centurion 1.8.10 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ec921ec16391c51e0941a6a9e2d6fe2e060155da
-  data.tar.gz: 5ee10d7e3028d1135e5fe4eb1f8075e1146e643c
+  metadata.gz: 43be6c7bcc352c334aa0e84044443a9f4c6f055a
+  data.tar.gz: 49f52dfe1bc7dc4dfa5e200650f2b786b7c2bdbf
 SHA512:
-  metadata.gz: f8a80e7c694b008596459d7ce7b05000c2a50e6d7e89d388e7589a59287059b2bd487b6dea8fb683e9d283f333e372854aa3900673094d98202e817e6b1bbe5d
-  data.tar.gz: cb23d715dff77b5cb3b0d20fe9d8e3e9dbb74f14c34322e4553024f098ba9b4cc6e6d833b96a355fd970400e9a95aa1a0624448d6e85f9cd928fa35166a1156c
+  metadata.gz: 9ce70d7443f88d79e17a8e0ce9890ad7104cbf89061cee1f957f84c8016b31ced9712fc4e357127e14e945c9d13df2e871fa57cc4a87a41ff4eda0481f3e70eb
+  data.tar.gz: 362f4d002b00c232d32731fbbfcf5ca069bdd3c8a9902e5ba8f2b28715d6e5cb3f0198974a46fded276f30b642545c6620f380b3181e0ed311ba049af24c4be9

data/CONTRIBUTORS.md

@@ -16,6 +16,7 @@ Your name could be here!
  * [Hugo Chinchilla][hugochinchilla]
  * [Dan Selans][dselans]
  * [Dan Young][idleyoungman]
+ * [Trevor Strieber][tstrieber]
 
 Pre-release
 -----------

data/README.md

@@ -25,9 +25,6 @@ Commercial Docker Registry Providers:
 Open-source:
 - The [Docker Distribution](https://github.com/docker/distribution) project,
   built and maintained by Docker. You host this yourself.
-- (*NEW!*) [Dogestry](https://github.com/dogestry/dogestry) is an
-  s3-backed Docker registry alternative that removes the requirement to set up
-  a centralized registry service or host anything yourself.
 
 Status
 ------
@@ -292,6 +289,25 @@ drop_capability 'SOME_CAPABILITY'
 For more information on which kernel capabilities may be specified, see the
 [Docker docs](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration).
 
+### Setting the security options
+
+Some Docker platforms support container security overlays called `seccomp`. 
+During container creation, you may specify security options to control the 
+seccomp permissions. 
+
+To set a seccomp path:
+```ruby
+add_security_opt 'seccomp=/path/to/seccomp/profile.json'
+```
+
+Or, to unblock all syscalls in a container:
+
+```ruby
+add_security_opt 'seccomp=unconfined'
+```
+
+For more information on this argument, see the [Docker docs](https://docs.docker.com/engine/security/seccomp/).
+
 ### Interpolation
 
 Currently there a couple of special strings for interpolation that can be added
@@ -336,13 +352,34 @@ You have to set the following keys:
 
 Modify the paths as appropriate for your cert, ca, and key files.
 
+### Use SSH to connect *beta*
+
+If your Docker server does not expose its HTTP service over TCP, you can
+instead talk to it via SSH.
+
+This functions by creating a local Unix socket that forwards to the remote
+Docker Unix socket, so it requires that the user you connect as has access to
+the Docker socket without any `sudo`. Currently it also assumes that you
+authenticate via public key, so be sure that you have `ssh-add`ed your key to
+your SSH agent if it has a passcode.
+
+You can configure it with a few options:
+
+```ruby
+  task :common do
+    set :ssh, true # enable ssh connections
+    set :ssh_user, "myuser" # if you want to specify the user to connect as, otherwise your current user
+    set :ssh_log_level, Logger::DEBUG # passed on to net/ssh, can be noisy; defaults to Logger::WARN
+  end
+```
+
 Deploying
 ---------
 
 Centurion supports a number of tasks out of the box that make working with
 distributed containers easy.  Here are some examples:
 
-###Do a rolling deployment to a fleet of Docker servers
+### Do a rolling deployment to a fleet of Docker servers
 
 A rolling deployment will stop and start each container one at a time to make
 sure that the application stays available from the viewpoint of the load
@@ -352,9 +389,9 @@ the root path of the application. The healthcheck endpoint is configurable by ad
 `set(:status_endpoint, '/somewhere/else')` in your config. The status endpoint
 must respond with a valid response in the 200 status range.
 
-````bash
+```bash
 $ bundle exec centurion -p radio-radio -e staging -a rolling_deploy
-````
+```
 
 **Custom Health Check**:
 You can use a custom health check by specifying a callable object (anything that
@@ -365,7 +402,7 @@ should return a truthy value, falsey otherwise. Here's an example of a custom
 health check that verifies that an elasticsearch node is up and has joined the
 cluster.
 
-````ruby
+```ruby
 def cluster_green?(target_server, port, endpoint)
   response = begin
     Excon.get("http://#{target_server.hostname}:#{port}#{endpoint}")
@@ -386,7 +423,7 @@ task :production => :common do
   host 'es-01.example.com'
   host 'es-02.example.com'
 end
-````
+```
 
 **Rolling Deployment Settings**:
 You can change the following settings in your config to tune how the rolling
@@ -412,35 +449,36 @@ are the same everywhere. Settings are per-project.
    that are. The default is an empty array. If you have non-HTTP services that you
    want to check, see Custom Health Checks in the previous section.
 
-###Deploy a project to a fleet of Docker servers
+### Deploy a project to a fleet of Docker servers
 
 This will hard stop, then start containers on all the specified hosts. This
 is not recommended for apps where one endpoint needs to be available at all
 times. It is fast.
 
-````bash
+```bash
 $ bundle exec centurion -p radio-radio -e staging -a deploy
-````
+```
 
-###Deploy a bash console on a host
+### Deploy a bash console on a host
 
 This will give you a command line shell with all of your existing environment
 passed to the container. The `CMD` from the `Dockerfile` will be replaced
 with `/bin/bash`. It will use the first host from the host list.
 
-````bash
+```bash
 $ bundle exec centurion -p radio-radio -e staging -a deploy_console
-````
+```
+
 ### Repair unhealthy docker containers
 
 This will preform a health check on each host using rolling deployment
 health check settings and redeploy to the host if a health check fails.
 
-````bash
+```bash
 $ bundle exec centurion -p radio-radio -e staging -a repair
-````
+```
 
-###List all the tags running on your servers for a particular project
+### List all the tags running on your servers for a particular project
 
 Returns a nicely-formatted list of all the current tags and which machines they
 are running on. Gives a unique list of tags across all hosts as well.  This is
@@ -451,7 +489,7 @@ goes wrong mid-deploy.
 $ bundle exec centurion -p radio-radio -e staging -a list:running_container_tags
 ```
 
-###List all the containers currently running for this project
+### List all the containers currently running for this project
 
 Returns a (as yet not very nicely formatted) list of all the containers for
 this project on each of the servers from the config.
@@ -460,13 +498,13 @@ this project on each of the servers from the config.
 $ bundle exec centurion -p radio-radio -e staging -a list:running_containers
 ```
 
-###List registry images
+### List registry images
 
 Returns a list of all the images for this project in the registry.
 
-````bash
+```bash
 $ bundle exec centurion -p radio-radio -e staging -a list
-````
+```
 
 ### Registry
 
@@ -609,4 +647,4 @@ patents, and ideas in that code in our products if we so choose. You also agree
 the code is provided as-is and you provide no warranties as to its fitness or
 correctness for any purpose
 
-Copyright (c) 2014-2016 New Relic, Inc. All rights reserved.
+Copyright (c) 2014-2017 New Relic, Inc. All rights reserved.

data/centurion.gemspec

@@ -36,6 +36,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'trollop'
   spec.add_dependency 'excon', '~> 0.33'
   spec.add_dependency 'logger-colors'
+  spec.add_dependency 'net-ssh'
+  spec.add_dependency 'sshkit'
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake', '~> 10.5'

data/lib/centurion/deploy_dsl.rb

@@ -150,7 +150,7 @@ module Centurion::DeployDSL
 
   def build_server_group
     hosts, docker_path = fetch(:hosts, []), fetch(:docker_path)
-    Centurion::DockerServerGroup.new(hosts, docker_path, build_tls_params)
+    Centurion::DockerServerGroup.new(hosts, docker_path, build_server_params)
   end
 
   def validate_options_keys(options, valid_keys)
@@ -180,13 +180,23 @@ module Centurion::DeployDSL
     Centurion::DockerViaCli.tls_keys.all? { |key| fetch(key).present? }
   end
 
-  def build_tls_params
-    return {} unless fetch(:tlsverify)
-    {
-      tls: fetch(:tlsverify || tls_paths_available?),
-      tlscacert: fetch(:tlscacert),
-      tlscert: fetch(:tlscert),
-      tlskey: fetch(:tlskey)
-    }
+  def build_server_params
+    opts = {}
+    if fetch(:tlsverify)
+      opts[:tls] = fetch(:tlsverify || tls_paths_available?)
+      opts[:tlscacert] = fetch(:tlscacert)
+      opts[:tlscert] = fetch(:tlscert)
+      opts[:tlskey] = fetch(:tlskey)
+    end
+
+    if fetch(:ssh, false) == true
+      opts[:ssh] = true
+
+      # nil is OK for both of these, defaults applied internally
+      opts[:ssh_user] = fetch(:ssh_user)
+      opts[:ssh_log_level] = fetch(:ssh_log_level)
+    end
+
+    opts
   end
 end

data/lib/centurion/docker_server.rb

@@ -18,15 +18,15 @@ class Centurion::DockerServer
                  :remove_container, :restart_container
   def_delegators :docker_via_cli, :pull, :tail, :attach, :exec, :exec_it
 
-  def initialize(host, docker_path, tls_params = {})
+  def initialize(host, docker_path, connection_opts = {})
     @docker_path = docker_path
     @hostname, @port = host.split(':')
-    @port ||= if tls_params.empty?
-      '2375'
-    else
-      '2376'
-    end
-    @tls_params = tls_params
+    @port ||= if connection_opts[:tls]
+                '2376'
+              else
+                '2375'
+              end
+    @connection_opts = connection_opts
   end
 
   def current_tags_for(image)
@@ -64,16 +64,26 @@ class Centurion::DockerServer
     end
   end
 
+  def describe
+    desc = hostname
+    desc += " via TLS" if @connection_opts[:tls]
+    if @connection_opts[:ssh]
+      desc += " via SSH"
+      desc += " user #{@connection_opts[:ssh_user]}" if @connection_opts[:ssh_user]
+    end
+    desc
+  end
+
   private
 
   def docker_via_api
     @docker_via_api ||= Centurion::DockerViaApi.new(@hostname, @port,
-                                                    @tls_params, nil)
+                                                    @connection_opts, nil)
   end
 
   def docker_via_cli
     @docker_via_cli ||= Centurion::DockerViaCli.new(@hostname, @port,
-                                                    @docker_path, @tls_params)
+                                                    @docker_path, @connection_opts)
   end
 
   def parse_image_tags_for(running_containers)

data/lib/centurion/docker_via_api.rb

@@ -2,13 +2,21 @@ require 'excon'
 require 'json'
 require 'uri'
 require 'securerandom'
+require 'centurion/ssh'
 
 module Centurion; end
 
 class Centurion::DockerViaApi
-  def initialize(hostname, port, tls_args = {}, api_version = nil)
-    @tls_args = default_tls_args(tls_args[:tls]).merge(tls_args.reject { |k, v| v.nil? }) # Required by tls_enable?
-    @base_uri = "http#{'s' if tls_enable?}://#{hostname}:#{port}"
+  def initialize(hostname, port, connection_opts = {}, api_version = nil)
+    @tls_args = default_tls_args(connection_opts[:tls]).merge(connection_opts.reject { |k, v| v.nil? }) # Required by tls_enable?
+    if connection_opts[:ssh]
+      @base_uri = hostname
+      @ssh = true
+      @ssh_user = connection_opts[:ssh_user]
+      @ssh_log_level = connection_opts[:ssh_log_level]
+    else
+      @base_uri = "http#{'s' if tls_enable?}://#{hostname}:#{port}"
+    end
     api_version ||= "/v1.12"
     @docker_api_version = api_version
     configure_excon_globally
@@ -17,7 +25,7 @@ class Centurion::DockerViaApi
   def ps(options={})
     path = @docker_api_version + "/containers/json"
     path += "?all=1" if options[:all]
-    response = Excon.get(@base_uri + path, tls_excon_arguments)
+    response = with_excon {|e| e.get(path: path)}
 
     raise unless response.status == 200
     JSON.load(response.body)
@@ -27,61 +35,64 @@ class Centurion::DockerViaApi
     repository = "#{image}:#{tag}"
     path       = @docker_api_version + "/images/#{repository}/json"
 
-    response = Excon.get(
-      @base_uri + path,
-      tls_excon_arguments.merge(headers: {'Accept' => 'application/json'})
-    )
+    response = with_excon do |e|
+      e.get(
+        path: path,
+        headers: {'Accept' => 'application/json'}
+      )
+    end
     raise response.inspect unless response.status == 200
     JSON.load(response.body)
   end
 
   def remove_container(container_id)
     path = @docker_api_version + "/containers/#{container_id}"
-    response = Excon.delete(
-      @base_uri + path,
-      tls_excon_arguments
-    )
+    response = with_excon do |e|
+      e.delete(
+        path: path,
+      )
+    end
     raise response.inspect unless response.status == 204
     true
   end
 
   def stop_container(container_id, timeout = 30)
     path = @docker_api_version + "/containers/#{container_id}/stop?t=#{timeout}"
-    response = Excon.post(
-      @base_uri + path,
-      tls_excon_arguments.merge(
+    response = with_excon do |e|
+      e.post(
+        path: path,
         # Wait for both the docker stop timeout AND the kill AND
         # potentially a very slow HTTP server.
         read_timeout: timeout + 120
       )
-    )
+    end
     raise response.inspect unless response.status == 204
     true
   end
 
   def create_container(configuration, name = nil)
     path = @docker_api_version + "/containers/create"
-    response = Excon.post(
-      @base_uri + path,
-      tls_excon_arguments.merge(
-        query: name ? {name: "#{name}-#{SecureRandom.hex(7)}"} : nil,
+    response = with_excon do |e|
+      e.post(
+        path: path,
+        query: name ? "name=#{name}-#{SecureRandom.hex(7)}" : nil,
         body: configuration.to_json,
         headers: { "Content-Type" => "application/json" }
       )
-    )
+    end
     raise response.inspect unless response.status == 201
     JSON.load(response.body)
   end
 
   def start_container(container_id, configuration)
     path = @docker_api_version + "/containers/#{container_id}/start"
-    response = Excon.post(
-      @base_uri + path,
-      tls_excon_arguments.merge(
+    response = with_excon do |e|
+      e.post(
+        path: path,
         body: configuration.to_json,
         headers: { "Content-Type" => "application/json" }
       )
-    )
+    end
     case response.status
     when 204
       true
@@ -94,14 +105,14 @@ class Centurion::DockerViaApi
 
   def restart_container(container_id, timeout = 30)
     path = @docker_api_version + "/containers/#{container_id}/restart?t=#{timeout}"
-    response = Excon.post(
-      @base_uri + path,
-      tls_excon_arguments.merge(
+    response = with_excon do |e|
+      e.post(
+        path: path,
         # Wait for both the docker stop timeout AND the kill AND
         # potentially a very slow HTTP server.
         read_timeout: timeout + 120
       )
-    )
+    end
     case response.status
     when 204
       true
@@ -116,10 +127,11 @@ class Centurion::DockerViaApi
 
   def inspect_container(container_id)
     path = @docker_api_version + "/containers/#{container_id}/json"
-    response = Excon.get(
-      @base_uri + path,
-      tls_excon_arguments
-    )
+    response = with_excon do |e|
+      e.get(
+        path: path,
+      )
+    end
     raise response.inspect unless response.status == 200
     JSON.load(response.body)
   end
@@ -172,4 +184,19 @@ class Centurion::DockerViaApi
       {}
     end
   end
+
+  def with_excon(&block)
+    if @ssh
+      with_excon_via_ssh(&block)
+    else
+      yield Excon.new(@base_uri, tls_excon_arguments)
+    end
+  end
+
+  def with_excon_via_ssh
+    Centurion::SSH.with_docker_socket(@base_uri, @ssh_user, @ssh_log_level) do |socket|
+      conn = Excon.new('unix:///', socket: socket)
+      yield conn
+    end
+  end
 end