centurion 1.3.1 → 1.4.0

data/README.md

@@ -153,12 +153,74 @@ IP address (the equivalent of `docker run --dns 172.17.42.1 ...`) like this:
   end
 ```
 
+### Container Names
+
+This is the name that shows up in the `docker ps` output. It's the name
+of the container, not the hostname inside the container.
+
+If you want to name your container, use the `name` setting. The
+actual name for the created container will have a random hex string
+appended, to avoid name conflicts when you repeatedly deploy an image:
+```ruby
+  task :common do
+    set :name, 'backend'
+    # ...
+  end
+```
+With this, the container will be named something like `backend-4f692997`.
+
+### Container Hostnames
+
+If you don't specify a hostname to use inside your container, the container
+will be given the hostname of the Docker server. This probably is good for
+a lot of situations, but it might not be good for yours. If you need to have
+a specific hostname, you can cause Centurion to do that:
+
+```ruby
+set :container_hostname, 'yourhostname'
+```
+
+This is currently pretty inflexible in that the hostname will now be the same
+on all of your hosts. A possible future addition is the ability to pass
+a block to be evaluated on each host.
+
 ### Interpolation
 
 Currently there is one special string for interpolation that can be added to
 any `env_var` value in the DSL. `%DOCKER_HOSTNAME%` will be replaced with the
 current server's hostname in the environment variable at deployment time.
 
+### Use TLS certificate
+
+Centurion can use your certificate in order to execute the Docker commands.
+In order to do so you have 2 choices.
+
+#### Your certificate files are in ~/.docker/
+
+You just need to enable the tls mode as the following:
+
+```ruby
+  task :production => :common do
+    set :tls, true
+    # ...
+  end
+```
+
+Centurion will only set the `--tlsverify` to true and Docker will read your certificate from the `~/.docker/` path.
+
+#### Your certificate files are not in ~/.docker/
+
+Given your files are in `/usr/local/certs/`
+You have to set the following keys:
+
+```ruby
+  task :production => :common do
+    set :tlscacert, '/usr/local/certs/ca.pem'
+    set :tlscert, '/usr/local/certs/ssl.crt'
+    set :tlskey, '/usr/local/certs/ssl.key'
+    # ...
+  end
+```
 
 Deploying
 ---------
@@ -276,7 +338,7 @@ These correspond to the following settings:
 #### Alternative Docker Registry
 
 Centurion normally uses the built-in registry support in the Docker daemon to
-handle pushing and pulling images.But Centurion also has the ability to use
+handle pushing and pulling images. But Centurion also has the ability to use
 external tooling to support hosting your registry on Amazon S3. That tooling is
 from a project called [Dogestry](https://github.com/newrelic-forks/dogestry).
 We have recently improved that tooling substantially in coordination with the
@@ -287,12 +349,10 @@ with Amazon S3 to provide reliable hosting of images.  Setting Centurion up to
 use Dogestry is pretty trivial:
 
  1. Install Dogestry binaries on the client from which Dogestry is run.
-    Binaries are provided in the GitHub release.
+    Binaries are provided in the [GitHub release](https://github.com/newrelic-forks/dogestry).
  1. Add the settings necessary to get Centurion to pull from Dogestry. A config
     example is provided below:
 
-See example below to use `dogestry`:
-
 ```ruby
 namespace :environment do
   task :common do
@@ -312,7 +372,6 @@ We're currently looking at the following feature additions:
 
  * [etcd](https://github.com/coreos/etcd) integration for configs and discovery
  * Add the ability to show all the available tasks on the command line
- * Certificate authentication
  * Customized tasks
  * Dynamic host allocation to a pool of servers
 

data/bin/centurion

@@ -29,7 +29,7 @@ opts = Trollop::options do
   opt :tag,              'tag (latest...)',                             type: String, required: false, short: '-t'
   opt :hosts,            'hosts, comma separated',                      type: String, required: false, short: '-h'
   opt :docker_path,      'path to docker executable (default: docker)', type: String, default: 'docker', short: '-d'
-  opt :nopull,           'Skip the pull_image step',                    type: :flag, default: false, long: '--no-pull'
+  opt :no_pull,          'Skip the pull_image step',                    type: :flag, default: false, short: '-n'
   opt :registry_user,    'user for registry auth (default: nil)',       type: String, default: nil, short: :none
   opt :registry_password,'password for registry auth (default: nil)',   type: String, default: nil, short: :none
 end
@@ -62,7 +62,7 @@ set :docker_registry, Centurion::DockerRegistry::OFFICIAL_URL unless any?(:docke
 # Specify a path to docker executable
 set :docker_path, opts[:docker_path]
 
-set :no_pull, opts[:registry_user]
+set :no_pull, opts[:no_pull_given]
 set :registry_user, opts[:registry_user] if opts[:registry_user]
 set :registry_password, opts[:registry_password] if opts[:registry_password]
 

data/lib/centurion/deploy.rb

@@ -87,10 +87,10 @@ module Centurion::Deploy
     end
   end
 
-  def container_config_for(target_server, image_id, port_bindings=nil, env_vars=nil, volumes=nil, command=nil)
+  def container_config_for(target_server, image_id, port_bindings=nil, env_vars=nil, volumes=nil, command=nil, hostname=nil)
     container_config = {
       'Image'        => image_id,
-      'Hostname'     => target_server.hostname,
+      'Hostname'     => fetch(:container_hostname, target_server.hostname),
     }
 
     container_config.merge!('Cmd' => command) if command
@@ -140,7 +140,7 @@ module Centurion::Deploy
 
   def start_container_with_config(target_server, volumes, port_bindings, container_config)
     info "Creating new container for #{container_config['Image'][0..7]}"
-    new_container = target_server.create_container(container_config)
+    new_container = target_server.create_container(container_config, fetch(:name))
 
     host_config = {}
     # Map some host volumes if needed

data/lib/centurion/deploy_dsl.rb

@@ -3,9 +3,7 @@ require 'uri'
 
 module Centurion::DeployDSL
   def on_each_docker_host(&block)
-    Centurion::DockerServerGroup.new(fetch(:hosts, []), fetch(:docker_path)).tap do |hosts|
-      hosts.each { |host| block.call(host) }
-    end
+    build_server_group.tap { |hosts| hosts.each { |host| block.call(host) } }
   end
 
   def env_vars(new_vars)
@@ -63,8 +61,7 @@ module Centurion::DeployDSL
   end
 
   def get_current_tags_for(image)
-    hosts = Centurion::DockerServerGroup.new(fetch(:hosts), fetch(:docker_path))
-    hosts.inject([]) do |memo, target_server|
+    build_server_group.inject([]) do |memo, target_server|
       tags = target_server.current_tags_for(image)
       memo += [{ server: target_server.hostname, tags: tags }] if tags
       memo
@@ -77,6 +74,11 @@ module Centurion::DeployDSL
 
   private
 
+  def build_server_group
+    hosts, docker_path = fetch(:hosts, []), fetch(:docker_path)
+    Centurion::DockerServerGroup.new(hosts, docker_path, build_tls_params)
+  end
+
   def add_to_bindings(host_ip, container_port, port, type='tcp')
     set(:port_bindings, fetch(:port_bindings, {}).tap do |bindings|
       binding = { 'HostPort' => port.to_s }.tap do |b|
@@ -100,4 +102,18 @@ module Centurion::DeployDSL
       raise ArgumentError.new("Options must contain #{missing.inspect}")
     end
   end
+
+  def tls_paths_available?
+    Centurion::DockerViaCli.tls_keys.all? { |key| fetch(key).present? }
+  end
+
+  def build_tls_params
+    return {} unless fetch(:tlsverify)
+    {
+      tls: fetch(:tlsverify || tls_paths_available?),
+      tlscacert: fetch(:tlscacert),
+      tlscert: fetch(:tlscert),
+      tlskey: fetch(:tlskey)
+    }
+  end
 end

data/lib/centurion/docker_server.rb

@@ -18,10 +18,11 @@ class Centurion::DockerServer
                  :old_containers_for_port, :remove_container
   def_delegators :docker_via_cli, :pull, :tail, :attach
 
-  def initialize(host, docker_path)
+  def initialize(host, docker_path, tls_params = {})
     @docker_path = docker_path
     @hostname, @port = host.split(':')
     @port ||= '2375'
+    @tls_params = tls_params
   end
 
   def current_tags_for(image)
@@ -44,11 +45,13 @@ class Centurion::DockerServer
   private
 
   def docker_via_api
-    @docker_via_api ||= Centurion::DockerViaApi.new(@hostname, @port)
+    @docker_via_api ||= Centurion::DockerViaApi.new(@hostname, @port,
+                                                    @tls_params)
   end
 
   def docker_via_cli
-    @docker_via_cli ||= Centurion::DockerViaCli.new(@hostname, @port, @docker_path)
+    @docker_via_cli ||= Centurion::DockerViaCli.new(@hostname, @port,
+                                                    @docker_path, @tls_params)
   end
 
   def parse_image_tags_for(running_containers)

data/lib/centurion/docker_server_group.rb

@@ -8,10 +8,12 @@ class Centurion::DockerServerGroup
   include Centurion::Logging
 
   attr_reader :hosts
-  
-  def initialize(hosts, docker_path)
+
+  def initialize(hosts, docker_path, tls_params = {})
     raise ArgumentError.new('Bad Host list!') if hosts.nil? || hosts.empty?
-    @hosts = hosts.map { |hostname| Centurion::DockerServer.new(hostname, docker_path) }
+    @hosts = hosts.map do |hostname|
+      Centurion::DockerServer.new(hostname, docker_path, tls_params)
+    end
   end
 
   def each(&block)

data/lib/centurion/docker_via_api.rb

@@ -1,12 +1,14 @@
 require 'excon'
 require 'json'
 require 'uri'
+require 'securerandom'
 
 module Centurion; end
 
 class Centurion::DockerViaApi
-  def initialize(hostname, port)
-    @base_uri = "http://#{hostname}:#{port}"
+  def initialize(hostname, port, tls_args = {})
+    @tls_args = tls_args # Required by tls_enable?
+    @base_uri = "http#{'s' if tls_enable?}://#{hostname}:#{port}"
 
     configure_excon_globally
   end
@@ -14,7 +16,7 @@ class Centurion::DockerViaApi
   def ps(options={})
     path = "/v1.7/containers/json"
     path += "?all=1" if options[:all]
-    response = Excon.get(@base_uri + path)
+    response = Excon.get(@base_uri + path, tls_excon_arguments)
 
     raise unless response.status == 200
     JSON.load(response.body)
@@ -26,7 +28,7 @@ class Centurion::DockerViaApi
 
     response = Excon.get(
       @base_uri + path,
-      :headers => {'Accept' => 'application/json'}
+      tls_excon_arguments.merge(:headers => {'Accept' => 'application/json'})
     )
     raise response.inspect unless response.status == 200
     JSON.load(response.body)
@@ -46,6 +48,7 @@ class Centurion::DockerViaApi
     path = "/v1.7/containers/#{container_id}"
     response = Excon.delete(
       @base_uri + path,
+      tls_excon_arguments
     )
     raise response.inspect unless response.status == 204
     true
@@ -55,17 +58,21 @@ class Centurion::DockerViaApi
     path = "/v1.7/containers/#{container_id}/stop?t=#{timeout}"
     response = Excon.post(
       @base_uri + path,
+      tls_excon_arguments
     )
     raise response.inspect unless response.status == 204
     true
   end
 
-  def create_container(configuration)
+  def create_container(configuration, name = nil)
     path = "/v1.10/containers/create"
     response = Excon.post(
       @base_uri + path,
-      :body => configuration.to_json,
-      :headers => { "Content-Type" => "application/json" }
+      tls_excon_arguments.merge(
+        :query   => name ? {:name => "#{name}-#{SecureRandom.hex(7)}"} : nil,
+        :body    => configuration.to_json,
+        :headers => { "Content-Type" => "application/json" }
+      )
     )
     raise response.inspect unless response.status == 201
     JSON.load(response.body)
@@ -75,8 +82,10 @@ class Centurion::DockerViaApi
     path = "/v1.10/containers/#{container_id}/start"
     response = Excon.post(
       @base_uri + path,
-      :body => configuration.to_json,
-      :headers => { "Content-Type" => "application/json" }
+      tls_excon_arguments.merge(
+        :body => configuration.to_json,
+        :headers => { "Content-Type" => "application/json" }
+      )
     )
     case response.status
     when 204
@@ -92,6 +101,7 @@ class Centurion::DockerViaApi
     path = "/v1.7/containers/#{container_id}/json"
     response = Excon.get(
       @base_uri + path,
+      tls_excon_arguments
     )
     raise response.inspect unless response.status == 200
     JSON.load(response.body)
@@ -109,6 +119,19 @@ class Centurion::DockerViaApi
     end
   end
 
+  def tls_enable?
+    @tls_args.is_a?(Hash) && @tls_args.size > 0
+  end
+
+  def tls_excon_arguments
+    return {} unless [:tlscert, :tlskey].all? { |key| @tls_args.key?(key) }
+
+    {
+      client_cert: @tls_args[:tlscert],
+      client_key: @tls_args[:tlskey]
+    }
+  end
+
   def configure_excon_globally
     Excon.defaults[:connect_timeout] = 120
     Excon.defaults[:read_timeout]    = 120
@@ -117,5 +140,6 @@ class Centurion::DockerViaApi
     Excon.defaults[:debug_response]  = true
     Excon.defaults[:nonblock]        = false
     Excon.defaults[:tcp_nodelay]     = true
+    Excon.defaults[:ssl_ca_file]     = @tls_args[:tlscacert]
   end
 end

data/lib/centurion/docker_via_cli.rb

@@ -6,22 +6,62 @@ module Centurion; end
 class Centurion::DockerViaCli
   include Centurion::Logging
 
-  def initialize(hostname, port, docker_path)
+  def initialize(hostname, port, docker_path, tls_args = {})
     @docker_host = "tcp://#{hostname}:#{port}"
     @docker_path = docker_path
+    @tls_args = tls_args
   end
 
   def pull(image, tag='latest')
-    info "Using CLI to pull"
-    echo("#{@docker_path} -H=#{@docker_host} pull #{image}:#{tag}")
+    info 'Using CLI to pull'
+    echo(build_command(:pull, "#{image}:#{tag}"))
   end
 
   def tail(container_id)
     info "Tailing the logs on #{container_id}"
-    echo("#{@docker_path} -H=#{@docker_host} logs -f #{container_id}")
+    echo(build_command(:logs, container_id))
   end
 
   def attach(container_id)
-    Process.exec("#{@docker_path} -H=#{@docker_host} attach #{container_id}")
+    echo(build_command(:attach, container_id))
+  end
+
+  private
+
+  def self.tls_keys
+    [:tlscacert, :tlscert, :tlskey]
+  end
+
+  def all_tls_path_available?
+    self.class.tls_keys.all? { |key| @tls_args.key?(key) }
+  end
+
+  def tls_parameters
+    return '' if @tls_args.nil? || @tls_args == {}
+
+    tls_flags = ''
+
+    # --tlsverify can be set without passing the cacert, cert and key flags
+    if @tls_args[:tls] == true || all_tls_path_available?
+      tls_flags << ' --tlsverify'
+    end
+
+    self.class.tls_keys.each do |key|
+      tls_flags << " --#{key}=#{@tls_args[key]}" if @tls_args[key]
+    end
+
+    tls_flags
+  end
+
+  def build_command(action, destination)
+    command = "#{@docker_path} -H=#{@docker_host}"
+    command << tls_parameters
+    command << case action
+               when :pull then ' pull '
+               when :logs then ' logs -f '
+               when :attach then ' attach '
+               end
+    command << destination
+    command
   end
 end

data/lib/centurion/dogestry.rb

@@ -52,12 +52,7 @@ class Centurion::Dogestry
     "s3://#{s3_bucket}/?region=#{s3_region}"
   end
 
-  def docker_host
-    @options[:docker_host] || 'tcp://localhost:2375'
-  end
-
-  def set_envs(docker_host)
-    ENV['DOCKER_HOST'] = docker_host
+  def set_envs()
     ENV['AWS_ACCESS_KEY'] = aws_access_key_id
     ENV['AWS_SECRET_KEY'] = aws_secret_key
 
@@ -70,22 +65,14 @@ class Centurion::Dogestry
     command
   end
 
-  def download_image_to_temp_dir(repo, local_dir)
+  def pull(repo, pull_hosts)
     validate_before_exec
-    set_envs("")
+    set_envs()
 
-    flags = "-tempdir #{File.expand_path(local_dir)}"
+    hosts = pull_hosts.join(",")
+    flags = "-pullhosts #{hosts}"
 
-    echo(exec_command('download', repo, flags=flags))
+    echo(exec_command('pull', repo, flags))
   end
 
-  def upload_temp_dir_image_to_docker(repo, local_dir, docker_host)
-    validate_before_exec
-    set_envs(docker_host)
-
-    command = "dogestry upload #{local_dir} #{repo}"
-    info "Executing: #{command}"
-
-    echo(command)
-  end
 end