cap_drops     = []
       @labels        = {}
+      @security_opt  = []
       @network_mode  = 'bridge'
     end
 
@@ -38,6 +39,7 @@ module Centurion
         s.memory        = fetch(:memory, 0)
         s.cpu_shares    = fetch(:cpu_shares, 0)
         s.ipc_mode      = fetch(:ipc_mode, nil)
+        s.security_opt  = fetch(:security_opt, [])
 
         s.add_labels(fetch(:labels, {}))
         s.add_env_vars(fetch(:env_vars, {}))
@@ -100,6 +102,10 @@ module Centurion
       @ipc_mode = mode
     end
 
+    def add_security_opt(seccomp)
+      @security_opt << seccomp
+    end
+
     def build_config(server_hostname, &block)
       container_config = {}.tap do |c|
         c['Image'] = image
@@ -164,6 +170,9 @@ module Centurion
       # Set ipc mode
       host_config['IpcMode'] = ipc_mode if ipc_mode
 
+      # Set seccomp profile
+      host_config['SecurityOpt'] = security_opt unless security_opt.nil? || security_opt.empty?
+
       # Restart Policy
       if restart_policy
         host_config['RestartPolicy'] = {}

data/lib/centurion/ssh.rb

@@ -0,0 +1,40 @@
+require 'net/ssh'
+require 'sshkit'
+
+module Centurion; end
+
+module Centurion::SSH
+  extend self
+
+  def with_docker_socket(hostname, user, log_level = nil)
+    log_level ||= Logger::WARN
+
+    with_sshkit(hostname, user) do
+      with_ssh do |ssh|
+        ssh.logger = Logger.new STDERR
+        ssh.logger.level = log_level
+
+        # Tempfile ensures permissions are 0600
+        local_socket_path_file = Tempfile.new('docker_forward')
+        local_socket_path = local_socket_path_file.path
+        ssh.forward.local_socket(local_socket_path, '/var/run/docker.sock')
+
+        t = Thread.new do
+          yield local_socket_path
+        end
+
+        ssh.loop { t.alive? }
+        ssh.forward.cancel_local_socket local_socket_path
+        local_socket_path_file.delete
+        t.value
+      end
+    end
+  end
+
+  def with_sshkit(hostname, user, &block)
+    uri = hostname
+    uri = "#{user}@#{uri}" if user
+    host = SSHKit::Host.new uri
+    SSHKit::Backend::Netssh.new(host, &block).run
+  end
+end

data/lib/centurion/version.rb

@@ -1,3 +1,3 @@
 module Centurion
-  VERSION = '1.8.10'
+  VERSION = '1.9.0'
 end

data/spec/deploy_dsl_spec.rb

@@ -210,4 +210,19 @@ describe Centurion::DeployDSL do
     DeployDSLTest.set(:image, 'charlemagne')
     expect(DeployDSLTest.defined_service.image).to eq('charlemagne:roland')
   end
+
+  it 'configures ssh connections with no user' do
+    DeployDSLTest.set(:ssh, true)
+    DeployDSLTest.set(:hosts, %w{ host1 })
+
+    DeployDSLTest.on_each_docker_host { |h| expect(h.describe).to eq("host1 via SSH") }
+  end
+
+  it 'configures ssh connections with a user' do
+    DeployDSLTest.set(:ssh, true)
+    DeployDSLTest.set(:ssh_user, 'myuser')
+    DeployDSLTest.set(:hosts, %w{ host1 })
+
+    DeployDSLTest.on_each_docker_host { |h| expect(h.describe).to eq("host1 via SSH user myuser") }
+  end
 end

data/spec/docker_via_api_spec.rb

@@ -3,249 +3,174 @@ require 'centurion/docker_via_api'
 
 describe Centurion::DockerViaApi do
   let(:hostname) { 'example.com' }
-  let(:port) { '2375' }
+  let(:port) { 2375 }
   let(:api_version) { '1.12' }
   let(:json_string) { '[{ "Hello": "World" }]' }
   let(:json_value) { JSON.load(json_string) }
 
-  context 'without TLS certificates' do
-    let(:excon_uri) { "http://#{hostname}:#{port}/" }
-    let(:api) { Centurion::DockerViaApi.new(hostname, port) }
-
+  shared_examples "docker API" do
     it 'lists processes' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/containers/json", {}).
-                       and_return(double(body: json_string, status: 200))
+      Excon.stub(base_req.merge(method: :get, path: '/v1.12/containers/json'), {body: json_string, status: 200})
       expect(api.ps).to eq(json_value)
     end
 
     it 'lists all processes' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/containers/json?all=1", {}).
-                       and_return(double(body: json_string, status: 200))
+      Excon.stub(base_req.merge(method: :get, path: '/v1.12/containers/json?all=1'), {body: json_string, status: 200})
       expect(api.ps(all: true)).to eq(json_value)
     end
 
     it 'creates a container' do
-      configuration_as_json = double
+      configuration_as_json = 'body'
       configuration = double(to_json: configuration_as_json)
-      expect(Excon).to receive(:post).
-                           with(excon_uri + "v1.12" + "/containers/create",
-                                query: nil,
-                                body: configuration_as_json,
-                                headers: {'Content-Type' => 'application/json'}).
-                           and_return(double(body: json_string, status: 201))
+      Excon.stub(base_req.merge(
+        method: :post,
+        path: '/v1.12/containers/create',
+        body: configuration_as_json,
+        headers: {'Content-Type' => 'application/json'}
+      ),
+                 {body: json_string, status: 201})
       api.create_container(configuration)
     end
 
     it 'creates a container with a name' do
-      configuration_as_json = double
+      configuration_as_json = 'body'
       configuration = double(to_json: configuration_as_json)
-      expect(Excon).to receive(:post).
-                           with(excon_uri + "v1.12" + "/containers/create",
-                                query: { name: match(/^app1-[a-f0-9]+$/) },
-                                body: configuration_as_json,
-                                headers: {'Content-Type' => 'application/json'}).
-                           and_return(double(body: json_string, status: 201))
+      Excon.stub(base_req.merge(
+        method: :post,
+        path: '/v1.12/containers/create',
+        query: /^name=app1-[a-f0-9]+$/,
+        body: configuration_as_json,
+        headers: {'Content-Type' => 'application/json'}
+      ),
+      {body: json_string, status: 201})
       api.create_container(configuration, 'app1')
     end
 
     it 'starts a container' do
-      configuration_as_json = double
+      configuration_as_json = 'body'
       configuration = double(to_json: configuration_as_json)
-      expect(Excon).to receive(:post).
-                           with(excon_uri + "v1.12" + "/containers/12345/start",
-                                body: configuration_as_json,
-                                headers: {'Content-Type' => 'application/json'}).
-                           and_return(double(body: json_string, status: 204))
+      Excon.stub(base_req.merge(
+        method: :post,
+        path: '/v1.12/containers/12345/start',
+        body: configuration_as_json,
+        headers: {'Content-Type' => 'application/json'}
+      ),
+      {body: json_string, status: 204})
       api.start_container('12345', configuration)
     end
 
     it 'stops a container' do
-      expect(Excon).to receive(:post).
-                       with(excon_uri + "v1.12" + "/containers/12345/stop?t=300", {read_timeout: 420}).
-                       and_return(double(status: 204))
+      Excon.stub(base_req.merge(method: :post, path: '/v1.12/containers/12345/stop?t=300', read_timeout: 420), {status: 204})
       api.stop_container('12345', 300)
     end
 
     it 'stops a container with a custom timeout' do
-      expect(Excon).to receive(:post).
-                       with(excon_uri + "v1.12" + "/containers/12345/stop?t=30", {read_timeout: 150}).
-                       and_return(double(status: 204))
+      Excon.stub(base_req.merge(method: :post, path: '/v1.12/containers/12345/stop?t=30', read_timeout: 150), {status: 204})
       api.stop_container('12345')
     end
 
     it 'restarts a container' do
-      expect(Excon).to receive(:post).
-                          with(excon_uri + "v1.12" + "/containers/12345/restart?t=30", 
-                            {read_timeout: 150}).
-                          and_return(double(body: json_string, status: 204))
+      Excon.stub(base_req.merge(method: :post, path: '/v1.12/containers/12345/restart?t=30', read_timeout: 150), {status: 204})
       api.restart_container('12345')
     end
 
     it 'restarts a container with a custom timeout' do
-      expect(Excon).to receive(:post).
-                          with(excon_uri + "v1.12" + "/containers/12345/restart?t=300", {:read_timeout=>420}).
-                          and_return(double(body: json_string, status: 204))
+      Excon.stub(base_req.merge(method: :post, path: '/v1.12/containers/12345/restart?t=300', read_timeout: 420), {status: 204})
       api.restart_container('12345', 300)
     end
 
     it 'inspects a container' do
-      expect(Excon).to receive(:get).
-                           with(excon_uri + "v1.12" + "/containers/12345/json", {}).
-                           and_return(double(body: json_string, status: 200))
+      Excon.stub(base_req.merge(method: :get, path: '/v1.12/containers/12345/json'), {body: json_string, status: 200})
       expect(api.inspect_container('12345')).to eq(json_value)
     end
 
     it 'removes a container' do
-      expect(Excon).to receive(:delete).
-                           with(excon_uri + "v1.12" + "/containers/12345", {}).
-                           and_return(double(status: 204))
+      Excon.stub(base_req.merge(method: :delete, path: '/v1.12/containers/12345'), {body: json_string, status: 204})
       expect(api.remove_container('12345')).to eq(true)
     end
 
     it 'inspects an image' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/images/foo:bar/json",
-                            headers: {'Accept' => 'application/json'}).
-                       and_return(double(body: json_string, status: 200))
+      Excon.stub(base_req.merge(method: :get, path: '/v1.12/images/foo:bar/json', headers: {'Accept' => 'application/json'}), {body: json_string, status: 200})
       expect(api.inspect_image('foo', 'bar')).to eq(json_value)
     end
+   end
+
+  context 'without TLS certificates' do
+    let(:api) { Centurion::DockerViaApi.new(hostname, port) }
+    let(:base_req) { {hostname: hostname, port: port} }
 
+    it_behaves_like 'docker API'
   end
 
   context 'with TLS certificates' do
-    let(:excon_uri) { "https://#{hostname}:#{port}/" }
     let(:tls_args)  { { tls: true, tlscacert: '/certs/ca.pem',
                        tlscert: '/certs/cert.pem', tlskey: '/certs/key.pem' } }
+    let(:base_req) { {
+      hostname: hostname,
+      port: port,
+      client_cert: '/certs/cert.pem',
+      client_key: '/certs/key.pem',
+    } }
     let(:api)       { Centurion::DockerViaApi.new(hostname, port, tls_args) }
 
-    it 'lists processes' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/containers/json",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem').
-                       and_return(double(body: json_string, status: 200))
-      expect(api.ps).to eq(json_value)
-    end
-
-    it 'lists all processes' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/containers/json?all=1",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem').
-                       and_return(double(body: json_string, status: 200))
-      expect(api.ps(all: true)).to eq(json_value)
-    end
+    it_behaves_like 'docker API'
+  end
 
-    it 'inspects an image' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/images/foo:bar/json",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem',
-                            headers: {'Accept' => 'application/json'}).
-                       and_return(double(body: json_string, status: 200))
-      expect(api.inspect_image('foo', 'bar')).to eq(json_value)
-    end
+  context 'with default TLS certificates' do
+    let(:tls_args)  { { tls: true } }
+    let(:base_req) { {
+      hostname: hostname,
+      port: port,
+      client_cert: File.expand_path('~/.docker/cert.pem'),
+      client_key: File.expand_path('~/.docker/key.pem'),
+    } }
+    let(:api)       { Centurion::DockerViaApi.new(hostname, port, tls_args) }
 
-    it 'creates a container' do
-      configuration_as_json = double
-      configuration = double(to_json: configuration_as_json)
-      expect(Excon).to receive(:post).
-                           with(excon_uri + "v1.12" + "/containers/create",
-                                client_cert: '/certs/cert.pem',
-                                client_key: '/certs/key.pem',
-                                query: nil,
-                                body: configuration_as_json,
-                                headers: {'Content-Type' => 'application/json'}).
-                           and_return(double(body: json_string, status: 201))
-      api.create_container(configuration)
-    end
+    it_behaves_like 'docker API'
+  end
 
-    it 'starts a container' do
-      configuration_as_json = double
-      configuration = double(to_json: configuration_as_json)
-      expect(Excon).to receive(:post).
-                           with(excon_uri + "v1.12" + "/containers/12345/start",
-                                client_cert: '/certs/cert.pem',
-                                client_key: '/certs/key.pem',
-                                body: configuration_as_json,
-                                headers: {'Content-Type' => 'application/json'}).
-                           and_return(double(body: json_string, status: 204))
-      api.start_container('12345', configuration)
+  context 'with a SSH connection' do
+    let(:hostname) { 'hostname' }
+    let(:port) { nil }
+    let(:ssh_user) { 'myuser' }
+    let(:ssh_log_level) { nil }
+    let(:base_req) { {
+      socket: '/tmp/socket/path'
+    } }
+    let(:api)       { Centurion::DockerViaApi.new(hostname, port, params) }
+    let(:params) do
+      p = { ssh: true}
+      p[:ssh_user] = ssh_user if ssh_user
+      p[:ssh_log_level] = ssh_log_level if ssh_log_level
+      p
     end
 
-    it 'stops a container' do
-      expect(Excon).to receive(:post).
-                       with(excon_uri + "v1.12" + "/containers/12345/stop?t=300",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem',
-                            read_timeout: 420).
-                       and_return(double(status: 204))
-      api.stop_container('12345', 300)
-    end
+    context 'with no log level' do
+      before do
+        expect(Centurion::SSH).to receive(:with_docker_socket).with(hostname, ssh_user, nil).and_yield('/tmp/socket/path')
+      end
 
-    it 'stops a container with a custom timeout' do
-      expect(Excon).to receive(:post).
-                       with(excon_uri + "v1.12" + "/containers/12345/stop?t=30",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem',
-                            read_timeout: 150).
-                       and_return(double(status: 204))
-      api.stop_container('12345')
+      it_behaves_like 'docker API'
     end
 
-    it 'restarts a container' do
-      expect(Excon).to receive(:post).
-                        with(excon_uri + "v1.12" + "/containers/12345/restart?t=30",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem',
-                            read_timeout: 150).
-                        and_return(double(body: json_string, status: 204))
-      api.restart_container('12345')
-    end
+    context 'with no user' do
+      let(:ssh_user) { nil }
 
-    it 'restarts a container with a custom timeout' do
-      expect(Excon).to receive(:post).
-                        with(excon_uri + "v1.12" + "/containers/12345/restart?t=300",
-                            client_cert: '/certs/cert.pem',
-                            client_key: '/certs/key.pem',
-                            read_timeout: 420).
-                        and_return(double(body: json_string, status: 204))
-      api.restart_container('12345', 300)
-    end
+      before do
+        expect(Centurion::SSH).to receive(:with_docker_socket).with(hostname, nil, nil).and_yield('/tmp/socket/path')
+      end
 
-    it 'inspects a container' do
-      expect(Excon).to receive(:get).
-                           with(excon_uri + "v1.12" + "/containers/12345/json",
-                                client_cert: '/certs/cert.pem',
-                                client_key: '/certs/key.pem').
-                           and_return(double(body: json_string, status: 200))
-      expect(api.inspect_container('12345')).to eq(json_value)
+      it_behaves_like 'docker API'
     end
 
-    it 'removes a container' do
-      expect(Excon).to receive(:delete).
-                           with(excon_uri + "v1.12" + "/containers/12345",
-                                client_cert: '/certs/cert.pem',
-                                client_key: '/certs/key.pem').
-                           and_return(double(status: 204))
-      expect(api.remove_container('12345')).to eq(true)
-    end
-  end
+    context 'with a log level set' do
+      let(:ssh_log_level) { Logger::DEBUG }
 
-   context 'with default TLS certificates' do
-    let(:excon_uri) { "https://#{hostname}:#{port}/" }
-    let(:tls_args)  { { tls: true } }
-    let(:api)       { Centurion::DockerViaApi.new(hostname, port, tls_args) }
+      before do
+        expect(Centurion::SSH).to receive(:with_docker_socket).with(hostname, ssh_user, Logger::DEBUG).and_yield('/tmp/socket/path')
+      end
 
-    it 'lists processes' do
-      expect(Excon).to receive(:get).
-                       with(excon_uri + "v1.12" + "/containers/json",
-                            client_cert: File.expand_path('~/.docker/cert.pem'),
-                            client_key: File.expand_path('~/.docker/key.pem')).
-                       and_return(double(body: json_string, status: 200))
-      expect(api.ps).to eq(json_value)
+      it_behaves_like 'docker API'
     end
   end
 end