kamal-insecure 2.7.0

data/lib/kamal/commands/docker.rb

@@ -0,0 +1,34 @@
+class Kamal::Commands::Docker < Kamal::Commands::Base
+  # Install Docker using the https://github.com/docker/docker-install convenience script.
+  def install
+    pipe get_docker, :sh
+  end
+
+  # Checks the Docker client version. Fails if Docker is not installed.
+  def installed?
+    docker "-v"
+  end
+
+  # Checks the Docker server version. Fails if Docker is not running.
+  def running?
+    docker :version
+  end
+
+  # Do we have superuser access to install Docker and start system services?
+  def superuser?
+    [ '[ "${EUID:-$(id -u)}" -eq 0 ] || command -v sudo >/dev/null || command -v su >/dev/null' ]
+  end
+
+  def create_network
+    docker :network, :create, :kamal
+  end
+
+  private
+    def get_docker
+      shell \
+        any \
+          [ :curl, "-fsSL", "https://get.docker.com" ],
+          [ :wget, "-O -", "https://get.docker.com" ],
+          [ :echo, "\"exit 1\"" ]
+    end
+end

data/lib/kamal/commands/hook.rb

@@ -0,0 +1,20 @@
+class Kamal::Commands::Hook < Kamal::Commands::Base
+  def run(hook)
+    [ hook_file(hook) ]
+  end
+
+  def env(secrets: false, **details)
+    tags(**details).env.tap do |env|
+      env.merge!(config.secrets.to_h) if secrets
+    end
+  end
+
+  def hook_exists?(hook)
+    Pathname.new(hook_file(hook)).exist?
+  end
+
+  private
+    def hook_file(hook)
+      File.join(config.hooks_path, hook)
+    end
+end

data/lib/kamal/commands/lock.rb

@@ -0,0 +1,70 @@
+require "active_support/duration"
+require "time"
+require "base64"
+
+class Kamal::Commands::Lock < Kamal::Commands::Base
+  def acquire(message, version)
+    combine \
+      [ :mkdir, lock_dir ],
+      write_lock_details(message, version)
+  end
+
+  def release
+    combine \
+      [ :rm, lock_details_file ],
+      [ :rm, "-r", lock_dir ]
+  end
+
+  def status
+    combine \
+      stat_lock_dir,
+      read_lock_details
+  end
+
+  def ensure_locks_directory
+    [ :mkdir, "-p", locks_dir ]
+  end
+
+  private
+    def write_lock_details(message, version)
+      write \
+        [ :echo, "\"#{Base64.encode64(lock_details(message, version))}\"" ],
+        lock_details_file
+    end
+
+    def read_lock_details
+      pipe \
+        [ :cat, lock_details_file ],
+        [ :base64, "-d" ]
+    end
+
+    def stat_lock_dir
+      write \
+        [ :stat, lock_dir ],
+        "/dev/null"
+    end
+
+    def lock_dir
+      dir_name = [ "lock", config.service, config.destination ].compact.join("-")
+
+      File.join(config.run_directory, dir_name)
+    end
+
+    def lock_details_file
+      File.join(lock_dir, "details")
+    end
+
+    def lock_details(message, version)
+      <<~DETAILS.strip
+        Locked by: #{locked_by} at #{Time.now.utc.iso8601}
+        Version: #{version}
+        Message: #{message}
+      DETAILS
+    end
+
+    def locked_by
+      Kamal::Git.user_name
+    rescue Errno::ENOENT
+      "Unknown"
+    end
+end

data/lib/kamal/commands/proxy.rb

@@ -0,0 +1,127 @@
+class Kamal::Commands::Proxy < Kamal::Commands::Base
+  delegate :argumentize, :optionize, to: Kamal::Utils
+
+  def run
+    pipe boot_config, xargs(docker_run)
+  end
+
+  def start
+    docker :container, :start, container_name
+  end
+
+  def stop(name: container_name)
+    docker :container, :stop, name
+  end
+
+  def start_or_run
+    combine start, run, by: "||"
+  end
+
+  def info
+    docker :ps, "--filter", "name=^#{container_name}$"
+  end
+
+  def version
+    pipe \
+      docker(:inspect, container_name, "--format '{{.Config.Image}}'"),
+      [ :awk, "-F:", "'{print \$NF}'" ]
+  end
+
+  def logs(timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
+    pipe \
+      docker(:logs, container_name, ("--since #{since}" if since), ("--tail #{lines}" if lines), ("--timestamps" if timestamps), "2>&1"),
+      ("grep '#{grep}'#{" #{grep_options}" if grep_options}" if grep)
+  end
+
+  def follow_logs(host:, timestamps: true, grep: nil, grep_options: nil)
+    run_over_ssh pipe(
+      docker(:logs, container_name, ("--timestamps" if timestamps), "--tail", "10", "--follow", "2>&1"),
+      (%(grep "#{grep}"#{" #{grep_options}" if grep_options}) if grep)
+    ).join(" "), host: host
+  end
+
+  def remove_container
+    docker :container, :prune, "--force", "--filter", "label=org.opencontainers.image.title=kamal-proxy"
+  end
+
+  def remove_image
+    docker :image, :prune, "--all", "--force", "--filter", "label=org.opencontainers.image.title=kamal-proxy"
+  end
+
+  def cleanup_traefik
+    chain \
+      docker(:container, :stop, "traefik"),
+      combine(
+        docker(:container, :prune, "--force", "--filter", "label=org.opencontainers.image.title=Traefik"),
+        docker(:image, :prune, "--all", "--force", "--filter", "label=org.opencontainers.image.title=Traefik")
+      )
+  end
+
+  def ensure_proxy_directory
+    make_directory config.proxy_boot.host_directory
+  end
+
+  def remove_proxy_directory
+    remove_directory config.proxy_boot.host_directory
+  end
+
+  def ensure_apps_config_directory
+    make_directory config.proxy_boot.apps_directory
+  end
+
+  def boot_config
+    [ :echo, "#{substitute(read_boot_options)} #{substitute(read_image)}:#{substitute(read_image_version)} #{substitute(read_run_command)}" ]
+  end
+
+  def read_boot_options
+    read_file(config.proxy_boot.options_file, default: config.proxy_boot.default_boot_options.join(" "))
+  end
+
+  def read_image
+    read_file(config.proxy_boot.image_file, default: config.proxy_boot.image_default)
+  end
+
+  def read_image_version
+    read_file(config.proxy_boot.image_version_file, default: Kamal::Configuration::Proxy::Boot::MINIMUM_VERSION)
+  end
+
+  def read_run_command
+    read_file(config.proxy_boot.run_command_file)
+  end
+
+  def reset_boot_options
+    remove_file config.proxy_boot.options_file
+  end
+
+  def reset_image
+    remove_file config.proxy_boot.image_file
+  end
+
+  def reset_image_version
+    remove_file config.proxy_boot.image_version_file
+  end
+
+  def reset_run_command
+    remove_file config.proxy_boot.run_command_file
+  end
+
+  private
+    def container_name
+      config.proxy_boot.container_name
+    end
+
+    def read_file(file, default: nil)
+      combine [ :cat, file, "2>", "/dev/null" ], [ :echo, "\"#{default}\"" ], by: "||"
+    end
+
+    def docker_run
+      docker \
+        :run,
+        "--name", container_name,
+        "--network", "kamal",
+        "--detach",
+        "--restart", "unless-stopped",
+        "--volume", "kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy",
+        *config.proxy_boot.apps_volume.docker_args
+    end
+end

data/lib/kamal/commands/prune.rb

@@ -0,0 +1,38 @@
+require "active_support/duration"
+require "active_support/core_ext/numeric/time"
+
+class Kamal::Commands::Prune < Kamal::Commands::Base
+  def dangling_images
+    docker :image, :prune, "--force", "--filter", "label=service=#{config.service}"
+  end
+
+  def tagged_images
+    pipe \
+      docker(:image, :ls, *service_filter, "--format", "'{{.ID}} {{.Repository}}:{{.Tag}}'"),
+      grep("-v -w \"#{active_image_list}\""),
+      "while read image tag; do docker rmi $tag; done"
+  end
+
+  def app_containers(retain:)
+    pipe \
+      docker(:ps, "-q", "-a", *service_filter, *stopped_containers_filters),
+      "tail -n +#{retain + 1}",
+      "while read container_id; do docker rm $container_id; done"
+  end
+
+  private
+    def stopped_containers_filters
+      [ "created", "exited", "dead" ].flat_map { |status| [ "--filter", "status=#{status}" ] }
+    end
+
+    def active_image_list
+      # Pull the images that are used by any containers
+      # Append repo:latest - to avoid deleting the latest tag
+      # Append repo:<none> - to avoid deleting dangling images that are in use. Unused dangling images are deleted separately
+      "$(docker container ls -a --format '{{.Image}}\\|' --filter label=service=#{config.service} | tr -d '\\n')#{config.latest_image}\\|#{config.repository}:<none>"
+    end
+
+    def service_filter
+      [ "--filter", "label=service=#{config.service}" ]
+    end
+end

data/lib/kamal/commands/registry.rb

@@ -0,0 +1,16 @@
+class Kamal::Commands::Registry < Kamal::Commands::Base
+  def login(registry_config: nil)
+    registry_config ||= config.registry
+
+    docker :login,
+      registry_config.server,
+      "-u", sensitive(Kamal::Utils.escape_shell_value(registry_config.username)),
+      "-p", sensitive(Kamal::Utils.escape_shell_value(registry_config.password))
+  end
+
+  def logout(registry_config: nil)
+    registry_config ||= config.registry
+
+    docker :logout, registry_config.server
+  end
+end

data/lib/kamal/commands/server.rb

@@ -0,0 +1,15 @@
+class Kamal::Commands::Server < Kamal::Commands::Base
+  def ensure_run_directory
+    make_directory config.run_directory
+  end
+
+  def remove_app_directory
+    remove_directory config.app_directory
+  end
+
+  def app_directory_count
+    pipe \
+      [ :ls, config.apps_directory ],
+      [ :wc, "-l" ]
+  end
+end

data/lib/kamal/commands.rb

@@ -0,0 +1,2 @@
+module Kamal::Commands
+end

data/lib/kamal/configuration/accessory.rb

@@ -0,0 +1,241 @@
+class Kamal::Configuration::Accessory
+  include Kamal::Configuration::Validation
+
+  DEFAULT_NETWORK = "kamal"
+
+  delegate :argumentize, :optionize, to: Kamal::Utils
+
+  attr_reader :name, :env, :proxy, :registry
+
+  def initialize(name, config:)
+    @name, @config, @accessory_config = name.inquiry, config, config.raw_config["accessories"][name]
+
+    validate! \
+      accessory_config,
+      example: validation_yml["accessories"]["mysql"],
+      context: "accessories/#{name}",
+      with: Kamal::Configuration::Validator::Accessory
+
+    ensure_valid_roles
+
+    @env = initialize_env
+    @proxy = initialize_proxy if running_proxy?
+    @registry = initialize_registry if accessory_config["registry"].present?
+  end
+
+  def service_name
+    accessory_config["service"] || "#{config.service}-#{name}"
+  end
+
+  def image
+    [ registry&.server, accessory_config["image"] ].compact.join("/")
+  end
+
+  def hosts
+    hosts_from_host || hosts_from_hosts || hosts_from_roles || hosts_from_tags
+  end
+
+  def port
+    if port = accessory_config["port"]&.to_s
+      port.include?(":") ? port : "#{port}:#{port}"
+    end
+  end
+
+  def network_args
+    argumentize "--network", network
+  end
+
+  def publish_args
+    argumentize "--publish", port if port
+  end
+
+  def labels
+    default_labels.merge(accessory_config["labels"] || {})
+  end
+
+  def label_args
+    argumentize "--label", labels
+  end
+
+  def env_args
+    [ *env.clear_args, *argumentize("--env-file", secrets_path) ]
+  end
+
+  def env_directory
+    File.join(config.env_directory, "accessories")
+  end
+
+  def secrets_io
+    env.secrets_io
+  end
+
+  def secrets_path
+    File.join(config.env_directory, "accessories", "#{name}.env")
+  end
+
+  def files
+    accessory_config["files"]&.to_h do |local_to_remote_mapping|
+      local_file, remote_file = local_to_remote_mapping.split(":")
+      [ expand_local_file(local_file), expand_remote_file(remote_file) ]
+    end || {}
+  end
+
+  def directories
+    accessory_config["directories"]&.to_h do |host_to_container_mapping|
+      host_path, container_path = host_to_container_mapping.split(":")
+      [ expand_host_path(host_path), container_path ]
+    end || {}
+  end
+
+  def volumes
+    specific_volumes + remote_files_as_volumes + remote_directories_as_volumes
+  end
+
+  def volume_args
+    argumentize "--volume", volumes
+  end
+
+  def option_args
+    if args = accessory_config["options"]
+      optionize args
+    else
+      []
+    end
+  end
+
+  def cmd
+    accessory_config["cmd"]
+  end
+
+  def running_proxy?
+    accessory_config["proxy"].present?
+  end
+
+  private
+    attr_reader :config, :accessory_config
+
+    def initialize_env
+      Kamal::Configuration::Env.new \
+        config: accessory_config.fetch("env", {}),
+        secrets: config.secrets,
+        context: "accessories/#{name}/env"
+    end
+
+    def initialize_proxy
+      Kamal::Configuration::Proxy.new \
+        config: config,
+        proxy_config: accessory_config["proxy"],
+        context: "accessories/#{name}/proxy",
+        secrets: config.secrets
+    end
+
+    def initialize_registry
+      Kamal::Configuration::Registry.new \
+        config: accessory_config,
+        secrets: config.secrets,
+        context: "accessories/#{name}/registry"
+    end
+
+    def default_labels
+      { "service" => service_name }
+    end
+
+    def expand_local_file(local_file)
+      if local_file.end_with?("erb")
+        with_clear_env_loaded { read_dynamic_file(local_file) }
+      else
+        Pathname.new(File.expand_path(local_file)).to_s
+      end
+    end
+
+    def with_clear_env_loaded
+      env.clear.each { |k, v| ENV[k] = v }
+      yield
+    ensure
+      env.clear.each { |k, v| ENV.delete(k) }
+    end
+
+    def read_dynamic_file(local_file)
+      StringIO.new(ERB.new(File.read(local_file)).result)
+    end
+
+    def expand_remote_file(remote_file)
+      service_name + remote_file
+    end
+
+    def specific_volumes
+      accessory_config["volumes"] || []
+    end
+
+    def remote_files_as_volumes
+      accessory_config["files"]&.collect do |local_to_remote_mapping|
+        _, remote_file = local_to_remote_mapping.split(":")
+        "#{service_data_directory + remote_file}:#{remote_file}"
+      end || []
+    end
+
+    def remote_directories_as_volumes
+      accessory_config["directories"]&.collect do |host_to_container_mapping|
+        host_path, container_path = host_to_container_mapping.split(":")
+        [ expand_host_path(host_path), container_path ].join(":")
+      end || []
+    end
+
+    def expand_host_path(host_path)
+      absolute_path?(host_path) ? host_path : File.join(service_data_directory, host_path)
+    end
+
+    def absolute_path?(path)
+      Pathname.new(path).absolute?
+    end
+
+    def service_data_directory
+      "$PWD/#{service_name}"
+    end
+
+    def hosts_from_host
+      [ accessory_config["host"] ] if accessory_config.key?("host")
+    end
+
+    def hosts_from_hosts
+      accessory_config["hosts"] if accessory_config.key?("hosts")
+    end
+
+    def hosts_from_roles
+      if accessory_config.key?("role")
+       config.role(accessory_config["role"])&.hosts
+      elsif accessory_config.key?("roles")
+        accessory_config["roles"].flat_map { |role| config.role(role)&.hosts }
+      end
+    end
+
+    def hosts_from_tags
+      if accessory_config.key?("tag")
+        extract_hosts_from_config_with_tag(accessory_config["tag"])
+      elsif accessory_config.key?("tags")
+        accessory_config["tags"].flat_map { |tag| extract_hosts_from_config_with_tag(tag) }
+      end
+    end
+
+    def extract_hosts_from_config_with_tag(tag)
+      if (servers_with_roles = config.raw_config.servers).is_a?(Hash)
+        servers_with_roles.flat_map do |role, servers_in_role|
+          servers_in_role.filter_map do |host|
+            host.keys.first if host.is_a?(Hash) && host.values.first.include?(tag)
+          end
+        end
+      end
+    end
+
+    def network
+      accessory_config["network"] || DEFAULT_NETWORK
+    end
+
+    def ensure_valid_roles
+      if accessory_config["roles"] && (missing_roles = accessory_config["roles"] - config.roles.map(&:name)).any?
+        raise Kamal::ConfigurationError, "accessories/#{name}: unknown roles #{missing_roles.join(", ")}"
+      elsif accessory_config["role"] && !config.role(accessory_config["role"])
+        raise Kamal::ConfigurationError, "accessories/#{name}: unknown role #{accessory_config["role"]}"
+      end
+    end
+end

data/lib/kamal/configuration/alias.rb

@@ -0,0 +1,15 @@
+class Kamal::Configuration::Alias
+  include Kamal::Configuration::Validation
+
+  attr_reader :name, :command
+
+  def initialize(name, config:)
+    @name, @command = name.inquiry, config.raw_config["aliases"][name]
+
+    validate! \
+      command,
+      example: validation_yml["aliases"]["uname"],
+      context: "aliases/#{name}",
+      with: Kamal::Configuration::Validator::Alias
+  end
+end

data/lib/kamal/configuration/boot.rb

@@ -0,0 +1,25 @@
+class Kamal::Configuration::Boot
+  include Kamal::Configuration::Validation
+
+  attr_reader :boot_config, :host_count
+
+  def initialize(config:)
+    @boot_config = config.raw_config.boot || {}
+    @host_count = config.all_hosts.count
+    validate! boot_config
+  end
+
+  def limit
+    limit = boot_config["limit"]
+
+    if limit.to_s.end_with?("%")
+      [ host_count * limit.to_i / 100, 1 ].max
+    else
+      limit
+    end
+  end
+
+  def wait
+    boot_config["wait"]
+  end
+end